When you think of hacking, what picture comes to mind? For me, it’s a young guy in a hoodie, typing commands into a green and black terminal. Of course, this Hollywood hallucination couldn’t be farther from reality. So what does a hacker really do? If you look up guides to hacking, you’ll likely find hundreds of articles about exploits, programming languages, networking, crypto, and so on. But there’s one link in the tech stack that will always be vulnerable: the human mind. That’s why social engineering for red teamers is indispensable.
Pentesting a company is hard, so knowing how to get what you want from people can smooth the process quite a bit. For example, to launch a good phishing campaign, you need to know how to trick people into clicking links. To break into a data center, you need to know how to fit in and seem like you belong.
For red teamers, social engineering is a basic skill. You simply must learn at least a little bit. But social engineering is a massive skill set, far too complex to cover in this small guide. So instead, we’ll give you the principles and resources to begin your learning journey the right way.
Let’s dive right in with a practical example.
Social engineering for phishing
Phishing stands out as the single most costly threat facing modern companies. Per a report from cisa.gov, “In the first 10 minutes of receiving a phishing email, 84% of employees took the bait by either replying with secret information or interacting with a spoofed link or file.”
Because workers tend to fare so poorly against phishing, any pentest should try to include a phishing audit. And what’s the core factor that decides whether a phishing email works? That’s right, good social engineering.
There are even tools that help red teams run phishing campaigns. You can download GoPhish for free and run your entire campaign from the web UI.

Okay, so if GoPhish does all the hard work for you, then why do you need to learn social engineering? The answer is simple: GoPhish handles the hard technical work, but it’s up to you to devise a campaign that will actually trick people.
What phishing message should you use? How should it look? An org that does basic customer service and has no tech staff probably won’t respond to a phishing message that pretends to be from GitHub, for example. A good phishing campaign should consider:
- What software the employees use
- Company culture (technical, creative, finance, etc.)
- Common issues at the company
To learn more about phishing within the context of social engineering, check out this awesome resource on the topic: Social engineering (phishing and deceptive sites).
Physical penetration tests
There’s only one thing that can top the adrenaline rush you get when you hack into a box, and that’s breaking into an actual building. In these kinds of attacks, social engineering isn’t just helpful, it’s the core skill that makes the attack work. Even if you’re pentesting a closed building at night, consider the ways that social factors can make or break your pentest:
- Avoiding turning on lights in the building.
- Dealing with a security guard who finds you.
- Wearing clothing that camouflages you without looking like a burglar.
- Knowing how to appear nonthreatening and trustworthy to passersby.
For a great example of what physical pentesting is like, check out this wonderful episode of Darknet Diaries: Jason’s Pen Test. After listening to that, you should have a better intuition for just how deeply social engineering and physical pentesting intertwine as skill sets.
Practice caution in how you develop this skill. Just like hacking, you don’t want to pentest a target without their consent. So how do you practice social engineering for a physical pentest? One approach I’ve enjoyed is to just ask local business owners. If you have a friend who manages a store or warehouse, ask if you can set up a free pentest for them.
It’s really fun and they’ll (usually) be grateful for the free help.
Digital Reconnaissance and social engineering for red teamers
Before you pentest a target, you’ll usually want to collect as much intel on them as you can. In other words, OSINT. But you can take OSINT a step further by interacting with the target to get extra information. Think of this as “interactive OSINT”. For example, you can email devs pretending to be a customer, to find out important details about the internal tech stack. Or you can call and pretend to be someone from within the company. Or you can even go into the building before the pentest and get a feel for things.
Social engineering makes all of this substantially easier. People have an instinct to help. As a social engineer, you can exploit this and get them to share extra info that helps you during your pentest: when the security guards go on break, who has admin credentials, and which machines on the network would let you gain privileges are all things social engineering can help you ascertain.
To give a practical example: suppose you steal someone’s password using phishing. However, they have an extra security step that asks what their mother’s maiden name is. You may be able to acquire this info via OSINT, but if not, social engineering might be the only tool that can get the job done.
Learn more about social engineering for red teamers
Compared to “normal” hacking, hands-on social engineering experience is less straightforward to acquire. There aren’t many CTF games that focus on social engineering. However, some resources do exist to help you on your social engineering learning journey.
For example, HackTheBox’s OSINT challenges teach a number of reconnaissance skills that will help you in social engineering tasks. You can also learn a lot from high quality guides to common cognitive biases, such as this one: https://www.lesswrong.com/posts/ptxnyfLWqRZ98wnYi/biases-an-introduction.
Of course, nothing compares to real, hands-on experience. As we mentioned earlier, the best way to up your social engineering abilities is to contact small businesses and offer free physical pentesting work. After all, convincing friends who own businesses to let you do a physical pentest is a social engineering challenge in its own right!
Good luck, and happy hacking!