What is Social Engineering?
"An outside hacker's use of psychological tricks on
legitimate users of a computer system, in order to gain the
information he needs to gain access to the system."
Social Engineering is a way of getting important
information from users without them knowing they are giving this info to you.
To be able to social engineer you do need a few things:
- Some information on the target
- You must be very patient
- Good Social Skills
Although it may sound complex, social engineering is
probably the best 'tool' that you can learn and become good at. IT'S
ALSO VERY EASY.
What information can you get from a user using Social Engineering?
Anything. You can get anything you need from the target.
But you must be able to use good social skills and also be able to
'trick' the user.
How do I Social Engineer?
First of all make sure when you are social engineering that
you do it through a chat program or email (you may do it on the
phone or face to face but if you get scared and get caught he won't
know who you are). Create a new email with a free host (hotmail,
yahoo etc...) or if you are going to use chat then create a new
user on the chat program. When asked for your details make sure you
enter fake information, but also make sure that it's believable. This
means filling in all details of your profile so when a user checks your
profile he will think that he knows your name, location etc... (but
this should not be your real info).
Also, before you start, make sure you have written down
everything on yourself (not your real self but your fake self).
This will come in handy when the target asks you for your name, age
and other info. Also make a checklist of all the info you want
from your target.
Once you have got everything ready then find your target. I
like to use ICQ, because of the many exploits and flaws which make it
easier to find info such as the victim's IP.
Using the chat program find a target and start chatting to
him/her. Become their friend and chat for a couple of hours. Make
sure you are patient. Then slowly ask him for the info you want, BUT
make sure you don't make it obvious. For example, if I wanted to
know if the user had an anti-virus:
(after chatting to the target for a long time and he thinks we are friends)
ME: I am thinking of getting an Anti virus program, but i don't know which one. Could you suggest one?
VICTIM: Dunno, i heard Norton is good.
ME: I don't know, someone told me its not that good.
VICTIM: I really wouldn't know, i am not good at computers
ME: which anti-virus do you use?
VICTIM: i don't use one.
From this case we have found out what we wanted: the
victim does not use an anti-virus program.
We have also found out that he does not know much about
computers.
Some of the most common techniques used are:
Direct Approach - An aggressor may directly ask a target
individual to complete a task (for example, a phone call to a
receptionist asking them for their username and password). While
this is the easiest and the most straightforward approach, it will
most likely not succeed, as any security-conscious individual will
be wary of providing such information.
Important User - By pretending to be a senior manager of an
organisation, with an important deadline, the attacker could
pressure the Helpdesk operator into disclosing useful information,
such as:
- the type of remote access software used;
- how to configure it;
- the telephone numbers to the RAS server to dial;
- the appropriate credentials to log in to the server.
Upon obtaining this information, the attacker could then
set up remote access to the organisation's network. They could then
call back hours later to explain that they had forgotten their
account password and request that it be reset.
Helpless User - An attacker may pretend to be a user who
requires assistance to gain access to the organisation's systems.
This is a simple process for an attacker to carry out, particularly
if they have been unable to obtain/research enough information about
the organisation. For example, the attacker would call a secretary
within the organisation pretending to be a new temp who is having
trouble accessing the organisation's system. Not wishing to
offend the person, or appear incompetent, the secretary may be
inclined to help out by supplying the username and password of an
active account.
Technical Support Personnel - By pretending to belong to an
organisation's technical support team, an attacker could extract
useful information from the unsuspecting user community. For
example, the attacker may pretend to be a system administrator who
is trying to help with a system problem and requires the user's
username and password to resolve the problem.
Reverse Social Engineering (RSE) - A legitimate user is
enticed to ask the attacker questions to obtain information. With
this approach, the attacker is perceived as being of higher
seniority than the legitimate user who is actually the target.
A typical RSE attack involves three parts:
Sabotage - After gaining simple access, the attacker either
corrupts the workstation or gives it an appearance of being
corrupted. The user of the system discovers the problem and tries to
seek help.
Marketing - In order to ensure the user calls the attacker,
the attacker must advertise. The attacker can do this by either
leaving their business cards around the target's office and/or by
placing their contact number on the error message itself.
Support - Finally, the attacker would assist with the
problem, ensuring that the user remains unsuspicious while the
attacker obtains the information they require.
E-mail - The use of a topical subject to trigger an emotion
which leads to unwitting participation from the target. There are
two common forms that may be used. The first involves malicious
code, such as that used to create a virus. This code is usually
hidden within a file attached to an email. The intention is that an
unsuspecting user will click/open the file; for example, the 'IloveYou'
virus, the 'Anna Kournikova' worm or more recently the 'Vote-A'
email-aware worm. The second, equally effective approach involves chain
mail and virus hoaxes. These have been designed to clog mail systems
by reporting a non-existent virus or competition and requesting the
recipient to forward a copy on to all their friends and co-workers.
As history has shown, this can create a significant snowball effect
once started.
Website - A ruse used to get an unwitting user to disclose
potentially sensitive data, such as the password they use at work.
For example, a website may promote a fictitious competition or
promotion, which requires a user to enter a contact email address
and password. The password entered may very well be similar to the
password used by the individual at work.
Other techniques used may include:
- Somebody looking over the shoulder of a person as they
type in their password.
- A visitor watching users and their behaviour patterns.
- An attacker sifting through rubbish looking for clues to
unlock an organisation's IT treasures.
Credits
KillahDragon
htw_hakr@yahoo.com
http://www.hacktheworld.net