Social Engineering - The Art of Hacking into Human Minds ....

03-15-2011, 07:18 PM
If you want to be a good hacker you should be a good social engineer. While reading about Kevin Mitnick some years ago I came across this term and did some R&D on it :D...

Social engineering is almost a necessity for any hacker. You would be surprised what valuable information people will give away to a complete stranger.

Social Engineering is the art of manipulating a person into revealing sensitive information. Social Engineering is the best hacking tool you can use, in my opinion. It is similar to using a computer program to make another system spew out large amounts of valuable information about the machine that an attacker can later use. Think of it as "people hacking". When hacking into a system you find a weakness or vulnerability that you can exploit to gain access to restricted information. Social engineering is taking advantage of a person's weakness and getting them to disclose confidential information. All it takes is a large amount of confidence and a basic knowledge of human nature and social behavior patterns. Social engineering does not just apply to computer security; it can apply to nearly any situation.

Understanding Human Nature
When it comes to social engineering there are typically only a handful of "tools" you can use. Some of these are: a basic understanding of human nature, cognitive biases, and psychological fallacies. People generally have social patterns and behaviors that can easily be exploited. Everyone has these flaws; it is a matter of finding out what works with the particular person. There are literally hundreds of these fallacies, and nearly everyone is guilty of them. These are just a few that really stand out to me. Maybe I will cover more in a future article. Some of the most popular human social patterns include:

*The Bandwagon Effect-This is the tendency to follow the patterns of another person's, or a group's, behavior. Generally everyone has heard the term "jump on the bandwagon"; it simply means to do as others do. This particular bias plays a very important role in social engineering and can be taken advantage of quite easily. Also known as conformity.

*Illusion of Control-This is the illusion that a human believes they can control the outcome of a certain situation, when it is clearly out of their hands. Think of a gambler who believes they can really control the outcome of the numbers they roll. Some people truly believe that they can control the outcome of an event as if to predict the future. Prayer or belief in the paranormal could also be thrown into this category.

*Stereotyping-Stereotyping is judging a person by their distinguishing characteristics. Everyone is clearly guilty of this at some point. Every time you meet someone for the first time, you almost always inadvertently judge them. You judge them by their clothes, their hairstyle and just their general appearance. However, stereotyping can sometimes be accurate, as I will explain later on in the article.

*The Ostrich Effect-This is the act of ignoring a negative situation that is going on. Think of someone that is over-optimistic about financial issues and pretending everything is fine. This particular fallacy is performed by almost anyone in a negative situation.

*Consistency bias-This is known as incorrectly remembering your past thoughts or actions in a given situation. This can be greatly taken advantage of. A new employee may not know how to answer a question, or how they answered it in the past, therefore possibly disclosing valuable information.

Basic Techniques

You are not going to want to use every technique at once; find one that fits a particular situation and play the part well. Most social engineering can be done over the phone. It is quite simple to call up a company while imitating a person of authority and retrieving sensitive information. Help desks and customer service are very vulnerable to this method of attack.

Be Polite
The best thing you can do is always be polite; never blow your cover by acting rude. Remember, you are sometimes taking advantage of someone's good nature, so getting on their bad side is not a good start. Remember to speak up and be firm, but do not be rude. For example, call up a company you are interested in and politely ask questions. Act as if you truly want to learn about how their system works, or what tools they use. Do not blatantly ask for something that you know is restricted information. You have to keep talking to them while sounding knowledgeable and interested. Ask to speak to a manager, or someone in charge, working your way up to someone that knows it all. Write down the names of employees, pretend you are interested in that particular field of work, and ask what type of education and things you will need to learn. The goal here is to persuade them from a psychological point of view.

Pretend to be ignorant
You obviously do not want the target to know much about you, so you want to be as discreet as possible. You do not want them to become concerned with a question you may have asked. Playing dumb is also another technique that can be used. Pretend to know nothing whatsoever and create a fake problem to ask customer service about. Keep them on the phone long enough and keep asking questions. Give them a fake name and a phony problem. Ask for their name and figure out where they stand in the company. You know how annoying it is when you call a company and they keep redirecting you to someone else. They have thousands of calls each day; chances are they will not remember you. In all honesty they probably could not care less; they just want to get rid of you and have someone else help you.

Be Curious, without giving it away
Write down a list of things you want to figure out with a certain phone call, whether it be a certain name, a phone number or just a piece of information that helps put together a piece of the puzzle. Ask for names, and to speak to certain people. Make sure you do your homework first and have a general knowledge about the company. If you do not know what to say beforehand you will sound like a fumbling idiot and your confidence level will decrease.

Pretending to be someone of higher authority
This applies to the bandwagon effect and also false memory. Tell a client that is lower in the chain that you are someone who you are not. Tell them you are an employee (in this case it would be a good idea to have a list of employees that you found on the company website or through the yellow pages). Ask to speak to so-and-so, who is higher up in the company than she is. Tell them you need a phone number, or whatever it may be you are searching for. That is why I think it is a good idea to have a goal of what you are truly after. This method is known as reverse social engineering. This requires a bit of research and preparation to pull off, but with proper execution it may very well be one of the best methods.

Other Techniques

These techniques are aimed at gaining physical access to a specific company. Be careful with these though; they could land you in some pretty tough situations that may be harder to talk your way out of. Just remember that social engineering can be applied to nearly any given situation.

Dumpster Diving
As silly as this may sound, dumpster diving is an effective way of gaining valuable information about a company. You would be surprised what kinds of things they may have thrown away. Perhaps a trashed company computer with the hard drive still in it. Or possibly company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware. I will not go into great detail on how to dumpster dive, but I am sure you get the picture. The bottom line is that valuable things can be found in a company dumpster.

Shoulder Surfing
Seems easy enough, right? It is as simple as it sounds: peering over someone's shoulder to see what they are typing. Be careful not to get caught with this one by making it obvious you are trying to view what they are typing. I am sure all of you have exercised some form of this at one point. I do not think I need to go into great detail on this; just be smooth about things.

Hope you had a good time and are ready to hack your friend's/victim's mind :D ...

Cheers ....

03-16-2011, 07:05 AM
Falgun, we appreciate your efforts but do not forget to give credit to the real author and the source (http://www.hackthissite.org/articles/read/1051)

03-16-2011, 09:34 AM
I'm really sorry, I forgot to mention it. Thanks to the www.hackthissite.org crew and some other people ....

07-30-2011, 01:35 AM