User Tools

Site Tools

diy:social-engineering

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
diy:social-engineering [2024/05/19 21:47] – created - external edit 127.0.0.1diy:social-engineering [2024/09/20 04:23] (current) – [Psyops Techniques] Humphrey Boa-Gart
Line 1: Line 1:
-{{wst>iw-import}}+{{wst>iw-cleanup}}
  
 ====== Social Engineering ====== ====== Social Engineering ======
  
 +Social engineering as defined by wikipedia is, “the art of manipulating people into performing actions or divulging confidential information.” In a nutshell social engineering can be equated to “people hacking.” Where as hackers find flaws in computer systems, networks, and programs and exploit those flaws in an attempt to gain access to restricted files, information, or otherwise confidential information, social engineers find flaws in the human psyche and exploit those flaws for many of the same reasons a “typical” hacker would.
  
-{{tag>Tutorials Stubs}}+===== Tools Of The Trade ===== 
 + 
 +When it comes to social engineering there are typically only a handful of “tools” at the disposal of the social engineer. Among these tools are a basic understanding of human nature, cognitive biases, and psychological fallacies. The following lists name, and explain, many of the common cognitive biases. While it is not important to commit each and every one of them to memory, it is important to learn which of the following you typically observe in everyday life and commit them to memory as you'll notice that they will turn up more and more as you continue your social engineering career. 
 + 
 +[[wp>List of cognitive biases]] 
 + 
 +==== Techniques ==== 
 + 
 +  * Be Polite: I cannot tell you how many people hung up on me when I first started social engineering because I acted like an asshole. Act like you own the place but be polite at the same time. Saying, “I would like to speak with your manager” and “BITCH GET ME YOUR FUCKING MANAGER” both mean the same thing at their core but which one would you personally like to respond to? 
 +  * Be Knowledgeable: Different professions and companies have different technical jargon. If you can learn this jargon through means of the internet, go for it. If not, try calling a few times and asking tech specific questions which may unlock little nuggets of wisdom for you. Maybe they call a motherboard a MoBo (this is a poor example but whatever), make note of these words. 
 +  * Be Firm: People naturally want to help people but that doesn't mean you make yourself a wet noodle. 
 +  * Being passive-aggressive while asking for help makes people actually want to help you more. If you ever saw the movie Hackers you can remember the scene when Zero Cool/Crash Override/Dade Murphy called up the television company and told the guard that if he didn't get the work done the corporate big heads would have him commit huri kuri. By asking for help while still “pushing” the guard to help him, Dade Murphy was able to hack into the television network. 
 +  * Learn Basic Psychology: I've put up a list of certain things people take to be true even though they shouldn't but you shouldn't stop there. Learn the kinds of people that someone is more likely to help, to avoid, to hate. Knowing these things will help you become any type of person you want. If you think one of the CEO's is an asshole and you try to impersonate them but act nice, your cover is blown. 
 + 
 +==== Psychology basics ==== 
 + 
 +  * if you need to lie (which you shouldn't because we seem to be 'in the clear') make sure your lies are around 90% truth and only 10% lie. This makes it much harder to disprove, and if the subject decides to research on their own, they will find the truth then see your argument as creditable. If they find anything disproving, also this adds reasoning that the person, merely miscommunicated rather then lie directly to the target. 
 +  * People generally will generally convince themselves when it comes to falshoods, the best thing to do is provide the groundwork and let their minds work against them. (someonewhat stated above) 
 +  * Details are the absolute most important thing there is. Several small things are infinitely more likely to pass you off as a true member of the community than a huge red fucking banner on your myspace proclaiming 'I HEART YIFF' or whatever applies. Once again, people generally convince themselves far more effectively than anyone else ever could. All you have to do is lay the path and put the rose petals down. 
 +  * At the same time, too much detail is a bad thing. If a new user demonstrates encyclopaedic knowledge of the target community, people will become suspicious. 
 +  * If you need a guide on how to troll through arguments, and need more help on the argument itself, see [[tactics:forum trolling]]. 
 +  * Learn the Rules of Inference, such a Modus Tollens. Learning basic propositional logic teaches how to dissect and build arguments mechanically. Eg: If A and B are true, then C must be true (each person CHOOSES what A and B are, so even if D is false, by only exposing A and B, the argument is true to the uninformed) 
 + 
 +==== Psyops Techniques ==== 
 + 
 +  * [[wp>Disinformation]] (False sources) 
 +  * [[wp>Scapegoating]] (blame it on someone else) 
 +  * [[wp>Proof by assertion]] (they love dis) 
 +  * [[wp>Appeal to emotion]] (basic foundations for psyops) 
 +  * [[wp>Straw man]] (Misrepresenting a position) 
 +  * [[wp>Glittering generality]] (Pick your wordz wisely) 
 + 
 +Also familiarize yourself with these methods and their consequences: 
 + 
 +  * [[wp>Black propaganda]] 
 +  * [[wp>Grey propaganda]] 
 +  * [[wp>White propaganda]] (Do it for the lulz) 
 + 
 +These are much longer and more difficult to understand. So make sure you re-read and master. 
 + 
 +  * [[wp>Ad hominem]] (basic way they use to attack) 
 +  * [[wp>False dilemma]] (limiting your choices) 
 +  * [[hazards:red-herring|Red Herring]] (going off topic) 
 +  * [[wp>Half-truth]] 
 +  * [[wp>Reductio ad Hitlerum]] 
 + 
 +===== Exercises ===== 
 + 
 +The following exercises make use of a phone or an internet connection, although if you are reading this now, chances are you have an internet connection. When mentioning exercises in the context of this write-up, I will call them “hacks” because essentially you are simply hacking the mind. 
 + 
 +==== Exercise 1: The “AOL” Hack ==== 
 + 
 +This hack is an all time favorite of mine although I'm pretty biased with this opinion since it was the first hack I ever did. Essentially you call up AOL (or any company for that matter) Customer Service, tell them about a fictional problem you have, and try to keep them on the line fixing your “problem” as long as possible. For this hack make sure to have thought of your “problem” before calling AOL, this will build the foundation for the AOL 2.0 hack which you will read about later. For this hack you don't need to write down the names of any employees you come across just try to stay talking to someone (or on hold) for as long as possible. Below is an example conversation I had with AOL one day. 
 + 
 +**AOL:** Hello this is AOL customer service, Michelle speaking, how can I help you?\\ 
 +**Sintakz:** Yes hello, this is George(fictional name) and I seem to be having problems browsing the interwide web (trying to sound pretty technologically challanged).\\ 
 +**A:** You mean the Internet?\\ 
 +**S:** Yes that thing.\\ 
 +**A:** Please wait while we transfer you to our internet troubleshooting department George.\\ 
 +**S:** Alright.\\ 
 +//[Note: So far I know that in the most bottom of the AOL hierarchy is Michelle who answers the phone and redirects people to whichever department would better help the caller. Also I played the “stupid” guy because that way I can say stupid things and have the rep spend more and more time on the line with me.]//\\ 
 +**//-some time later-//**\\ 
 +**A:** Hello, this is Gary\\ 
 +**S:** Hello Gary, my name is George and I seem to be having problems browsing the interwide web.\\ 
 +**A:** Interwide web? You mean the Internet?\\ 
 +**S:** Yeah, that thing.\\ 
 +**A:** Well what is the problem you seem to be having?\\ 
 +//[Note: I had told myself to do something outrageous this time around]//\\ 
 +**S:** Well no matter which website I type into the little box thingy(url bar) I always get sent to a bestiality site.\\ 
 +**A:** What do you mean by bestiality?\\ 
 +**S:** Like young women having sex with farm animals and dogs.\\ 
 +**A:** Oh my... sir I don't think I've ever encountered a problem like this, let me transfer you to the senior rep for our department.\\ 
 + 
 +Ok, I'll stop the example there. So far I've gotten two names from the company and had been on the line a total of 15 minutes, not too shabby. Notice one thing though, because I acted stupid I got a stupid rep. Had I told Michelle, “My client seems to be unable to resolve DNS's correctly and keeps redirecting me to bestiality sites.” I'd still get Gary because Michelle doesn't know any better. Once I got to Gary, if I told him, “I'm having DNS resolution problems” I would have still gotten to the “senior rep” BUT I would have one less lie to remember. This is because I have still not explicitly stated my problem and if I were doing this without a script written beforehand, it would give me less time to think of a lie. By playing stupid I had a lot more time to think of a lie. That bring us to our next exercise. 
 + 
 +==== Exercise 2: The “AOL 2.0” Hack ==== 
 + 
 +This hack is exactly like the last except that you call without a prepared problem or script already at hand. Once the first person picks up you have to either think of a problem on the spot or work your way up the ladder while thinking of your problem. With this exercise make sure to write down the names of people you encounter and “where” in the company they stand. The example text from Exercise 1 would do here as well. 
 + 
 +==== Exercise 3: The “Family Member” Hack ==== 
 + 
 +This is always a fun hack. Take that list of names from Exercise 2 and pick one of the higher ups. Call up AOL Customer Support and tell the first person who answers that you are the brother/sister/dad/mom/cousin/gay lover/girlfriend/boyfriend whatever of {Insert Name Here} in the {Insert Name Of Department Here} department. Hopefully the person who answered will transfer you. Here is where the fun comes, once your significant other in whatever department answers act as if you reached them through the normal means of “Please hold while we transfer you,” and act as if you have a problem (think about it ON THE SPOT) and see how long you can keep them on the line. The following hacks can be done essentially anywhere. 
 + 
 +==== Exercise 4: The “Lost Contact” Hack ==== 
 + 
 +This one came to me one day while watching a woman search frantically for her contact lens. The premise is simply, play the lost, confused, sad person who just wants to find their contact lens and try to enlist people to help you. See how many people and/or how long you can get the people to help you look for your lost contact lens before you sigh and proclaim, “I'm sorry for wasting your time, we can't find it and I guess I'll just have to go back and buy a new pair.” This exercise can be done with any easily misplaced item in any area at all. Losing your shopping bag in the food court at the mall, forgetting your cellphone in a coffee shop, losing your mind, etc. 
 + 
 +==== Exercise 5: The “Friendship” Hack ==== 
 + 
 +I've only done this a handful of times but it was fun to do none the less. Go to a moderately crowded area and at random choose a person (or group if you are up for the challenge) and try to establish a conversation with them. Here is the fun part, you have to make yourself seem as good a potential friend as possible. This tests all the random things you pick up everyday and all the research you should be doing on different types of people. Say you unknowingly pick a metal-head. Would you be able to hold your own while talking about favorite bands or about old school metal and Nu Metal? This hack will teach you to learn a little about everything as possible so that you can become any person at a moments notice. Of all the hacks, this is the most valuable hack to master which is why it is the last one you should attempt. 
 + 
 +===== Conclusion ===== 
 + 
 +This is a beginners introduction to social engineering, and as such, things have been left out. After “wetting” your feet with these techniques and hacks you can create your own exercises and develop your own style of “people hacking”. This is in no way the only way to social engineer but I believe it is the best way to teach the basics although others may disagree. Knowing how to Social Engineer helps to teach you how not to fall for social engineering attempts. In the case of Dade Murphy and the Television Network security guard, there should have been some rule stating that certain information not be disclosed which would have put a big boulder in the path of Dade Murphy hacking the network. Now that you know the basics, it is time to delve deeper into the practice and learn as much as you can. See ya in space, cowboy. 
 + 
 +===== External Links & PDF Mirror ===== 
 + 
 +[[http://tinyurl.com/28uwmdr|Kevin Mitnick Art of Deception]] <-- has examples and techniques. Update: Re-uploaded via Google Docs. 
 + 
 +[[http://www.google.com/search?q=The+Art+Of+Deception+filetype%3Apdf|Google it]] <-- Search for the PDF. You'll find it. 
 + 
 +{{tag>Tutorials}}
diy/social-engineering.1716155256.txt.gz · Last modified: 2024/08/06 05:53 (external edit)

Find this page online at: https://bestpoint.institute/diy/social-engineering