Edit: Some of the methods I show you may be difficult, or not work at famous or high quality hotels.
Welcome back, my excited hackers! Right now I am on vacation in the wonderful city of Tulum, Mexico. I thought it would be a great idea to teach you guys yet another social engineering excercise to get your brain up and running. Today we are going to be learning how to open a hotel room or other important locked room that isn't yours. This tutorial requires no lock picking, or knowledge of card readers in advance. However this tutorial does require that your hotel use card readers to open locked doors.
Skill Level: Hard
Important Note: This social engineering attack should only ever be performed on your own hotel room if you lost the key, or if it is an emergency. This tutorial claims no responsibility for anything idiotic you do with this information.
Step 1: Situation
Let's imagine you are an elite hacker on an important mission to take down a government website. You know that the owner of this website is spending his vacation in the Rio Plaza Hotel, and will keep his website updated about the food and quality, meaning that he has his laptop with him. We also know his laptop is in his room and he is far away from the room at a pool. Using this attack we are going to trick an employee to unlock the door for us so we can get in, exploit (or steal if you're completely evil) his computer, and get out.
Let's begin.
Step 2: Room Number
First of all we need to know this guy's room number. I'm assuming that you will be practicing this attack on your own room or a friend's room, but I will teach you how to find the room number of somebody you don't know in case of any kind of emergency.
Find out his room number by following him around for a bit. But not creepily. For instance, if he or she is lounging at a pool, get a drink at the bar right next to the pool. When he is going back to his room, walk a good 6 feet behind him and watch which room he goes into. Don't make him think you are following him, though. You want to act as if you are going to a different room. Once you have his room number you can proceed to the next steps. In the next step I can talk about some interesting things you can do with his room number.
Step 3: Calling His Room
Calling his room is something absolutely amazing you can do. Through experience, I have come to the conclusion that if you can get in contact with his room (from a mobile phone) and say that you are the front desk, they will almost always believe you. From here you can access a humungous amount of information that normally would not be given. To call his room, just call the hotel and say something like this:
Hello Rio Plaza Hotel how may I help you?
Hi could you put me through to (name) at (room number)?
Sure, One second...
Hello?
Hi this is Mark from the front desk?
Hi...
A hilarious example of this can be found here:https://www.youtube.com/watch?v=kazEfTx-rmw
You can go from here. Make some stuff up. If you want to do this just for fun or as a prank call, you can convince him that there have been multiple noise complaints for his room. If you want to stay focused and gather information, ask him when he registered for the hotel and how long he will stay. Ask for his name and the name of the other people in his room. You should write all of this down. I always suggest if you are writing down confidential information, always do it on paper. No system is secure, and if forensic investigators get hold of your computer, then it would be best to not have the information of another person on your text editor. Now we will look into the next step which is the actual breaking into the room.
Step 4: Getting in the Room
Before we break into a room we must make sure he is not in the room. You can do this simply by knocking on the door and if somebody answers, just say you had the wrong room. If nobody answers or you know they are gone, sit in the hallway and wait for a janitor. When the janitor comes by, tell him you are locked out of your room. Don't act whiney, but still act upset. The janitor will most likely feel bad for you, and open the room for you. If he redirects you to the front desk, just act like you found it and walk away. Once you are in the room, you should have a plan in case somebody comes in.
If somebody comes in the room, your two best options are as so:
Act like you are house cleaning. You can do this by coming prepared in employee clothing. Just take a picture of an employee and cherry pick out the clothes that you need to be prepared with. Also wear a name tag, as this will tell the person entering the room that you are a staff. If you are snooping on his laptop, you should immediately close it and pick it up as if to set it on a table while he walks in. This will make it look like you are re-organizing things. In the next step, we are going to talk about some technical attacks you can do on his or her laptop, quickly and with ease.
Step 5: Attacking
For all of these following attacks I am going to recommend purchasing a USB Rubber Ducky to perform all of them in seconds rather than manually typing. I will also link the USB Rubber Ducky Code for every corresponding attack.
- Changing Hosts File For Phishing
You're best bet if you want to phish the target, without sending him a phony url is to change his hosts file. The host file is where you can change where a url will direct you. For instance, www.facebook.com will send you to 173.252.120.6. There is a simple tutorial on how to do this here, but if you want to use your USB Rubber Ducky to do it in under 15 seconds, the USB Rubber Ducky code is here.
- Putting a Shell On the System
While putting a shell on a system is a bit more risky, it works, and can give you access to many confidential files. There are many tutorials here on Null Byte but here are ones that might be particularly helpful for this case:
Use Social Engineering To Hack Computers
Again, if you want to do this without any manual typing in under 15 seconds, you can make a shell quickly here.
Step 6: Conclusion
This tutorial was made to show you how easy it is to access a computer if you are at a hotel. To protect yourself from this social engineering attack I suggest always putting your computer in a safe or in a drawer where an attacker won't look for it. Also for hotel's to never let their employees open doors for people without a name. If you enjoyed this tutorial you're welcome to throw a kudo at me and if you have any questions feel free to comment below.
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
8 Comments
Hi, Thanks for the the write up.
I have worked in 2 different brands of major Hotel/Resorts and since 98 they stopped given personal info out with out name and room number.
They will most likely call the room in question to confirm for you while you wait in the lobby.
As far as building engineers letting you in the room are slim they will refer you to the front desk, if you even find one because they are very busy taking microwaves to rooms and unclogging toilets..
As for room cleaning crew you will get picked off by the cleaning supervisor or one of the cleaning crews on each floor.
Also when hired they tell you to watch out for suspect people and fraudsters. See they get targeted a lot by thief's and scammers because of meeting spaces and tactics like those.
Just a few of my thoughts on it. The human link is the weakest link...
Hmmm... This is strange. Right now I am at a hotel and all of these methods have worked for me. You just have to wait in the lobby and act like you are locked out. I agree that it is possible that many hotels are patching their systems but it really ends up with connecting personally to the employees and having them believe you. Personally I have found this works better in foreign places where the employees only understand a quick brief of what you are saying.
Also trained in face recognition and the 15/5 rule. Maybe you have been there a few days and that all it takes.
But you are right it may work in some places in some brands.
Well, thank you for the good info. I will make an edit at the top that states that some of these methods may be patched.
At the top you said this might be patched, but as ghost_ said:
"There's no patch to human nature."
Indeed. By patched I meant that hotel's reinforced the security of their employees.
but I see what you're saying...I'll make an edit of the word "patched"
Hi Cameron!
i started reading your real life social engineering articles and i must say they're quite interesting. however i'd like your opinion on what kind of cultures do you imagine these kind of things working best with. I guess you are from america and americans have a reputation of trusting people easily (because you have less liars than we do obv) . I can't imagine this kind of things working this well in some countries. I'd like to know what you think about this.
Very interesting read though ;)
Share Your Thoughts