7.2 Performing the Attacks

What results might you seek to achieve with social engineering, whether in a real attack or in penetration testing? Useful information for obtaining access or for testing can be grouped into the following categories:

1. Physical access (to steal, modify, destroy, or violate any or all of the three components of the CIA model ”confidentiality, integrity, and availability ”of protected resources)

2. Remote access credentials (password and other access credentials for phone, computer networks, and other equipment)

3. Information (data, source code, plans, customer data, and other proprietary, confidential, or secret data)

4. Violation of other security controls (such as making victims run code, transfer funds, or perform other actions on behalf of the social engineer)

7.2.1 Active and Passive Attacks

For the purpose of this chapter, we divide social engineering attacks into active and passive . Active probes directly interact with the target and elicit its response, whereas passive attacks acquire information with stealth.

Active social engineering involves interaction with target personnel in order to obtain security-relevant information, gain access privileges, or persuade someone to commit a policy violation or act as a proxy on the attacker's behalf. In contrast, passive attacks include eavesdropping and observation and subsequent analysis of the results. Passive attacks often seek to acquire seed information with which to launch further active social engineering or network-based physical attacks.

It is also important to note that intelligence gathering in the form of passive social engineering and surveying open source intelligence is crucial for preparing a social engineering attack or test. People are much richer systems than computers. Thus, the process of "reading the manual" is more complicated when studying humans .

Active attacks elicit the required response through basic human emotions. The following are some methods for a successful attack:

Intimidation

This method uses "hardball" tactics ” threatening and referencing various negative consequences resulting from noncompliance with the attacker's request.

Impersonation

Involves posing as somebody else ”a classic trick of social engineers . Note that while it is sometimes beneficial to assume a position of power, the opposite comes in handy as well.

Blackmail

Does not necessarily translate to criminal offences, and might involve emotional blackmail.

Deception

The broad category of deception covers many of the other attack methods. Many attack methods may be enhanced with deception.

Flattery

Many people are surprisingly vulnerable to this simple ploy. Flattery is known to open doors to economic spies and con men.

Befriending

People do things for friends that they would never do for a stranger. If an attacker manages to position himself as a friend, many avenues for attack open up.

Authority

Related to intimidation, this tactic exploits a fear many people have of authority figures such as police officers, bosses, and others seemingly "above" the victim.

Pressure

Bad decisions are often made under pressure ”including decisions to disclose confidential information. High-pressure sales tactics also fall in this realm.

Vanity

Similar to flattery, an appeal to vanity often facilitates the connection between victim and attacker.

Sympathy

Earning the sympathy of a victim is likewise desirable in many cases.

Combination attacks (such as intimidation and impersonation) can be much more effective than individual attacks. Note also that not all of the tactics are applicable to every possible goal of social engineering. For example, it is unlikely that anybody ever obtained a password with a flattery attack.

The social engineer may consider the three positions in Table 7-1 before launching an attack.

Table 7-1. The attacker/target relationship

Depending upon the circumstances and personal preference, the attacker might play a helpless victim, if intelligence gathering indicates that this approach will be effective. On the other hand, an angry boss position of superiority works wonders sometimes. Finally, claiming to be an equal or a friend often yields results when the first approaches fail.

Let's examine some sample attacks using the positions and methods outlined above.

7.2.1.1 Sample 1: Impersonation

The attacker pretends to be a mailman in order to obtain access to a company facility. In this case, the attacker places himself in a lateral position, using just an impersonation technique to get privileged physical access.

7.2.1.2 Sample 2: Impersonation and authority

The attacker pretends to be a system administrator's superior and calls the sysadmin for a password. This method is more effective in a large organization, where many layers of hierarchy exist and people might not know their boss's boss. While this attack might sound easy, success depends on the attacker's knowledge of how to approach the victim in a convincing manner, as well as flexible conversation skills.

7.2.1.3 Sample 3: Blackmail

Information gained in the past can be leveraged for access to more information via blackmail. If this word smacks of bad crime novels , you may prefer the modernized "leveraging acquired information assets to gain further ground" instead. This definition emphasizes this technique's need for careful research, so that the attack may be optimized using knowledge of the victim's past transgressions.

7.2.1.4 Sample 4: Sympathy

The attacker asks for advice or guidance from an employee. Running this one requires the attacker to "genuinely" sympathize and requires some acting skills.

7.2.2 Preparing for an Attack

To pick roles for impersonation during the social engineering attack, consider the following list. On the defense side, be prepared for anybody initiating communication with you to use one of these tactics. We do not advise complete paranoia ”just a healthy helping of it. This list illustrates the thinking patterns of potential attackers , who might select a circuitous route to the goal ”one that may not be on the radar screen of the defending party.

Coworker

Subordinate, boss, new hire, intern, temp worker, consultant

Outside authorized party

Postman, janitor, building maintenance, delivery driver, repairman, partner-company employee, customer, research student, job applicant , ex-employee, vendor/contractor personnel, law enforcement/government agent

Social acquaintance

Friend, neighbor

In a social engineering attack exercise, you can select from these roles, depending upon your goals. Let us now turn to possible communication channels for the attack. Social engineering attacks can be conducted through various communication media, including the phone, mail, email, the Web, instant messaging or chat (IRC), or a mailing list or discussion forum. They can also take place in person.

The following are some examples of attacks using the above media:

• Social meeting (meet the target employee for coffee, and pump him for useful information)

• Facility tour (ask the future employer for a facility tour, and come back with passwords and network topology data)

• Sales call or job call (promise to solve their security problems, and meanwhile learn about their current IT defenses)

• Web survey (add a couple of questions about security devices to an innocent survey, and you have the inside scoop)

• Faked web site to collect login information (people naturally reuse passwords; thus, a password to one web site can open the way to corporate email)

• Paper mail survey (a formal survey to get details on their technology infrastructure)

Target selection is often based on initial information gathering and the possible roles we've mentioned. Common targets of social engineering attacks include help desk, tech support, and reception personnel. This list is by no means comprehensive, but these positions are consistently vulnerable to wetware attacks.

The attack comes after an initial sweep for information via public sources (i.e., passive social engineering or technology-based attacks such as network surveying). The methods we've described are combined with various communication media, using a social engineering action plan , or "toolkit." The action plan involves maneuvers based on the chosen target, along with any supporting information, followed by a determination of the sequence of attacks to try. It is a simplified framework for creating social engineering attacks. Table 7-2 gives a summary of sources that can be used as part of an initial sweep and information-gathering mission.

Table 7-2. Information gathering sources and methods

7.2.3 Social Engineering Action Plan

A social engineering action plan welds the social engineering attack components into one truculent blade . These are the steps of a planned social engineering attack:

1. Identify the target company.

2. Determine the desired outcome (access credentials, proprietary information, subversion, etc.).

3. List all people at the company who may have access to the desired information or be useful for the outcome (use publicly available information from the initial sweep).

4. Choose the individual targeted for attack.

5. Acquire more information about the victim, using passive social engineering tactics or other methods.

6. Decide on the type of communication media (in person or by phone, email, the Web, etc.).

7. Pick a social engineering method (impersonate, intimidate, blackmail, deceive, flatter, befriend, etc.) based on the victim's characteristics.

8. Run an attack.

9. Document the obtained information ( especially if the obtained information is not exactly what was required) and evaluate the victim as a potential source for more information or "help."

10. Adjust future strategy based on results.

Several of the steps in the action plan need additional clarification . For example, how does the attacker choose the best individual to target? While we are attempting to define social engineering attacks in terms of technology, the social engineer still relies heavily on experience and intuition. The final choices will likely be made on a hunch. In many scenarios, several unrelated targets are pursued, in order to "converge" on the desired information.

The following example is based on our action plan.

1. Example Electronics, a small manufacturer of components, is the target company. They have hired you to perform a social engineering attack on their network administration as part of a security audit.

2. The desired outcome is access to CEO correspondence (email, voice mail, and paper mail).

3. Individuals with access to the target resources include the CEO herself, the postman, a secretary (paper mail), a system administrator (email), and a PBX operator (voice mail).

4. You choose to attack the secretary and the system administrator.

5. The results of initial information gathering are as follows : the system administrator likes to play online games (she was observed posting to a forum on the topic using company email), and the secretary hangs out at Saloon X (he was seen there).

6. The selected communication channels for the attacks are in person for the secretary, and through web media for the system administrator.

7. Now, select the type of attack to employ . For the secretary, you decide to make friends and then obtain access to the company premises. In the case of the system administrator, you choose to send a web survey claiming to offer a prize, in order to get further information about email handling at Example Electronics.

8. Arrange a meeting in a social environment with the secretary and email the survey request to the system administrator.

9. After carrying out the attacks, document your findings: the secretary tells you that almost everybody leaves for lunch at 1:00 p.m. and the mailroom is left unlocked. From the survey completed by the system administrator, you discover that Example Electronics uses an outsourced email service that can probably be breached.

10. Your renewed strategy is to use the information you've gathered to gain further access to Example Electronics.

The action plan is flexible and does not need to be followed verbatim. Rather, it is merely a framework on which to build audits . Documentation is essential for reports on penetration testing and in order to evaluate the vulnerability of the company to social engineering attacks. In fact, accurate documentation is of even greater value for these tests than it is for technology-based tests, since the course of action must be constantly adjusted in a social engineering attack. People are more complex than computer systems.

Some additional tips:

1. If you are taking the authority route of attack, forge credibility. Fake business cards have been reported to work.

2. Use a team (it is often much easier to persuade a victim while working as a group ).

3. Aggressively chain contacts: when you obtain a single contact name , ask for more names and then contact those people, or impersonate using the previous person as a credibility prop. Keep detailed log data describing all contacts in order to evaluate their security awareness and resistance to attacks, and also to better target future attacks.

4. Sometimes calling and asking people directly gets sensitive information. Many people are naturally trusting and will give social engineers the information they need without further action.

7.2.4 Social Engineering Information Collection Template

If you are conducting social engineering attacks in the context of legitimate penetration testing (the only way we recommend doing it), here is a template for optimizing information collection.

This template outlines the documentation of information collected in social engineering attacks. It focuses on three areas: the company, its people, and its equipment (including computer systems).

 Company ----------------------- Company Name                            Company Address                                  Company Telephone                           Company Fax                             Company Web Page Products and Services Primary Contacts                        Departments and Responsibilities Company Facilities Location Company History                          Partners Resellers Company Regulations Company Infosecurity Policy                Company Traditions                       Company Job Postings Temporary Employment Availability /* get a job there and hack from inside */ Typical IT threats People -------------------------- Employee Information Employee Names and Positions          Employee Places in Hierarchy  Employee Personal Pages          Employee Best Contact Methods Employee Hobbies Employee Internet Traces (Usenet, Forums) Employee Opinions Expressed  Employee Friends and Relatives Employee History (Including Work History) Employee Character Traits Employee Values and Priorities Employee Social Habits Employee Speech and Speaking Patterns Employee Gestures and Manners /* used for creating and deepening "connection" during  social interaction */ Employee Login Credentials (Username, Password) for Various Systems Equipment ------------------------ Equipment Used Servers, Number and Type Workstations, Number and Type Software Used (with Versions) Hostnames Used Network Topology Anti-virus Capabilities Network Protection Facilities Used (with Software Versions) Remote Access Facilities Used (Including Dial-up) Routers Used (with Software Versions) Physical Access Control Technology Used Location of Trash Disposal Facilities