A Beginner's Guide to Social Engineering

Post  Nikhlesh on Sat Apr 10, 2010 12:52 pm

Contents:
1. Introduction to Social Engineering
2. Examples of Social Engineering
3. Methods of Social Engineering
4. Advantage of Social Engineering
5. Are You a Social Engineer?
6. Final Thoughts
+ REP IS APPRECIATED

1. Introduction to Social Engineering

Before I get into the World of Social Engineering, please keep in mind that this guide was made for, but not limited to, beginners. So with that in mind, let's get this show on the road! So what exactly is social engineering? I'm sure this question has been asked a million times; you're probably even asking yourself this now! To cut around the BS and throw away the leftovers, social engineering is the act of manipulating people into revealing information or tricking the victim into performing actions that are beneficial to the user. That's it! To put it in simpler terms: ever trick someone into doing something dumb, or tell a lie to get someone to tell you something, or even get your friend to lie for you to get "something" out of it? That's social engineering, my friends! It's that simple, and anyone can do it, even the weird kid in your class that's deaf that tries to talk, but can't, but still tries anyway! Although social engineering is relatively easy to do, and can be used anywhere at any time, the very world of it is complex; there is no "one way" of doing things. Your options are endless, so make use of them!


2. Examples of Social Engineering

Anonymous Wrote:A True Story

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.


Anonymous Wrote:Retail Paging Systems

Wal-Mart store phones have clearly marked buttons for the paging system. Wal-Mart is the exception, not the rule. So how do you get on the paging system to have a little fun when you're bored out of your mind shopping with your girlfriend? Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op. The key here is to become a harried employee, saying something similar to..."This is Bill in shoes. What's the paging extension?" More often than not, you'll get the extension without another word. Now, get some by saying something sweet over the intercom.


Anonymous Wrote:Hotels

Hotels hold such promise. Some hotels have voice mail for each room, guests receiving a PIN when they check in. Hotels also have "guest" phones; phones outside of rooms that connect only to rooms or the front desk. Pick up a guest phone, make like a friendly guest and say, "I forgot my PIN. Could I get it again? Room XXX." Knowing the registered name of the target room helps, for the Hotel and Restaurant Management Degree Program graduate may ask for it.


Proper Engineering is Social Engineering

[Image: ProperEngineeringisSocialEngineerin.gif]

3. Methods of Social Engineering

Courtesy of Wikipedia
Some Methods of Social Engineering:

* Phishing - is a technique often used to obtain private information. Typically, the user sends an e-mail that appears to come from a legitimate business requesting "verification" of information and warning of some consequence if it is not provided. The e-mail usually contains a link to a web page that seems legit and has a form requesting everything from a home address to an ATM card's PIN.

* IVR or phone phishing - also known as "vishing"; this technique uses an Interactive Voice Response (IVR) system to recreate a legit sounding copy of a bank or other institution's IVR system. The victim is prompted to call in to the "bank" via a phone number provided in order to "verify" information.

* Baiting - Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.

* Quid pro quo - An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.

Courtesy of Wikipedia

4. Advantage of Social Engineering

So, to soak up what you've learned so far: an introduction to social engineering and some examples of the very subject itself (SE). On to the very question that people want to hear and know: what can I GAIN from using social engineering? Anything! Like I said before, and am not afraid to say again, your options are endless when using social engineering! It all depends on your goal, and how you approach it is the defining factor of your outcome. Now with that said, don't go off thinking that you can take over the World in a matter of a few days; that's not going to happen. But what you can do is practice using social engineering, little by little, step by step; learn how to build your ground and the environment around it. So yes, think outside the box and learn to open new doors! Keep in mind that connections and relationships are everything in being a social engineer; without them, what can you build from nothing? Nothing! That's where social engineering comes into play: learn to make new friends, take the time to ask questions, and most importantly, learn your target! Like one once said, "My greatest enemy is also my best friend." You can achieve anything with the right mindset!

5. Are You a Social Engineer?

So are you a social engineer? YES! You're a social engineer even without knowing it! Believe it or not, more than 50% of people living on this Earth subconsciously don't know what they're capable of! That's a scary thought; that's a lot of potential lost! But with the right direction and approach to your goal, anything is possible! Anything. Don't let your options deteriorate due to discouragement and the wrong mindset. The decision is yours to let it happen or not!

6. Final Thoughts

You must feel good up to this point! I mean, not only did you catch a glimpse of the World of Social Engineering, but you can take this bit of info with you and apply it to whatever you are trying to achieve. One of the best features of social engineering is that it can't be subjugated to one subject, so it can basically be used on virtually anything! I personally recommend using social engineering to create a positive effect, rather than a negative one. Remember, don't get ahead of yourself and overdo it, or else you'll end up in these happy hands:

_________________
n1cKy cheers

Nikhlesh
Admin

Posts: 24
Points: 19779
Reputation: 0
Join date: 2009-04-01
Age: 24
Location: India

http://www.h4ck3rz.ideaboard.net or http://www.logmein.h4ck3r.in

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

Permissions in this forum:
You cannot reply to topics in this forum