First Impressions and the Social Engineer


Having knowledge of the company is not always enough, however, to make a good impression on your target person. This applies to social engineering both over the phone and in person.

If you are using the telephone, make sure you have a quality connection. Avoid nuisances like static or call waiting. Get rid of distractions around you because they can throw off your rhythm. If the employees of a company know you already, perhaps from previous penetration tests, you might need a voice changer to alter your voice on the phone.

If you are going in person and impersonating a profession such as a janitor or repair person, you might need a uniform. Most common uniforms are available at your local costume shop. If not, you might need to hire a costume designer at a local theatre company to make a uniform for you.

People are more willing to offer help to a person of the opposite sex. Make sure you employ both men and women on your penetration testing team for this reason. Also, attractive, tall people tend to make a better impression. Someone with a sales background is a definite advantage.

If you wear glasses, do not get antiglare shielding. Most offices are heavily lighted and cause reflections on glasses, making it hard for people to see your eyes. That allows you to make quick glances around without being noticed. Do not wear sunglasses or tinted glasses, because these look suspicious.

Often, a social engineer makes many trips into a building before trying to gain access to the corporate network. Some companies even allow people to take tours of their facilities, providing free access for social engineers to investigate the layout of the building. While in the building, social engineers walk around and find the exits, the server room, and the location of important personnel. Many times you can see what is in a server room, and in some countries it is required to have a window into the room for fire regulation purposes. Walk past the server room to see the type of equipment the company has, which can be useful later when you are looking up exploits.

Most importantly, have confidence. Even if you get lost in a building, do not look lost. Look around out of the corner of your eye and do not turn your head too much, so as not to cause suspicion. This is the same technique used by professional shoplifters. Most shoplifters get caught because they look suspicious. The best always appear confident and watch for security staff out of the corner of their eye rather than turn their head and draw attention to themselves. Act confident, and people will not question who you are or why you are in their building.


Tech Support Impersonation

Now that you know what it takes to be a social engineer, you can examine different examples of impersonations used to gain access into data networks. These are not the only types of impersonations; the most successful social engineers are those who can come up with new, creative ways to persuade others into giving them information.

The first, and most common, form of social engineering is tech support impersonation. Here, you impersonate a help desk technician who is seeking to gain information, such as a password, from an unsuspecting user.

PenTester: Hi. This is Joel in technical support. Are you noticing a slowdown in your system?

VictimUser: Well, it does not seem too slow.

PenTester: Hmmm... We are showing significant network degradation. Okay, let me log on and test your PC. Your username is vuser, right?

VictimUser: Yes!

Usually the username is the same as the e-mail address. So, if the e-mail address is vuser@somecompany.com, it is likely that the account on the corporate network is vuser. You can gather e-mail addresses off of most company websites:

PenTester: Great! Let me look up your password. Hmmm... Our system is really slow... What is your password?

VictimUser: It is SimplePassword.

PenTester: Okay, I am in. It does not seem too bad. It must not be affecting users on your floor. Strange. Well, I should check the other floors. Thanks for your time.

VictimUser: Glad to help!

This example shows a simple tech support impersonation tactic. In a real-world scenario, you should ask the user more questions so as to build trust with him. Incorporate humor while sounding knowledgeable about the internal network of the company.

Some of the most overlooked and unprotected areas of a corporate network are in the home of a telecommuter. As a penetration tester, you should test these remote users. Often, they are more susceptible to social engineering tactics because they are away from the office where they might receive security awareness training and notices. They are also used to receiving phone calls from the help desk staff to walk them through scenarios.

The hardest part about this kind of testing, however, is getting the phone numbers of those who are telecommuters. You could circumvent this problem by pretending to be an executive needing the names of employees who work from home. This in itself does not seem like a serious breach of confidentiality, so most departments give away this information without much thought, especially if they believe they are being asked to do so by an executive manager. From there, you can use the phone book to look up names and phone numbers.
