Tuesday, May 6, 2014

Mastering Elicitation


Like most aspects of social engineering, elicitation has a set of principles that when applied will enhance your skill level. To help you master these principles, remember these pointers:

  • Too many questions can shut down the target.
  • Peppering the target with a barrage of questions will do nothing but turn off the target.
  • Remember, conversation is a give and take. You want to ask, but you have to give to make the target feel at ease.
  • Too few questions will make the target feel uncomfortable. Have you ever been in a conversation that is filled with “awkward silences”? It isn’t good, is it? Don’t assume that your target is a skilled and willing conversationalist. You must work at making a conversation an enjoyable experience.
  • Ask only one question at a time.


As you have probably gathered, making elicitation work right is a delicate balance. Too much, too little, too much at once, not enough—any one of them will kill your chances at success.

However, these principles can help you master this amazing talent. Whether you use this method for social engineering or just learning how to interact with people, try this: Think of conversation as a funnel, where on the top is the largest, most “neutral” part and at the bottom is the very narrow, direct ending.

Start by asking the target very neutral questions, and gather some intel using these questions. Give and take in your conversation, and then move to a few open-ended questions. If needed, use a few closed-ended questions to direct the target to where you want to go and then, if the situation fits, move to highly directed questions as you reach the end of the funnel. What will pour out of the “spout” of that funnel is a river of information.

A brief information-gathering session that occurred earlier, using carefully placed closed-ended or assumptive questions, was key. After hearing about the company’s recent purchase for new accounting software and network upgrades, I wanted to go in for the kill. Having scoped out the building, I knew it used RFID, but I wasn’t sure if the target would go so far as to describe the card and show it to me.

This is where the use of direct questions played a role: coming right out and asking what security the company used. By the time I used that type of question our rapport and trust factor was so high he probably would have answered any questions I asked.

Understanding how to communicate with people is an essential skill for an elicitor. The social engineer must be adaptive and able to match the conversation to his or her environment and situation. Quickly building even the smallest amount of trust with the target is crucial. Without that rapport, the conversation will most likely fail.


Other key factors include making sure that your communication style, the questions used, and the manner in which you speak all match your pretext. Knowing how to ask questions that force a response is a key to successful elicitation, but if all that skill and all those questions do not match your pretext then the elicitation attempt will most surely fail.
