Ethical hacking: Social engineering basics
What is social engineering?
In a nutshell, social engineering is the art of manipulation and misdirection. A social engineer’s goal is to do something that they are not authorized to do. This includes everything from stealing sensitive information to gaining access to a restricted area. Accomplishing this requires ensuring that the target, or “mark,” doesn’t notice what the social engineer is doing or, at least, doesn’t take any action to stop them.
What should you learn next?
How social engineering works
Social engineering is essentially lying and manipulation. Done properly, a social engineer can accomplish everything that traditional hacking can and often with a lot less work. When preparing for and performing a social engineering attack, there are a few useful tips and tricks.
Know your target
One of the most important parts of social engineering is knowing your target. This includes knowing as much as possible about what information or access you are trying to acquire and the person that you’re trying to acquire it from.
Distilling everything down to a single piece of information can make a social engineering engagement much simpler and more effective. If you need to ask many different questions, the more likely that the mark will become suspicious, which can bring a social engineering exercise to a sudden end.
Simplifying what you want, down to the simplest amount of information possible, can require some attack modeling. In many cases, a collection of information can be acquired from a single other piece of data. For example, access to an email account can provide a large amount of valuable data and only requires knowledge of the user’s password.
Acquiring the information in a subtle manner often requires knowing the target. There are a variety of different social engineering approaches (see Cialdini’s research for some suggestions), and knowing which one to try depends on knowledge of the person. Doing some research in advance can dramatically increase the probability of success in social engineering.
Keep it subtle
A social engineering exercise is only successful if the mark doesn’t catch on in the process. Social engineers are asking for something that they shouldn’t be allowed to have and if the mark realizes this, they can easily deny access.
In most cases, a key aspect of keeping social engineering subtle is hiding it in the conversation. While a single odd question may raise suspicions, a mark might not even notice the critical question if it’s a few minutes into a conversation and the social engineer and mark have built up some rapport.
One way to test if this level of rapport is sufficient (and if the mark is comfortable enough to answer unusual questions) is to ask something personal. Depending on if and how the target answers, the social engineer can get a feel for whether a question will be successful before asking.
Another important concept is the serial position effect, which says that someone is most likely to remember the first and last items in a list. When asking a series of questions in order to get a single answer, bury it in the middle of the list to minimize the chances of detection.
Not just talking
Social engineering is based on manipulating communication, but talking isn’t the only way that humans communicate. We communicate via body language, tone of voice and more, and for a social engineer to be successful, these have to match the message. In fact, some social engineering engagements can be performed without saying a word.
For a social engineer, a few well-chosen outfits can be an invaluable tool. A good suit, quick a steady stride and a cell phone can (literally) open doors. Some helpful employee may mistake the social engineer as someone from management in a hurry and politely hold the door. A similar effect can be accomplished with a heavy load and a mail carrier’s uniform (pick a private company, since impersonating a USPS employee is a felony) or through a variety of different ways.
During a conversation, an individual’s looks and body language needs to match the persona that they’re using as well. An executive can get away with authoritatively giving orders, but the office intern can’t. Preparing and practicing a good persona for a social engineering engagement can make everything easier and more effective.
Social engineering and ethical hacking
In some cases, social engineering is placed out of scope during an ethical hacking engagement. A lot of people dislike social engineering because it involves lying to the mark and can damage the relationship between the employees of a company and its management. This is especially true if the engagement is handled poorly and employees are left with the feeling that the company was trying to trick them into bad behavior.
However, social engineering exercises are a vital aspect of ethical hacking engagements. Over 99% of cyberattacks require human interaction because, in most cases, it’s much easier to trick a person than it is to trick a computer. An attacker attempting to steal millions of dollars from a company is unlikely to have any scruples about deceiving a few employees in the process. As a result, ethical hackers need to help customers learn to identify and respond properly to social engineering attempts.
Conclusion: Becoming an effective social engineer
Social engineering is the art of manipulation. Success at social engineering depends on understanding what makes people do things and how to incentivize someone to do something that isn’t in their best interests. People do things not in their best interests all the time, and the key is making what the social engineer wants seem enticing to the mark.
A number of different resources on social engineering exist and are definitely worth a read. However, nothing can replace practice. Communication is a two-way street, and social engineers need to think on the fly in order to ensure that the mark is hearing the message that they want to send. You can’t learn that from a book.
What should you learn next?
Sources
- The Science of Persuasion, Scientific American
- Serial Position Effect, Simply Psychology
- More than 99% of cyberattacks rely on human interaction, Help Net Security
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Ethical hacking: Social engineering basics
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
