
Scripting Social Engineering Attacks - Dave Comstock

BSides Boston, 23:42, 125 views, published 2017-05
About this talk
Script all the things! Streamline phishing, vishing, and gaining physical access to restricted areas by using modular social engineering scripts and pretexts. Gaining a physical or virtual foothold is a crucial first step in a successful exploit chain. People are oftentimes the weak spot in company security, so it only makes sense to start our attempts there. We'll focus on building up a playbook of characters, outfits, tools, and pretexts to use while exploiting self-interest, standard operating procedures, common corporate policy, social norms and taboos, and cognitive biases for maximum effect. Characters can range from support roles such as IT, HVAC, plumbing, electrical, and other contractors to a newly hired employee, corporate auditor, market researcher, vendor rep, or job recruiter, depending on the pretext and what your goals are.
Transcript (en)

All right, we've got Dave Comstock here with us. Dave currently is with Tripwire, and if you want, I think it's very, very entertaining, go read Dave's bio. In particular, what I like is he actually mentions the fact, he's going to admit to it, that he had an IBM XT. That's kind of going back there. But what I really liked about it was he actually talked about abusing his equipment. Now this is the same guy who's going to talk to us right now about social engineering, right? Okay, so I think he's speaking from experience. All right, here, Dave, all yours. Okay, all right, so, so,

thanks for coming. Today we're going to talk about social engineering. Let's just take a real quick minute, thanks to everyone for this great event so far, a lot of good talks, the lock picking villages, cool. I'm not going to... if you guys went to that. You can find me on the steno deco-style, and that's leet speak, so two zero. I'm also on Twitter and Mastodon, the same exact thing. So this presentation is going to be... I did a lot of studying of recent interesting attacks that I'd seen in social engineering, going from the DEF CON social engineering capture the flags and general clues from popular media, Twitter posts, stuff like that, and I

wanted to find a framework for social engineering, because I like frameworks. It's just one of those things: they're nice, you know, they help you streamline things. And social engineering is very relative; it's very hard to plan it. You can't just have a set-in-stone way of doing things. Another good thing about it is I don't like microwavable-food instruction guides, you know, there's not like an "oh dude, abuse this bias and all of a sudden you'll be the most bad guy on the planet." Not really. So script all the things, right? And I tried coming up with this little acronym for it, and everyone loves

acronyms. So we're going to streamline phishing, vishing, and physical, gaining physical access: PvP. And then we're going to do it by attacking ICP. Now, the clowns, no clown hate here, okay. So: PvP by attacking ICP. What the heck is ICP? That's down at the bottom there, and these are the three general areas that I've found that most social engineering attacks that seem to be effective take advantage of. So personally, I think identity comes down to: you want to assume their role as much as possible. So if you're going to pretend to be a construction worker, you're going to have worn clothes, you're not going to have new clothes,

obviously you're going to have tools, you're going to have certain tools, you're going to have calloused hands maybe. There are going to be all kinds of weird little details you need to pay attention to. You're going to have certain logos and insignia, so if you work for a certain company you're going to have a certain logo on your back, on your jacket, stuff like that. Method acting: this is the famous Stanislavski, he was an actor back in the day, and he made this whole custom thing, and he said one of the best things to do is just people-watch. So you just go out, watch people, pick up some details of the situation, and

you can kind of use that to build your character. So culture: jargon, standard operating procedure. If you're going to be trying to phish someone, you're going to want to focus on colloquialisms. If you're going to be trying to trick a tech support agent, they're going to have repeat dispatches. So Dell, for instance, I work with them a lot, and one of the ways I've gotten their customer service reps to stop giving me crap when I want something done is I say I've done all of this, I give them all the information they ask for, I say all the revisions, you know, the newest, all the firmwares are great, blah blah blah, because one of

the new things they have is a repeat dispatch rate, and if they had to send a tech out a second time, the person on the phone gets a negative mark for that. So of course that's going to be one of the main things. And then again, psychology, cognitive biases. And just out of curiosity, how many of you guys like Mr. Rogers? A couple of you, okay. Have you ever seen this quote, "Always look for the helpers"? Okay, well, that's a great quote, but not quite for the reason you might first expect. And I really like the Satanic Mr. Rogers in the corner; those were pretty, pretty prime. So, and you know, even Charles

here, he says, you know, my friend, he says people are primed to help. We want to help. And even corporate policy, sometimes it's driven into them from almost every angle. And there was actually a cool article, I'm going to bring it up a little later, but the title of it was "A hacker's best friend is a helpful employee," and that's almost always true. So we're going to start real simple here, and this is a popular social media post from a little while back, just back in December, and it deals with wearing a high-vis vest to get into events, concerts, you know, backstage, that kind of thing. Something intense, but you know what

it really relies on is two things. There's a psychologist called Ralph Linton, and he has different statuses, ascribed versus achieved. So ascribed status says, well, I'm sitting here with my cute little speaker badge, and that makes me a speaker, that makes me an expert of some kind. I submitted to the CFP, I got accepted, obviously I have an idea what I'm talking about, right? Now that's the ascribed status. Now the achieved status is what I achieve if, after you sit here and listen to my talk, you go, "Okay, that guy, he knows what he's talking about, maybe I'll do that." And it also uses authority bias, and this is pretty common, you guys probably already know it, and what happens is you

automatically trust and respect authority figures. So if you're going to a concert event and you see a guy wearing a security vest, you instantly think that guy's security. You're not really going to think, well, let's check, let's make sure, let's call his manager, right? Not going to happen. And this one was a presentation by a ... employee from ... 2016, and basically what he did was he took a ladder around, tried to look like a maintenance worker, and they let him into so many places he was all surprised. And again, this is a really, really simple example. So imagine having a little bit more complexity in that situation, and you're going to get into a

lot more places. So now, again, back to where I started: I like frameworks. I like frameworks because they're modular; they're not microwave food sets, right? So how many of you guys like Legos? Mmm, good, many. So I came up with this TNT, and so the acronym goes: PvP by attacking ICP with TNT, okay. And the TNT, I cheated a little bit, and instead of an "and" it's Types and Tactics, right? So I'm not going to read the slides to you, but there are five general types I came across. The first one is support staff. This one's pretty broad: there's going to be IT, painters, construction workers, cleaning staff, you know, any kind of support work at all. And then there are four different

sorts of subgroups that could fall under support, but they're really their own kind of thing. And then I also want to go over a couple of different tactics: abusing self-interest; using tools, paperwork, things like that; using OSINT, open source information; cliches and banter to kind of guide the conversation and maybe misdirect from what they're not trusting about you, things like that; and abusing cognitive biases. So the first part is abusing self-interest, and as you can see from Dale Carnegie up there, he says you can make a lot more friends by being interested in others than by trying to get them interested in you. So it's just one of those things where it's a pretty universal thing,

and there's a quote from a book called Lake Wobegon, where it says, "Welcome to Lake Wobegon, where all the women are strong, all the men are good-looking, and all the children are above average." That kind of describes how most people view themselves: you're never the outlier, you're never the below average, right? You're always at least a little bit above. So tools and paperwork. This is going to be, you know, you can do OSINT obviously, but if you see the badge there, you go on LinkedIn, there's a thing called LION, LinkedIn Open Networking, and people will literally just follow you back, so they openly let you into their network, they don't care. And then people will

post employee badges and say, "Oh, I finally got my dream job, I'm so happy," and it's like a picture of their employee badge. Okay, that probably shouldn't be on the internet, guys, I just want to say. So again, tools, and you know, they should show wear and tear. And again, the general idea is that you want to disarm people. You want to get someone looking at you and saying, "That guy looks like a carpenter, he doesn't look like an IT guy," right? Good, that's what you're going for. One of the things you want to do when you're picking an identity is you want to pick an identity that will allow you to potentially show

yourself off better. So one way to do that would be Googling, and you can just Google for a company, find their logo, and call up a print shop, get the decals, get shirts, just say you're with the company. How many of those places are actually going to call the company and verify you work there? Probably not many. If they ask, just say, "Oh, well, I'm just emailing you from a personal account because my corporate one got hacked." You know how that feels, right? Most people will buy that; it makes sense. So construction workers here, you can see they're dirty, they are literally knee-deep in concrete, they're obviously going to have tools, the tools

are all going to be worn, blah blah blah. And this was an outfit I use, and one of my favorites is IT guy, because I'm an IT guy, so it's very easy for me. And this again: a laptop, a Kali Linux USB, and general business casual clothes. Now these are pretty cool. If you haven't been around Twitter too much, Twitter is pretty cool, and this left image here is some guy who literally turned his dog into a walking Wi-Fi Pineapple. I mean, clearly, talk about disguising your tools, right? Turning your dog into a walking attack vector, that's pretty cool. There was a similar one attached to, I forget exactly, well, I think it was

for Wi-Fi networks, yeah, yep. And if you look on the right there, Jek Hyde and Tinker have this thing called Hacker Adventures on Twitter, and it's really cool. If you don't follow them, go check it out. But you know, you can see there she has cameras hidden in the sides of her glasses. "Hey, do I look truck ready?" Yeah, I mean, they look a little thick, but it's a style thing, you know, whatever. And then again, now we can see here on the left, some guy took a Raspberry Pi running Kali Linux and shoved it into a power adapter so he can take it with him, make it look like the power adapter to his computer, and use it to hook into

another computer or a network or whatever. And ... on the right side, if you guys follow Mubix, he's a really cool guy; a couple of people have mentioned him today, actually. And my company actually does this. We do this for, like, menu boards and signage and stuff like that, but really, computers are getting so small now you can stick them in the back of a TV. If you can get physical access anywhere, even just to the cafeteria, and the cafeteria is publicly open, you know, literally a dongle running Kali Linux, plug it into a TV, there you go. So open source information again. The general idea is you want to

look for the corporate information. So you want to look at the culture, you want to look at the structure. This is where the OSINT comes into play. You might want to look at the corporate blog. My one: check out Glassdoor.com. But Glassdoor you're going to take with a grain of salt, because, you know, when you go to Glassdoor and you just came away from a bad company, what are you going to write about them? Not positive things. If you feel slighted by your prior company, what are you going to write? Not positive things. So it's not 100% true; try to correlate it, try to build some baselines, figure it out that way. And

then the second part, the VIP information. Again, check out the corporate Facebook, check out the blog, check out their social media profiles. The guy might say, "Oh, going on vacation in two weeks." Okay, cool. Well, between that and Glassdoor, I just figured out that you're a bit impatient. So when I go in there, I'm going to say, "Oh, hi, I'm Dave the IT guy, I'm here to change the, you know, jack out in the wall because it isn't working well. You know how he is, you know how he gets, very impatient. He's out of the office, it's a good time to do it. You know, you don't want to call him in the middle of his vacation to

bother him," et cetera. So you're massaging these things in, and then all of a sudden you build it up and they just kind of go with it a little bit. And industry forums, subreddits, things like that, you can just do general information gathering and get the jargon. So for instance, I did a little experiment where I went out to an airport and I was a pilot, and one of the things for pilots is squawking. It's a way of transmitting certain things that are happening. So for instance, here's a list of squawk codes, and if you're going to be in North America, squawk, in the bottom there, you can see 1200 is the standard VFR flight

code, like that. So if you're a pilot anywhere in North America, Canada, Mexico, wherever, you're going to use it all the time, you're going to have to know that. If you don't know that, you're going to be shown as a fake. So cliches and banter. Again, the idea is to drive the conversation away from the things that they might not necessarily trust about you and push it off onto something else. So banter, stories, excuses, misdirection: focus these and make them all about, let's say, "Oh, I've got a new employee, my scheduler, he might not work out." You know, if you go to the place and they say, "Oh, you're not

actually scheduled to be coming in for, you know, repairing the steps today," it's just like, "Oh, did he not call you? That's the third time this week." And then you can say, "You know, he's a new guy, I feel like he's going to work out, but he just needs to step it up." And a lot of people will just come back with you and try to relate to you and tell you their own story and say, "Oh, I know exactly how that is, I have this one guy I swear I wish I could fire, but I just can't." And they'll just kind of keep going with that, and you can just keep rolling with it and

move it up from there. So different frames to use. Again, corporate policy: sometimes corporate policy is just silly, and you can say, "Well, no, that's the policy, I don't like it, I don't understand it, but that's the way it is." Social norms: being a new parent, being the fan of a disappointing sports team, right? Those things can all help explain away the things that might not necessarily be going my way. Again, overbearing boss, co-worker, or just being simply too busy: "You know, I meant to call you, but yesterday was just so awful." Tell them this real nice short story about some client you had that was, you know, really bad, stuff like that. Build empathy, you know,

stuff like that. So cognitive biases. This is going to be cool, because the idea here is that you want to take these biases and you want to chain them together. So the first one we're going to talk about actually is anchoring, and this is that people usually tend to rely too heavily on the very first piece of information they get about something. So your very first piece of information is likely how you look, right? I mean, that's the assuming-the-identity portion, right? That's the picking the tools, the making sure your tools are worn, the making sure your shoes are bent, they're dirty, they have paint splatters on them. It's definitely that. So you

start off there, and then from there you say, "Okay, well, I'm from X company, here for Y problem at the request of this person," and you can use real people from your open source information, right? You can say, "Okay, well, this boss told me to come in, I'm from this company," I have the logo on my shirt (it's not a real shirt), I print a fake employee badge; you don't know what the heck that badge looks like, right? Right. The next one I'm going to talk about here is ambiguity, and so you want to avoid this one by giving them too much information. So ambiguity up there, if you look at it, says you want to avoid options where

missing info makes chances unknown. So if you don't know much about me, you don't really have a good baseline of me. And that was actually one of the things I really liked about the conference so far: Dave Kennedy mentioned it, I think he mentioned it first, and it was said that the basic idea is to take baselines. And that's really, you know, even just general defense in your network: find what your network usually does, find the outlier, and that's the idea, find baselines. So by giving them just stupid information, again, the banter, the social norms, just stupid stuff, "Oh, my boss is an idiot," giving them that little bit of

information tends to help them think, "Okay, well, now I know him, now I have a baseline," right? It's not just some random person; it's, "Oh, he says he works at this company, he sounds like an IT guy, he looks like an IT guy, he's really going through it." And Arthur Aron is a psychologist, and he mentioned this study he had where he said that mutual vulnerability fosters closeness, and really what it talks about is it just describes the natural process for friendship: once I open up to you, you open up to me, and then we kind of snowball that, and as it gets heavier, you know, a bigger snowball, you eventually will have a really,

I think you'll have a really aggressive idea of who I am, right? And again, that's the baseline. So after that you want to chain this into the authority and the ascribed status stuff, right? So if all of a sudden you're showing up, you're talking to them, you're doing banter, and if you've listened to some of the social engineering CTFs, banter and small talk is huge. I mean, that's really where they spend probably, what, 40% of the conversation? It's in between parts of the phish, the fillers; it avoids the ambiguity. The next part is the zero-risk one, and this one can be used to get you out of a situation. So let's say, "Oh geez,

wrong time." So let's say that you're going into this place, and the very first thing when you get in there, you realize that you don't have an ID, and the security guard checks IDs. Well, you can say, "Hey, look, yeah, I have a young son at home, he wanted to see what I looked like, so he was playing with it, he lost it, I haven't found it yet, it just happened this morning. Here's my employee badge," fake or real, who knows, "is that good enough?" And for a lot of people, that could get you in pretty easily. And again, it's that zero risk; it actually uses that bias, and it says they prefer small risks over a larger

reduction of a larger risk. So you want to make it seem there's a problem. There's another thing called the hairy arm technique, or talking to the rubber duck, where, you know, there was a photographer who figured out that when you put a certain thing in a photo, like a little bit of his hairy arm, very picky clients would say, "Hey, get rid of that," and then it's good. There were certain clients he had that always had to find something wrong. So by giving them just a little bit of something at the beginning, it automatically focuses them on that one thing. It's almost like shoring, in a sense, you know; they'll go, "Okay, sure, that doesn't look right, let's

investigate that. Oh, okay." Then you already had this plan in place to be able to say, "Oh, well, no, look, I'm dressed like it. Oh yeah, I don't have my real legal ID, but here's my badge, here's my business card, go to my website." Create a fake website, you know, stuff like that.

So just to go over a couple of these. These two pictures here, I'm in the Computer Man; if you Google "Computer Man" you'll find these two videos. The left one here is just a small business guy, and they're all going through dancing, it was really cool, and the right one, you can see the cool Tron graphics there, right? So these Tron graphics, this is from some 80s children's Canadian show or something, the guy does, like, tight robot moves, check them out, that's exactly it. And so again, going back to DEF CON, Chris Silvers from DEF CON 24, he used this idea where he said, "Okay, I'm going to send someone a gift card for a

very real thing that their company did." He found through OSINT that they were doing this gift card thing, and he said, "Okay, I'm going to send them a link, the link isn't going to work, and then when the link doesn't work, I'm going to offer to remote in and help assist that person," right? And again, appealing to their interest, abusing self-interest: "Hey, you want a gift card?" Who doesn't want a free gift card? Even if you don't want to spend it at that place, you can, you know, hock it for whatever. So, you know, and then, go to the next one. So auditors and new employees. There was

a DEF CON 20 CTF, and the guy's name was Shane, and what he did was he pretended to be a government contractor, a new government contractor for Walmart, and he's working on this big project, it was super secret, and he called the target in front of everyone at DEF CON, obviously, and said, "You know, hey, I'm here, we're profiling your store, I want to just get some information about it to see if it'd be possible for you to go into this program with us, and you'd be like the flagship store, you'd be like a guinea pig, in a sense." And it gets people excited, obviously, you know, so they're going to say,

"You know, okay," and he ended up going through and talking to them, just going through the general banter with them, and ended up getting all the flags at once. He got their suppliers, he got their vendors, he got, you know, the information about their computer systems, all kinds of stupid stuff out of it, just from pretending that he was some auditor. And again, you know, you can do some OSINT, you can say, "Okay, well, I'm calling you on behalf of this real manager from your company, who is a very big deal, and I'm also from a reputable auditing company." So that way, you might not be, obviously, but if you build that

up, you can say, "Oh, hey, no, no, really, I am," and that's basically what he did. And again, Tinker, from Hacker Adventures, there was another one where he did an internal audit, and companies will oftentimes have surprise audits, especially in the food industry, sometimes health; they're not usually surprising, whatever. So he showed up out of the blue, randomly, just knowing the company name, just knowing the boss's name, and said, "Okay, hi, I'm here to do a surprise audit, show me around," and the manager's like, "All right," just like that, went along with it. Now vendor reps: I don't know why anyone would want to be one, let alone pretend to be one, but it's definitely

some way that you could get in. So if you think about what a vendor rep does, they bring free stuff, and the free stuff always has the company logo on it. So if you're looking for the company logo, look up EPS files, vector files, things like that, and then take them to a local print shop, a buddy, or whatever, however you're going to do it, and print out stuff with that. If you're not using buzzwords, then you don't sound like a vendor rep: "synergy," "horizontal or vertical integration," "next-gen," "AI," or "cloud," right? I mean, you guys get it. Yeah, put those in there if you're going to be pretending to be a

vendor rep. And so it looks like we're just about out of time. Any questions?