Social Engineering: Exploiting the Human

Oh no, it's another blog post about social engineering, run away! lol. No! This post is about the way I personally approach social engineering, and the mindset you need in order to create new and unexpected methods of extracting information from a target.

Your goal is to get information from a target. The problem is that the target is not just going to hand you this information (though in some rare cases it will be that easy). How do you move the target from a state where it doesn't want to give you this information to a state where it will willingly hand it over? I think about it in terms of five steps:

  • Doxing:
    • Describing the profile of the target
    • Building the target's trust network
  • Infiltration:
    • Adding foreign agents to the trust network
    • Spoofing trusted information
  • Extraction:
    • Manipulation
  • Distraction:
    • Drawing attention away from yourself
  • Escape:
    • Leaving quietly
Each of these aspects must be mastered in order to extract information successfully. The key is to remain undetected and to always obscure your true goal. Your target must never know what you are planning. Keep in mind that you will need a flexible strategy, and that you must only interact with the target in ways that elicit manageable responses, i.e. don't rile up your target willy-nilly and risk your true goal being detected.

So let's talk about these five processes...


Doxing: stalking the target...
The process of doxing must be done first: all the information you need to impersonate, infiltrate and manipulate must be gathered long before you plan to actually attack. It gives you the means to build a picture of the target's trust network. This network details the people and information sources that the target trusts. For a person this is as simple as building a map of his or her friends and enemies, or a map of Twitter followers.

By trust I mean this: if the target responds to information from a person or source, we say that the target trusts it (it's really a question of authentication; the target treats the source as genuine). All we require is a list of information sources that the target has interacted with or will interact with. You will need to find a place in this network to influence the target from. We need to build the trust network because:
  • It helps us understand the target's defence mechanisms: what information keeps them safe? Which information sources stop them from becoming paranoid maniacs? It is these details that will be recorded in the trust network.
  • It provides a literal map to the target's trust zone: the part of the trust network that is trusted almost without question or doubt, i.e. family members, best friends, the butler!
  • The security of the target depends completely on the security of every other element in the network. The bigger the network, the more weak points it has.
(I suggest you read up on some graph theory. You won't need it for the purposes of this article, but it gives you tools that let you immediately recognise certain anomalies in a trust network. Yes, we can use abstract mathematics to infiltrate people's minds, lol. You can also write programs to find these anomalies pretty easily, provided you can write programs that build the trust network in the first place.)
Doxing is most easily done on the internet, where anonymity is easy to pull off. You can build trust networks using the following sources (these are mere suggestions; many more sources exist):
  • Twitter:
    • followers list
    • Tweets
    • Favorited/Retweeted tweets
  • Facebook:
    • Friends list 
    • Groups the target frequently posts to
      • this helps you build really huge trust networks, and the bigger the trust network the greater the chance of finding a weakness!
    • Liked items
  • LinkedIn:
    • The person's network, duh!
In general, any social NETWORKING site is a good source of information for building the trust network.

Building the trust network:

Building the network is pretty easy. We call an information source a vertex, and a line that joins two information sources an edge. There are a few stipulations to consider in order to build the trust network in a helpful way:
  1. The target is the centre of the network; every other information source is in the network because it is attached to the target in some direct or indirect way.
    1. in graph theory we call this the source/start vertex
  2. The number of edges between the target and an information source depends on the frequency of interaction between them. The more the target interacts with an information source, the fewer edges we need to travel to reach the target from that source. The same goes for every other vertex in the network.
    1. in graph theory we call this the distance (path length) from one vertex to the other
Obviously there will often be thousands of ways to build the trust network; you need to find the representation that most accurately approximates the way the target sees his or her own trust network. The closer you get to the target's actual mental image, the better you will be able to derive the target's thinking patterns!

Another point I must make: it is probably impossible to account for ALL the information sources that are trusted, because not all of them are real or tangible. There will be information sources that nobody besides the target knows about. Building the trust network is an optimisation problem: get the largest number of the most trusted information sources and build as rich a network as possible. By rich I mean not just family members, or just friends, or just family and friends; try to include websites, email servers, etc., so that the network is as rich in information-source type as possible. The richness of the network will allow you to build more unpredictable attacks.


Infiltration: finding a place to influence from
You will need to infiltrate the trust network and find a place to influence the target from.
Which information sources are most favourable to impersonate depends on your attack stance. You will be attacking targets in different emotional states and attitudes (ninjutsu calls these the Five Elements; social engineers call them the Five Weaknesses). My goal in any attack is to remain undetected, so my stance is a passive, subtle one. The information sources I favour are the ones that:

  • influence the fewest elements in the trust network:
    • i.e. a person that the fewest other elements in the network have in common
  • are as indirectly linked to the target as possible while remaining trusted:
    • the information source least likely to be discussed, or suspected of being impersonated
  • are easy targets themselves
You are now choosing an infiltration point. This means you are actually going to perform a smaller instance of your attack on one (preferably more) of the elements in the network (a typical property of an optimisation problem!). And guess what: if you have built a big enough trust network for the target, you have also built a trust network for every other information source in it. Pretty convenient, right? The more detail you have about everything else in the network, the more flexible your attack can be.
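To make the "Building the trust network" rules and the infiltration-point criteria above concrete, here is a small Python model. It is an added example, not the author's code. The interaction counts, the exposure scores, the trust radius and the scoring weights are all constructed for illustration; a real engagement would fill them from the doxing phase. One modelling choice to note: instead of literally adding more edges for less frequent contact, each edge gets weight 1/frequency, so a frequent contact is "closer" in Dijkstra distance, which gives the same effect as the author's rule 2.

```python
"""Build a trust network from interaction counts and rank infiltration points.

Added example, not the author's code.  The network, EXPOSURE scores,
TRUST_RADIUS and the scoring weights are assumptions made for illustration.
"""
import heapq
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (a, b, interactions per month), e.g. counted from
# replies, mentions and likes scraped during the doxing phase.  Undirected.
INTERACTIONS: List[Tuple[str, str, int]] = [
    ("target", "sister", 40),
    ("target", "best_friend", 30),
    ("target", "coworker_a", 12),
    ("target", "coworker_b", 10),
    ("target", "gym_buddy", 4),
    ("target", "newsletter", 8),
    ("sister", "best_friend", 5),
    ("sister", "cousin", 15),
    ("best_friend", "coworker_a", 3),
    ("coworker_a", "coworker_b", 20),
    ("coworker_a", "it_helpdesk", 6),
    ("coworker_b", "it_helpdesk", 6),
    ("gym_buddy", "trainer", 9),
]

# Assumed "easy target" score per source (0 = hardened, 1 = trivially spoofed
# or compromised); e.g. a mass mailing with no sender authentication scores high.
EXPOSURE: Dict[str, float] = {
    "sister": 0.2, "best_friend": 0.2, "coworker_a": 0.4, "coworker_b": 0.4,
    "gym_buddy": 0.5, "newsletter": 0.9, "cousin": 0.6, "it_helpdesk": 0.7,
    "trainer": 0.5,
}

TRUST_RADIUS = 0.2  # assumed: cumulative weight inside which a source is "trusted"


def build_graph(interactions):
    """Edge weight = 1 / frequency, so frequent contacts are 'closer'."""
    graph: Dict[str, Dict[str, float]] = defaultdict(dict)
    for a, b, freq in interactions:
        w = 1.0 / freq
        graph[a][b] = min(w, graph[a].get(b, w))
        graph[b][a] = min(w, graph[b].get(a, w))
    return graph


def distances_from(graph, start):
    """Dijkstra: shortest weighted distance and predecessor for every vertex."""
    dist = {start: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path_to(prev, start, node):
    """Reconstruct the chain of trust from start to node (the indirect link)."""
    path = [node]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return path[::-1]


def trust_zone(graph, target, radius=TRUST_RADIUS):
    """Sources the target trusts 'almost without question': within the radius."""
    dist, _ = distances_from(graph, target)
    return {v for v, d in dist.items() if v != target and d <= radius}


def rank_infiltration_points(graph, target, exposure, radius=TRUST_RADIUS):
    """Score every trusted source on the three properties from the text:
    few contacts in common with the target (nobody to corroborate), as
    indirect as possible while still trusted, and easy to attack itself.
    The 0.3/0.4/0.3 weights are assumptions."""
    dist, _ = distances_from(graph, target)
    zone = trust_zone(graph, target, radius)
    target_contacts = set(graph[target])
    shared = {v: len(set(graph[v]) & target_contacts) for v in zone}
    max_shared = max(shared.values()) or 1
    scored = []
    for v in zone:
        indirectness = dist[v] / radius            # 0..1, higher = more indirect
        isolation = 1.0 - shared[v] / max_shared   # 1 = no shared contacts
        score = 0.3 * indirectness + 0.4 * isolation + 0.3 * exposure.get(v, 0.0)
        scored.append((round(score, 4), v))
    return [v for _, v in sorted(scored, reverse=True)]


if __name__ == "__main__":
    g = build_graph(INTERACTIONS)
    d, p = distances_from(g, "target")
    print("trust zone:", sorted(trust_zone(g, "target")))
    for v in rank_infiltration_points(g, "target", EXPOSURE):
        print(f"{v:12s} dist={d[v]:.3f} via {' -> '.join(path_to(p, 'target', v))}")
```

On this toy data the ranking comes out as newsletter, cousin, coworker_b, sister, coworker_a, best_friend: the newsletter is trusted, shares no contacts with the target and is easy to spoof, while the best friend is the closest and most cross-linked vertex, so impersonating them is the most likely to be discussed and caught. The `path_to` output is the chain you would have to keep consistent (the cousin only reaches the target through the sister).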

Since you are impersonating an information source, chances are you don't have a lot of time to influence the target. The key is to impersonate as many information sources as possible, simultaneously, leaving the target unaware of the extent of the infiltration and with little chance of falling back on a legitimate source of information. Trap the target in an illusion (ninjutsu calls this hensojutsu, the art of disguise and impersonation) in order to manipulate its actions.

Extraction of the information

Manipulation is done by playing on the target's inherent psychological weaknesses. I list six basic ones here (they overlap with the five elements of the target in ninjutsu terms mentioned above):
  • Anger
    • Soliciting specific interaction by making the target angry at something
  • Sex
    • Soliciting specific interaction by seducing the target...ladies ;)
  • Hate
    • Soliciting specific interaction by playing on the hate the target has for something
  • Sympathy
    • Creating specific interaction by playing the sympathy card
  • Fear
    • Instilling paranoia and fear-driven reactions to create specific interaction
  • Laziness
    • Steering responses into specific interaction by letting the target lazily omit certain actions
How you achieve your goal through manipulation is up to you; all I detail here is which weaknesses are most successful at engineering an interaction from the target. A tip: try to find evidence of how the target has responded to a given situation in the past, and recreate that situation. Use the target's environment to create situations that provoke these weaknesses. If a weakness doesn't exist, you can use events like the following to create the emotion:
  • Insurance premium hike
  • "You've been hacked!"
  • Court summons
  • Loss of a Job
  • Death of loved one
  • Playing on desire:
    • Free music
    • Free Porn
    • Free Movies, etc.
  • and so on
Many more situations exist. You want to bait the target into responding a certain way, but do not simply throw this attack at your target: first establish trust, then bait them. Use distraction to remove suspicion from your attack, and at all times make sure the target is unaware of your true intentions. The target must never be aware of which information you are actually after, because once a target knows this, it will usually make a special effort to protect that information.
Some rules of thumb:
  • If the target is aware that it is being attacked:
    • convince the target that you are incapable of performing a successful attack. Make the target underestimate you, and trap it the moment it becomes convinced of this falsehood; you may then attack the target as though it were unaware.
  • If the target is unaware:
    • give the target the means to stay convinced: impersonate more than one source. Create shills (objects involved in a con that help convince the target, or accelerate their buy-in to the situation). For instance, don't just pose as the HR department; send another email impersonating a friend of the target, discussing the legitimacy of the original message. This gives you two routes to the information. You could also pose as both an attacker and an ally and play the game to benefit from both roles while remaining undetected; this is an excellent example of how distraction works.
After applying these methods you should either have created many situations in which you will be able to solicit the information, or already have the information. You now need a way to escape while remaining undetected.


Distraction and escape: leaving quietly
You need to leave the trust network as unsuspected as you entered it. Some people don't believe this is important, but to me remaining undetected prolongs the usefulness of an attack and creates targets that are recyclable (we can always come back and use them for other attacks). How do we leave without being suspected or detected?

One method is to make the target believe that someone else in its trust network is the perpetrator: framing someone. This way you focus the target on one information source. Chances are the target will consult other information sources, so plant your seeds early in expectation of this. To do this successfully you need to plan it from the very beginning. Start feeding suspects to the target right from the start; this also serves as a distraction, drawing attention away from the elements in the network you are actually impersonating.

Please read through this article a couple of times and build yourself a playbook, because more important than actually attacking people or getting target practice is developing the skill to create effective attacks.

The problem of infiltrating the trust network depends on infiltrating the smaller trust networks that exist inside it. It's really a dynamic programming problem! My advice is to plot your attack by planning from the end: decide what the final action of your target must be, and backtrack until you find a way to start.

I hope you enjoyed this! More articles to come. Some critically suggested reading:
  • Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques, by Thomas Wilhelm and Jason Andress