The complete guide to social engineering and it's uses in
hacking the system...
Section 1. hat this guide is and what it is not.
This guide is meant to be a glimpse into what can be a hackers best tool. This is meant to be a guide as to ways of breaking into a computer system, NOT as a way of harassment. You should never do anything illegal, but if you choose to, be my guest...
Section 2. What is social engineering and why would I need it?
People are stupid. They will believe almost anything with enough proof. (falsified or otherwise) The general goal of social engineering (in this case) is to compromise a computer's security by taking advantage of the weakest link: Humans.
Social engineering is usually done over the phone or sometimes in person. (people will never believe an e-mail, but a human voice will do wonders) Social engineering is most often used when a hacker wants to gain access to a certain network or computer system after exhausting all of his resources.
Before we get into social engineering too far, let us go over the rules that will make you the best engineer you can be.
1. Have confidence. If you are nervous and stutter while you are trying to be an executive, you will be embarrassed and laughed at.
2. When calling up a sysop or a computer technician, act like a woman. (If you are 13 or under, you can get away with this one easily) Most computer "nerds" are social misfits and will do anything for a nice-sounding woman on the phone. If you flatter the guy by saying something like "I've seen you around campus a few times and I think you are cute." you will have passwords thrown at you faster than you can write.
3. Act the part. If you are going to a place in person, look nice. You won't get into Nation's Bank wearing your Slayer t-shirt and long hair. Wear a suit, or at least look preppy. Comb your hair and pull it back if it is long.
4. Act like you own the place. People cower in the presence of confidence, but don't act cocky. Be polite.
Section 3. What do I need?
Quick thinking. If you are slow-witted don't even try. You also need to be a great liar and have a good memory. (to remember your past lies, of course)
A good arsenal of fake ID making equipment. When you go on a tour of a company you plan to hack, take a long hard look at the ID cards. (this is also where good memory comes in handy)
If you plan on doing anything from your phone, you need the following:
A good non-cordless phone. (unless you are two feet away and never get static)
A voice changer. These are available from almost any mail order catalogue that specializes in useless, expensive toys. (The Sharper Image, etc.)
Section 4. Social engineering over the phone.
This is probably the easiest method of social engineering. If it doesn't work right, you just hang up and you are done.
First of all, you need a "mark". (in most circles, this refers to the poor sap you are going to imitate) You want to find out ALL the info you can about this person. The best way is to call up the person as a telemarketer and tell them they have won something, and that "you need a social security number, and a mother's maiden name". You should also ask for something simple like an address or something. It really looks suspicious otherwise. You should also listen carefully to how the person speaks. High-pitched or deep? Anything strange about the voice, like a lisp? You will need these things.
Now comes the hard part. Call up the sysop office or technical support and tell them that you lost your password while acting like the mark. They will ask you for your login and will also ask for some kind of verification like a social security number or your mother's maiden name. (misuse of a SS# is ILLEGAL and I DO NOT condone this kind of activity)
Hopefully everything ran smoothly and you got what you wanted. If not, just hang up and hope they don't have caller ID.
Section 5. In person. Tours, visitors, and other live fun.
This is much more difficult that social engineering over the phone, but still the best way to get anything you want. Remember, people will believe almost anyone in person.
There are two good ways of getting into an office and looking around. The first is tours. If the office offers tours, take it and "get lost". You can wander around looking confident until someone asks you what you are doing there. You then tell them that you got lost while on the tour. Pretty easy.
The other way of getting into an office building is a little more difficult. You have to act like you belong there. If you are under 21 or so, pretend you are a worker's kid. If you are challenged while poking around, have the name of some worker in another department to blurt out.
If you are over 21, you have to act like you work there. Walk in and act like you own the place. Get impatient and snippy when challenged and say you "Have an important meeting. Fake IDs also come in handy here. (see Chapter 4)
Once you are in and alone (somewhat) you can begin doing what you came to do. Find the mainframe computer and look at how it is connected. Look and see what kind of OS they are running. See if it is connected to a dial-in or to the Internet. The sysop is probably going to be here. If he is sitting around and you feel lucky, act REALLY interested in how good of a job he has done with the security, etc. Flatter the guy by saying "I'll bet this computer could never be hacked into. You do too good of a job." He will tell you everything you need to know.
Section 6. Outro and other loose ends.
These are not the only ways of social engineering. You can use U.S. mail, e-mail, and online chats to manipulate people. I only want to provide a few simple rules and techniques to get you started in the world social engineering. Don't be afraid to take risks. Otherwise, you will just be another wannabe without any guts.
Do what you will once you are in...That is when my job ends and yours begins.
