Pentesting lesson 3
social engineering hoax
A hoax is another element of social engineering in which the attacker presents a fictitious situation as real. It is related to the idea of a scam, though in a hoax, the attacker's goal is not necessarily financial gain.
examples of hoaxes
A pop-up that says an antivirus program has identified malware on the target's system and that the target should click a link to fix the infection. In reality, the link itself leads to malicious code.
An email claiming to be from a citizen of a foreign country asks the target to help them access funds in a bank account. They request that the target send money in advance, promising a percentage of the total sum in the account in return. In reality, there is no such account, and the attacker simply keeps the money the victim sends.
An email claiming to be from Amazon says that the target's account has been flagged for suspicious activity and that the target must sign in to Amazon to confirm the account has not been compromised. In reality, the sign-in link goes to a pharming website that steals the user's credentials.
A blog post claiming that most computer performance issues are the result of RAM that has not been "cleaned" often enough. The post offers steps for performing a "clean" operation at the command line. In reality, the command formats the user's storage drive, completely wiping its contents.
SMiShing
Also called SMS phishing, this is a phishing attack in which the attacker entices the victim through SMS text messages. The prevalence of smartphones may make SMS more attractive to an attacker than email, but people are also more likely to ignore text messages from unknown or untrusted senders than they are to ignore email.
Vishing
Also called voice phishing, this is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). While speaking to someone directly in order to entice them may be difficult for an attacker to pull off, it can also be more effective, as people tend to place more trust in those they can have a real-time conversation with.
lock picking and bypassing
Any given organization will undoubtedly have at least one door, cabinet, safe, device, or other asset that they place behind a lock. You may need to find ways to circumvent these locks in order to achieve your goals. If you can't even get into an office because the front door is locked, then your physical pen test will be cut short. First and foremost, the type of lock will influence how you get around it. There are several different types of locks. One of the most common is a standard key lock, which, as the name implies, requires the correct key in order for the lock to open. Key locks typically use pin tumblers, interchangeable cores, or wafers under springs used for tension. Bolt cutters and hacksaws may be able to destroy locks that are made from substandard materials or are designed poorly. Other than physical destruction, you also have the option to pick the lock. Lock picking is a skill and requires practice with the right tools. Some vendors sell lock picking kits that come with an array of tools to make the job easier, but you still need to know how to use the tools properly for them to be effective. Such kits are usually designed to pick pin-tumbler locks and may not be adequate for more advanced high-security locks. The basic process of picking a pin-tumbler lock is to use a picking tool to raise or lower a pin until it is flush with the shear line (the gap between the key pin and the driver pin), then use a torsion wrench on the lock plug to hold picked pins in place. Then, you move on to the next pin and again use a pick to raise or lower it until it is flush with the shear line. You repeat this process until all pins are picked, at which point you use the torsion wrench to turn the lock plug, which disengages the lock. Not all locks use keys, however. Keyless locks like combination locks, access card locks, and biometric scanners must be either destroyed or bypassed.
Simple combination locks can be brute forced with enough permutations, but access card locks and biometric scanners are difficult to bypass without the proper item or biometric profile. In these cases, you may need to think outside the box. For example, the lock may only be active during off hours, so you can bypass it entirely by trying at a time when it is inactive. In some cases you might get lucky with a biometric lock: the product might have a high false acceptance rate (false positives) and allow unauthorized people to enter. You might even encounter doors that are physically weak or not installed properly, rendering their locks ineffective.
psychological manipulation
Attackers exploit humans' willingness to place trust in others and prey upon their sometimes erroneous decision-making abilities. Attackers also exploit the inherent cognitive biases within all people to craft more effective and targeted attacks.
pretexting
Attackers will communicate, whether directly or indirectly, a lie, half-truth, or sin of omission in order to get someone to believe a falsehood. This belief may spur the victim into committing an action they had not intended or that runs counter to their interests.
motivation
Attackers will try to motivate their target to take some action that will ultimately benefit the attacker.
motivation technique- fear
Because fear is such a visceral emotion, it can motivate people to act in ways they normally wouldn't, just to purge themselves of that fear. Fear of loss is especially powerful. Attackers often use fear tactics to convince a victim that they will lose money or access if they do not comply.
Before you focus on specific physical attacks, it would help to understand what you may be up against. The following is a list of common physical security controls that might be in place on the target's premises:
Door and hardware locks, both physical and electronic.
Video surveillance cameras inside and outside of a building.
Security guards stationed inside and outside of a building, or patrolling an area.
Lighting that makes it easier to spot an intruder at night.
Physical barriers like fences and gates.
Mantraps.
Alarms and motion sensors.
shoulder surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
guidelines for performing physical security tests on facilities
Identify the physical security controls in place at the target premises as best you can.
Look for low fences to entrances and other restricted areas that you might be able to go over.
Consider using a ladder to scale a taller fence.
Consider that scaling a fence with barbed or razor wire may lead to serious injury.
Look for dumpsters outside of buildings that may contain sensitive material the organization has disposed of.
Look for calendars containing passwords at the beginning of a new year.
Look for poorly disposed-of sensitive business documents.
Look for poorly sanitized storage drives and computer equipment.
Practice with a lock picking tool to gain enough skill and experience to pick a key-based lock.
Find other ways around keyless locks, like coming back at a time when the lock isn't activated.
Use a handheld RFID writer to easily clone badges using insecure 125 kHz EM4100 technology.
Conceal a cloning tool in a bag or other container that can read badge data from several feet away.
Use an Android device with NFC and a cloning app to clone encryption-based badges that use the default keys.
Identify the area that motion sensors cover.
Leverage motion sensor blind spots to move through a building.
Consider using a piece of material to block a motion sensor, like cardboard.
Focus an infrared light on a sensor to fool it into believing the area is at an acceptable level.
target eval
In many cases, attackers with specific targets in mind will evaluate those targets and determine how susceptible they are to specific types of social engineering. They will also evaluate their general level of awareness of computing technology and cybersecurity.
Pharming
In this type of attack, the attacker entices the victim into navigating to a malicious web page that has been set up to look official. The site may mimic an existing website, like the victim's banking website, or it may simply have an air of legitimacy. The victim interacts with this site in order to provide their sensitive information to the attacker, like filling out a fake "login" form with their password.
motion detection bypassing
Motion detection systems are used to detect movement in a particular area for the purposes of identifying unauthorized physical access. Such systems typically incorporate sensors that are placed at a building's key entrances and exits in order to monitor ingress and egress. Ingress and egress sensors can use a variety of different technologies to detect motion, but most focus on detecting minute changes in the infrared spectrum. Some sensors are specifically designed to detect the human body's infrared emissions. Others may detect when a strong infrared pattern is being blocked. More advanced sensors can be supported by algorithms that detect any deviation from the established infrared baseline of an area. However the sensor works, if it detects motion, it will likely trigger an alarm or a fail-safe mechanism, such as activating a mantrap. Bypassing motion detection systems can be tricky, especially if they cover an entire room that you want access to, or if they "block" your path to other rooms of value. The simplest method would be to assess where the sensors are and what zones they are covering, then attempt to move while staying out of the zones (i.e., taking advantage of blind spots). Most sensors are placed in ceilings and opposite each other to cover the widest possible area. Finding a blind spot is not always feasible if the zones encompass too wide an area or you cannot identify where the sensor is. Another method would be to place a piece of material, like cardboard, Styrofoam, or glass, over the sensor to block it entirely. If you can't reach the sensor itself, you may be able to use the material to block your own body and minimize the infrared light you are projecting. However, this is not always effective and often requires you to move very slowly and use a large piece of the blocking material. Likewise, sensors that look for strong blocking patterns will not be fooled by either of these tactics.
Some sensors can be bypassed by focusing an infrared or near-infrared light at them. They will not necessarily detect any blocking patterns and the focused light source may be able to mask any human-based infrared emissions. Note that this will not work with sensors that use a baseline comparison.
motivation technique- likeness
People are more likely to listen to someone and comply with their requests if they feel an affinity toward them. They may see themselves in this other person, such as having a similar speech pattern. Or, the other person may represent an ideal, such as someone who is physically attractive. Attackers can leverage this to be charming and persuasive to specific people.
motivation technique- scarcity
People tend to attach undue value to objects or ideas that are uncommon or otherwise difficult to obtain. A "secret" or "exclusive" item is more enticing to the victim than something they encounter every day. For example, the attacker may claim to reward a victim with a unique collectible that they cannot acquire anywhere else.
motivation technique- authority
People tend to obey authority figures even when they know the requested action is either ethically dubious or counter to their own interests. They also tend to obey authority figures when they don't have enough information to accurately assess a situation. An attacker posing as an authority figure, like a police officer, is often more successful at enticing a victim to perform some action they shouldn't.
what are some elicitation techniques
Requests, where the social engineer in a trusted position requests that the target provide them with some useful information. This is the most direct method of elicitation.
Interrogation, where a social engineer directly asks people questions with the intention of extracting useful information. The social engineer may be posing as an authority figure to improve their chances of eliciting answers.
Surveys, where a social engineer indirectly collects data from volunteers. Surveys are effective where interrogation is not a viable option.
Observation, where a social engineer examines the target's behavior in a particular environment, with or without their knowledge. A person's behavior and day-to-day routine can provide the social engineer with insight into how they think or act in certain situations.
types of phishing
SMiShing, vishing, pharming, spear phishing, whaling
what can be achieved by compromising physical security controls
Take pictures of restricted areas, proprietary devices, and internal vulnerabilities and defenses.
Steal devices, documents, and electronic data.
Access restricted systems.
Plant malicious devices such as keystroke loggers and Raspberry Pis on the private network.
Search for new targets.
building relationships
The more comfortable and friendly a victim is with the attacker, the more likely they will trust the attacker. Attackers may therefore try to get to know their target on a personal level.
Whaling
This is a form of spear phishing that targets particularly wealthy or powerful individuals, like CEOs of Fortune 500 companies. The risk is higher for an attacker, as such individuals are likely to be better protected than an average person. However, the payout for the attacker will be significantly higher. For example, an urgent phony invoice might induce a CEO to order the finance department to wire a "long overdue" payment to the attacker's account.
Spear phishing
This is a phishing attack, irrespective of medium, that is crafted to target a specific person or group of people. Spear phishing attacks require that the attacker perform some reconnaissance and gather some people-based information on their targets before launching the attack. The attacker uses what they learn about their targets' habits, interests, and job responsibilities to create a custom message that is much more convincing than a generic message sent to anyone and everyone. For example, an attacker might know that a target's birthday is coming up soon and that they plan on holding a party at a specific venue. The attacker can pretend to work for this venue and mention the target's birthday party.
motivation technique- urgency
This is similar to scarcity, but with a time element involved. An attacker might encourage a victim to act quickly, lest the victim miss their opportunity to acquire something. For example, a "limited time offer" is more likely to pique a victim's interest.
motivation technique- social proof
This is similar to the concept of conformity, in which people tend to mirror the actions of others because they want to fit in. If a victim sees or believes they see an attacker engaging in some behavior, they may themselves engage in that behavior. This is more effective if the behavior is exhibited by a group of people whom the victim trusts. For example, a group of attackers working in concert may install a fake "antivirus" program on their computers, and the victim may decide to do the same in order to appear competent to their peers.
URL hijacking (typosquatting)
URL hijacking, also called typosquatting, is a social engineering attack in which an attacker exploits the typing mistakes that users may make when attempting to navigate to a website. For example, a user wishing to visit CompTIA's website might type in their browser: comtpia.org. The browser has no way of knowing this was a mistake, so it sends the user to that literal website, typo and all. An attacker has already registered this domain and is counting on users to make just such a mistake. So, the user essentially gets directed to a malicious site instead of their intended destination. The malicious site might be very clearly the wrong one, but more clever attackers will turn this into a pharming site that mimics the real one closely. That way, the victim may never even know that they committed an error, and will continue on, ignorant of the problem. In addition to misspellings, URL hijacking also encompasses instances where the wrong top-level domain is used (e.g., comptia.gov), instances where domains and subdomains are obfuscated (e.g., login.comp.tia.org), and instances where a different form of a word is used (e.g., thecomptia.org). Note that many companies have expended significant effort in combating typosquatted domains, though some do fall through the cracks.
guidelines for performing social engineering tests
Understand the basic components of social engineering and what ideas they rely on to be effective.
Leverage the techniques that motivate people to fall prey to social engineering.
Launch a phishing attack that entices targets to leak sensitive information.
Use media other than just email to phish sensitive information.
Create a convincing forgery of a popular website to entice targets to visit.
Use the forgery to capture input credentials, like in a login form.
Leverage gathered data about people to craft customized spear phishing attacks.
Consider targeting executives and other high-level personnel in a phishing attack.
Use impersonation techniques to make the attack seem more authentic, like posing as a help desk worker.
Use elicitation techniques to get targets to reveal information, like requests and surveys.
Leverage hoaxes to make attacks more convincing.
Drop a USB drive loaded with malware in a parking lot to see if anyone plugs it into their system.
Determine how users may fall victim to an attack by mistyping URLs.
Leverage spam techniques with phishing attacks to reach many users.
See how easy it is to observe employees at their computers without them noticing.
Consider how an office environment might make tailgating or piggybacking more or less effective.
spam and spim
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.
what are the motivation techniques
authority, scarcity, urgency, social proof, likeness, fear
BEC
Business email compromise. Elicitation is useful in supporting a variant of phishing called a business email compromise (BEC). In a BEC, an attacker usually impersonates a high-level executive or directly hijacks their email account. They then send an email to financial personnel, requesting money via a method like a wire transfer. Because the financial personnel believe the request is legitimate, they will approve the transfer. The attacker successfully elicits this payment without stealing it directly.
baiting
Baiting is a social engineering attack in which an attacker leaves some sort of physical media in a location where someone else might pick it up and use it. This exploits people's tendency to be curious about objects and situations that are out of the ordinary or that catch the eye in some way. The most common form of baiting involves leaving a USB thumb drive in a parking lot or some other public area near a workspace. An employee might notice the USB drive lying on the ground, pick it up, and plug it into their computer. Unbeknownst to them, the drive has been pre-loaded with malicious software that compromises the employee's computer. These kinds of attacks can rely on the victim's computer having autorun enabled so that the malicious code is executed immediately. The malware, depending on its nature, may then spread outward and start infecting other hosts on the network. Even if autorun is not enabled, the attacker can still entice a user to run the malicious code on the USB drive by disguising it as something fun (e.g., a video game), useful (e.g., an antivirus program), or mysterious (e.g., files with cryptic names).
RFID
RFID (radio-frequency identification) is a standard for identifying and keeping track of objects' physical locations through the use of radio waves. RFID has many different applications, but in the context of physical security, it is often used with identification badges. An RFID tag is attached to the badge and contains an antenna and a microchip. A lock containing an RFID reader continuously sends a signal into the area surrounding the reader. The RFID tag's antenna picks up this signal when in close proximity and the microchip generates a return signal. The RFID reader receives this signal and opens the lock if the signal is authenticated. Unlike a card with a chip or magnetic stripe, an RFID badge does not need to be waved in front of the reader. It simply needs to be within a few feet of the reader, and can be inside of a bag, affixed to someone's shirt, or otherwise physically obstructed. RFID authentication systems can support granular access control with unique badges, allowing only certain badges to open certain locks. Although a badge is technically a "key" to the RFID lock, it helps to mitigate lock picking while still requiring that the user present a specific item for authentication.
tailgating
Tailgating is an attack where the attacker slips into a secure area while following an authorized employee. The employee doesn't know that anyone is behind them. For example, an employee might enter the company lobby by using an access card on the locked entrance. They open the door wide and let it close by itself, not looking to see if anyone's behind them. The attacker then quietly moves to the door as it's closing and stops it, then walks in. Tailgating requires several factors to be effective: the doors must not close too quickly; the followed employee must not be paying attention; and there must not be an attentive guard or other personnel waiting on the other side.
piggybacking
Piggybacking is essentially the same as tailgating, but in this case, the target knows someone is following behind them. The target might know the attacker personally and be complicit in their attack, or they might be ignorant of what the attacker is doing. For example, if the attacker was recently terminated from the company, the target might not know this and assume it's just another day at the office. However, it's more likely that the target doesn't know the attacker, but is just keeping the door open for them out of common courtesy. The target may also let the attacker through in order to avoid confrontation. However, piggybacking will be less effective in smaller organizations where everyone knows everyone else, or in environments where building access is strongly controlled. Piggybacking and tailgating are also examples of how you can use social engineering as part of a physical attack. For example, one of the easiest ways for an intruder to enter an access-controlled building would be to slip in with employees as they return after a fire drill.
badge cloning
Badge cloning is the act of copying authentication data from an RFID badge's microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without actually stealing a physical badge from the organization. Badge cloning can be done through handheld RFID writers, which are inexpensive and easy to use. You simply hold the badge up to the RFID writer device, press a button to copy its tag's data, then hold a blank badge up to the device and write the copied data. You now have a cloned badge. What's more, certain badge cloning tools can read the data like any normal RFID reader, in that the reader can be several feet away and concealed inside a bag. Note that badge cloning is most effective on older RFID badge technology that uses the 125 kHz EM4100 protocol. This technology does not support encryption and will begin transmitting data to any receivers that are nearby. Newer RFID badge technology uses higher frequencies that increase the rate at which data can be sent, and subsequently supports encryption. These badges only broadcast certain identifying attributes, rather than all authentication data on the badge. Despite the advances in security, these encryption-based badges can still be cloned with the right tools. All it takes is an Android device with NFC capabilities and a cloning app. Certain apps contain the default encryption keys that are issued by the badge's manufacturer. Many organizations fail to change these keys, and as a result, you can easily copy the badge's data to a new badge through NFC.
impersonation
Impersonation is the act of pretending to be someone you are not. Many of the most effective social engineering attacks, especially phishing, include impersonation as a component. In that sense, impersonation is an element of an attack, rather than an attack in itself. Impersonation often relies on situations where a target cannot sufficiently establish the attacker's identity. A common example of impersonation is when an attacker pretends to be a help desk worker and calls an employee, asking them for their password so that they can reset an accounts database. If the target isn't familiar with the help desk employees or the phone number that they use, then they might not be suspicious of the request. Impersonation can also be more effective in face-to-face interactions. Most people want to avoid appearing rude or dismissive when they're talking with another human being directly. So, they may be less likely to question the impostor than if they had been contacted through email or on the phone. Of course, face-to-face impersonation will only work if the target doesn't know what the impersonated individual looks like, or doesn't know them well enough to be suspicious of their appearance.
dumpster diving
Dumpster diving is the act of searching the contents of trash containers for something of value. In a pen test, dumpster diving can help you obtain certain documents that contain sensitive information relevant to the organization. For example, in the first few weeks of the year, people often discard calendars from the previous year. Many people write their passwords down on their calendars so they don't need to remember them. In addition to personal documents, organizations sometimes improperly dispose of official documents in hard copy, like past quarterly financial reports or product proposal drafts. These can give you insight into the target's business operations. You may even be able to piece together shredded documents with enough time and patience. In addition to documents, organizations also improperly dispose of storage drives and even whole computers. They may have failed to wipe the data from these devices, enabling you to recover their contents and possibly find something of value. Like fence jumping, dumpster diving will likely draw suspicion if you're seen. Still, dumpsters are usually placed out of view and away from where people work. Dumpsters may also be conveniently accessible outside of restricted areas, so that external sanitation personnel can pick up the trash without needing to go through a security checkpoint. In other words, they may be exposed to the public and require little effort to access. Note: Dumpster diving may also be considered a form of social engineering.
fence jumping
Fence jumping is the act of surmounting a height-based physical barrier like a fence, gate, or wall in order to gain access to a restricted area. Depending on the barrier's height, you may find it easier to go over it than to attempt to go around it or through it. For example, some fences are only three to four feet high and are designed to prevent someone from casually walking up to an area they shouldn't be accessing. The fence may extend all along the perimeter, and is likely made of metal that is not easily bent or broken without the proper tools. Therefore, going over the fence could be the most viable option. However, someone attempting to climb or literally jump over the fence may attract suspicion if seen. More restrictive premises will likely install taller fences, usually above eight feet, that cannot be jumped and must be climbed. Not only will these fences attract suspicion, but they are also designed to be difficult to climb over without considerable effort. A ladder may aid in your efforts to scale a tall fence, though again, this could draw suspicion. More extreme anti-fence-jumping measures can come in the form of barbed wire or razor wire at the top of the fence. Even if you manage to scale the fence, you will have a difficult time actually going over it without injuring yourself. This acts as a powerful deterrent. However, sections of barbed wire and razor wire can be cut with the right tools, enabling passage over the fence without harm.
what is elicitation
Elicitation is the process of collecting or acquiring data from human beings. This is different from information gathered about human beings: in elicitation, a social engineer attempts to learn or access useful information by contacting people who may provide certain key insights. The advantage of this approach is that some knowledge useful to an attack or pen test can only be acquired from other people.
SET
Social-Engineer Toolkit
what are the basic components of social engineering attacks
target evaluation, pretexting, psychological manipulation, building relationships, motivation