
what we're trying to do here today is uh provide a social engineering capture flag we have two days of it remember social engineering don't believe a word he says that's true i was in marketing too um we have two days and we want to give you guys a very unique scenario of real life situations and things to do in a way that you won't get arrested or get in trouble and practice stuff so today and tomorrow we have sign up sheets and everything today during lunch will be the first one so it's going to be partial entertainment for the lunch crowd as well as your game
so we'll get started with some info i'm going to give you some info i'm going to give you some tips uh how to read people how to do some stuff this is not a extensive social engineering how to mess with people thing uh this is just to get you guys prepped get you some ideas get some things thinking of how to approach people and do stuff so this is my bio slide i don't really care to talk too much because we got a lot to do so there's no disclaimers because you will be hacking stuff you will be getting into people's heads you will be messing with people so there's no disclaimer everything aside from
physical harm to human beings or the property is game anything you guys can do or come up with do it and use it just don't harm another person don't harm property i guarantee you'll be able to use real life scenarios and do a lot of things you probably don't get to do legally with all this so what we're doing is day one we're doing cyber speed dating so what's that's going to do for you is give you a scenario in which that you can cold read a person very quickly and try to get some information out of them what i'll do is when we're done with this i'll hand out some little questions for everyone who's
participating you have six questions with a seventh bonus question you have to go around and ask these to the people in the speed dating scenario you have two minutes to get those six pieces of information out of them so it's going to require you to plan ahead and figure some things out we'll get into some tips and pointers on that but the most important thing is is try to get as much information as the person as fast as possible when you only have two minutes when the two minutes is up a whistle or someone will yell or do a duck call or whatever get up move to the next table it starts all over again and during this scenario
i'll hand out these sheets for you you have results one through six with the seventh bonus question just write down the notes of what happened did you get the person to do it who'd you talk to what'd you get out of them keeping it very simple and uh easy to use later on what that feeds into is a final report just like in the real world you're going to have to do a report so in order to win both days you have to have a full report filled out uh it's just like the real world so the second day uh just to give you a preview the second day what's going to happen is you're going to line up
for a job interview what we're going to do is three minutes before your job interview i'm going to hand you a resume you have to assume that identity on that resume you're then going into the job interview with the sole point and perspective of a red team member who's trying to get information out of a company to conduct an attack this is a very very effective real life scenario just got done doing this with several people the best part about it is when you go in for a job interview think about it they ask you questions about you they interview you and everything but they also just spill out everything about their company they brag about
their company sometimes they take you on a tour of the facility it's one of the easiest ways to get into a company and wreak havoc so i want you guys to have that experience and try that not only do you have to extract information out of the people interviewing you you need to maintain your cover so someone asks you a question like where are you from and you told him one question one thing and you say another thing later on that's a red flag that could get you in trouble so again final report is a really big deal just like in the real world it's kept pretty simple i made it very very easy for you guys
we're mainly trying to get you guys into the method of thinking ahead and how to do stuff so day one results just record them down on a sheet of paper for the people that you go through an interview hold on to that for tomorrow we'll also hand out the packet for the final report you can look through that take it home with you tonight read through it it's also uh very good to plan your attack for tomorrow so you might want to do research we've posted some fake company information even a network diagram on our website you can check out start looking through get some ideas start developing a premise and pretext to use
tomorrow so one thing to do in all this is uh to think about a few things such as pivoting your attacks how pivoting works differently from adapting adapting you simply adapt to the change and you move around and you move on pivoting is a little different pivoting your attack in social engineering i want you to think about a small child small child wants a toy they go to their mother and ask their mother hey i want this toy i want this toy i want this toy the mother provides resistance and tells the child you know go [ __ ] off go ask your dad so the kid goes but he maintains the same attack he just pivots the attack to
the father asks the same question dad dad dad i want a toy i want a toy keep that in mind when you encounter resistance in social engineering don't just sit there and drop everything and turn tail and run off stop think real quickly what you have at hand and pivot your attack maybe they said no to a question so today in the speed dating scenario maybe you directly ask a person a question maybe they just go back and say no you can't just stop right then and then go well [ __ ] they said no better move on one thing you could do is ask them another question get what their answer is on that
and maybe go back and revisit the other question or maybe take that question that failed ask it with different language or use it in a maybe a story scenario present it to them to get information out rather than directly asking them another thing to do is study your target ahead of time when you're running around for the speed dating and you sit down before you sit down take a quick look at the target and notice things about them notice things to identify commonalities and things to set up rapport and i'll introduce a little thing to help you with that also when you're going through watch for contradictions we'll get into that when language doesn't sync up with your body language
it's a key indication of either someone's lying or concealing information or it's maybe a point you need to focus on for your attack the biggest thing today and tomorrow in all these capture the flags is keep it simple we've had people over complicate things and that's when they get frustrated and lose keep everything simple in our industry we over complicate everything in our industry and as long as you keep it simple today you're just going to rip right through it if you keep it simple tomorrow you'll rip right through it so pivoting again just when you encounter an obstacle you present an idea you either plan it out and do recon so in the case
of a kid wanting a toy he knows he wants a toy he's going to go figure out well i can't buy the toy i'm going to go ask my parents so you have your plan and recon and you execute it then you get your outcome your outcome being that oh i asked mom mom said no so you have a negative outcome at that point you can go back and reevaluate the resistance and see if you can just execute the same thing again like ask mom again for the toy or maybe cry or if you have flat out resistance and there's no way in hell you're getting anywhere say you're asking the cheerleader head of the cheerleader squad out for a
date she just says flat out no that's probably a good point where you just want to just say hey let's just start over and go move on but again pivoting is very very powerful when you do social engineering don't just drop dead and move on stop look at what you have at hand and move around rephrase things re-ask things do things a little differently and again keep it simple and stupid k-i-s-s keep it simple stupid just keep everything simple do not do an elaborate plan if you guys watch like burn notice and leverage and [ __ ] they have these huge plans and there is no [ __ ] way in the real world that's going to work
the more you complicate a plan and the more perfect a plan it is the higher the probability it's going to fail because you have all these little things you got to make sure lines up and everything always take the direct approach so in the real world off-handed example is if you've got to pick a lock to break into somewhere far easier to take a brick and throw it through the window and go in that way that rather than pick the lock keep everything simple throughout this whole process so a quick tip on reading people i'm not going to get into the sherlock holmes kind of crap and everything i'm going to keep it very simple for you guys
is break everything up into the rule of thirds just like in photography you break things into the rule of thirds so you can frame a shot just like with that with people you can break it up into thirds so when you sit down or you approach a person divide it up with the shoulders and above for the head shoulders to the waist area being the torso and then the legs rather than you know encompassing a whole picture of a person looking at them real quick break it up into thirds you can look at their torso and above the upper top see if they got piercings see what's on their face see what their expression is
see if they're chewing gum or something the torso is always going to stay pretty static it might give you indications if someone's leaning back in a chair they might be a little more relaxed open to things if they're leaning back or if they have feet on the table they'll be more open to things but the torso is probably the easiest thing to look at and see it's also the most static legs are great because with legs you can see if a person has them crossed or if they're doing stuff or the best part is the hyperactive leg shake thing so we'll get back into that for contradictions a contradiction to this would be like yeah i'm perfectly fine
i'm i'm relaxed i'm a-okay but my leg is going a thousand miles per hour it's a key indication that well this dude might be pretty nervous or he's lying about something or there's something else afoot you need to explore that but divide people up into thirds rather than doing a whole picture or a quick scan just divide up into thirds so that way when you're going through uh even the speed dating you can read languages and changes in just little separate areas even if a person is sitting or if they are only facing you with only a bit of information say the torso or higher you can still divide it out into thirds and
get a lot of information like the eyes the face hands and torso you can see a lot of bit of information there and divide it out rather than going in for the whole picture the whole point of all this is keep things very simple because you have no time at all to do really anything there's no time for elaborate like sherlock holmes style reading of [ __ ] just go for the obvious and the plain so divide stuff out maybe when you're doing the speed dating sit down see how the people are uh sitting see how their legs are see what the expression is on their face another thing is the contradictions again what someone says to you
and what their body language is should sync up when it syncs up nine times out of ten they're telling the truth and it's a okay no one can tell the uh uh perfect lie and keep it going so that's why you want to look for little things like is the guy's leg jittering is he scratching does he do something when he talks so sometimes uh you'll see poker players do stuff or people talking and you can see when someone lies when they might do something like well i don't know you know or maybe they'd brush their mouth touch their nose or do something with their face or hands or if they talk a lot with their hands
while they're doing stuff maybe when they're lying or trying to withhold information they stop but the perfect way to tell people rather than going for micro expressions and all these other really cool high level stuff just look to see with what they're saying lines up with their body language and if you can't tell what you want to do is sit there and watch their habits see what they do over time that's what a lot of poker players do and a lot of times it happens in police interrogations and stuff they look for your habits and see what happens another thing that you can use in your arsenal is distractions or disruptions and there's a key difference here
between distraction and disruptions a distraction would be i pull down my pants right now and go you guys will just sit there and go well that was uncalled for and that solved nothing but the class is going to go on distraction doesn't do anything for the long term a disruption is what something you want to use think of it as hitting control c or like a NOP sled so if you're in the middle of say talking and speed dating and someone is just yammering on and you can't get them to shut the hell up what you might do is just get up stretch violate and disrupt their space they were used to you sitting there
talking straight ahead to them they had a comfort zone and level you might just get up and stretch and go i'm sorry i've been flying all day reach around stretch get up walk around you've disrupted their space and their comfort zone or if it's an extreme you might get up and walk around to them maybe talk to them or shake their hand or do something but you're disrupting the space and what that gives you is an ability to inject something else in at that time so maybe you get up and yawn while someone's yammering on and you tell them ah you know i just was traveling a long ways by the way have you ever
fill in the blank use a question or another way to disrupt someone who is talking on and on and on do something simple and benign like look at your watch or something of that nature you don't want to go to extremes on that an extreme situation would be i used to do music magazines and interview people i had to interview aphex twin who was notoriously a shy guy and a bit of an [ __ ] and whenever you talked to him he was going to only talk about his new album he wasn't going to talk about anything else so you have to take control that situation what i did is he would not shut up i asked him hey can you draw a
picture of yourself sodomizing the virgin mary right then and there it was a dead drop and it was quiet and he asked excuse me right then and there i injected a question go so you did this album but what about your tour or what about this i don't suggest that it kind of extreme but you kind of see inject something in to disrupt take control and dominate the conversation and that's another thing you guys are going to need to be cognizant of during the speed dating is you only have two minutes and if you get someone talking too much on one question it's going to eat up all your time so think about taking control the
situation and you might have to disrupt them stand up yawn get up if you're ever in a board room one thing that works good if you have a bunch of C-level executives that are just yakking get up practice golf swings but again remember a distraction is only going to serve you for a couple seconds and forget and not serve you well disruption is going to let you inject stuff into the conversation that you want to do so you can grab control again keep it simple and stupid kiss all the CTFs that we've done people have over complicated stuff and it's killed them so if you have any questions this is how to reach me so what we're going to do
here and i'm going to open up the questions and stuff what we're going to do is as soon as this is done need you guys to come down we have the questions here these questions don't show it to anyone because we're still trying to get some volunteers to participate as the interviewees that you're going to interview take the questions guard them do not disclose them to anyone because if the guy across the table finds out that question he's going to make your life hell and it's already going to be hard as it is anyways we'll ask you guys to pick up several of these sheets for the day one results for the speed dating again you have slot one through
six just write down the answer to the question that you received and who the person was if you can get bonus question number seven do that and then when we move on to uh day two let's see here
you'll get more into the packets the packets have some pretty simple questions such as explain the process used on day one we're just looking for what did you do what did you think ahead of how did you ask the questions we're leaving it pretty wide open for you to interpret and put whatever in you want what we're looking for is if the report is completely filled out that's going to dictate the winner if you submit everything and a fully completed report that's how you're going to win in vegas the team that won in vegas they had a completed report and that's ultimately how they won other things here just kind of phrasing on how you felt you did what did you do
what have you done differently we're keeping it simple and very open to interpretation i just want to get you guys introduced to how you would start approaching social engineering from a reporting perspective as well as how you would use it in real life day two uh we'll make some announcements later tonight and tomorrow we're gonna have isolated classroom for day two what we're going to have you do is line up outside we have some professors at the university that will be conducting the job interviews will come out one at a time hand you your resume three minutes read the resume get your ideas assume the identity go into the job interview it's going to be a standard
job interview but sit there tonight and think about things that you could do and ask maybe ask them well is it my responsibility to do anti-virus patching or uh patching for updates and they might go well yes it is then you can lead into that and go well how often do you update the answer might be well we have WSUS server and we haven't figured out how to do it yet so we don't patch that would be something to note you need to keep the perspective of going into the job interview how to get the information out for you to do a red team pen test later on because part of day two on the report
you have to write out your planned idea for an attack based off the information that you got so tonight and today go to our website check out the company info you're going to be attacking a company called cloud washer incorporated they do cloud washing they watch the cloud they get rid of malware and everything out of the cloud it's a load of crap but you can read through everything and get information that you need form an attack tonight think about it think about how you want to attack them there's a network diagram too you could use that to phrase questions like well i see you have this product line do you patch it or where is it or
where's your DMZ what what how expansive is your network how many people do you have working off site things like that you can start asking questions that may seem benign during a job interview but it's going to give you a perspective of oh well they don't patch they have no idea about the geographic boundary of the network they have no testing for phishing or security awareness maybe i'll do a phishing attack and phish the [ __ ] out of them and then maybe follow up with just plugging in a laptop at their business you could ask them about if they have security policy for uh bringing your own devices in but just start thinking ahead tonight
read the information see what you can get start asking questions and get everything put in together for that because tomorrow is going to be a little more extensive today at lunch meet downstairs in the cafeteria area there's a bunch of chairs out there meet down there we'll have everything set up and start asking questions remember absolutely keep it short and simple and stupid because you have two minutes to get six questions out of a person you will not get all six but try as hard as you can and use everything in your SE toolbox again the only rules no physical harm to people no physical harm to property everything else is a go do the most malicious
things you can to get information out of people so this is going to give you an opportunity to test try do whatever you want that you haven't been able to do in the real world and tomorrow especially tomorrow anything goes again just no physical harm to people or property you might even go home tonight figure out some props or something to help out with the job interview but again the information for tomorrow's up online get the premise and pretext going and if there's no questions i'll pass out information to you guys but do any of you have any questions and two more tips for you guys if you hack my website you will not get any answers
it's been hacked two times already for this there's no answers online and um also uh offering to buy me drinks and trying to social engineer me will not get you any information for the capture flag here as well as vegas what's happening in vegas these all these little local events are leading up to vegas in 2013 we are having a massive massive CTF in las vegas BSides uh you'll be able to do all sorts of scenarios uh involving the hotel staff uh the hotel perimeter everything uh you might have to invade a call center you might have to social engineer people out of a call center you might have to attack an outlook website
it's literally going to be one of the largest CTFs ever planned anything goes if you guys want to DoS other people you can do that but we're leading up to this but what happens is when you get the trophy or you win little pieces of information those are things that are going to help you out so whoever wins the squirrel trophy there's something hidden in the trophy that will help you out with uh las vegas there might be RFID in it there might be uh a transmitter of some sort there might be a who knows in there it's going to give you an advantage in vegas so if you collect all these pieces for all these CTFs or you talk to
someone else who's gotten them you can use them to your advantage in vegas if you want an example that we still have the fort worth dallas fort worth BSides up and the to be a kansas uh thing up you can get on there you can play with them and figure them out so if you guys don't have any questions we'll hand out uh information here and we'll get started at lunch we'll meet downstairs in the cafeteria area and we'll get going
don't everybody jump there one