Social Engineering: How It Is Done Step By Step
Posted 07 November 2007 - 05:00 PM
** Warning **
These examples are only to be performed on an institution that has hired you for performing this type of testing action. Any one of these actions will be considered a Federal Crime. This information is intended as help for Network Security Consulting firms or Security Consulting firms.
As in any project you are going to take you must set an achievable goal. For this example we wish to setup a wireless access point within a bank so that we can leisurely access the information from within the institution while safely outside. After proposing this idea to the institution for approval and it is approved we need to decide what items we will need.
First you need to put each of your actions and time of interactions with staff into a well organized document that should be approved by Board of Directors from the organization. Have an original of this document notarized and with you. In addition have a separate letter with the companies letter head signed and with a copy of the license of the executive assigned to oversee the test. Have a direct phone number for the overseeing executive as well as a secondary cell phone to ensure they will be contactable in case of a failed attempt. If your test fails and the staff follow procedures you will be arrested. You will need these documents and information so that authorities can contact the proper individuals and determine the credence of your story.
You must remember you are crafting a piece of fiction to not only deceive other individuals but also encouraging them to actively participate. The most common story I would use is that a branch office is having network latency in other words slow connections to the internet and central office locations. This is a perfect story for a few reasons.
1) Everyone believes there connections could be faster, to the internet and else where.
2) It allows you to enter the networking cabinet to install your wireless access point, and allows it to be out of plain site.
3) No one ever knows where it is so it gives you a bit of roaming capability and if you are escorted increases their impatience which is important (more on that later)
4) It ensures you do not have to work on an individuals PC, you always want to avoid working on someones PC. This is because a PC is part of a persons personal space. If you are working on it they will take great interest in what you are doing, which is something you do not want.
5) It is simple and easy to understand but complex enough to bore people, if something is complex people scrutinize it more. We are using something they take for granted (network connectivity) and something they have no interest in learning about. Using excuses such as cleaning spy ware off of a machine encourage interactivity. They could have a machine at home that have spy ware problem. So they may want to see what you are doing to learn how to fix there own. Interactivity is something you don't want.
Just as in a movie and a play, proper props will enhance the experience of the audience and put them at ease. In our case we are looking to perform the same thing. Before covering what to bring, lets cover what not to bring which is more important. Objects that encourage interaction or curiosity is what we don't want.
1) No laptops: In this case we do not need it. They encourage people to look at what you are doing on the screen, and can also send red flags that you are copying information. If you have to bring one make it an old one, make the wall paper have the logo of your fictitious company. Usually on the outside of the laptop I will include a fake "Property Of:" Like Property of: Light Speed Technologies (if lost contact: insert fake number here)
2) No fancy consumer gadgets: You don't want anything that is a conversation starter. You want people disinterested in you.
Now items that you should have:
1) Uniform: This should be the classic collared work shirt with company logo on the breast pocket, make sure it is wrinkled and even slightly dirty, Nothing horrible but you need to look like you have been sitting in your truck all day drinking coffee going from site to site. Jeans or wrinkled Khakis will out the ensemble. Get yourself some work boots that are well worn. The key is too look like you have been at your fictional company for a while, you are a seasoned veteran just doing the daily grind.
2) Work Bag: I use a well worn work bag that is open on the top so people do not think that anything is concealed inside. This is a common bag electricians use, I keep tools attached to the outside like pliers and cables, with zip ties attached to it. I then put the wireless access point under the cables. For the contents use everything you would take on a networking call. You are an IT professional you should know what needs to be inside. Remember nothing new.
3) Clip board and Work Orders: Create some fake work order forms or copy them from the internet. Fill out a couple as if from other fictional offices. They key is to look like you have been out all day. Make sure the forms don't looks so crisp that you just printed them out from a printer an hour ago. Your local office supply store will also sell Carbon Paper generic work order forms.
4) Work Van: Not unnecessary if the parking lot is not in eye shot. But if it is, a quick $50 rental from a home improvement store is great. Especially since the trucks are in terrible shape and dirty. Go on the net and order some magnetic signs with your company logo and name that you can stick to the side. They are extremely cheap and you can use them over and over again and they easily cover any other logo's on the truck.
5) Wireless Access Point: I always use some form of commercial enterprise brand of access point. Such as a Cisco Aironet. Never use a consumer grade device. First it will have poor range, second it will be recognizable to any escort you may have. I usually air brush a matte black finish over the device to cover an lettering that may indicate its actual use and it help blend into dark spaces. You should have this configured to be secure, you do not want to open holes in the security of a bank.
6) LAN testing device, a large hand held like Microtech or Fluke produce. Plugging this into the network will not send up any red flags since it does not look like a computer. And the look lets even the least bit techy of a person know it is some sort of testing device.
First your greatest chance of success is with a mid-size bank. Small banks everyone knows each other, large banks they most likely have internal staff that perform these functions.
Second, find the smallest branch, the farthest from the main office. They are used to having shoddy service, they probably see IT once or twice a year. It will also have the most inexperienced branch manger. The people here are used to be less diligent and are the best targets for not asking questions.
Visit the Banks website. If they have a Direct number for IT great, if not you can use the main number. Call the number posing as a telemarketer. Operate just like a telemarketer they are great at social engineering, when calling just ask " Can I speak to who handles IT", they will forward you over to an IT engineer, most executive secretaries will know you are a telemarketer and will forward you to someone less important. The entire time take down the names of each person you here, writing down what you assume the job function is. Whoever you get hit them with your canned message, 99% they will hang up on you which is fine, you have the information you need.
Next take a drive out to your target site. Take note of the foot traffic going in and out, what times are busy and what time they close up shop. If bank hours are until 4pm and you see them locking the doors at 4:00 exactly and out the door by 4:05pm , you know you picked the perfect location. These people are in a hurry to leave and this will increase their impatience and encourage mistakes.
If the branch closes at 4:00pm on a Friday we are going to schedule our appearance at 3:00pm and show up at 3:30. Why? because people want to leave and they are not going to be interested in what you are doing at all.
Now this might seem a bit different form what other people may do but I call ahead of time and schedule my visit. Why? because no one expects an intruder is going to schedule there time with the victim. This also makes it so that you do not need a story to get in the front door, showing up unannounced will increase suspicions and encourage them to call the main office. Many people use the old "Do you mean the main office didn't call you?" That send up immediate red flags. If you can have a female coworker call for you. I know it is stereotypical but it does lower the guard of many people. You or your colleague should call Thursday at lunch time. Ask for the branch manager. Your script should go like this:
You: Hello can I speak to the branch manager please?
Target: Yes that is me
You: I am just calling to schedule one of our engineers that is coming to your branch. The (insert main office location) informed us that your location has been experiencing latency or slowness when using the internet or contacting the main office. Our engineer will test the line and install an upgrade if need be. Unfortunately we only have 3pm tomorrow since the engineer is going to be at other branches in the morning.
Target: I didn't know that was happening?
You: Yes (insert IT employee here) has been working with your other branches on the same issue.
Target: Ok thank you.
You: Here is our number if you notice any issues with your connection between now and then please do not hesitate to contact us.
Now giving the number is very important, first it will relax the branch manager by indicating you are actually a real company, also if someone has become suspicious you will receive a call. This will let you know your cover is blown before showing up and will save you the time of having to deal with local authorities.
It's Friday, park in a lot down the street and then call the branch at 3:10 already 10 minutes late. Tell them you are the engineer, give your name, (always use your real first name, it will help you be natural) Apologize for being late and tell the manager you are almost there. Now you show up at 3:30. Your conversation should go like this.
You: I am very sorry that I am so late, dispatch has been messing up the locations all day, I can get this done real quick since you guys are probably closing soon.
Target: Thats ok what do you need to do?
You: I just need to know where the network closet is, its probably the one with all the wires going to it.
Target: Oh yea I know where that is (They wont be suspicious of this, they are trained to be nervous about the money, if you stay clear of the vault and teller stations no one will be concerned with you.)
Target: Here it is.
You: Thanks, lets see what we got. ( Hook up your testing gear, fiddle with wires, take your time, if you are lucky they will ask you if they can leave you here because they have to finish some work up.. Yes that is actually what happened to me and it made installation a breeze. If not continue with the dialog)
You: Yea you guys are definitely having some slowness (show them the test screen, it doesn't matter what it says) I will put an accelerator in, that should speed everything up, it will take me a few seconds. (Now just connect your wireless access point in)
You: There all set, sorry again for being late, I just need you to initial the work order, and I will get out of here. Also do you have a card? I will call you next week to see if everything is working ok.
And now you leave. You were a great engineer, and you have successfully performed a social engineering attack. Each project you do where social engineering is involved you will get more comfortable and hence much more successful. Hopefully this will help other engineers out, it took me a number of tries before I was able to come up with this method, and it has been extremely successful.
Would you like to earn money posting on GSO?
Posted 07 November 2007 - 06:06 PM
I can see a combination of tactics used from various sources and see you pulled it off nicely.
The idea of picking the smallest branchin a company is a great idea which never crossed my mind. Regarding the fact they will most likely not have IT staff and will have the least experienced managers. Some good ideas there.
Posted 07 November 2007 - 06:33 PM
[Edit: Glyph: Thanks Post. Warning. Points Assessed. /Edit]
Would you like to earn money posting on GSO?
Posted 07 November 2007 - 07:51 PM
As I say, with creativity & organization we can go really far
the telemarketer stuff is also a cool option, but sometimes it can only piss off the employees and they will probably end up saying nothing at all hehe. Even at my home I get those phone calls and surely I dont say anything, not even my name haha.
[ joke: no thanks post [/joke
Embed any executable in a JPEG image and get it to run upon opening the image with this cool tool that abuses a feature of GDI in Windows systems. for governmentsecurity.org members only! click here to get it!
Posted 08 November 2007 - 08:47 AM
and nicely worked out.
specially the get out of jail card is important
the only thing that I would maybe change is using a company of which the bank already has previously worked with.
it either makes it a lot easier...
or in some cases if they got the proper checkup procedures you are busted.
Posted 10 November 2007 - 05:29 PM
Would you like to earn money posting on GSO?
Posted 19 November 2007 - 07:01 AM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users