samurai

Bleeding my enemy is the next greatest joy to burying him

I’m sure a lot of us are familiar with Miyamoto Musashi: the Buddhist, the Samurai, the artist, the writer. Yes, no, maybe so? Well, to some he’s become known as the greatest swordsman to ever live. With over 60 undefeated duels and having invented the style of fencing with two swords, this guy kinda defined the meaning of awesome! And although I’m not skilled in the art of swordsmanship, I do however tend to study and take what I can from this guy’s philosophical waxing and apply it to something that I do have an inclination to be adept in someday. Namely, exploiting human weaknesses.

In what is notably his most famous written work, A Book Of Five Rings, Miyamoto teaches us “Cutting-At-The-Edges”:

When you can’t attack an enemy directly, with a single telling thrust, you harass and attack his extremities.

This “Cutting-At-The-Edges” approach, a classic guerrilla strategy, has uses far beyond the battlefield. Think about this from the perspective of a hacker. Oftentimes hackers have a tendency to overcomplicate things. We look for the toughest ways to break into systems when it’s sometimes just as easy as asking someone for a key. (Or checking under the mat at the doorstep for a spare.)

Always remember that any of the systems you will be interested in gaining access to are configured and maintained by people. If you were to research any major study on technical vulnerabilities and hacking you would find them all in agreement on two things:

  1. Users themselves are the weakest security link.
  2. Inside attackers pose the most serious threat to overall security.

Now put those two facts together and consider this: what if the user isn’t even aware that they are an inside attacker? This, my friend, is a very powerful and scary security flaw! What we’re touching on here is the part of a pen test where you’ll use people as an entry point to the systems you want to gain access to. Your primary goal in this phase will be to convince a person through some method or another to execute some type of action that will allow you to penetrate a system. That action can range from something as simple as giving you their password to something as drastic as granting you physical access to an unauthorized area. Granted, if that person’s system itself is your goal then once it’s accessed you’re done. The game is over. However, what you’re normally trying to do is use that person’s workstation as leverage to some of the core systems and services that are running within the organization that is your target. Later we’ll go into some of the techniques used to accomplish this such as phishing, social networking attacks, and using custom malware. My purpose here was to enlighten you with another attack vector in the penetration testing process.

When Romeo can’t reach Juliet’s balcony today, he plants the seed that tomorrow becomes the tree with branches strong enough to help him reach his goal.

Until next time, Hack On, gents!

 
