  1. #1

    The technology of Social Engineering

    Yes, social engineering has its technology too. One of the most useful devices of the modern age is the telephone, and it is the core tool of the Social Engineer. In the next few articles I'd like to cover Selective Call Interception. It's undoubtedly the most useful box for the social engineer as it gives you instant credibility.

    In fact, it is SO useful that MI5 use the technique extensively (albeit mostly at the exchange rather than the connection point).

    Okay, I know you're itching for the juice, so let's dive in:

    NOTE: The first parts of the article are going to show the various modules, their purpose and how they generally fit together. There will be a number of ways to put these modules together and we will look at each. Don't be dismayed by the apparent lack of actual circuit diagrams - those will come towards the end.

  2. #2

    The technology of Social Engineering
    We begin with a scenario:

    Let's put you in the place of a corporate spy. Your target is the rival office of your client, and although it's so easy to place a member of staff (employee positioning), it is costly and you can't get into management very easily. The best you have so far managed is to place a minimum-wage phone-monkey who, for the past week, has been answering phones and wants out pretty soon.

    Your phone monkey (when not answering endless customer complaint calls) has found that there is an office laser printer which would be great to tap as it is used for the printing of client proposals, contracts, meeting notes, etc.

    Now, although you can tap an ethernet printer using an 802.11 wireless module (re-tuned illegally to be off-band) and use a similarly modded device attached to a parabolic or Yagi antenna to listen in to printer traffic at range, there are some problems.

    Unfortunately, there's no way she can open the printer, unscrew some panels, and start poking around in there with a screwdriver. You need to get an engineer on the inside without anyone getting suspicious, but how? Let's face it - if you just call the office and claim to be 'maintenance group' sending someone over for the printer's annual check-up, it just ain't gonna fly.

    Time to grease the wheels with a little hacker magic...

  3. #3

    The technology of Social Engineering

    Your monkey takes her timetable and asks if she can print it... no problem. Takes a walk over to the printer and looks puzzled. Goes back to her PC... sends again, goes back to the printer and looks more puzzled!

    Why? Because a little clear nail varnish works wonders at insulating the pins of an ethernet socket, that's why... and so the printer isn't working. Now, the IT Department probably fix all the computers onsite, but a laser printer is always an outside job... Time to call an offsite maintenance contractor. If only we could intercept that call.

    I mean, they are *never* going to be suspicious of an offsite worker that they called in themselves. They just issue a guest pass and show them where the problem is. So, with that as our goal, let's take a look at how a professional corporate spy would leverage this to get their own 'technician' invited on-site.

    NOTE: I really don't want to get into the usefulness of bugging printers, since that's not what this article is about... If you have a problem with this, imagine that the printer usage is uninteresting. Instead, we're using a WiFi tap to give us a concealed node onto the sensitive LAN without negotiating the perimeter - the printer is just a convenient box to put it in. If you still have a problem with the whole concept, PM me, and I'll write up an article on miniature 802.11 modules and how we can build passive ethernet taps designed for rapid deployment.

  4. #4
    Junior Member
    Join Date
    Mar 2016

    The technology of Social Engineering
    There's a handy device called a 'Selective Intercept Box' (somehow it missed being given a 'box colour'), which sits between the subscriber and the exchange and selectively diverts calls based on dialled number. It's so damned useful at creating credibility in any given situation that I'm quite frankly surprised very little has been written about it. Essentially, they work by monitoring line activity (incoming, outgoing or both) until a call condition arises which needs to be intercepted - it then removes the physical connection between the target and the exchange, and connects the call to a fake endpoint (or, alternatively, routes the call via the exchange to an endpoint other than the one dialled).

    The simpler boxes allow digits through till the last digit is dialled. Then, if the dialled digits match the target number, they disconnect the user from the exchange... pick up the exchange side... speed-dial the divert number... and then reconnect the subscriber to the line to hear the ring. The boxes of this type I have seen generally use salvaged automotive relays for the switching, but this is noisy... others switch via capacitors to soften any 'clicks' on the line. And some very early ones used complex arrangements of CMOS counters and logic ICs rather than a dedicated microcontroller.

    Whilst this works, it is cheap and dirty and has a few problems...

    Firstly, it will cause a delay and a 2 second drop in background audio for the subscriber. It tends to click loudly on reconnect. It also causes the real number to ring for a brief moment, which may be enough to have them call back (although, it must be said, that it normally wouldn't be enough to get CallerID, which occurs between the first and second ring).

    The more modern devices don't cause the line to lose power, are microcontroller based, can be programmed with multiple numbers to divert, and can watch multiple outgoing lines. They are also completely transparent in operation.

    All are homebrew.

  5. #5

    The technology of Social Engineering
    We're going to build a device that sits between the subscriber and the exchange. It will prevent audio in either direction whilst allowing the DC voltage through to power the subscriber's equipment. It will also allow the RING voltage through so that the subscriber's equipment rings normally. This will free us from having to generate line voltages ourselves. When the subscriber lifts their handset they will draw power from the line and this will alert the exchange as normal. Essentially, everything works but the audio.

    Since the audio cannot pass through our device, the subscriber will hear no dialtone. Our device will therefore present a dialtone onto the subscriber's side of the circuit whenever an off-hook condition is detected.

    When the subscriber dials, we will halt this dialtone, thus emulating the exchange's normal behaviour.

    Outgoing calls…

    The dialled digits from the subscriber cannot reach the exchange. However, our device will detect these digits and buffer them. Our device will keep checking the number against its own internal phonebook.

    The phonebook is a list of numbers that we wish the device to divert.

    If the device determines that a number is NOT in our phonebook, it then begins to empty its buffer of dialled digits towards the exchange, thus relaying the subscriber's original intentions. During this time it continues to add any additional digits onto the end of this buffer. When the buffer is empty (whether the number has been completely dialled or not), the exchange is assumed to be 'synchronised' with the subscriber. The device then bypasses the audio block on the line, and by doing so allows the remaining dialled digits to reach the exchange directly. This will be entirely transparent to the subscriber.

    If we determine that a number IS in our phonebook (i.e., the dialled digits match a complete entry in our device's phonebook), then we must take some form of action on this call. The action to take is also listed in the phonebook, and includes:

    • Substitute the dialled number for another of our choice
    • Connect the subscriber to our live operator via DECT

    The device continues to monitor the line until the call is terminated. It then resets and returns to its waiting state. This may involve disabling the audio path between subscriber and exchange (if it were opened to let a normal call go through). The cycle will begin again should the line go off-hook.
