Pen testing by asking questions: the Art of Elicitation
2019-11-09, 14:00–14:25, Red Day

Pen testing doesn't have to be all dropping exploits and launching shells. Learning to ask the right questions at the right time can lead to a better understanding of vulnerabilities on your targets than actually running tests.

There’s a long, storied history around social engineering your way to success. Getting users to give up passwords, create accounts, and generally do things they’re not supposed to do are part of our collective hacker history.

But what about when the user is supposed to give you the details. If you’re on a pen test or part of a system assessment, interviewing users, developers, and administrators is an important information gathering process. However, unlike straight up social engineering, there’s not a lot of art out there on how to conduct successful interviews. Eliciting useful information can help you uncover badness and vulnerabilities faster. Using the right techniques can make the difference between an hour long architecture review where you get no new information and a short discussion where a user points you directly at all the weak points in a system.

This talk will examine the art of elicitation including the history of elicitation as a concept, understanding elicitation techniques, tips to guide you to getting the information you want, and examples of good and bad elicitation techniques.