What It Takes to Be a Social Engineer

To be successful at social engineering, you need the following four qualities:

• Patience

• Confidence

• Trust

• Inside knowledge

The sections that follow describe each of these four traits in greater detail.

Using Patience for Social Engineering

Patience is by far the most important trait to have as a social engineer. Many fail because they ask for information before they build up trust with someone. An effective social engineer might make several phone calls to the same person before asking for information such as passwords. You should always begin the conversation with nonrelevant information. For example, compare the following two conversations. In the first example, the penetration tester asks too quickly for information.

PenTester: Hi. This is Valerie from the help desk.

VictimUser: Hi. How can I help you?

PenTester: We are updating our records and need to know your password.

VictimUser: Wait a second. We are not supposed to give out passwords. Who is this? In the second example, the penetration tester asks for unimportant information so that the user is not suspicious of the questioning of the penetration tester.

PenTester: Hi. This is Valerie from the help desk.

VictimUser: Hi. How can I help you?

PenTester: We are updating our records and need to know some information about your computer. Do you have a laptop or a desktop?

VictimUser: A desktop.

PenTester: Could you read for me the serial number? It will be in the front, on the side, or on the back. (Most computer manufacturers place their serial numbers in these locations, so it is a safe assumption that a serial number exists.)

VictimUser: 59991124.

PenTester: Great. Can you tell me the version of Microsoft Internet Explorer you use? You can get it from going to the Help menu and choosing About.

VictimUser: 6.0

PenTester: Great. And do you have a 17-inch or 15-inch monitor?

VictimUser: 15-inch.

PenTester: And are you still using the username jdoe?

VictimUser: No, it is johndoe.

PenTester: Okay, I will make a note of that. And what is the current password you are using?

VictimUser: It is johndoe123.

PenTester: Great. And what kind of mouse do you have? (You should continue the conversation from this point asking for additional irrelevant information so as to not appear conspicuous.)

If the employee does not give out the information right away, do not give up. In the preceding example, if the employee did not give out his password and cited company policy, keep trying using other techniques such as need-based, logic, or informational tactics. If that does not work, or if the employee starts acting apprehensive, just continue asking questions so you do not look suspicious. Then call another employee who might not be as familiar with company policy.

Using Confidence for Social Engineering

The next important trait that every social engineer should possess is confidence. If you appear confident, people will believe you. When I was in high school, I once had to stand up and present a report. However, I failed to do the research and had no report. I walked up and presented with a blank piece of paper in front of me. I pulled it off because I presented with confidence, even though I had no report to read from. This same confidence is needed when practicing social engineering. You must be prepared for the unexpected.

The best way to gain this confidence is to take acting classes. Believe it or not, the best classes are improvisation drama classes, which are often offered at community colleges and sometimes by improv theater groups in your city. Learning improvisation techniques helps you to react to people no matter what they throw at you. Improv comedy can also come into play so that you can bring humor into the situation should it appear that you are about to get caught. Everybody likes to laugh, and if you can make your target person laugh, you are more likely to get him on your side.

You should practice in front of your coworkers and videotape or record yourself so that you can be critiqued and improve your persuasion tactics. You should also use direct eye contact and speak in a louder voice when trying to persuade others. Both make you appear confident to others.

If your firm is going to offer regular social engineering testing to its clients, you might want to invest in hiring a witness consultant to help make yourself believable to others. Lawyers often hire witness consultants in high-profile trials to assist with training the witness on how to respond to questioning. They are trained to make the person feel uncomfortable and to coach them on their response. Politicians often hire witness consultants to coach them before testifying before committees. Hiring a witness consultant can train you to respond to uncomfortable situations so that you are never caught off guard.

Just like a chess player, you must always be looking one step ahead of the game. If you are inside a building impersonating a telecommunications technician who is there to install a circuit and get caught by an IT manager, for example, you need to know how to react. Do not reveal that you were hired to attempt social engineering, because the news will travel fast, and you will be limited in attempting further tests. Instead, when the manager tells you a new circuit was never ordered, play it off by telling the manager that you need to call the central office to see how the mix-up occurred. Act as if you are getting bad reception, and then tell the manager that you need to step outside to make the call. After you are outside, you are free to leave inconspicuously and come back later to try a different technique.

Note

Always carry a copy of the authorization form in your wallet in the event that you are detained by security personnel. This is especially important when you are testing the security of government and military buildings.

Using Trust for Social Engineering

Besides patience and confidence, you also must build trust with your target person. Reciprocation and similarity techniques discussed earlier help to build trust with others. If you are attempting your social engineering in person, you have to pay attention to body behavior. If your target person crosses his arms, you should do the same. If he scratches his head, you should do the same. This is called the mirror technique, which is a nonverbal type of similarity tactic. Also, if your target person begins to stand to the side or step away, you have a clear sign that you are not connecting with him or, even worse, he is becoming suspicious of your questioning. At that point, the best approach is usually humor to get the person to relax. Be sure to laugh out loud, because laughter is contagious. That simple act can cause the other person to laugh and relax (even if he does not think your jokes are funny).

Sometimes in social engineering the target person loses trust with you. He might start asking questions like, "Who did you say you were again," or, "What company did you say you were with?" If that happens, turn the conversation back to the target. Keep talking to stay in charge of the conversation, gradually changing the topic of discussion back on the target. Make comments about him ("I like that shirt") and ask him questions about himself ("So what do you like to do outside of work?"). People innately like to talk about themselves. If it looks as if you might get caught, turn it back on the target to draw attention away from yourself.

Using Inside Knowledge for Social Engineering

The last ingredient to successful social engineering is to possess inside knowledge of the company. You must do your research if you want to appear authentic. Before you begin, you need the name of someone in the company whom you are going to contact. You can often get this directly off the website or by searching newsgroups for postings from internal staff. One technique to get the name of an IT staff member is to call the receptionist and say, "Hi. I just got done doing a phone interview with the IT manager, and I am supposed to call her back, but I do not remember her name and do not want to embarrass myself by asking for it again. Could you help me out?" Many companies have an after-hour service that lets you call in and punch the first few letters of the name of a person. By punching various combinations of buttons on your phone, you can gain a list of several employees within the company.

Calling after hours leads to another piece of information you should acquire before attempting social engineering the hours of operation. Many companies require badges to gain access to a building. By knowing when employees arrive, you can piggyback behind another employee and enter the building unsuspected. Even if a security guard is on duty, he is usually so busy in the morning that you might be overlooked, especially if you are able to get into a conversation with someone on your way from the parking lot into the building.

Gather as much information as you can about the company. Many organizations have a question-answer policy when it comes to revealing sensitive information. Before giving away a password, the employee might ask a question that only people in the company would know, such as, "When was the company founded? What is the name of the CFO?" Although it is tough to know what question might be asked of you ahead of time, doing some preliminary research will equip you for the unexpected.

Note

Perhaps the most common form of gathering internal information about a company is through dumpster diving. Dumpster diving is the practice of going through a company trash bin to collect sensitive information such as organizational charts or financial statements. Employees should shred these documents, but they usually just throw them out. A penetration tester, if authorized, should look through the dumpsters of his client to see if he can gather sensitive information. Although not the most enjoyable task, dumpster diving can yield some interesting results. You would be surprised at some of the information people throw away.

For example, if you were aware that a new board member was hired at a company, it is possible that new letterhead might be produced, with the old, still official-looking letterhead residing in the dumpster, ripe for using in social engineering attempts.