The Social Engineer's Playbook



  A quick drive-by or aerial reconnaissance using Google Earth will help plan the travel route to and from the target location. Ideally, it should not take more than 10 minutes onsite. It should also involve at least two people working in tandem: for example, one person jumps inside the dumpster and tosses trash out while the other loads it into the vehicle and serves as a lookout. The entire process should be carried out as quickly as possible, with the analysis portion conducted at an offsite location.

  Dumpster diving truly is a dirty job. Thus, you need to be prepared to get dirty and take precautions so that you don’t get injured. Remember, you will likely be up against broken glass, protruding nails and discarded furniture among other undesirables. For that reason and more, I recommend the following equipment:

  Step ladders

  Extra garbage bags

  Waist high waders (dark)

  Hand held flashlight and/or head worn lamp

  Safety glasses

  Steel toe reinforced boots

  Heavy duty gloves

  Thick long sleeve shirt and grubby jeans (dark)

  Change of clothes and garbage bag for your grubby clothes

  Vehicle with enough room to transport garbage bags and discarded items taken from the target location

  First-aid kit

  But before getting your hands dirty, no pun intended, there must be a plan of attack. Before going onsite, there should be some plan or expectation of what information is being sought. For example, discarded invoices and technical documents would be sought if the pretext were to pose as an IT service engineer. Ultimately, it’s a crapshoot. You never know what you’re going to find until you find it. You probably won’t know exactly what is in the bags you’re taking. It will likely be dark and you may not have time to acquire everything you want. But having a high-level plan will save time.

  Making sense of the information collected is one of the most important steps in dumpster diving. Obviously, some pieces of information will be more valuable than others. To make the analysis process go efficiently, the following information should be sought out:

  Letterhead paper – It allows for making realistic forgeries, if necessary. Its content may also be of value and give away the names/titles of others in the org.

  Invoices/Billing Info – Useful for knowing who the target does business with and may help during pretexting.

  Technical Documents – Information about the infrastructure of the external/internal network configuration (IPs, networks, diagrams, OS, vendors).

  Employee Information – Information such as extension listings, cubicle maps and schedules. Useful for masquerading as an employee.

  Emails – Could be useful for their content, but would also reveal the email address naming convention, email server technology and names of other individuals inside the org.

  Electronic Media – Floppy disks, CDs, DVDs, hard drives, USB drives. Extremely valuable in finding out information that is likely not available online or via other sources. A social engineer should acquire electronic media at every opportunity.

  Shredded Documents – These documents provide the most useful information. Most office shredders turn documents into long thin strips of paper. What’s more, the shredded document is usually kept all in the same waste paper basket. As a result, typical office shredding is almost useless. Most office-shredded documents can be reconstructed.

  Let’s pause for a moment to discuss shredded documents since these documents are important. Typical office shredders do not do a good job of destroying documents. Instead, think of office shredders as a way of obfuscating the document. It makes it difficult to read, but does not make it unreadable.

  Most office/home shredders slice in wide, long one-way shredding patterns leaving some text still readable. With time and effort, documents that have been shredded like this can be reconstructed by hand or with a little help from technology.

  Shredded document showing long, wide remnants by a typical office shredder

  The Unshredder (http://www.unshredder.com/) is a software application designed to reduce the time consumed by social engineers and investigators reconstructing shredded documents. The interface is rather intuitive and should not pose a significant learning curve for any computer savvy person. The software does require a flat bed scanner for reconstruction. At the time of this writing, it is a Windows-based application requiring about 1GB of RAM and about 1GB of free disk space. I’ve used the application with good results.

  When considering reconstruction of shredded documents, the following questions must be answered:

  How much time can I afford to devote toward reconstruction? Can I justify the time?

  How obscure are the shredded documents? Are they shredded strip-cut, cross-cut or micro-cut?

  Is there any legible text on the documents? Will my efforts produce valuable information?

  The general rule of thumb before considering any reconstruction project is that there be at least two legible leads. That is, there should be shredded but legible text that triggers something of interest. It should garner enough interest to justify hours of reconstruction work. If unable to piece together the first lead, you can fall back to the second lead and still attempt to gain something of value. Whatever the leads might be, they should support the underlying social engineering plan and provide some level of value for the effort.

  Open Source Intelligence Techniques, by Michael Bazzell

  Google Hacking for Penetration Testers, by Johnny Long

  Chapter 6:

  Tools

  Tools facilitate the efficient execution of social engineering tests and are an integrated part of the social engineering assessment process. In most cases, tools can spell the difference between success and failure. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. For that reason, the tactics examined here should be used for ethical purposes only.

  In this chapter, we will closely examine the many different types of tools available to the social engineer. These tools range in nature quite significantly depending upon the task at hand. Therefore, we will broadly discuss a sampling of tools from each of the main categories identified.

  The following topics will be covered in this chapter:

  Computer Based Tools

  Physical Tools

  Telephone Tools

  Computer Based Tools

  As I stated earlier in this book, information gathering is paramount to a successful social engineering test. Just as a comprehensive information gathering strategy should involve multiple data sources, so too should a savvy social engineer leverage many information gathering tools. In general, tools give social engineers the capability to gather information far and wide with greater efficiency. Some of the tools we’ll cover not only help search and gather intelligence, but also help execute tests as well.

  Computer-based tools are a category that is used quite often. This is by no means a full and complete list, but the computer-based tools we will cover are the most commonly used ones.

  Kali Linux

  Kali Linux is a freely available security Linux distribution designed especially for penetration testing and digital forensics. Kali Linux comes preinstalled with well over 200 security tools and can be booted from a live CD, live USB drive or virtual machine. Why am I mentioning Kali Linux? Kali happens to come preinstalled with all of the computer based tools we are covering here as well as the tools mentioned in the previous chapter. Since social engineering testing is sometimes teamed together with red team testing, Kali makes a great one-stop shop Linux distro.

  Kali Linux 1.0 is based on a derivative of Debian Wheezy. So, Debian fans will certainly enjoy the co-mingling of the two. I certainly do!

  Screenshot of Kali Linux and the menu of preinstalled tools

  Kali is the official successor of the former BackTrack security distribution. In fact, the very same group, Offensive Security, maintains it. The evolution of BackTrack, now retired, to Kali has been in the making for several years. Overall, Kali Linux is the premier security distribution and I recommend it for social engineering purposes. As an aside, I have been using BackTrack since its beta debut in 2006 and personally recommend its use as an all-purpose Linux distribution as well.

  Kali Linux can be downloaded at the following address: http://www.kali.org/downloads/

  It is available for download by torrent or direct HTTP in 64-bit or 32-bit ISO image.

  In short, Kali has a number of security tools that can be leveraged to gather information about your target beyond the tools we will discuss next. At the time of this writing, Kali has over 50 tools designed for information gathering purposes. Ultimately, the tools you will use will depend greatly upon the objectives of the social engineering test. However, there’s a good chance Kali will have the tool you need for the project.

  Social Engineering Toolkit (SET)

  What would a social engineering book be without discussing the Social Engineering Toolkit? The Social Engineering Toolkit (SET) is specifically designed to perform some of the most advanced social engineering attacks. It is both an information-gathering tool and an exploitation tool. SET was created and written by David Kennedy, of TrustedSec fame. It is open source, freely available and written in Python. Since its inception, it has become an industry standard with heavy support from the information security community.

  Screenshot of the Social Engineering Toolkit main menu

  SET comes with an array of social engineering capabilities. These range from spear phishing and infectious media drops to Arduino-based attack vectors. For the purposes of this book, we are most concerned with SET’s spear phishing attacks, infectious media generator and its mass mailer attack. While other features of the toolkit are also valuable, these three are some of the most commonly used.

  Before we go any further, it’s worth mentioning that SET comes integrated with the Metasploit Framework. This is evident from SET’s main menu of options. The Metasploit Framework is an open source framework for developing and executing exploit code. We will discuss Metasploit in a little more detail coming up next.

  The Social Engineering Toolkit comes preinstalled on the Kali Linux distribution. Alternatively, it can be obtained through Git via the following:

  git clone https://github.com/trustedsec/socialengineer

  Screenshot of SET’s Social Engineering Attacks sub-menu

  SET features a great set of options all around. What is great about SET is that its modules add the capability to generate payloads and start listeners as part of testing. This is in part due to the integration with Metasploit, which we will get to next. This integration allows you to craft email messages and send them to a large or small number of people with attached malicious file payloads and corresponding listeners. To help get started, SET provides a wizard to assist in the design and execution.

  We will concentrate on the Social Engineering Attacks, option #1, from the SET main menu. The list of features in the Social Engineering Attacks sub-menu gives us a set of 12 options. For the purposes of this book, we will discuss the following items from the SET Social Engineering Attacks sub-menu:

  Spear-Phishing Attack Vectors (menu option #1)

  Infectious Media Generator (menu option #3)

  Mass Mailer Attack (menu option #5)

  Spear-Phishing Attack Vectors

  When selecting option #1, Spear-Phishing Attack Vectors, from the main menu, you are presented with 3 menu options: 1) Perform a Mass Email Attack, 2) Create a File Format Payload and 3) Create a Social-Engineering Template.

  Screenshot of SET’s Spear-Phishing Attack Vectors sub-menu

  Option #1 is a wizard-driven menu that walks the user through selecting a file format for the exploit (e.g. Adobe PDF with embedded EXE). The wizard goes on to help set up a payload that is launched once the user opens the file (e.g.: Windows Meterpreter Reverse_TCP). The wizard then helps the user add content and finally sends the email out.

  Option #2 in this sub-menu is a manual approach to option #1 for the expert user. Option #3 allows the user to develop and save spear phishing email content to be re-used in the future. This is especially helpful if you consistently spear phish and use SET to do so.
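A defender-side counterpart to the file-format payloads described above, added here as an example that is not part of the book or of SET: it scans raw PDF bytes for the name objects an "embedded EXE" document relies on and escalates when an embedded file is paired with an action that could run it. The two sample documents are constructed inline with a simplified object layout, and the indicator list is an assumption of what is worth triaging, not an exhaustive one.

```python
import re

# Two constructed PDF skeletons (not real documents, object layout simplified):
# a benign one-page file, and one carrying an embedded file plus a /Launch action
# fired by /OpenAction, the structure an "embedded EXE" file-format payload relies on.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
%%EOF"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj
4 0 obj << /Names [(update.exe) 6 0 R] >> endobj
5 0 obj << /S /Launch /F (update.exe) >> endobj
6 0 obj << /Type /Filespec /F (update.exe) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
%%EOF"""

# Name objects worth triaging. Each has legitimate uses, so they are reported as
# indicators rather than treated as proof of malice (assumed list, not exhaustive).
INDICATORS = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/OpenAction", b"/AA")


def scan_pdf(data: bytes) -> dict:
    """Count each indicator name in the raw bytes; the lookahead stops /EmbeddedFile
    from matching /EmbeddedFiles and /AA from matching longer names."""
    hits = {}
    for name in INDICATORS:
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if count:
            hits[name.decode()] = count
    return hits


def embedded_filenames(data: bytes) -> list:
    """File names declared by /Filespec objects, so the triager sees what was attached."""
    return [m.decode() for m in re.findall(rb"/Filespec[^>]*?/F\s*\(([^)]*)\)", data)]


def is_suspicious(data: bytes) -> bool:
    """An embedded file paired with an action that could run it is the pattern to escalate."""
    hits = scan_pdf(data)
    return "/EmbeddedFile" in hits and any(k in hits for k in ("/Launch", "/OpenAction", "/JavaScript"))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, scan_pdf(doc), embedded_filenames(doc), is_suspicious(doc))
```

Object streams and stream filters can hide these names from a plain byte scan, so decompress the file or run it through a proper PDF parser before trusting a clean result.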

  Infectious Media Generator

  Another great feature of the Social Engineering Toolkit is the Infectious Media Generator for USB/CD/DVD media. This SET module allows the user to create an autorun.inf and a corresponding Metasploit payload. When the media is inserted, it will automatically run and execute the Metasploit payload, if the autorun feature is enabled. There are many Metasploit payloads to choose from. However, the Meterpreter payload is the most common and offers a great deal of control (e.g.: persistent backdoor).

  Screenshot of the Infectious Media Generator sub-menu

  The Infectious Media Generator feature is especially useful for Baiting targets. USB drives containing payloads are often placed on the ground in public areas near the target location. The USB drives are labeled with interesting titles, such as “payroll” or “private pics.” The strategy is designed to spark the user’s curiosity and increase the chances of the user plugging the device into their computer.
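On the defender's side of the baiting scenario, two checks matter: whether an autorun.inf found on removable media would launch anything, and whether the Windows AutoRun policy actually covers removable and CD/DVD drives. The Python below is an added example, not code from the book or from SET; the autorun.inf contents are constructed, and 0x91 is used as an assumed illustrative policy value.

```python
import configparser

# Constructed autorun.inf of the kind an infectious-media kit writes to a USB stick:
# an [autorun] section whose directives run a program when the media is inserted.
SAMPLE_AUTORUN = r"""[AutoRun]
open=payroll\update.exe
icon=payroll\update.exe,0
label=payroll
shellexecute=payroll\update.exe
shell\open\command=payroll\update.exe
"""

# Directives that execute code. label= and icon= only change how the drive is shown,
# which is how a stick gets a tempting name without those lines being dangerous themselves.
EXEC_KEYS = ("open", "shellexecute")

# NoDriveTypeAutoRun bitmask (...\Policies\Explorer). A set bit disables AutoRun for
# that drive type; 0xFF disables it for every type.
DRIVE_BITS = {"removable": 0x04, "fixed": 0x08, "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}


def risky_directives(text: str) -> list:
    """Return (key, value) pairs from the [autorun] section that would run a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    found = []
    for key, value in cp.items(section):  # keys are lower-cased by configparser
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found


def autorun_disabled_for(policy_value: int) -> dict:
    """Map each drive type to whether the policy value disables AutoRun for it."""
    return {name: bool(policy_value & bit) for name, bit in DRIVE_BITS.items()}


def media_is_protected(policy_value: int) -> bool:
    """True when both removable drives and CD/DVD (the baiting media) are covered."""
    status = autorun_disabled_for(policy_value)
    return status["removable"] and status["cdrom"]


if __name__ == "__main__":
    for key, value in risky_directives(SAMPLE_AUTORUN):
        print(f"autorun directive would execute: {key}={value}")
    for value in (0x91, 0xFF):  # 0x91 leaves removable and CD/DVD open; 0xFF closes all
        print(f"NoDriveTypeAutoRun=0x{value:02X}: protected={media_is_protected(value)}")
```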

  Mass Mailer Attack

  Screenshot of the Mass Mailer Attack sub-menu

  SET’s Mass Mailer Attack feature is very straightforward, but handy. Most traditional email programs don’t always allow the user to send email to a large number of recipients. The E-Mail Attack Mass Mailer provides the user with an easy way to import a text file of email recipients in just a few taps. Alternatively, option #1 can be used to send a one-off email or to simply test email delivery using your own SMTP relay host.

  Metasploit Framework

  The Metasploit Framework is an open source, freely available security project. It is a tool for developing and executing exploit code. Smaller sub-projects that come with the Framework are worth noting and include the Opcode database, shellcode archive, MSF Encoder, etc.

  Screenshot of the Metasploit console running in the command-line version (msfconsole)

  Metasploit has a number of modules that users can leverage in order to exploit and compromise systems. At the time of this writing, Metasploit has 1,354 exploits, 340 payloads and 35 encoders. Metasploit also comes with auxiliary programs. These do not necessarily involve the exploitation of services or hosts; they are programs that do specialized tasks. For instance, there are Metasploit auxiliary programs that do fuzzing, scanning, denial-of-service and more.

  The Metasploit Framework can be downloaded for free at the following URL: http://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp

  It runs on Unix, Windows and Mac OS X and can be integrated to run with Nmap, Nexpose and Nessus. Alternatively, Metasploit comes preinstalled on the Kali Linux security distribution.

  Since Metasploit’s inception in 2003 by HD Moore, it has undergone several changes over the years. Today, the security company Rapid7 owns Metasploit. As a result of the Rapid7 acquisition in 2009, there are multiple versions of Metasploit, including commercial paid-for versions. The commercial versions of Metasploit are geared toward teams and often involve additional feature sets.

  Breakdown of Metasploit versions:

  Metasploit Framework – The free version. It consists of the command line interface.

  Metasploit Community Edition – This is also free, and includes a web-based interface.

  Metasploit Express – An open-core commercial edition intended for security teams that includes a web-based GUI and some of the Pro features, such as smart brute forcing and automated evidence collection.

  Metasploit Pro – An open-core commercial edition that includes all features of Metasploit Express, plus web application scanning/exploitation, social engineering campaigns and VPN pivoting.

  Metasploit Pro comes with powerful social engineering campaign features. At the time of this writing, this feature is quite similar to what SET does. For that reason, we won’t go into any further detail on its capabilities here. Having said that, the team at Rapid7 is constantly improving the product. So, I urge you to give it a try and see if it suits your needs. A fully functional 14-day trial can be acquired for Metasploit Pro by following this link:

  http://www.rapid7.com/products/metasploit/metasploit-pro-registration.jsp

  Maltego

  Maltego is an open source intelligence (OSINT) and forensics application provided by Paterva. Maltego provides the user with a library of transforms for discovery of data from open sources. It allows for the visualization of information in a graphical format for link analysis and data mining.

  Screenshot of Maltego running on Kali Linux

  At its core, Maltego focuses on analyzing real-world relationships between people, groups, websites, domains, networks, Internet infrastructure and affiliations, such as Twitter and Facebook.

  Maltego can be used to determine relationships and real world links between:

  People

  Groups (social networks)

  Companies

  Organizations

  Web sites

  Internet infrastructure

      Domains

      DNS names

      Netblocks and IP addresses

  Phrases

  Affiliations