1.1 What is social engineering?
The hacker's jargon dictionary says this:
Social Engineering: n. Term used among crackers and samurai for cracking
techniques that rely on weaknesses in wetware rather than software; the aim is
to trick people into revealing passwords or other information that compromises a
target system's security. Classic scams include phoning up a mark who has the
required information and posing as a field service tech or a fellow
employee with an urgent access problem.
This is true. Social engineering, from a narrow point of view, is basically
phone scams that pit your knowledge and wits against another human. The
technique is used for a lot of things, such as gaining passwords, keycards and
basic information on a system or organization.
1.2 Why is there a FAQ about it?
Good question. I'm glad I asked. I made this for a few reasons. The first is
that social engineering is rarely discussed. People discuss cracking and
phreaking a lot, but the forum for social engineering ideas is stagnant at best.
Hopefully this will help generate more discussion. I also find that social
engineering specialists get little respect; this will show ignorant hackers what
we go through to get passwords. The last reason is honestly a bit of neophyte
training: just another DOC for them to read so I don't get bogged down with
email.
1.3 Who Cares?
To Neophytes: You should, you little fuck. If you think the world of computers
and security opens up to you through a keyboard and your redbox then you are so
fucking dead wrong. Good. Go to your school, change your grades and be a
"badass" hacker. Hacking, like real life, exists in more than just your system.
You can't use proggies to solve everything. I don't mean to sound upset, but
jesus, have a bit of innovation and a sense of adventure.
To Experienced Hackers: Just thought it would help a bit.
1.4 Basic intro and shit for this document.
This FAQ will address phone techniques, mail techniques, internet techniques and
live techniques. I will discuss equipment and will include some scripts of actual
conversations from social engineering. There are times I might discuss things
that cross the line into phreaking or traditional hacking. Don't send me email
saying that my terms aren't correct and blah blah blah isn't social engineering.
I use them for convenience and for lack of a better way to explain things (e.g.
I might say "dumpster diving is a form of social engineering"). Don't get
technical.
SECTION II: PHONES
2.1 Basics
This is probably the most common social engineering technique. It's quick,
painless and the lazy person can do it. No movement other than your fingers is
necessary. Just call the person and there you go. Of course it gets more
complicated than that.
2.2 What Equipment is necessary for this?
The most important piece of hardware is your wetware. You have to have a damn
quick mind. As far as physical equipment goes, a phone is necessary. Do not have
call waiting, as it makes you sound less believable. There's no real reason why,
but getting beeped in the middle of a scam just throws off the rhythm. The phone
should be good quality, and avoid cordless phones unless you never get static on
them. Some phones have these great buttons that make office noise in the
background.
Caller ID units are helpful if you pull off a scam using callback. You don't
want to be expecting your girlfriend and pick up the phone and say, "I wanna
fuck you," only to find out it was an IBM operator confirming your identity.
Operators don't want to have sex with you, and so your scam is fucked. Besides,
caller ID units are just cool because you can say, "Hello, <blank>" when someone
calls. The Radio Slut carries these pretty cheap.
Something I use is a voice changer. It makes my voice sound deeper than James
Earl Jones or as high as a woman's. This is great if you can't change your pitch
very well and you don't want to sound like a kid (sounding like a kid is rarely
helpful). Being able to change gender can also be very helpful (see the
technique below). I got one as a gift from Sharper Image, which means that brand
will cost quite a bit of cash, but it's very good quality. If anyone knows of
other brands of voice changers, please inform me.
2.3 Phreaking and Social engineering?
Social engineering and phreaking cross lines quite a lot. The most obvious
reason is that phreaks need to get into Ma Bell by means other than computers,
so they use con games to draw info out of operators. Redboxing, greenboxing and
other phreaking techniques can be used to avoid the phone bills that come with
spending WAAAAYYY too much time on the phone trying to scam a password. Through
the internet, telnetting to California is free. Through Ma Bell, it's pricey. I
say making phone calls from payphones is fine, but beware of background noise.
Sounding like you're at a payphone can make you sound pretty unprofessional.
Find a secluded phone booth to use.
2.4 How do I pull off a social engineering with a phone?
First, find your mark. Let's say you want to hit your school. Call the academic
computer center (or its equivalent). Assuming you already have an account, tell
them you can't access your account. At this point they might do one of two
things: reset it with no questions asked, or ask you to prove who you are. If
they are stupid, which you hope they are, they will give you a new password. If
they do that for you, they'll do it for most people. Simply finger someone's
account, specifically a faculty member's. Then use your voice changer when you
call and imitate that teacher as best you can. People sound different over the
phone, so you'll have a bit of help.
Try to make the person you're imitating a female (unless you are a female). Most
of the guys running these things will give anything to a good-sounding woman,
because the majority of the guys running minicomputers are social messes. Act
like a woman (using the voice changer) and you'll have anything you want from
them. Most of the time the people working an area will ask for some sort of
verification of your identity, often a social security number. You should find
out as much information about a mark as you can (see the mail and live
techniques) before you even think about getting on the phone. If you say you are
someone you aren't and then they ask you for verification you don't have, they
will be suspicious and it will be infinitely more difficult to take that system.
Once again for idiots: DO NOT TRY TO SOCIAL ENGINEER WITHOUT SUFFICIENT INFORMATION ON YOUR MARK!
Once people believe you are someone, get as much as you can about the system.
Ask for your password, ask for telnet numbers, etc. Do not ask for too much, as
it will draw suspicion. You must sound like a legitimate person. Watch your
mark. Learn to speak like him/her. Does that person use contractions? Does that
person say "like" a lot? Accent? Lisp?
The best way to observe someone's speech is to call the person as a telemarketer
or telephone sweepstakes person. Even if they just tell you they can't talk to
you, you can learn quite a bit from the way they speak. If they actually want to
speak to you, you can use that opportunity to glean information on them. Tell
them they won something and you need their address and social security number
and other basic info.
WARNING: ABUSING SOMEONE'S SOCIAL SECURITY NUMBER IS ILLEGAL!!!
DON'T SAY YOU WEREN'T WARNED!!!
SECTION III: SNAIL MAIL
3.1 Is snail mail really useful?
Yes, it actually is. Snail mail is not tapped. Snail mail is cheap. Snail mail
is readily available. But how can you use it in social engineering? As I said
above, it's difficult to find systems that just let you call in with no
verification. They do exist, but they are rare. So you need info on your mark
and the mark's system. You can try the telemarketing scam, but that isn't always
successful, as people do not trust telemarketers. For some reason, though,
people trust the written word. Morons. People will respond to sweepstakes forms
with enthusiasm and will give you whatever info you want on them. That's why
snail mail is so great.
3.2 What do I need?
Obviously you need mail "equipment", which includes stamps and envelopes. But
subtler things are required as well. You're going to want return address
stickers that include "your company's" logo and name. These can be procured at
places like Staples, Office Max and other stores for a relatively cheap price.
The most important part of mail social engineering is a layout program.
WordPerfect is okay, but I prefer QuarkXPress or PageMaker. These programs are
not cheap, but can be used for plenty of other applications and are well worth
their price. IF YOU GET IT PIRATED, I DON'T ADVOCATE THAT ACTION. With these DTP
programs you can emulate a totally professional document. More about this below.
A private mailbox is good. If you want to be very professional, get a PO box.
I'm in a band, so I use that PO box. They can be rented at a variety of places,
including post offices and Mail Boxes Etc., for low fees. Share the cost with
others for great cost effectiveness.
3.3 I've got the stuff, now what?
What is your mark? Generally, for a mail social engineer, your mark is going to
be a large group of people. Thus, your mail should look like a mass-mail
sweepstakes. Use computer labels and the like to keep up this illusion. You need
a list of employees from that company and their addresses.
Look at the junk mail in your mailbox: sweepstakes forms, mail-in orders, etc.
Try to fake that look. Use something with very few lines to fill in (but with
your vital info on them). A watermark is always a good touch for these
documents. Use the fonts a business would use and word your letters in a similar
fashion. Illusion is everything. The information requested on these should
include social security numbers. Another good idea is to say that you'll need a
password to verify the prize with a voice call. Hopefully it'll be the same as
their net account password. It usually is. Yes, people actually fall for this
stuff.
To make someone fill these out, they must be concise and visually appealing. A
person filling these out cannot be hassled with difficult choices. Check boxes
are also a nice effect. These must look believable. Credibility is everything
with social engineering. I cannot stress that enough. I will soon release
examples, although you should be original and make some on your own.
Now, after stamping and addressing your letters, send them out and wait. Soon
you should receive some answers. At this point, use a standard phone social
engineering approach. Social security numbers are the most common verification.
If you find that you need some other form, send out letters that ask for that
information. For example, sometimes mother's maiden name is used.
SECTION IV: INTERNET
4.1 Isn't this just a form of hacking?
I guess it is, to a point. Hacking takes advantage of holes in security, while
social engineering takes advantage of holes in people's common sense. Finding
your marks through the finger service is a great way to start an engineer. Many
finger daemons give full names, last logins, login locations and all sorts of
info. Find someone who hasn't been on in quite some time.
There are also the classic schemes. Pretending to be a sysop in an IRC or online
chat room can make people give up passwords with ease. Yes, generally actions
taken on the Internet or online are considered traditional hacking, but your
knowledge of the average human's wetware comes into play.
SECTION V: LIVE, FROM NEW YORK...
5.1 In person?
Yup. This is pretty damn important. You can do quite a bit over a phone or
through mail, but sometimes you just have to get off your ass and do things
yourself. Getting a password by digging through a desk is good; so is touring an
office and just looking around. Even conning your way onto a terminal works.
5.2 Equipment
This is the only time in hacker culture where looks matter a great deal. Don't
expect to walk into VIACOM's offices wearing your Misfits T-shirt, with lotsa
zits and your Walkman on; it makes you look suspicious. Look dignified. Wear a
suit. Comb your hair. Don't get out of hand.
Be polite. If you want to look like you belong in that office, you should act
that way, too. So you need a suit. If you weigh more than 200 lbs (and are under
6'2") or look like you're 20 or younger, don't try this. You'll look dumb, be
laughed at and possibly have security called on you. If you're that young, you
can look like an office worker's kid. If you can pull that off, go ahead. Most
of us can't.
Fake ID security cards (the kind that alligator-clip to a belt or something) can
be made with a photo, a layout program and a lamination sheet. This just makes
you look more official. Sometimes one of those stick-on visitor badges can be
helpful. They make your unnatural observation look warranted by your visitor
status.
5.3 I'm sweating in this suit ...now what?
Walk into an office building with confidence. Flash your badge or just wear your
visitor tag. Pretend you really belong there; that's how you look. An office
with cubicles is great. Just walk around and peer at people's belongings. Find
the company's UNIX minicomputer. They tend to keep them behind a big plate glass
window, so you can check out how it's connected. This is good scouting without
having to sift through dumpsters or watch through binoculars.
DO NOT TRY TO HACK WHILE IN THE BUILDING! IT LOOKS PRETTY SUSPICIOUS!
SECTION VI: PUTTING IT TOGETHER
You want to see what your school's minutes are, or you want to hack a local
chemical company to see their new toxins, but even if you had access it would be
problematic to get at the passwords because they are running a VAX. Now what?
First you get a list of employees. For schools, just use the catalog. For
companies, use a live engineering technique. Look for payroll sheets or posted
employee lists. If you look right, you can just ask a low-level employee for a
list. Remember, be calm in front of people. You have to maintain your
credibility.
Finger each employee's account. Find out who has or hasn't used their account in
the past few months. Those who haven't are your marks. Write those names down,
because you're gonna play them for all they are worth, goddammit. Now go to the
phone book and get the employees' addresses. Then create a document in your DTP
program that emulates a short sweepstakes form or another short document
commonly encountered in the field. It must look professional, but subtle enough
not to look fake. Credibility once again. Remember to include the social
security number space as well as other information. Send these out and wait, or
masturbate, or whatever you do for a few days.
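To make the finger reconnaissance from 4.1 and the "finger each employee's
account" step above concrete, here is an added example that is not part of the
original FAQ and not the author's tooling. It parses the long-form output a BSD
finger daemon printed for a host and lists the accounts that have sat idle for
90 days or more, which is exactly the list of marks the text describes. The
sample output is constructed, not captured from any real host; the logins,
names, host names and dates are made up. Because finger prints no year, the
script assumes the most recent occurrence of each month/day that is not after
the reference date (i.e. less than a year idle).

```python
"""List dormant accounts from finger(1) output.

Added example, not part of the original FAQ or the author's tooling.
The sample output below is a constructed imitation of what a 1990s BSD
fingerd printed for a bulk query; the host names, logins, names and
dates are made up, not captured from any real system.
"""
import re
from datetime import datetime

SAMPLE_FINGER_OUTPUT = """\
Login: jdoe                            Name: J. Doe
Directory: /home/jdoe                  Shell: /bin/csh
On since Tue Mar 12 08:02 (EST) on ttyp0 from lab1.example.edu
No Plan.

Login: asmith                          Name: A. Smith
Directory: /home/asmith                Shell: /bin/csh
Last login Wed Sep 13 16:41 (EDT) on ttyp3 from dialup7.example.edu
No Plan.

Login: rlee                            Name: R. Lee
Directory: /home/rlee                  Shell: /bin/csh
Never logged in.
No Plan.
"""

# Fixed reference date so the sample gives the same answer every run
# (a Tuesday, matching the "On since Tue Mar 12" line above).
REFERENCE_DATE = datetime(1996, 3, 12, 9, 0)

# "Login: jdoe   Name: J. Doe" -> login and full name. The name is what a
# caller impersonates; the login is the account they ask to have "reset".
LOGIN_RE = re.compile(r"^Login:\s*(\S+)\s+Name:\s*(.*?)\s*$")
# "Last login Wed Sep 13 16:41 (EDT) on ttyp3 from ..." -> month, day, hh, mm.
LAST_LOGIN_RE = re.compile(r"^Last login \w{3} (\w{3})\s+(\d{1,2}) (\d{2}):(\d{2})")


def _with_year(mon, day, hh, mm, today):
    """finger prints no year, so take the most recent occurrence of that
    month/day that is not after `today` (assumption: idle under a year)."""
    for year in (today.year, today.year - 1):
        try:
            stamp = datetime.strptime(f"{mon} {day} {hh}:{mm} {year}",
                                      "%b %d %H:%M %Y")
        except ValueError:  # Feb 29 in a non-leap year
            continue
        if stamp <= today:
            return stamp
    return None


def parse_finger(text, today):
    """Return one dict per account: login, name and last_login, where
    last_login is a datetime, "now" (currently logged in) or None
    (never logged in, or no last-login line printed)."""
    records = []
    current = None
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            current = {"login": m.group(1), "name": m.group(2), "last_login": None}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("On since"):
            current["last_login"] = "now"
            continue
        m = LAST_LOGIN_RE.match(line)
        if m:
            mon, day, hh, mm = m.groups()
            current["last_login"] = _with_year(mon, day, hh, mm, today)
    return records


def dormant_accounts(text, today, min_idle_days=90):
    """Return (login, name, idle_days) for accounts idle at least
    min_idle_days; idle_days is None for accounts that were never used.
    Users who are logged in right now are never reported."""
    found = []
    for rec in parse_finger(text, today):
        last = rec["last_login"]
        if last == "now":
            continue
        if last is None:
            found.append((rec["login"], rec["name"], None))
        elif (today - last).days >= min_idle_days:
            found.append((rec["login"], rec["name"], (today - last).days))
    return found


if __name__ == "__main__":
    for login, name, idle in dormant_accounts(SAMPLE_FINGER_OUTPUT, REFERENCE_DATE):
        label = "never used" if idle is None else f"{idle} days idle"
        print(f"{login:<10} {name:<12} {label}")
```

Run against the constructed sample it reports asmith (180 days idle) and rlee
(never used) and skips jdoe, who is logged in. The same script pointed at your
own host's finger output shows an admin exactly what an outsider gets for free:
full names, home directories, and the host each person last dialed in from. The
fix of the era was to stop running fingerd (comment it out of inetd.conf) or to
restrict what it prints.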
Yes, you're going to have to spend $10 on stamps, unless you are on good terms
with whoever you engineered in person. If they trust you, go back and use their
stamping machine; might as well. Now get on your phone and call their sysadmin.
Use a woman's voice first, because the guys that run these machines have rarely
seen daylight, let alone women. They are EASILY manipulated by a woman's voice.
Sound helpless; they love it. If they don't give you your password, you'll have
plenty of info to give them for verification. If you pretend to be a woman,
they'll give you plenty of leeway. Go as far as saying you've seen them at work
and think they are cute. Watch the passwords fly.
That's it. Once you're in, do what you do. I can't help you from here.