Monday, May 30, 2011

Social Engineering

Social Engineering

Before I get into the World of Social Engineering, please keep in mind that this guide was made for, but not limited to, beginners. So with that in mind, let's get this show on the road! So what exactly is social engineering? I'm sure this question has been asked a million times, you're probably even asking yourself this now! To cut around the BS and throw away the leftovers, social engineering is the act of manipulating people into revealing information or tricking the slave to performing actions that are beneficial to the user. That's it! To put it in simpler terms; ever trick someone into doing something dumb, or told a lie to get someone to tell you something, or even get your friend to lie for you to get "something" out of it? That's social engineering my friends! It's that simple, and anyone can do it, even the weird kid in your class that's deaf that tries to talk, but can't, but still tries anyway! Although social engineering is relatively easy to do, and can be used anywhere at any time, the very world of it is complex, there is no "one-way" to doing things. Your options are endless, so make use of it!


An Example of Social Engineering:
A True Story

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.


Primary Methods of Social Engineering
  • Phishing - is a technique often used to obtain private information. Typically, the user sends an e-mail that appears to come from a legitimate business requesting "verification" of information and warning of some consequence if it is not provided. The e-mail usually contains a link to a web page that seems legit and has a form requesting everything from a home address to an ATM card's PIN.
  • IVR or phone phishing - also known as "vishing"; this technique uses an Interactive Voice Response (IVR) system to recreate a legit sounding copy of a bank or other institution's IVR system. The slave is prompted to call in to the "bank" via a phone number provided in order to "verify" information.
  • Baiting - Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the slave. In this attack, the attacker leaves a malware infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the slave to use the device.
  • Quid pro quo - An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.

Social Engineering Basics


Persuading Someone

PREPARATION


Plan: Before you start a conversation with your slave you should think of how to approach him. You can have either one of the following stances:

Offensive stance: If you have a lot of knowledge on the subject and good opinions to back it up you should keep this stance. Intimidate the listener, interrupt him every now and then and prove that you have more knowledge than he does.

Defensive stance: Listen to what the slave has to say, let him finish and give hime the idea that he's winning the argument. Then, pose a question to him/her that will get him to doubt himself. However, don't get carried away cause if he speaks too much, HE/SHE will keep an offensive stance and you're generally screwed.

Ironic stance: If you answer ironically to the slave's ideas and thoughts he/will get angry and lose it, which means he/she will start making a fool of himself/herself. Then he/she will get worried and almost everything he/she says won't make sense. There's your chance for counter attack. Just try not to look like an idiot.

Co-operative stance: This depends on the listener you're dealing with. When arguing, you can try agreeing with his ideas and giving him/her the wrong idea that he/she is winning. You can even try praising him/her for his beliefs. After that, the listener will be flattered, thus, vulnerable. That's when you strike. However, this way is very difficult and complex so it's not recommended for people who aren't really into Social Engineering.


OBSTACLES YOU MIGHT COME ACROSS


Belief Conflict: First of all there will be a conflict between you and your listener's beliefs. It's not easy to persuade a Muslim that Allah is not real and that God is our only divide power (though even I don't believe this). So, trying to change somebody's mind on subjects he has built his life on is not recommended.

Knowledge: Before you try starting a conversation with the listener you must take his knowledge about the subject into consideration. If you're trying to argue with a NASA scientist about Earth's orbit or comets' speed you're obviously about to fail (and look like an idiot). Try to use topics in which you have a particular knowledge so you can overwin the listener and finally convince him.

Skeptics: That's definitely the worst case scenario. Skeptics are people who doubt almost everything you want to tell them. If your listener is one of them then your chances of convincing him will be minimum. So, if you're not experienced enough you'de better avoid making a conversation with him cause it will end up with you wasting your time.



WAYS TO OVERCOME THE OBSTACLES - COUNTER TECHNIQUES


Shaking His Existing Belief: If the listener doesn't have much knowledge on the subject you can shake his/her existing belief and substitute your own. You can accomplish that by using countering facts and holding a co-operative stance against him/her.

Undermine His Knowledge Base: When the listener has a certain knowledge about the subject he/she uses it as a shield to defend himdself by any possible "belief threats". To bring this shield down you have to do something very simple. Convince him that you know more than him. By using false, but believable facts you will make the listener doubt his own, even if he's doing that subconciously. When you get to that point, forget about passing on your idea and try to make sure that your listener is convinced that you know more than he/she does. The rest is easy and up to you.



Program His Subconscious Mind: You can achieve this by reapeating again and again your idea. This method is a part of the mind-programming skill for which I will be posting a tut in the next days.

Provide Proof for the Skeptic: There isn't much to do in this situation than providing legitimate proof to the skeptic. If you can't do that then there isn't anything else to do, you believe your own ideas, he/she does the same and life goes on.

Believing in Your Idea: Apart from manipulating the listener there is one thing you must apply to yourself. Believe in your ideas. If you're trying to pass an idea that even you don't believe in it then I can guarantee you will fail. When you have faith on what you're talking about the whole process will be easier for you.


Repetition and the Law of Attraction: There have been several experiments on that via TV over the last few years. Particularly, there was a banned comercial of the Coka-Cola company which only showed the logo of the product for 1 second. That's it. However, every person who watched this commercial wanted to buy a coca-cola. That happened because subconciously, the mind kept telling the individual that he needed the product. That's exactly what you're going to do. Every now and then, you're gonna talk to the listener about your idea for just a few seconds or minutes. Thus, he is going to think your subject for the rest of the day. Even if he doesn't want to.


TIPS


#1 Try to talk firmly without losing any word cause this shows your uncertainty. Doing this will make the listener believe you are trustworthy.

#2 Use big words and sentences. It's recommended that you don't answer questions with one or two words. Back up your opinion as well as you can.

#3 Don't look desperate. It shows that you have lost faith on what you're trying to do which intrigues the listener whether you believe in it or not.

#4 Try to stare him/her in the eyes. Thus, you will intimidate him and he will hold an affirmative stand against you, even though he's doing it subconciously.

#5 Tell a joke. If you seem more light about the subject your slave will be even lighter and believe everything you want to pass on.

#6 Be more demanding. You will let the listener know that you are determined to convince him so there is no way out.

#7 Do not touch the listener. You will scare him away by doing that and he will keep a very defensive way.

#8 I would say follow the rules above but it would be ****ty. Try to speak loud and clear. Do not make the listener ask you "What?" cause automatically you lose lots of points


Lying
1. Always look the person you are talking to in the eye.
If you dont look them in the eye it seems suspicous as if you are untrustworthy and nervous. And if you get accused of doing something maintain a confused facial expression


2. Make sure you know what your your going to say and don't change it later on.
The main error people make is changing their story later on and getting caught up. If your going to lie make sure you tell the whole story to the person. Don't add little detail later on. Make sure what you say can't be proved wrong.


3. Dont laugh or smile.
if you laugh or smile you always look sort of dodgy. Also when you fake smile or fake laugh, it doesnt show in your eyes. When you smile normally your eyes look softer. when you fake smile your eyes look hard and cold. If you think your going to laugh because the lie you are telling is funny think about someone close to you dying. that usually helps me. Also speak calmly and slowly. Not super slow but slower than usual. Another thing, stand loose not tall and stiff.


4. Don't fidget!
I can't stress this enough. It is so obvious when someone lying because most people get nervous and bite their nails or touch their ear or rub their neck. IT IS VERY OBVIOUS!!
Scratching yourself
Itching yourself
Adjusting yourself
Swallowing
Overly blinking
Exaggerated breathing



5. REMEMBER YOUR STORY
If you don't remember your story you tangle yourself up trying to remember and it is a stupid mistake to make.


Applying Techniques
Social engineering is applicable in many fields. From daily life to accomplishing a task, social engineering can always improve yourself. One popular form of social engineering is called "e-whoring", as well as other forms of scams, however, social engineering is not always used for bad purposes.




~ see the original post here ~

1 comment:

  1. I have used AVG protection for a number of years now, and I would recommend this product to everybody.

    ReplyDelete