the engineering part of social engineering, or why just lying your way in don't get you anywhere
TRANSCRIPT
1. The engineering part of social engineering
aluc#
or why just lying your way in don't get you anywhere.
2. Im Aluc
Im a old hacker who loves the blood of your network
3. Preface:
4. Needed Skillset:-physical-logical-Customer
Preparation-theoretical models of attack-check the customer needs
by his business-Contract
5. Needed physical/psychical Skillset:-understanding of
craftsmanshipideal life experiences as electrician telephone cable
Guy computer Mechanic-lock picking-in hostile environment Physical
Security-good rhetoric-understanding of the person you approach-a
understanding of human psychology-NLPideal Hypnosis
6. Example Skills:
7. Example Skills:
8. What is your first impression?-Cloths Civil/Uniform type -Body
type-Gender-Ethnic-Manners/Discipline-Physical
Markings-Smell-Teeth-Hands
9. Everyone talks about NLP what is this:NLP is a communications
model Created in the early 70s by John GrinderandRichard BandlerThe
basisoftheirworkaretheanalysesoftheworkofthetherapists Fritz Perls,
Virginia Satir and Milton H. EricksonThe N stands for the flow of
Neurologic processes in the Human BrainThe L stands linguistic what
is our capability to speakThe P stands for programming what means
the change of the inner Program of a Human
10. The Modeling: in this Process you want to find out how your
Brain operates by analyzing the pattern of verbal and nonverbal
communication. The outcome can be used for step by step guides to
transfer skills from one person to another Example: From the
Basement to the Bedroom a Pickup guide by Chris Nickerson
11. Understanding keywords and differ between Attributes and
states:-A humans Brain can process about 100 trillion
terraflops-Your sensors getting 10.000 bit/s-from this 10.000 bits
are about 40 being processedThat makes us to make up our very own
version of this world.
12. How do we use this:-listen in conversations to keywordslike
stress freedom love etc-find out in which state the person is vs
his/her believing-pay attention to micro expressions-understand the
difference between a state and a attribute he feels vs he has
13. Micro Expressions:Based on the System which Dr.Friesen
developed, we can divide about 1000 unique facial expressions which
are exposedby the neurological connection between the emotions and
the 43 muscles we have in the face. This can be used to find out if
a person lies at you.One should not underestimate what you can see
in the eyes.With a bit of training you can see if a person sees a
video picture in the "mind's eye" (Visual) or is listening to an
internal recording(Auditory), or if she/he is concentrating on
feelings (Kinaesthetic)
14. Micro Expressions:here some Charts from Dr.Lightman:
15. Convert Attributes into States:-try to generate and feel states
for yourself-try to generate Statesfrom other people by using the
right words-find out when these states are appropriate - find the
right timing to use these statesDont forget: From the 2Mio Bit/s
messages you get in you can only deal with 7 at one time
16. Intelligence Gathering before 1th customer meeting:internet
search:-Maltego-theHarvester-BundesAnzeiger-http://www.onstrat.com/osint/-whois-Social
Mediavisit the Place ie. As customer-building-video
surveillance-entry systems -security/alarm systems
17. Meet the Client:-find out what his business is-find out about
the companies hierarchy-customer relations-vendor relations
18. Treat Modeling:-asset (resources which can become targets)
-threat-vulnerability-attack-countermeasures1.identify the security
objectives2.get a application overview3.decompose the
architecture4.identify threats 5.identify vulnerabilities
19. Treat Modeling:STRIDE Model-Spoofing Identity -Tampering with
Data-Repudiation-Information Disclosure-Denial of Service-Elevation
of Privilege
20. Treat Modeling:DREAD Model-Damage
Potential-Reproducibility-Exploitability-Affected
Users-Discoverability
21. Treat Modeling:
22. The Assesment:-the Storyboard-Infiltration-Find & fetch the
data-Exfiltratethe data-backup plan-Writing report-Business impact
analyses-customer meeting-Customer Trainings
23. Infiltration:-tailgating / piggybacking-steal Fingerprint-use
of RFID Skimmer-Copy entry badges ie. With a proxmark III-Car key
skimmer-drop 32GB USB Key-pick Locks-entry as Vendor-entry as
Client
24. Example Infiltration Hardware:
25. 26. Finding and fetching Data:-Printer-Spearfishing-Dumpster
diving-0x41414141-Keylogger-l0pthcrack
27. Exfiltrate Data:-USB Key-printout in Trash-over the
Net-photo
28. Thanx for listening see/hear me at: http:// aluc.tv