Social Engineering
Social engineering manipulates people into revealing confidential information, aiming for passwords, bank details, or installing malicious software to gain control.
This is a topic I find quite interesting and have studied quite extensively. However, I'll keep this page relatively short and focus more on the technical perspective rather than turning this into a blog on human behavior.
Phishing Types:
Vishing (Voice Phishing):
Uses phone calls for phishing.
Phishers confidently impersonate friends, relatives, or brands over the phone.
Smishing (SMS Phishing):
Phishing through SMS alerts.
Users may receive fake order details with malicious links to gather personal information.
Search Engine Phishing:
Involves creating fake webpages targeting specific keywords.
Users land on these pages, often unaware of the deception.
Spear Phishing:
Carefully tailored emails target specific users.
Phishers research social profiles and company websites for effective attacks.
Whaling:
Targets senior management positions (CEOs, CFOs, etc.).
These "whales" are key players in organizations.
Phishing is prominent in the technology, banking, and healthcare sectors because of their large user bases and their dependence on sensitive data.
Social Engineering Phases
Social Engineering typically involves several distinct phases. However, these phases are not always strictly linear: attackers may loop back to earlier phases or adapt their tactics as the situation evolves. Social Engineering attacks are highly adaptive and rely on exploiting human psychology and trust.
Information Gathering: Collect target data. This includes researching the organization, its employees, and potentially even their personal lives. Information is gathered from sources like websites, social media, and publicly available data.
Pretexting: With gathered information, the attacker creates a fabricated scenario, often pretending to be someone trustworthy. This pretext is used to initiate contact with the target.
Engagement: Initiate contact and build trust through various channels, including email, phone calls, or even in-person interactions.
Manipulation: Influence target actions. This can involve requesting sensitive information, providing instructions, or convincing the target to click on a malicious link.
Exploitation: Achieve objectives.
Evasion and Exit: Cover tracks and depart.
Using the Social Engineering Toolkit (SET)
Let's launch a phishing attack with a cloned website.
Note that the clone website might not always be very good.
sudo setoolkit
Press y
In the SET Main menu, select the first option, "1) Social-Engineering Attacks."
Choose "2) Website Attack Vectors."
Select "3) Credential Harvester Attack Method."
Opt for "2) Site Cloner."
Provide the IP address of the host machine and the URL to clone, for example, www.facebook.com.
Send the IP address of your Kali machine to the target and trick them into clicking a link, typically through email.
Once the victim has entered their credentials, they will show up in SET.
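The lure in the procedure above has two tell-tale properties a defender can check for: the link points at a bare IP address rather than the brand's domain, and the visible link text claims to be the cloned site while the href goes somewhere else. The following is an added example (not part of the original page and not SET code) that scans an HTML email body for exactly those mismatches, the kind of check a mail gateway or SOC triage script would run. The sample email and the IP 203.0.113.10 (a documentation range) are constructed for the demo.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure: the anchor text claims to be facebook.com, but the
# href points at a bare IP over plain HTTP, as with the credential harvester above.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please verify your login at
<a href="http://203.0.113.10/login.php">https://www.facebook.com/login</a>
within 24 hours.</p>
<p>Help centre: <a href="https://www.facebook.com/help">Facebook Help</a></p>
"""

# Pulls a domain-looking token out of the visible link text (if there is one).
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude eTLD+1 (last two labels). Fine for a demo; a real tool would use a
    public-suffix list so that e.g. .co.uk domains compare correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_link(href, text):
    """Return the reasons (possibly none) this link looks like a credential lure."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        reasons.append("plain-http link")
    if _is_ip(host):
        reasons.append("link host is a bare IP address")
    m = DOMAIN_RE.search(text)
    if m and host and not _is_ip(host):
        if _registrable(m.group(1)) != _registrable(host):
            reasons.append(f"visible text says {m.group(1)} but href goes to {host}")
    elif m and _is_ip(host):
        reasons.append(f"visible text says {m.group(1)} but href goes to an IP")
    return reasons


def scan_email(html):
    """Scan an HTML email body and return every link that raised at least one flag."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as-is, it flags only the first link (bare IP, plain HTTP, text/href mismatch) and leaves the genuine help-centre link alone. The same `analyze_link` check also catches lookalike hosts such as `facebook-login.example.net` behind text reading `www.facebook.com`, since it compares registrable domains rather than the raw string.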
Book list
Here is a list of books regarding Social Engineering and Human behavior I have read and can recommend.
The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin D. Mitnick
What Every Body is Saying: An Ex-FBI Agent's Guide to Speed-Reading People by Joe Navarro
The 48 Laws of Power by Robert Greene
The Charisma Myth: How Anyone Can Master the Art and Science of Personal Magnetism by Olivia Fox
Never Split the Difference: Negotiating as if Your Life Depended on It by Chris Voss
Emotions Revealed: Recognizing Faces and Feelings to Improve Communication and Emotional Life by Paul Ekman
Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage by Paul Ekman
Unmasking the Face by Paul Ekman and Wallace V. Friesen
Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You by Christopher Hadnagy
Social Engineering: The Science of Human Hacking 2nd Edition by Christopher Hadnagy