How do you?

by **Ninfa** on Tue Feb 24, 2009 7:26 am ([msg=18532]see Re: How do you?[/msg])

SE is an art. To manipulate people for your purposes. It doesn't even have to involve a user/password, you might just want that person or group of people to do a certain task and you find a way to manipulate it to such. It can go from pre-teen scamming to FBI evading, it's an art not to be underestimated. Pretty much the most successful one, it is much easier to manipulate the system by understanding the people involving it than to "hack" into it.

It is like any other type of "hacking", and logicaly, there is no concrete answer to the question "How do you do it?".
But if your intentions are to get examples, search SEing on google, you'll find plenty of world famous examples.

http://www.419eater.com/html/letters.htm
Has some amusing examples of social engineering.

Social Engineering is really just hacking of the mind, I don't see how it's really illegal if somebody is slow enough to fall for it.
SE can be used for far more things than User/Passwords, such as gaining money, (you can call it stealing, but when a clerk actually willingly hands you the money herself because she's easily flattered or such, you'd think otherwise). There are many ways how it's done, overloading the victim's mind, flirtation, or establishing a false sense of trust, but basically it's about being smarter than the other person and knowing what they're weak against (like the hot clerk and how she's easily distracted by flirtation :roll:

).

kiddietron wrote:http://www.crunchgear.com/2009/02/20/booting-services-add-to-the-fun-of-xbox-live/

Some of it can be just stupid.

"There are two popular methods, one involving hosting a game and watching incoming traffic and another basically asking the victim “YO WUT IZ UR IP ADDY?” Both seem to work quite well when dealing with pre-teens."

You certenly don't know what the term social engineering means... Most of the time people are being kind with the people and they don't steal anything from them. For example if you want to open a PO box without using your real identity you just need to be nice and have some skills and they will let you open a PO Box with only ID from a schools that you previously made with other social engineering.

In my opinion social engineering helps me climb higher mountains as a hacker.

My (personal) take on SE in a nut shell. "Using people to get/do what you want." Oh, I LOLed at "I know it's illegal"

Let's hypothetically say you're in a situation where you need to gain access to an organization or groups computer systems (NB: Where I'm going here could be highly illegal - do not do this unless you have permission from the "system" owner). You are in contact with a certain member of this group who is more or less morally corrupted, or you know enough about this person to push some hot buttons to get them to install things on the network/computers such as remote access and/or keylogging programs. That's the basics. Reading between the lines however through a computer screen can be quite difficult when trying to predict and manipulate for an exploit. That's just the basics however.

TheMindRapist wrote:http://www.419eater.com/html/letters.htm
Has some amusing examples of social engineering.

Very good example, and yes very hilarious. However, lets take this as an example a bit further, hypothetically, using the social engineer's fight against online fraud. You are one of these anti-scammers looking to collect intel, and come across a country rank with internet scammers. You begin emailing one of the country's many scammers (we'll call him Mr. A for now) as another scammer after studying this country's traditions, culture, language/regional dialect characteristics, and even perhaps doing enough research on Mr. A (due to a little to much personal information he may have leaked out) to better understand your mark. After a while you've convinced Mr. A that you are a fellow fraudster in a neighboring country and that you are rolling in the cash and willing to enter in a lucrative business partnership with him. Your mark has just seen the dollar signs flash before his eyes, and him being a thief you should have very little moral qualms out of him. So while he is inundated in this stupor you tell him that he should install keyloggers and remote access programs on public computers scammers are using at libraries or internet cafes when they aren't looking... or perhaps install them on fellow scammers personal computers when they aren't in the room... so you can gain the account and/or money transfer information from other scammers. It shouldn't matter right? A thief is a thief. Once Mr. A has done this, you swoop in with the remote access, change some firewall and anti-virus settings just incase the programs you installed may have set them off... and begin collecting intel for the anti-fraud fight. Again, illegal but a way SE could be used in a real world application.

Very close to phishing in my opinion as far as trying to get the person to trust you. It's more in depth though because you have to make contact and maintain your credibility while trying to understand your mark through a computer screen.

Edit to add: One interesting thing on social engineering with respect to intelligence would no doubt be the stasi when you had east and west Germany. They had at one point, what was estimated by some of the highest intelligence agencies world wide, some of the best field intel operations when it came to monitoring their own civilian population. How did they do this? They managed to convince one person per 166 citizens to be an agent to inform on their own population, and even perfected some of the art of bugging and other means of technical surveillance. They also worked out the means of "breaking the spirit" (psychological warfare) towards the end of their regime as it proved effective as a means to getting information or even getting rid of a "threat to society" through bad publicity (not something you want on the block). To this day they are still feared by many who remember the wall. Information, and psychological manipulation was how they played their game. It's much the same today, we just happen to be more in tune with advances in publicly available technology. Whether it be cracking a bit of code out to get the information or convincing the target population in question to aid at your beck and call, it's all a means of getting a job done.

godofcereal wrote:Ok i know social engineering is illegal but out of curiosity how do you do it? How do you find people that are stupid enough to give you their password? Where do you start?
And remember this. Its just out of curiosity.

Social engineering in and of itself is not illegal. All it is, in its simplest form, is manipulation of truth.

You want to get into a building, but it requires a card. You do not have a card, so you resort to social engineering. You get a moving box and wait until someone is about to head into the building. You follow behind them and groan under the "weight" of the box (which should be empty, but they do not know that). Most people will hold the door open for you, and maybe even smile! You're in.

That's a classic example. Social engineering could also be viewed as hacking people's minds. If you are interested, I would suggest you start with people watching. I know it sounds creepy, but in order to learn about people, you have to watch them. Find out what people do in certain situations. Someone drops a piece of paper, and someone else picks it up. It sounds basic, but it means a lot when you look at it. People are basically good, use that to your advantage.

The first step is in getting comfortable with lying. Have fun!

Ninfa wrote:SE is an art. To manipulate people for your purposes. It doesn't even have to involve a user/password, you might just want that person or group of people to do a certain task and you find a way to manipulate it to such. It can go from pre-teen scamming to FBI evading, it's an art not to be underestimated. Pretty much the most successful one, it is much easier to manipulate the system by understanding the people involving it than to "hack" into it.

It is like any other type of "hacking", and logicaly, there is no concrete answer to the question "How do you do it?".
But if your intentions are to get examples, search SEing on google, you'll find plenty of world famous examples.

Well said...manipulating people for your purposes.
You can get all kinds of information from people just by saying/doing the right things. You can do it on irc as well....there are no limits 8-)

What I like to do is practice my SE skills by trying to get access to things I am allowed access, without the right authorisation. For example, I recently withdrew £200 from my bank account using a utility bill and my card, after the woman had told me that wasn't enough ID. Next step could be to make a fake utility bill, perhaps.
I also tried to social engineer my way into a disused oil refinery, to take a look around. Didn't work though

automatica wrote:You are one of these anti-scammers looking to collect intel, and come across a country rank with internet scammers. You begin emailing one of the country's many scammers (we'll call him Mr. A for now) as another scammer after studying this country's traditions, culture, language/regional dialect characteristics, and even perhaps doing enough research on Mr. A (due to a little to much personal information he may have leaked out) to better understand your mark. After a while you've convinced Mr. A that you are a fellow fraudster in a neighboring country and that you are rolling in the cash and willing to enter in a lucrative business partnership with him. Your mark has just seen the dollar signs flash before his eyes, and him being a thief you should have very little moral qualms out of him. So while he is inundated in this stupor you tell him that he should install keyloggers and remote access programs on public computers scammers are using at libraries or internet cafes when they aren't looking... or perhaps install them on fellow scammers personal computers when they aren't in the room... so you can gain the account and/or money transfer information from other scammers. It shouldn't matter right? A thief is a thief. Once Mr. A has done this, you swoop in with the remote access, change some firewall and anti-virus settings just incase the programs you installed may have set them off... and begin collecting intel for the anti-fraud fight. Again, illegal but a way SE could be used in a real world application.

We've done this many times, although not with the Keylogger/RA twist over at http://419eater.com . Personally, I wouldn't mind using them, but as there is a small risk of getting something like that traced back to me, I most likely won't. Just because there is a risk. Instead, what I would recommend, is that you use social engineering to get them to give you access to their e-mail account, and from there send a warning to every victim in their list. That way you are doing a whole lot of good without breaking the law.