With the plethora of social networking sites out there, people can easily share every aspect of their lives with anyone they choose, making potentially damaging information more readily available than ever before.
Many of the skills or methods that a social engineer may use come from other fields. One field that is superb at gathering information is sales. Salespeople tend to be very talkative, easygoing, and very good at collecting data about those with whom they interact.
Gathering information is like building a house. If you try to start with the roof, your house will surely be a failure. A good house will be built on a solid foundation and from there, literally, from the ground up. As you gather information you may be overwhelmed with how to organize and then use this data, so starting a file, or using an information-gathering tool to store it, is a good idea.
Many tools exist to assist in collecting and then using this data. For penetration tests and social engineering audits I use a Linux distribution called BackTrack that is specifically designed for this purpose. BackTrack is like most Linux distributions in that it is free and open source. Perhaps its greatest asset is that it contains more than 300 tools designed to assist in security auditing.
All of the tools within BackTrack are also open source and free. Especially attractive is the high quality of BackTrack’s tools, many of which rival and even surpass tools you would pay an arm and a leg for. Two BackTrack tools that are particularly useful for information gathering and storing are called Dradis and BasKet.
How you interact with people in public can have devastating effects. In the following scenario I was asked to audit a company and before I could proceed I needed to gather some data. Take a look at how simple, seemingly meaningless information can lead to a breach.
Simply following one of the higher ups of the target company for a day or two showed me that he stopped for coffee every morning at the same time. Since I was aware of his 7:30 a.m. coffee stop at the local coffee shop I could plan a “meeting.” He would sit for 30–35 minutes, read the paper, and drink a medium cafe latte. I enter the shop about 3–5 minutes after he sits down. I order the same drink as him and sit down next to him in the shop. I look over as he places one section of the paper down and ask whether I can read the paper he is done with. Having already picked up a paper on the way, I knew that page three contained an article about a recent murder in the area. After acting as if I just read it, I say out loud, “Even in these small towns things are scary nowadays. You live around here?”
Now at this point the target can blow me off, or if I played my cards right, my body language, vocal tone, and appearance will put him at ease. He says, “Yeah, I moved in a few years back for a job. I like small towns, but you hear this more and more.”
I continue, “I am just traveling through the area. I sell high-end business consulting services to large companies and always enjoy traveling through the smaller towns but I seem to hear more and more of these stories even in the rural areas.” Then in a very joking tone I say, “You don’t happen to be a bigwig in a large company that needs some consulting do you?”
He laughs it off and then as if I just challenged him to prove his worth says, “Well I am a VP of finance at XYZ Corp. here locally, but I don’t handle that department.”
“Hey, look, I am not trying to sell you something, just enjoy coffee, but if you think I can stop by and leave you some information tomorrow or Wednesday?”
This is where the story gets interesting, as he says, “Well I would but I am heading out for a much-needed vacation on Wednesday. But why don’t you mail it to me and I will call you.” He then hands me a card.
“Going somewhere warm and sunny, I hope?” I ask this knowing that I am probably getting close to my point where I need to cut it off. “Taking the wife on a cruise south.” I can tell he doesn’t want to tell me where, which is fine, so we shake hands and part ways.
Now could he have been blowing me off? Probably, but I have some valuable information:
- His direct number
- When he is leaving for vacation
- What type of vacation
- That he is local
- The name of his company
- His title in his company
- That he recently relocated
Of course, some of this information I already had from previous information gathering, but I was able to add a substantial amount to it after this meeting. Now to launch the next part of the attack, I call his direct line the day after he is supposed to be gone and ask for him, only to be told by his receptionist, “Sorry, Mr. Smith is on vacation—can I take a message?”
Excellent. The information is verified and now all I need to do is launch the final phase, which means dressing up in a suit and taking my $9 business cards to his office. I enter, sign in, and tell the receptionist I have an appointment with Mr. Smith at 10:00 a.m. To which she replies, “He is on vacation, are you sure it is today?”
Using my practice sessions on microexpressions, I show true surprise: “Wait, his cruise was this week? I thought he left next week.”
Now this statement is vital—why?
I want the appointment to be believable and I want the receptionist to trust me by proxy. By stating I know about his cruise, this must mean Mr. Smith and I have had intimate conversation—enough so that I know his itinerary.
But my helplessness elicits pity and right away the secretary comes to my aid. “Oh, honey, I am sorry, do you want me to call his assistant?”
“Ah, no,” I reply. “I really wanted to leave some information with him. How about this—I will just leave it with you and you can give it to him when he gets back? I am terribly embarrassed; maybe you can avoid even telling him I did this?”
“My lips are sealed.”
“Thank you. Look I am going to crawl out of here, but before I do can I just use your bathroom?” I know that I normally would not be buzzed in, but I hope the combination of my rapport, my helplessness, and their pity will lead to success—and it does.
While in the bathroom, I place an envelope in one stall. On the cover of the envelope I put a sticker that says PRIVATE. Inside the “private” envelope is a USB key with a malicious payload on it. I do this in one stall and also in the hallway by a break room to increase my chances and hope that the person that finds one of them is curious enough to insert it into their computer.
Sure enough, this method seems to always work. The scary thing is that this attack probably wouldn’t work if it weren’t for a useless little conversation in a coffee shop.
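The dropped USB key in the story only pays off if someone plugs it into a company machine, and that insertion leaves a trace. The following is an added example, not code from the original post or from BackTrack, showing the defender's side: it parses the kernel messages a Linux host logs when a USB device is enumerated and claimed by the usb-storage driver, and flags any mass-storage device whose serial number is not on an approved list. The log lines are constructed samples in the real kernel format, and the allowlist and serial numbers are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample kernel log lines (not from the page). The format is what
# Linux prints when a USB device is enumerated and when usb-storage claims it.
SAMPLE_LOG = """\
[ 1234.567890] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
[ 1234.700000] usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 1234.700200] usb 1-1.2: Product: Cruzer Blade
[ 1234.700300] usb 1-1.2: Manufacturer: SanDisk
[ 1234.700400] usb 1-1.2: SerialNumber: 4C530001234567890123
[ 1234.710000] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[ 1300.100000] usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1300.100100] usb 1-1.3: Product: USB Keyboard
[ 1300.100200] usb 1-1.3: Manufacturer: Logitech
[ 1400.200000] usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 1400.200100] usb 2-1: Product: DataTraveler 3.0
[ 1400.200200] usb 2-1: Manufacturer: Kingston
[ 1400.200300] usb 2-1: SerialNumber: CORP-ISSUED-0001
[ 1400.210000] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of serial numbers for company-issued drives.
ALLOWED_SERIALS = {"CORP-ISSUED-0001"}

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
FOUND_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "usb <port>: Product|Manufacturer|SerialNumber: <value>"
ATTR_RE = re.compile(
    r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$"
)
# "usb-storage <port>:<iface>: USB Mass Storage device detected"
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    attrs: dict = field(default_factory=dict)
    mass_storage: bool = False


def parse_usb_events(log_text):
    """Return one UsbDevice per 'New USB device found' event, in log order.

    Attribute and usb-storage lines are tied to the most recent device seen
    on the same port, since the kernel logs them right after enumeration.
    """
    devices = []
    current = {}  # port -> most recently enumerated device on that port
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            devices.append(dev)
            current[m["port"]] = dev
            continue
        m = ATTR_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].attrs[m["key"]] = m["val"].strip()
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].mass_storage = True
    return devices


def unapproved_storage(devices, allowed_serials=ALLOWED_SERIALS):
    """Mass-storage devices whose serial is missing or not on the allowlist."""
    return [
        d for d in devices
        if d.mass_storage and d.attrs.get("SerialNumber") not in allowed_serials
    ]


if __name__ == "__main__":
    for d in unapproved_storage(parse_usb_events(SAMPLE_LOG)):
        print(
            f"ALERT: unapproved USB storage on port {d.port}: "
            f"{d.vid}:{d.pid} {d.attrs.get('Manufacturer', '?')} "
            f"{d.attrs.get('Product', '?')} serial={d.attrs.get('SerialNumber', '?')}"
        )
```

Run against the sample, the script flags only the SanDisk drive: the keyboard is never claimed by usb-storage, and the Kingston drive carries an allowlisted serial. On a real host the same parser can be fed from `dmesg` or the journal; the alert is a detection, and the matching mitigation is a device-control policy that refuses to mount storage that is not on the list.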
The point is not only about how small data can still lead to a breach, but also how you collect this data. The sources that you can use to collect data are important to understand and test until you are proficient with each method and each source of collection.
There are many different types of sources for collecting data. A good social engineer must be prepared to spend some time learning the strengths and weaknesses of each as well as the best way to utilize each source.