This One Time on a Pen Test: Playing Social Security Slots

Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report.


One time, during a vishing-only engagement, the client gave me several phone numbers to contact, all part of a phone routing system. I wanted to understand what types of support calls the technical support person usually took before I actually chatted with anyone, so I performed OSINT and looked at Facebook, LinkedIn, and other sites to find current employees at the company. I also looked to see if there was any breach data that went along with the client’s name, and while I did find some, I wasn’t sure about how old or reliable the data was.


From there, I began my calls. One of the phone numbers routed me to a technical support person, and when they asked who I was, I pretended to be a specific employee I’d found using LinkedIn. My problem? I just got back from vacation and completely forgot my credentials!


“Totally fine,” said tech support. Since they already had my name, they just needed the last four digits of my Social Security number.


“No problem,” I said.


See, during the OSINT stage, I was able to gather usernames, since the client hosted a website login to its Citrix Portal. Also, the breach data I discovered happened to have several password combinations that appeared to include four numbers at the end, such as “Frank0201.” I took a swing in the dark, picke ..
