Social Engineering - Christopher Hadnagy [99]
In a real buffer overflow, exploit writers use padding, which is a method of adding some characters that do not interrupt the execution but allow a nice little “landing pad” that leads to the malicious code. Social engineers can utilize phrases that are like padding, to help the next command have a soft place to land when it is injected, such as:
“When you…”
“How do you feel when you…”
“A person can…”
“As you…”
All of these statements create an emotion or a thought that allows you to inject code into the subconscious.
Many examples of embedded commands exist, but here are a few to ponder:
Using quotes or stories: The brain tends to process stories differently than other information. Some of the greatest teachers who have ever lived—Aristotle, Plato, Gamaliel, Jesus—all used stories and illustrations to teach those listening to them. Why?
The unconscious mind processes stories as direct instructions. Bandler, one of the fathers of NLP, taught that NLP practitioners need to learn to use quotes. He knew the power of stories or quotes would give the speaker power over the thinking of his listeners. Reading quotes, using quotes, and then embedding commands into quotes can be a powerful use of this technique.
For example, in one situation I needed to manipulate a target to give me an old password so I could “change” it to a more secure password. My pretext was a support rep and they automatically questioned why there was a need to change old passwords. I used something like, “A recent study by Xavier Research Inc. stated that 74% of the people use weak passwords in corporate America. That is the reason we launched a program to change the passwords corporate-wide. I will perform that password change for you; I need for you to give me your old Windows password and then I will make that change now.” By quoting a research facility it added weight to my words about why this change had to occur.
Using negation: Negation is much like reverse psychology. By telling the target to not do something too much, you can embed a command into the sentence. For example, if I tell you “Don’t spend too much time practicing the use of embedded commands,” I can slip the command “practice the use of embedded commands” into my sentence. I also can presuppose that you will practice it to some extent, and if you are stubborn you might say, “You can’t tell me what to do, I will practice all I want.”
Telling a person that something is not important or relevant makes his unconscious pay extra attention so he can determine whether it is relevant or not. You can embed commands in negative sentences like the earlier example that will leave the listener no option but to take action.
Forcing the listener to use his imagination: This method works when you ask the listener a question, using phrases such as “What happens…” or “How do you feel when…,” for which he must imagine something to answer it. If you ask, “What happens when you become rich and famous?” the listener has to internally imagine the time he might be rich and famous to answer that question. If I ask you, “What happens when you master the use of embedded commands?” I am forcing you to imagine becoming a master and how you will feel when that happens. Think of it this way: If I tell you, “Do not imagine a red cow,” you have to picture a red cow first to tell yourself to not think about it. Your unconscious mind is responsible for interpreting each word in a set of commands into something it can represent and then give meaning to.
By the time your brain has understood the sentence, your unconscious has imagined it. The unconscious mind processes statements directly, with no regard to the context. The other great part is that the unconscious can track body language, facial expressions, voice tones, and gestures, and then connect each of them to the message being spoken. While it is connecting the dots, so to speak, the unconscious mind has little option but to comply if an embedded command exists.
What’s important when using embedded commands is to not mess up your