Take Your Pretexting To The Next Level

We asked in our IRC channel for topic ideas and this month's topic was, in part, prompted by a great suggestion from Jaime Filson aka WiK. Thanks WiK, keep the great ideas coming!

Pretexting is a staple of the social engineer, one that a professional must become proficient at creating, using and perfecting. Yet, as social engineering is one of the largest threats to corporations in the world today, what responsibility does the professional social engineer have to perfect their pretexting skills? In addition, are there certain aspects of developing your pretext that can give you the upper edge?
In this newsletter, we will discuss some aspects of pretexting that will make a huge difference in your security audits.

What is Pretexting?

"Pretexting is defined as the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases, it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Social engineers can use pretexting to impersonate people in certain jobs and roles that they never themselves have done. Pretexting is not a one-size-fits-all solution. A social engineer must develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. For example, mimicking the perfect tech support rep is useless if your target does not use outside support." (Social Engineering: The Art of Human Hacking, 2011)

With this in mind, many social engineers go with the standard pretexts of tech support reps, vendors, fellow employees and such. These are all very successful, but at times, a social engineer needs to expand beyond these standard pretexts and utilize something more specific to the given situation.

In one case, we had a goal to compromise a company and steal corporate secrets. This would require us to have a very strong rapport and a serious relationship with the targets. The targets were well guarded, used to being attacked, and ready for most common social engineering tactics. We had to think outside the box and really use some serious pretexting tactics to make this work. The following are some of the tactics we used to make sure the pretext was solid.

Character Development
As I have mentioned many times before, a good pretext is not a lie; it is a character you become. While in "character", you eat, breathe, and live that persona. To do this, I find it useful to write out a story line about this person's life. Details may include things like place and date of birth, marital status, kids or not, job title, work experience, education level, favorite foods, hobbies, vacation spots, and more. You might ask why all these details are important, but each one of these topics may affect the reactions or conversations that this person would have. Knowing and then writing a bit about each of these topics helps develop the character.
Once these details are completely written out and the picture is clear about who this character is, the rest is not as difficult. From there, you will have to decide what type of clothes the person wears, what car they drive, and what props they use. Clothes can do a lot to prove or disprove an in-person pretext.

If you overdress or underdress, you can become disconnected from your target. If your target is a blue-collar worker and you dress in a three-piece Armani suit, it can be uncomfortable for the target. Thinking through all these details is very important to the success of the pretext, especially when it comes to items that you might need to plan for. In this case, our pretext of being high-level management required a car that would support it, which meant not pulling up in my older Honda Accord. Renting a car that fit my pretext was vital, and finding a rental place that had the right car and making sure everything was in place took some planning too.
If some of these things are hard for you to plan out, there are a couple of things you can do. First, what magazines would your character read? Find out and go buy them. Look at the cars, clothes and other advertisements in those magazines. This will help.

Another idea is to use Google Images. Let's say that our character is a research student at Harvard. Searching for that phrase returns a set of images, and analyzing them can give you a good idea about what a research student dresses like, looks like, and more.

What about Props?
One of the other, often overlooked, parts of pretexting is the use of props, or devices that back up your pretext. The problem with props is usually one of two things.

First, many social engineers overuse props. They rely so heavily on props that the props can easily drown out the character and cause a disconnect with the target. On the other hand, not using the proper props, or the right amount of them, can cause this same disconnect.

For example, if your pretext is a computer tech support person and you show up with a huge number of tools and gadgets, it may raise some serious red flags, whereas coming in with no tools at all can cause a strong disconnect.

There are two other props that are often overlooked, but should be of serious concern to the professional social engineer.

The business card: It is amazing how simple this little tool is, yet how it solidifies in many people's minds that you are who you say you are. For under $25 in the USA, you can have 100-500 decently printed business cards made with your character's name and contact information on them.
• http://www.123print.com/Business-Cards - starts at $9.98
• http://www.vistaprint.com/ - starts at $3.99
• http://www.printsmadeeasy.com/pricing.php - 20 full-color glossy cards for only $3.99

A real contact number: In this age, disposable cell phones are so easy to obtain that every social engineer should have one. A dedicated cell phone for this character is not only important for your business card, but also gives a very realistic impression. Having a real number with voicemail can make a huge difference.

Besides disposable cell phones, there are services like Numbr that, for as little as $6.99 per month, will give you a disposable number that you can have forwarded to any mobile or landline.

Services like RingCentral are amazing virtual PBX services. They can create a whole virtual office with extensions, fax numbers, call forwarding, and many more real office features. If your pretext needs to be part of an office, you can have calls routed through a real PBX system then out to cell phones or land lines anywhere.

Of course, there are other little things that can make a huge difference like a valid URL and email on that business card. These little things make your pretext even more solid.

Don't Lose Focus
It is important not to lose focus because of the little details, yet at the same time to pay attention to them. How can you do that?

Don't let the details overwhelm you at first. It is OK to make mistakes. Mistakes do two things. First, they make a story real. Not many of us remember every detail and every nuance. Secondly, mistakes are great teachers. Learn from them and improve for the next time.

In the account I mentioned above, we rented a brand new car, made sure we had an expensive-looking suit, and, for under $200, set up an online virtual PBX system. When I had my business cards printed, they came with a toll-free number and extension. This alone solidifies your believability, and it worked.

Approaching the target in a relaxed atmosphere at the same gym allowed an open conversation to start about how stressful the day was and how hard this work was going to be. Natural curiosity led the target to ask what I do for a living, which made for a realistic reason to give him a card. All of these little details made for a very real environment that seemed natural, with no reason to question it.

A small conversation was started before the workout, and then I made sure to time my completion with the target's without seeming like a stalker. After we were both dressed and heading out the door, I had a chance to ask a few more questions about his work and invite him to a lunch meeting to discuss how we could help each other. With a good local restaurant already chosen, and as I got into my "new" car, the pretext was so solid there was no reason to doubt me.

It is easy to rely so heavily on the details that the story itself loses focus. So in the end, it is a fine balance between details and the big picture. Pretexting is an art form in itself. Mastering it can enhance your audits and your ability to notice the little things that may tip you off to social engineering attempts against you and your company.

Stay tuned for more next month.

Written by Christopher Hadnagy

Social Engineering in Penetration Tests

We cover a lot of aspects about social-engineering here between the newsletter, the site, podcast, and now Chris’s new book. But this month, I wanted to take a step back and talk about how the practice of social-engineering is put to use in penetration tests.

The threat of social engineering and the damage it can do to you (or your business) is common knowledge by now, to the point where I am not going to re-plow that field again. (Be sure to see the results of the latest poll, "Is Social-Engineering the most dangerous threat to companies today?") The natural question becomes: how do you defend against the threat? Obviously, there is no single action that a company can take to "be defended"; it is a question of many different efforts coming together, from security awareness training to filtering technologies, from more secure and well-configured baseline templates to even the policies at a company. But once that is all in place, how do you know if these systems are working? Where do you concentrate future efforts?

The Concept of Penetration Tests
This, of course, is the idea of penetration testing. The whole topic of penetration testing has become loaded with so many different points of view: what is or is not a penetration test; how they should be conducted; what they should include; and so on. So let’s look at the situation from a few different angles.

In its purest sense, a penetration test is an "attack simulation" in which a third party attempts to simulate, as closely as possible, the activities of a malicious party conducting an attack against the organization. This would typically be done in a manner intended to minimize any sort of adverse events in the sequence of testing, in order to control risk. The goal of this test is to identify proven security concerns for the company and demonstrate how a party can act on those identified issues. In no way does a penetration test act as a comprehensive identification of all security concerns for the organization; rather, it is a way of modeling the most likely situations to compromise the company. The results of the test would then be used to maximize future security efforts in the organization by focusing on the high-impact areas identified. This is important because time and budget are limited, and companies want to make sure the benefits of security expenditures are maximized.

The point is, this sort of open attack simulation is not often done against an organization. There are many reasons for this, but the end result is that various controls on the penetration test are put in place, identified in the "scope" of the engagement. This scope defines what can and cannot be done in the course of the assessment and can be imposed for legitimate and valid business reasons. For instance, if an organization knows it likely has issues with mobile device security, it would make sense to conduct a penetration test targeting only those mobile devices. While this does not reflect a true and accurate overview of potential compromise points for the company as a whole, it does focus on the targeted environment and can be very useful for an organization.

To use an example, you may go to a doctor and undergo a heart stress test. You may have other physical problems that need to be addressed; however, that does not mean that the heart stress test is a useless test. When used in conjunction with other assessments of overall health, it can provide a very useful and valid idea of your overall health risk.

Modern Penetration Tests
As time has gone by, scope limitations have been imposed more to ease the administrative burden of responding to an assessment. What this has resulted in is penetration tests that are no longer an attack simulation, but rather an assessment of the exploitation potential of unpatched, buggy, or misconfigured software.
There are many regulations that require penetration testing for compliance, and a whole industry has been built around providing these compliance-based penetration tests. These assessments are typically conducted as a simple overview of what services are available on the network, whether there are any exploitable flaws within those services, and a demonstration of the exploitation of those vulnerabilities. This sort of assessment provides those responsible for securing the network with a simple "to-do" list of flaws that can be remediated in time for a re-scan, and a quick path to meeting compliance goals. For organizations conducting the testing, this also provides an economical model where a service can be delivered by mid-level employees utilizing automated toolsets.
The biggest flaw that this situation has created, however, is that many organizations believe they are gaining the benefit of an attack simulation when all they are really gaining is an inventory of exploitable issues.
This situation has existed for some time, and there is no indication that it is going to change drastically anytime soon. Service providers have too much incentive to deliver as much product as possible with as little investment as necessary, and many businesses engage in penetration testing not because they are interested in true attack simulation, but rather to meet compliance goals. As an industry, however, we have an obligation to deliver the best possible product within the constraints of our reality. (The day after this was written, Val Smith posted on the topic of automation-based penetration testing on the Attack Research blog, and it is well worth a read.)

Social Engineering Automation
Social engineering attacks have matured to the point where there is no excuse for not including them within even a tightly constrained, compliance-based penetration test. Attackers will always take the path of least resistance, and excluding this extremely common attack vector from scope has reached the point of simple negligence.
In large part, SET (the Social-Engineer Toolkit) is the primary driver enabling even low-skilled penetration testers to conduct these attacks, which are commonly ignored in low-end penetration tests. This is positive for the industry, as it increases the effectiveness of the lowest-quality penetration tests. Even a simple mass mailing with a malicious document, or a basic phishing attack, is an improvement over what has traditionally been delivered at this level.

Anyone purchasing a penetration test should insist that at least this minimal degree of social engineering component be included. This small component of the assessment will deliver far more value than the exploitation inventory that is normally the focus of the testing.
Beyond that, companies seriously need to consider expanding the scope of their standardized penetration test to come closer to a true attack simulation. Focused social engineering penetration tests should also be conducted, as a way of addressing this long-neglected attack vector.

Raising the Floor
For too long, social engineering attacks have been conducted only by malicious parties. It is past time to raise the floor on what we consider acceptable, and the tools are available to do it.

There are steps that service providers can take now to help reach this goal. First off, make social engineering attacks a standard part of the penetration test, not an optional add-on. When customers see it there by default, they are more likely to just leave it there, as it removes the "decision" of whether to include it or not. Identify what attacks you can include in your standard methodology so that you are not doing one-off efforts across different engagements. By using a standard attack set, you are able to provide your customers with true comparisons of how "normal" or not they are relative to your other customers. Additionally, it provides you a metric that you can use in follow-up engagements to show the improvement in the environment that has been gained through the testing.

Take the time to have your consultants use the tools in a test environment and understand what has to occur for each attack to be successful. SET is a great way to do this, as it lets you watch the actual commands that are passed to the underlying tools. Take the time to research those commands so that you know what it is you are running. Utilize automated tools to help you maintain your profit margins, but do not believe that you can rely on these tools without understanding what is happening.

We would never argue that automation-based penetration testing is adequate to fill the role of a true attack simulation, but we must accept that these automation-based assessments are here to stay. We must do what we can to increase the usefulness of the products they deliver.
In later articles, we will examine in detail the sort of "bare minimum" attacks that should be included in every penetration test. For now, be sure to check out the various tutorials on SET and http://www.offensive-security.com/metasploit-unleashed/SET, and take a moment to review the reports from your previous penetration tests to note what was not included. Please let us know if there are any specific attacks that you are interested in, and we will be sure to address them for you.

Written by James O'Gorman