The engineering part of social engineering, or why just lying your way in doesn't get you anywhere

Uploaded by: thealuc
Posted on 03-Aug-2015

TRANSCRIPT

1. The engineering part of social engineering
aluc#
or why just lying your way in doesn't get you anywhere.
2. I'm Aluc
I'm an old hacker who loves the blood of your network.
3. Preface:
4. Needed skillset:
- physical
- logical
- customer preparation
- theoretical models of attack
- check what the customer needs, based on his business
- contract
5. Needed physical/psychological skillset:
- understanding of craftsmanship (ideally life experience as an electrician, telephone cable guy or computer mechanic)
- lock picking
- physical security in a hostile environment
- good rhetoric
- understanding of the person you approach
- an understanding of human psychology
- NLP (ideally hypnosis)
6. Example Skills:
7. Example Skills:
8. What is your first impression?
- clothes: civil/uniform type
- body type
- gender
- ethnicity
- manners/discipline
- physical markings
- smell
- teeth
- hands
9. Everyone talks about NLP; what is it?
NLP is a communications model created in the early 70s by John Grinder and Richard Bandler. The basis of their work was the analysis of the work of the therapists Fritz Perls, Virginia Satir and Milton H. Erickson.
- The N stands for the flow of neurological processes in the human brain.
- The L stands for linguistic, our capability to speak.
- The P stands for programming, meaning the change of the inner program of a human.
10. Modeling: in this process you want to find out how a brain operates by analysing the patterns of verbal and nonverbal communication. The outcome can be used for step-by-step guides to transfer skills from one person to another. Example: "From the Basement to the Bedroom", a pickup guide by Chris Nickerson.
11. Understanding keywords and telling attributes from states:
- a human brain can process about 100 trillion teraflops
- your senses deliver about 10,000 bit/s
- of these 10,000 bits only about 40 are processed
That makes each of us construct our very own version of this world.
12. How do we use this?
- listen in conversations for keywords like stress, freedom, love etc.
- find out which state the person is in vs. what he/she believes
- pay attention to micro expressions
- understand the difference between a state and an attribute: what he feels vs. what he has
13. Micro expressions: based on the system Dr. Friesen developed (the Facial Action Coding System, together with Paul Ekman), we can distinguish about 1000 unique facial expressions, produced by the neurological connection between the emotions and the 43 muscles we have in the face. This can be used to find out whether a person is lying to you. One should not underestimate what you can see in the eyes. With a bit of training you can see whether a person is seeing a video picture in the "mind's eye" (visual), listening to an internal recording (auditory), or concentrating on feelings (kinaesthetic).
14. Micro expressions: here some charts from Dr. Lightman (the fictional Cal Lightman of the TV series Lie to Me):
15. Convert attributes into states:
- try to generate and feel states for yourself
- try to generate states in other people by using the right words
- find out when these states are appropriate; find the right timing to use them
Don't forget: of the 2 million bit/s of messages coming in, you can only deal with 7 at one time.
16. Intelligence gathering before the first customer meeting:
Internet search:
- Maltego
- theHarvester
- Bundesanzeiger (the German federal gazette, where company filings are published)
- http://www.onstrat.com/osint/
- whois
- social media
Visit the place, e.g. as a customer:
- building
- video surveillance
- entry systems
- security/alarm systems
17. Meet the client:
- find out what his business is
- find out about the company's hierarchy
- customer relations
- vendor relations
18. Threat modeling:
- asset (resources which can become targets)
- threat
- vulnerability
- attack
- countermeasures
1. identify the security objectives
2. get an application overview
3. decompose the architecture
4. identify threats
5. identify vulnerabilities
19. Threat modeling: STRIDE model
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
20. Threat modeling: DREAD model
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
21. Threat modeling:
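As an added example (not part of the original slides), the following Python applies the two models above to the physical-entry threats this talk is about: each threat is tagged with STRIDE letters and scored 1-10 on the five DREAD axes, and the mean score ranks the list for the report. The threats, the scores and the High/Medium/Low bands are constructed assumptions for the demo, not values from the talk.

```python
# Added example: STRIDE classification plus DREAD ranking of physical-entry
# threats. Threat list, scores and rating bands are assumptions for the demo.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
DREAD_AXES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str      # the resource that becomes the target
    stride: str     # one or more STRIDE letters, e.g. "SE"
    dread: dict     # axis name -> score 1..10

    def categories(self) -> list:
        """Expand the STRIDE letters; reject letters the model does not have."""
        unknown = set(self.stride) - STRIDE.keys()
        if unknown:
            raise ValueError(f"unknown STRIDE letter(s): {sorted(unknown)}")
        return [STRIDE[c] for c in self.stride]

    def score(self) -> float:
        """DREAD risk = mean of the five axes, each an integer in 1..10."""
        missing = set(DREAD_AXES) - self.dread.keys()
        if missing:
            raise ValueError(f"missing DREAD axes: {sorted(missing)}")
        values = [self.dread[a] for a in DREAD_AXES]
        if any(not 1 <= v <= 10 for v in values):
            raise ValueError("DREAD scores must be in 1..10")
        return sum(values) / len(values)


def rating(score: float) -> str:
    """Assumed bands for turning a DREAD mean into a report label."""
    if score >= 7.0:
        return "High"
    if score >= 5.0:
        return "Medium"
    return "Low"


def rank_threats(threats) -> list:
    """Highest DREAD score first; ties broken by name so the report is stable."""
    return sorted(threats, key=lambda t: (-t.score(), t.name))


def report(threats) -> list:
    """One line per threat, ranked, as it would go into the findings table."""
    return [f"{t.score():.1f} {rating(t.score()):<6} {t.name} "
            f"[{t.asset}; {', '.join(t.categories())}]"
            for t in rank_threats(threats)]


# Constructed sample threats for a hypothetical office engagement.
SAMPLE_THREATS = [
    Threat("Tailgating through the main entrance", "office floor", "SE",
           dict(damage=7, reproducibility=9, exploitability=9,
                affected_users=8, discoverability=9)),
    Threat("Badge cloned with an RFID skimmer", "door access system", "S",
           dict(damage=9, reproducibility=8, exploitability=6,
                affected_users=8, discoverability=6)),
    Threat("Dumpster diving for printouts", "paper waste", "I",
           dict(damage=5, reproducibility=8, exploitability=9,
                affected_users=4, discoverability=8)),
    Threat("Dropped USB key plugged into a workstation", "workstation", "TE",
           dict(damage=8, reproducibility=6, exploitability=7,
                affected_users=5, discoverability=7)),
    Threat("Hardware keylogger on a shared PC", "shared PC credentials", "I",
           dict(damage=8, reproducibility=5, exploitability=5,
                affected_users=3, discoverability=4)),
]

if __name__ == "__main__":
    for line in report(SAMPLE_THREATS):
        print(line)
```

The mean is the textbook DREAD aggregation; teams that weight damage or exploitability higher can replace `score()` without touching the ranking or the report, which is the point of keeping classification (STRIDE) and scoring (DREAD) in separate steps.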
22. The assessment:
- the storyboard
- infiltration
- find & fetch the data
- exfiltrate the data
- backup plan
- writing the report
- business impact analysis
- customer meeting
- customer trainings
23. Infiltration:
- tailgating / piggybacking
- steal fingerprints
- use of an RFID skimmer
- copy entry badges, e.g. with a Proxmark 3
- car key skimmer
- drop a 32 GB USB key
- pick locks
- enter as a vendor
- enter as a client
24. Example infiltration hardware:
25./26. Finding and fetching data:
- printer
- spear phishing
- dumpster diving
- 0x41414141 (the "AAAA" of a classic buffer overflow)
- keylogger
- L0phtCrack
27. Exfiltrate data:
- USB key
- printout in the trash
- over the net
- photo
28. Thanks for listening; see/hear me at: http://aluc.tv
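To show what "copy entry badges with a Proxmark 3" actually amounts to, here is an added example (not code from the talk or from the Proxmark project): a decoder and encoder for the standard 26-bit Wiegand format (H10301) that many 125 kHz HID Prox badges use. The frame carries only an 8-bit facility code and a 16-bit card number plus two parity bits, so once a badge is read, a clone is a matter of replaying 24 bits, and adjacent card numbers in the same facility are a guess away. The badge values in the demo are constructed.

```python
# Added example: 26-bit Wiegand (H10301) decode/encode, as read from a
# low-frequency proximity badge. Sample facility code / card number are made up.

def wiegand26_decode(frame: str) -> dict:
    """Decode a 26-bit Wiegand frame given as a string of '0'/'1' (MSB first).

    Layout:
      bit 0       even parity over bits 1..12
      bits 1..8   facility code (8 bits)
      bits 9..24  card number (16 bits)
      bit 25      odd parity over bits 13..24
    """
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a 26-character string of '0'/'1'")
    bits = [int(c) for c in frame]
    even_ok = sum(bits[0:13]) % 2 == 0   # parity bit 0 plus data bits 1..12
    odd_ok = sum(bits[13:26]) % 2 == 1   # data bits 13..24 plus parity bit 25
    return {
        "facility_code": int(frame[1:9], 2),
        "card_number": int(frame[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def wiegand26_encode(facility_code: int, card_number: int) -> str:
    """Build a valid 26-bit frame for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code is 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number is 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"          # bits 1..24
    even = str(sum(int(c) for c in payload[:12]) % 2)            # bit 0
    odd = str(1 - sum(int(c) for c in payload[12:]) % 2)         # bit 25
    return even + payload + odd


def neighbouring_badges(frame: str, spread: int = 2) -> list:
    """Forge frames for the card numbers next to one captured badge.

    Badges are usually issued sequentially, so a single skimmed badge gives
    an attacker a whole neighbourhood of probably valid IDs in the same
    facility. A frame with bad parity is refused rather than extrapolated.
    """
    card = wiegand26_decode(frame)
    if not card["parity_ok"]:
        raise ValueError("refusing to extrapolate from a corrupt read")
    fc, cn = card["facility_code"], card["card_number"]
    return [wiegand26_encode(fc, n)
            for n in range(cn - spread, cn + spread + 1)
            if 0 <= n <= 0xFFFF and n != cn]


if __name__ == "__main__":
    # Constructed sample badge: facility code 42, card number 12345.
    captured = wiegand26_encode(42, 12345)
    print(captured, wiegand26_decode(captured))
    for forged in neighbouring_badges(captured):
        print(forged, wiegand26_decode(forged))
```

The parity bits are the only integrity check in this format; there is no secret, which is why the countermeasure is not a better badge printer but a credential that authenticates (e.g. a challenge-response card) and a reader that rejects plain Wiegand replays.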