
Thread: Social Engineering to gain VPN and domain admin

  1. #11
    Just burned his ISO Lammer's Avatar
    Join Date
    Nov 2008
    Posts
    11

    You Rule

    Very well done.
    Pretty amazing real story
    Loved to read it.
    Many times I tried to use social engineering as well, however not with your success.

  2. #12
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    7

    Props on the excellent use of social engineering, especially the on-the-fly improvisation. I've never had the chance to test such a large organization with numerous support personnel under multiple tiers, but I will keep this test in mind when I do.

  3. #13
    Junior Member
    Join Date
    Jan 2010
    Posts
    42

    Unfortunately, most people (even the ones working in IT) think that "systems hardening" can be directly translated into "featuring a state of the art intrusion prevention system" or "deploying the best firewalls" available.
    Well, 99% of the time this is not true.
    A serious attacker will try every possible way to gain access and it's quite hard to stress out that the weakest part of every information system is the human part of it...
    Obviously, no one should ever run an IT environment without all of the bells and whistles of modern IT security tools and devices.
    But it's amazing to see how many passwords can be easily cracked using the "rubber-hose cryptanalysis" instead of using huge passfiles...

  4. #14
    Junior Member
    Join Date
    Nov 2006
    Posts
    38

    Nice one. Most organizations are vulnerable to this attack. Great.

  5. #15
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Social engineering can be used in many ways and the interesting thing is that often the small details make a big difference.
    I remember when I was 16 and wanted to buy cigarettes. I always looked them deep into their eyes when I asked for 20 Marlboro, which makes it psychologically harder for the person to ask for ID. I had the money prepared so I didn't have to waste time fiddling with my wallet - that means more time for her to think if I'm 18. If I looked too friendly then it is much easier for them to ask for ID. I found out if I looked a bit in a hurry and wasn't smiling too much or anything, I always came out with the cigarettes.
    I also thought of the idea of looking for my wallet, and "accidentally" pulling another pack of cigarettes out which implies I'm 18, then I say oops and get my wallet out. Also if the store had multiple lines, I picked the one where the salesperson (what's the proper word in English??) looked easiest to persuade.
    Maybe you social engineer more often than you actually think every day (:
    - Poul Wittig

  6. #16
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by Deathray View Post
    Social engineering can be used in many ways and the interesting thing is that often the small details make a big difference.
    I remember when I was 16 and wanted to buy cigarettes. I always looked them deep into their eyes when I asked for 20 Marlboro, which makes it psychologically harder for the person to ask for ID. I had the money prepared so I didn't have to waste time fiddling with my wallet - that means more time for her to think if I'm 18. If I looked too friendly then it is much easier for them to ask for ID. I found out if I looked a bit in a hurry and wasn't smiling too much or anything, I always came out with the cigarettes.
    I also thought of the idea of looking for my wallet, and "accidentally" pulling another pack of cigarettes out which implies I'm 18, then I say oops and get my wallet out. Also if the store had multiple lines, I picked the one where the salesperson (what's the proper word in English??) looked easiest to persuade.
    Maybe you social engineer more often than you actually think every day (:
    Social Engineering is used every day by thousands of people and most don't realize it. Sales is all about social engineering. Those that are really good at SE are also excellent salespeople. I don't mean your dumb clerks, but salespeople that could sell ice cubes to Eskimos.

    Anyone that's really interested in SE needs to read a book about interpreting body language. Once you can properly interpret and then fake body language in return to something you see, you'll be really successful at it. It not only helps in Sales, but it also helps in picking up chicks, because women are more prone to reading body language subconsciously.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #17
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by streaker69 View Post
    Social Engineering is used every day by thousands of people and most don't realize it. Sales is all about social engineering. Those that are really good at SE are also excellent salespeople. I don't mean your dumb clerks, but salespeople that could sell ice cubes to Eskimos.
    Heh - I used to do quite well way back when selling 3rd party vehicle warranties. Secret to my success: mirror matching
    dd if=/dev/swc666 of=/dev/wyze

  8. #18
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by wyze View Post
    Heh - I used to do quite well way back when selling 3rd party vehicle warranties. Secret to my success: mirror matching
    Yep, mirror matching is a powerful selling technique. I used it many times myself and used to show the new sales people how to do it. Not many were really able to consciously read and then match.

  9. #19
    Member
    Join Date
    Nov 2007
    Posts
    220

    Heard a thing once from a DJ on the radio I think it was, saying he had someone try it on him, so he tested it, all sorts, crossing legs, drinking, playing with pen, everything he did this guy copied, said it freaked him out instead of making him feel comfortable.

    Moral of the story, great trick, don't overdo it
    wtf?

  10. #20
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by Andy90 View Post
    Heard a thing once from a DJ on the radio I think it was, saying he had someone try it on him, so he tested it, all sorts, crossing legs, drinking, playing with pen, everything he did this guy copied, said it freaked him out instead of making him feel comfortable.

    Moral of the story, great trick, don't overdo it
    The trick is to be subtle in doing it. You never mirror someone the instant they change the position. You wait a few seconds and then do it as though it was natural. What you'll find is eventually you take over as the primary and they become the mirror. That's when you know you have them, and you can sell them anything.