BotHack

BotHack makes getting things done easy and fun. Delving deep into the technoweb, BotHack brings back simple and totally life-altering tips and tricks for managing your information and time. At this wild moment in the development of human-oriented technology, BotHack is your own personal early adopter, here to guide you through the onslaught of the new. The world is full of fascinating problems waiting to be solved: BotHack can help.

Friday, November 11, 2005

BotHack: Guide to Social Engineering

Introduction: What is Social Engineering?

Social engineering is the act of presenting false and/or intimidating information to an individual in order to manipulate that individual into providing you with goods, information, access, or authority which would normally be difficult or impossible to obtain using other methods. While I certainly do not advocate the theft of personal property, especially by using a method as dishonest as social engineering, in some cases social engineering is necessary... even for survival.

The purpose of this article is to further explain the psychological aspect of both sides of social engineering as well as certain common problems encountered by individuals who have attempted to social engineer.

(For most of the remainder of this article, I will use "SX" to represent the term "social engineer" as a verb and "SE" to represent the term "social engineer" as a noun.)


Part One: Preparing for the Attack

It seems that few people are truly skilled at social engineering. I feel this is because of two main reasons. The first reason is that many people are so afraid of failing that they do not even try.

If you have ever attempted to SX someone, you probably remember your first time, regardless of whether you were successful. You probably had "butterflies in your stomach", as they say, and shaky hands. As with hacking, social engineering gives you a rush; a unique high that comes from a mixture of danger, secrecy, and an "I really shouldn't be doing this" feeling. For some, even the very idea of SXing is too much to handle. They can't do it. For most of those people, it is simply a matter of being too nervous. For some, however, it is a justified fear of being caught. This fear can be remedied fairly easily.

The most common medium of SX attacks is the telephone. Therefore, we need to consider how we can use the telephone to our advantage, as well as how the telephone can be used against us. One of the biggest advantages of the phone is only our voice is received by the other side. If you can disguise your voice well enough, you can become anyone on the phone. Also, you do not need to control your facial expressions while using the phone. The major disadvantage of using the telephone, though, is that it is very easy to trace a call (caller ID also creates a problem). This is a problem that must be corrected before any SX attempt is made. Fortunately, getting around it is fairly easy. You never want to SX from your home, so the two most feasible options are payphones and your neighbors' phones. Payphones are great, because even if the call is traced, there is no way for authorities to know it was you (except for in rare cases when there is a security camera near the phone). The major downfall of payphones is that most of them say "PAYPHONE" in the caller ID stream. That makes your call look very suspicious. The other option is to use a neighbor's phone line. This used to be much easier, as you could pop open the junction box on your neighbor's house and connect a phone to the terminals. The phone companies have gotten wise, however, and have recently started removing the junctions altogether. Now the line runs straight through the box, if the box is there at all. There are still ways to access the phone line, though they are not as discreet. You will need to skin the two wires and connect your beige box to them, then you should be able to dial out. Of course, there is still a small risk with the caller ID, but a personal name looks better than "PAYPHONE". If you are still worried about caller ID, in some areas you can use *67 before dialing the number (the caller ID will say "PRIVATE" or "BLOCKED").

If the SE uses either of the previously mentioned methods, he doesn't have anything to worry about. Of course, if it is his first time, he will still be nervous. Therefore, I suggest a few practice runs. Go to a payphone and call up a local shopping center (Wal-Mart, K-Mart, et cetera). Ask to be transferred to a specific department, then talk that person into telling you the department codes. It doesn't matter if you are successful, you are just getting rid of the nervousness.


Part Two: Forming the Attack

The second reason for the lack of skillful SXing is because of ignorance. People just assume they can lie and be believed. There is much more that needs to be taken into consideration, however.

Perhaps the greatest skill an aspiring social engineer can learn is that of empathy. If you can think the way someone else is thinking, you will be able to talk them into almost anything. Empathy comes naturally for some. Unfortunately, the outgoing people who are willing to try SXing usually cannot empathize easily. Before you can develop empathy, you must develop sensitivity, which is a simple form of empathy. Try to think of how other people are feeling emotionally, and why they are feeling that way. Analyze the things they say and their actions, and try to guess their thoughts. You will probably be wrong, but the more you consider others' feelings, the more you will understand people in general, and then specifically. (People will like you more, as well.) For most, it can take several months to a year to understand a single person. For sensitive people, several days. For empathetic people, it takes only one conversation. That should be one of your goals as a social engineer.

While empathy makes it possible to SX almost anyone, it is not the most vital part of SXing. You can know your target inside and out, but if you cannot communicate with them in the proper way, it's worthless. When SXing by phone, the most obvious warning sign to the target is a shaky voice. Even if they're not smart enough to understand that you're trying to trick them, they will subconsciously know there is something wrong, and it will cause problems for you. Usually, a shaky voice can be overcome with practice. If you're voice is shaky all of the time, it is probably because you don't talk much. The more you talk, the better you will sound, and you will even become more articulate. Drinking something warm might also help you keep your voice steady.

Once you have mastered your voice, you will need to learn to control your face (this is only necessary if you are going to be SXing face-to-face). When you are lying, the ultimate giveaway is your eyes. That is what police interrogators watch when they are questioning a suspect. When you ask someone a question, they will move their eyes in one of two ways, depending on whether or not they are lying. For example, when they are remembering information (and getting ready to tell the truth) they might move their eyes to the side, and when they are making up information (and getting ready to tell a lie), they might roll their eyes for a few seconds. Each person moves their eyes differently, and you need to find out how you move yours. Practice with a friend, and then when you know how you move your eyes, practice lying while moving your eyes like you're telling the truth. As with a shaky voice, a victim may not realize how you are moving your eyes, but he will know subconsciously that something is wrong. In most cases (except when you are role-playing [part four]), you should try to maintain almost constant eye contact with the victim.

Part Three: Executing the Attack

When you are SXing, the first step is to let the victim know that you have authority, and you know what you're doing. As long as they believe that, you will have no trouble. You can tell them that you are friends with the owner of the company (make sure you know his name first) and he gave your permission. Or you can say you're with another department and you've already gone through the proper channels. This is your chance to be creative.

The next step is to let the victim know what you are after. You can do this two ways. First, come right out and say it. Let them know what you want and hope they buy your story. The other way is to get them to trust you, make subtle hints about what you want, and then present them with an opportunity to give it to you (it takes a lot of practice to pull this one off). The first method is easier and works most of the time, but when you're working in a delicate situation, sometimes the second way is the only option.

The third and final step is to "cover your tracks". It's not as hard as it sounds. You simply end the conversation on a good note, without doing or saying anything out of the ordinary. The ultimate objective is to pull off the whole thing without calling attention to yourself. That way, even if you fail, you can try again without much unnecessary risk.

Remember that during any part of the conversation, something unexpected could happen (and probably will). Always be ready for anything.


Part Four: Additional Tips and Tricks

One of the best-kept secrets of SXing is role-playing. It's a slightly complicated method, but once you learn it and practice it, it will help you tremendously. The theory behind role-playing while SXing is that you should have the opposite personality of the victim. For example, if the victim is quiet, humble, and goes along with anything, then you should be loud and commanding and act like they owe it to you. If they are sure of themselves and talkative, you should be meek and unsure and SX by making "suggestions". One of the only times you should not take on an opposite personality is when the victim is monotonous. You will want to actually match their personality, because they are likely in a bored state and will give you what you want as long as you don't "wake them up", so to speak. (Role-playing can be difficult to pull off. If you're not sure, then don't try it.)

Bluffing rarely works, and should only be used as a last resort. When I say "bluffing" I'm talking about stuff like "I already talked to your manager. Go ahead, call him!" That's a no-no.

If it doesn't work out, don't make a fuss. Just say something like "Oh, that's okay. I'll have my boss work it out tomorrow. Thanks. Bye." As I said earlier, your ultimate objective is almost always to do the job without calling attention.

Offer wrong information (an insignificant detail), and then correct yourself. This makes you seem more believable. If you try this, only do it one time in the conversation, and do it toward the beginning.

Make sure you do your homework. Whenever I SX, I like to totally make up my character on paper. I write a short biography, come up with details including date of birth, parents' names, friends, and previous jobs, and then I practice acting like that character before I actually SX. I also study the target(s), whenever possible. Find out how long they've been in their position, how old they are, and anything else that might be helpful. Usually, though, you won't be able to discreetly find information about the individual, so study the company or organization instead (study both if you can).

Disclaimer : All this info is only for educational purpose (yea right!). Anybody gets into trouble is on his own, we do not encourage SX, it is on your interest only.

Die Dulci Fruere

posted by Nitterbog @ 5:17 AM 

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home