When a client requests a Social Engineering assessment, they want to test for weaknesses in their people, not necessarily in their technology. After all, it is often easier to simply ask someone for their password than to find an exploit for an application. In the context of a penetration test, this typically takes the form of impersonating individuals by email (known as Phishing) or over the phone (Vishing).
To convince a person to give out their information, it is critical to come up with a convincing premise. Rather than adopting a random persona, it is better to become someone the target inherently trusts. How do you find out who that is? People post all kinds of useful information on the internet, and it is searchable.
One of the easiest ways to gain information about the target is by Googling the right keywords. If you have not used Google's search operators yet, they are extremely handy for identifying documents and files that may be sensitive. For example, a search like this:
will pull down a list of ALL PDF files that the Google bot was able to spider. Depending on the target, you may find internal documents such as Excel or Word files that give you insight into the language and responsibilities of the person you are trying to impersonate. Even if no document is directly helpful, downloading it and right-clicking -> Properties in Windows Explorer may reveal valuable information such as who last saved it and the software used to create it. This is known as metadata.
Although most workplaces have a social media policy, it’s difficult to control what people post on their own time to sites like LinkedIn, Facebook, and Twitter. For example, using the advanced search features on LinkedIn can pull up a list of current employees for a particular company. Users will often describe what types of systems they interact with, what technologies they use, and to whom they report. This type of information is extremely valuable for social engineering because it gives you insight into the day-to-day operations of the company. For example, you might find a picture of a company party on Facebook. In the picture, you see a catering company’s logo. Therefore, if you pretend to be an employee from the catering company, your target will be much more receptive to performing an action such as taking a survey over the phone.
One of the easiest ways to put this kind of information to use is through a password reset tool. Most companies have some sort of self-service tool for forgotten passwords that requires users to answer "secret questions". Unfortunately, the rise of social media has made some of these so-called "secrets" available to anyone with a computer and internet access. Common security questions ask for information such as mother's maiden name (accessible via ancestry or news records), youngest sibling's middle name (usually posted on Facebook), birthdate (viewable on Twitter) and pet name (Instagram or Facebook). As you can see, the more information an attacker can uncover, the higher the attacker's chances of succeeding.
We use a tool called King Phisher to send out our social engineering emails. When users click on a link, we usually want one of two actions to occur: the submission of valid credentials into a site we control, or the download and installation of a file. One of our favorite tools for easily creating malicious documents is a tool called Empire. Although its features are too extensive to cover in this post, it is relatively easy to set up and will automatically generate files that, when opened, establish an interactive connection back to an attacker. The challenge, however, is to construct an email that can bypass any spam filtering, since an attachment greatly increases a message's spam score.