Chapter 08: Exploiting Physical and Social Vulnerabilities Flashcards
Trust
The foundation of many social engineering attacks
Creating a perception of trust can be done in many ways, since most individuals want to trust others; that desire is what the social engineer targets
Reciprocation
Relies on the target feeling indebted or that they need to return a favor to you
Authority
Focuses on making the target believe that you have the power or right to ask them to perform actions or provide information
Urgency
The sense that the action needs to be performed, often because of one of the other reasons
Fear
The fear that something will go wrong, or that someone will be punished, if they don’t respond or help; a common lever in social engineering
Likeness / Similarity
Similarity between the social engineer and the target builds trust, as the target is set up to sympathize with the pentester because of the traits they appear to share
Social Proof
Relies on persuading the target that other people have behaved similarly and they should as well
Scarcity
Related to fear-based approaches but focuses on there being fewer rewards or opportunities, requiring faster action and creating a sense of urgency
DION NOTES
* Urgency is an approaching deadline (TIME)
* Scarcity is limited supply (QUANTITY)
Helpful Nature
The straightforward truth about most decent people
When given an innocent opportunity to be appreciated, a target will usually be helpful
Social Engineering
Any attempt to manipulate users into revealing confidential information or performing actions detrimental to a system’s security
Hacking the human, not the tech
Phishing
Social engineering attack where the threat actor communicates with the victim from a supposedly reputable source to lure the victim into divulging sensitive information
In a generic phishing attempt, the pentester sends a mass email that does not target any particular user or group; the same message goes out to a lot of people
Spearphishing
* More targeted; uses the same techniques as normal phishing, but aimed at specific users or groups
* This is most often what is used in pentest vs generic phishing campaign
Whaling
* Focusing on key executives
* Dion says this is the most effective form of phishing he’s seen in pentests
* Execs are always busy and on the receiving end of hundreds or thousands of emails a day, so they don’t always scrutinize the links
* Also they’re better targeted and the messaging is more customized to them
Smishing
* SMS text message phishing
Vishing
* Phone call phishing
BEC
* Business email compromise
* Occurs when an attacker takes over a high-level executive’s email account and orders employees to conduct tasks
Pharming
* Tricks users into divulging private information by redirecting a victim to a website controlled by the pentester or threat actor
* Usually involves hijacking the user’s browser settings or running a background process that redirects to a malicious site
* You can also add entries into the host.ini file to force a redirect to occur
Social Engineering Tools
SET (Social Engineering Toolkit)
* Python-based collection of tools and scripts that are used to conduct social engineering during a pentest
BeEF (Browser Exploitation Framework)
* Used to assess the security posture of a target environment using cross-site attack vectors
* Great tool for testing browsers and associated web servers and apps
Call Spoofing Tools
* Tools like Asterisk inside Kali can spoof calls over VoIP
* Hides your identity; in an impersonation attack it also lets the call appear to come from a number inside the org