Welcome back, my future hackers! After my first tutorial about doxing, I decided I would dive a little bit deeper into the world of social engineering. In this tutorial we will learn some basic social engineering techniques to get into a company building, find out more information about the company's security, and maybe even exploit the company's computers if you get the chance.
The thing that makes social engineering special is that it has it has been around for thousands of years. Social engineering with the right amount of skill is usually successful and can spill out tons of information that will be useful for hacking. Social engineering is used every day in the form of scams, phishing, fraud, and carding, but today we are going to look at the bare basics of pretending to be someone you are not. There are many ways to do this, so I will break up each step in a different category.
Phone calls are a great way to pretend to be someone you are not, because unlike actually seeing and talking to a person face to face, you can pretty much change who you are completely. There are even apps out there that will spoof your caller ID to make you look like a completely different person! In this section I will break down the basic techniques of phone calls and how you can trick employees easily.
The most important thing in a phone call is to make the employee think you have more power than he or she does. This is fairly simple. We can practice this by calling up a Starbucks and messing around with the employees. Through my experience with prank calls, I am going to show you a script that usually works with most companies.
Hello, Starbucks, How may I help you?
Hello, this is Mark from the Corporate Office, have you been experiencing any computer issues lately?
Well, the computer is a bit slow.
Okay, that's fine. The IT department just called in saying they were having some issues with the computer there and they were going to fix them soon.
Alright, can I have your name please?
(Says her name here)
And to verify that you are in fact a Starbucks Employee, can I have your partner number? (For those of you that don't know, starbucks employees all have partner numbers to get discounts on drinks, and educations.)
(Says her partner number)_
Okay, great. Have a nice night.
As you can see from the following phone call, it was fairly simple to trick the employee into giving me her partner number. Pretending to be the company's corporate office usually works pretty well. If it doesn't work the first time, just call a different store, you'll get it eventually. Practice a bit with phone calls. If you want to spoof your caller ID, I recommend the app for iPhone, spoof card, which is free (for a while). There are also other websites that will spoof your caller id for you, but if you can't use any of them, always make sure to type in star 67 before the number.
Now that you have practiced a bit with your phone calls, you can start to use social engineering in real life. This is a bit more risky, and not always necessary, but it will give you a great deal of information about the company.
If you are going to go to the store's location, make sure your wardrobe is on point. If it is a coffee shop or other regular store, dress up like an at&t employee. If it is a business building, dress up like an architect. Anything that will convince the front desk will work.
If there is a locked door with a card swiper, wait by the door until an employee exits for a smoking break. Converse with the employee, try to be more comfortable with him or her. Once the employee goes back and swipes their card, hold the door open for them, and enter after them. You would be surprised how many employees will take this as a compliment and not an intrusion.
I suggest brining a camera and or microphone. This way you can go back to your house and plot down all the information you gathered. Some things you will definitely want are:
- Picture of the lobby
- Picture of entrance and exit
- Picture of security devices (card readers, name tags, etc.)
Now that you have gathered information on your target company, you will definitely want to know how to exploit them.
Now that you know where everything is, including the computers, you are ready to exploit them. If you want, you can come prepared with a USB Password Stealer. This is fairly easy to make, but hard to exploit without being noticed. It will take skill to use this effectively. To read more about he USB Password Stealer, you can go ahead and visit http://www.hackershandbook.org/tutorials/usb-password-stealer
If you want to try something a little bit more elite, (but a little bit more pricy,) I would suggest a USB Rubber Ducky. This tool is designed to look like a USB, but the computer reads it as a keyboard. The Ducky then injects whatever pre-programmed code you put on its SD Card, and types it into the computer at a superhuman speed. The best part about this device is that you can program whatever you want onto it. There is a whole community of people with programs like password stealers, key loggers, data stealers, and more. To read more about the USB Rubber Ducky, I would suggest heading over to http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
So you learned some of the basic social engineering techniques, and how you can use these techniques to trick people. I hope all my readers take this information to protect themselves and their companies from social engineering attacks. Train your employees to ask questions like, "Which corporate office?" and "What's your phone number and name?"
I hope you have all learned something from this tutorial and comment if you have any questions or concerns.