Wednesday, April 4, 2012

The Art of Human Hacking - Social Engineering (SE) tutorial series



Hello BTS readers, here is an interesting tutorial written by my friend Mr. Ashish Mistry, who is the founder of Hcon and author of the 'HconSTF' project.


Hello all,

After a long time I have started writing again, in the hope that my belief in “sharing the spirit of learning” is fulfilled well. So from today I am going to write a series of tutorials on my favorite topic, 'Social Engineering' (SE).

We start from a small intro to the very basics of what SE is, why you should learn and use it, and how it works, and as we go further in this series, we will look at 'leveraging SE into penetration testing'.

Disclaimer: The examples used in this tutorial series are partly my own and partly random picks from the internet and social networks, so if any example accidentally matches your situation, no one can hold me responsible for anything in any regard whatsoever. These are just examples, purely for educational purposes, and I have no intention to offend anyone or anything.
These tutorials are for educational purposes only; you as the reader are responsible for whatever you do with the material published here, not the author and not the site.

So let's begin with the first tutorial on SE.

What is social engineering?
It's the art of manipulating humans.
In simpler words, 'tricking people so that they do what YOU want from them, or what you want to get done by them'.

Confused?

Let's take an example:
Suppose you go to a toy shop with your child, and your child wants a toy car, so he asks the salesperson to show him a car, perhaps one he has seen in the display. The salesperson shows that car, or, as they always do, starts with a costly one. When the boy sees the car, he insists on taking only that one, because the salesperson showed off features like the lights and the remote. But the toy car is too costly for this month's budget and the boy wants it anyhow, so you try to divert the child to some other car that fits your budget better. As he is a small child, he does not listen to you, and at the end of all this,
either you buy the costly car the child wanted, or he gets nothing, or he gets some other car.

Now you might ask me, “So what's new in this? It's very normal, every child does it, right?” But the point of this example is to show a perfectly crafted and executed 'social engineering attack' in our day-to-day life.
In the above example the social engineer was the shop's salesperson, who used the child to sell a costly car and get more money from you.

Basically, the salesperson targeted the nature of the child, because he knows that once a child has been shown what he wants, it's very difficult for the parents to divert him, so he can sell what HE wanted.

So, if you understand basic exploitation terms, then:
  • Attacker = the salesperson
  • Vulnerability (weakness) = the child (actually, a child's obvious nature)
  • Exploit (trick) = showing a more costly car and more of its features to gain more of the child's attention
  • Payload (purpose) = more money from you
  • Target = yes, you guessed it right, it's YOU :)


Let's take another example:

This one is a simple but real-world example from Facebook:
a person shared this image of a quote from the honorable Mr. APJ Abdul Kalam.

It's good, right? He is proud of him or liked the quote, right?
But let's now try to understand it from an SE point of view.
There are some things to note in the photograph:
1. on the image, there is a website address
2. below the image, the website address is written again

First, let me tell you that the web address was not that of any government site but of a private product trading site, which is totally unrelated to what the image is about, and marking the image with it is such a disrespect on the person's part. Anyway,
so why would anyone do this?

A very simple but clever kind of SE is at work here:
  • Attacker = whoever initially edited this photo to add the web address
  • Vulnerability (weakness) = the human nature of sharing and liking good photos/quotes
  • Exploit (trick) = the edited photo which has the quote
  • Payload (purpose) = marketing of his website, and reaching a larger audience for his business for FREE
  • Target = anyone on Facebook who shares this photo

Another point worth noticing is that anything you see and like gets stored somewhere in your mind, so when anyone around you asks or talks about any property or trading things, this site might flash into your mind.
Now, after this example, let's refine and add to our previous simple definition of SE.

"It's the art of manipulating people so that they do as you want or give you what you want from them, without any kind of physical offense. It's a whole psychological process of targeting other people's minds to gain their TRUST and exploiting it, and of using human weaknesses against the target by crafting SE attacks according to the kind of work we want to get done by others."

Hopefully you have now got the idea of social engineering (SE), and some things with which to start understanding and observing it. But yes, every human and their psychological behavior will be different; studying your target and crafting the attack according to your goal is going to give more success. For this, one of the key things is the observation and quick-response abilities of the attacker or social engineer.

So who can be considered a social engineer?
It can be anyone, from a relative or friend convincing you to do or believe what they say, even if you don't want to do it or believe it.

It can be a salesperson, marketing persons, a thief/con artist, your boss, penetration testers, forensics experts or anyone around you!

What's more, it's not a new thing; it has been used for centuries by different people, even if you consider any historical persons from your nation.

Think about it: might you have been social engineered by someone, somewhere?

That's all for this first introductory tutorial.
If you have any questions, want to give any feedback, or want anything explained in this tutorial series, then please post in the comments.


Article author: Ashish Mistry
Article license: Social Engineering tutorials series by Ashish Mistry is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

 

© Break The Security. Copyright 2008 All Rights Reserved