Social Engineering - Christopher Hadnagy [31]
Feedback: The goal with this scenario is to get the front desk receptionist to accept your USB drive that has a malicious program on it. The program will auto-load and scrape her system for all information, such as usernames, passwords, email accounts, SAM files that contain all the passwords on the system, and more, copying it all to a directory on the USB drive. It also creates a reverse connection from the receptionist’s machine to your servers, giving you access to her machine and hopefully the network. I am fond of using the Metasploit framework or the Social Engineering Toolkit (see Chapter 7) that ties in with Metasploit. Metasploit executes exploit code on its victims and it has a built-in handler called Meterpreter. The user can script many things like keylogging, screenshots, and recon from the victims’ machines.
Receivers: Having one true target can be tricky because if your target is unreceptive to the idea, your plan is shot. You must be warm, friendly, and convincing. This must be done fast, too, because too much time will allow doubt to set in. But if you move too fast you can cause doubt and fear, killing your chances. A perfect balance must be accomplished.
Message: Because you’re delivering the message in person, it must be clear and concise. The basic story is that you saw the ad in the paper for a database administrator and you called in and spoke to Debbie, the HR person. She said she was booked today but you should stop in and drop off a resume for her review and then meet her at the end of the week. While you were driving over, a squirrel ran out, causing you to slam on the brakes and causing your coffee to come out of the holder and spill in your bag, ruining your resumes and other stuff. Anyhow, you have another appointment but really need this job and wonder whether she would print you a fresh copy from your USB drive.
Channel: You are going in person using verbal, facial, and body language communication.
Source: Again, this is you as the social engineer, unless you have a good reason to have a stand-in.
Holding a coffee-stained folder with some wet papers in it can help sell the story. Looking dejected and not alpha-male-ish can also help sell it. Politely speaking to her and not using foul language will help her take a liking to you and maybe even feel some pity. The USB key should contain a file called myresume.doc or myresume.pdf and be printable. PDF is the most commonly used format since most companies are running an older version of Adobe Reader that is vulnerable to many different exploits. Make sure the resume is in a format that allows for the most people to be able to open it, not some odd format.
Most of the time people want to help. They want to be able to assist a person in distress if the story is believable as well as heart wrenching. For a special twist if you really lack a heart as a social engineer, you can put a spin on the story: On my way over, it was my turn today to drop my daughter off at school. When she climbed over the seat to give me a kiss goodbye she knocked over my coffee into my bag. I was already running late and closer to here than home; could you print me a fresh copy?
Either way, this story usually works and will lead to the USB key being inserted into the computer and most likely a complete compromise of the receptionist’s computer, which can lead to a total compromise of the company.
The Power of Communication Models
Communication modeling is a powerful tool that is a must-have skill for every social engineer. The hardest part about communication modeling is to ensure your information-gathering sessions are solid.
In both of the earlier scenarios, not having a good enough plan