Social engineering has become one of the more prevalent attack methods in use today, and has been featured heavily in some high-profile breaches. The 2011 RSA breach, for example, involved a targeted spear phishing campaign and an exploit-laden Excel file. Thus, for organizations to adequately model the real threats they face, social engineering penetration testing should be a mandatory tactic in every pen testing toolkit.
Social engineering relies heavily on psychology. There are several types of incentives and motivators to which people are highly susceptible, allowing social engineers to persuade people to take an action. For example, Dr. Robert Cialdini in his classic book, Influence: The Psychology of Persuasion (first published in 1984), described six key motivators:
- Reciprocation: Feeling indebted to someone for doing something for you.
- Social proof: Looking to others for guidance on how to act.
- Commitment/Consistency: Developing patterns of behavior and maintaining them out of habit.
- Liking: Wanting to “fit in” and being more easily persuaded by someone you like.
- Authority: Acquiescing to requests or demands from perceived authority figures.
- Scarcity: Feeling higher motivation to pursue something if it is limited or exclusive.
Pen testers can leverage these motivators when performing social engineering assessments.
There are four social engineering techniques that pen testers can use to test an organization’s security: phishing, pretexting, media dropping and tailgating.
Social engineering penetration security testing: Phishing
Phishing involves sending an email to a user in order to persuade the user to perform an action. The goal of most phishing emails in a pen testing project is simply to entice the user to click something and then record that activity, or to actually install a program as part of a larger penetration testing effort. In the latter case, exploits can be tailored to client-side software known to have problems, such as browsers and dynamic content/media plug-ins and software.
The key to a successful phishing campaign is personalization. Tailoring the email to the targeted user, such as by sending it from a trusted (or perceived-to-be-trusted) source, increases the likelihood of the user reading the email or following some direction in the email. A good pen tester will always remember to check spelling and grammar; a well-written email, even a short one, will be much more believable.
Probably the best-known tool for creating phishing attacks is the open source Social-Engineer Toolkit (SET). With its menu-driven email and attack-creation system, it’s one of the simplest ways to get started with phishing. Commercial tools like PhishMe Inc.’s PhishMe and Wombat Security’s PhishGuru can also be useful.
Social engineering penetration security testing: Pretexting
Pretexting involves telephoning the target and trying to solicit information from him or her, usually by pretending to be someone who needs assistance. This technique can work well in a penetration testing project by targeting non-technical users who can provide useful information.
The best strategy is to start with small requests and drop names of real people in the organization who may be waiting for something. In the pretexting conversation, the pen tester explains they need the target’s help. (Most people are willing to do small tasks that aren’t perceived as suspicious requests.) Once rapport has been established, the pen tester can ask for something more substantial with more success.
Reconnaissance before the pretexting exercise, using Google and tools like Paterva’s Maltego, can provide needed background information. Phone-masking/proxying tools like SpoofCard (a subsidiary of TelTech Systems) and SpoofApp from SpoofApp.com LLC, as well as Asterisk PBX add-ons from Digium Inc., can disguise the pen tester’s phone number, even making it appear to come from the organization’s own number block.
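On the defensive side, a call that arrives on an external trunk while presenting a caller ID from the organization's own number block is a useful signal to review. The following is an added example, not part of the original article; the trunk names, CDR layout and the fictional 555-01xx number block are assumptions, and legitimately forwarded calls would need an allowlist.

```python
import csv
import io

# Constructed: the organization's own DID block (fictional 555-01xx numbers).
OWN_BLOCKS = [(4045550100, 4045550199)]
# Assumption: names of the trunks that carry calls in from the public network.
EXTERNAL_TRUNKS = {"pstn-1", "pstn-2"}

# Constructed call detail records: time, ingress trunk, presented caller ID, dialed extension.
SAMPLE_CDR = """\
time,trunk,caller_id,dialed
2024-03-04T09:12:01,pstn-1,+1 (212) 555-0147,0123
2024-03-04T09:15:44,internal,404-555-0110,0123
2024-03-04T09:20:10,pstn-1,1-404-555-0110,0131
2024-03-04T09:31:52,pstn-2,anonymous,0131
"""

def normalize(number):
    """Reduce a presented caller ID to a 10-digit integer, or None if it is not one."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the NANP country code
    return int(digits) if len(digits) == 10 else None

def in_own_block(number):
    return number is not None and any(lo <= number <= hi for lo, hi in OWN_BLOCKS)

def suspicious_calls(cdr_text):
    """Return rows where an externally delivered call presents an internal number."""
    hits = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["trunk"] in EXTERNAL_TRUNKS and in_own_block(normalize(row["caller_id"])):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for call in suspicious_calls(SAMPLE_CDR):
        print("review:", call["time"], call["caller_id"], "->", call["dialed"])
```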
Social engineering penetration security testing: Media dropping
Media drops usually involve a USB flash drive left somewhere conspicuous, like a parking lot or building entrance area. The social engineer places an interesting-sounding file on the flash drive that launches some sort of client-side attack when opened.
One free tool for creating these files is Metasploit, with its built-in malicious payload generators. The “Infectious Media Generator” option in SET also utilizes Metasploit, but helps automate the process. SET can create a “legitimate” executable that executes automatically when Autorun is enabled on a target’s PC. Using automatic execution techniques and interesting-sounding files together can increase the chances of success.
Drop box devices for pen testing
Pen testers can install a small, innocent-looking box onto a client’s network and then run stealthy remote pen tests. There are commercially available products such as Pwnie Express’ PwnPlug, or pen testers can build their own pwning device loaded with hacking, sniffing and spoofing tools.
A more sophisticated approach to performing a media drop as part of a pen testing project is to develop custom attacks and programs on a USB drive, or to purchase USB drives that are pre-built for this purpose. To increase the success of USB attacks, add both automated exploits and attack-laden files to the device (PDF, Word and Excel formats are best). Labeling the device with an interesting sticker, like “HR Data” or “Employment”, can help, too.
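When a dropped drive is handed in, it can be triaged without opening anything on it. The following is an added example, not part of the original article or of any tool it names: it reads only `autorun.inf` and file names from a mounted volume, and the extension list and sample volume contents are constructed assumptions.

```python
import configparser
import tempfile
from pathlib import Path

# Extensions worth a second look on found media (illustrative list, an assumption).
RISKY_EXT = {".exe", ".scr", ".lnk", ".bat", ".vbs", ".pdf", ".doc", ".docm", ".xls", ".xlsm"}

def triage_volume(root):
    """List autorun.inf launch commands and risky file names; only autorun.inf is read."""
    root = Path(root)
    commands = []
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        parser = configparser.RawConfigParser(strict=False)
        try:
            parser.read_string(inf.read_text(encoding="utf-8-sig", errors="replace"))
        except configparser.Error as exc:
            commands.append(("unparsed", str(exc).splitlines()[0]))
        for section in parser.sections():
            if section.lower() != "autorun":
                continue
            for key, value in parser.items(section):
                # open= and shellexecute= name a program; shell\<verb>\command adds a menu entry
                if key in ("open", "shellexecute") or key.endswith("\\command"):
                    commands.append((key, value.strip()))
    risky = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                   if p.is_file() and p.suffix.lower() in RISKY_EXT)
    return commands, risky

def build_sample(root):
    """Constructed sample volume: empty placeholder files plus an autorun.inf."""
    root = Path(root)
    (root / "tools").mkdir()
    (root / "tools" / "setup.exe").write_bytes(b"")
    (root / "Salaries.xls").write_bytes(b"")
    (root / "readme.txt").write_text("placeholder")
    (root / "AUTORUN.INF").write_text(
        "; constructed sample\n[AutoRun]\nopen=tools\\setup.exe /quiet\n"
        "icon=folder.ico\nshell\\open\\command=tools\\setup.exe\nlabel=HR Data\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage_volume(tmp)

if __name__ == "__main__":
    print(demo())
```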
Social engineering penetration security testing: Tailgating
Tailgating involves getting into a physical facility by coercing or fooling staff there, or just walking in. Usually the focus of these tests is to demonstrate that the pen tester can bypass physical security.
Pen testers should plan to procure sensitive data or install a device quickly to prove they were successful, as they may have only a short window of time before needing to leave the facility. The pen tester can take pictures of exposed documents left on printers or desks, or install a pen testing drop box device to provide Wi-Fi or 3G network access back to the environment later.
By using these four social engineering techniques, the pen tester can uncover an organization’s vulnerabilities and then recommend security controls and education techniques that will reduce the odds of an organization falling prey to malicious social engineering attacks.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.