💾 Archived View for spam.works › mirrors › textfiles › phreak › social.txt captured on 2023-06-16 at 19:49:41.



                   /                                       /
                   /          File 04 / NIA070             /
                   /   Social Engineering A Way of Life    /
                   /     Written by - Malefactor [OC]      /
                   /                                       /


  Disclaimer
 ------------

        I take no responsibility for any of the information contained herein,
neither expressed nor implied.  I also assume no responsibility for the actions
or interpretations of the end user, neither expressed nor implied.  This file is
for informational purposes only and is an exercise of my right to freedom of
the press.  Although a few people out there get turned on by a good book
burning.

  Introduction
 --------------

        What exactly is social engineering?  Social engineering is basically
the delicate art of deception and manipulation for your own personal gain.
Social engineering can be used in every aspect of life: to avoid an "F" when you
withdraw from some insidious class, to convince a friend to loan you money, or,
where we are concerned, to convince a company that you are who you say you are,
and to give you what you want or need.  Through social engineering I have
gained accounts, dialups, and information on various things.  This file is
meant to introduce you to and familiarize you with social engineering, and where
you take it from there is your own concern.


  Guidelines for Social Engineering
 -----------------------------------

1] When you know little or nothing about a company you are trying to get
   accounts for, never try to find out that information by asking local
   offices.  This not only ruins future sites that you could have gained
   accounts from, but also may alert them as to your intentions.  By calling
   out-of-state offices the worst thing that can happen is you can raise
   suspicions in the Akron, Ohio office and not your local Palm Springs, Ca.
   office.

2] Never hang up or panic.  A few handy phrases are listed below:

      A]  "Ohh I'm sorry I just started last week and am new here"
      B]  Or if they ask for a number where they can reach you say, "I'm sorry
          but I am calling from an OutWATS line and cannot receive incoming
          calls" (although sometimes this does raise suspicions)
      C]  If you have a loop say, "Sure you can reach me at NPA-PRE-SUFF"
      D]  "Excuse me one moment let me get my supervisor"
      E]  Begin to answer their question and mid-sentence say, "Please hold
          I have another call"

3] Whenever possible do it in a team with a friend; then in the event of a
   "fuck-up" your friend can proceed to be either your supervisor, enraged boss
   for your indiscretion, or the person who says, "Hello who are you holding
   for?  I will have him/her call you back I need this line"

4] Never give them your home address or phone number; give them a busy number
   and a fake address.  Unless you are getting manuals, in which case you will
   need a loop line and a drop site, PO Box, etc....

5] Always take control of the conversation; the more confident you sound the
   more apt they are to believe you.  Always keep talking; don't give them the
   opportunity to get a word in edgewise and question you.  If you stutter for
   a moment some people will question you.  Be firm, but not rude or
   discourteous unless of course the situation calls for it.

  Gaining information about an unknown service or company
 ---------------------------------------------------------

        First off you will need to get a little information before you can
start doing anything.  There are many avenues you can take, and I will list but
a few of the better ones.

Method 1
--------

T=Target Company
Y=You

Call the company or information and get the number to the company.


T=Hello Joe Blow's Aerospace.

Y=Hello this is Richard Weiss and I was recently considering investing in your
corporation, but would like to find out a little more about it.  Can you tell
me where to call?

T=Ok, Mr. Weiss call 1-800-XXX-XXXX that is our stockholder information line.

Y=Thank you, and have a nice day


Now you may direct any questions about products, where their main office is
located, whether or not they're computerized, whether or not they utilize the
networks i.e. tymnet, telenet, etc..., quarterly reports (for what they're
worth), etc...

Note: Another variation on this theme is to actually call and say you are a
stockholder and would like information.  Usually they will send you out
pamphlets and brochures on products and services they offer, but this could
take weeks and is 9 times out of 10 totally useless.
                                    ----
Now you should know whether or not they have a system, where their main office
is, and whether or not it's accessible through telenet or tymnet (in some cases
they are reluctant to give out this information.)  Now you are almost ready to
begin.
                                    ----

Call up an out-of-state office of your targeted corporation.

T=Hello Joe Blow's Aerospace?

Y=Yes this is Edwin Meese from the Joe Blow's Aerospace main office in super
city I need to speak with your computer division (or if it is a small
organization say I need to speak with your computer account operator)

T=One moment please (or the number is XXX-XXXX)

T=Hello this is John Oberheim I operate the computer how may I help you?

Y=Well sir as you may or may not know we are recently updating your account and
I need to know which of our dialups you use to access the central system?

T=Well we call TEL-ENET.

(at this point you should be prepared if he gives you the local telenet or
tymnet dialup to recognize it)

Y=Ok yes sir, and after you connect to telenet which of our NUA's do you
connect to?

(At this point be prepared to explain what an NUA is and what a PSN is)

T=We connect to 212440

Y=Ok thank you sir for your cooperation and have a nice day.

T=No problem bye.

<click.>

                                    ----
Now you are ready to begin getting accounts.  You should have a dialup via
telenet or tymnet and an address, or an out-of-state dialup, in which case
you can call another office in that city and get an account and password.
Hopefully by this point the first fool you called would have blurted out the
name of the system.  If he did not, it might be a good idea to call another
office and find out what the system name is.  Say something along the same
lines, except add in their local port or telenet address and NUA, and when you
get to the computer/system part say, "after you call xxx-xxxx and type 212440
you connect with uhhh I forgot the name of our system it's on the tip of my
tongue I'm drawing a blank here etc..." at which point they blurt it out and
you say "that's it ohh I can't believe I forgot I need to get more sleep".
After this you can proceed to get this person's account and password using the
below method.
                                    ----

Method 2
--------

        This method is best when you know everything, and can skip the first
part.

T=Hello Joe Blow's Aerospace may I help you?

Y=Hello this is Ed McMan from Joe Blow's Aerospace main office in super city I
need to speak with your X account operator.

T=One moment please

T=This is Ed how may I help you?

Y=Yes this is Ed McMan from Joe Blow's Aerospace main office in super city, and
we are currently updating your account on X (system name)

T=Uh huh?

Y=Our records show you are using our xxx-xxxx dialup and using X (system name)
at NUA 212440.

T=Yes.

Y=We need your account so we can update our records.

T=Sure no problem it's 12ASFD21.

(This is where it gets tricky.  Most people, 9 out of 10, say yes, unless you
are calling New York where they are dicks, don't even bother)

Y=Ok and I also need your password.

T=Ok it's "secret"

(Usually if it's user selected it's pretty pathetic, but most corporate systems
don't allow user selected passwords anymore.  If he says no then you have to
say, "I understand sir I will have my supervisor Bob Hope call you back
whenever he is free" or you can say, "I understand can you call me back at
212-222-LOOP?"  An added note here is if you're calling from the main office
supposedly in Chicago DON'T GIVE THEM A 212 LOOP)

                                    ----
Vice versa:  A good ploy when employees are reluctant to give out passwords is
to call the main office, get connected w/the computer department, and say you
are having problems.  By now you should at least be able to give them a dialup,
an NUA, and an account, but no password.  This they will provide for you.  Say
something to the effect that you're new and everyone is out of the office
etc... and that you lost the password to the account.  Be real computer naive.
It works about 50% of the time depending on how convincing you sound.
                                    ----
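
Seen from the receiving end, the calls in the guidelines and in Methods 1 and 2
share a few tells: a request for a password, a callback number that is missing
or is not the office's number of record, an area code that does not fit the
claimed office, and a handful of stock excuses.  The following is an added
example, not part of the original file; the directory, phone numbers and field
names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed directory of record: the only numbers staff may call back.
DIRECTORY = {"main-office": {"312-555-0100"}, "akron": {"216-555-0142"}}

# Phrases taken from the pretexts quoted in this file.
PRETEXT_PHRASES = ("cannot receive incoming", "just started", "new here",
                   "updating your account", "lost the password")

@dataclass
class CallRequest:
    claimed_office: str           # where the caller says they are calling from
    callback_number: str | None   # number the caller offers; None if refused
    asks_for: frozenset           # e.g. {"dialup", "account", "password"}
    notes: str = ""               # what the employee wrote down from the call

def review(req: CallRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'refuse', 'verify' or 'proceed'."""
    reasons = []
    known = DIRECTORY.get(req.claimed_office, set())
    if not known:
        reasons.append("claimed office is not in the directory")
    if req.callback_number is None:
        reasons.append("caller gave no callback number")
    elif req.callback_number not in known:
        reasons.append("callback number is not the number of record")
        if known and req.callback_number[:3] not in {n[:3] for n in known}:
            reasons.append("area code does not match the claimed office")
    lowered = req.notes.lower()
    reasons += [f"pretext phrase: {p}" for p in PRETEXT_PHRASES if p in lowered]
    if "password" in req.asks_for:
        # Passwords are never read out, whoever the caller claims to be.
        return "refuse", ["password requested by phone"] + reasons
    # 'verify' means: hang up and call the directory number yourself.
    return ("verify" if reasons else "proceed"), reasons

# Constructed sample calls modelled on the dialogs in this file.
SAMPLES = [
    CallRequest("main-office", "212-555-0199", frozenset({"account", "password"}),
                "Says we are currently updating your account on X"),
    CallRequest("main-office", None, frozenset({"dialup"}),
                "Calling from an OutWATS line and cannot receive incoming calls"),
    CallRequest("akron", "216-555-0142", frozenset({"dialup"})),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review(s))
```
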
Well, that's the basics down.  Now that you are aware of the basic principles
behind social engineering, I will cite a more prevalent example.
                                    ----

Social Engineering Dialog Accounts
----------------------------------

        What is Dialog?  Well, according to Thomas Jefferson, Dialog is Power.
Not really; just good for research and reports.  If you want Dialogs try
Libraries, Engineers, and Large Research Companies.

        Here is what you say word for word.

L=Library, Engineering Firm, Large Research Company.

Y=You


L=Hello this is X company how may I help you?

Y=Yes this is Pia Zadora from Dialog I need to speak with your Dialog account
operator?

L=One moment please transferring your call..

L=Hello this is Charles Manson how may I help you?

Y=Yes this is Pia Zadora from Dialog.  Recently as you may or may not know there
was an earthquake in San Francisco where all of our billing information is
stored and your account information is outdated as we had to use tape backups
from six months ago.

(This is where it gets tricky.  A company called "AIMES" does a lot of Dialog's
billing; in that case say you still need the information for your records)

L=Ohh yes I heard it was awful.  How can I help you?

Y=Well I need to find out when you were last billed by us and on what account?

(On Dialog bills the account number is used as a cover sheet on the bill)

L=One moment please (or they might say their accountant isn't in or that it
will take some time to dig up)

(Option one if she's got it.  Option two if she says it will take some time)

Option 1
--------

T=Hello?

Y=Yes.

T=We were last billed August 13, on account 203247 and we were also billed
August 13 on our other account 103452.

Y=Thank you and what are the passwords on those two accounts?

T=They are both "ursula"

Y=Ok thank you very much have a nice day.

Option 2
--------

Y=Ok well I need this information now I have a lot of other calls to make what's
your account and password and I will try to pull it up through the network?

T=The account is 292910 and the password is "bubba"

Y=Ok hold on for one moment.

Y=I was unable to pull up the information.  When do you think you will have
the records and when would be a good time to call back I really need the last
billing period?

T=4 o'clock.

(Ok so you call back and get the worthless information but they trust you more.
Not every place you call will be easy.  If they are the least bit reluctant or
untrusting lead them for awhile, talk and chat about the earthquake, the weather
or whatever turns em on.  The reason you call back later is so that they don't
call Dialog with the last billing period trying to be helpful and killing your
accounts)

Social Engineering and the business office
------------------------------------------

        Ok to find out information on a line listed or unlisted you can call
the business office.  Occasionally they won't give out information or they
will want your local CNA or to actually call you back.  Most of the time
however they don't.  The only ones that seem to be a bit fickle are 612 and 713
that I have encountered.  It's just a matter of who you get.  This works better
than CNA and usually isn't as hard to get through to.

B=Business Office

Y=You

                                    ----

B=Hello this is the business office how may I help you?

Y=Hello this is Richard Weiss of Michigan Bell I need a CNA Listing (or just a
listing) on NPA-PRE-SUFF.

B=Ok that number is billed to Joe Blow.

Y=Ok and do you have an address on that?

B=Yes it's 1234 Laurel Lane.

Y=And are there any other numbers billed to that account?

B=Yes there is 123-456-6789 and 123-456-1234

Y=Thank you have a nice day.

<click.>
                                    ----

Socially Engineering McDonald's Accounts
----------------------------------------

        This is the best one for you to practice your art on.  There are a
multitude of McDonald's all across the nation, and if they aren't a franchise
they have a TI and ISP account on their mainframe accessible through telenet.
A little background information: their computer is at NUA 313160, and you
enter your password then account.  The passwords are in the format 1,XRRRRRR,
and the accounts are usually MSNNNNNN. (The R's represent a Random mixture of
Letters and Numbers and the N's represent Numbers)

M=McDonald's

Y=You


M=Hello this is McDonald's I am McChuck can I McHelp McYou?

Y=Yes this is McGandi from the main McOffice in McChicago I need to speak with
the McManager.

M=This is the McManager McZsa Zsa Gabor how can I McHelp McYou?

Y=We are currently updating your account are you the one who actually calls in
and does the tandem reports?

M=McYes that's me.

Y=All right so you call McTEL-NET (give em the number to telenet) and McConnect
to McNUA 313160?

M=McYes that's McRight.

Y=Ok well I need your ISP Account and Password.

M=Ok my account is 1,X23T2NN and my McAccount is MS629191.

Y=Ok thank you and have a nice day.

(A variation on this theme is to ask for the TI account and password, another
account type I have found they have with less privileges than the ISP accounts.
Unfortunately the Mc's are all necessary, it is a specialized McCode they use,
and if you don't use it they McSpit in your McFace, and if you Mcbelieve that
don't McTry McShit cause no one will McBelieve McYou.  Seriously though the TI's
are easier to get and more people than just the manager use them.  Sometimes
the managers make career moves out of McDonald's (really brilliant individuals
lemme tell ya) so they are fickle, so if the manager isn't in ask if they call
in to the computer in the main office and then proceed to get their account.)

                                    ----

Variations on the themes
------------------------

1] If you want manuals call up a location pretending to be someone else and say
   we are currently updating our manuals, and if you send us your manual you
   will receive one for free blah blah blah.

2] If you need to find out commands or information on a system call up and say
   something to the effect of: I am calling from the main office and we are
   re-doing our system and taking a survey on it to see what changes to make.
   Which commands do you use the most often, and what commands do you feel are
   difficult to use and why?

3] Call up one office pretending to be from another and say your account is
   being updated or your computer system is down and you need theirs.

This works excellently!
-----------------------

4] Call up large company buildings, get transferred from about three departments
   until you are where you want to be and say, "Hello this is Tammy Fae Baker
   up in marketing on the third floor I need the code to the PBX, computer, or
   whatever you want."

5] Call up big department stores around Christmas and get transferred a few
   times and when you get to a sales department say, "This is Joe in children's
   clothes I need the tele-check number (or whatever credit check service they
   use)"  If they give you any lip say, "Look some kid tore off the sticker and
   I am going nuts down here."

6] Be creative and if you think you have something special figured out leave me
   mail I'd like to hear about it.

Note: Unauthorized distribution or alteration of this file may result in severe
credit damage.