Social Engineering: Tactics and Techniques

BSides Vancouver · 2021 · 16:06 · 210 views · Published 2021-06
About this talk
A security consultant walks through practical social engineering tactics used in authorized penetration tests, including physical engagements, badge creation, tailgating, and phone pretexting. The talk covers reconnaissance techniques, scenario development, and real-world examples from successful engagements.
Original YouTube description
BSides Vancouver 2021 - Sponsor presentation by Optiv. Savannah will walk through some of her techniques and tactics when performing various social engineering activities. This presentation will include stories of successful engagements as well as practical techniques learned from experiences.
Transcript [en]

Hi everyone, my name is Savannah Lazara, and today I'm going to be doing a talk on social engineering tactics and techniques. So, a little bit about myself: I am a security consultant at Optiv, um, I have my OSCP, I am a Hack The Box ambassador, and I'm also an advisor for verity ut at the University of Tampa. A few of the things that we are going to talk about today include physical engagements, uh, phone pretexting, and tailgating. So I'm going to try to walk everyone through some of the tips, some of the tactics and techniques that I kind of use whenever I perform any of these types of engagements, and I hope that everybody can get

something out of it. So the first thing I'm going to be walking through today in regards to social engineering is about physical engagements, so we'll go ahead and get started discussing this. So with physical engagements, obviously you need to gather information with the authorization of the firm, whoever you're doing this for. So one of the first things I would do is open source intelligence. So this is where you're going to be performing that heavy recon, and you can do research to see what types of jobs they have available on site. Is it common for employees to be on site? Which is something that you really do need to check right now because of, um, everything with COVID, so

sometimes a lot of the companies are now going remote, so you need to have a good idea of who is going to be on site, um, and you can kind of check that by looking at Google Maps, hoping that it's been updated, but if it's an outdated photo I would not rely on that. And once you kind of have that type of information, you can start to craft relevant scenarios also based on their business type. And it's also good to have a map of the facility that you are doing this engagement against. Um, and then also technology in use is extremely important, because you need to know what types of badges they are using if you're going to leverage that to try

to get into the building. Um, and then you can assess the type of technologies through looking at Instagram, Facebook, Google Maps, any social media, that's what you can kind of target, and, and then how they actually look too. Then you'll want to make it look similar to those. And also, if this is something that you can't do ahead of time, you want to make sure you have that equipment with you prior to kind of going on site and doing any type of social engineering to any employees. Another thing that is important is preparing for the actual attack that you'll be performing with proper authorization. So the kind of things you want to make sure that you do check is making sure that

the point of contact is notified, the correct, uh, personnel that need to know that this engagement is happening, um, making sure you have the get-out-of-jail-free cards. This is something that you could have signed by somebody, um, that has the proper authorization, that you could show to someone and they'd say, okay, like, this is, um, legit, like, that they were authorized to be here, and they could call that person directly. And if there are multiple consultants, you want to make sure all those areas are mapped out, like I just discussed in one of the previous slides. And then you want to make sure you've done absolutely everything you can related to recon on the target that you

are performing this against, and making sure you also have a game plan, and making sure it's been, the building has been cased completely, to make sure you have a full awareness of the whole entire building. So on this slide I was going to kind of walk through badge creation. So these are a few example badges that I have created in the past, and I've obviously blurred out some information, but you can kind of see that using the right tools you can really make badges that look legit and look real enough to where I even had a client one time, whenever I was performing on-site pretexting, they held it up to their eyes to the point where

they legitimately thought it was one of their real badges, just by me doing extensive research, going through people's Instagrams, Facebooks, trying to find people who are exposing their badges, and matching it as close as possible, that they genuinely thought that that was one of the real badges and they just let me right through, no problem. So that's where doing the types of extensive OSINT comes in really handy, and then you can get good badges made from it. So whenever you are creating a badge, this is some of the things that I do use to actually create it. So you want to take a spare hotel key card, or if you go on kind of based off the badge

technology, then you obviously want to use the technology, um, in the card that you're using. And then if you, I'd always recommend using kind of like a generic lanyard, but if you can also get your hands on a lanyard that relates to the target that you're going up against, it's obviously very helpful as well. Um, and if they do punch their cards, this is where PVC card punch comes in handy. And so for the actual sticker paper, uh, you want to print out whatever badge that you are creating, and then I have it as optional for the Gorilla Tape, but I highly recommend using the Gorilla Tape because this is what actually makes the finish look so real.

Um, so what you want to do is print out the badge on sticker paper, and then once you have it cut out, I usually put the tape over that actual badge that I just printed out, and then I'll cut that out from there. So then I have the sticker paper and then the tape on top, and then I cut it out, and then I cut it out to be kind of just outside of the actual card, um, length and width. And then once I stick it on, you want to then, uh, try to get any of the bubbles out as much as possible, and if you do mess up, I would just recommend just restarting,

printing it out and doing it. I mean, I would say every single time I, um, create badges I usually probably make two or three, I go through two or three of them, just because I'm trying to get it as close as possible and with no bubbles, and there's no, um, imperfections on it, because you want to make it look as real as possible. And then once you get that on there, you want to use the scissors or also an X-Acto knife to kind of cut out around the exact edges around the card, and that's what will make it look all complete. And then you can put it into one of those clear card holders depending on what they use. So if they're

using it like landscape, they'd obviously wouldn't have a landscaped one where it holds the card, or portrait and it holds the card. Either way, you want to make sure that you're kind of doing it the same way that your target has theirs on site. So the next component I'm going to be talking about is tailgating. So I'm going to kind of go through some tips that may be helpful for whenever you are performing tailgating as an authorized individual with the firm that you are at. Um, and I would say that definitely a lot of the tips I've kind of walked through in previous slides relating to open source intelligence also comes in handy in relation to

tailgating. So since tailgating kind of goes hand in hand with the physical engagement, since it obviously is kind of a part of being a physical engagement, a lot of the things I previously discussed relating to OSINT is relevant to tailgating as well. I would say the biggest tip with tailgating is, whenever you are looking at the building and watching employees enter and exit, you want to watch how many seconds that door is taking to close. If the door is taking a long time to close, then you might have a good shot of just going in behind someone without them even noticing, but if it closes really fast it kind of creates a more difficult situation to

where you're gonna have to find a way that they're being more willing to hold that door for you. And then another thing that you want to look at is, um, are people aware of others entering with them? Like, are they looking behind them whenever they're walking in, or are they just scanning in, going in, they're not looking back? Um, these are all really important things to kind of account for, because if you don't go based off of some of these things then you could lead yourself into, uh, not getting successfully, um, another thing I would say is making sure that if you are going to go in behind someone, say like in a turnstile,

is that turnstile gonna set off an alarm because it knows whenever somebody is tailgating behind someone else? Um, you want to make sure that you have an idea if that does happen, because you don't want to be that person that sets off the alarm and everybody's going to be staring at you because you didn't case the building right. So I'd really make sure that you look at the types of technologies that they have in use and if they do have any alarms that may trigger. Um, another thing I would also want to mention is, if they are carrying in a lot of items, like an employee, will they be more willing to hold that door if someone,

if you were to take the route of, um, holding coffees, holding books, holding a box, is someone gonna hold the door for you just based off of those characteristics? If that is, then that's the route that you'd want to go in through tailgating. If someone doesn't hold the door for someone who has lots of coffees or binders, you name it, then that's probably not going to be a route that you'd want to take, because you'll probably get caught. The next component that I'm going to be talking about is phone pretexting. So this is basically phishing with a v, vishing. I just like to say with a v because sometimes it sounds like phishing whenever you're saying it over a

presentation. So I would say a lot of the time people will underestimate some of the things that you have to think about whenever you are going to be performing phone pretexting. Obviously, as you know, doing research, this is basically OSINT on a client. You're going to be doing heavy recon. You can utilize tools such as Amass, Shodan, etc. to kind of find information about a company that would be relevant to be able to use in the scenario that you're going to be using whenever you call. And kind of like the other components I've discussed over this presentation, you want to make relevant scenarios based on the business type, and obviously go through company social

media too. And one of the things I do like to do whenever I am going through company social media is look at high priority employees that you could possibly name drop, and also see, like, who they're interacting with on LinkedIn, to see, like, how often they're interacting with them, um, so you can kind of maybe reference somebody else as well. But usually looking at the high priority names that you can drop is a really good tip. And then when you're actually writing these scripts, you don't want to think about it as something you're going to be reading word for word. They should almost be kind of like just a few, like, bullet points of what you're

going to talk about that you could reference, but whenever you're doing these types of calls it's not something that you can just read word for word. You have to prepare yourself to kind of be asked any questions with anything that you are saying and be able to answer on the spot, and if you can't answer on the spot then there's things that you can obviously do to buy yourself a small amount of time, but you still need to be able to come up with an answer for the question, because it would sound really odd if Nancy from accounting doesn't have the answer that any typical employee would have whenever you're talking to another employee. One of the things I do whenever

there, I need to buy time, if someone, say, asks me something for, like, an employee number, I'll just get a bunch of pieces of paper and start rattling it around to make it seem like I'm actually looking for it, and I'm not, but I'm giving the person that's listening on the phone the impression that I am. And then also you could also play, uh, like, baby crying in the background from YouTube and have that, like, on a medium sound setting to also kind of ramp up, uh, the stress level of the employee that you're talking to, and giving, uh, them the impression that you're dealing with this baby, you're trying to find this, and then they'll probably be more, um,

likely to kind of give you the information that you need to for the engagement, or that what you're ever trying to get. And so that's kind of how I go about writing the scripts, and then kind of going into making the calls is the next section I was going to talk about. The app that I do use whenever I am doing these types of calls is called SpoofCard, so I highly recommend checking out SpoofCard. It does cost money, but I like it because you can record the actual phone calls that you're making. I find this very useful because then you can kind of, one, have a log of the timestamp, everything that was talked about during

the conversation, and if there's anything that you didn't, maybe there's something that they said that you didn't remember, you can always reference back that recording and be able to have that in the actual report that you're doing this for. Um, another thing whenever you make these calls: you don't want to start off with going to a whole introduction about who you are. You want to make it seem like you know who, like, this is who you are, and you don't need to say who you are because they should know who you are whenever you're doing this. Um, you want to let the victim in this situation do a lot of the talking. Um, whenever you

start rambling, that's whenever you're start going to be able to give yourself away. So say whenever you start a call, you want to say, like, "Hi, my name is, uh, Jane." Stop. Don't, don't talk anymore after that. And once I say, okay, like, "Hi Jane, like, uh, can I help you?" and they're, once they start asking that type of question, that they're wanting to do something for you, then you could take advantage of that and say, like, "I'm calling from blah blah blah and I need to do this." And don't make a long, long sentences whenever you're making these calls. Let them ask you a lot of the questions, because the more they ask the questions

and you can give those answers to their questions, and then that puts you in a position for you to be able to persuade them. The best way to think about phone pretexting calls is to think of it from a sales perspective, because you need to make it sound believable but not in an actual, like, phony way. That's kind of why I have it in the last bullet of this slide, because you need to understand how sales tactics work, because that's how you get good at persuading people about why they should do what you want them to do, and that's how you'll get the information, um, at the end of the day, of whatever you're trying to do. But

whether that be go to a website or you're trying to obtain their credentials, you want to give them a meaningful reason why they should give you that type of information. Um, so now if anybody has any questions regarding any of the information that I went through during this presentation, feel free to reach out to me on Twitter at lastly, or Discord, I put the information there, or on LinkedIn. I'd be happy to help anybody with any questions. I hope that everybody that joined enjoyed the presentation, and thank you for letting me do this talk today.