-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
The Official HiR Guide To The Art Of Social Engineering
By: Axon
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

First and foremost, I want to thank the Social Engineering Panel at 2600's Beyond HOPE in August 1997. I was not able to attend the meeting, but thanks to Izaac, who RealAudio'd most of the BH stuff, I was able to add quite a bit to my SE (Social Engineering) knowledge. Shoutouts to them all! As I mentioned, I gathered most of my information from personal experience, the Social Engineering Panel at BH, and the Social Engineering FAQ.

Part 1: What exactly IS social engineering anyway?

Straight from the New Hacker's Dictionary, this is the definition:

  social engineering: /n./ Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.

Okay, lingo check. Some may not understand some of the words in there. (If the above definition seems at all hazy or vague to you, you really ought to pick up the Hacker's Jargon File or the New Hacker's Dictionary.) I'll go over a few less commonly used words. Wetware refers to the human brain; this will be discussed later. Samurai are hackers who hire themselves out for legal hacking jobs. Note that the above definition does not include phreaks and hackers in the scheme. As a matter of fact, social engineering doesn't have to be about technology at all (we'll talk about that later, too).
When you get right down to it, social engineering is basically the same as "bullshitting", except that it is used differently, in a more subtle manner than flat-out lying.

Part 2: What is SE used for?

What good is learning how to bullshit people? Social engineering is not typically done just for fun. Usually it is an art reserved for finding out some info about a company, a certain computer network or server, a person, or a product. One might use SE to get a password out of a person with a standard user-level account on a specific server (once a hacker has a user-level account, escalating to root on that system is usually only a matter of time). Maybe you want free stuff. Who knows. Knowing how to SE is a good thing, however. No matter how secure a system is, there is always the loser who isn't quite all there between the ears and will divulge a password over the phone believing you're a tech. I am sure you'll find that the computers may not have security holes, but the people who run them are the weakest link in the chain.

Part 3: How is SE done?

The first thing you do is gather info. Research. Do they have a web site? Go for it. Look for employee names, extension numbers, and product or service lists. Do NOT jump into the situation blind. Jump into their trash bins, without getting caught trespassing, and look for anything and everything useful. You can even go up to them face-to-face, although this is a method I would not recommend to anyone.

A more detailed way of getting information on your mark is to dial them up on the phone. Sometimes you need to make multiple phone calls to your mark to get through. An SE panel member gave a good example that I will outline in my own paraphrasing, because I don't know the exact words. Call up your mark and ask for a certain department, maybe Information Services if it's a college, or some kind of thing like that. Ask for the manager/leader/head/etc. of that department, and see if you can get a name.
If you can't, hang up and call back later, stating that you need to mail something to the head of the X department and need the name and mailing address. Bingo, you have a name. Later, you can call and say "I need to fax John Smith this quote, could I get his fax number?" and you have even more info. Each call asks for something small and plausible, and each answer becomes the pretext for the next call.

You can call somewhere pretending to be a different branch (the BH people picked on K-mart) that's having some sort of problem, in this case getting the PA system in the store to work. So the hacker calls up a random K-mart, asks for the menswear department, then, once menswear is on the phone, requests a manager. He tells the manager he's from another K-mart he found in the phone book and asks whether the manager has been having trouble with the PA system too. The hacker says he normally dials 50 to get on the PA but that isn't working, and the manager corrects him: "50? I've never heard of that. Try 613." and hangs up. Later he calls back, asks for Shoes, bullshits about sandals for a while, then asks to be transferred to 613. After a couple of seconds, he blares into the phone, deepening his voice, "Attention K-mart shoppers: Everything in aisle 4 is FREE!" and hangs up...

Another very good technique was used in that last scenario. Note that the hacker did not ASK for the extension to the PA system. He told the manager what he thought it was, then let himself be corrected. People who would balk at a direct question will happily fix a wrong answer, because correcting you feels like helping rather than disclosing. This is a tactic that can be used to get passwords easily. Use research to find a mark that is potentially kind of slow, technologically. Don't pick a nerd to SE; pick the technophobe in the bunch, because a good scare will help them give you the info. Tell them that their system had a virus and you just cleaned it, and now you're checking everyone's accounts for traces so it won't happen again. Tell them "according to our records, your password is xxxxxxxx" (insert some stupid password there).
Sure as hell, if he's really as dumb as you thought he was, he'll correct you by telling you what his password REALLY is.

SE is not limited to phone conversation, though. You can use the same technique with e-mail (spoofing, too), and in person, as I was discussing toward the beginning. I'll leave the e-mail up to you, as I have never seen it work without using phone SE too (such as sending an e-mail from , and then calling and saying "Yeah, this is from , I sent you an e-mail the other day..."). You get the picture.

I've only seen live social engineering work once, when some guy went in a company's doors with a huge array of A/V equipment and fake press cards, saying they were putting together a documentary on technology in the Kansas City area for a journalism class as a final project, and wondered if they could include this place. He talked to the big guy in charge there, who was more than happy to have some extra advertisement and gave them a tour of the whole place (or most of it). He taped everything. Things he got on tape were codes to unlock doors (they only had 3 different codes that he saw on about 8 doors), locations of certain rooms containing things of interest, he even got a tour of a big room that people were working in, and was fortunate enough to tape a guy logging on to a computer (although the last 2 letters of the password weren't seen, he knew what side of the keyboard they were on). =]

You can call tech-support lines and SE the techs. In most companies, the technicians are GODS. They are omniscient, and can get you what you want. Be careful, though: they are usually fairly intelligent, too. You can try to get them to divulge specs on products, or maybe they can fax you a few white papers or whatever else they have access to.

Part 4: Extra Tips and Helpful SE Hints

If your mark is a large company (more than 500 people), then find out enough about that company to sound like you are with them.
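Finding out enough about a company to sound like you're with them starts with the research step from Part 3: names, titles, extensions and e-mail addresses off the company's own web site. What follows is an added example of automating that step; it is not part of the original guide and not anyone's real tool. It runs on a constructed staff-directory page for a made-up company (Acme Widgets, domain acme-widgets.example; every name and number on it is invented), pulls out the e-mail addresses, extensions and phone numbers, and then works out the company's e-mail naming convention so you can guess the address of someone who is NOT listed, which is exactly what you need before the "I sent you an e-mail the other day" follow-up call:

```python
# Added example for the research step in Part 3: scrape a company web page for
# names, extensions, phone numbers and e-mail addresses, then infer the e-mail
# naming convention so unlisted people's addresses can be guessed.
# The company, page and people below are constructed for the demo (not real).
import re
from html.parser import HTMLParser

SAMPLE_PAGE = """
<h1>Acme Widgets - Staff Directory</h1>
<table>
<tr><th>Name</th><th>Title</th><th>Ext.</th><th>E-mail</th></tr>
<tr><td>John Smith</td><td>Manager, Information Services</td><td>x613</td>
    <td><a href="mailto:jsmith@acme-widgets.example">jsmith@acme-widgets.example</a></td></tr>
<tr><td>Mary Jones</td><td>Help Desk</td><td>ext. 204</td><td>mjones@acme-widgets.example</td></tr>
<tr><td>Bob Lee</td><td>Shipping</td><td>x 150</td><td>&nbsp;</td></tr>
</table>
<p>Fax: (816) 555-0100 &middot; Main: (816) 555-0199</p>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
EXT_RE = re.compile(r"\b(?:ext\.?|x)\s*(\d{2,5})\b", re.I)  # "x613", "ext. 204", "x 150"
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b")    # North American numbers

# Common corporate address conventions, keyed by a short label.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
}

class _TableRows(HTMLParser):
    """Collect each <tr> as (is_header, [cell text, ...])."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell, self._header = [], None, None, False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row, self._header = [], False
        elif tag in ("td", "th") and self._row is not None:
            self._cell, self._header = [], self._header or tag == "th"

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            # Collapse whitespace (incl. &nbsp;) so an empty cell becomes "".
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append((self._header, self._row))
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

def staff_rows(html):
    """Name / title / extension / e-mail for every non-header table row."""
    parser = _TableRows()
    parser.feed(html)
    out = []
    for is_header, cells in parser.rows:
        if is_header or len(cells) < 4:
            continue
        ext, mail = EXT_RE.search(cells[2]), EMAIL_RE.search(cells[3])
        out.append({"name": cells[0], "title": cells[1],
                    "ext": ext.group(1) if ext else None,
                    "email": mail.group(0) if mail else None})
    return out

def _split_name(name):
    parts = name.lower().split()
    return parts[0], parts[-1]

def infer_address_format(rows):
    """Match each listed address against FORMATS; return the label that fits most rows."""
    votes = {}
    for r in rows:
        if r["email"]:
            local = r["email"].split("@")[0].lower()
            first, last = _split_name(r["name"])
            for label, build in FORMATS.items():
                if build(first, last) == local:
                    votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get) if votes else None

def guess_address(name, fmt, domain):
    first, last = _split_name(name)
    return f"{FORMATS[fmt](first, last)}@{domain}"

def build_profile(html):
    """The cheat sheet to have on the desk before the first call."""
    emails = sorted(set(EMAIL_RE.findall(html)))
    staff = staff_rows(html)
    fmt = infer_address_format(staff)
    domain = emails[0].split("@")[1] if emails else None
    guessed = {r["name"]: guess_address(r["name"], fmt, domain)
               for r in staff if fmt and domain and not r["email"]}
    return {"emails": emails, "extensions": EXT_RE.findall(html),
            "phones": PHONE_RE.findall(html), "staff": staff,
            "address_format": fmt, "guessed": guessed}

if __name__ == "__main__":
    for key, value in build_profile(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it as-is to print the profile. The part the page alone doesn't hand you is the address format: two listed addresses that both match first-initial-plus-last-name are enough to guess Bob Lee's, and a guessed address that bounces tells you the convention is wrong before you burn a phone call on it.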
Most company members will tell co-workers anything they want to know. Remember that humans are creatures of habit. People's habits can be monitored and exploited. Just remember that you, too, are human. Hackers should strive to be an exception to the rule. Do not be a creature of habit, because that is how hackers are caught.

Using an accent is helpful. Make sure you stay in accent. Try Japanese, Scottish, etc. (Note: the most accepted accents in the U.S. are British male and Southern female.) To really throw your mark for a loop, combine SE tactics and SE them more than one way at the same time. Be careful, though. Remember that SE focuses on people as the weak link. This is because, unlike a computer, they respond to other humans and to emotions (i.e. anger, kindness, being rushed, etc.). While you can exploit a secretary's emotions, you can't make a computer sympathize with you.

Part 5: A Few Final Ideas

If you want to find someone's unlisted phone number, find out if they have cable TV or some other service (in a pinch, maybe electricity would work). Call the cable, electric, etc. company and SE them into giving you the number (maybe you are ready to check out their cable and you're an hour and a half ahead of schedule, and wanted to call them to see if earlier service would be okay; whatever floats your boat). This may also work for addresses if you are a serviceman who "lost/forgot" the address... MAYBE.

Part 6: Conclusion

That pretty much sums it up for the HiR Guide to SE. I hope this information helps everyone out. Most of this is just common sense.