A gentle introduction to Social Engineering
You probably heard this mantra "Social Engineering ! because there is no patch for human stupidity". Social engineering is the art of hacking humans. In other words, it is a set of techniques (technical and nontechnical) used to get useful and sensitive information from others using psychological manipulation. In this article, we are going to learn Social engineering fundamentals, Why people and organizations are vulnerable to it and finally, how to perform social engineering attacks using Kali Linux.
Social Engineering Overview
There are many books like "The art of inception", "The art of deception", "Ghost in the wire", "The art of hacking the human mind" and so that discussed Social engineering and presented many techniques to teach how to manipulate people to get them to disclose sensitive information and useful information so you can use them later in your attacks. All the works proved that human is the weakest link when it comes to information security. It is not just about hacking tools and techniques. Studying human weaknesses could be very useful to succeed in an attack. Before learning how to perform Social engineering attacks let's explore why People and organizations are vulnerable to Social engineering attacks.
[Image Courtesy: https://wraysec.com/wp-content/uploads/2015/10/Social-engineering-security.png ]
What makes Organizations vulnerable to Social engineering?
We discovered previously that social engineering uses psychological manipulation to trick targets. Thus, many human weaknesses could be exploited when performing SE. These are some causes why people and organizations are vulnerable to Social engineering attacks:
- Trust
- Fear
- Greed
- Wanting to help others
- Lack of knowledge
Other causes were discussed and named " Cialdini's 6 Principles of Influence"
Cialdini's 6 Principles of Influence
The Cialdini's 6 principles of influence were developed by Dr Robert Cialdini. These principles can be exploited while performing social engineering engagement. The principles are:
- Reciprocity: we pay back what we received from others.
- Commitment & Consistency: We tend to stick with whatever we've already chosen
- Social Proof: We tend to have more trust in things that are popular or endorsed by people that we trust
- Liking We are more likely to comply with requests made by people we like
- Authority : We follow people who look like they know what they're doing
- Scarcity: We are always drawn to things that are exclusive and hard to come by
Maslow's hierarchy of needs (Maslow)
Everyone knows the Maslow's hierarchy of needs. It is very implemented in the framework while attack vectors can be based on it. By having a fair understanding of its needs attackers can exploit them to perform social engineering attacks
Social Engineering Techniques
There are a lot of Social engineering attacks. Generally, they can be divided into two major categories:
- Person-based social engineering attacks
- Computer-based social engineering attacks
The following are some of the most used engineering attacks:
- Baiting: is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims
- Impersonation: is an act of pretending to be another person for the purpose of entertainment or fraud.
- Tailgating: a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security's approval and opens their door,
- Dumpster Diving : is searching through the trash for obvious treasures like access codes or passwords written down on sticky notes.
- Phishing : Phishing scams might be the most common types of social engineering attacks used today
- Shoulder surfing : is the practice of spying on the user of a cash-dispensing machine or another electronic device in order to obtain their personal identification number, password, etc.
Phases of Social Engineering
To perform Social engineering you need to follow well-defined steps:
- Information gathering about the target
- Victim Selection
- Engagement with the selected victim
- Collecting information from the victim
Social Engineering with Kali Linux
By now, we acquired a fair understanding of Social engineering and theoretically how to perform it. It is time to put what we learned into the test and practice what we learn using many open source scripts and Kali Linux tools. As discussed before information gathering is a required step in social engineering. We already explored information gathering in many Peerlyst posts so, I think we need to dive in directly into how to perform social engineering.
Social-Engineering Toolkit
Social engineering Toolkit is an amazing open source project developed by Trustedsec to help penetration testers and ethical hackers perform social engineering attacks. To check the project official GitHub repository you can visit this link: https://github.com/trustedsec/social-engineer-toolkit
In this article we are using Kali Linux as a distribution, so there is no need to install while it is already installed in Kali Linux.
To run the toolkit just open the terminal and run setoolkit
To start using the social engineering toolkit you can select one of the following options.
If we want to perform a social engineering attack type 1
You will find many Computer-based Social engineering techniques you can choose from. Let's suppose that we want to create a Facebook phishing website. Select Credential Harvester Attack Method
and then Site Cloner. Enter all the required info and options (The URL to clone and so on)
Summary
In this post, we explored the fundamentals of Social Engineering and some of its techniques (Human and computer-based). Later we practice what we learned using many useful scripts and Kali Linux tools.
References and Further Readings:**
- SEEF definition of Social Engineering:"The elicitation of information from systems, networks or human beings through methods and tools" : https://seef.reputelligence.com/
- Dr. Robert Cialdini's 6 Principles of Persuasion (Over 60+ Examples Inside!):https://www.referralcandy.com/blog/persuasion-marketing-examples/
- 5 Social Engineering Attacks to Watch Out For: https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/