Social Engineering - Christopher Hadnagy [20]
Like BasKet, Dradis is a free, open-source tool that can be found at http://dradisframework.org/. Whether you are using Linux, Windows, or a Mac, Dradis has easy-to-use set up and installation instructions found at http://dradisframework.org/install.html.
Once Dradis is installed and set up, you simply browse to the localhost and port you assigned, or use the standard 3004. You can do this by opening a browser and typing https://localhost:3004/.
Once logged in, you’re greeted with the screen shown in Figure 2-3. Notice the Add Branch button at the top left. Adding a branch allows you to add similar details as you can in BasKet: notes, images, and more, and you can even import notes.
Figure 2-3: Dradis has a nice, easy-to-use interface.
Dradis and BasKet are just two tools that I have used to collect and store data. The websites for both Dradis and BasKet have very nice tutorials on setting up and using these powerful tools.
Whatever operating system you use—Mac, Windows, or Linux—there are choices out there for you. What is important is to use a tool that you are comfortable with and that can handle large amounts of data.
For that reason I suggest staying away from things like Notepad in Windows or Smultron or TextEdit in Mac. You want to be able to format and highlight certain areas to make them stand out. In my Dradis server, pictured in Figure 2-3, I have a section for phone scripts. This functionality is handy for transcribing ideas that might work based on the information I gathered.
These tools suggest how a social engineer begins to utilize the information he collects. The first stage in utilizing the information you gather is thinking like a social engineer.
Thinking Like a Social Engineer
Having a few hundred megabytes of data and pictures is great, but when you start reviewing it, how do you train yourself to review and then think of the data in a way that has maximum impact?
Of course you could just open a browser and type in long-winded random searches that may lead to some form of information, some of which may even be useful. If you are hungry you probably don’t just run to the kitchen and start to throw whatever ingredients you see into a bowl and start digging in. Planning, preparation, and thought all cause the meal to be good. Similar to a real meal, a social engineer needs to plan, prepare, and think about what information he will try to obtain and how he will obtain it.
When it comes to this vital step of information gathering many people will have to change the way they think. You have to approach the world of information in front of you with a different opinion and mindset than what you normally may have. You have to learn to question everything, and, when you see a piece of information, learn to think of it as a social engineer would. The way you ask questions of the web or other sources must change. The way you view the answers that come back must also change. Overhearing a conversation, reading what seems like a meaningless forum post, seeing a bag of trash—you should assimilate this information in a different way than you did before. My mentor Mati gets excited when he sees a program crash. Why? Because he is a penetration tester and exploit writer. A crash is the first step to finding a vulnerability in software, so instead of being irritated at losing data he gets excited at the crash. A social engineer must approach information in much the same way. When finding a target that utilizes many different social media sites, look for the links between them and the information that can create a whole profile.
As an example, one time I rented a