UGN used to be a site where a lot of good and useful information was exchanged on the board. But like most other boards the same thing happens. A lot of newbies join and ask the same questions over and over while the older members get tired of it and just hang out in IRC and leave the board alone. I wanna try to change that a little by bringing back some of the stuff that we had here a while ago. A lot of people used to type up articles about interesting things they know and wanted to share and we even has lessons that were done live through IRC. Well, I hope everybody pitches in a little. If everybody writes like one good article a month we could put together something like an ezine and post it on the board once a month, or put in all in the Kbase and build it up from material written by UGN members, which would be better than just posting other peoples stuff on here. This not only helps the newbies but also anybody who writes an article will learn more for themselve. It's true that you can learn a lot by reading.
Here's my first article to try and start this off. It deals with Social Engineering, because thats what I thought of on my way home. As soon as I find another interesting topic to cover I'll write another article.
Scoial Engineering is a topic on which volumes of books could be written. It involves everything from techinal stuff like gathering data through services and psychological stuff like scaring people into giving you info or making them trust you. In this article I won't try to tell you every technique but rathe I will tell you one technique that I used recently and hopefully you will get the main ideas of social engineering and be creative enough to come up with your own tricks.
Ok, so a few weeks ago I sitting at my comp gathering information about a certain host, we'll call it target.com. Now, target.com was interesting to me for personal reasons and I decided to try to hack just as a test of skills. First I did a nmap scan and found all the services available, then I found out which servers they were using and the version numbers. This can be done through reading the daemon banners, or on webserver by sending GET or HEAD request to the sever. On webservers I like to use a tool called "nikto" which gets the version of the server, OS, and does basic CGI tests to check for any vulnerabilites. Once I had all the services running I went around the web looking for weaknesses and exploits for those services.
After looking around for a while I couldn't find any remote exploits for any of the services. I found a few PoCs (proof of concept) but the code wouldn't compile and came back with too many errors for me to try to fix it. So this is the point where most people give up and move on to the next target. But like I said, this was a test of my skills so I couldn't do that. I decided I needed to get a login for the server and then try to exploit a local vulnerability.
This is where social engineering comes in. Guessing password and brute force will never work, at least not for people with an attention span shorter than 3 months. I looked up some of the email address for the company. target.com was a great source for that, they listed most of the employees with their full names and email addresses. There are other ways to do this depending on what your target is what kind of OS it's running. One trick I like to use is just to go to google.com and search for "@target.com" because workers use their work email a lot of times to post on web-boards, job search sites, dating services, etc. So what you need to have is a list of peoples names that work at that place. The larger the compnay the better your chances.
Next step is to find out who the network administrator is. Do a whois lookup of the site, search for information on their website, or just call up the company and ask to be connected to the network administrator or the IT department. When you talk to him you are looking for two things. His name and his voice and dialect. Pay attention to how he talks, does he have an accent, is he calm, or does he yell in the phone and get aggravated real quick. You could also put the phone on speaker and record the conversation so you can listen to him speaking later on. This is to prepare you for the next step, which is the acting part.
Now you have a list of employees and their user names and you know the name of the admin. Call up the company and ask to be connected to the victim. Here's an example of the conversation
You: Hello John Doe, this is Jack Black, the network administrator. I have just been made aware of a bug in our system which could wipe out all of your files and I need you to cooperate with me to get it fixes.
Once you say that the bug could wipe out all their files they won't care who you are or how you sound because they'll be too scared that they're going to loose all the [censored] they were working on. If you come across believable on this point the rest should be a breeze.
Victim: Oh yeah sure, just tell me what to do.
You: Ok, this is a little complicated. I'd come over there and do it myself but I'm really busy fixing this bug. What I'm doing rite now is calling all the employees who are vulnerable to this and making sure they change their login password to "whatever you want the password to be". After that I will go in a fix everything personally. I will require you however to change the password back in 30 minutes for security reasons. Do you know how to change the password or do you need help?
This does a few things. You are showing him that this bug is serious and other people are vulnerable too. Then you get him to change his password, which might make him a little suspicious, but rite after saying that you tell him some [censored] about "secuirty reasons" and gain his trust back.
Now, if he needs help changing his passwords walk him through it step by step. Make sure you know the OS they are using because if you mess up he will get suspicious. End the conversation and make sure to stress the point that he has to change the password back in 30 minutes. This will make him trust you so he doesn't go around the office asking other people about this [censored].
Now you have given yourself a 30 minute window to do whatever it is you need to do. My advice is to either install a keylogger to know his password after he changes it again or to open a backdoor or install a trojan.
Congratulation, you have just gotten access to their system and from this point you can do a lot like trying local exploits, installing sniffers, etc. As you can see, Social engineering is all about being creative and getting people to trust you. There is really no limits of what you can do with this. Kevin Mitnick, one of the most famous hackers of all time, was a big believer in social engineering. If you can't sneak in, just knock and have somebody open the door for you.
Well, thats it from me for now. I hope this will inspire some of the other members here to starting writing.