The Social Engineer's Playbook Page 4
The Rules of Engagement (RoE) is an agreed upon plan with the social engineering team and the client for carrying out a social engineering test. The RoE must accompany each and every social engineering test. It must be followed strictly by all team members.
When performing social engineering work for a client, the Rules of Engagement (RoE) plan describes how the test will be carried out. More importantly, it specifically calls out tactics and actions that are out-of-scope for social engineers. For example, the RoE might state that tactics resulting in damage to company property are out of bounds behavior. It may state that spear phishing is out of scope. Or, it might call out something as simple as the time of day for testing. A RoE is an agreed-upon plan between the tester and the target involving what tactics are allowed and which ones aren’t. In any situation, a RoE is a good idea and should be mandatory for every consulting engagement.
Body Language
First and foremost, body language and expression are immense and complex topics that are too large to cover in this book. For that reason, I am forced to only scratch the surface on the subject. But I will make every attempt to touch on the most foundational elements. For a thorough study on the subject, I personally recommend the following publications:
What Every Body Is Saying by Joe Navarro
Introducing NLP: Psychological Skill for Understanding and Influencing People by Joseph O’Connor
The Definitive Book of Body Language by Allan and Barbara Pease
Positioning
Quite a bit can be said with non-verbal communication. That’s precisely why body language and gesturing is so deep-rooted in personal communication. And the link to social engineering is no different. When used properly, gestures can direct your target’s thought process subconsciously. So it’s important for social engineers to understand the basic elements of body language.
Hands, feet, arms and torso all are very telling about a person in their own way. So it’s important to be cognizant of these visual cues when reading a target. As social engineers, we will also want to send visual signals to our targets as well. Our social engineering plan may call for us to be authoritative. Therefore, we may stand up straight and assume an air of confidence about us, without being too threatening. If in a seated position, we may choose to steeple our hands, without looking too stiff.
Police interrogators make some of the best body language experts. They are able to pick up on the most subtle body positioning cues and mannerisms. It is often said that, “the lips lie but the body tells the truth.”
People talk with their hands, albeit, some more than others. I’m guilty of it and it seems even more exaggerated when I’m nervous. When engaging a target for the first time, it’s natural to get a little nervous. People who are nervous tend to fidget with their hands or an object, like a pen or piece of paper. As a matter of fact, I always get a shot of nervousness when engaging a target. But as social engineers, we must never show it. With time and practice, the nervousness subsides.
So what can we do to suppress nervousness? Aside from rehearsing? Not much. What we really should be doing is focusing on how to hide our nervousness.
Here are a few tips on body placement to help hide nervousness:
Hands should be free of any objects to prevent fidgeting (especially click pens)
Avoid the temptation to touch your hair as this is a sign of insecurity
Keep your arms and hands at your side – avoid the temptation to cross your arms or hold them up and against your belly area as this is a sign of nervousness/uncertainty
Avoid touching your ears, especially when leveraging authoritative tactics, as this is a sign of indecisiveness
This one goes without saying – refrain from finger drumming
If standing, avoid the temptation to sway or tap your foot
Know thyself – take an inventory of what nervous ticks you have and practice hiding them
Emulating
One of my favorite gestures is called emulating. Essentially, it boils down to copying the gestures and body positioning of the target. You may wonder why this is even a thing. Honestly, it is an efficient way to establish a non-verbal rapport with your target. In my early days, I often made use of emulating during job interviews. When you emulate the target, you create a subconscious sense of connection with that person. Consequently, you appear more likeable in his or her eyes. Obviously, this puts you in a better position of power and persuasion.
Now, it’s worth mentioning that the target’s each and every move should not be emulated. He or she would catch on eventually and it would likely turn into a rather awkward situation. People use subtle gestures all the time without really knowing it. So the objective is to mimic those subtle gestures.
Here are a few tips for emulating:
Select at least two repeated gestures and emulate them sparingly (e.g.: raising pen to mouth, etc.)
Match the volume of your voice to the target’s volume
Emulate the target’s body position (e.g.: leaning back in chair, standing, crossed legs, etc.)
Match the speed at which the target speaks to your own
Square up your body position to the target’s position
Lastly, do not overdo it!
Anchoring
The concept of anchoring has its origins in the study of Neuro-Linguistic Programming (NLP). NLP is an approach to communication by linking neurological processes, language and behavioral patterns through “programming.” What does that mean? Well, the concept of NLP is that it can be used in casual conversation to subliminally condition the mind, yours or others. As an aside, the concept is somewhat controversial in terms of validity. Some people think it’s pure hogwash. Some people consider it evil mind control while others claim that it’s useful for personal enrichment purposes. Personally I believe it works, but I’m a firm moderate on the subject. I’ve seen its effects firsthand, but I personally don’t believe all the hype. But I digress.
Anchoring is essentially all about association of statements while using some sort of physical gesture to do so. That is to say, language is used to associate two or more statements and gestures are the medium to link them together. The underlying objective is persuasive in nature. In other words, the purpose of anchoring is to subconsciously persuade the target toward one way of thinking.
Though the concept of anchoring might sound somewhat cryptic, it is actually used fairly significantly outside of social engineering. In fact, some sales people use anchoring as a sales tactic. For example, let’s assume a situation where a target and a sales person are sitting across from one another at table. During casual conversation, the sales person may make a reference about how bad the traffic is in the city. This will generally generate some kind of agreeable response by the target. A head nod or otherwise. After all, bad traffic is something that all of us can relate to. This is step one in the anchoring setup. While describing the bad traffic, he puts his left hand on the table forming a roadblock hand gesture. The negative association has now been built. Now it needs to be reinforced two or more time during the course of the conversation and with similar associations.
For a more thorough study on the science of Neuro-Linguistic Programming (NLP), please see the following book titled: Introducing NLP: Psychological Skills for Understanding and Influencing People (Neuro-Linguistic Programming), by Joseph O’Connor.
Link: http://books.google.com/books/
about/Introducing_NLP.html?id=rwoiMLdu9eIC
Moving forward in the conversation, the sales person will now go on to describe and build positive thoughts. For example, a funny story about his daughter or a fun trip to the cabin. During these stories, the sales person uses his right hand to gesture and punctuate the best highlights of the story. My favorite gesture is a form of the famous “Bill Clinton thumb smash.” If you’re not familiar, imagine you are holding an invisible remote control. Since the thumb smash is an often joked about gesture, you’ll want to augment your thumb smash a
bit.
At this point, the sales person has, in so many words, conditioned the target’s thinking. The left hand roadblock hand gesture is associated with something bad. The right hand thumb smash means something is good. By now in the conversation, the sales person will attempt to convince the target to purchase services from his company instead of the competing company. The sales person begins with describing the services by the competitor. But instead of outright bashing the competition, which is what the target expects, something else happens. Instead, the sales person exploits the pre-established anchors to convince the target that his company is better without verbally saying it. In fact, the target already agreed the sales person’s company was better once the anchors were established earlier in the conversation. It was simply the sales person’s job to make him subconsciously realize it.
Introducing NLP: Psychological Skills for Understanding and Influencing People (Neuro-Linguistic Programming), by Joseph O’Connor
Social Engineering: The Art of Human Hacking, by Christopher Hadnagy
Chapter 5:
Information Gathering
In social engineering, information is worth its weight in gold. Even the most seemingly insignificant details can be worth something. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. For that reason, the tactics examined here should be used for ethical purposes only.
Successful social engineering would not be possible without a strong source of information. Information fuels the social engineering plan and is one of the most vital components. In this chapter, we will cover information gathering techniques, sources and tools.
The following topics will be covered in this chapter:
Overview of Information Gathering
Information Gathering Techniques
Sources of Information
Information Gathering Tools
Overview
Throughout this book we’ve covered everything from anchoring, flattery, bracketing and baiting to emulating. You might be thinking, how do we support these tactics? How do I know which anchor statements to use? What information do I have at my disposal to use as bait for my target? All of these are important questions that must be answered.
You might be a superstar at confidential baiting. But your efforts, however well thought out they might be, are only as good as the information you have at your fingertips. Not enough research on a target or plan equates to a social engineering attempt that is destined to fail. There are so many social engineering tactics rely heavily on valuable information. Thus, valuable information, for whatever your tactic, must be derived from effective and efficient information gathering practices.
In this chapter, we will start out by discussing techniques used to gather information. Then we will take a look at what sources can be leveraged to collect this information. Finally, I’ll briefly introduce a few tools used to carry out information gathering sessions as well as talk about other commonly used social engineering tools.
Before we dig into the specifics of information gathering, we need to talk about how we are going to store this information from the get go. Every social engineering plan involves a multitude of data sources for information. Some information may be derived from eyes-on observation while other information may be obtained from online sources. In either event, we need a central repository to house this data for quick and easy retrieval.
Information Organization
Overview
During a social engineering test, there are likely going to be several things that need to be documented and stored for later use. One of the most prominent is information about targets. What’s also important to note is that data sources for targets often arrives from many sources. For example, this could include information gathered from LinkedIn, Facebook, Twitter, forums, Google and others. Managing information from disparate sources can be a challenge. Especially when a team of testers is involved and data must be available to all. Organizing information is essential and it doesn’t have to be an overly complex process.
Dradis Framework
Fortunately for us, there are tools freely available designed to help with the task of sharing data across teams. Dradis to the rescue. Dradis is a self-contained web application that provides a consolidated warehouse of information. It is an open source software project that can be found at http://dradisframework.org/.
The Dradis framework is freely available and runs on Linux, Windows, MacOS and FreeBSD systems. Dradis describes itself as tool designed especially for security assessments. As a result, it has plugins for popular security tools, such as: Retina, Zed, Nessus, Nikto and Nmap.
Dradis has a very intuitive collapsible tree menu system. Information is organized into multilevel containers called branches. Notes are entered “free form” and can be categorized for efficient retrieval.
Screenshot of the Dradis Framework v2.9.0
The interface itself is relatively straightforward. The main idea is to provide a mechanism for which to capture information from disparate data sources and that’s exactly what Dradis does. From a team perspective, the information in Dradis is viewable and modifiable by all members.
KeepNote
There are other tools to choose from. For example, KeepNote is an alternative to Dradis that is also freely available. KeepNote is quite similar in nature to Dradis, minus the team aspect. It isn’t a web application like Dradis, which is the reason behind its single user approach. Under the covers, KeepNote utilizes the same collapsible tree menu as Dradis. From a personal perspective, I like the KeepNote interface better. To me, it just has a better feel to it. For one-person social engineering engagements, KeepNote is perfect for those situations. It can be downloaded at http://keepnote.org/
KeepNote is freely available and capable of running on Linux, Windows (XP, Vista) and Mac OS X platforms. For Linux and Mac OS X, additional third-party libraries are required. Although Keep-Note doesn’t call itself a security assessment tool, it does come pre-installed on the Kali Linux penetration testing distribution.
KeepNote’s user interface allows for quicker and easier rich-text formatting of text. I especially like the ability to add file attachments, screenshots and its full-text search features. All in all, I believe its interface is a little easier to use.
Screenshot of KeepNote 0.7.8
My personal preference, however, leans toward Dradis specifically for team interaction and excellent search capabilities. Either tool will easily accomplish the goal of organizing data efficiently. For the most part, it comes down to personal preference. Whatever the tool you ultimately decide to organize your information, be sure it’s one that you feel comfortable working within.
Sources of Information
As any social engineer would tell you, there are many different sources for information gathering. It would not be possible to list each an every source here. But I’ll cover the most commonly used sources.
Listed below are the information sources we will cover in this upcoming section:
Online
Surveillance
Trash
Online
Online sources of information are vast and plentiful. Simply imagine what Google and Facebook alone have done to transform the state of online privacy to what it is today. In a matter of a few years short of a decade, these websites have managed to completely change the privacy landscape by making the activities of businesses and people public. What’s more, the transformation of the standards for company websites has evolved greatly. Today companies are much more transparent about their inner workings, culture, people and even their political standing. As a result, an organization’s website makes another great resource for mining for useful information during a social engineering test.
Naturally, a noteworthy change like these has created an atmosphere where a social engineer is able to obtain information, of a sensitive nature, from not one, but a multitude of online sources quite easily. For that reaso
n alone, many social engineers often rely heavily on online data sources for mining information about a target. And so should you.
Company Website
Mining the company’s website for information should be one of the first steps in the information gathering phase. Having said that, not all company websites are created equal. That is to say, not all organizations are as transparent and forthcoming with information as others. However, this should not be a deterrent. There are several ways of finding useful information within a company website, if you know where to look. Hence, a good social engineer should spend a decent amount of time in an attempt to mine that information.
Here are some of the pages/sections of an organization’s website that commonly present useful social engineering information:
Job openings and tech stack information (e.g. Windows, Ubuntu, .NET, PHP, Cisco, firewall technology, Amazon AWS, Rackspace, MS Exchange, etc.)
The About page and mission statements