eJPT - 3.6 Social Engineering

Hmad

Introduction

In the context of penetration testing, social engineering is a technique used to manipulate individuals or employees within an organisation in order to gain unauthorised access to sensitive information, systems or facilities.

Social engineering has been defined as a way of encouraging people to handle social relations in the same way they approach machines or mechanical systems. People react differently to particular events, so you need to fine-tune your approach according to their interests and character.

Social engineering attacks aim to bypass technical controls by targeting the weakest link in the security chain: the human. They exploit human psychology, trust and vulnerabilities to deceive targets into performing actions that compromise security.

You want to put people in situations where they fall back on their base instincts and the most common patterns of social interaction, such as:

  • Desire to be helpful

  • Tendency to trust people

  • Desire for approval

  • Fear of getting into trouble

  • Avoidance of conflict or arguments

Instead of spending countless hours trying to infiltrate systems or networks through traditional server-side attacks such as brute forcing, attackers can use social engineering to obtain information or get malware running inside the company network in a matter of minutes.

Social media has increased the reach and effectiveness of social engineering attacks, as employees can be contacted easily by anyone in the world. People post a great deal of private or sensitive information that attackers can use to support their attacks.

In penetration tests and red teaming exercises, phishing simulations are valuable for assessing an organization's susceptibility to social engineering attacks and identifying areas for improvement in security awareness and controls.

The main techniques are:

Phishing:
Deceptive emails, messages or websites designed to trick recipients into revealing confidential information such as passwords, account credentials or financial data.

Spear phishing:
Targeted phishing attacks that are customised for specific individuals or groups within an organisation, often using personalised information or context to increase credibility and trust.

Vishing:
Phishing attacks conducted over phone calls or voice messages, where attackers impersonate legitimate entities to extract sensitive information or manipulate victims into taking specific actions.

Smishing:
Phishing attacks via SMS, where recipients are tricked into clicking malicious links or providing sensitive information by someone impersonating a trusted entity.

Pretexting:
Creating a false pretext or scenario to gain the trust of targets and extract sensitive or confidential information.

Baiting:
Luring targets into performing a specific action by offering enticing incentives or rewards (free items or job opportunities).

Tailgating:
Following authorised individuals into restricted areas without proper authentication. Attackers exploit social norms or courtesy to gain unauthorised access to secure locations.

Phishing

Phishing is one of the most prevalent and effective social engineering attacks. A phishing attack typically proceeds through the following phases:

  1. Planning and reconnaissance

  2. Message crafting

  3. Delivery or sending

  4. Deception and manipulation

  5. Exploitation

Spear Phishing

Spear phishing is a targeted form of phishing: the messages are highly personalised and customised to exploit the target's interests and relationships.

  1. Target selection and research

  2. Message tailoring

These first two phases are where spear phishing differs from generic phishing, purely because of the customisation you go through to personalise the message for your target.


Pretexting

Unlike other forms of social engineering that rely on deception or coercion, pretexting involves the creation of a false narrative or context to establish credibility and gain the trust of the target.

Pretexting has the following components, which I will cover in turn:

  • False pretence

  • Establishing trust

  • Manipulating emotions

  • Information gathering

  • Maintaining consistency

False pretence:
The attacker creates a fictional story or pretext to deceive the target into believing that the interaction is legitimate and trustworthy. This pretext often involves impersonating someone with authority, expertise or a legitimate reason for requesting information or assistance.

Establishing trust:
The attacker uses the pretext to establish rapport and build trust with the target. This may involve social engineering techniques such as mirroring the target's language, tone and behaviour, to create a sense of familiarity and connection.

Manipulating emotions:
Pretexting often exploits human emotions such as curiosity, fear, urgency or sympathy to manipulate the target's behaviour. By appealing to these emotions, the attacker can influence the target's decision-making process and increase compliance with their requests.

Information gathering:
Once trust is established, the attacker seeks to extract sensitive information or access privileges from the target. This may involve posing as a trusted entity and requesting information under the pretext of a legitimate need or emergency.

Maintaining consistency:
To maintain the illusion of legitimacy, the attacker ensures that the pretext remains plausible and consistent throughout the interaction. This may require careful planning, research and improvisation to adapt to the target's responses and maintain credibility.

As an example:
An attacker poses as a technical support representative from a legitimate company and contacts individuals claiming that their computer is infected with malware. The attacker convinces the target to provide remote access to their computer or install malicious software under the pretext of fixing the issue.

Pretexting is highly effective in bypassing technical controls and exploiting human vulnerabilities within organizations. It relies on psychological manipulation and social engineering tactics to deceive targets and achieve malicious objectives.

You can find a very good library of pretexts to use on offensive phishing engagements here.


Phishing with Gophish

Gophish is an open-source phishing framework designed for penetration testers to simulate phishing attacks against their own organisations. It provides a user-friendly platform to create, execute and analyse phishing campaigns, allowing users to assess their organisation's susceptibility to phishing and improve their security posture.

Gophish has the following features, which make it quite useful:

  • Campaign creation
    Allows users to create customised phishing campaigns tailored to their specific objectives and targets. Users can create multiple campaigns with different templates, email content and target lists.

  • Email template editor
    Provides a built-in email template editor that makes it easy to design and format professional-looking emails that mimic legitimate communications.

  • Target management
    Manage your target lists and segment them based on various criteria such as department, role or location. Allows for targeted phishing campaigns that closely mirror real-world attack scenarios.

  • Landing page creation
    You can create landing pages that mimic legitimate login portals or websites. They can be customised to capture credentials, personal information or other sensitive data.

  • Tracking and reporting
    Allows users to monitor the progress of their phishing campaigns in real time. Users can track email opens, link clicks and submitted data, and generate detailed reports for analysis.

  • Scheduling and automation
    Campaigns can be scheduled and automated, allowing users to launch campaigns at specific dates and times or set up recurring campaigns.

You can view the website here, the GitHub repository here and the documentation here.
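As an added example (not code from Gophish or from this post), the following Python turns the tracking data described above into the per-group susceptibility figures a report would need, using a constructed results export. It assumes the status strings ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Email Reported") and the per-target "position" field match what Gophish records for a campaign.

```python
import json
from collections import defaultdict

# Funnel stages in order; a target who reached stage k has passed stages 0..k-1.
# Assumption: these strings match the status values Gophish shows in campaign results.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {status: i for i, status in enumerate(FUNNEL)}
REPORTED = "Email Reported"  # assumed status for a target who reported the email

# Constructed sample export (not real campaign data); "position" is the
# per-target field that Gophish groups carry and that segmentation keys on.
SAMPLE_RESULTS = json.dumps([
    {"email": "a@demo.ine.local", "position": "Finance", "status": "Submitted Data"},
    {"email": "b@demo.ine.local", "position": "Finance", "status": "Clicked Link"},
    {"email": "c@demo.ine.local", "position": "Finance", "status": "Email Sent"},
    {"email": "d@demo.ine.local", "position": "IT", "status": "Email Opened"},
    {"email": "e@demo.ine.local", "position": "IT", "status": REPORTED},
    {"email": "f@demo.ine.local", "position": "IT", "status": "Email Sent"},
])

def summarise(results_json):
    """Count, per position, how many targets reached each funnel stage."""
    stats = defaultdict(lambda: {**{s: 0 for s in FUNNEL}, REPORTED: 0, "total": 0})
    for r in json.loads(results_json):
        bucket = stats[r["position"]]
        bucket["total"] += 1
        status = r["status"]
        if status == REPORTED:
            bucket[REPORTED] += 1
            status = "Email Sent"  # a reported email was still delivered
        if status in RANK:  # unknown statuses (e.g. send errors) stay out of the funnel
            for stage in FUNNEL[: RANK[status] + 1]:
                bucket[stage] += 1
    return dict(stats)

def rate(stats, position, stage):
    """Fraction of a position's targets who reached the given stage."""
    bucket = stats[position]
    return bucket[stage] / bucket["total"] if bucket["total"] else 0.0

def groups_needing_training(stats, threshold=0.25):
    """Positions where more than `threshold` of targets submitted data."""
    return sorted(p for p in stats if rate(stats, p, "Submitted Data") > threshold)

if __name__ == "__main__":
    stats = summarise(SAMPLE_RESULTS)
    for position, bucket in stats.items():
        print(position, {k: bucket[k] for k in FUNNEL + [REPORTED]})
    print("needs training:", groups_needing_training(stats))
```

The report rate is worth tracking alongside the click rate: a group that clicks rarely but also never reports is still a weak detection point.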

Lab Notes

In the lab, we have a Windows system preconfigured with Gophish as well as an email, an email template and a list of targets.

As the lab is not connected to the internet, we need to remove some resources that Gophish normally loads when rendering the web application. To do this, head over to the templates folder and open the base.html file in Notepad, then delete the Google Fonts lines at the start. Do the same for the login.html file. We also need to edit the config.json file and set use_tls to false.

You can set up an SSL certificate for Gophish. To do this, you would open the config.json file and edit the listen_url parameter to the IP address where your Gophish server is hosted. You can edit other options as well if you wish.

Now, let's run the Gophish executable and load it up in Firefox. We have already been given credentials to log in.

First, let's set up a sending profile. Set the username to red@demo.ine.local and the password to penetrationtesting. We can then send a test email to victim@demo.ine.local.

Next, we create a new landing page mimicking the INE password reset portal by importing the site being hosted at http://localhost:8080.

We then create our email template by pasting it in from the Desktop, create a user group containing all the INE email addresses to send to, and finally set up our campaign.


That’s it for this section. Next one up is the introduction to the web and HTTP protocol section.

— Hmad

Written by

Hmad

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.