
Hello, how is everybody? Enjoy your lunch? Cool. My name's Chris and I'm here to talk to you about the basics of social engineering. The whole premise of this talk is I do not want to talk about micro-expressions or psychology or body language or anything like that, because I don't think you need it. Show of hands: how many people in this room are interested in social engineering? Cool, nice. How many people in this room have done some social engineering? Cool, okay. How many people in this room have not done social engineering but really, really want to? Okay, so some tentative hands there; be a bit prouder with that, but that's cool. Okay, um, so first of all I want to clear up
some terminology, some words I'm obviously going to use, but just in case people don't understand them I thought I'd go through them. So, SE: social engineering, relatively straightforward, I think. CNI: critical national infrastructure. This could be water, this could be power, this could be trains; this could also be airports, which I'll talk about in a bit. OSINT: open source intelligence. This is using things like Google etc. to find useful pieces of information; again, I'll talk about that in a bit. Pretext: I'm not going to read this exact wording here, but this is a story. This is a story that you are going to tell your target about why you are potentially supposed to be there.
Normally it's a complete lie, but you need to think about it. And the last one, NDA: everyone here probably knows about NDAs. If you ask me a question and I say "no comment", it's probably because I'm going to reveal some information about our client and I can't do that, so I'm sorry, and I'll try and answer your question as best as possible, but if I say "no comment" there's probably a reason for it. So the first step that I always do is reconnaissance, and I'm going to perform some kind of OSINT, some open-source intelligence, against my target. So we use things like Google Maps; I will use Street View or use their websites, I'll even use their social media website if
possible, and look at things: what does the building look like, where is it, what's around it, what can I use, what's there, what other facilities are in the area. Really useful bits of information that you can get from OSINT, definitely worth doing first time round. The next thing I will do is I will actually go, probably a week before, a day before maybe, on a walk round the target. I'll walk around the premises and see what I can see, and things that I'm interested in: where are the CCTV cameras, where's security, all those kind of things. Where are the back entrances? Where are the smoking sheds? All really useful things to be able to, normally
outside of the perimeter of the property, that will allow you to interact with staff and get in with them, hopefully. Is it a shared office? So London is a prime example of that: often there are big buildings, lots of shared offices. One of the great things about shared offices is sitting in reception. Just sit there; there's normally seats or sofas or something along those lines. Just go and sit in reception and observe. See what is happening, see what's going on around you. When you're in that area and you're walking around the perimeter, what are the staff wearing? How do they dress? Are they wearing suits? Are they wearing smart trousers, smart shirts but
no ties, for example? If so, and this is all pretext dependent, you probably want to match that in some way, because if you want to blend in there is no point turning up in a fireman's uniform to a smart office. You're going to stand out. You don't want to stand out, you want to blend in, so look at what they're wearing. It might be a very cool company that just wears jeans and t-shirts; if so, know about it, wear the same thing. What else do you notice? ID badges: where do they wear them? Do they have any? Have they got them on a lanyard like this? Are they wearing them from their belt? What color are they? Do they
have any metal pins on the side of them? So I went to one place, and it's a bit like McDonald's, where they had lots of little badges along the lanyard, but I thought, okay, I need some of those. So I went and got some metal pins and just stuck them randomly on my lanyard. Great: the eye will see that sort of thing and think, he's supposed to be here, he's got some metal pins, metal badges, the same as everybody else, he must be one of us, great, let's let him in. The other thing to be really observant about is when you are there, and I spend an entire day sometimes just watching: when you're there,
one of the really key things, and again this is pretext dependent: when is the busy time? Because coming in and out, tailgating in and out when it's busy is really, really easy, but if you want to go there in a quiet time you need to know when that quiet time is, so have a look. So once you've done all that and you've got all this amazing information about your target, you know, the business or the premises that you're trying to get into, the next thing you need to do is construct your pretext. So this is that lie that you are telling whoever interacts with you, if they interact with you, about why you are supposed
to be there. It's a lie; that's fine, you're just doing a job, so it's okay. What I would suggest, if you were just starting to get into social engineering and you're a little bit unsure or a little bit unconfident about it, is I would make your pretext fit your knowledge. So if you've got an IT support background, great, use that, make that your pretext. If you've got a support background or if you're a sysadmin or a DBE engineer or anything, whatever it is, whatever your knowledge is that you've got a really strong background in, use that as your pretext if this is the first kind of job that you've ever done. And the reason I say
that is, guitar players in the room will probably understand this: muscle memory. If you practice something on a guitar over and over and over again, eventually your fingers know it, your brain doesn't think about it. You're doing the same thing here: your knowledge is already embedded in the back of your brain and it comes straight out. So if somebody asks you a question, "oh, what are you doing?", "oh, I'm here to fix so-and-so, I'm here to look at the printer, I'm here to look at the network": if you've got that knowledge, those answers will already be in your brain and you won't be nervous about it and you won't be hesitant, and that's really, really
crucial, because you need to be able to fire back an answer to a question quickly. So use what you've already got in your brain and use that as your pretext. And again, the other reason for doing this is if you shroud a lie in part truth it becomes believable, not only believable to the client and the target or the person that you're interacting with, but yourself; you believe it as well. Get your outfit on. So if you are going into a customer who is wearing smart outfits, wear a smart outfit. Again, this is pretext dependent: if you are going somewhere that, or your pretext is saying that you are doing something that is not the same outfit or the same uniform that
the client is wearing, and let's say maybe you were going to pretend to be a cleaner, which is a common one, wear that outfit, get it on. One of the other things that I do quite a lot as well is talk to myself in the mirror. I know that sounds a little crazy. One of my alter egos when I do social engineering is Leon. I've made up a guy in my mind called Leon, and Leon is an IT network engineer, and so I will sit there in front of a mirror before doing any of this and say "Hi, I'm Leon from IT networks, come to help you with your networking, your Internet's going slow," and I will sit there and I
will repeat that in my mind five, ten times, and the reason I do that is because, again, I want that information to come back from my subconscious and I don't want any hesitation. I could use my real name but I try not to. The other thing is, if you are going to go in as an IT support engineer, remember your props. So you wouldn't turn up to fix a networking problem without a laptop and a Cat5 cable, right? No. So bring it with you, and whatever other props you need, again based on that pretext. If you're a cleaner you wouldn't turn up with a laptop and a Cat5 cable. So think about that, think about what your story is and
your pretext is, bring things to support it, because the people that you interact with in that building, in the office, are going to look at those things casually. They will casually glance at those things and go, "oh, he's got a laptop and a Cat5 cable, he must be the IT support engineer, great, let's let him in," and they do. The other thing I'd say is, I've had this before, excuse me, get there on time. By that I mean get there at the time that you want to go in. So if you want to go in at a quiet time, be there at a quiet time; if you want to get there at a busy time, make sure you are there at a
busy time. And I'll tell you why; I'll tell you this story. I had to get into an office in Edinburgh. I live happily in Bristol. I flew on the morning; I thought I can get a six o'clock flight and I can get to Edinburgh before nine o'clock in the morning, and looking at times, yeah, I should have been able to do that. Unfortunately easyJet wasn't particularly reliable on that day and I got there late, and I had a problem: I wanted to get there at nine o'clock in the morning and get in there with the busy rush-hour traffic. I couldn't do it because I was late, something that was completely out of my
control. Luckily I was able to try again, so that wasn't too much of a problem, but it can throw you, it can really mess with your mind and the way that you're thinking. So get there at a time that you want to get there. So I'm going to skip a massive bit here, and the massive bit is you actually getting in, because I want you to do that and work that out yourself. But let's assume you're in, and there's a good chance you will be. There's a good chance; most of the places that I've been into have required no complex pretext, no complex outfits or uniforms; literally, you've just basically tailgated into most
places by following these simple, simple rules. So you're in; what happens next? Well, I'll tell you what happens next, and not many people really realize it, but you get this massive adrenaline buzz, and I mean massive. Your hands will shake and you will not start thinking clearly and you will not know what to do; you don't know what you're supposed to be there for. So keep calm, really calm, and if you can, find a toilet; I'll come to that in a minute. So going back to the OSINT: you know where you are in a building, relate that to the maps and the designs and the drawings or whatever it is that you saw, and think about where
you are. Remind yourself of that. You need to start building a mental map in your brain of where you are, because it's really, really useful. You are supposed to be an employee in somebody else's company; you've probably no idea where the cafe is or anything like that, but you need to pretend that you do. So start building a mental image of the location, of the layout. Look at signs, look at where the toilets are; I'll come to the toilet. Be observant. None of us do this really, really well. I've done some tests on this with my colleagues and we are not amazingly observant. This is one of the key things I would tell anybody to
really, really practice: being more observant. Look at where the signs are, look at what people are wearing, look where they're going. Traffic flow inside an office is amazingly useful, but we don't look at it. We should; it helps. So, the toilets. I have another colleague who has a laminated sign that says "out of order" that he takes with him on social engineering jobs, and the first thing he does, and I do exactly the same thing, is go and hide in the toilets, because that adrenaline is making you very, very nervous but also very, very excited. It's best to calm down, because you will give yourself away if you don't. Once that adrenaline has subsided and gone out of your system, the other
thing to look for is your escape route, because there is a potential that you might want to get out of here. And if you do find that escape route, what kind of buttons are the exits? Are they swipe card controlled? That could be an issue if you don't have a swipe card, and you'll have to tail somebody out again, but that's fine, you can work on that. Or are they just push-button exits? If they're push-button exits, brilliant, that's really, really useful, because you can just escape whenever you want by pushing a button. What else do you need to know? So nine times out of ten a client will give you a target. A
target could be anything: it could be a folder in the CFO's office, it could be their server room. Well, you need to know where it is. What's the best way, do you think, of finding that target? Yes, if I wanted to find out where the server room was, what's the best way of finding out? Ask somebody, absolutely. Don't be afraid to ask for help. Nine times out of ten, if you are inside a swipe-controlled access area and you've gone past reception, you've gone past security, nearly everybody that I've come across assumes that you should be there, and that you are supposed to be there because you've bypassed all of these other controls; someone else has done their job,
so that's cool, this guy is inside, he's supposed to be here, so that's okay, I can give him help. So don't be afraid to ask for help, because nine times out of ten we as human beings are very, very helpful, and we hold doors open for people, but we also will tell them things. I went to one customer once, couldn't find the server room, asked somebody where it was. They showed me, but not only did they show me, they went to use their swipe card on the door. It didn't work because they were just a non-IT person. They went round the entire office for me, asking every single person in the office, who's got
access to the server room, can I borrow a swipe card? Nobody in there did, so she went to the CFO, took a swipe card off his desk and came back and opened the server room door for me. So don't be afraid to ask for help, because nine times out of ten people will help you. If you manage to sit down at a desk or hot desk or an empty desk and you're, you know, pretending to fix that IT network issue, engage in colleague-related chitchat. If somebody is talking about their holidays or talking about recent pension changes from the company or anything like that, engage in it, because you're supposed to be there, but it also
reinforces that thing, that you are supposed to be there, as well.
This one's an interesting one to explain. Chris Hadnagy, who knows Chris Hadnagy? So I went to his Advanced Practical Social Engineering course last year, and this is one of the things, not the only thing obviously, but one of the really cool things that he taught me. I didn't understand it at the time and now I do: always leave people feeling better for having met you. And the reason for that is, so I went to an airport, and obviously I can't tell you which one in this particular instance, and got into the main offices, and I wanted to plug into the network because that was my target. I walked along, and again I was being observant;
I saw numbers on the desks and I thought, oh, that's useful. I saw a lady at the very, very end of the office who was obviously in a position of power, authority, knew what she was doing. I'm assuming she was somebody important, secretary or something along those lines, but she was powerful, she was in control. So I purposely made myself look lost, and she spotted this, and because people are helpful she came out to me. She went, "are you okay? You're looking a bit lost." I said, "yeah, I am a bit lost. Leon here from the IT networks team, I need to find desk number 1049, can you help me?" Oh yeah, yeah,
yeah, hold on a minute, and she literally scurried around the office looking for desk number 1049 for me. So she found it, I plugged into the network, I did all the stuff I used to do. Brilliant, thank you very much. But the thing is, I was nice to her and she was nice to me, so we built a rapport, and then we sat and talked. And what's really, really great about that is I then left that particular area and went somewhere else, but because I'd left her better for feeling, or sorry, feeling better for having met me, it was really, really easy to go back and talk to her again and just engage in chitchat, because it
is again really useful to return back to that new friend, because they can help you. But not only that, it builds acceptance from everybody else who's around in the office that you should be there, because I was talking to somebody as if I knew them. So that helps everybody else in that office reinforce the fact mentally that you should be there. Great, that's what you want. So I am going to talk about, and I said I probably wouldn't, I'm going to talk about one piece of psychology-related advice. I won't go too deep into it, but: frames. When we talk about things we tend to frame things. The one key thing about framing is, and I would say this in
this particular way: don't negate the frame. And by that I mean, if I tell you not to think about pink elephants, you're probably thinking about pink elephants. Similarly, if you walk up into somewhere and say "hey, it's Leon here from the IT support team, I've come to look at your network," and somebody looks at you a little bit confused or a little bit dodgy, if you then say "don't worry, I'm not here to hack your network," what's the first thing they're going to be thinking? Exactly, yep, they're thinking "oh crap, he's here to hack." Cool. So you've done it, you're in, you've got the thing you wanted to do, you've got your target. What else do you
need to know? So these are just some little tips based on experience. It is really, really scary. It takes, I don't know what it takes, it takes something to do this, to overcome the fact that you probably shouldn't be breaking in, essentially, into somewhere.
My suggestion would be practice, and do it in other ways, in safe ways, but don't worry about it: nerves are natural, they are a natural, natural thing. Who in this room thinks I see rehearse? Have some hands. Actually, who in this room thinks that at this precise moment in time I am not nervous? Yeah, you're right, not a single hand, and you're absolutely right, I am dead nervous. But sometimes you just have to do these things, and what's good is the more times you do it the better you become at it, and the nerves just, they say they subside; they don't subside, they're still there, you learn to deal with them. Go and hide
in the toilet. This is a very odd piece of advice, I admit, but it really works. Go and sit in that toilet; I don't know how long it will take you, 15 minutes, 20 minutes, it doesn't matter. Go and hide in that toilet and let that adrenaline subside out of your body. You will be more successful if you do that. The other thing that I don't think many people really appreciate when they do social engineering is it's absolutely exhausting. You are essentially pretending to be somebody else for an entire day. So not only have you got the adrenaline, where you have a massive spike and then you have a massive low which drains you, you are then
pretending to be someone else, you then have to be really, really observant, you then have to build a mental map of where everything is in this building, you then have to learn where the toilets are. You've got all of this stuff that you have to do in one particular day or maybe over a couple of days. I guarantee you, the first couple of times you do it, at the end of the session or the end of the time that you are breaking in, you will be exhausted. It is tiring, really, really tiring though. Really, it is tiring, really, really tiring. So give yourself time to come down after the job. One particular place I went to
was a three and a half hour drive home. It was probably silly of me to drive home after doing that, because I had been in there an entire day, this was a high-pressure environment where we're talking men with guns, and a three and a half hour drive home after that: not a good idea. I stopped; I had to sleep in a service station. That was a better idea. So be prepared; add back into your schedule English goping, whatever you want to call it, but it is exhausting. Don't be surprised if you are absolutely knackered at the end of it. So going back to the fear, the other thing that I struggled with is the ethics. Most of us,
most, and I appreciate I'm in a room full of hackers here, most of us have ethics. Most of us have been taught you can't go into that room, you're not supposed to be there, and that is a very difficult mental barrier to overcome. If you do have that issue, and I definitely did, this is how I got over it, this is how I tell myself mentally, I've convinced myself mentally that it's okay to do this: tell yourself you're acting. I am acting. My name is Leon, I'm Leon from the IT support team. So that really helps. Still a bit of a struggle mentally, but it helps, definitely helps. So, next steps for those of you that are
interested and want to take this a little bit further: read some books. Here are some really, really great suggestions. There's a lovely book by a lady called Amy Cuddy, a book called Presence. Does anybody remember the original Wonder Woman, the TV series? No? Oh, there is somebody, good, I carry recently good. The original Wonder Woman used to have a pose, and it was basically like that, and Amy talks about how that is mentally reaffirming and gives you confidence, and it's a brilliant book, definitely worth reading. The other one: so charisma is useful in social engineering, obviously. A lovely book by Olivia called The Charisma Myth talks to you and helps you develop your own charisma and how to break down your
own mental barriers. Brilliant book, really, really worth reading. Ian Mann: Ian Mann works for a company called ECSC. If you go and see him, he's in InfoSec at the moment, and if you ask him nicely he will sign his book for you. Ian has been doing social engineering for 17 years, that's a long time. He's stopped doing it now and he's mentoring some own guys within his team. He's still a really, really knowledgeable bloke, and he's also a really nice bloke as well. Go talk to him, he's nice. And his book, his first book and the second book, are both really, really interesting. Obviously I couldn't talk about books without lecturing Chris Hadnagy's book as
well. I'm not sure if you know, but Chris had to release two versions of his first book. The first version had a picture of Simon Cowell in it; a lot of trouble, because he didn't have permission to use Simon Cowell's picture, unfortunately, and I think they shipped about a thousand copies and he had to recall them all, and some people have still got that one. The other thing I might suggest to do, same with everything in the world: practice. Practicing social engineering is difficult, but one of the things I would suggest to do is push yourself to do things you wouldn't necessarily do, to build your confidence, and that could be really, really silly things like go and
stand outside of a queue at a gig. So if you're at a gig and you're in the queue, there's a massive long line and there's a barrier just to guide people: go and stand the other side of it. What happens? Do you get in trouble? No, probably not. You probably get a burly security guard telling you to get back in the line or something along those lines, but mentally you've just pushed yourself to be somewhere you're not supposed to be, and that is good practice. So try that sort of thing. The other thing I'd definitely say is practice being observant. Stupid things: when I came and arrived here I walked round the premises, bad habit, and I
counted how many security cameras there were and where they were pointing. But do that sort of stuff: have a look around, see what you see, take note of things. Even going to silly places that you would go to every day, have a look. Look at where the exit signs are, have a look at the swipe buttons: are they swipe buttons to get out, are they push buttons to get out? Take mental note of that kind of stuff. And that's it. I want to say thank you. I want to say thank you because I first came to BSides London in 2010. It's a great community. I didn't know anybody, I turned up on my own and just started talking
to people, and what's amazing is that everybody here is always really, really friendly and accepting. So I just wanted to say thank you for that, because you really encouraged me in my security career. Any questions?