Humans. These creatures are involved in every system that hackers encounter. Guess what - humans are the most vulnerable component and a fruitful target for information gathering. Surreptitiously gaining what you desire is called social engineering (SE). Surreptitiously, here, does not mean without the target's knowledge. It means the target does not have knowledge of your motives or who you really are. This is not to say social engineering always occurs face-to-face. Social engineering can be used through the telephone, electronic mail, physical mail, or through another person. This article will demonstrate (and hopefully inspire) the use of social engineering, not through fictional scripts, but through real-world examples from the author's experience or those he has witnessed.

Table of contents
-----------------
1 Retail Paging Systems
2 Airport White Courtesy Phones
3 Hotels
4 Calling Technical Support
5 Calling AS Technical Support

Retail Paging Systems
---------------------
Asda store phones have clearly marked buttons for the paging system. Asda is the exception, not the rule. So how do you get on the paging system to have a little fun when you're bored out of your mind shopping with your girlfriend? Social engineering, my whipped friend. Find a phone and dial an extension, preferably the store op. The key here is to become a harried employee, saying something similar to... "This is Bill in shoes. What's the paging extension?" More often than not, you'll get the extension without another word. Now, get some by saying something sweet over the intercom.

Airport White Courtesy Phones
------------------------------
Imagine you've already been strip-searched and you're waiting for your delayed flight. Naturally, you gravitate to a phone. Is it white? Then you've got a free call right in front of you. Just pick up to get the op. "This is Bill at Southwest, Gate A5. We're swamped and our phones are tied. Can I get an outside line?"
If the phone does not have DTMF, or the op wants to dial the call for you, do not call a number related to you.

Hotels
------
Hotels hold such promise. Some hotels have voice mail for each room, with guests receiving a PIN when they check in. Hotels also have "guest" phones: phones outside of rooms that connect only to rooms or the front desk. Pick up a guest phone, make like a friendly guest and say, "I forgot my PIN. Could I get it again? Room XXX." Knowing the registered name of the target room helps, for the Hotel and Restaurant Management Degree Program graduate may ask for it.

Do not follow through with the next social engineering example. Or, like the author, try it on a friend. Go to the front desk and tell the attendant that you've locked your key (card) in your room, lost it, etc. Do not try this with the attendant that checked you in. And again, do not enter someone's room without permission.

Calling Technical Support
-------------------------
So you've found a new-fangled computerized phone and you want to learn more about it. Do the same thing you do when you have trouble with your AOL - call tech support. First, do a little planning (after getting the tech support number off of the phone or the web). Get some info on the phone, like phone number, model number, other identifying numbers, etc. Also, know the name of the facility in which the phone is located. Now that you've got some ammo, you're ready to make the call.

Posing as an employee of the facility, call tech support and make up a problem for the phone you've identified. Act a little dumb and be apologetic, acting like you don't want to waste their time. All the while, pump them for information - "I hate to bug you for this, but ." And so on until you reach the point where you can feel that it's time to end the call. Occasionally acting amazed at their knowledge may be helpful.

Calling AS Technical Support
----------------------------
When you've determined what you want and where you want it from (don't call MIT as tech support, by the way), make up a "report" of a problem. More than likely, there will be a problem, or the person you call will have a question. Questions are gold! Even if you have no idea what the target is talking about, you can of course fake it and use that question as leverage to gain more information.

Practice these easy-to-do examples of social engineering and then extend the skills you gain to larger projects. And no, Dude, do not be funny when social engineering - that'll get you nowhere. Most importantly, do not use your SE skills for evil. Have some fun, gain the "forbidden" knowledge, and use your skills wisely.