social engineering

SOCIAL ENGINEERING THE HUMAN HACK By: Lance Howell

Upload: lance-howell

Post on 23-Dec-2014


Category: Technology



DESCRIPTION

Learn about Human Hacking and the Art of social engineering. Learn a general overview of what is possible through some simple tools both technical and non-technical in nature. This presentation is aimed at educating the viewer into being more aware of what information they may be giving out even without knowing about it.

TRANSCRIPT

Page 1: Social Engineering

SOCIAL ENGINEERING THE HUMAN HACK

By: Lance Howell

Page 2: Social Engineering

A LITTLE ABOUT ME… VERY LITTLE.

• 36 years old

• BS in Information Systems Security

• Interests: Information Security, Linux, web development, and general hacking

• Web Site: www.tech-heaven.net

Page 3: Social Engineering

WHAT DO YOU THINK OF

• Liar

• Con man/Con artist

• Criminal

• Politicians

• Actor

• Performer (Magician, Hypnotist, Comedian, etc.)

Page 4: Social Engineering

STEPS OF AN ATTACK

• Information Gathering

• Elicitation

• Pretexting

• Influencing Others
  • Reciprocation
  • Scarcity
  • Authority
  • Commitment and Consistency
  • Liking
  • Consensus or Social Proof

Page 5: Social Engineering

PSYCHOLOGICAL PRINCIPLES TO STUDY

• Modes of Thinking

• Eye Cues

• Micro-Expressions

• Neuro-Linguistic Programming (NLP)

• Interview and Interrogation

• Establish Rapport with the Person

Page 6: Social Engineering

MICROEXPRESSIONS

The small facial expressions and body language that can be used to tell what a person is really thinking or what they are feeling about the conversation.

Page 7: Social Engineering

EXAMPLES OF MICROEXPRESSIONS

Page 8: Social Engineering

ANGER

1. Eyebrows are down and together.

2. Eyes glare.

3. Narrowing of lips.

Page 9: Social Engineering

CONTEMPT

1. Lip corner tight and raised on one side of face.

Page 10: Social Engineering

DISGUST

1. Narrowed eyes.

2. Wrinkled nose

3. Parted mouth

Page 11: Social Engineering

SAD

1. Creased forehead.

2. Eyes losing focus.

3. Downturned mouth.

4. Wavering chin

Page 12: Social Engineering

FEAR

1. Eyebrows raised and pulled together.

2. Wide-open eyes.

3. Tensed lower eyelids.

4. Parted lips. Lips slightly stretched.

Page 13: Social Engineering

COMPUTER-BASED TOOLS

• Maltego 3.0

• Maltego Mesh: Firefox Plug-in (No longer supported or updated)

• Social Engineering Toolkit (SET): Good for E-Mail Based Attacks and Phishing

• Common User Password Profiler (CUPP)

• Cree.py BRAND NEW

Page 14: Social Engineering

MALTEGO 3.1

• Community Edition vs. Commercial Edition

• Works on Windows, Mac and Linux

• Provides a graphical way to do several Linux commands

Page 15: Social Engineering

MALTEGO MESH: WHY USE IT???

• Free

• Helps you find information quickly within a large page (no need to read an entire long blog to find an email address)

• Quickly search on Facebook with email addresses instead of having to browse to each site.

• Not being developed anymore.

Page 16: Social Engineering

DEMONSTRATION OF MALTEGO 3

Page 17: Social Engineering

SOCIAL ENGINEERING TOOLKIT (SET)

• Tool designed to perform advanced attacks against a person or organization during a penetration test.

• Under constant development (be sure to update SET every couple of days). Current version: 3.3

• Configure the set_config file.

• New version includes a web GUI

• Traditional interface is an interactive, menu-driven interface

Page 18: Social Engineering

TYPES OF ATTACK VECTORS

Page 19: Social Engineering

SHODAN HTTP://WWW.SHODANHQ.COM/

• Search engine for connected machines.

• Search for computers that are connected to the internet based on city, country, latitude/longitude, hostname, operating system and IP

Page 20: Social Engineering

DEMONSTRATION OF SHODAN

Page 21: Social Engineering

CREE.PY ISN’T IT

Retrieves information from Twitter as well as Flickr

Gathers geolocation data from flickr, twitpic.com, yfrog.com, img.ly, plixi.com, twitrpix.com, foleext.com, shozu.com, pickhur.com, moby.to, twitsnaps.com, and twitgoo.com

Download it from http://ilektrojohn.github.com/creepy/

Page 22: Social Engineering

DEMONSTRATION OF CREE.PY

Page 23: Social Engineering

CLOSING COMMENTS

• Ways to protect yourself against attacks

• More resources to further your knowledge and education

Page 24: Social Engineering

WAYS TO PROTECT YOURSELF

• Educate yourself and your staff on proper procedures when answering the phone, e-mail, and questioning people.

• Do Not Click On Links in e-mails.

• Have training in social engineering techniques. (Even a newsletter is better than nothing.)

• Question people in your building that you do not know, especially if the building is not open to the public.

Page 25: Social Engineering

ADDITIONAL RESOURCES

• www.social-engineer.org

• www.offensive-security.com/metasploit-unleashed/

• www.secmaniac.com

• Social Engineering: The Art of Human Hacking by Chris Hadnagy

• No Tech Hacking by Johnny Long

• Google Hacking by Johnny Long