Social Engineering - Christopher Hadnagy [85]
Maybe you get stopped at the door during a social engineering gig and the gatekeeper refuses you access to the building. See whether you can “gain access” by using a line like this: “I understand Mr. Smith is busy and can’t meet with me. Would you mind giving him this CD of information about our products and I will follow up with a phone call later on today or tomorrow?”
It is a lesser admission, but it would nevertheless get, if not you, then one of your tools in the door.
The End Goal
To prepare to use proper interview or interrogation tactics, as a social engineer you may want to answer a few questions of your own. I encourage you to write these down in a notepad because doing so can help you prepare for your encounter with the target. Plus, writing down your answers makes them real and gives you a path to work on during the preparation for your interrogation.
Answer these questions:
Who: With whom is the interrogation or encounter being conducted? What role does he play? List names, titles, and other information about him that is relevant to the interrogation.
What: Exactly what preparation has been done and what is going to be your goal during the interrogation? You must have a definite aim.
When: What is the timeframe of the interrogation? What time of day or night? What are the circumstances at the business that lead to this decision about when to make your move? Is there a party you overheard people talking about? Is it a time when a large portion of the employees are on vacation? Is it during lunch time? Is it during the changing of the security staff?
Where: What is the location of the interrogation? Are you going to be at the target’s location? Are you tracking the person to his or her gym, local bar, or daycare? Where is the best place to try to obtain the information you need from the target?
Why: People hear this question often enough from their kids, but it must be asked. What is the purpose of this interrogation? To make the target admit to the location of something? To make him give out information he should not? For you to gain access to a room or a server?
How: What methods will you use in this interrogation? NLP? Embedded commands? Human buffer overflow (discussed at the end of this chapter)? Microexpressions?
Of course, in a criminal interrogation the goal is confession to a crime. With interrogation as a social engineer the goal is a confession of a different sort. You want people to feel comfortable giving you information, and using the interrogation tactics discussed earlier you can make that easier to do. In the end, your social engineering interrogations should be like smooth interviews. However, a social engineer can use some other techniques to help while using interview and interrogation tactics on a target.
Gesturing
Gestures vary widely because they are very much culturally dependent. Unlike microexpressions, which are universal, gestures from the United States can actually be insulting in other parts of the world, or have no meaning at all.
Here is an exercise to help you better understand gesturing differences. If you want, you can write down your answers to refer to in a few minutes. Depending on what culture you’re from, the answers will be interesting to see.
Write down what you think each of these gestures means and whether it is rude:
1. Holding your palm facing upward, point at someone with your index finger and beckon to him.
2. Make a “V” sign with your index and middle fingers.
3. Sit with the soles of your feet showing.
4. Make the “ok” symbol with your fingers.
5. Wave a hand with your palm facing outward.
6. Nod your head up and down.
If you wrote down your answers, compare them to some of the following interesting cultural differences:
1. In the U.S. this gesture simply means “Come here,” but in the Middle or Far East, Portugal, Spain, Latin America, Japan, Indonesia, and