
What is Social Engineering?

Social Engineering can be defined as follows: “Influencing a person to take an action that benefits the influencer”. Other definitions of Social Engineering mention that the person gets tricked into divulging sensitive information. However, obtaining sensitive information is not always the initial goal of a social engineer, nor is it always the end goal. A social engineer might have the initial goal of getting past the security guards of a facility, with the end goal of stealing company hardware. The definition I gave above fits these goals better.

Influence is key when it comes to Social Engineering. Dr. Robert Cialdini is seen as an expert on this subject because of his years of scientific research on the psychology of influence. He is the author of Influence: Science & Practice and Influence: The Psychology of Persuasion, which has sold over 3 million copies. Cialdini’s theory of influence is based on seven key principles: reciprocity, commitment and consistency, social proof, authority, liking, scarcity, and unity. I recommend familiarizing yourself with these principles before conducting a Social Engineering pentest.

Books about Social Engineering

Here are some books about Social Engineering that I’ve personally read and would also recommend others to read:

  1. Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You
  2. Hacking the Human: Social Engineering Techniques and Security Countermeasures
  3. Hacking the Human II: The Adventures of a Social Engineer

Types of Social Engineering attacks

There are different types of Social Engineering attacks. The four main methods are:

  1. Phishing
    • Sending e-mails that appear to be from reputable sources with the goal of influencing people into performing an action, such as sending personal information or clicking a malicious link/attachment. This is the most well-known form of Social Engineering.
  2. Vishing
    • Voice phishing: making telephone calls that appear to come from a trusted party with the goal of influencing people into performing an action, such as a helpdesk employee resetting a password on your behalf.
  3. SMiShing
    • Sending mobile phone text messages (SMS) that appear to be from reputable sources with the goal of influencing people into performing an action, such as downloading a malicious app or visiting a malicious link.
  4. Impersonation
    • All of the above methods use impersonation to a certain extent. In this case we are talking about pretending to be another person, in person, with the goal of influencing people into performing an action, such as holding the door open for you or granting you a visitor’s badge. The physical aspect of impersonation is important here.


Typical steps in a Social Engineering attack

An experienced Social Engineer will typically perform the following five steps in a Social Engineering attack:

  1. Information Gathering
    • In this step, the attacker becomes familiar with his or her target. This is done by collecting as much information as possible. The more the attacker knows about the target, the higher the chance of a successful attack. That is why this step usually takes up most of an attacker’s time.
    • Collecting information can be done in several ways. Some examples are:
      • Dumpster diving
      • Shoulder surfing
      • Open Source Intelligence (OSINT)
    • The OSINT Framework is an important source for collecting information. It is a simple website that lets you filter resources by category, such as: username, e-mail address, domain name, telephone numbers, metadata, terrorism, dark web, and threat intelligence. When you click on one of the categories, a number of useful resources to search with appear. The framework marks resources with four indicators:
      • (T) - a link to a tool that must be installed locally.
      • (D) - a Google Dork (an advanced Google search query).
      • (R) - the resource requires registration.
      • (M) - a link that contains the search term; the URL must be edited manually.
  2. Plan of Attack
    • Once there is plenty of information collected on the target, this information can be translated into multiple attack scenarios. The preliminary investigation may have revealed some names, job titles, phone numbers, dates of birth, and information about systems being used by the target. What kind of attack scenarios can you imagine with this information? That is the question that should be answered in this step.
    • When drawing up attack scenarios, it can help to first come up with a goal of the Social Engineering attack. For example, the end goal could be to obtain user credentials. An attack scenario that fits this goal is to influence the helpdesk into performing a password reset. So by first determining the goal of the attack, it can be easier to come up with attack scenarios that are relevant.
  3. Building Trust
    • A smart attacker does not immediately ask for sensitive information, but first ensures that some kind of bond is formed with the target. When you convince the target that you are trustworthy it becomes easier to achieve the goal of your attack. Building trust can be done in many ways. Some examples are:
      • Clothing - when I say the word “doctor” you probably think of someone wearing a white coat. Or let’s suppose you see a stranger wearing a T-shirt that has your favorite music group on it. You may then be more inclined to approach this person and start a conversation than if this person were wearing a neutral T-shirt. Clothing plays an important role in building trust. When you pretend to be an inspector, you will have to dress like one. Your appearance must match the role you take on. In addition to the use of clothing, general appearance is also important. Other objects/props can be used for this. For example, someone posing as a helpdesk employee may appear more credible if they carry a keyboard or network cable.
      • Voice - tone and speed are especially important here. When someone speaks calmly and you respond at the same pace, this person is more likely to start trusting you. However, do not imitate the target excessively. This can come off as mocking and the target will no longer respect you.
      • Taking small steps - you can do this by, for example, first calling the target with an innocent question. By calling back at a later time, the target will recognize you and therefore trust you more quickly.
  4. Execution
    • In the previous step, a bond with the target has been formed. He or she now believes that we actually are the person we present ourselves as. During the ‘Execution’ step, the actual attack is performed and the objective of the attack scenario is achieved. Let’s consider the example of the aforementioned helpdesk attack scenario: during this step the password reset gets executed.
  5. Exit
    • Once the goal of the attack scenario has been reached, the attack can be terminated. At this stage, we do so without arousing suspicion in the target. In our example scenario we can do this by kindly thanking the helpdesk employee for his/her help and wishing them a nice day.


How to conduct a Social Engineering pentest

Step 1: Planning, initial scope and contract

In this step, you will identify what is in scope and how the pentest will be performed. This typically requires a meeting with the management of the company you are performing the test on. In order to keep the pentest as accurate as possible, you need to minimize awareness of the test, so it is advisable to keep the number of people involved in this meeting to a minimum.

In order to stay out of jail while conducting your pentest, it is important that your scope results in a clear contract that is agreed on by all parties involved.

Step 2: Information Gathering

The scope defined in the previous step may limit your methods of information gathering. For example, your client may not want you to use dumpster diving as a method of information gathering, or your client may provide you with a set of information that you are only allowed to use in your attack. More commonly, however, the client expects a thorough investigation of publicly accessible information about the company and its employees. As mentioned before, the OSINT Framework is an important source for this.

Step 3: Definitive scope

This step is optional. If you were not limited by the initial scope during the information gathering step, you may have collected interesting results on departments/employees that your client did not consider a worthy target at first. This could result in a change of scope. It is important to check if these changes are in line with the contract that was agreed on in step 1.

Step 4: Plan of Attack

Once the scope of the pentest is clear and you have collected enough information about your target, it is time to identify all of the methods that will be used during the test. Personally, I would structure my plan of attack in the following way:

  • Introduction - briefly explains how the plan of attack originated.
  • Attack vectors - a clear list of all attack vectors, in which a link is made to the objective and the target of the attack. Example: “A helpdesk employee (target) will be tested by vishing (attack vector) in an attempt to acquire user credentials (objective). This test involves impersonating an employee that has forgotten their password.”.
  • Step-by-step plan - describes which steps will be followed for each attack scenario. The steps are detailed, so this section also contains information on the props/objects that will be used and any other relevant details.
  • Agreement - contains signatures of all relevant parties.
  • Appendix - contains the crash plan, get out of jail free card and any other relevant documents.

Crash plan

During the pentest, it is possible that your target finds out that something just isn’t right. When your target suspects that you are not who you say you are, it is good to have a backup plan as you do not want the situation to escalate. What do you tell your target when this happens? If the attack completely fails, who do you need to inform? Those are things that you determine in the crash plan.

Get Out of Jail Free Card

If you fail during a physical Social Engineering test, you will in most cases show a signed letter with information about the pentest to the employee that detected your attack. To make the test more challenging, you could craft a fraudulent letter and show this letter first. This is your “Get Out of Jail Free Card”. If the employee does not take further action, you may be able to get past them. Make sure this is backed up by a genuine letter that is signed by higher management of the company you are testing. The genuine letter should contain more information about the scope of the pentest and which parties are involved in it.

Step 5: Execution

All of the attack vectors listed in the plan of attack are executed in this step. Keeping documentation is important here, as it forms the evidence for the final report. This can be done by recording the telephone conversations, for example. It is also good to include the start and end times of the test, the name of the pentester, and the name of the target in the documentation. This will help you when it comes to writing the final report.

Step 6: Reporting

Now it is time to bring all of the results together. A typical pentesting report contains the following chapters:

  1. Executive summary
  2. Overview of OSINT results
  3. Overview of executed attack scenarios
  4. Findings
  5. Possible impact of vulnerabilities found
  6. Remediations
  7. Conclusion

In addition to delivering a final report, a presentation can also be given in which the most important findings and remediations are presented.

Depending on your relationship with the client, the final step is eliminating the vulnerabilities found during the test. The most common way to do so is through a “perform pentest, remediate, repeat pentest as necessary” method.


Sources:

  1. https://www.social-engineer.org/framework/general-discussion/
  2. https://purplesec.us/social-engineering-penetration-testing/
  3. https://brand-minds.medium.com/why-you-should-come-and-see-dr-robert-cialdini-at-brand-minds-2019-be63f22ff763
  4. https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/
  5. https://securitytrails.com/blog/osint-framework
  6. Books:
    Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You
    Hacking the Human: Social Engineering Techniques and Security Countermeasures
    Hacking the Human II: The Adventures of a Social Engineer