FSFlow – A Social Engineering Call Flow Application


FSFlow is a Social Engineering Call Flow Application, which was created to improve and standardize social engineering calls. It’s a difficult thing to do, conversations can go almost anywhere over the span of a phone call which makes defining a specific process hard, if not impossible.

FSFlow is mostly a proof of concept tool but it’s fully functional, it’s an interesting tool and an area which not many people have thought about or looked into. Social Engineering is part science and part art (charisma and charm helps a lot), so a tool like this helps a lot especially in creating repeatable social engineering tests.

FSFlow - A Social Engineering Call Flow Application

It’s based on the concept of the call flow software that is involved in most telemarketer jobs. Nearly everything that they say is presented to them on a screen in front of them, and they would navigate through a process flow as the call progressed.

Judging User Response

One of the major pains with designing an application like this is judging the response of a user. You can never predict the user’s exact response so the measure of the response needs to be somewhat abstracted. The approach here is to identify if the user’s response is positive or negative. For instance, if you say “Hi, How are you?” and they say “Great!” – that’s a clearly positive response, while “What do you want.” is a bit more negative. Similarly, if you ask someone “What is your password?” and they provide it to you, that would be positive, while anything else is likely to be negative.

The difficult thing here is that many user responses aren’t easily categorized as negative or positive; perhaps a sliding scale would be more appropriate – but that would create tons of possible branches, making a complete call flow impractical.

Logging

Another hugely important part of FSFlow is to capture how the call progressed. The call log records how the call progresses and what information is obtained at what points in the call flow. You could potentially use this information to determine where users need more security awareness training – e.g. every user was willing to disclose their IP address, but only some gave their password or even when asking this specific question, users got suspicious and ended the call.

The Interface

FSFlow’s interface is meant to be as simple and straightforward as possible so that the caller is not overwhelmed or distracted during the call.

The first release resulted in 4 major areas: the statement pane, response pane, objectives and call variables:

  • Statement Pane – The statement pane is the actual wording the caller says during the call. This is your social engineering attack. The important thing about this pane is that the wording is clear and easy to read aloud. You’ll notice in the screenshot above that there are placeholders, e.g. “[TARGETNAME]”, this are call specific variables that are populated once you populate the Call Variables pane (described below).
  • Response Pane – Directly under the statement pane is the response pane compromised of the “Negative Response”, “Positive Response”, Busted” and “Recovery Mode” buttons. Each of these buttons progress the call to the next flow state. The “Recovery Mode” button is meant to gently direct the call to an end without aggravating the callee. The “Busted” button is more of an “Ok, you got me” response where you let the callee know that this is a social engineering call, they should contact the point of contact for the company (the person that hired the caller), and to please not tell the coworkers of the test :)
  • Objectives – The Objectives pane is where the caller can log what elements of information they’re able to obtain during the call.
  • Call Variables – Call Variables customize the flow to each individual call. Before the call starts, the caller populates these variables so that the placeholders in the statement pane are replaced with pertinent information. It also serves as a reminder to the caller to who they are pretending to be!

The Call Flow

Thee most important component of FSFlow is its XML based call flows. The idea behind the call flow is that they could be easily shared to be improved and make standardized attacks. Let’s look at sample.xml that’s included with the application.


The entire call flow is included within a block which takes one attribute, name. Within the CallFlow block, you have Objective, CallBlock, and FlowBlocks.

Objectives

Defining objectives is pretty straightforward:

CallBlocks

A CallBlock is effectively a container for an individual statement. These statements are then linked together within the FlowBlock below. Place holders can be anything you’d like, as long as they’re wrapped in brackets. FSFlow analyzes the flow on start up to populate the “Call Variables” pane.

The “Busted” Call block is a static value used throughout the call:

FlowBlocks

The FlowBlock links together individual CallBlock and ties them to buttons.

You can download FSFlow here:

fsflow-0.1.2.zip

Or read more here.

Posted in: Social Engineering


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


Comments are closed.