Social Engineering For Red Teams: A Practical Guide - Part 1

This blog post explores the practical application of social engineering techniques in cyber security through a real-life case study. It showcases methods such as tailgating, creating urgency, authority transfer, and building rapport.


The elevator was packed, the heat of bodies filling the tiny space during the long climb to the top. My buttoned-up shirt stuck to my back as the sweat built up. I gambled on reaching the floor I needed by tailgating employees who had boarded on the 1st floor. I knew what floor my target company was on; I just wasn't sure whether there was an employee in the elevator with me whom I could tailgate the rest of the way. Anxiety grew with each stop as people exited the elevator, slowly reducing my chances of blending in with a group of one or more employees entering their company workspace. They all had access badges, and I had no way of cloning them at the time. This was a spur-of-the-moment task: gain entry to the client company’s physical location and establish a Remote Access Tool (RAT) on as many systems as possible without being detected. Since I was unprepared, it meant I had to social engineer my way in... somehow.

Alas, I found myself alone on the 42nd floor of the building. I looked around and saw the target company behind glass doors, along with a buzzer that likely called a receptionist who was out of sight. I could see that the two glass doors used Request to Exit sensors (REX sensors). If I had a can of air or a piece of paper on me, I could’ve tripped it open. But I didn’t, because I was unprepared. I had to do this the less technical way: with my words and body language. The office that I was tasked to infiltrate was one of three offices: Toronto, Montreal, and Ottawa. Toronto was their main HQ, so I picked Montreal. This location was primarily French-speaking, which I was not fluent in at all. I figured this could be to my advantage in case I got questioned: someone who didn't want to deal with the language barrier might just let me do what I needed to do. Still, I needed a plan; I couldn't just completely wing this one. I rode the elevator back downstairs and waited for lunch hour to approach. Noon is always an opportune time for social engineering pressure techniques: people are hungry, clumsy, and ready to take a quick break so they can “check out,” if you will.

I called my colleague and asked them to pretend to be the IT Director from the Toronto HQ office who, upon a quick Google search, appeared to be named "Michael." The plan was simple: first, I needed to replace my colleague's name in my contact list with the name of the IT manager at the Toronto HQ office. Then I would call them and have them on speaker from my cell phone, hit the button to reception, and ask to speak with the office manager. I would pretend to fumble and not know whether this was the correct office or not after being sent from Toronto to conduct a quick WiFi survey.

As lunch hour approached, I made my move. After riding the elevator back up to the 42nd floor, I called the fake "Michael" and pressed the reception button. Someone approached from the inside, and I began to loudly say into my cell phone, "Yes, I think this is the correct place you sent; it looks like someone is here to let me in like you said." The person opened the door and asked if I needed any help. I informed them I was sent here from Toronto HQ to conduct a quick WiFi survey and asked, "Is the office manager around?" The person asked me to wait there while they looked for the office manager. A few anxiety-filled moments went by, and the office manager, fully suited up and clearly in a hurry, met with me.

Me: Hi, my name is Steve. I’m an independent contractor hired by Michael from the Toronto HQ to conduct a quick WiFi survey of the office.

Benjamin: Hi Steve, I'm Benjamin. Listen, I don’t remember getting an email about this. Who did you say sent you?

Me: Michael sent me, the IT Director over at Toronto HQ. Here, I have him on the phone.

At that moment, the person pretending to be Michael spoke:

Michael: Hi Benjamin, Michael here. I sent it out last week. Steven just needs 15 minutes, if that's alright.

Benjamin glanced at his watch, then squinted down at the phone in my hand, clearly seeing the contact name "Michael."

Benjamin: Sorry, I must have missed it. Unfortunately, I have an important meeting to run to. Can you conduct the survey after I get back? I need to verify who you are and then chaperone you around the office.

Me: Your meeting sounds important, and I don’t want to be the reason you are late. I also have a train to catch in 45 minutes, and missing it would be trouble for myself. Is there any way I could conduct this now?

Benjamin: Hmm, okay, how about you leave your details with Jerry? I'd just like to verify everything later if that's okay. I’ll introduce you to Jerry; he's a member of the IT help desk here. He can show you around.

Me: Sounds like a good idea, I can definitely do that. I appreciate your help. I’ll get started right away and provide everything to Jerry.

Benjamin, who holds some importance in this office, now introduces me to Jerry. Jerry is a young IT support specialist who shakes my hand as we are introduced to each other by someone who typically holds more authority—an instant reputation builder. Jerry has no need to question Benjamin!

After introductions, Jerry, who was hungry, wanted to go to lunch, and didn’t feel like walking around the small office space, let me walk around the office freely. I planted a few USB Rubber Duckies next to locked workstation keyboards and plugged my Bash Bunny into a few open workstations for some quick wins. Satisfied with pwning a few user workstations, I asked Jerry if he could show me into the server room real quick so I could get an inventory of everything in case we needed to upgrade them. I like to take in every detail about a person in case I need to build more rapport with them. For most people, it's their jewelry, shoes, hair, tattoos, etc. Anything that they do to help them distinguish themselves is what I like to compliment. Noticing his watch and nice brown leather dress shoes, I knew I had a few things I could compliment him on. As we walked to the server room, I said, “Nice watch by the way, is that a Seiko?” He nodded and began to talk about when he got it.

With the single compliment out of the way, I began to make positive statements like, "This is a great office space, beautiful view up here," etc. Something to get the conversation going during the seemingly endless walking we were doing. He seemed indifferent and saw that I wasn’t a threat, I guess. So when he opened the server room door and gestured within, I heard him say, “So yeah, go ahead and note down what you need. I’ll just be back at my desk finishing my lunch. Just remember to close up when you are done.”

I now had complete unsupervised access to the server room. I completed the rest of the objectives and left the building without issue.

Introduction

Many successful red team engagements rely on the art of social engineering. By having a deep understanding of how we humans communicate and the psychology behind it, you can gain unauthorized access to sensitive information and systems quicker than by finding code execution on the external perimeter through days upon days of staring at your Burp collaborator. In this blog post, I’m hoping to help aspiring cyber security students, penetration testers, and red teamers who are looking to sharpen and develop their social engineering skills. To do this, it takes a bit of understanding and accepting one's current comfort level.

I don’t consider myself an expert, as I am always learning and meeting people 1,000 times better than I am. You don’t need a lot of skill to do it; just understanding the concepts is enough to make anyone an expert. Everyone has this potential.

When I embarked on learning social engineering in 2017, it was phishing emails at first, then it built up to phone calls and in-person interactions like the real-world example above.

Social Engineering in Cyber Security

Social engineering attacks are designed to exploit the human element of security. Real-world attackers—the bad people—use psychological manipulation to coax individuals into divulging confidential information, downloading malicious software, or visiting unsafe websites. They might also trick people into transferring funds to fraudulent entities. These attackers prey on human vulnerabilities, leading to actions that compromise both personal and organizational security.

I'm hoping you can see why, in the context of red teaming, social engineering plays a pivotal role in testing an organization's defenses, focusing on the human element rather than just technical vulnerabilities. Helping organizations prepare for the different types of psychological attacks against their employees is very important for follow-up training, counter techniques, and providing them a way out of situations like these should a real attacker come calling (or in this case study, knocking on the front door).

There are various types of social engineering techniques that I won’t write about here; a quick Google search should get you started.

To become skilled at social engineering, it's important to understand the underlying principles of human psychology, such as trust, authority, and the desire to be helpful.

But first, let's pick apart what I did to use as a starting point to help you on your own learning journey.

Psychological Aspects and Challenges (Self-Inflicted):

Initially, I experienced anxiety due to the uncertainty of the situation I found myself in while waiting for the elevator to stop on the company floor. This highlights, in my opinion, the biggest piece of social engineering: the need for adaptability and quick thinking in real-time scenarios. I’d say this is also the biggest thing that holds people back from social engineering.

I would be lying if I said I am never nervous or scared before I begin any type of social engineering scenario, be it in person, over the phone, or even by email/text. I’ve learned a few things over the years, and the best piece of advice is also the simplest: be prepared. Let's go over some techniques to help calm those nerves before we continue.

Recognizing the Source of Anxiety

In social engineering, anxiety often stems from the fear of getting caught or failing to adapt to unexpected changes. Recognizing this allows you to prepare mentally for these scenarios: so what if you get caught? The point is that you are getting paid to do this, legally (if you have the “get-out-of-jail-free card” in your pocket, aka legal approval letter).

The way I sometimes imagine it is: I am acting in a play and my role is to make sure I don’t break character. My roles might also change on the fly, but I don’t need to worry about that until the moment presents itself. If that doesn’t help, then you should research some mindfulness and breathing techniques. Practicing mindfulness and controlled breathing can definitely help manage the physiological symptoms of anxiety... I just wouldn’t recommend doing it when in an elevator filled with people as you approach your social engineering target.

Scenario Planning

Before embarking on a social engineering task, envision various scenarios and plan your responses. This mental rehearsal can reduce uncertainty and improve your adaptability. I was doing this during the train ride and again in the elevator. I used to think too hard about it, and my reactions would be slower because of this. For example, when questioned and stopped during a tailgate, I would have hesitated while thinking of what to say. Instead, just imagining myself in the role for which I had developed the scenario always seems to keep me calm and collected, which in turn keeps whoever is confronting me calm and collected as well. Because of that, I don’t overthink it.

Improvisation Training

To help practice these techniques, I highly encourage engaging in activities that enhance your improvisation skills. Theater improvisation workshops, for example, are excellent for learning to think on your feet and adapt to changing situations. You can find these in most areas that have colleges or universities. Role-playing games, such as Dungeons and Dragons, are also a fantastic way to practice your improv skills. It might seem strange or difficult to imagine, but D&D is where I got most of my improv or “thinking on my feet” skills.

Familiarization with Environments:

If possible, familiarize yourself with the physical and social environment of your target too. Understanding common routines, dress codes, and social dynamics can aid in reducing anxiety and increase your adaptability.

I knew the building that housed the target company was a dress/suit/tie kind of place. If you haven’t been exposed to this sort of setting, then you should start. Get a decent suit; it doesn’t have to be expensive at all, and go for a walk in the city or out to dinner at some place nice with it. Find where the other dressed-up folks are sitting, walking, etc.

A massive tip is to have a basic understanding of fashion too, such as complementing colors and the do’s and don'ts of styling. This includes casual settings as well, just without the very fancy clothing. If your target company isn’t an office setting but a utility or construction setting, then I’m afraid you’re going to have to get the gear needed to “look the part” and maybe observe from afar or from a few online videos.

Behaviors and Social Engineering Tactics

Now let’s look at some behaviors and social engineering tactics that played a crucial role during this case study.

Tailgating and Blending In:

Stepping into the crowded elevator, my heart pounded with the anticipation of blending in with employees, waiting for one of them to exit on the target floor for me to follow in after them—a classic maneuver known as tailgating. The key here is observation. Just as a chameleon changes its color to match its environment, a successful social engineer observes and mimics the behavior, attire, and mannerisms of their surroundings. Notice the small details around you as you begin to blend in—the sway of their badges, the rhythm of their steps, the cadence of their small talk. These nuances are your camouflage.

  • Behavior: Initially attempted to blend in with employees to walk alongside them into the target office space, a common tactic known as tailgating.
  • Actionable Cue: To effectively blend in, observe and mimic the behavior, attire, and mannerisms of the group. Pay attention to details like badges, the way they carry themselves, and their routine conversations.

Creating Urgency:

In mentioning my fictional train to catch, I injected a sense of urgency into the situation. Creating urgency with a time constraint is a very useful psychological tactic: under time pressure, people tend to skip the regular checks and balances. The trick is to create a scenario so pressing that the person feels compelled to act swiftly. Sometimes, people simply want to be helpful too. This often leads to hasty decisions, playing right into your hands. Use urgency sparingly, but effectively; it's a powerful tool in swaying decision-making.

  • Behavior: Mentioning a train to catch created a sense of urgency, prompting quicker decision-making.
  • Actionable Cue: People are more likely to make hasty decisions under time pressure. Introduce a sense of urgency or a time-sensitive matter to expedite compliance.

Authority Transfer:

The moment Benjamin introduced me to Jerry, trust was implicitly transferred without a question asked. I’ve seen many aspiring social engineers completely overlook exploiting hierarchical structures. Being vouched for by someone of authority automatically endows you with a layer of trust and legitimacy. You should always be on the lookout for this opportunity. Don’t get me wrong, it usually presents itself in the moment. But understanding, being aware of it, and leveraging this dynamic can significantly ease the process of gaining access or information.

  • Behavior: Introduction by a higher authority figure to a lower authority figure transferred trust without the need for verification.
  • Actionable Cue: Leverage the hierarchical structure of an organization. Being introduced or vouched for by someone higher up the chain can automatically confer trust and authority.

Compliments and Rapport Building:

A simple compliment can go a long way. My casual remark on Jerry's watch was more than just small talk—it was a deliberate attempt to build rapport and lower his defenses. People are inherently more receptive to those they share a positive connection with. Establishing this connection, finding common ground through compliments or shared interests, makes them more amenable to your requests or suggestions. It's a subtle, yet effective tactic that softens the edges, making your presence less of an intrusion and more of a welcome interaction.

  • Behavior: Complimenting personal items like a watch created a friendly rapport, lowering Jerry's guard.
  • Actionable Cue: Compliments or finding common ground can quickly establish rapport. This lowers defenses and makes the individual more receptive to requests or suggestions.

Authenticity: The Keystone of Social Engineering Success

The mastery of tactics like tailgating, creating urgency, or even the subtle art of blending in, hinges on a far more foundational aspect: authenticity in your delivery. As we gear up for the next post that explores topics such as body language, information elicitation, baiting, and persuasion, it's important to understand that none of these strategies will work if they're not grounded in genuine interaction.

Think about it—at the heart of every successful social engineering endeavor is the ability to convince your targets that you're one of them, that your presence is natural, and your requests reasonable. This convincing isn't merely about the words you choose but how you deliver them. The faintest hint of insincerity, the slightest difference between what you say and how you say it, can be like a crack in a dam—inconspicuous at first, but potentially disastrous. People, especially those in professional environments honed by years of interaction, have a finely tuned radar for deceit. A fake tone, a forced smile, or an awkward stance can set off alarms, escalating suspicions and thwarting your objectives before you've even begun.

Therefore, as we get ready for the next layer of social engineering tactics, remember that the crux of these strategies lies not just in their execution but in the authenticity of your engagement. Making sure your targets last see you under pleasant circumstances, remembering you as a genuine interaction rather than a forced encounter, starts with meaning every word you say, or at least, seemingly so. This sincerity, or the perception thereof, is your secret weapon, enabling you to navigate through layers of skepticism and security. Stay tuned for part 2, where we'll unravel the threads of body language and other behaviors that, when mastered, can turn the tide in your favor, all while keeping your integrity and their trust intact.