-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
        The Official HiR Guide To The Art Of Social Engineering
                                By: Axon
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

        First and foremost, I want to thank the Social Engineering Panel at
2600's Beyond HOPE in August 1997.  I was not able to attend the meeting,
but, thanx to Izaac, who RealAudio'd most of the BH stuph, I was able to
add quite a bit to my SE (Social Engineering) knowledge.  Shoutouts to them
all!

        As I was mentioning, I gathered most of my information from personal
experience, THE Social Engineering Panel at BH, and the Social Engineering
FAQ.

Part 1: What exactly IS social engineering anyway?

Straight from the New Hacker's Dictionary, this is da definition:

social engineering: /n./  Term used among crackers and
        samurai for cracking techniques that rely on weaknesses in
        wetware rather than software; the aim is to trick people into
        revealing passwords or other information that compromises a target
        system's security.  Classic scams include phoning up a mark who has
        the required information and posing as a field service tech or a
        fellow employee with an urgent access problem.  See also the
        tiger team story in the patch entry.

Okay, lingo check.  Some may not be able to understand some of the words in
there.  (If the above definition seems at all hazy or vague to you, you really
ought to pick up the Hacker's Jargon File or New Hacker's Dictionary.)  I'll
go over a few less-commonly used words.  Wetware refers to the human
brain.  This will be discussed later.  Samurai are hackers who hire themselves
out for legal hacking jobs.  The above definition does not include phreaks and
hackers in the scheme.  As a matter of fact, social engineering doesn't have
to be about technology at all (we'll talk about that later, too).

        When you get right down to it, social engineering is basically the
same as "bullshitting", except it is used differently, in a more subtle manner
than flat-out lying.


Part 2: What is SE used for?  What good is learning how to bullshit people?

        Social Engineering is not typically done just for fun.  Usually, it
is an art reserved for finding out some info about a company, a certain
computer network or server, a person, or a product.  One might try to use SE
to get a password out of a person with a standard user-level account on a
specific server (once a hacker has a user-level account, it's only a matter of
time before he can get root on the system).  Maybe you want free stuff.  Who
knows.  Knowing how to SE is a good thing, however.  No matter how secure a
system is, there is always the loser who isn't quite all there in between the
ears, and who will divulge a password over the phone believing you're a tech.
I am sure that you'll find that the computers may not have security holes, but
the people who run them are the weakest link in the chain.


Part 3: How is SE done?

        The first thing you do is gather info.  Research.  Do they have a web
site?  Go for it.  Look for employee names, extension numbers, product or
service lists.  Do NOT jump into the situation blind.  Jump into their trash
bins, without getting caught trespassing, and look for anything and everything
useful.  You can even go up to them face-to-face, although this is a method I
would not recommend to anyone.  A more detailed way of getting information on
your mark is to dial them up on the phone.

        Sometimes you need to make multiple phone calls to your mark to get
through.  An SE panel member gave a good example that I will outline with my
own paraphrasing cuz I don't know the exact words.  Call up your mark, and ask
for a certain department, maybe Information Services if it's a college, or
some kind of thing like that.  Ask for the manager/leader/head/etc. of that
department, and see if you can get a name.  If you can't, hang up and call
later, stating you need to mail something to the head of X department, and
need the name and mailing address.  Bingo, you have a name.  Later, you can
call and say "I need to fax John Smith this quote, could I get his fax number?"
and you have even more info.

        You can call somewhere, pretending to be a different branch (the BH
people picked on K-mart) that's having some sort of problem, in this case,
getting the PA system in the store to work.  So the hacker called up a random
K-mart, asked for the menswear department, then, once menswear was on the
phone, requested a manager.  He told the manager he was from a random K-mart
in the phone book, and asked if he'd been having trouble using the PA system.
The hacker said that he normally dials 50 to get on the PA but that it wasn't
working; then the manager corrected him, "50?  I've never heard of that.  Try
613." and hung up.  Later he called back and asked for Shoes, then bullshitted
about sandals for a while, then asked to be transferred to 613.  After a
couple of seconds, he blared into the phone, deepening his voice, saying
"Attention K-mart shoppers: Everything in aisle 4 is FREE!" then hung up...

        Another very good technique was utilized in that last scenario.  Note
that the hacker did not ASK for the extension to the PA system.  He told the
manager what he thought it was, then proceeded to let himself be corrected.
This is a tactic that can be used to get passwords easily.  Use research to
find a mark that is potentially kind of slow, technologically.  Don't pick a
nerd to SE, pick the technophobe in the bunch, because a good scare will help
them give you the info.  Tell them that their system had a virus and you just
cleaned it, and now you're checking everyone's accounts for traces, so it
won't happen again.  Tell them "according to our records, your password is
xxxxxxxx (insert some stupid password there)."  Sure as hell, if they're
really as dumb as you thought they were, you'll be corrected by them telling
you what their password REALLY is.

        SE is not limited to phone conversation, though.  You can use the same
technique with e-mail (spoofing, too), and in person, as I was discussing
toward the beginning.  I'll leave the e-mail up to you, as I have never seen
it work without using phone SE too (such as sending an e-mail from <some made
up company>, and then calling and saying "yah, this is <some name> from <that
made-up company>, I sent you an email the other day...").  You get the picture.

        I've only seen live social engineering work once, when some guy went
in through a company's doors with a huge array of A/V equipment and fake press
cards, saying they were putting together a documentary on technology in the
Kansas City area for journalism class as a final project, and wondered if they
could include this place.  They talked to the big guy in charge there, who was
more than happy to have some extra advertisement, and gave them a tour of the
whole place (or most of it).  He taped everything.  Things he got on tape were
codes to unlock doors (they only had 3 different codes that he saw on about 8
doors) and locations of certain rooms containing things of interest; he even
got a tour of a big room that people were working in, and was fortunate enough
to tape a guy logging on to a computer (although the last 2 letters of the
password weren't seen, he knew what side of the keyboard they were on).  =]

        You can call tech-support lines and SE with techs.  In most companies,
the technicians are GODS.  They are omniscient, and can get you what you want.
Be careful, though.  They are usually fairly intelligent, too.  You can try to
get them to divulge specs on products, or maybe they can fax you a few white
papers or whatever else they have access to.

Part 4: Extra Tips and Helpful SE Hints.

If your mark is a large company (more than 500 people) then find out enough
about that company to sound like you are with them.  Most company members will
tell co-workers anything they want to know.

Remember that humans are creatures of habit.  People's habits can be monitored
and exploited.  Just remember that you, too, are human.  Hackers should strive
to be an exception to the rule.  Do not be a creature of habit, because that
is how hackers are caught.

Using an accent is helpful.  Make sure you stay in the accent the whole time.
Try Japanese, Scottish, etc.  (Note: The most accepted accents in the U.S. are
British male and Southern female.)

To really throw your mark for a loop, combine SE tactics and SE them more than
one way at the same time.  Be careful though.

Remember that SE focuses on people as the weak link.  This is because, unlike
a computer, they respond to other humans and emotions (i.e. anger, kindness,
being rushed, etc.).  While you can exploit a secretary's emotions, you can't
make a computer sympathize with you.


Part 5: A few final ideas

If you want to find someone's unlisted phone number, find out if they have
cable TV or some other service (in a pinch maybe electricity would work).
Call the cable, electrical, etc. company, and SE them into giving you their
number.  (Maybe you are ready to check out their cable and you're an hour and
a half ahead of schedule, and wanted to call them to see if earlier service
would be okay; whatever floats your boat.)  This may also work for addresses
if you are a serviceman who "lost/forgot" the address...MAYBE.

Part 6: Conclusion

That pretty much sums it up for the HiR Guide to SE.  I hope this information
helps everyone out.  Most of this is just common sense.