Key Takeaways

  • Humans are the weakest link in security
  • Pretexting creates believable cover stories
  • Cialdini's 6 principles are the foundation
  • Verification procedures are the best defense

1. What is Social Engineering?

Social engineering is the art of manipulating people into performing actions or divulging confidential information. Unlike technical hacking, it exploits human psychology rather than software vulnerabilities. Kevin Mitnick famously said, "The human firewall is the easiest to penetrate."

2. Psychology of Manipulation

Cialdini's 6 Principles of Influence

Emotional Triggers

3. Attack Techniques

Pretexting

Creating a fabricated scenario (pretext) to engage the victim. The attacker assumes a role: IT support, vendor, new employee, auditor.

"Hi, this is Mike from the IT helpdesk. We're seeing some suspicious activity on your account. I need to verify your identity - can you confirm your employee ID and the last 4 of your password?"

Baiting

Leaving malware-infected USB drives or files where victims will find them.

USB labeled "Executive Salaries 2024" left in parking lot
→ Curious employee plugs it in
→ Malware executes automatically

Tailgating/Piggybacking

Following authorized personnel through secured doors without credentials.

"Sorry, I forgot my badge - can you let me in?"
[Holding coffee cups] "Could you get the door? My hands are full."

Vishing

Voice phishing over the phone. Caller ID spoofing makes it look legitimate.

"This is the IRS. You owe $5,000 in back taxes. Pay now with gift cards or face arrest."

4. OSINT for Social Engineering

# Reconnaissance targets:
# - Employee names, titles, emails (LinkedIn, company website)
# - Org structure (who reports to whom)
# - Technology stack (job postings reveal tools)
# - Recent news/events (mergers, layoffs, projects)
# - Personal info (social media, hobbies, pets)

# Tools:
theHarvester -d company.com -b all
linkedin2username.py -c "Company Name"
# Social media OSINT: Facebook, Instagram, Twitter

# Use gathered info to build pretexts:
# "Hey John, I met you at the AWS conference last week..."
# "I'm working with Sarah on the Salesforce migration..."

5. Physical Social Engineering

Physical Penetration Testing

# Badge cloning with Proxmark
proxmark3> lf hid read
proxmark3> lf hid clone 2006xxxxxx

# Common pretexts for building access:
- Fire alarm inspector
- HVAC technician
- Printer repair
- Food delivery
- New employee
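The badge-cloning and tailgating techniques above leave traces in the access-control system's own logs. The following Python script is an added example, not code from the original page or any product, that runs two common physical-security detections over a constructed badge log: anti-passback (a badge recorded entering the same door twice with no exit in between, typical of a clone or a tailgater re-using a card) and impossible travel (one badge at two doors faster than anyone could walk between them). The door names, badge IDs, timestamps and minimum walking times are hypothetical values constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log (not from the page): ISO timestamp, badge id, door, direction.
SAMPLE_LOG = """\
# ts,badge_id,door,direction
2024-05-06T08:00:00,B-1042,HQ-LOBBY,in
2024-05-06T08:00:40,B-1042,HQ-SERVER-ROOM,in
2024-05-06T08:05:00,B-2210,HQ-LOBBY,in
2024-05-06T08:06:00,B-2210,HQ-LOBBY,in
2024-05-06T09:00:00,B-3001,HQ-LOBBY,in
2024-05-06T12:00:00,B-3001,HQ-LOBBY,out
2024-05-06T12:30:00,B-3001,WAREHOUSE-GATE,in
"""

# Assumed minimum walking time in seconds between door pairs (site-specific, hypothetical values).
MIN_TRAVEL_SECONDS = {
    frozenset({"HQ-LOBBY", "HQ-SERVER-ROOM"}): 120,
    frozenset({"HQ-LOBBY", "WAREHOUSE-GATE"}): 900,
}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge_id: str
    door: str
    direction: str  # "in" or "out"


def parse_log(text):
    """Parse the CSV-style log into BadgeEvent objects, skipping comments and blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge_id, door, direction = (field.strip() for field in line.split(","))
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge_id, door, direction))
    return events


def find_anomalies(events, min_travel=MIN_TRAVEL_SECONDS):
    """Return a list of alert dicts for anti-passback and impossible-travel violations."""
    alerts = []
    last_event = {}   # badge_id -> most recent event for that badge
    door_state = {}   # (badge_id, door) -> last direction recorded at that door
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_event.get(ev.badge_id)
        # Impossible travel: the same badge at two different doors faster than the walking time.
        if prev is not None and prev.door != ev.door:
            limit = min_travel.get(frozenset({prev.door, ev.door}))
            elapsed = (ev.ts - prev.ts).total_seconds()
            if limit is not None and elapsed < limit:
                alerts.append({
                    "kind": "impossible_travel", "badge_id": ev.badge_id, "ts": ev.ts,
                    "detail": f"{prev.door} -> {ev.door} in {elapsed:.0f}s (min {limit}s)",
                })
        # Anti-passback: a second "in" at the same door with no "out" recorded in between.
        key = (ev.badge_id, ev.door)
        if ev.direction == "in" and door_state.get(key) == "in":
            alerts.append({
                "kind": "anti_passback", "badge_id": ev.badge_id, "ts": ev.ts,
                "detail": f"repeat entry at {ev.door} without an exit",
            })
        door_state[key] = ev.direction
        last_event[ev.badge_id] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert["ts"].isoformat(), alert["kind"], alert["badge_id"], alert["detail"])
```

On the sample log this flags B-1042 (lobby to server room in 40 seconds) and B-2210 (two lobby entries with no exit); B-3001's lunchtime exit and later warehouse entry are normal. In practice the door-pair walking times come from a site survey, and alerts feed the same ticketing queue as the incident-reporting channel described under Defense Strategies so that guards can check the camera footage for the door involved.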

6. Red Team Operations

Social Engineering Engagement

  1. Scope definition: What's allowed? (phishing, vishing, physical)
  2. OSINT gathering: Research targets thoroughly
  3. Pretext development: Create believable stories
  4. Attack execution: Phone calls, emails, physical access
  5. Documentation: Record everything for the report
  6. Reporting: Findings, recommendations, awareness gaps

7. Defense Strategies

Organizational Defenses
  • Verification procedures: Callback verification for sensitive requests
  • Security awareness training: Regular, engaging training
  • Clear policies: No tailgating, badge required, visitor escorts
  • Incident reporting: Easy way to report suspicious activity
  • Physical security: Mantraps, cameras, guards
  • Need-to-know: Limit who has access to sensitive info

# Verification procedure example:
1. Receive request for sensitive data/action
2. Get caller's name and department
3. Hang up (politely)
4. Look up official contact info in directory
5. Call back on official number to verify
6. Never use callback number provided by caller
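The six-step callback procedure above can be encoded so that a help desk or finance workflow cannot skip the lookup or dial the number the caller offered. The Python below is an added example, not code from the original page; the internal directory, names and phone numbers in it are constructed for illustration. The design point is that the caller-supplied number is stored only to be compared against the directory and flagged, never dialled, and an unknown caller is escalated rather than called back.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed internal directory (hypothetical names and numbers): the only trusted
# source of callback numbers in this workflow.
DIRECTORY = {
    ("mike reed", "it helpdesk"): "+1 555 010 0100",
    ("sarah cole", "finance"): "+1 555 010 0200",
}


@dataclass
class InboundRequest:
    caller_name: str
    department: str
    summary: str
    offered_callback: Optional[str] = None  # number the caller volunteers; never dialled


def _digits(number):
    """Reduce a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number or "")


def plan_callback(req, directory=DIRECTORY):
    """Apply the callback procedure: look the caller up ourselves and dial only the directory number."""
    steps = [
        f"1. Request received: {req.summary}",
        f"2. Caller gave name/department: {req.caller_name} / {req.department}",
        "3. Call ended politely; nothing disclosed yet",
    ]
    key = (req.caller_name.strip().lower(), req.department.strip().lower())
    official = directory.get(key)
    if official is None:
        steps.append("4. No matching directory entry; escalate to security instead of calling anyone back")
        return {"action": "escalate", "dial": None, "offered_number_mismatch": None, "steps": steps}
    steps.append(f"4. Directory lookup: {official}")
    mismatch = req.offered_callback is not None and _digits(req.offered_callback) != _digits(official)
    if mismatch:
        steps.append("5. Offered callback number differs from the directory; recorded as a red flag")
    steps.append(f"6. Call back on {official} only; the offered number is never used")
    return {"action": "callback", "dial": official, "offered_number_mismatch": mismatch, "steps": steps}


if __name__ == "__main__":
    # The helpdesk pretext from this page, with a constructed "convenient" callback number.
    req = InboundRequest("Mike Reed", "IT Helpdesk",
                         "asks for employee ID and last 4 of password",
                         offered_callback="+1 555 999 0000")
    for line in plan_callback(req)["steps"]:
        print(line)
```

A request where the offered number does not match the directory is exactly the vishing case: the pretext may be plausible, but the callback lands on the real Mike Reed, who has no idea what the caller is talking about. The `offered_number_mismatch` flag is worth keeping in the ticket, since a pattern of mismatches across several staff is an early sign of an active campaign.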

8. Resources & Training

FAQ

Is social engineering illegal?
It is legal only with authorization (a pentest contract). Unauthorized social engineering to gain access or information is illegal (fraud, identity theft, computer crimes).
What's the most effective SE technique?
Pretexting combined with authority and urgency. "This is the CEO's assistant. He needs that report NOW for the board meeting."
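The authority-plus-urgency pairing named in this answer, and the vishing script in section 3, are the cues a triage step can look for before a request is acted on. The Python below is an added example, not code from the original page or any vendor: it scores a message or call transcript against small cue lists for authority, urgency and a sensitive ask, and reports whether the authority-and-urgency pairing is present. The cue lists are an assumption for illustration and would be tuned per organisation; the sample messages are the examples quoted on this page plus one constructed benign message.

```python
import re

# Cue patterns are an illustrative assumption, not an authoritative list; extend per environment.
CUES = {
    "authority": [
        r"\bceo\b", r"\bcfo\b", r"\bexecutive\b", r"\birs\b", r"\bhelpdesk\b",
        r"\bit support\b", r"\bauditor\b", r"\bpolice\b", r"\bvendor\b",
    ],
    "urgency": [
        r"\bnow\b", r"\bimmediately\b", r"\burgent(?:ly)?\b", r"\bright away\b",
        r"\bface arrest\b", r"\bsuspicious activity\b", r"\bbefore (?:the )?(?:board|deadline)\b",
    ],
    "sensitive_request": [
        r"\bpassword\b", r"\bemployee id\b", r"\bgift cards?\b", r"\bwire\b",
        r"\bmfa\b", r"\bverify your identity\b", r"\bcredentials?\b",
    ],
}

# Sample inputs: three pretexts quoted on this page and one constructed benign message.
SAMPLE_MESSAGES = {
    "helpdesk": ("Hi, this is Mike from the IT helpdesk. We're seeing some suspicious activity "
                 "on your account. I need to verify your identity - can you confirm your "
                 "employee ID and the last 4 of your password?"),
    "irs": "This is the IRS. You owe $5,000 in back taxes. Pay now with gift cards or face arrest.",
    "ceo_assistant": "This is the CEO's assistant. He needs that report NOW for the board meeting.",
    "benign": "Hi team, next week's cafeteria menu is attached. Enjoy!",
}


def score_message(text, cues=CUES):
    """Return the cue categories hit, whether authority and urgency co-occur, and a verdict."""
    lowered = text.lower()
    categories = {}
    for category, patterns in cues.items():
        matched = [p for p in patterns if re.search(p, lowered)]
        if matched:
            categories[category] = matched
    pairing = "authority" in categories and "urgency" in categories
    if pairing or len(categories) >= 2:
        verdict = "verify out of band before acting"
    elif categories:
        verdict = "single cue; proceed with care"
    else:
        verdict = "no cues"
    return {"categories": categories, "authority_plus_urgency": pairing, "verdict": verdict}


if __name__ == "__main__":
    for name, message in SAMPLE_MESSAGES.items():
        result = score_message(message)
        print(f"{name:14} {sorted(result['categories'])} -> {result['verdict']}")
```

Keyword cues will miss a well-written pretext and will fire on some legitimate traffic, so the verdict is a prompt to run the callback verification procedure from section 7, not a block decision. The useful signal is the pairing: a message that both invokes someone's authority and removes the time to check is the shape every example on this page shares.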
