Credits: Jeff Green and James Barnett
Blog Series Introduction
Somewhere I Belong will be a running blog series on social engineering theory and practice. We will be bringing stories into it as often as we can, but you can also expect blog posts focused on tools and tips, as well as training resources for covert entry.
The theory and practice of social engineering
Part 1: Walking in like we own the place!
So you want to learn how to conduct social engineering attacks? Here are some common social engineering quips.
● “Just walk in like you own the place!”
● “The best camo is always a high vis vest and a hardhat.”
● “A metal clipboard and a name tag will get you into anywhere.”
These quips are partially correct. Statements with minute detail are hard to make into a heavy-hitting one-liner. To fill in the missing words I had to do some face-to-face social engineering myself. Before we fully understand what these quips entail we need to learn the basics…
Tone is important. Timbre is important. Body language is important. Your message is important. Any knowledge of the Standard Operating Procedures (SOPs) and general background data of your target is priceless.
This list could go on forever, so instead I will tell you about a conversation I had the other day with a gym owner. I showed him what was wrong with his work computer while I signed up for the gym. He asked me what I do, I decided just to tell him, and he asked me a question right away.
"So if your girl was cheating on you, you could find out what was on her phone?"
Kind of an awkward question, but I answered him anyway, and by the end of the conversation it waxed slightly philosophical. I told him,
"People often make the mistake of thinking that in the moment, they will make the right decision, but that rarely happens. If someone wants to take control of their lives they have to think themselves into being. Who are you? What kind of things do you do? What level of impact will you allow your emotions to have on your decisions? What will you never do? What will you always do whenever possible? Only people that decided before the pivotal moment will be able to make the "right" decision at the crux, because they already decided years ago and have been consistently reinforcing that decision their whole lives."
I coincidentally told this guy the basics of social engineering. While you cannot plan everything, you should plan what you can. You have to set some basic rules that you're willing to break in the moment, and another set of rules you will not ever break. You should do OSINT on your target, online and in real life. The closer you can get your persona to your personal reality, the easier convincing a victim will be.
Beware fellow social engineers.
Blunders are everywhere!
"Hi, I'm John from I.T." But did you know the I.T. office was next door to your victim's office, and they heard you? "Hi, I'm with helpdesk." Unfortunately for you, your victim has had help before from "helpdesk", but their company calls it service desk with religious fervor.
These examples are why OSINT is so IMPORTANT.
Changes and redactions have been made in this story to protect those involved.
One of my favorite memories from doing social engineering in person was the night my partner and I went and hid in the dumbest place imaginable. I won’t say where, but let’s just say that location is going to be checked by every guard every shift in most companies, yet it is easy to overlook. Hence our predicament. We hid there for nearly an hour waiting for the cleaning crew to leave. Suddenly we came face to face with a security guard as he opened a door and stumbled upon us. An absurd look of surprise came across his face instantly. His shock was so great that, before confronting us, he continued to finish his task just to recover. We lied to him shamelessly and desperately. We were only half ready. I flashed a WiFi Pineapple in his face and said we were putting up WiFi access points (APs). My partner and I played off each other to gain his confidence until it was over.
Later that night he confronted us again and said no one was on the list for maintenance. I said, “No, we work IN this building. We are I.T. We just had to work late tonight. Here is my badge.” I flashed him 3 inches of a lanyard I had stolen the night before from a security guard. I had stuffed it into my shirt since it was empty. He told headquarters we were good and that we had our badges… even though he never saw them. He also told us he would let the other guards know we were here working late and not to worry about us. Later that night another guard walked up on us while one of us was holding a can of air with a rigged straw on it to reach deeply and get well-placed REX IR sensors to trigger. She just chit-chatted for a bit about how tired she was and then stomped off. No question about it, at this point we BELONGED.
Analysis of our performance and some social engineering theory
It was a classic case of being prepared, even though I constantly tell myself how much we screwed up that night. We had just enough of the things we needed to slide right into our victim’s mind like we belonged. We knew so much about our targets from studying stolen material we got from on-duty guards. (If only I could tell you more.) Our biggest mistake that night was walking in like we owned the place. We tried to be sneaky but also to stomp around like we owned the place. Our pride in breaching the perimeter made us a little cocky. OSINT saved our bacon.
Humans process data in a very complex way. If something makes it to the highest level of awareness, then the processing can be very detailed and thorough. Very little of our world is processed at a high level of awareness, let alone the highest. Humans are very efficient creatures. Repetition is used to achieve consistent results in life, and as things are repeated, our need to focus our attention on the finer aspects of that event is reduced because it becomes a pattern in our pattern recognition processor. This frees up our higher levels of awareness to remain focused on the task at hand and alter the world in front of us. Face-to-face social engineering revolves completely around ensuring that the image of you that your victim creates fits neatly into their pattern recognition processor. You do not need to belong in that building/place, you need to belong in their mind! You have to fit inside their mind so well that they do not even try to make sense of you. Everything from your clothes to your mannerisms needs to be in alignment so that no alerts are set off by your victim’s processor. It is very much like bypassing EDR and AV.