Pen testing by asking questions: the Art of Elicitation
2019-11-09, 14:00–14:25 (US/Pacific), Red Day

Pen testing doesn't have to be all dropping exploits and launching shells. Learning to ask the right questions at the right time can lead to a better understanding of vulnerabilities on your targets than actually running tests.


There’s a long, storied history around social engineering your way to success. Getting users to give up passwords, create accounts, and generally do things they’re not supposed to do are part of our collective hacker history.

But what about when the user is supposed to give you the details? If you’re on a pen test or part of a system assessment, interviewing users, developers, and administrators is an important information-gathering process. However, unlike straight-up social engineering, there’s not a lot of art out there on how to conduct successful interviews. Eliciting useful information can help you uncover badness and vulnerabilities faster. Using the right techniques can make the difference between an hour-long architecture review where you get no new information and a short discussion where a user points you directly at all the weak points in a system.

This talk will examine the art of elicitation including the history of elicitation as a concept, understanding elicitation techniques, tips to guide you to getting the information you want, and examples of good and bad elicitation techniques.

Bruce Potter is the founder of The Shmoo Group, CISO at Expel, and helps run ShmooCon each year in Washington DC. Bruce has over 20 years (yikes!) of experience in hacking and cyber security including working with DoD and Intelligence Community clients as well as numerous finance, healthcare, and transportation companies. Bruce used to do a lot of wireless and network attack and defense work but lately focuses on risk management, threat categorization, and building more secure systems. Bruce likes to talk about himself in the third person, but usually only does it in bios.
