CompTIA Pentest+ PT0-002 – Section 8: Social Engineering and Physical Attacks Part 1

61. Social Engineering and Physical Attacks (OBJ 3.6)

In this section of the course, we’re going to discuss social engineering and physical attacks. Now, as we move into this section, we’re finally entering the third stage of the engagement, attacks and exploits. During this stage, a penetration tester is conducting research on various attack vectors, developing their exploits, and then performing their attacks against a given target organization. Now, this stage of the engagement is classified under domain three, attacks and exploits for the PenTest+ exam.

This domain is usually one of the most interesting domains to learn about because it covers all of the different ways somebody can attack or hack into an organization. Now, there is so much to learn in the attacks and exploits domain, which is why it is largest domain on the exam with 30% of the exam questions coming from domain three alone. It also makes domain three one of the longest domains that we’re going to be covering in this course. To help break up this massive domain, we’re going to be covering it one objective in each section primarily, beginning of course, with this section.

Now I’m not going to be covering these objectives in order as they come in the Objectives Guide, because I believe it is much more important for us to first cover the human elements that we can attack and exploit. This is why this section is called social engineering and physical attacks, because that is what we’re going to be covering first. I like to call these the non-technical attacks since they’re focusing more on exploiting human nature or the physical world instead of a traditional server or computer network. When we talk about social engineering, we’re referring to a broad range of malicious activities that can be accomplished through human interactions. Often, this involves psychological manipulation to trick users into making security mistakes or giving away sensitive information.

While there are some forms of social engineering that rely on technical methods, like phishing, spear phishing, whaling, watering hole attacks, and many others, the real focus of these techniques is not the technology being used by the attacker, but instead, the methods of influence that are used to persuade a human being into making a mistake. We’re going to cover all of these social engineering attacks and exploits, as well as the technologies and tools that are used to leverage these attacks in this section of the course.

Now we’re also going to dive into the world of physical attacks in this section, because many of them, like tailgating, shoulder surfing, badge cloning and dumpster diving also rely on the use of social engineering in order to be successful. As I said, in this section of the course, we’re going to be focusing on both social engineering and physical attacks, which are just one part of the larger set of objectives for domain three, attacks and exploits. In this section, we’re going to be focused on a single objective, Objective 3.6.

This states that given a scenario, you must perform a social engineering or physical attack. While this objective may seem short, there are a lot of sub-bullets underneath it that CompTIA has, and we’re going to cover all of them in this section of the course to make sure you are fully ready for the exam. Now remember, a defender can install all the technical controls they want, such as unified threat management systems and firewalls, but if their employees can still be tricked into clicking on a malicious link in an email using some kind of a spear phishing campaign, well guess what, all those firewalls are going to let the attacker right in because they’re responding to the request made by their own trusted users. Similarly, all high-end biometric and RFID locks aren’t going to be able to keep out a threat actor if one of the organizations’ employees simply opens the door for them because they were influenced into letting the attacker tailgate into the building when that authorized employee scanned their RFID badge or authenticated using their fingerprint. So let’s get started in our coverage of domain three, attacks and exploits with social engineering and physical attacks in this section of the course.

62. Methods of Influence (OBJ 3.6)

The backbone of social engineering is being able to trick a user into doing something for you. So the question is what really motivates a user to fall for your tricks? Well, that is what this lesson is all about. And we’re going to cover the six different methods of influence that you can use as a penetration tester, to get people to trust you and to do what you want them to do. This includes things like authority, urgency social proof, scarcity, likeness, and fear. First, we have authority. Now people are much more willing to comply and do what you tell them to do if they think it’s coming from somebody who’s in the position of authority. So pretending to be the boss, the boss’s boss or some of their high level manager could get some lower level employee to do what you need them to do. You might also pretend to be from an important client or potential client to get somebody to do what you want. Other things that work well are trying to pretend that you’re a government agency. I get voicemails all the time from scammers who are pretending to be the IRS saying if you don’t call us back in the next 24 hours we’re going to come and arrest you. That’s using the governmental authority and that governmental agency’s position to try to get me to do what they want. Now, realize that the IRS never really calls and leaves you a voicemail that way. So we know right away, that’s a scam attempt but it is a form of social engineering. Another thing that tends to work really well is phishing emails that come from something like a bank or financial institution.

Why? Because they’re in a position of authority and they control your money. You might get an email that says your account has been hacked. Click here to reset your password. And then when you click it you’re actually letting the bad guy into your system. All of that is using the authority of somebody in power, whether that’s somebody who’s a boss in your company, an important client, a governmental agency, or a financial institution. All of that are going to be things that fall into this authority category. The next one we have is called urgency. Now urgency is all about the fact that people know we’re in a rush most of the time. We are all so busy these days and people want to help each other out by nature. That is human nature, that’s what we want to do. So if I’m walking up and you’re going to hold the door open for me, that’s being nice, right? Well, if somebody’s busy and their hands are all full you want to help them get through quickly and that is the idea here with urgency. I’ve seen urgency work really well especially when you’re doing in-person social engineering. For example, I might walk up to an employee in the hall and say, “I’m running late for this meeting. I really need to get this printed out, I couldn’t print it out can you print it out for me?” And hand them a thumb drive.

Maybe they’re going to take that thumb drive and go print out that PowerPoint for me. Now on that thumb drive is a bunch of malware and they don’t know that, but I’m using urgency to get them to bypass the normal security procedures and do this thing for me right now. That’s the idea with urgency. If I call up the help desk and I say, “Hey this is John and my account’s locked out, I really need you to reset password right now.” And the person at the help desk says, no, I can’t do that. You’ve got to come in and show me your ID. That’s company policy. And I start going, no, no, no, no, no. I’ve got a meeting in three minutes. I got to get this done. The boss needs it, please help me out right now. I really need your help. They’re forcing that sense of urgency and trying to tell you that there’s this upcoming deadline and we have to take action right now. And when people start rushing, people start making mistakes. So that becomes a great motivation factor that you can use in your social engineering attacks. The next one we have is known as social proof. Let’s say I put up a website and I was trying to do a watering hole or something like that. Now, if I did that and that website looked fake and scammy and I was trying to phish people to get ’em to go there, that’s probably not going to be very effective. But if I can get some social proof through either Facebook or Twitter or Instagram or something else to get people to start liking the site and talking about the site and saying all the great things that you can do at this site that starts showing that social proof and people are more likely to click on it and follow in to go into that attack. Now, people are always much more likely to click on things that have more likes, shares and other friends that they see doing it. This is the idea of social proof. So if I’m targeting a company and I’m not able to trick their users maybe I can go after their second level connections maybe spouses or their friends and get them to say, “Hey, there’s this awesome site, you should go check it out.” And then when they do that, they’re clicking the link and they’re now using that social proof against them. And now I’m getting them to go to my site. This is some of the things you can do when you start using social proof as part of this. Anytime you’re trying to get people to crave to be a part of a social group or a social experience or a social interaction, you can rely on social proof to get that done. For example, I might create a Facebook group and say, “Hey join this Facebook group and be a part of this thing.” And then I can start building trust with that person and the other people in that group. Maybe I create an affinity group that has to do with something for people who used to work at a particular company who’s the focus of my penetration test.

Well, if I can get people to come in there and tell me all the bad things they hated about this company I now can find ways to get into that building. That’s going to be things that I can use. And again, social proof, getting more people in that group is going to add additional value. That’s going to get more people to join that group and becomes this perpetual growth thing that happens. Have you ever seen social proof used against you? Have you ever gotten one of those direct messages on Facebook from one of your friends? And you’re like, man, that is a scam. Why did they even fall for that? Well, because of social proof, they saw 10,000 other people who liked that post or shared that post. And so they did it too. Some of these things can be good. Some of these things can be bad. But either way there were social proof behind it that got built up because so many people liked it. For example, when you decided to buy this course you probably looked at the landing page and you tried to decide, is this the course for you? One of the things you may have looked at was how many people were already enrolled in this course and how many good reviews this course already had. Now, if there were zero people in the course already you probably would not want to buy it because you think, man, this is horrible. But if you see there’s a hundred thousand people in this course, you might go wow this course must be pretty good. That is social proof.

And we use it in selling all the time but you can also use it in your penetration tests. The next technique we have is known as scarcity. Now, scarcity is all about trying to get people to act quick. Now, this is often confused with urgency by a lot of people but it’s a little bit different. With urgency, you’re really talking about the fact that it needs to get done now because you’re at a deadline. But when you’re dealing with scarcity there’s only so much of something. For example, I might create a phish campaign against my target organization, that is all about how people need to sign up right now because supplies are limited. There’s only five spots left. You’ve got to sign up right now if you want to be a part of this webinar that’s coming up. Now, some people are going to act on that for fear of missing out. So they’re going to click on that link and sign up or maybe I do something that’s a really good deal. Hey, there’s this $2,000 MacBook Pro computer but we’re selling it for just 999 for the next 20 minutes. You better click here because there’s only three left. All of that is the sense of urgency. It’s about how much is left of something. That is the idea here. Now, if I’m a bad guy I might be trying to collect your credit card information to be able to charge you and take your money and never give you that MacBook. But in the case of a penetration tester I might be doing that just trying to get your personal details maybe are going to gimme your email address which is the same as your login for your company’s account. Or I make you create an account to be able to buy this thing. Now I have to have your email and a password and a lot of people do password reuse. And so maybe the same password you’re using on your company computer too. And so I can collect that now using this idea of scarcity. The idea here with scarcity is you’re trying to get somebody to act really quickly because there’s a limited quantity of something. With urgency, it’s more about the time. With scarcity, it’s more about the quantity. The next one we have is known as likeness. Now likeness is a term that they use in your exam objectives but I personally like the term likeability a lot better. The idea is the same.

People want to interact and be with people that they know they like, and they trust. Now, if you don’t know somebody or trust them yet, you at least want to like them. And social engineers are some of the most friendly and likable people that you will ever meet. Most people who are old, crusty, angry people just don’t make good social engineers. It doesn’t happen that way. You need people who are friendly. You need people who are pretty, you need people that people want to be around. And that’s the idea when you start dealing with likability or likeness. Now, one of the things that a lot of penn testing teams do is they’ll actually include very attractive people on their team and they make the best social engineers. For example, in the old days a lot of it and cybersecurity professionals were men. And a lot of pen testing teams would actually have a very pretty woman on the team that would then flirt with the men to get their way and have them open the door for them, to be able to steal their badges and all sorts of other things like that. That’s the idea here with likability and likeness. Now, remember when it comes to likability it doesn’t have to be sexual in nature. It doesn’t have to be based on attraction or looks. It can also be based on finding a common interest. For example, maybe you find out that that person who’s your target likes football. Maybe as you’re walking by their desk, you see some kind of sports memorabilia for the Denver Broncos. If you know about football, you can go up and start talking to that person about how you like the Denver Broncos too. And that now creates a shared interest that you can leverage into some way to gain information from them or get them to like you more. Now for me, that wouldn’t really work because I really don’t like football but I like video games. And so maybe if I found somebody else who liked video games I could say, oh, you like to play X, Y, Z game as well?

Well, so do I. “Hey, I’ve got this great new skin or bonus feature for your character. Let me go ahead and email that over to you.” Now, I email them a file, they open it because they want to be able to access that new skin or character or whatever. And guess what I’m now in the system because I embedded malware into that. That’s the idea of using likability and making that friendship and then using that as a way to get in. Again, this is going to depend on the scope of your engagement of which of these factors you’re going to be able to use and how you’re going to be able to play them out. Another one we have is known as fear. Now, when we talk about fear, it really is a great motivator if you properly use it. In fact, ransomware authors are really good at using fear. Oftentimes you’ll see something that pops up on your screen. It’s a threat or a demand. For example you might see a popup that says your computer’s been locked. You’ve been found guilty of the FBI of piracy click here to pay your fine of $200. Now, if you go and click there, they’re going to actually take your money, right? And if you don’t click there, no one’s going to come and arrest you because it really isn’t the FBI.

This is a scam they’re using fear or in ransomware they’re going to encrypt all your files and hold that key for ransom until you pay up. Again this is something that’s done in a fearful way. So remember your methods of influence. There are six different ways to get people to do what you want when you’re doing a social engineering or physical attack. This includes authority, urgency social proof, scarcity, likeness, or likability, and fear. Now, in this lesson, I talked about each of these factors individually, but as a penetration tester, you might find it to be more effective to combine multiple of these together. For example, you might combine social proof, scarcity and urgency, and it might look something like this. Click on this email right now because we only have three things left. This is only be on sale for the next 30 minutes. And we had a hundred people who already bought. Something like this combines all three of these factors together. And you’ll see often that when you combine things together like this, they become more effective than if you use them individually.

63. Social Engineering (OBJ 3.6)

In this lesson, we’re going to focus on different types of social engineering attacks, including phishing, spearfishing, whaling, smishing, vishing, a business email compromise and pharming. Now, before we get into the specific attacks, let’s define social engineering. Social engineering is any attempt to manipulate users into revealing confidential information or performing other actions that are detrimental to that user or the security of their systems. Social engineering is always focused on the human element and trying to find a way to bypass the systems technical controls by simply hacking the human instead of hacking the technology. For example, if I wanted to break into your wireless network and I found that you’re implemented a long, strong password for a WPA3 encrypted network, it could take me years and years to bruteforce that password, but if I instead was able to find out a way to trick your organization’s users into sharing that password with me, I can access that network by the end of the day in most cases. That’s the idea of social engineering. Now in most organizations networks, the weakest link in the our security is the end users and their employees.

As a penetration tester, using social engineering can really help you gain your initial foothold into a network, and then you can escalate your privileges or move laterally from there. When it comes to making recommendations at the end of your engagement, you should always include a recommendation to the organization that they conduct annual user cyber security training that includes lessons on how to avoid social engineering attempts because this is so often the root cause of many network intrusions. Now let’s take a look at some different types of social engineering attacks. The first one is phishing. A phishing attack is a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source in order to lure the victim into divulging sensitive information. Now, phishing is a generic term for this type of attack but there are also specific types such as spearfishing, whaling, smishing, and vishing. For the exam though, when they ask about phishing, they’re usually referring to the specific type of phishing based on the intended targets or the medium that’s used to send that message, whether it’s through email, text messaging or voice call.

So let’s go through each of these different types of phishing to ensure you understand what’s being referred to on exam day. Now the first type of phishing is the most generic type, and it’s going to be called simply phishing. Now in a generic phishing attempt, the attacker or penetration tester is going to send out an email to a large audience hoping they get somebody to click on the link in that email. For example, an attacker might send an email claiming they’re from PayPal, and they’re asking the victim to confirm their account data. In the email, the attacker can use PayPal’s logo, the same format that PayPal uses in their emails, and other things that make it appear legitimate. But if the user clicks on that link, it’s instead going to take them to a PayPal login page that’s hosted on the attacker’s website. Now from there, they’re going to try to get the victim to enter their login credentials by putting their username and password into that site. And at this point, the attacker has the victim’s account details and can steal money that may be in their account. Now, how many people do you think would fall for this type of generic phishing campaign? Well, you’d actually be really surprised because the answer is a lot of people. In previous phishing attempts I’ve done as part of penetration tests, I’ve personally seen response rates as high as 60 to 70% of users clicking on the links inside those emails. Even if I include things like bad grammar, poor spelling, improper logos, and other things like that, users still end up clicking the links at a rate of about 30 to 40%. This means phishing really works well from an attacker or penetration tester’s perspective.

And it’s one of the reasons that most penetration testers will use this as one of their initial access vectors into a given network. For the exam, anytime you see a question that is about sending out emails with malicious content or links to a large and diverse set of users, you should categorize this as a generic phishing campaign, or more simply put, a phishing campaign. Now in a phishing campaign, an attacker isn’t really targeting any particular person or group, but instead they’re sending out a lot of emails that are likely to capture the most amount of people. For example, the PayPal phishing email I just mentioned is a great form of phishing because there are over 377 million users of PayPal. So if I just sent out that email to every email address I had, most likely there’s a lot of those people who already have PayPal accounts and they’ll possibly click on the links in my email. Now the second form of phishing is known as spearphishing. Spearphishing is a more targeted version of phishing but in general it uses the same technology and techniques. For example, let’s pretend you’re a member of a small local bank called DT Savings and Loans. Now, unfortunately, DT Savings and Loan has had a data breach last year, and that resulted in all the names and emails of their account holders being downloaded by that attacker. That list of emails from the attack is now on the dark web. And so a young enterprising hacker could decide to craft a spearphishing email that targets a 100 of those users on that list. In the email they create, they’re going to pretend to be from DT Savings and Loans and they’re only going to send the email to people they know have an account at DT Savings and Loans. Do you see the difference here? Instead of trying to send out the email to millions of people and hoping some of them have a PayPal account, instead, we’re now targeting people that we know for sure had a banking relationship with DT Savings and Loans.

Now during a penetration test, you’re most likely going to be conducting a spearphishing campaign and not a phishing campaign. The reason for this is that it’s more targeted. For example, let’s say I am conducting an engagement against an organization, I can first during my reconnaissance phase create a list of all the people who work in the human resources department. I can identify them by looking on LinkedIn, Facebook, Twitter, and other places, then I could craft a spearphishing email about some mandatory new training video that all human resource employees must watch. When they click on the link in my email to load up that video, that will actually open a shell, download some malware or do some other malicious activity. The difference here is that I was targeted in my approach and I’m only sending the email to people I know for a fact work in the human resources department, and I built that email message around those targeted individuals to get higher clickthroughs. Now the third type of phishing is known as whaling. Whaling is like spearphishing but it’s even more focused because we’re only targeting key executives within an organization.

People like the CEO, the COO, the CFO, the CIO, the CSO, the CTO, and other key leaders, executives and managers within the company. Now in my experience, whaling is actually the most effective form of phishing during penetration tests. Now there’s a few reasons why whaling is so effective. The first reason is that executives are really busy in their lives. And they’re always on the receiving end of 100s or 1000s of emails per day. Because of this, they often don’t have time to really stop and check the emails they received to scrutinize them before clicking on a link. And if that whaling email is going to use urgency and even a little fear or authority, it can really cause the executives to open an email without thinking twice about clicking that link. The second reason that whaling emails tend to be effective is that they’re better targeted. And therefore the messaging is more clearly directed at that executive. Instead of writing an email and sending it to a generic group of 1000s of targets like you would in a generic fishing campaign, or 50 to a 100 employees in a spearphishing campaign, a whaling campaign usually relies on emailing, a single executive or maybe five to seven people who serve on the board of directors. This lets us craft a message that is much more focused and more likely to get the person on the other end of reading that email to click the link and open the attachments. The third reason that whaling emails tend to be more successful is that in general, the executives tend to be on the older side, and traditionally not as technically literate.

Now this was actually a really big deal back 10 or 20 years ago because executives of that era who were in their 40s to 60s, they didn’t grow up using computer computers. By the time computers really went mainstream in businesses and most positions, these folks were already in management ranks and they usually had a receptionist or an assistant who did most of the on keyboard work for them. This is becoming less and less of a problem these days because in many C-suites, we have that median age again of 40 to 60 years old. And these are people who were kids in the 1970s through 1990s, which means they spent most of their careers using desktop computers and emails at the very least. And this makes them a little bit more technically literate than they were before. And this means, they’re more likely to detect whaling attempts. Now the fifth type of phishing is called SMS phishing or more simply smishing. Now SMS stands for the short message service, and it’s the text message component inside of a cell phone, smartphone, tablet, or other mobile devices. SMS messages only support text messages though of up to 160 characters, and they don’t include any support for pictures. Now MMS or the multimedia messaging service on the other hand is a form of text messaging that allows pictures, sounds and videos to be sent using the service. Now regardless of whether a penetration tester or attacker is actually setting the message over the SMS or MMS protocol, this type of phishing is still referred to as smishing.

Now, if you’ve ever gotten a text message with a link in it that you weren’t expecting, it’s most likely because somebody was trying to use smishing against you. Now, smishing can also be combined with other social engineering attacks too. For example, I might use pre-texting to start a conversation with one of the targeted organizations employees that I meet at a bar. Then I could tell ’em about this cool website that they simply have to check out. I asked for their phone number and I send them a quick text with the link. So now the employee Paul is going to get that text message from me that says, “Hi, Paul, this is what I was mentioning when we met” with a link of tapr.ml/2ps, which uses a link shortener. Now, if Paul clicks on that link, hopefully using his corporate smartphone, I can then infect his device with malware, create a remote session or whatever other technical exploit I want to deliver when he clicks on that link and loads up the website which of course I control. Now smartphones have become so commonplace in our society that most of us have at least one in our pockets at all times. I say one because for a long time, I personally carry two.

One was my personal smartphone and the other one was my work issued smartphone. Now most people, if they get a text message like this, they’re either going to click on the link or they’re going to copy and paste that link into their browser. Now either way, they grab the bait and you’re ready to move on to the next stage in your attack or exploit. So remember, this is just another way you could start targeting that organization. This goes back to doing your information gathering earlier on too because if we know people cellphones and we know their name and the position they’re in, we can start targeting them and even do spearphishing through text messages using smishing. Now the six type of phishing is known as voice phishing, which we call vishing. Now vishing occurs when the message is being communicated to the target, using the voice functions of a telephone, basically vishing involves calling somebody up and pretending you’re somebody else.

While conducting vishing used to be a very targeted form of social engineering and involved a lot of pre-texting and knowing information about a given organization, vishing these days has moved into the mainstream because of the low cost of deploying automated calling bots. I don’t know about you, but it seems like I get at least a few vishing calls every single day to tell me about how my car warranty is about to expire, if I press one, I could speak to an agent. Now if you press one, that agent is going to then try to convince you you need a new warranty and they’re happy to take your credit card over the phone to get that started right away for you which of course is either a scam, a con, or a ripoff. Phishing is actually one of the oldest forms of phishing too. It goes back to the earliest hackers out there, those original hack we’re called freakers because they focused on hacking the phone systems. If you’re interested in really diving into the social engineering concepts in more depth, I recommend you check out the book, “Ghost in the Wires” by Kevin Mitnick. This is an autobiographical account of Mitnick’s exploits going through the 1970s and 1980s.

And it really focuses a lot on his social engineering prowess with vishing, pretexting, impersonation and his uncanny ability to influence others to do what he wanted. It really is a great book, and when you read it, it reads like spy novel, but it’s also considered non-fiction and truthful and it covers all the technologies used in those attacks too. There’s another type of attack that’s conducted using emails that some people classify under phishing and sometimes they break it out in its own category. This attack is known as a BEC, or business email compromise. A business email compromise is going to occur when an attacker impersonates a high level executive or they’re able to successfully hack into and over that executive’s email account. Then the attacker is going to send emails to other various employees to conduct different tasks and they’re going to do it because they believe the executive actually sent that email. Now one of the most common forms of business email compromise occurs when an attacker sends an email from the CFO or chief financial officer over to the financial accounts payable team, and it tells them to issue payment for an invoice in their queue by conducting a wire transfer.

Now in the email, the supposed CFO is going to direct the employees to wire the money to a bank account that’s provided in the email, which ultimately is owned by the attacker. Now as a penetration tester, you may find yourself using a business email compromise as a way to get lower level employees to conduct asks on your behalf if you’ve already been able to take over a higher level employee or executive’s email using some other form of technical attack or exploit. The final social engineering attack we need to talk about is pharming. Now pharming is not a type of phishing, making it unique in this lesson. Pharming attempts to trick users into divulging private information by redirecting a victim to a website control by the attacker or penetration tester.

Pharming usually involves hijacking the user’s web browser settings or running a background process that automatically redirects users to a malicious site. Another method is to add an entry into the workstation’s host.ini file to force a redirect to occur. Then the attacker users redirects or popups to display the website that they control in the browser and mask the actual URL. So it may appear that you’re on paypal.com, but you’re really on Jason controls paypal.com instead. Often an attacker’s goal here is to get the user to log into the website by entering their valid credentials. And then they’re going to get redirected to the actual site. Meanwhile, the attack or penetration tester has now collected the valid credentials and can now fully take over that victim’s account.

• Category: Uncategorized