Post by modeski on Dec 11, 2004 17:46:54 GMT
... "people hacking".
The telesales thread reminded me of a post I did on defensivethinking.com (forums don't exist anymore) on social engineering, and I'm going to resurrect it here. I could say it's an attempt to redress the political:social thread balance, but that's only partly it. I also want to brag about how I successfully socially engineered my way into the south wing offices of terminal 4 in Heathrow.
First though, what is social engineering? Basically it's the art and science of getting people to comply with your wishes.
It's not mind control, and nor is it hypnotism, it's simply using powers of persuasion, confidence and chutzpah. So onto Heathrow.
I ordered a ticket from the travel agents too late for them to send it to my house, so instead they faxed me instructions to pick it up at the airport. Not at the ticket desk, bizarrely enough, but at "room 2500, south wing offices, terminal 4". Okey doke.
So I go to the elevator lobby for the south offices. The doors are locked with a keypad entry system to the left hand side. There's also a tantalising red "release" button just on the other side of the glass. Looking up, I see a delivery guy loading chairs into the lift. Giving him my best "forgot me key, guv" look, I point to the release key on his side of the door. Only too happy to oblige, Bob the delivery man let me through.
2 minutes later I was on the second floor, at an empty reception area, with another keypad-entry door. As luck would have it, someone came out of that very door, and I made for the opening. With barely a glance, she held it open for me. After all, it's only polite - you don't want to let a door swing and hit a complete stranger in the face now, do you? So I wander through some corridors and past some sort of map room. Looked a bit like a Nazi war strategy room bizarrely enough. Some guy in a foreboding suit looked up at me and I gave him a friendly nod and "morning" as I walked past. He dittoed. Hah.
So yet more wandering leads me to a third door, with two people standing talking in front of it. Though not quite *entirely* in front - the door is still being propped open by the guy's foot, maybe he's about to go back in and can't be bothered reentering the code. This time I'm not so sure I'll get through. Door guy asks me where I'm going, I reply "oh just going to see about a customer's ticket issue with Malaysian Airlines". Obviously if I know what office I'm going to I must be legit, right?
So I get to the office and after a bit of sweet talking as to how I got there, it turns out they sent me the wrong bit of paper. I *was* supposed to wait at the ticket desk. I assured her I knew my way out. I also managed to jump the queue and get checked in at first class (no upgrade sadly). That's just an example of what you can do with social engineering.
The main thrust of this thread (and it'll be in a couple of parts prolly) is how to use sales techniques, such as those used by telemarketers, over the phone, in social engineering. After all, that's what sales is. This information is, of course, only for educational purposes and anything you do with it is nothing to do with me!
Without wanting to get into convoluted scenarios, I'll use a simple example of trying to get one piece of information from a receptionist, or security guard (call him Bob), manning the phone at a large company. Let's say it's the boss's mobile number. The caller, who we'll call Ted, will pose as a representative from another company who wants to phone the boss after hours to confirm meeting times the next morning. This is not a work of prose, so I'll be sticking to the simplest of names and places. Please excuse any switching between tenses, I'm tired and it's the internet!
This is how the call should go:
1. The Introduction.
Obvious place to start, the introduction should consist of two parts, (1) Who you are, and (2) What you want. You should be fairly specific, but don't dive right in saying "I want Joe Blogg's phone number" (Joe Blogg being the boss). Bob will answer the phone, introduce himself and ask how he can help. This is when you come in and do likewise, in the same professional manner.
It is important to sound confident, sure of yourself and completely at ease with making this sort of request. Easily intimidated employees will automatically act a certain way for someone they perceive to be important, intelligent etc. For example:
> Bob: Hi, you've reached Bob at Brickwall Corporate Offices, how can I help you?
> Ted: Hi Bob, this is Ted Smith from Massivcorp in New York, I'm calling to confirm some details with Mr Boss.
> Bob: I'm sorry Mr. Smith but Mr. Boss is out of the office right now, may I ask who you are and why exactly you need to speak to him?
Now this is where part 2 of the call comes in. Bob wants to confirm who you are, as per his training, but he may not take a lot of convincing. If you can reply and make that reply sound like the sort of thing that should clear up any doubt, it often will. If Bob hears how you are utterly genuine then he'll think "well, must be true". Hesitate though and any headway you've made will crash right back down again. So, part 2:
2. The Hook
A term familiar to many I'm sure, used in sales to grab the customer's attention, the hook can also be used to keep Bob on the line and eager to please. The important thing to remember is you must Believe the Hook. Shall we return to Bob and Ted?
> Ted: Yes, as I said my name is Ted Smith, and I'm having a meeting with Mr. Boss in the morning. We were scheduled for a breakfast meeting but have not settled a time as yet. I'd like his mobile phone number please, as it will not be possible to reschedule.
> Bob: Well okay then sir, let me just see if I can find it.
Of course this may not go quite as smoothly were it to be tried in real life. If Bob is not convinced by the Hook on its own, then you can always apply a number of different elements in order to convince him. From a social engineering point of view, if possible you could try to arrange a meeting with said Mr. Boss at a point in the future for example. It'd take a lot of guts, and particularly if you were trying to meet the head of any significant company, it'd be completely simple to find out you were not a genuine company. It could be applied to smaller businesses more readily, particularly those who do not spend millions on training all their worldwide staff on handling calls, security risks etc.
Now, if the hook didn't actually convince Bob entirely, Ted may still have made some headway. Bob will be thinking about the consequences if you are a genuine caller and the company might lose money somehow as a result of your overzealousness. On the other hand Bob might suspect Ted of being a prankster or someone who's generally up to mischief, and will be wary of risking his job. After hours, the only people working the phones tend to be low-level employees, perhaps contracted out from agencies that again may not train their staff in the same way as multinationals might. Bob still needs more convincing, so what Ted needs to do is make Bob give him the phone number, while making Bob think it was his own idea. This can be achieved using a technique called "Trial Closes" - part 3 of the call structure.