
JUST JUMP! Lessons for Wannabe Social Engineers

BSides Knoxville · 2021 · 56:12 · 86 views · Published 2021-05
Speaker: Joe Sarkisian
Category: Career
Difficulty: Intro
Team: Red
Style: Talk
About this talk
A practitioner's guide to overcoming fear and building confidence in social engineering. Joe Sarkisian shares lessons from his first three years conducting on-site penetration tests, covering common misconceptions, essential starter gear, the dangers of over-planning, and critical safety protocols for staying within legal and contractual bounds.
Original YouTube description:

JUST JUMP! Lessons for Wannabe Social Engineers by a Recent Wannabe Social Engineer, by Joe Sarkisian

Social Engineering is the easiest and hardest part of security to enter; easy since it doesn't require lots of tech skill; hard because it can be terrifying! I'll share lessons learned as I began my journey, like:
- Fear
- The starter 'kit'
- Why plans can be your enemy
- Skills you already have
- Safety!
Transcript [en]

All right, so this is Just Jump: Lessons for Wannabe Social Engineers by a Recent Wannabe Social Engineer. It's interesting, this was in my mind earlier because we were talking about pen testers refusing to do certain things, and social engineering was one of those things. Like, on an ethical level we actually had a few people that would not do social engineering because it required you to lie to people and they just weren't comfortable doing that. So we had this one guy that just loved it. He was actually an intern for a while and then turned into like a junior pentester, but he was excellent at it, just absolutely loved it, and yeah, maybe a sociopath, I don't

know, but he had no quandaries lying to people and putting on that role. So yeah, interested to check out your talk. It's almost like you've seen my slides already. Oh yeah, all right, I hope I didn't address that. All right. Yeah, it's tough. I know I get the adrenaline going any time I have to do it. Oh yeah, absolutely. All right, floor is all yours. Awesome. Hi everybody, thank you so much, great to be here at BSides Knoxville, thank you for having me. This is Just Jump: Lessons for Wannabe Social Engineers by a Recent Wannabe Social Engineer. I like giving this talk because it's one of the first things

I kind of felt like I had a knack for within pen testing. Like, I do a lot of pen testing: internal, external, social engineering, all that good stuff, but I get super jazzed up about this just because it's almost like you're acting. I mean, you are acting, obviously, but it's like the closest you can get to that without there being a director and a script. Well, you get to kind of make it up as you go, somewhat. I mean, there's planning that's involved, which we'll get to, but it's just a super interesting topic, I really enjoy doing it.

It stings because of COVID, it's hard to go on site and do this stuff now. That seems to be coming back a little, but I digress. Anyway, I'm the lead pen tester at Wolf and Company PC in Boston. My views are not theirs. Newish social engineer, so I've been doing it for close to, somewhere around three years at this point. I am jaysark983 on Twitter, and it's my first time here. Awesome. So why listen to this? Does SE scare you? Social engineering, as Adrian just pointed out, scares a lot of people. It scares me, honestly. I mean, it should.

It's not an easy thing to do, but it's an exhilarating thing to do, and there's always going to be fear, right? Are you interested in this but just not sure how to pave a path? I personally think that, you know, Philip was talking about red teaming, he was talking about getting into it, there were questions about how you get into red teaming, things like that. This could be another avenue for you. If you're a good social engineer, trust me, red teams need social engineers, and not everybody is perfect and great at everything, so if you end up being good at it, that could be your foot in the door to other

things. Not sure which skills are relevant? I mean, there's a lot out there. Who knows? If you're watching this, you maybe probably are new to this and you're not necessarily sure what applies and what does not, what you may need to work on. Or you are new to this and you've started but you want more info. Or you were bored and this sounded interesting. All right, common misconceptions and falsehoods. "They're on to you." Everybody always thinks that before they even get out of the car or approach the building or whatever, that they have this giant mark on them that says you're not supposed to be here, you're a bad guy, you're a criminal.

Everybody knows who you are and you're gonna get caught, it's gonna happen, right? Not true, for one, and to be honest it's not the right frame of mind, essentially, because the idea is you want to get caught. You want the client to catch you, because that's how you know you're doing your job and that's how you know that they have a vested interest in getting better over time. There's just more, and if you go back year over year and they're getting better and better, right? Another one: "there's only one path for learning." There's a lot of different ways to go about this. You don't have to have a certain

degree or a certain technical pedigree necessarily to do this stuff. Oops. All right, whatever. "Getting caught is a bad thing." It's not a bad thing, right? I mean, if you're a red teamer, you want to get caught but you don't want to get caught, because you want to be really, really smooth, like a smooth operator, but at the same time you're also providing value to the client. "You need to be more technical." Another one. It can help, but it's not everything, and we'll get into this a little bit more. You know, when I started, I wasn't

extremely technical, and this is back in a time when we were still kind of fresh on the block for performing these engagements for clients, and essentially it was pave your own way, figure this stuff out, and we kind of adapted and developed our procedures over time. But most of the stuff was, if you know how to use a call spoofing app and you have a certain set of skills, which we'll go over, you can kind of, I guess, fake it until you make it, in a way. I mean, that sounds bad, but I'm

trying to think of a better term. "The bigger the org, the harder the job." I personally do not believe that at all, because I'll give you an example. Let's say you're doing a pen test against a bank. That bank has, say, 10 branches and one main office that's huge, let's say it takes up an entire city block in Boston or something. If I have to go to the branches, and let's say they're like, yeah, we want you to do three branches, okay, you're walking in. Unless it's a shared building space with other businesses and there's like a back door that you can get into the bank the back way or something,

you're going through the front door and there's gonna be a teller line right in front of you, and the spotlight's on you, and that first part is going to be make it or break it. Whereas if you're doing a test against the main office on that big city block, there could be so many different ways inside that building. There might be a lobby, it might be shared. Scanning somebody's badge for use later is probably gonna be a lot easier if you stake them out at the Starbucks across the street. We'll get into some more of that stuff, but the point being, there are

so many more options and so many different ways of entry and ways of proving value to the client from that perspective, as opposed to just going into that tiny little spot that you're supposed to try to get into. All right, let's talk about some basic skills, what you may have now that definitely translates. Are you funny? Levity in any situation is obviously a good thing. If things get awkward, can you crack a joke or break the tension in some way? Are you good at that? Can you engage people in conversation? This is a big one. I mean, you have to be able to talk,

especially on physical social engineering engagements where you're going to interface with several people, potentially. You may have to switch your story up, and being able to flow in conversation is going to be a huge bonus instead of being caught flat-footed and not really knowing where to go in your head because you're not comfortable speaking. Can you look more or less approachable when you need to? Like, can you seem like you don't want to be bothered? Do you have a kind of a sense about you where you know how to come off like that? Or are you good at

opening up your body language and making yourself appear more approachable when you want someone to notice you and interact with you? Do you work well under pressure? Like we kind of said earlier, it is nerve-wracking, but it's also exhilarating, and obviously there's a lot of practice involved in order to get more comfortable and not get as nervous, but there's always going to be pressure. I don't think there's a social engineer alive that's like, oh yeah, I don't worry about anything anymore, ever, I'm never scared, I'm never nervous about how an engagement is going to go. Can you appear confident and weak

when necessary? So this kind of ties into the more or less approachable, but can you, chest out, walk around like you own the place if the moment calls for it? Or can you tone it down and look a little weaker, not necessarily someone who's sure of themselves? Maybe that helps to garner pity from one of your targets. So you probably do have so many skills, you just haven't consciously put them to use yet, or you didn't realize that they were applicable. So, getting started. Regardless of your experience

level, let's talk about things that could help you. Again, get comfortable talking to people. Smile at strangers. Sounds weird; you'd be surprised how quickly that can open up a conversation. Strike up a conversation in a cafe. I mean, it's obviously easier said than done these days, hopefully we'll get back to that. However, I think this is a big one, there's a lot of good practice here. Who knows, might even make a new friend out of it, social engineering practice aside. Get outside of your friend group. You're comfortable talking to those people, so why would you assume that just because you're comfortable talking to those people that that's going to translate into

talking to a stranger on site who's mad at you for whatever reason or is on to you in some way? Try harmless influence techniques on people. Now, I have some resources about this, these things called mirroring and labeling. That's something that Chris Voss, who's an ex-FBI hostage negotiator, talks about in his book Never Split the Difference, a great book, where he talks about, essentially, in a nice way, kind of bending people to your will. So mirroring, for instance, is something where someone says, "I'm really upset you didn't call me back the other day," and you say, "Upset I didn't call you back the other day?" So it's kind of

this way of making them know that you understand what they're saying and that they've been heard, and it has this weird psychological effect with that person: well, this person's really paying attention, they value this interaction, they value me. And then labeling, similar thing, where you're building rapport, you're showing empathy. Labeling is essentially when someone says that same thing, "I'm really upset that you stood me up for dinner last night," and you say, "It sounds like you're really upset because maybe you don't think I value our time together." So that's more of that rapport building, that's more of that getting

someone to feel comfortable with you and make them feel as though you understand them and you care about them and value the interaction and the relationship, things like that. And again, I'll have a book reference. Books, podcasts, Twitter: I think this is probably where a lot of people start, and how the resources build. So if you start with, say, Chris Hadnagy's podcast, we'll get to that, a very well-known social engineer, probably one of the most well-known, he has a lot of different people on to talk about a lot of different things, there's a lot of resources provided, and it kind

of grows from that. Just pick one, pick a good podcast, and again I have references, but pick one, start listening to it, and the roots will kind of take place, and you'll be able to say, okay, I'm going to check out that book that person mentioned, or this person has another podcast, I'm going to listen to that one. And you start to slowly get acclimated to the environment and how things work, terminology, things like that. Internships: never too old, unless you have bills to pay, that makes it hard,

but if there's an opportunity there and it works, right? And even if there isn't an internship somewhere for something like this, let's say there's a security company that's hiring security staff on some generic basis and then it turns out they have a social engineering team. Maybe the social engineering team is overworked, there's not enough of them, or it's fledgling. Maybe broach the topic of, would you be willing to have me on as an intern as part of the social engineering team? I mean, part of this is social engineering itself, because you're trying to convince them that they

need you to do that, and therefore you're getting that experience. But there's also just straight-up internships that exist that you could probably apply to. And then once you have some practice, write about it: LinkedIn, personal blogs, Twitter, etc. You're building out a case for your own enthusiasm, so that when recruiters come knocking or when you're job hunting you can put these things down, like, hey, I have a blog over here, this is my LinkedIn page, this is my Twitter, I'm active, I'm engaged, I'm passionate about this, I know what I'm talking about. And over time that builds up, and it could lead to job offers, or it

could lead to better job offers. So that's kind of if you're looking to get in. But what if you already have a job in the security space, but not necessarily as a social engineer? Do they have a team? Some of the bigger security houses definitely, well, I know they do, have dedicated social engineering teams, or people who specifically focus on that more than anything else. Ask them if you can help with open source intelligence gathering. That's a thing that very closely ties to social engineering, because before they go on site or before they start making calls or sending emails, they're going to need to

know, okay, where are the entrances to the building? What kind of a street is the place on? What hours are they open? What's the general time people go to lunch? Where do they go? Where do coffee breaks happen, and when? So that's something that doesn't take a ton of technical skill to do, but it also shows that you're a team player. It's a good way to get your foot in the door, and sooner or later maybe you'll be asked to go on physical site visits with them as a support person

or a fake point of contact, which we'll get into. It's just kind of ways to help, ways to show your interest, where they don't necessarily trust you to do the full job yet but they want to see what you're made of, and this is a good way to start. Logistics, I kind of just went over that. Point of contact, we'll talk about that too, as a get-out-of-jail-free card. And honestly, take somebody to coffee. Again, COVID, easier said than done, virtual coffee, who knows. But pick their brains about what their day-to-day is like.

Ask the people at that specific company that you work for what their unique engagements look like, because not every place is going to do things the same. There's going to be the same general engagement procedures, but there's going to be variants. So figure out what it's like there for them and figure out maybe the gaps that they have, and what they need on the team, the skill sets or something like that that they're lacking, because that can kind of set off a checkbox or a light bulb in your head, like,

maybe I should learn that, because that adds value to the team, so if I ever want to be on it, it would be good to have that skill. Oops, what did I just do? Sorry. Okay, here we are. If your company does not have a social engineering team, be the champion for one. What do I mean by champion? Meaning the person who wants to essentially set plans in motion to create that team. Be the one who is championing the idea. This is especially in infosec, because if you're doing an internal pen, external pen, if you do all that stuff, you can add value to places,

you can add value for your clients if you have a social engineering team. So if you don't have one, talk to your leadership about your budding social engineering knowledge, because remember, you've been learning about it, you've been writing those blog posts, you've got all that background prep for this point in time. Create a formal proposal for starting a small team. Make it real, make it real for them, like you took the time to do this. You're using your professional acumen to show that you're serious and that this is important to you and it's important for the company.

That proposal might have things like, I've been on, or I know that we've been on jobs before where they asked if we do this and we don't do it. So it's like, okay, well, there's money being left on the table. So there are ways to entice management, and if maybe they're on the fence or they want to try you out first, offer to perform an assessment of your own company to show you have some skills. That could be something like checking for clean desk policy, finding out

their issues, where people are leaving Post-it notes with their passwords under their keyboards, things like that. Now, do all this with authorization, even from your own company. It's another thing we'll get into when you're doing this stuff. But yeah, just be creative. If you have old doors, prove why they're a risk, why a lot of the locks can easily be bypassed, and then maybe create a kind of formal report to give to management, like, look, I have the skills, look what I found, these are problems. So kind of create an air of importance around this

idea, and you might be surprised where you get. So, fear. We were talking about this, well, Adrian and I, before the talk, but this is very front and center in everybody's mind with social engineering: the fear. Fear is not just when you're going on site. Fear comes in many different ways with social engineering. I think the easiest thing to do is a phishing campaign, but phone calls as well, they can be a nightmare. But the one thing that helps me overcome my fear is this: I'm being paid to be the bad guy. If I don't do it, and if I don't help that client realize where the holes are in their

potential physical infrastructure or their people, with phishing engagements, phone calls, things like that, then the bad guy will do it for free and he'll make a lot of profit. And there's the bad guy, just in case you didn't know what that was. So remember, this is why I thought Adrian read my slides: unless you're a sociopath, you'll never be fearless during engagements. Like, I am still nervous before any engagement except for phishing, because there's hardly any interaction. But vishing, so like phone calls, in-person engagements going on site to those clients, yeah, you get nervous, but preparation helps you deal

with that. Fear's natural, don't let it [ __ ] you. This comes over time, obviously, practice. Like I was saying, I hate vishing calls more than I hate physical visits. That's my fear. For some reason I think it's just the fact that when you pick up that phone and that person answers at the other end, there's no body language to feed off of, there's no hints, clues, whatever, any distractions, it's just you and them. It's a very binary back and forth, and you just gotta be on, you gotta have it together, otherwise it's not gonna go well. You can always hide in the bathroom. So people were talking about

Tinker Secor earlier in the Discord. He has, I believe I have the link to it at the end of my slides, he has a talk where he talks about hiding in the bathroom for like 30 minutes to an hour after he got inside, just to decompress. I think he says he keeps, I think it's him, he brings a Snickers bar, or maybe that's Brent White, I don't know, but they eat a Snickers bar for blood sugar, just to calm down, get in the right frame of mind before they continue after that initial access. And again, just from that street

yeah, I think, and I say this not being a hundred percent sure, but I'm almost certain I've heard it from multiple people. Maybe Snow in one of her presentations mentioned the same thing. It wouldn't surprise me if more than one person uses that same tactic. All right, all right, let that adrenaline dump kind of subside. Exactly, exactly. Sorry. No, no worries. And again, remember, you're supposed to be there. You're being paid, there is a signed contract with your company, at least there better be, that you're supposed to be there. You're not the bad guy. It's hard, but get that mindset. More about fear: confidence boosters, in

order to deal with the fear and help you feel more confident when you go. Sooner or later these will be necessities, but as you start, badge makers, for instance. There are, what I'm looking for, not industrial, but badge makers that companies buy for like a thousand bucks, and they're just used to print whatever, the company's logo, the person's headshot, any barcodes, whatever, on an actual piece of plastic, so maybe like an HID card, if that's what they use. But buy one, go online,

or not even buy one new. Like, I bought one for like 150 bucks, and basically to get it running I had to buy a new ribbon and one other part, and for a combined two hundred dollars I have a working badge maker for any engagement that I need it for. And I say it's a confidence booster because if you walk in the front door and everybody's wearing that badge and you're pretending that you're supposed to be there and you work there and you're not wearing one, that's going to call you out, or somebody might call you out, security, whatever. But if you have one, people are not even going to look twice

at you, so that can help. Proxmark badge cloners, everybody's heard of the thing, the super sneaky scan thing that people put in a bag and brush up against an employee as they're going on their Starbucks break, and now you have a copy of their badge and you can use the badge to get into the building. Bonus points if you're using a badge that you've made with your badge maker which is also an HID card and you can use to scan into the building, because now you have like a real leak read, so to speak, and most people are not going to question you. Practicing with your bypass tools.

I've heard social engineers say that with bypass, so bypass tools, meaning all-encompassing, not just lock picks but actual tools that will help you get into breaker bar doors from the outside. I have one of those. The under-the-door tool, you may have heard of, where you stick it under the door and you pull the handle on the other side, the latch on the other side, and it opens and you can get in, and stuff like that. If you have any of those, practice with them, so that when the time comes to use them you're not fiddling around

nervously, wiping sweat off your forehead, hoping somebody doesn't come down the hallway. One thing about lock picks real quick: I would say they are not necessarily a tool that you're going to be reaching for very often, in the sense that if you are doing this during business hours and you're standing there trying to pick a lock while people are walking around, it's not a good look. However, maybe after hours, if you're allowed to test, and wherever it may be, probably not a bank, but let's say it's a warehouse for some company and there are file cabinets, that's different, maybe that works.

You have all the time in the world, potentially, to try to pick that lock and get in there if no other methods work. Brent White, I brought him up before, one of his favorite go-to tools for bypasses is a piece of plastic you can buy for a few bucks from a company called Sparrows. Basically it's a strong but thin piece of plastic. If you buy the kit they come in varying levels of density, but you can cut them and then basically shim them into a doorway in between the latch and the door frame, and if the lock is not installed correctly you can just push

that lock in and pull the door open. I think in one of his talks he mentioned he probably used that more than any other bypass tool. So don't always think you're going to be picking locks and all this crazy stuff, but be ready to go with some of those bypass tools, and it'll definitely help you with your confidence when you see that and you're like, yeah, no problem, I can get into that. Fake business cards. So you've got your badge, you've got potentially a badge cloner, how about a business card to go with it? It's like 10, 15 bucks, I think, at, I can't remember the company now,

online, but it's just a print, I think like 10, 15 bucks to make like 500 business cards, and you can put whatever logo you want on them, your name, make up a fake certification you have. Maybe you're going in as a network tech or something like that. Carry one of those, it's just another piece of evidence that you belong there and you are who you say you are, depending upon your pretext. All right, let's keep going. Heavy metal, that's my last one. On my way to a client, in the car, to get myself jazzed up. It doesn't have to be heavy metal, it could be whatever you listen

to to get yourself amped. Heavy metal does it for me, something like a little Iron Maiden or Slayer or whatever to get you jazzed up to walk into a bank when you're not supposed to be there, technically. Planning, and when not to. So, maybe this is going to be a controversial statement, what I'm about to say, but fear leads to overthinking, which in my opinion leads to over-planning, which leads to failing. So what do I mean by that? Imagine the following scenario. Your pretext to go on site, if you're doing a site visit, is as a firewall technician, somewhat common. The goal is to get in the server room,

prove you were there, which basically a lot of people just leave a business card to prove that they got in there. And then you've rehearsed every possible question, interaction, etc. You've planned, like, you know everybody that works there, you're on LinkedIn, you know who you're gonna encounter, Marcy here, Bob here, you've got this all down. You performed your OSINT, like I said, you know that Mike L is the network admin, so you expect a conversation with the receptionist when you walk in to go like this. She says, "Hello, can I help you?" "Yeah, I'm with Super Secure Firewall Company,

I'm here to perform the annual inspection of the device, I need to access the server room for about five minutes." "Cool, who's your contact here?" "Oh, I spoke with Mike L today, he said to let you know why I'm here and that he'll check in with me after the inspection." "Mike L hasn't worked here for three months." Uh-oh. So you did a lot of planning, but you missed this part. All you were planning on doing was encountering this receptionist, and you had your contact name, which was Mike L, and that was going to be your way in. Panic ensues. You hadn't planned on this happening, so you pause, stutter, can't pivot.

She subconsciously picks up on this, so now she's suspicious and you're likely blown. Okay, game over. So what I take from that is, and we'll go over this, but just high level, I think that, and like I said, it's controversial, people work differently, but from my perspective, I like to know the broad strokes of who I may encounter, what the place looks like, the entrances, the exits (if you're a social engineer they could be the same thing), a general understanding of where I'm going and who I may interact with and what my pretext is going to be. I personally feel like if I over-study,

if I plan for every contingency, I feel like if I do that I'm not able to flip it when it needs to be flipped, flip the script when it has to be done, and I have some examples here. So what I don't like to do is rehearse expected conversations verbatim, like, oh, this is how it's gonna go, this person's gonna say this and then I'll say this and blah blah blah. Don't plan your exact movements from location A, B, C, like, I'm gonna get out of my car, I'm gonna go to this door

which i know is likely to be open then i'm gonna go over here right i would say generally speaking know the doors right know your general idea for your primary goal of attack right so what happens if the reason for that is what if you're like okay my plan is abc but you miss in between a and b that there is a door that somebody just came out of for a smoke break that they propped open and then walked away right so if you have this like this tunnel vision into what your plan is going to be and you've over planned the hell out of it you're going to miss that which is potentially a much better way in

than the way you thought you were going to get in, right? Planning to go through the front door means you missed it when someone came out the side. Don't only bring gear for one pretext. Now, this is heavily situational, right? If it's a small engagement you may only need your one pretext; it depends on the budget, things like that. But if you have a lot of time, if it's a big client, like I said, maybe there's that downtown Boston giant office space, maybe your ruse is a construction worker, and maybe that all of a sudden isn't going to work anymore. Maybe then

your next one is the firewall tech, whatever it may be. Have a few things in the back seat. Like, I have three or four different ISP and technical company polos with their logos on them, with my name embroidered. It says that I have a CCNA; I don't even know what that stands for at this point, but I have one. Who's gonna question me on that? So be ready, essentially. Don't panic and do something out of scope (and we'll get to scope in a second), but the last thing you want to do is freak out and then do something out of

scope that's potentially even illegal. What you do want to do when planning is passive and active recon. What I mean with that: passive is the stuff where you're not touching. You hear about this with different types of pen testing, but you're not actively interacting with the client property or the client systems. So you're on Google Maps or something, doing the virtual walk down the street each way around the building, seeing from different angles where doors are, things like that. Active would be more like,

you know, you're going on site, and maybe they have a shared building space and you're walking through the lobby, seeing when people come and go, seeing when lunchtime is (I mean, lunchtime's always around 12, typically), but seeing what the general flow is, how security is: are they lax, are they super stringent? How do the turnstiles work? Are there man traps, things like that? A man trap being that you literally, physically can only go into the building one person at a time; there's no "hold the door" and 17 people come through with no attribution.

That's a little bit more active. I would also actively communicate your ideas with your points of contact, which we'll get into. Points of contact being the people who have promised (and I have a story about that) that they are going to be available if things go sideways, who work at your client and are going to vouch for the fact that you're supposed to be there, that you're not just some bank robber or something like that. Do settle on a pretext that fits your engagement. Let's say you're doing an engagement against

a firewall company, right? You're going in and you're going to try to get into their server room. Well, your pretext isn't going to be, I don't know, I'm blanking right now, but something not related to that. Pizza guy always works everywhere, right? Who doesn't want pizza? Flowers might work. Those things are generally pretty generic, and the pizza delivery thing specifically is very easy to get in the door. Things that get a little bit more in the weeds, where the character potentially has only one purpose to be there, are sometimes harder to wiggle your way out of, to transition into something else.

So all that to say, make sure that whatever you're going in as makes sense. Maybe that's worked out with your points of contact and your client beforehand, if they have a pretext they want you to use. But if you have carte blanche, use it wisely. Have all your phishing campaigns set up, all of your call pretexts set, like what you're gonna call as. Have the phishing campaign ready to go, so you literally hit play and it sends when you want it to send; you're not trying to fiddle with that while you're on client time. Have your physical equipment ready, like if

you do have badge cloners, whatever clothing, all that good stuff, have it ready. And then have basic answers for three types of likely questions you're going to get, not specific questions, but the likely types of questions. So I say who, what, where. Who are you there to see? Don't have just one name, not just Mike L. Who are you there to see, who do you generally know that works there? So you're not, like I said, tracked or beamed in on one person; you've got several people to play off of in your head. You have a general

understanding, a general knowledge of who's going to be there. What are you there for? Make sure that whatever your pretext is, you have it worked out in your head so that it makes sense. Again, you're not going to go in as the firewall tech and say "hey, I brought pizza"; it doesn't make any sense. So have that down for sure. And then where: where are you supposed to go once you're inside? First of all, part of that is going to be in the planning stages with your client points of contact: what do they want you to do? Maybe they have an idea, like "I want you to get access to

X room," or this file cabinet, or the server room, whatever it may be. Have a general idea, if you can, based on interior pictures of the building that you find on Facebook or Google or something like that, of generally where you're going once you get inside. Sometimes that can be hard, but at a minimum know what you're trying to get to. And then do mentally preload your pretext. If you're going as a certain type of character, how are they going to generally behave? The pizza guy is not going to be angry on his cell phone yelling at fellow employees; that doesn't make any

sense. He's gonna be happy, jovial, walk with a pep in his step; the personality kind of has to fit what you're giving off. Be comfortable using them, but again, be ready to pivot as the time comes. And have your get-out-of-jail-free letters ready; we're gonna get to that. So, what to bring. Engagement dependent: your real get-out-of-jail-free letter. What this is, basically, is for if everything goes south and you don't think you can pivot or spin your way out of something, and you're sure you're blown. This comes with time:

when you're new you're going to give up like this, then you're gonna realize you can push it and push it and push it, and there's a line somewhere, and that's just intuitive, you're gonna figure it out. When you get to that line, you have your real get-out-of-jail-free letter. This is basically a signed document with points of contact on it, signatures, everything you can do to make it look official, that says "hey, I'm so-and-so from the company, this person is helping us do a physical testing assessment, thank you for doing the right thing, you did what you were supposed to do, if you

have any questions, call me." The whole point is so they don't call the cops, or something worse. So definitely have those; again, engagement dependent, if it's a small engagement maybe you don't need them. Work it out with your points of contact beforehand so that they obviously know to be ready if they do get that call. But it depends on the engagement. And then the fake get-out-of-jail-free letter. This is kind of advanced. This is the one where it looks very similar to the real get-out-of-jail-free letter, but the point of contact on the bottom

might be the name of somebody who works there, while the phone number that's going to be answered on the other end is your helper on this engagement, who's going to pretend to be that person and say "yes, they belong there, let them go wherever they need to go, and please escort them there," right? The problem with that (and if I didn't explain that well, I will in the questions if anybody has one), the problem with that is you'd better be good enough that, if they don't like that, you hand them the real one and get them to believe that one is actually the real one. So again, use caution, be

comfortable in your social engineering before you break these things out. But it's something you can use. I have tried it a few times; the one time I did, they bought it, and then my point of contact, I think, forgot they were supposed to be the point of contact, and they were like "yeah, no, we don't..." But in my case I pulled out the real get-out-of-jail-free letter and they were cool with that; they were nice about it. But again, just be careful. Cigarettes, right, just in case. Remember that side door where people go

to take a smoke break? Well, it helps if you have cigarettes and a lighter; that helps build rapport with those types of people, so when they're back on the way in they hold the door for you to get inside with them. Hi-vis vest: this is construction, right? There's a lot of construction going on all over the place, especially if you're in a city or a pretty well-populated area. Maybe that hi-vis vest comes in handy if you get there and for some reason your other pretext isn't going to work, but you have that hi-vis vest and there happens to be construction going on,

or maybe there isn't construction going on, but if you can look like someone who's supposed to be there to do something in unauthorized areas, to fix an elevator, to fix whatever, people are not necessarily going to give you as much of a second look as they would otherwise. Plastic door shims: I mentioned these. Sparrows makes a kit; they have a lot of bypass tools, pretty good quality ones. Call spoofing app: there's a few out there, some work better for Android or iOS than others, but that is pretty self-explanatory, I guess. You can just say this is the number I want to appear

that I'm coming from, and this is the number I want to call, and that's what they see on their caller ID when they answer the phone. GUI-based phishing tool: there's several out there, Lucy is paid, GoPhish is free, there's others. It can help you with phishing campaigns. These days it's getting harder and harder to get phishing campaigns landed in people's inboxes, so with us, I know we're gonna have to start pivoting to using the cloud, Azure, things like that, for phishing engagements, which have other baked-in, kind of trusted features that a lot of people are going to let through by default into their

inboxes, past their servers. And pizza: who's gonna hold the door for you? If that's your ruse, if that's what you've planned it on (like I said, engagement dependent), who's not gonna hold the door for you if you have pizza or any kind of food, donuts, anything like that? Business cards, real and fake; I mentioned those. The real one for if you do get into, say, the server room: you're going to put those about the place to prove that you were there. Fake ones if somebody asks and you're not blown and they just want to verify who you are, so that's your fake card. Maybe you say

you work for Verizon or something; you have that Verizon card. The real one would be my Wolf & Company business card that I leave in the server room. What not to bring, and in all seriousness, this is not engagement dependent. I've heard of people being like, not a gun or a specific weapon, but "oh, I've got my pocket knife with me that I always carry." Don't. You don't want weapons, or anything that could be construed as a weapon, on your person if you get caught; it's just not a good look,

don't do it. What else? Seriously though, weapons. Excess gear: travel as light as you can, given the engagement. Any illegal tools in the state you're operating in, or that break federal law. The federal law one might be a little bit more obvious, but there are certain states where lock picks are illegal, so be careful. And then your staying-safe checklist. Are you crystal clear on your scope with the organization? There should be no daylight, or as little daylight as possible, between you and the people you signed the contract with about what you're allowed to do, what you're not allowed to do, when you're allowed to do it, who you're allowed to do it to, etc.

We do not want situations where, A, the cops get involved, and B, if they do, you can't prove that you're supposed to be there, or the client doesn't have a good way of verifying that to the police or whomever is asking. So the more clear you are, the better. Do you have multiple copies of your get-out-of-jail-free letter? You may end up having to give that to a couple of people, so make sure you bring a few. Double-check with your points of contact that they're 100% available during testing. I was on an engagement where I had two different people tell me that they were ready and waiting

if something happened, and then when I got caught, they called and they didn't answer. Also really not good. There are some places that literally build that into the engagement letter: if we get in trouble and you are not available when you say you're going to be available, you're going to be responsible for legal fees or anything else that happens. So this is important. Meeting the client: are there security guards? Are they armed security guards? Good thing to know. If the building is managed, let's say your client's on floors four, six, seven, and eight, and the building's managed by a third

party, does anyone there know you're coming? Because, hopefully not, but if you get caught by the security guards up front and they have no clue what's going on, that could be a problem. If you're blown, do not run, especially from the cops. Nothing says "I'm potentially a problem in a bank" like the cops showing up and you hightailing it out of there. Explain yourself, remain calm. If you did everything right, you've got your letters, you've got your points of contact, you've got people at your own company that can vouch for you; just play it as cool as possible. I mean, I don't

think the cops have ever been involved in anything I've ever done in social engineering, but God forbid it happens, at least you're prepared and you maintain your cool. So that just about does it. I have a lot of resources here; I will put my slides wherever people are putting their slides, I think on sketch, in PDF form. Conferences and events: Layer 8, the human hacking conference in Providence, is really awesome, pretty cheap. We did virtual this year; I did a talk there. Very good people, very focused on OSINT

and social engineering specifically; that's their conference. Layer 8 meaning the human layer. The Human Hacking Conference in Orlando, that's relatively new, that's Chris Hadnagy's team. Social Engineering Village at DEF CON. Who to follow on Twitter: we've mentioned a lot of these people today. TinkerSec, Snow, Jason Street, Deviant, Social-Engineer Inc., Joe Gray (that's C_3PJoe). Previous talks and other videos: TinkerSec, I think this is when I was talking about where he's in the bathroom, "Transit of Trust," pivoting and escalating privileges in a social engineering scenario; that's a really interesting talk, and it's really funny. That's online, I can't remember where,

but you can find it if you look up the title. Deviant Ollam, "I'll Let Myself In: Tactics of Physical Pen Testers," that's a really interesting talk about bypassing all kinds of doors, locks, you name it. Jason Street, Brent White, the list goes on. MasterClass, if you have a MasterClass subscription, which is really interesting; it's kind of like little mini classes, eight to ten episodes, good production value. MasterClass, Chris Voss, the art of negotiation, based on his book. I definitely recommend that one if you have a MasterClass subscription, or if you can afford one, or you're thinking about getting one; it's

definitely one to catch. Books: "Social Engineering: The Art of Human Hacking," Chris Hadnagy. Another one that recently came out from Chris called "Human Hacking." Joe Navarro, also I believe FBI, "What Every Body Is Saying," about body language, reading people. Daniel Kahneman, that's a classic, "Thinking, Fast and Slow." "The Social Engineer's Playbook," "Social Engineering: The Science of Human Hacking." Like I said, Chris Hadnagy is the go-to for all things social engineering. Robin Dreeke's book also, ex-FBI. I thought I had more than that; no, I don't. I thought I had more learning, but whatever, there's enough there to get started. So with

that, I'm ending a minute early. So this is "Just Jump: Lessons for Wannabe Social Engineers by a Recent Wannabe Social Engineer." I'm Joe, Wolf & Company; you can find me here, and thank you for watching. If there's any questions I'll be around. Thanks, guys. Yeah, if you want to stick around for a minute or two, we do have at least one. Somebody said they were a professional actor for years; should they put that on their resume? Oh yeah, yeah, I mean, that was my reaction too; it's like, yeah, if you're getting into social engineering, yeah. I mean, I wish I

had that skill on my resume as a social engineer. That's big; you know all kinds of things about acting, which is essentially what the job is, with slightly higher stakes. My question is, have you watched Lupin? I have. Because he does so much social engineering in that. So before I give my opinion, what do you think of it? It's funny, because my wife and I watched it together, and she's a nurse, so when we watch shows where some medical situation gets involved she's like, "oh my God, that's ridiculous, that's not how you

do that," and I'm like, "it's a show, chill out." Right, right. Same thing when I was watching that, I'm like, are you kidding me? I mean, in broad strokes, yeah, that's kind of how it works, with the handoff of the stolen thingy or the researching people, but then there are scenes in that where he's got all the pew pew, lasers and things going on, on all 17 of his monitors. It's a little bit overblown, but it's entertainment, it's a show. But at the same time, aren't you like, that's what I do? Yeah, yeah, it's better, but for

more valiant reasons, you could say, than stealing stuff. True enough. All right, what are some notable social engineering firms who operate in this field specifically, that's all they do? Interesting question. Well, Chris Hadnagy's company does specialize in that. I'm gonna be really honest and say that aside from his, I'm not aware of too many that do strictly that. I've heard of a lot of companies out there that do red teaming and have a huge component which is social engineering, but not specifically just that.

You caught me by surprise on that one; I don't necessarily have any other names on the top of my head. And honestly, from a market standpoint, I don't think it makes sense to specialize too much in it, because people expect to buy it as part of a red team package. Yeah, they're not going to say, "hey, let's do a red team, but let's farm it out to specialist firms: we're going to hire one firm to do social engineering, one to do the web app pen test, one to do the network pen." No, you just want your one shop to do that. Also, it probably makes more sense, like, I'm willing to bet there's

cloak-and-daggery operations that do those types of engagements for government agencies. Yeah, maybe, but I don't know of them, and I don't think many people probably do know about that; that's a different market. Yeah, the commercial stuff, that's not your average TrustedSec or whoever. And I assume TrustedSec does quite a bit, because they traditionally built some of the most popular tooling, the SE toolkit and all that. Yeah, exactly. Was there a time where you were almost caught but were able to wiggle out of it at the last minute? So the new part of my social

engineering is that I haven't had a ton of close calls, I will say, and this is not necessarily me bragging. Usually the thing that works is, over time, you're like, wait a minute, I'm not going to get in trouble from my boss or from the client if I turn up the annoyance factor a little bit because they're not letting me do this thing, or if I get on my cell phone when I can tell that they're starting to feel a little bit shady about what I'm doing there, and pretend to take a call in the middle of a conversation. So for instance, there was

one recently where I was saying that I worked for a construction company down the street; we had just burst a water main, and we were checking because, in order down the block to where that location was, all of the places were flooding, and there was water coming out of the toilets and the drains, and nobody knows enough about industrial plumbing. So that was the ruse, and when I could tell they weren't necessarily buying it, I pretended to take a call. I was like, "okay, yeah, I'm there now. Wait, are you telling me that the gas station next door," and I knew the name of the gas station because I knew this is what I was gonna

use, "they're flooding, the basement's flooding?" And then they start to pick up on that urgency, and they're like, "yeah, I don't want to be the one to tell them no and then have it happen here, so let's just let them do it." So I've had that happen, where that was kind of close, but never a "we're about to call the cops" situation. That element of urgency is useful; you don't want them thinking too much about the decision they're about to make. Yeah, and if you can tell that they're going down that path, I do feel

like it's a little bit of practice, or having the quote-unquote gut slash experience to know that you can do that and it's not gonna get you in trouble with your boss because you're a little bit rude to the client or a little bit pushy or something like that; that's what you're there for. Unless you start screaming and yelling and throwing things through the window; there's a line. What has social engineering looked like during COVID, if it's existed at all? A whole lot of phishing and phone calls. Yeah, I think I've done non-physical stuff, yeah;

I think I've done, since COVID started, maybe three or four in-person site visits, where it was small bank locations and things like that. Those were some of the harder ones, where you have to go to the branch and you're gonna make it or break it when you walk through that front door and there's a line of tellers staring at you. But it hasn't been great. I like those; those are my favorites, the on-site visits. Oh yeah, they're the most exhilarating, they're the most fun, they make for the best stories, you

know. So yeah, similar question: somebody's asking how wearing masks has affected it, because you don't have those facial cues and stuff, and it sounds like it's not an issue because nobody's on premises anyway, so you're not going anywhere. Right, yeah, the few times that I've had to, the mask was obviously a factor, but I'll be honest with you, in the moment I didn't necessarily think about how that might change the interaction. It was more of, "I'm going to do my thing, I'm pretty sure I've got my pretext down well,

I'm pretty sure I have a good story, I've got the urgency if I need to use it." But to be blatantly honest, I really didn't put a lot of consideration into the mask thing. Maybe I should have, because it makes a lot of sense; it's a good question. All right, I think if you want to pop onto the Discord there's some more questions there, but right now we need to bring Dan on and talk about the winners of the CTF. Awesome. Thank you very much, awesome presentation. Personally, it's an area that is just so much fun to me; I

always enjoy hearing people talk about social engineering. Yeah, awesome, thank you.