Ofer For You (1)

Wednesday, 13 August 2014

Social Engineering Attack

By "Kunal Vohra", Director@H2K










I myself have had a few people in the past ask me questions on social engineering. I always say to
anyone, you need to imagine social engineering as a game. But before i talk about the 'Game', I want to
go into detail about Basic knowledge and self preparation.
Basic knowledge and self preparation:

It's important like most things in life to be fully equipped and prepared to take on a task. I myself would
suggest you have clear outlines of what your trying to achieve, be it to get someone's email
password, exploiting them for money, to get into a online game group/clan etc etc. In this case the email
and password of Facebook account.
First of all, you need to take into consideration of what you will need, for this social engineering tutorial
i'm going to outline this from an obtaining someone's email password perspective. Before i continue, i
would like to stress some important factors you might want to take into consideration:

1) People are more open to you if they perceive you as an idiot.
2) People are less suspicious of you when you make them laugh.
3) People are more trusting if you actually take an interest in them.

I'm going to break these three points down to give you a better understanding of why this is:

In the case of 1 - nearly everyone seems to be more careless when they perceive you as an idiot, the
main reason for that is, you don't consider someone who appears to be an idiot as a threat. Another
reason is that people tend to become more open and arrogant when they feel they are on a higher
pedistel than you (never forget that!). Now there are things you need to remember however, although
these things are true if you overplay your idiot persona it will not be good in your fortune. Always
remember real morons are annoying as hell, you DO NOT want to put off the person your trying to
social engineer(unless your trying to fail, then knock yourself out).

In the case of 2 - when talking to someone it's easy to see why this rule is advised. Often it's a good ice
breaker, also reinforcing the idea that "your a nice guy", it slowly allows the person to build a
relationship of 'trust' with you.

in the case of 3 - also an obvious advisement, if you just pester someone for information without atleast
pretending to take an interest in what they are saying, not only will you come across as rude, it will
make the person wonder why your probing them for person info.

With these three points made, i will now continue with my example of obtaining someone's Facebook
Email and password. Before you go into detail, it's important to outline what you need to successfully
social engineer the password out of someone. Now you could try to Social engineer them for their
password, I advise you be a bit more intelligent and indirectly social engineer them for their password by
obtaining their password recovery knowledge. Now it's important to what you need to successfully hack
their account through recovery questions. You will need the following:

Their email address
Their account password

With this in mind it's imperative you plan how you will obtain these details. I will tell you how i do it. But
first i need you to understand, this whole transaction will not be completed over a course of a day, it can
take days to weeks depending on the person. I suggest you talk to them and read them first. If their open,
then you can do it within days, if their not then it would be better you spread this out over a week or two.
I also want you to imagine what you will say, try to predict their answers and MOST OF ALL, think of a
scapegoat on why your probing them for these answers, just in case your less than suttle and arouse
suspicion, if they ever suspect you it will go from a flame to a fire it's important to stamp all of their doubt
in you as soon as possible.
Now there are many ways you can obtain their password and addressee. Some people and post their
address on their profiles. In which case this is easy pickings, however that is rare. So you need to devise a
way of obtaining that info. Now you can pretend that you are from bank or something like this and ask for
their email address. Or you can pretend that you are some student an doing some research. Be creative

Now i need the answer to their security question, now you need to find out what the question is, i suggest
pretend to recover password to see what it is or get the info for all of the recovery questions email asks.
Im going to go with the first option and say for example their recovery question was : What is your dogs
name?.

How I would go about obtaining this would be to pretend to have a pet of my own, i would start off the
convo like so:

Kunal: Ffs my dog wont stop barking, seriously where did i leave my ducktape lol!
victim: lol yeah i know sometimes my dog's the same, annoying -.-
Kunal: Oh you have a dog? i didn't realize whats your dogs name, if you don't mind me asking.

It is important to add "if you don't mind me asking", because it gives the person a bit of power over you
and also show's a little respect (once again reinforcing the notion your a nice fellow).

POINT: I wouldn't dive straight into "whats your dogs name" start with the breed first and remember try

to predict what they will inturn ask (mines blah blah whats yours?).
With that in mind, I'm sure by now you can see how easy it is, to social engineer someone's password
through the indirect method of password recovery. Now obviously most recovery questions wont be about
pets mostly they're "mothers maiden name" "place of birth" etc. But use the same logic and work around
it, remember think every detail through and ask yourself this if someone gave you this story or asked you
in a certain way would it seem legit to you?
and when you have the email address, click on Facebook, I forgot password and will be sent on your
email.

The Game:

The game is basically, perfecting "self preparation". Social engineering is a game,. If you think about it in
this way: each time trust is given to you, you advance a level, which each level you advance, your ability
of obtaining information from this person becomes easier. In a sense mastering the ability to come up
with more ingenious ways of manipulating someone, without arousing suspicion, is what separates the
lucky noobs from the elites.
When thinking about this as a game, you need to reflect on your goals. As I've mentioned before try to
imagine the dialogue between you both, think about how you will obtain certain things and more
importantly have clear directives. With this in mind i think we can now talk about how you might want to
consider presenting yourself (only applies if the person is indeed a stranger).

So if you were going to go after a complete stranger, you should first try and get as much research on
them as you can. For example, age, name. This is important for making up for fake identity. I would also
suggest if you social engineer more than one person you write down, in detail! your differn't alias so you
don't get confused. Nothing would be worse than using the wrong alias on the wrong person.

When building your identity decide on what would give you the biggest advantage with this person. This
can be from faking your age to match the interests of this person, thus giving you the advantage of being
able to "click" with the person. Pretending to be a student or in a dead end job for sympathy manipulation
or in the case of a dead end job, pretending to relate to the slave. There are many things you can do, as
I've mentioned it depends on the circumstances you need.







Still Having Problem..!!! Connect with Admin 
 Kunal Vohra
Download Our Official Android App & Get Free Internet
"The Hackers Street"

For Daily Updates 

No comments:

Post a Comment