// An Introduction to Social Engineering
// A Paper by TRAiN3R @ Evilzone.org
First and foremost, I do not imply that I am some elite social engineer or anything like that. I am simply sharing this to help teach those who are interested in social engineering and what it means. The information I am posting is easily googled; I just decided to create this tutorial to inform the uninformed.
What is Social Engineering?
Social Engineering is the ability to obtain information by manipulating a person into simply giving information to you, although not all of it. Social Engineering is used by many top hackers to obtain top secret information that they then decide how to use. In my experience and opinion, Social Engineering is one of the most powerful tools a hacker can utilize.
Keep in mind that not just anyone can become a master of Social Engineering, as it takes a person skilled in persuasion who has the ability to convince people of things that they do not know or believe in. Some people are also more susceptible to Social Engineering than others, but we will get into that later.
Why Social Engineering Matters?
Many people think that Social Engineering is worthless; however, I beg to differ. Some systems are very secure: various exploits (buffer overflows, etc.) are patched and the systems are very strongly protected. In this case, these systems are extremely hard to break into without having some sort of physical access to them. With Social Engineering you will be able to break into these systems by obtaining various information that only company insiders have, making it seem like you are part of the corporation and are privy to top secret information shared on their systems.
Research, Research, and Research
The most important part of Social Engineering is RESEARCH. Research, especially "Doxing" (a form of hacking that uses the internet to obtain information about a victim), is utilized to get information on a target that most people do not have access to.
In today's society, with services such as Twitter, Facebook, and other social networking sites, doxing has become a lot easier. People freely post information about themselves with no thought of their security. With as little as a name and location you can get complete information about a person, such as addresses, phone numbers, work, relatives, bank accounts, etc. I may work on another tutorial explaining doxing in detail, but let's just say it is definitely a skill any social engineer should know.
There are also non-technical ways of obtaining information. The most popular is dumpster diving. You can do this at their work or home. At home it is not illegal as long as the trash is on a public sidewalk, although you probably don't want anyone seeing you. The best time is garbage day; people freely put their garbage out on the street the night before. You may be thinking, what the hell do you think you're going to find in the garbage? Well, it's actually a great way to learn someone's habits, what they eat, what they like, what they buy, etc. You may even find mail, telephone numbers, appointment cards, etc. With this information you have a better idea of what this person likes and does. You can even find out what bank they are with, as well as whether they are in financial trouble (or not), and way too many other things to list.
Some Techniques
In the following I will try my best to describe some of the techniques social engineers use to obtain "Need-To-Know" information from an individual.
Pretexting
Pretexting is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances (source: Pretexting, Wikipedia). After you have done your research on a victim, you can effectively use pretexting to get further information from your target by impersonating various people that have authority over your victim, such as co-workers, police, bank workers, tax authorities, etc.
I find that with pretexting it's important to think outside of the box and be able to come up with various scenarios for how the target may react when you ask them for information. It's important to be able to word sentences and think of responses fast to assure your target that you are who you say you are. This will give them trust in you. Now, it may be impossible to think of every scenario that could happen, which is why it is important to thoroughly think of everything you can before you contact your victim.
Phishing
Phishing is a technique of fraudulently obtaining private information. Many people hear phishing and automatically assume someone is going to steal their Facebook account information, which yes, can be phished; however, it is much more than that. Creating the phisher is simple; it's getting people to use your phisher that is more important. In the days of MySpace, phishing was much simpler than in this Facebook era, as people have now publicly heard of this attack method. However, it is still used and can be beneficial for the social engineer. For example, MySpace allowed HTML changes throughout their website, and with all these page generators of CSS and HTML, people just didn't take their time to read through the code, even to remove their linkbacks. I can't remember the code completely, but it worked by adding code to someone's profile, so whenever you clicked anywhere on the person's page, it would bring you to a MySpace login; however, it was in fact the phisher. This made its rounds and made it easy to obtain MySpace passwords without much Social Engineering; however, it opened the door for further Social Engineering. Phishing can be used to obtain logins, credit card information, social security numbers, birthdays, etc.
Baiting
Baiting is a method that can take different forms but relies on curiosity. Say you are taking a tour of the eBay facility and drop a disk in an elevator; however, this is no ordinary disk. Instead it is a "bait disk": on this disk is malware, such as stealers, keyloggers, RATs, etc. It could be spread by a network, or whenever the disk is inserted. However, I'm getting a little off topic; that is more for you to learn. In any case, you can use information obtained from these compromised systems, especially if they use it on their work computers, and possibly home computers. You can gather more information. Another option would be, after gaining information, to gain further information such as who their tech support company is. Say, for example, they use an external company that monitors and sets up their computer infrastructure. After someone has used your "bait disk" you learned who that company is. You now have more information than the average person, and you can fall back onto pretexting. Say you either invest in or make a few remote hardware keyloggers; you now impersonate the tech support agency and are able to get a few hardware keyloggers installed, learning more and more information about the victim/target.
Quid pro quo
Quid pro quo simply means something for something. With this method one can entice someone with something they want or need in exchange for information you want or need. An example of this would be calling someone claiming to be technical support. If you get a computer illiterate person, it would be very easy to enable remote access to the machine, since your target has no idea what you are asking them to do; however, throughout it, you actually fix their issue, raising no flags as well as keeping control over the system for further penetration.
Tailgating
No, not like at a football game sitting in the parking lot barbecuing, but instead following people into a more secure facility that may require some sort of pass or RFID card. After you gain access via tailgating, you can get access to documents, computers, etc., again taking information you want. Again you can insert hardware keyloggers, install malware on computers, and make copies of important documents and memos that are not common knowledge, thus opening the door for further SE.
Who to target
The target that you choose is dependent on the information you want. An example that comes to mind is from the movie Takedown (a movie about Kevin Mitnick), which shows a lot of social engineering. At first the movie shows Kevin Mitnick learning about a system called SAS, and he successfully SE'd a few different people to gain access to the system. However, later in the movie, he learns about "nokitel" codes that can turn a cellphone into a scanner, and he proceeds to try to SE a computer security expert, Tsutomu Shimomura, who doesn't fall for it. Let this be a lesson that the more computer illiterate someone is, the easier they will fall for Social Engineering.
Conclusion
Well, like most good things, I think it's time to come to an end, as this is simply an Introduction into social engineering. I would also like to point out a few examples from movies that show Social Engineering, and what you can gain from it ^_^
-In the film Hackers, Dade (the protagonist) used pretexting when he asked a security guard for the telephone number to a TV station's modem while posing as an important executive.
-In the movie Live Free or Die Hard, Justin Long is seen pretexting that his father is dying from a heart attack to have an On-Star Assist representative start what will become a stolen car.
-In the movie Sneakers, one of the characters poses as a low level security guard's superior in order to convince him that a security breach is just a false alarm.
-In the James Bond movie Diamonds Are Forever, Bond is seen gaining entry to the Whyte laboratory with a then-state-of-the-art card-access lock system by "tailgating". He merely waits for an employee to come to open the door, then posing himself as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee.
You can also see Social Engineering in other movies such as Anti-Trust [dubbed Hackers 3] as well as Takedown [aka Operation Takedown or Hackers 2], which is a bunch of SE by "Kevin Mitnick", probably one of the largest KNOWN social engineers.
In the end, I hope you enjoyed my Introduction to Social Engineering and hope you
I know there are a few typos and such; I will get to fixing this, making formatting changes, as well as adding information. This was just a quick write-up.