Introduction to pentesting: Reconnaissance

Social Engineering

No discussion of reconnaissance would be complete without social engineering. Many people would argue that social engineering is one of the simplest and most effective means of gathering information about a target.

Social engineering is the process of exploiting the “human” weakness that is inherent in every organization. When using social engineering, the attacker’s goal is to get an employee to divulge information that should be kept confidential, or to take an action they should not have taken.

Let us assume you are conducting a penetration test on an organization. During your early reconnaissance, you discover an e-mail address for one of the company’s salespeople. You know that salespeople are highly likely to answer product inquiry e-mails. So you send an e-mail from an anonymous address feigning interest in a particular product. You do not actually care about the product. The real purpose of the e-mail is to get a reply from the salesperson so you can review the headers contained in the response. Every mail server the reply passes through prepends its own Received header, and those headers often reveal internal hostnames, internal (RFC 1918) IP addresses and the mail software the company runs, which tells you a good deal about the company’s internal e-mail infrastructure.

Let us take the social engineering example one step further. Suppose our salesman’s name is Ben Owned (we found this information during our reconnaissance of the company website and in the signature of his e-mail response). Let us assume that, in this example, when you sent the employee the product inquiry e-mail, you received an automatic reply stating that Ben Owned was “currently out of the office travelling overseas” and “would be gone for two weeks with only limited e-mail access”.
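The header review from the product inquiry reply, as an added example that is not part of the original article: a Python script that parses the Received chain of a reply, reconstructs the order in which the mail travelled, picks out hosts that carry RFC 1918 addresses (which should never be visible from the Internet), and also flags whether the reply is an auto-reply and pulls the signature block from the body, since that is where the salesperson’s name and title came from. The sample message is constructed for this example; every hostname, address and id in it is hypothetical (example.com, the 10.0.0.0/8 range and the 203.0.113.0/24 documentation range).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample of the salesperson's auto-reply, not a real capture.
# Every hostname, address and id is hypothetical: example.com, the RFC 1918
# range 10.0.0.0/8 and the RFC 5737 documentation range 203.0.113.0/24.
# Folded header lines start with a tab, as in a real message.
SAMPLE_REPLY = """\
Received: from mail-gw1.example.com (mail-gw1.example.com [203.0.113.25])
\tby mx.attacker-mailbox.invalid with ESMTPS id abc123;
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from EXCH01.corp.example.com (10.10.5.21) by mail-gw1.example.com (203.0.113.25)
\twith Microsoft SMTP Server id 15.1.2507.6; Mon, 1 Jan 2024 10:00:03 +0000
Received: from WS-BOWNED.corp.example.com (10.10.20.114) by EXCH01.corp.example.com (10.10.5.21)
\twith mapi id 15.01.2507.006; Mon, 1 Jan 2024 10:00:01 +0000
From: Ben Owned <ben.owned@example.com>
To: prospect@attacker-mailbox.invalid
Subject: Automatic reply: Product inquiry
Auto-Submitted: auto-replied
X-Mailer: Microsoft Outlook 16.0

I am currently out of the office travelling overseas and will be gone for two
weeks with only limited e-mail access.

Ben Owned
Regional Sales Manager
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s()\[\];]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s()\[\];]+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(.+?)\s+id\s+([^\s;]+)", re.IGNORECASE)
# hostname immediately followed by an address literal: "host (ip)", "host ([ip])", "host (name [ip])"
HOST_IP_RE = re.compile(r"(?P<host>[\w.-]+)\s*[(\[]+(?:[\w.-]+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# RFC 1918 only. ipaddress' is_private also flags documentation ranges such as
# 203.0.113.0/24, which would wrongly mark the sample's Internet-facing gateway as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if ip is RFC 1918 space, i.e. an address that should never be visible from the Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_received(value: str) -> dict:
    """Extract the from/by hosts, transport and host/IP pairs from one Received header."""
    value = re.sub(r"\s+", " ", value)  # unfold continuation lines
    from_m, by_m, with_m = FROM_RE.search(value), BY_RE.search(value), WITH_RE.search(value)
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "via": with_m.group(1) if with_m else None,
        "id": with_m.group(2) if with_m else None,
        "host_ips": [(m.group("host"), m.group("ip")) for m in HOST_IP_RE.finditer(value)],
    }


def analyse_reply(raw: str) -> dict:
    """Summarise what one reply leaks: delivery path, internal hosts, auto-reply status, client, signature."""
    msg = message_from_string(raw)
    # Every relay prepends its own Received header, so the first one in the message
    # is the last hop; reverse to get the path in the order the mail actually travelled.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received") or [])]
    internal = sorted({pair for hop in hops for pair in hop["host_ips"] if is_internal(pair[1])})
    auto_submitted = (msg.get("Auto-Submitted") or "no").lower()  # RFC 3834 auto-reply marker
    subject = (msg.get("Subject") or "").lower()
    body = (msg.get_payload() or "").strip()
    return {
        "path": [(hop["from"], hop["by"], hop["via"]) for hop in hops],
        "internal": internal,  # (hostname, RFC 1918 address) pairs leaked by the relays
        "auto_reply": auto_submitted.startswith("auto-")
        or subject.startswith(("automatic reply", "out of office")),
        "mailer": msg.get("X-Mailer"),
        "signature": body.split("\n\n")[-1],  # text after the last blank line
        "body": body,
    }


if __name__ == "__main__":
    report = analyse_reply(SAMPLE_REPLY)
    for hop in report["path"]:
        print("hop: %s -> %s via %s" % hop)
    print("internal hosts:", report["internal"])
    print("auto-reply:", report["auto_reply"], "| mailer:", report["mailer"])
    print("signature:", report["signature"].replace("\n", " / "))
```

Run as-is to analyse the embedded sample, or replace SAMPLE_REPLY with the raw source of a real reply (“view source” or “show original” in most mail clients). The script deliberately checks only RFC 1918 ranges rather than `ipaddress.is_private`, because the latter also matches the documentation ranges used here and would misclassify an Internet-facing gateway as internal.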

A classic example of social engineering would be to impersonate Ben Owned and call the target company’s tech support number asking for help resetting your password because you are overseas and cannot access your webmail. If you are lucky, the tech support staff will believe your story and reset the password. If the company uses the same credentials for its other services (a single directory account behind e-mail, VPN and file servers is common), you now have access not only to Ben Owned’s e-mail but also to other network resources, such as the VPN for remote access or the FTP server used for uploading sales figures and customer orders.

Social engineering, like reconnaissance in general, takes both time and practice. Not everyone makes a good social engineer. To be successful, you must be supremely confident, knowledgeable about the situation and flexible enough to go “off-script”. If you are conducting social engineering over the phone, it is extremely helpful to have detailed, well-written notes in front of you in case you are asked about some obscure detail.

Another example of social engineering is to leave USB thumb drives or CDs at the target organization. The thumb drives should be distributed to several locations in or near the organization. The parking lot, the lobby, the bathroom and an employee’s desk are all great “drop” locations. It is human nature for most people to insert the thumb drive or CD into their PC just to see what is on it. In this example, though, the drive or CD is preloaded with a backdoor program that launches automatically when the media is inserted (on older Windows systems this relied on AutoRun; current versions of Windows no longer run AutoRun from USB mass storage, so the drop instead relies on the user opening an enticingly named file). Because the backdoor initiates an outbound connection, it passes through a company firewall that only filters inbound traffic and “dials home” to the attacker’s computer, giving the attacker a clear channel into the organization. We will discuss the topic of backdoors later.

(Later, we will add a complete social engineering course covering impersonation techniques, pretexting and the other skills needed to carry out a successful social engineering attack.)