There are many essential skills required to be successful at social engineering, and one we have mentioned before but never really gone into is Pretexting. The easiest way I find to describe a pretext is to consider the motivation for an actor. When you see interviews with actors about their latest film and how they got into character, you will hear them talking about how they met with real-life examples of their character, visited places they worked, stayed, etc. All of this is to enable them to get into the mindset of the role they are playing: what was their background, what did they experience in their life, what was their personality, their approach in life, and what made them into the person they are today. They will also understand how they literally walk and talk, the body language, how they present themselves (clothes, style, attitude). This is what a pretext is for a social engineer: reaching a position to live, breathe and feel in character for the position they will be looking to imply in the context of the social engineering engagement they are due to perform.
With all the power of the Interwebs, the effort of understanding the individual or type of character is greatly reduced, but to be successful it isn't just a case of reading a bio and job done. It really is important to take time to fully understand and visualise what it would be like for you to BE this character, because if you are to pull off the act successfully in a challenging situation you don't want to be pretending, you want to BE. This might seem odd, as of course you are you, and you are there on a Pentest or some other form of activity, but if you think like this and someone really challenges you on why you are doing something, you will get flustered, become unstuck, spill the beans and hand over your get out of jail free authorisation letter. However, if you are acting out your pretext the result would be different: you are not the Pentester, you are Bob the Head of Finance for ACME Inc, and when Bob is challenged by someone at reception, or any member of staff, he is not fazed, as he would hope staff check people they are not familiar with, and would support it, but be very clear he is in a position of authority and should be treated accordingly.
A nice example of this is what happened to me on a physical engagement last year. The gig was going well, we had gained access to all but one of the objectives and were hunting around the facility to find its location. During the hunt we were approached and questioned by a facilities member of staff, they kindly asked what we were doing and what we were looking for. So I asked them where the location we were looking for was 🙂 (You don't ask, you don't get). As this was a semi-sensitive location they were unsure and this was obvious, so I confirmed, without him needing to ask, why we needed to go there and what we had been doing. All of this information was part of our devised cover story and formed some background of the pretext. Then he decided it would be best to call the facilities manager. OH SHIT 🙂 So now we crap ourselves and hand over the letter, gig is up?? Nope. I encouraged him to call the guy, in fact it would be good to meet him anyway, so he continued his call … “I have a couple of guys here who say they are X + Y and they need to go to Z”, few pauses, “OK I will take them there and you can meet us there? Sure. Sounds good”. You might think this is crazy, but remember why wouldn’t we want to meet the manager if it was legitimate? Anyway, so the facilities guy, who was very busy when we encountered him, started to escort us through the building to our final objective and a meeting with the facilities manager. Cut a long story short, I had a good chat with him en route, shared some empathy around the mountain of work he seemed to have, and when we arrived at our location and the manager wasn't there, suggested we could wait here whilst he gets back to his work. He wasn't sure, I agreed it might be best to wait with us, but I would understand if he needed to get back to it, and he did 🙂 We waited about 2 mins, then went walkabout, now knowing where our final objective was for later.
What I am trying to confirm above is that if you have done your homework, and are fully acting out your pretext, you can push the boundaries further until they crack. Sure, you might eventually get untangled and rumbled, but it gives you a lot more wiggle room. You will probably be running on adrenalin at this stage, and in the mental oh shit, oh shit loop, but if you have your motivation right you just need to rely on your skills. Essentially you are misdirecting from the issue at hand, and manipulating the situation to give yourself some options.
Below is my tip list on putting together your pretext, but regardless, have fun with it and experiment.
- Keep it simple. The more complex you make it, the more stress you put yourself under, and this will make things less fluid.
- Room to maneuver. Have multiple paths you can take with your pretext. If you have kids, who are they, interests, etc.
- Don't reinvent the wheel. Regardless of your age you have a lot of life experience, include some of yourself in your pretext.
- BIG BECAUSE. Remember to have a logical reason for what you are doing. Having a reason goes a long way to implied acceptance.
- Visualise. Mentally go through possible character interactions. How will you respond, where will that lead.
- Accents. If you can't do them, DON'T. If your accent doesn’t match your pretext, change it, or have justifiable reasoning why it doesn’t.
- Accessorise. If your character should have certain accessories or props, have them with you. It completes the picture and reduces doubt.
- Ad-lib. Be prepared to go off script if things get messy. However, keep in context and refer back to your pretext.
- Context is key. Use your OSINT to help formulate your pretext. If the company don't have water coolers, being the water cooler guy is FAIL.
I hope this information was of some interest, and will help you in your next authorised social engineering assessment.