Guide to Social Engineering by KILLAHDRAGON


What is Social Engineering?
"An outside hacker's use of psychological tricks on legitimate users of a computer system, in order to gain the information he needs to gain access to the system."
Social Engineering is a way of getting important information from users without them knowing
that they are giving this info to you.
To be able to social engineer you do need a few things:
- Some information on the target
- You must be very patient
- Good Social Skills
Although it may sound complex, social engineering is probably the best 'tool' that you can
learn and become good at. IT'S ALSO VERY EASY.


What information can you get from a user using Social Engineering?
Anything. You can get anything you need from the target, but you must be able to use good
social skills and also be able to 'trick' the user.

How do I Social Engineer?
First of all, make sure that when you are social engineering you do it through a chat program
or email (you may do it on the phone or face to face, but if you get scared and get caught he
won't know who you are). Create a new email with a free host (Hotmail, Yahoo etc.) or, if
you are going to use chat, create a new user on the chat program. When asked for your
details, make sure you enter fake information, but also make sure that it's believable; this means
filling in all the details of your profile, so that when a user checks your profile he will think he knows
your name, location etc. (but this should not be your real info).
Also, before you start, make sure you have written down everything about yourself (not your real
self but your fake self); this will come in handy when the target asks you for your name, age
and other info. Also make a checklist of all the info you want from your target.
Once you have got everything ready, find your target. I like to use ICQ, because of the
many exploits and flaws which make it easier to find info such as the victim's IP.
Using the chat program, find a target and start chatting to him/her. Become their friend and
chat for a couple of hours. Make sure you are patient. Then slowly ask him for the info you
want, BUT make sure you don't make it obvious. For example, if I wanted to know whether the user
had an anti-virus:

(after chatting to the target for a long time and he thinks we are friends)
ME: I am thinking of getting an anti-virus program, but I don't know which one. Could you suggest one?
VICTIM: Dunno, I heard Norton is good.
ME: I don't know, someone told me it's not that good.
VICTIM: I really wouldn't know, I am not good at computers.
ME: Which anti-virus do you use?
VICTIM: I don't use one.
From this exchange we have found out what we wanted: the victim does not use an anti-virus program,
and we have also found out that he does not know much about computers.

Some of the most common techniques used are:

Direct Approach - An aggressor may directly ask a target individual to complete a task (for example, a phone call to a receptionist asking them for their username and password). While this is the easiest and most straightforward approach, it will most likely not succeed, as any security-conscious individual will be mindful of providing such information.

Important User - By pretending to be a senior manager of an organisation, with an important deadline, the attacker could pressure the Helpdesk operator into disclosing useful information, such as:

- the type of remote access software used;
- how to configure it;
- the telephone numbers to the RAS server to dial;
- the appropriate credentials to log in to the server.

Upon obtaining this information, the attacker could then set up remote access to the organisation's network. They could then call back hours later to explain that they had forgotten their account password and request that it be reset.


Helpless User - An attacker may pretend to be a user who requires assistance to gain access to the organisation's systems. This is a simple process for an attacker to carry out, particularly if they have been unable to obtain or research enough information about the organisation. For example, the attacker would call a secretary within the organisation pretending to be a new temp who is having trouble accessing the organisation's system. Not wishing to offend the person or appear incompetent, the secretary may be inclined to help out by supplying the username and password of an active account.

Technical Support Personnel - By pretending to belong to an organisation's technical support team, an attacker could extract useful information from the unsuspecting user community. For example, the attacker may pretend to be a system administrator who is trying to help with a system problem and requires the user's username and password to resolve the problem.

Reverse Social Engineering (RSE) - A legitimate user is enticed into asking the attacker questions, and in doing so gives up information. With this approach, the attacker is perceived as being of higher seniority than the legitimate user, who is actually the target.

A typical RSE attack involves three parts:

- Sabotage - After gaining simple access, the attacker either corrupts the workstation or gives it the appearance of being corrupted. The user of the system discovers the problem and tries to seek help.
- Marketing - In order to ensure the user calls the attacker, the attacker must advertise. The attacker can do this either by leaving their business cards around the target's office and/or by placing their contact number on the error message itself.
- Support - Finally, the attacker would assist with the problem, ensuring that the user remains unsuspicious while the attacker obtains the information they require.

E-mail - The use of a topical subject to trigger an emotion which leads to unwitting participation from the target. There are two common forms that may be used. The first involves malicious code, such as that used to create a virus. This code is usually hidden within a file attached to an email. The intention is that an unsuspecting user will click/open the file; for example, the 'IloveYou' virus, the 'Anna Kournikova' worm or, more recently, the 'Vote-A' email-aware worm. The second, equally effective, approach involves chain mail and virus hoaxes. These are designed to clog mail systems by reporting a non-existent virus or competition and requesting that the recipient forward a copy on to all their friends and co-workers. As history has shown, this can create a significant snowball effect once started.
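As an added, defender-side illustration (this is not part of the original guide): a small Python triage routine that flags the two e-mail lure styles described above, an executable attachment hidden behind a harmless-looking double extension, and a chain-mail body that asks the reader to forward it to everyone. The extension lists, hoax phrases and sample messages are assumptions constructed for this example, not data taken from the page.

```python
"""Heuristic mail triage for the two lure styles described in the text.

Added example; the lists below are illustrative assumptions, not a
complete signature set.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Assumed: extensions that execute when double-clicked on a typical desktop.
RISKY_EXTENSIONS = {"vbs", "exe", "scr", "pif", "bat", "cmd", "js", "com"}
# Assumed: "document-like" extensions an attacker would put in front of the
# real one so the name looks like photo.jpg.vbs rather than photo.vbs.
DECOY_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf"}
# Assumed: phrases typical of chain-mail / hoax bodies.
HOAX_PHRASES = (
    "forward this to everyone",
    "send this to all your friends",
    "send to everyone you know",
    "this is not a hoax",
)


@dataclass
class Message:
    """Minimal stand-in for a parsed e-mail (constructed for the example)."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def attachment_findings(filename: str) -> List[str]:
    """Return findings for one attachment name.

    Whitespace inside the name is removed first, because padding a name with
    spaces so the real extension scrolls out of view is a known trick.
    """
    name = re.sub(r"\s+", "", filename.lower())
    parts = name.split(".")
    if len(parts) < 2:
        return []  # no extension at all: nothing to judge here
    findings = []
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        findings.append(f"executable attachment: {filename}")
        # photo.jpg.vbs -> the part before the last dot is a decoy extension
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension hides executable: {filename}")
    return findings


def hoax_findings(body: str) -> List[str]:
    """Return one finding per chain-mail phrase present in the body."""
    text = " ".join(body.lower().split())  # normalise case and whitespace
    return [f"chain-mail phrase: '{p}'" for p in HOAX_PHRASES if p in text]


def triage(msg: Message) -> List[str]:
    """Combine attachment and body findings for a message."""
    findings: List[str] = []
    for attachment in msg.attachments:
        findings.extend(attachment_findings(attachment))
    findings.extend(hoax_findings(msg.body))
    return findings


# Constructed sample traffic: one executable lure, one hoax, one benign mail.
SAMPLES = [
    Message("Check this out", "Here is the photo you asked for.",
            ["holiday-photo.jpg                .vbs"]),
    Message("WARNING new virus",
            "A new virus is spreading! Forward this to everyone in your "
            "address book. This is not a hoax!!"),
    Message("Minutes from Monday", "Attached as discussed.", ["minutes.pdf"]),
]


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = triage(sample)
        print(f"{sample.subject!r}: {'FLAG ' + '; '.join(verdict) if verdict else 'clean'}")
```

The checks are deliberately crude: they catch the specific shapes the text names (a disguised script attachment, a "forward this to everyone" body) and nothing else, and a real gateway would pair them with attachment sandboxing and sender verification rather than rely on string matching alone.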

Website - A ruse used to get an unwitting user to disclose potentially sensitive data, such as the password they use at work. For example, a website may promote a fictitious competition or promotion which requires a user to enter a contact email address and password. The password entered may very well be similar to the password used by the individual at work.

Other techniques used may include:

- Somebody looking over the shoulder of a person as they type in their password.
- A visitor watching users and their behaviour patterns.
- An attacker sifting through rubbish looking for clues to unlock an organisation's IT treasures.


Credits


KillahDragon
htw_hakr@yahoo.com
http://www.hacktheworld.net