OSINT & SOCIAL ENGINEERING – F.A.Q Series with Santhosh Tuppad
“Social engineering is using deception, manipulation, and influence to convince a human who has access to a computer system to do something, like click on an attachment in an email.”
What type of information on a company/ site/ person may be helpful in preparing an attack?
During my childhood days, I was a great liar and a thief who used to break in and bypass school infrastructure and grocery shops through social engineering skills. Well, I never practiced these skills, but somehow they were ingrained deeply in my brain, I guess. I never knew it was called “Social Engineering” in the first place.
So, any information is brilliant if I know how to use it and connect it to my purpose or an attack. Here is a quick list of certain information that I can think of:
- Knowing the company details by browsing through the website
- WHOIS information, which gives me the owner’s name or administrator’s name along with their contact details and the admin email address (most of them may not have the Privacy Protect flag on, and being a hacker I love it)
- Know the C-Level Management and Employees through Social Media
- Know what their likes and dislikes are, and also follow them to see how they react to tweets or their personal posts on LinkedIn, Instagram, Facebook, etc. in order to understand them well and plan social engineering for elicitation purposes.
- Knowing Network details
- Sending a friend request to someone who works for the “Target’s” company and liking that new friend (not really a friend) so much that they provide some internal details without realizing it.
- Knowing Mail Servers, Web Servers, Database, Firewall through Fingerprinting
- Accessing all the documents shared on the web, and seeing how those documents can reveal some details from history which can help me in various ways to plan.
- Telephone Numbers, Usernames, Email Records, Forums, Blogs, Public Records, and more.
- Not limited to this, but everything that’s under the nodes and subnodes of the OSINT framework mindmap, which I always love using. I don’t want to just create a copy of it here, so you can visit http://osintframework.com/
What tools would you use to find this information?
My favorite toolkit for social engineering:
- Nmap Terminal / Command-Line - Network Mapper (Zenmap for UI)
- Passive Recon Addon (Firefox)
- WHO.IS - Find out whois information
- Using cURL - This will help me to understand the culture of developers by looking into HTTP headers for requests and responses. I can also understand the technology through X-Powered-By and other header entities.
- Google Dorks - Search Engine Queries for Hackers
- Building my own OSINT tool using Google based on the context
- MXToolBox Utilities
- Sysinternals Utilities
- Telephone / Mobile Phones with Spoof SIM Cards or Spoof Fake Numbers
- SMTP Boxes for Email Impersonation
- Burp Suite - Commercial License
- Kali’s SET (Social Engineering Toolkit)
- Money (I know it’s illegal, but it can be a tool based on the context and laws under specific jurisdiction)
- And the Packet Storm Security tool list is amazing for me to find out a lot of information: https://packetstormsecurity.com/files/tags/tool/
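The cURL item above points at a real exposure: response headers such as Server and X-Powered-By hand an outsider the stack and version without any authentication. The defender's counterpart is to audit your own servers' responses for those headers and strip them at the web server or reverse proxy. The following Python script is an added example (not code from the interview or from any tool named in it); the HTTP response it parses is a constructed sample, not a capture from a real host, and the header list is an assumed starting set rather than an exhaustive one.

```python
"""Header-hygiene check: flag response headers that disclose the technology stack.

Added example, not part of the original interview. SAMPLE_RESPONSE is a
constructed HTTP response; DISCLOSING_HEADERS is an assumed starting list.
"""
import re
from typing import Dict, List

# Headers that commonly reveal product, framework or version details.
# Assumed list for illustration; extend it for your own stack.
DISCLOSING_HEADERS = {
    "server": "product/version banner",
    "x-powered-by": "application framework or language",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-generator": "CMS or site generator",
    "x-backend-server": "internal backend hostname",
}

# Matches dotted version strings such as 2.4.29 or 7.2.24.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response (status line + headers).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw: str) -> List[str]:
    """Return one finding per header that leaks stack details.

    A finding notes whether the value also carries a version number, which is
    the part an attacker would match against vulnerability databases and the
    part most worth removing.
    """
    findings: List[str] = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            detail = DISCLOSING_HEADERS[name]
            if VERSION_RE.search(value):
                detail += " (includes a version number)"
            findings.append(f"{name}: {value} -> {detail}")
    return findings


# Constructed sample response from a server that has not been hardened.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
"""

# Constructed sample of the same server after the disclosing headers were removed.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
"""

if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print(finding)
    print("hardened response findings:", find_disclosures(HARDENED_RESPONSE))
```

In practice you would feed the function the output of `curl -sI https://your-host/` for each of your own hosts and treat any non-empty result as a configuration ticket; removing the headers is the fix, since the check itself only reports what is already visible to anyone who connects.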
Do you have social engineering capabilities? If so, what capabilities?
Yes, I am a “Social Engineer” freak and have practiced it in my childhood without knowing it was “Social Engineering”. I love connecting the social engineering aspect to any software or physical infrastructure and achieving my goals.
Qualities I possess:
- Being persuasive
- Highly manipulative
- Story builder to gain access to intel
Capabilities I possess:
- Setting Email Honeypots
- Gaining access to password/username by using pinhole cameras with high resolution
- Watching someone type their password is a good skill that I possess in order to create my data to brute-force. Well, knowing the type of keyboard can help in understanding what kind of characters were entered, and whether the person used two fingers to type, which could possibly indicate a special character.
Have you ever obtained access to a particular person? If so, how?
In my past, I have obtained access to a colleague’s email account while sitting in an office. This is how it went:
(I will be using that colleague’s name as “Dan” for reference and ease of understanding.)
Mission: To gain unauthorized access to “Dan’s” email account without having access to his computer.
Santhosh launches Gmail in his web browser, visits the “Forgot Password” webpage and enters Dan’s email address. Santhosh was thinking that Gmail might ask a “Security Question”, but it did not. That was quite disappointing for Santhosh.
I bypassed my disappointment and wanted to go to the next level. And that was initiating a “Call”, which is an “IVR” system that speaks a One Time Password or Secret Code to the owner of the email address. Yes, I finally initiated a call, and Dan was sitting 2 cubicles away from me.
After initiating the call, I watched Dan in a sneaky way. And yes, he received a ring and said “Hello”. He was just keeping quiet because it was IVR and he did not need to speak, as there was no person on the other side.
He finally disconnected the call and started laughing. I picked his laugh to start a conversation with him.
I said: Hey, Dan! What’s up? What happened?
Dan: Someone called and the robot said, “Hi. Your secret code is 9870989.”
I said: I am sorry, I didn’t hear that. Can you please repeat? (Well, I had heard the number. But I wanted to cross-check whether Dan mentioned the right numbers or something gibberish.)
Dan: The IVR said, “Your secret code is 9870989”
I said: Woah, that’s funny! (and I continued gaining access to his account).
I finally entered the secret code and Gmail asked me to set a new password. VOILA!