009.txt

黑客培训教程

THE COMPLETE SOCIAL ENGINEERING FAQ!
"There's a sucker born every minute." PT Barnum

"Don't touch me, sucka." Mr. T

By bernz (official sponsor of the 1996 Croatian Olympic Men's Synchronized Swimming Team)
with shoutouts to: The Genocide2600, Silicon Toad and your big fat mama.

DISCLAIMER!!!!! THIS INFORMATION IS HERE FOR THE SOLE PURPOSE OF
ENLIGHTENMENT! IF YOU USE IT AND GET CAUGHT, NO ONE IS TO BLAME BUT
YOUR OWN IDIOTIC ASS!!!

SECTION I: INTRO
1.1 What is social engineering?
1.2 Why is there a FAQ about it?
1.3 Who cares?
1.4 Basic intro and other shit.

SECTION II: PHONE SOCIAL ENGINEERING
2.1 Basics
2.2 Equipment
2.3 Phreak stuff
2.4 Technique

SECTION III: SNAIL MAIL
3.1 Is Snail Mail acutally usefull for something?
3.2 Equipment
3.3 Technique

SECTION IV: INTERNET
4.1 Isn't this just hacking?

SECTION V: LIVE, FROM NEW YORK...
5.1 In person?
5.2 Equipment
5.3 I'm wearing a suit, now what?

SECTION VI: PUTTING IT TOGETHER
A sample problem

1.1 What is social engineering?

     The hacker's jargon dictionary says this:

Social Engineering: n.  Term used among crackers and  samurai for cracking
techniques that rely on weaknesses in  wetware rather than software; the aim
is to trick people into revealing passwords or other information that
compromises a target  system's security.  Classic scams include phoning up a
mark who has  the required information and posing as a field service tech or a 
fellow employee with an urgent access problem. 

     This is true. Social engineering, from a narrow point of view, is
basically phone scams which pit your knowledge and wits against another human.
This technique is used for a lot of things, such as gaining passwords,
keycards and basic information on a system or organization.

1.2 Why is there a FAQ about it?

     Good question. I'm glad I asked. I made this for a few reasons. The
first being that Social Engineering is rarely discussed. People discuss
cracking and phreaking a lot, but the forum for social engineering ideas is
stagnant at best. Hopefully this will help generate more discussion. I also
find that social engineering specialists get little respect, this will show
ignorant hackers what we go through to get passwords. The last reason is
honestly for a bit of Neophyte training. Just another DOC for them to read so
I don't get bogged with email.

1.3 Who Cares?

     To Neophytes: You should, you little fuck. If you think the world of
computers and security opens up to you through a keyboard and your redbox then
you are so fucking dead wrong. Good. Go to your school, change your grades and
be a "badass" hacker. Hacking, like real life, exists in more than just your
system. You can't use proggies to solve everything. I don't mean to sound
upset, but jesus, have a bit of innovation and a sense of adventure.

     To Experienced Hackers: Just thought it would help a bit.

1.4 Basic intro and shit for this document.

     This FAQ will address phone techniques, mail techniques, internet
techniques and live techniques. I will discuss Equipment and will put some
scripts of actual conversations from social engineering. There are times I
might discuss things that cross the line into phreaking or traditional
hacking. Don't send me email and say that my terms aren't correct and
blahblahblah isn't social engineering. I use them for convenience and lack of
better methods of explanation (eg I might say "dumpster diving is a form of
social engineering") Don't get technical.

SECTION II: PHONES

2.1 Basics

     This is probably the most common social engineering technique. It's
quick, painless and the lazy person can do it. No movement, other than fingers
is necessary. Just call the person and there you go. Of course it gets more
complicated than that.

2.2 What Equipment is necessary for this?

     The most important peice of hardware is your wetware. You have to have a
damn quick mind. As far as physical Equipment goes, a phone is necessary. Do
not have call waiting as this will make you sound less believeable. There is
no real reason why this does but getting beeped in the middle of a scam just
throws off the rhythym. The phone should be good quality and try to avoid
cordless, unless you never get static on them. Some phones have these great
buttons that make office noise in the background. 
     Caller ID units are helpful if you pull off a scam using callback. You
don't want to be expecting your girlfriend and pick up the phone and say, "I
wanna fuck you" only to find out it was an IBM operator confirming your
identity. Operators don't want to have sex with you and so your scam is
fucked. Besides, call ID units are just cool because you can say, "Hello,
<blank>" when someone calls. The Radio Slut carries these pretty cheap.
     Something I use is a voice changer. It makes my voice sound deeper than
James Earl Jones or as high as a woman. This is great if you can't change your
pitch very well and you don't want to sound like a kid (rarely helpful). Being
able to change gender can also be very helpful (see technique below). I got
one for a gift from Sharper Image. This means that brand will cost quite a bit
of cash, but it's very good quality. If anyone knows of other brand of voice changers, please inform me.


2.3 Phreaking and Social engineering? 

     Social Engineering and phreaking cross lines quite a lot. The most
obvious reasons are because phreaks need to access Ma Bell in other ways but
computers. They use con games to draw info out of operators.
     Redboxing, greenboxing and other phreaking techniques can be used to
avoid the phone bills that come with spending WAAAAYYY too much time on the
phone trying to scam a password. Through the internet, telnetting to
california is free. Through ma bell, it's pricey. I say making phone calls
from payphones is fine, but beware of background noise. Sounding like you're
at a payphone can make you sound pretty unprofessional. Find a secluded phone
booth to use.

2.4 How do I pull off a social engineering with a phone?

     First thing is find your mark. Let's say you want to hit your school.
Call the acedemic computer center (or its equivelent). Assuming you already
have an account, tell them you can't access your account. At this point they
might do one of two things. If they are stupid, which you hope they are, they
will give you a new password. Under that precept, they'll do that for most
people. Simply finger someone's account, specifically a faculty member. At
this point, use your voice changer when you call and imitate that teacher the
best you can. People sound different over the phone, so you'll have a bit of
help. 
     Try to make the person you're imitating a female (unless you are a female). Most of the
guys running these things will give anything to a good sounding woman because the majority of
the guys running minicomputers are social messes. Act like a woman (using voice changer) and
you'll have anything you want from them.