What is Social Engineering?
Social Engineering is the process, which examine the valuable information and the exploit the vulnerabilities of the people through the examined process. It is mainly depend on the practice of learning and obtaining the valuable (necessary) information that is needed for the exploitation. This is the most vulnerable layer in the security infrastructure as the human is the weakest link in the security defense, because it is easy to find a lot of information within a short period of time by examine the activities of a human. This can be in to ways, one is the attacker can only get sensitive information of the person without any mediate for a instance through the social networks it is very easy today. Another way is the attacker is intruding with the victim, for an instance the victim’s computer can be used as the origin for the valuable information secretly install malicious software to the machine.
Basically there are four steps in attack process, this gives an idea of what social engineering entails.
This is the process of collecting the relevant information of the target. There are many techniques, as above mentions this can be either active or passive information gathering of the victim. Like, through online social networks, identifying third-party software packages used by the target victim, getting involved in corporate business events and parties, and attending conferences etc…
After getting involved with the victim it is possible to identifying the vulnerabilities. This should ensure that an attempt to get any confidential cooperate information would not harm or alert to the target.
This is the process that, whether the attacker is going to perform an active or passive attack to the target through identified vulnerabilities. The attacker should identify the methods to perform the tack and the way to do it (path to the attack)
This the place where the actual attack take place. In this point the attacker should have a plenty of information about the cooperate asset. In successful execution the exploitation and the expected task is get completed.
There are five methods that could be beneficial for understanding, recognizing, socializing and preparing the target for attacker’s final operation.
Step1-Attacke acts as a person whom very close or well-known person to the asset to gain trust.
Step2-Hence the target has no email account it identifies as the vulnerability.
Step3-Then planning to harvest a forge e mail request to the client as original, for the propose of getting sensitive information of the asset
Step4-After getting the necessary details (here the banker’s identity) impersonate the victim’s bankers identity.
Step1-In here the gathering information is a long time process because it is a matter of getting close and exchange mutual ideas with the asset.
Step2-getting close with the asset and identifying the major weakness of the target, in here the Alice’s eager to the antique pieces.
Step3-Then plan to get the required information, here Alice is compelled to exchange ABS company’s physical security policy details for a special antique pieces.
Step4-After the exchange Bob can get the details of security policy and execute the attack.
Step1-Part of impersonation method, in the XYZ Company to acquire their authentication details.
Step2-Identifying call spoofing method as the best way to get information.
Step3-Using the call spoofing as the CEO get the relevant details.
Step4– After gaining details, then can get the details of security policy and execute the attack.
Step1-This is matter of getting the best opportunity, getting information (emails) of the students of the university.
Step2-offering the voucher as the bait get the student details.
Step3– by letting them believe and persuade their thinking about getting the latest iPod for free planning to get the things.
Step4-then execute the vulnerability, can be extended to maximize commercial gain and achieve business objectives.
Step1-Acting as the opposite gender trying to get the detail of the target,
Step2-Identify the Alice as the victim and make a relationship with her and get know about the needed details through her.
Step3-Then plan to get the details, here meeting the Alice and extract useful inside of the financial and marketing perspective of the ABC Company.
Step4-then as usual execute the attack.
To start SET, navigate to Applications | Kali Linux | Exploitation Tools | Social Engineering Toolkit | setoolkit.
Using the Social Engineering Toolkit in Kali Linux
S.H.M Lahiru Prabtah Balasuriya.