Toolkit—a New Wave of Technology for Social Engineers
When we launched http://www.social-engineer.org,
we wanted to create a place that would promote awareness of the attack
vectors that threaten so many companies in the world today.
When we called on the community to help us
spread this message, we had many responses offering to help with
writing, research, development, web design and all other aspects of the
creation of this cornerstone of the www.
One area where we didn’t really know what to expect was tools.
This is where Dave “Rel1k” Kennedy comes in. Dave
has been in the security community for 9 years serving in the US Military
and then the private sector as a lead penetration tester in his company, Secure State.
At times he has had to make tools to fit a
particular need; one such tool is Fast-Track, which is now a popular tool and
included in the #1 penetration testing distribution, BackTrack. Dave
answered our call and offered to develop a tool that would assist a
penetration tester/social engineer in auditing a company's response to
social engineer attacks. It is a
Python-based system that works in conjunction with the Metasploit
Framework and has built-in power tools. It closely mimics what the “bad
guys” are doing and allows a security consultant to give clear answers
back to the company as to their staff’s response to such attacks.
What can it do for you?
Toolkit or SET, as we call it for short, can help you test your
company’s response to these attacks.
It will allow you to set up a malicious website, or send out an
email from a spoofed address with a maliciously encoded PDF to all your
employees. Both of these vectors
lead to getting shells on the victim’s machines.
What will this tell me about my company?
This is a good question because, sure, the tool
is FUN. We just sit around all day
getting shells on virtual machines because it is fun and it never gets
old. So, fun factor aside, what
will this do for you?
SET provides you, or the social engineering
company you hire to audit you, an environment to automate some of the
technological aspects of a good social engineering vector: setting up a malicious website,
sending out emails with encoded PDFs or other file types and then, most
importantly, collecting the shells for those attacks.
The future of SET
We are excited about the way the industry has
responded to SET and the benefits it can provide. Dave has been working hard on a new
feature that will just take SET to a whole other level.
It is so new, even to us, that we don’t have a name for
it yet, but basically it will allow you to wget any webpage you want and
then implant your malicious payload into that page. Using the ARP spoofing feature, or
redirecting your client, you can point the targets to a web page that
looks, feels and reacts exactly the same as any commercial site out
there. Yet with one major
difference… when they browse, they get owned.
Can You Protect
As wonderful and fun as all this is, really the
end result is how can you protect against this? If we can spoof your email address, if
we can mimic any website out there, including your homepage, if we can
send you a necessary Java install signed from Microsoft, if we can do all this remotely or internally…
what possible way can you protect yourself?
Education, awareness and policies
are the threefold cord to tie this together. Of course, policies really don’t enforce
anything. They do have their
purpose though: they let your employees know what your expectations are
and what you would want from them.
They let them know the rules and the consequences for not following
The real fix is in awareness and education. Many times when we demo these attacks
for companies, the response is jaw drop and tears. Why?
They had no clue these things were possible and not that
difficult. They spend $500,000 on
IDS, firewalls, the brand new gadget to protect their hardware… and $20
on the lock or $0 on education and root access was granted in a matter of
Holding a regular class for your staff, annually or even more
frequently, that educates them on what the dangers are, how to
spot them and what to do if they suspect a malicious social engineer
attack can save your company thousands or even millions.
By Chris “loganWHD” Hadnagy
When did you start to suck at social engineering?
There is an old saying that if all you have is a hammer,
everything looks like a nail. While that saying is supposed to teach us
something about how we all need to have a deep toolset to pull from, I
think there is another lesson we can take away from it: Imagine if that
was your only tool, think of how good you would get at using it.
Anyone that interacts with kids much knows one thing: they know
what they want and they want it NOW! From some new toy, to not having to
go to bed, to having a favorite meal, they want things. However, to
actually get these things they want, they have to ask someone else to get
it for them. They only have one tool, and they are really good at using
So what is it that makes a child so
successful at getting what they want?
What is this “tool” they possess and what can you and I learn from
it? These are the questions that
will help us to see when you started to suck at social engineering.
Now we are not saying that children are trained social engineers,
but let's take a look at a true-to-life scenario that happened in my life
to illustrate. When one of my
children was only two and a half years old he loved to spend time at his
cousins' house. He wanted to stay the night there for a few days and I had
been telling him no since we lived over 50 miles away at the time. We did
talk every few days to them on the phone, so I figured that was enough.
Finally, this transpired one evening:
Kid: Mom, I forgot! I'm supposed to stay the night at the cousins'
tonight. You'd better call them.
Mom: You are? I don't remember anyone saying anything to me about
it. I think they would have told me if they needed you to, sweetheart. I
think you might have heard something else.
Kid: No, they forgot to tell you so they told me. You should call
them. Just call them and make sure tonight is the night they need me to.
What day is today?
Kid: YEAH!! It WAS tonight!! Just call them.
Mom: Alright. I'm calling her, I'm calling her.
Kid: I wanna talk first, please?!? (puppy eyes)
Mom: (dials the phone)
(Kid grabs phone and runs to his room. He slams the door and sits
down behind it to block it. I can still hear him though).
Kid: Hi. My mom wanted me to call you and see if I could stay the
night tonight. She said she has some... umm..things to do... and umm..
(Mom opens the door and starts reaching for the phone) Hi mom! She said I
stay tonight. Bye! (Hangs up phone, throws it across room and runs from
room to try to hide while mom calls to find out if the cousins were as clueless
with all of this as I was.)
As odd as it might sound, this
really is a true story. So let's analyze this to see what we can learn.
The child's goal was to spend the night. He knew that if he just came
out and asked, the answer was almost guaranteed to be NO. He knew, without knowing what he was
doing, that he needed tools to win this battle. So he first develops a pretext that he
was asked to spend the night due to some unspecified event.
The mother almost throws a monkey wrench into the mix when she
expresses interest in verifying the information. Quickly the child tries to take control
of the situation by being the one to speak on the phone first. A liberal
use of the "cute" kid request was thrown in, just because he
knew mom always responded well to that. With this professional execution,
he gets through the first step with mom.
Now this is only half the battle; he now needs his cousins to
agree or his plans are thwarted. First he tries to remove mom from the
equation by going into a different room to speak to his cousins. He now
needs to create a different pretext to tell his cousins.
He tells his cousins that he is calling because his mother would
like him to stay over there, because she has "things to do".
Was this going to be successful? Who knows, because mom interrupted this
brilliant execution, forcing him to quickly try to wrap things up by
making it so the two adults can't speak to each other to verify the
The amazing thing about this is, it comes naturally. So when did it
happen that you started to suck at social engineering? I am sure you have your own stories
that are as good or better than this one.
As we get older some changes occur: for example, we begin to care what
others think about us. We become
conscious that there are others in the world, and the universe doesn't
revolve around our needs. We begin
to understand consequences for bad actions, or actions that we are told
are bad. As these changes occur we
test our boundaries less and cease expanding our horizons. Fear of disappointment, fear of getting
caught, fear of angering those we love become more serious to us. All of this causes us to start sucking
at social engineering.
Now this is not to say that to be a social engineer you must not
care about people, your surroundings or your conscience; we are merely
stating that these things, put into us by society and our upbringing,
contribute to us being less manipulative of people.
So if you choose a profession that requires you to be skilled
at social engineering, what can you do?
Start at the basics and watch a kid to learn. But please, not in a
creepy "Let me watch your children play" sort of way. That's
Just watch a kid asking for something, and see how they do it.
Try to categorize the way they interact, what they are playing off of. Go
through the framework and see what items you can apply to the child's
behavior. Some will be obvious, some will be subtle. Invest the time and,
while you may not learn anything new, you are guaranteed to remember
something you have forgotten.
Written by Jim