::::::::: :::::::: ::::::::: :::::::::: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ +:+ +:+ +:+ +:+ +#++:++#+ +#++:++#++ +#++:++#: :#::+::# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+# #+# #+# #+# ######### ######## ### ### ### http://blacksun.box.sk ____________________________ ___________________I Topic: I_____________________ \ I I / \ HTML, I Social Engineering I Author: / > Forbze I I < / I____________________________I Forbze \ /________________________> <_______________________\
Before I start this tutorial I would like to say something, This topic is a very talked about topic, and I have tried my best to include all that I can, If you cant think of anything better than to flame me for writing this then please don't bother, if you think you can do better, why dont you write a new tutorial on this and we'll gladly upload it.
Welcome to my tutorial. In this text I will try to explain some of the techniques used while trying to social engineer somebody. This will apply to computer chat, phone conversation, and also just day to day life.
what is social engineering?
Basically, social engineering is the art and science of getting somebody to comply with your wishes. It is not a form of mind control, it will not allow you to get people to perform tasks wildly outside their normal behaviour and it is far from foolproof.
It also involves a lot more than simply quick thinking and a few selective accents. Social engineering can involve a lot of groundwork. Like normal hacking, Social engineering needs prior preparation, and the majority of the work goes into this, rather than the actual attempt it self.
Social engineering concentrates on the weakest link of the computer security chain, humans. It is often said that the only secure computer is an unplugged one, even this comment is untrue. It is possible that you could talk somebody into plugging it in and switching it on.
It is also important to note that the human link in the security chain, is the most important one. There is not one computer system in the world that don't exist with out human interaction, and unlike a normal exploit, this vulnerability is universal, independent of platform, software, network or hardware.
Anybody with access to the system physically or electronically is a possible threat. This means that even people not normally included in a security policy could be involved.
It is impossible to obscure the fact that humans use the system or that they can influence it, because as I stated before, there isn't a computer system in the world that does not use human interaction as a part of it.
Almost every human has the skills to attempt social engineering, the only difference is the amount of skill used when making use of these tools.
Some of the tools are going to be explained below here, and we make note that these are not foolproof skills, and that common sense is the most important tool that you will ever have.
The first "skill" and most obvious is simply a direct request, where the individual is asked to complete your task directly. Although least likely to succeed, this is the easiest and most straightforward method. The individual knows exactly what you want them to do.
The second is to create a fake situation, which the individual is simply a part of. With more factors than the individual concerned it is more likely that you will succeed, because you create reasons for compliance other than simply personal ones. This involves far more work for the person making the attempt at persuasion, and most certainly involves gaining extensive knowledge of the 'target'. This also does not mean that the whole social engineering operation needs to be all lies, the best operation will be one where the facts are more truthful than lies.
One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sys-admins excel in, especially in there own field of expertise.
Another thing that you can use against somebody is the notation of conformity. It is possible to make somebody to "conform" with the group, even if they know that the decision is wrong, eg. Have you ever been in an assembly/class and the teacher asks a question, eg. Who here has smoked before? When the majority of the class puts their hand up the odd others that haven't tentivally put their hands up so that they do not get looked down upon by their peers.
That is just an example of the extent that people will go to just so that they don't loose face with the friends/ work companions.
Using situations where the person is more likely to go with the flow is a effective way to social engineer them.
However most social engineering attempts are done by lone individuals and so the social pressure and other influencing factors to be constructed by creating a believable situation that the target feels emersed in are less effective.
If the situation, real or imaginary has certain characteristics then the individual is more likely to comply with your requests. Following this paragraph they are listed.
Diffusion of responsibility away from the target individual. This is when the individual believes that they are not solely responsible for their actions.
A chance for imagination. Compliance is more likely to occur if the individual believes that by complying that they are ingratiating themselves with someone who may give them future benefits. Getting on the good side of the boss is surely going to have some benefits hey?
Moral duty. This is where the target complies because they believe that it is there moral duty to. Part of this is guilt. People prefer to avoid guilty feelings and so if there is a chance that they will feel guilty they will if possible avoid this outcome.
On a personal level there are methods used to make a person more likely to cooperate with you. The aim of persuasion is not to force people to complete your tasks, but enhance their voluntary compliance with your requests.
Basically the target is simply being guided down the garden path,:P. The target believes that they have control of the situation, and that they are exercising their power to help you out.
The fact that the benefits that the person will gain from helping you out have been invented is irrelevant. The target believes they are making a reasoned decision to exchange these benefits for a small loss of their time and energy.
There are several factors, which if present will increase the chances of a target co-operating with a social engineer.
The less conflict the better. Co-operation will be readily gained when the softly-softly approach is used. Pulling rank, annoyance or orders rarely work for effective persuasion.
Psychological research has also shown that people are more likely to comply with your wishes if you have dealt with the same person before. Before trying the 'big hit' try requesting smaller and more reasonable requests. This way they will be more compliant to your needs.
When attempting a social engineering hack, the more sensory detail you can provide to the target is better. A person would be more compliant to your needs if they can See and smell you as well as speak to you, it is often difficult to get some one to comply with just a simple phone call. However these days the possibilities are great because of the fact that so many businesses are on the net. Another point I am going to make is that it is often impossible to persuade somebody using ASCII chat or e-mail. Ever tried Social Engineering some one on IRC?
The main thing I can tell you is don't try Social engineering people with higher authority than the made up person you are using, for instance, don't try to Social engineer the sys admin as we all know he's more competent than you are, Especially on his own network.
Remember before attempting to social engineer somebody, you have to do some info searching on that particular person. I have known people to read over people's shoulder when a person was typing on the phone just to gain knowledge on the targets lifestyle and friends. Another aspect of what people will go to just to find out information on people is to watch as they type in their Credit card and ATM pin numbers. Some even go to the extent as to watch from windows across the road with binoculars to see these numbers being punched.
Ever sat in computer class and called to your teacher to type in some sort of password, which you conveniently watch over his fingers on the keyboard as he punches in this innocent request. This is the sort of ways social engineering can be taken into life, I have often used skills described in this tutorial just to nock down prices on goods at a local market.
When looking for information on a Target, you want to consider going Dumpster diving, or trashing as it is sometimes called. On these outings remember to take a sturdy pair of shoes, gloves and a torch (preferably with red filter), Bolt cutters may come in handy too! Oh and remember to cover yourself up! In these outings you can often find employee names, phone numbers, account details, amongst the mounds of IT treasures.
One technique to use on a target is to pretend you're an employee of another company doing surveys for a hardware company, if you choose to follow this line of attack, have the questions lined up, and make sure you take time as if you were writing down their reply's.
Any information gained from these phone calls can be used, Information on the companies firewalls, routers or servers could be used for further attack on the companies Website.
So now you have some of the skills that it takes to become a good social engineer, but remember like I said at the start of this tutorial, the most important tool of common sense out weighs any of the skills in this text.
Even major companies can be social engineered, an example of this is an AOL employee who was having a Tech support session, during which the hacker mentioned he had a car for sale, at a very good price, and the techie was interested. Of course the hacker sent the techie a pic of car, binded to the jpg was a trojan, which enabled the hacker to get into the internal network.
So remember anything is possible with the right incentive, you just have to please the person's senses.