Social Engineering
Author: mitnickjr
Submitted: 13-Jul-2004 21:28:30
Imported From: zZine (original author: MitnickJr)
Social engineering in short is to trick someone into giving you sensitive information, for example a password. This involves using your brain and cunning, referred to in social engineering as "wetware", rather than using any hacking/cracking software.
1. Before We Start
1.1 Disclaimer
1.2 About This Text
2. Introduction
2.1 What is Social Engineering?
2.2 Why is it so important?
2.3 Case Study: Kevin Mitnick; The greatest Social Engineer of our times?
3. A Psychology Lesson
3.1 Introduction
3.2 Making a situation
3.3 Persuasion, Co-operation and Involvement; the key to success
4. Trained to Lie
4.1 Introduction
4.2 Reading/Watching Material
5. Methods
5.1 Phone
5.2 Mail
5.3 Internet
5.4 Dumpster Diving
5.5 In Person
6. Phone
6.1 Introduction
6.2 In Regard To Phreaking
6.3 Equipment
6.4 Doing the Job
7. Mail
7.1 Introduction
7.2 Equipment
7.3 Sweepstakes Forms
7.4 Doing the Job
8. Internet
8.1 Introduction
8.2 In regard to Hacking
8.3 Equipment
8.4 Doing the Job
9. Dumpster Diving
9.1 Introduction
9.2 Things to look for
9.3 Things to remember
10. In Person
10.1 Introduction
10.2 Pulling the Stunt
11. Putting the jigsaw together
11.1 Short Outline
12. Reverse Social Engineering
12.1 Introduction
12.2 Sabotage, Advertise, Assist
13. Links
13.1 Helpful URLs
13.2 Bibliography
1. Before We Start
1.1 Disclaimer
This document only explains how social engineering works and the different methods of social engineering. It is here ONLY for educational purposes and if used in the wrong way Broken Mirror Software, project tsunami, its members and its hosts hold no responsibility whatsoever for your actions.
We have placed it here only as a means of education and research.
1.2 About This Text
This paper may not be 100% correct due to it being written within 3-4 hours. My information is based on many other texts/articles I've read, but I have NOT ripped anyone off. This text is original, and I have not so far seen any one as in depth as this one, other than the book by Kevin Mitnick, THE ART OF DECEPTION. If you think not then please e-mail me: webmaster@brokenmirror.5u.com. DO NOT try anything stated in this text until you've read it in full, i.e. from beginning to finish, and even if you do try anything, I am not responsible for your actions or mistakes. If you want to reproduce or duplicate this article then please do, without making any changes and giving credit where it is due, but e-mail a link to: webmaster@brokenmirror.5u.com, so we can keep track of any changes, or if this text is updated (as it has been on several occasions) we can contact you with details of a newer version. Please keep this section of the paper unchanged.
2. Introduction
-------------------------------
2.1 What is Social Engineering?
-------------------------------
Social engineering in short is to trick someone into giving you sensitive information, for example a password. This involves using your brain and cunning, referred to in social engineering as "wetware", rather than using any hacking/cracking software. This can be very easy to do and can be used to great effect, even against companies who spend millions on their network security, but pay very little attention to their employees who have access to sensitive information and the ability to open up holes in the system without knowing.
---------------------------
2.2 Why is it so important?
---------------------------
Social Engineering is fast becoming the lost art of hacking. Essentially not all passwords and computer access can be gained from a computer in your bedroom; you have to get off your backside and actually do something if you really want to get past a company's computer security. Hacking is fast becoming harder and harder as most newbies on the hacking scene stick to the programs of others, a major example being Sub7. There are also countless useful documents present in company filing cabinets and other storage units, i.e. they cannot be hacked. One thing a company can never protect against is a person using his cunning to get information from within the building, via another person; this can be anyone from the hacker himself to top level network admin. I'm not saying all you need in becoming a hacker is to know about social engineering and using it to your advantage; social engineering should be used with a combination of other hacking methods to successfully carry out a complete hack.
---------------------------------------------------------------------------
2.3 Case Study: Kevin Mitnick; The greatest Social Engineer of our times?
---------------------------------------------------------------------------
Kevin Mitnick is possibly the most widely recognized social engineer of our times. He used his skill to great effect, showing that social engineering can be very important if you attempt to infiltrate a company. He was however involved with a scam on "Nokia Mobile Phones Ltd", alongside a Lewis De Payne, who was also convicted alongside Kevin Mitnick. De Payne specifically admitted to authorities that he posed as a Nokia employee and attempted to convince Nokia personnel in Florida to ship a computer program worth approximately $240,000 to Southern California. Of course this may seem almost impossible, but these two hackers showed the world that anything is possible; no matter how much technological security you have, no one can help themselves if they are manipulated by someone on the other end of a phone line, e-mail, or letter. It is said Kevin Mitnick used 85% social engineering and 15% hacking from a computer. But they also showed that if caution is not taken when hacking the consequences are dire; Kevin Mitnick was given a jail sentence lasting almost 4 years with 3 years away from computers after his release, and profits from any form of books or media which he writes or partakes in, which are based on his computer activities, must go to his "victims". Lessons should be learnt from his work: not only is social engineering possibly the hacker's most powerful tool, but also if it is not used with extreme caution the consequences may be dreadful. However, it is widely believed that Kevin Mitnick didn't deserve the sentence he received. The charges held against him were over-exaggerated and distorted. He simply had a desire to learn and to explore, 2 traits which are becoming rare in the hacking community.
+-+-+-+-+-+-+-+-+-+-+-+
3. A Psychology Lesson
+-+-+-+-+-+-+-+-+-+-+-+
----------------
3.1 Introduction
----------------
Psychology is all about understanding how the human brain works. It is important because in understanding the way the brain works, we can learn how to manipulate it, the same being with a computer. So we come to the point where we learn how to make the other person work to your advantage by creating situations and pressure for them to conform to your way of thinking.
----------------------
3.2 Making a Situation
----------------------
To make the target comply with your requests you must make certain circumstances so the target will act predictably.
- Make the target think he will not be responsible for whatever you are asking him/her to do. Make them think there is a larger group who will suffer if they do not comply, this will create social pressure and will cause them to comply with your requests, the psychological term for which is "Conformity".
- Make the target think of their own benefits more than your benefit from their compliance, for example, they may get gratitude from a larger group of people lower or above their rank in the company, or they may get on a better note with the boss.
- Make the target think about how they're helping you. Make it seem like their moral duty, make yourself sound a little helpless, and in need of help. Everyone hates guilty feelings.
---------------------------------------------------------------
3.3 Persuasion, Co-operation and Involvement; The key to success
---------------------------------------------------------------
In order for your target to comply they must think they have the upper hand, so the following things will be you 'guiding' them;
------------
- Persuasion
------------
When persuading the target you must make them think they are making a controlled decision in giving you the information you require. They must think they are giving you information voluntarily with 100% free will. You must make them feel sorry for you, and so they will give you the required information thinking about not only their own benefits, but about helping a fellow employee. You must guide the person into thinking they are making a thought out decision in exchange for small time and effort on their behalf.
--------------
- Co-Operation
--------------
To gain co-operation from the target you must not appear to be overpowering. Do not annoy your target or your social engineering may be over for that company; make yourself appear to be from a lower rank or of equal rank in the company, in need of help from a co-worker. Try to work your way slowly, i.e. phone with a small request first, something almost, but not quite, irrelevant. Then phone later and ask for a larger request, using the same identity. Psychological research has shown that there is a higher chance of compliance if the person in question has complied previously to a smaller, more subtle request.
People also find it easier to give information to a person they can see, i.e. you go to the target and physically ask for the required information. It is easier to say no to a person over the phone or by letter than when they are present in person.
-------------
- Involvement
-------------
You must think about just how involved the target is to the company. Based on this you can base your arguments for persuasion. For example a person who will be more involved, and so may receive the brunt of any mistakes, will consider and analyze your arguments, and so you must have strong points and counter points to avoid any doubt in their minds. This will be people like Admin, technicians, and anyone else whose job relies on using the computer system as a main resource. They will always consider the possibilities of any mistakes, they will think of counter points, even if they do not voice them. Remember; do not allow any doubt to be created in their minds!
A person less involved in the company's computer infrastructure will think little about any repercussions of any information wrongfully given. They will not think about whether your points are valid or correct; they will simply look for a substantial number of arguments for your requiring the information that you do.
+-+-+-+-+-+-+-+-+
4. Trained to Lie
+-+-+-+-+-+-+-+-+
-----------------
4.1 Introduction
-----------------
Social engineering is all about lying. You must be a convincing liar, with which comes many needed skills. To pull off a successful social engineer job you must of course rely on psychology, however, even if you study it backwards and plan dialogs, you must know your story backwards and come up with backup plans and counter measures. In essence, you must _become_ the person you are pretending to be. You must practice, for example, sit down with a friend and try to convince him you are someone, talk normally to someone you know, then lie to them about something, and then ask them if they picked up on the lie, if they did ask why, take notes. You must defeat any changes in facial expressions and changes in voice.
-----------------------------
4.2 Reading/Watching material
-----------------------------
Watch:
Hackers 2 - Operation Takedown; This film is about the work of Kevin Mitnick, from his early days of major hacking/social engineering to the day he got caught. However, I'm not totally convinced the movie is totally factual as to what really happened, but it is "based" on the true story. The reason I recommend you watch it is because you can learn a lot about social engineering from watching the character portraying Kevin Mitnick, social engineer as he apparently did.
Read:
Bernz - Read texts written by Bernz. He has a whole load of texts from which I've learned a lot about Social Engineering.
+-+-+-+-+-+
5. Methods
+-+-+-+-+-+
There are four main methods in social engineering. Phone, Mail, Internet and in person. In this section I will go through a basic introduction to each method of social engineering and in the following sections I will go through details as to how each method is carried out with tips and tricks you can use. Remember, this is only my opinion of each type of social engineering so don't hesitate to adapt to your situation:
---------
5.1 Phone
---------
Phone social engineering involves you phoning your target and tricking them into thinking you are either someone high up, or lower down, in a company or if they are a home user you are verifying their account details. You will need to be a fast thinker, a sweet talker, a good liar and of course have some knowledge of the target and the person you're pretending to be.
--------
5.2 Mail
--------
Mail Social Engineering is mainly used to gain information on your target or a range of targets. You will need to make your letter/form look professional. I recommend programs such as Adobe PageMaker and QuarkXPress. You need to remember that they should be conned into writing back. Methods such as sweepstakes, unclaimed prizes, etc, work a treat. Final demands for billing payments also work great, but will require prior information of the target, i.e. who he/she will pay his/her bills to and other relating details.
------------
5.3 Internet
------------
Internet Social Engineering can be seen as a form of hacking. However there is a significant difference between this form of social engineering and hacking. In hacking you are manipulating and finding holes in computers and networks, in internet social engineering you are manipulating and finding holes in the mind of your target. This can be something like talking a person into giving you their password by making them think you are someone big, for example, a very classic trick is to make your target think you are their e-mail service provider administrator and require confirmation of their details.
-------------------
5.4 Dumpster Diving
-------------------
Dumpster diving is essentially looking in the target's dustbin for information concerning the target. Important things to look for are company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware. These act as a jigsaw puzzle, and when put together can be used to create the identity you will be using against the company.
-------------
5.5 In Person
-------------
This is THE riskiest form of Social Engineering. Getting caught can possibly end in a jail sentence, depending on what country you're in. This type of Social Engineering involves you basically walking into your target's building (this applies mainly to big companies) and making them think you were sent to check their systems for any faults, or something along those lines. This type of social engineering takes a lot of learning and a VERY fast mind.
Social engineering in general is very dangerous and can end in hefty jail terms, depending on your country. However, it can be used to great effect and is very rarely detected as very few people try it on large organizations.
+-+-+-+-+
6. Phone
+-+-+-+-+
----------------
6.1 Introduction
----------------
Social Engineering via telephone simply requires a phone and a person. Of course the person will need to be quick witted so as to outsmart the target. It tends to get more complicated but this is the general idea of this kind of social engineering.
--------------------------
6.2 In regard to Phreaking
--------------------------
Phreaking can be involved in this as making calls may be registered on your bill, i.e. will be proof for authorities if you get caught, and it will of course cost you. Try using a secluded phone box, so that there is no background noise. 'Boxes' can be used for free phone calls, such as the 'blue box' or 'red box'. Remember that these will only work to your advantage, making trace backs to you harder for the authorities.
-------------
6.3 Equipment
-------------
The most important equipment in this kind of social engineering is what is known as wetware. You may be put on the spot, asked awkward questions, so plan in advance as to who you are pretending to be and what kind of questions relating to this you may be asked.
A phone is obviously required. The phone should be good quality as it will be hard to believe someone with a fuzzy phone is working as part of a company. Avoid phone boxes and try to call from an office, i.e. to make it sound more professional. If you do use a phone box make sure it is secluded so as to make sure there is no background noise from passers-by and traffic.
Voice changers will help you a great deal. They can give you a deep voice, like that of a grown middle aged man or a higher pitched voice, like that of a young woman. Of course being a woman helps when trying to get passwords off network admin as most of them are men (I'm not being sexist!) and so a few chat up lines won't go amiss, with which they can be lulled into a false sense of security and so will hand over passwords more easily.
-----------------
6.4 Doing The Job
-----------------
Know who you're targeting and if possible other information about the target. For example, if you intend to target a school, try to know a little bit about the staff, find out how to get in contact with people such as admin via the phone, i.e. know the right extension numbers if they are required. The best thing to do would be to impersonate a person (in this case a teacher) who hardly ever comes into contact with the person giving you the required information. This way the admin won't know any better. This will take research, but it's better to do it all in one job rather than making mistakes and ruining your chances.
Use a voice changer and if possible try to impersonate a woman (unless you are a woman) as I've already mentioned this will lure the target in.
Make sure you have some details of the user of the account you're trying to gain access to. User name, e-mail address, home address, date of birth, social security number, etc. Anything classified under "Personal Information". They will get suspicious if you do not pass this stage and you may blow your chances of breaking into that network forever as security may be tightened. Do not social engineer without sufficient information of the person you are impersonating. Observing the person you are attempting to be is a great help. Learn to speak like them, laugh like them, etc. This will add greater depth to the illusion and will only work to your advantage. Try calling them, and pretend that you called the wrong number. You could even pretend to be someone such as a telemarketer and try to talk to them for as long as you can. Take notes if necessary, pick up small things such as a lisp, a particular accent, and words they keep repeating, such as "like". The things to learn at this point are endless but are also very important as it WILL work to your advantage. Refer to the '3. A Psychology Lesson' for details of making your target vulnerable.
Once they believe you anything is possible. Try to get anything you can out of them, telnet numbers, password, etc; but do not ask too much as suspicions will be raised.
Remember: Impersonating someone counts as fraud and if caught there is a hefty penalty. Do not say you weren't warned. We take no responsibility for your actions.
+-+-+-+
7. Mail
+-+-+-+
----------------
7.1 Introduction
----------------
Social Engineering via Mail is mostly used as a way to get information about the person you want to impersonate. It's a great method because sending Mail is cheap and obviously used by everyone. This is in a way similar to the telemarketing scam we spoke about above; it is a means of getting information about the person you want to impersonate so that you can use it if you are asked for verification when phoning your target. People generally respond to promises of huge amounts of money without them actually having to do anything other than fill in a form. So it's best to try and use a 'Prize Draw' method where you make them fill in a form, which you should make on computer using software such as Adobe PageMaker and QuarkXPress, which contains details you think you may be asked about during verification of your identity. They will generally give you any details you want, but don't ask too many questions in case suspicions are raised as to how genuine the form is. For this reason we will go into the 'Prize Draw' method of getting the required information from the person you are impersonating.
-------------
7.2 Equipment
-------------
You need envelopes, stamps and address labels. You also need publishing software which will make your letter/form look more professional. I recommend Adobe PageMaker 7 and QuarkXPress, available on P2P software such as Kazaa. Also organize a return address, try to use a "P.O Box" number to make it look more professional. This can be done at your local post office. Sort out a logo and name for your 'Prize Draw'.
---------------------
7.3 Prize Draw Forms
---------------------
Look at your junk mail and pull out prize draw forms and using them as a sort of template design your own Prize Draw form. Maybe scan it in and edit it on your computer? The choice is yours but it IS worth going to such trouble. Remember that the more concise and visually attractive ones, asking for the most important details are the best. Make everything you can as professional as you can, fonts, colors, wording, etc. Ask for a password, saying that you need to verify it is the right person when you phone, with details of their winnings. Hopefully the person will be a little thick and will give the same password as their account password.
Remember to add class and originality to the form so that they want to fill out the form.
-----------------
7.4 Doing The Job
-----------------
Try to make it look like a mass mailed prize draw. This part crosses over into dumpster diving. Look in your target company's Bins and Rubbish for any letters sent out to employees, for any phone books containing names, numbers and addresses of employees of the target. More than likely, they will chuck these out without a second thought. Then from this select anything from 10 to 100 employees. The more people you send the form to the better because not everyone will reply. This way you choose the one which is most likely going to be a successful job, because for example they have given you the most (realistic looking) details, and then use them however you will.
+-+-+-+-+-+
8. Internet
+-+-+-+-+-+
----------------
8.1 Introduction
----------------
Social Engineering via the internet is possibly the easiest. It's risk free if you know how to stay anonymous and it can be as easy as talking to someone in a chat room. The classic examples would be to pretend you are a member of admin, or someone of that authoritative stature.
------------------------
8.2 In regard to Hacking
------------------------
Hacking and social engineering via the internet are different in their own respect. Hacking involves finding holes in computer security whereas social engineering finds holes in wetware, people's minds. However, social engineering and hacking cross lines, as is with phreaking, when you try to finger accounts, infiltrate networks scouring for information on users and when finding someone who rarely uses their account.
--------------
8.3 Equipment
--------------
Well the only real piece of equipment you need is your computer and your own mind. You have to respond as fast as you can. It is also best to try to use a temporary ISP because occasionally you might run into someone who knows what you're up to and might try to report you. Try a free small scale ISP, who will bother less about sorting you out.
-----------------
8.4 Doing The Job
-----------------
Try getting an e-mail address online which emulates admin in any way. This is a classic way to get someone's password. Let's say you're attempting to get access to a hotmail account. Simply find an anonymous remailer. Use one with many features; I saw one some time back which allowed you to type in a fake e-mail address and name, so in the receiver's inbox you might make it say; Hotmail Staff; Administrator@hotmail.com, or something similar. Then send an e-mail saying something like:
Dear Hotmail User,
If you require password recovery to any other accounts you have with Microsoft Hotmail then please reply to this e-mail with the following details. Your username on the first line. Your password on the second line. The account you require the password to on the third line. In the subject field simply write "Password Request". An automated computer Bot will reply with the password to the account as required.
The reason we need your password is to verify you have an account with Microsoft Hotmail.
Yours Sincerely
Hotmail Staff
Normally most people will fall for this and I know of one person who tried this who got access to a dozen or so accounts within a few days.
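
Seen from the receiving side, the lure quoted in 8.4 has traits a mail filter can check: a sender name claiming staff or administrator status, a request to send a password by reply, and (assumed here) a Reply-To on another domain with failed SPF/DKIM results. The Python below is an added example, not part of the original article; the sample messages, header values and finding names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure quoted in section 8.4. The Reply-To
# and Authentication-Results values are assumptions added for illustration.
SAMPLE_LURE = """\
From: "Hotmail Staff" <Administrator@hotmail.com>
Reply-To: collector@remailer.example
To: user@hotmail.com
Subject: Password Request
Authentication-Results: mx.example; spf=fail smtp.mailfrom=remailer.example; dkim=none

Dear Hotmail User,
If you require password recovery please reply to this e-mail with the following
details. Your username on the first line. Your password on the second line.
"""

# Constructed benign notification: mentions a password but never asks for it.
SAMPLE_BENIGN = """\
From: "Account Team" <no-reply@mail.example.org>
To: user@example.org
Subject: Your password was changed
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail.example.org; dkim=pass header.d=mail.example.org; dmarc=pass

Your password was changed on 12 July. If this was not you, sign in and
review your account settings.
"""

AUTHORITY = re.compile(r"\b(staff|admin|administrator|support|security|helpdesk)\b", re.I)
# A verb asking the reader to send something, followed closely by a secret.
SECRET_BY_REPLY = re.compile(
    r"\b(reply|respond|send)\b.{0,200}?\b(password|passphrase|pin)\b", re.I | re.S)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def address_domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw_message):
    """Return a verdict and the list of findings for one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender presents itself as staff/admin in display name or local part.
    display, address = parseaddr(msg.get("From", ""))
    if AUTHORITY.search(display) or AUTHORITY.search(address.partition("@")[0]):
        findings.append("authority-claim")

    # 2. Replies would go to a different domain than the visible sender.
    reply_to = address_domain(msg.get("Reply-To"))
    if reply_to and reply_to != address_domain(msg.get("From")):
        findings.append("reply-to-mismatch")

    # 3. Receiving server recorded no passing SPF/DKIM, or a failing DMARC.
    #    A missing Authentication-Results header is treated as a failure.
    results = {m.lower(): r.lower()
               for m, r in AUTH_RESULT.findall(msg.get("Authentication-Results", ""))}
    passed = {m for m, r in results.items() if r == "pass"}
    if results.get("dmarc", "pass") != "pass" or not passed & {"spf", "dkim"}:
        findings.append("auth-failure")

    # 4. Body asks the reader to send a secret back.
    if SECRET_BY_REPLY.search(body_text(msg)):
        findings.append("secret-by-reply")

    if "secret-by-reply" in findings and len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```

The keyword lists are deliberately short; a filter like this belongs alongside the policy that staff never ask for a password by e-mail, not in place of it.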
+-+-+-+-+-+-+-+-+
9. Dumpster Diving
+-+-+-+-+-+-+-+-+
----------------
9.1 Introduction
----------------
Dumpster diving is essentially going into other people's rubbish looking for valuables. However in Social Engineering it is generally referred to as looking through another person's rubbish for information which could help you attack a network.
--------------------
9.2 What to look for
--------------------
It isn't based around looking for passwords written down on paper or other such information solely. It also involves looking for phone/address books, charts, letters; anything which gives out details about a company's structure and about its employees. Look for e-mail print outs, policy documents specifying how to stop hackers entering the target's network, etc. Shredded paper is also a good thing to look for; the shredded paper had some sensitive data on it which led to its shredding. Take it home and jigsaw it together. It takes time but is well worth it.
----------------------
9.3 Things to remember
----------------------
If you dumpster dive remember to do it at night, very late. Dumpsters (bins) are normally located around the back of corporate buildings, look for alleyways or side roads on the block of the building. Be prepared for a chase if caught. Know the local area, know where you'll run, have contingency plans, etc. If caught have an excuse ready. For more information check the links section.
+-+-+-+-+-+-+
10. In Person
+-+-+-+-+-+-+
-----------------
10.1 Introduction
-----------------
This is NOT recommended by me at all. Reason being if caught you will get arrested on the spot. No doubt you need to have a very cool head and a very in depth knowledge of the target. You will also have to be a very convincing liar, as you will have to come out with things to cover yourself on the spot if confronted by any minor mistakes you made.
---------------------
10.2 Pulling the stunt
---------------------
You need to look smart and important. Looks are everything. You have to look old enough for the person you say you are, i.e. the higher ranking you say you are the older and more mature you should look. So if you're a teenager or a little older DO NOT TRY IT. Have a briefcase with you. Know who you're pretending to be and know what to do if they get suspicious in the slightest. Try to go on a day when few employees are around or when employees are likely to be unbothered, like the day before a holiday or on the first day after a holiday. This way employees of the target may be caught unaware. Know what you will do once you're in the building.
Look for memos around desks, which tend to have passwords written on them, if you're ambitious look in bins, but don't get caught. Try to get access to an admin's computer so you can see what sort of firewalls they have and what ways the system can be cracked.
Try to wear a slight disguise so as to create an illusion, and will also make it harder for you to get caught afterwards, i.e. if you're doing a big job then there may be an 'artist's impression' of you. Dye your hair, wear glasses if you don't already or wear contact lenses if you do. Have a clean shave. Make sure your hair doesn't look ragged, i.e. go to the trouble of having a hair cut, if you need one and comb/style your hair. The general idea is to look smart.
-----------------------------
10.3 Important things to note
-----------------------------
Remember not to carry any form of identification about your real self. That way if you get caught and the police search you then you can make up lies. Plan ahead, think about what to say if warning bells are rung. Have some sort of getaway driver ready so you have the option of an escape.
This type of social engineering takes a lot of time and effort so do not attempt with a few days of preparation, it could take over a month.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
11. Putting the Jigsaw Together
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
------------------
11.1 Short Outline
------------------
First you gather information about your target. This is where Dumpster Diving comes into action. Look for all the things I've mentioned in section 9.2. Try the snail mail method here also with prize draw forms. Once you've got all your information together cross check people. Who do you have the most information on? Then emulate that person over the phone. Try to chat the target up a little too. If it's a man, unless you're already a woman, use a voice changer to put on a woman's voice. Make them vulnerable. Then they'll ask you for verification of some kind, have all the information required ready in front of you. Once they think you are who you say you are then extract the necessary information out of them carefully. Do not ask too many questions.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12. Reverse Social Engineering - Complex Social Engineering
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
----------------
12.1 Introduction
----------------
Reverse Social Engineering is a more (much more!) advanced version of social engineering and should be avoided at all costs unless you have been social engineering for some time. Reverse Social Engineering is exactly what the name implies, Social Engineering just backwards, making the target rely on you. Although it is very difficult to carry out, it does clear up any suspicions and questions on the target's end. Reverse Social Engineering puts the hacker in control rather than the target in social engineering.
--------------------------------
12.2 Sabotage, Advertise, Assist
--------------------------------
Before doing anything there is a need to research everything and anything about the company. Organizational structure, computer system structure, network structure, employee names, etc, etc.
----------
- Sabotage
----------
You cause the network to collapse, or an important system within the company to collapse. Use Social Engineering techniques to do this. Get some sort of access to the system, i.e. social engineering in person? Try opening a backdoor using hacking? Get access to a computer? The possibilities are endless. Then you sabotage the computer or computer network, or at least make it look as though it has broken down. Know what you are doing and know how to fix it.
-----------
- Advertise
-----------
This is the most important part of Reverse Social Engineering. You must have correct advertising placed around the error. For example:
 ______________________________________________
|File Permission Error                    _ o X|
|----------------------------------------------|
|File cannot be accessed by user. For          |
|information on accessing this file please;    |
|Contact: Mr. A. Smith                         |
|Phone: (0207) 4565677                         |
|______________________________________________|
If possible make it seem more as though you work for the target company by providing a company e-mail address. This can be easily done if you finger user accounts and passwords because you can then use the user's e-mail address (Obviously, the user's e-mail address should be someone from a different part of the company). You can also social engineer the password by phoning in, pretending to have forgotten it. Then you simply keep track of new messages. This way you can play off the role more convincingly as being a network admin or computer technician of some kind from within the company.
--------
- Assist
--------
If all goes to plan then you will get contacted eventually. You make arrangements to go in and fix the problem, sound like you know the error in question, but do not cause any kind of panic, i.e. do not make it sound serious or they may tell others about the error. Say something like their user account's been misconfigured and you'll need to come in and have a look at it properly before diagnosing it.
If you don't want to risk walking into the company building, i.e. because you may get caught out, then make the target do certain things for you over the phone. However questions may be asked as to what you are asking him/her to do.
At this point you have access to the network, and so you have the power you wanted at your disposal. If you do choose to walk into the company building to fix the problem you will probably be left alone at the terminal in question. This is when you can extract the information you want or open the backdoor you require to the company's network.
+-+-+-+-+-+-+-+-+
13. Links
+-+-+-+-+-+-+-+-+
=================
13.1 Useful Links
=================
URL: http://thephinn.freeshell.org/texts/ue/skip_diving.txt
Description: [Written by a member of Project Tsunami; it covers all aspects of dumpster diving.]
=================
13.2 Bibliography
=================
1.) http://packetstormsecurity.nl/docs/social-engineering/
2.) http://online.securityfocus.com/infocus/1527
3.) http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
4.) http://netsecurity.about.com/cs/socialengineering/
5.) The Art of Deception, Kevin Mitnick.
And above all else, thanks to Cyberarmy.net
This article was originally published by CyberArmy.net in the CyberArmy Library.