___________    ____________    ____  __  ___    ______________
 |\    ____  \  |\    ____   \  |\   \|\ \|\  \  |\_____    ____\
 | \   \__|\  \ | \   \__|\   \ | \   \ \ \ \  \ | |   |\   \   |
 \  \    ___   | \ \    ____   \ \ \   \_| \_|  \ \|___| \   \__|
  \  \   \_|\  \_ \ \   \__|\   \ \ \      _     \      \ \   \
   \  \   \\ \   \ \ \   \ \ \   \ \ \     |\ http://www.haxworx.com
    \  \___\\ \___\ \ \___\ \ \___\ \ \____| \_____\      \ \___\
     \ |   | \ |   | \ |   | \ |   | \ |   |\ |    |       \ |   |
      \|___|  \|___|  \|___|  \|___|  \|___| \|____|        \|___|
                                                           

##############################################
#    Social Engineering 2 By BrainRawt       #
#    --------------------------------        #
#    Information Retrieval from Users        #
#                                            #
#    Email: brainrawt@hotmail.com            #
#    Site: http://www.haxworx.com            #
##############################################

Updated on 5-11-02

###############################################################
#  Getting Them Users to Tell You Everything You Wanna Know!  #
###############################################################

There is this company that I am wanting to gain access to.  So 
I begin by wardialing their number range during late night hours.  I find
approximately 5 machines that allow dialin access.  I need usernames/passwords.


I call a direct line to someone I don't know.  I tell them I dialed the wrong number
and ask them to transfer me to the IT department.  

I then tell the IT department that I have the wrong number and ask that they transfer
me to the HR department.

(Just in case she is able to see where the call came from on her phone)

Conversation with HR department
--------------------------------

blah company HR.  This is Brenda.

Hi Brenda.  This is Jim (the new guy in IT.  haha) and I need you to do something
           for me.

Jim who?

You know?  Jim Black.  The new Information Systems associate in the IT department?
           (I really make myself sound important)

*thinking*

I met you one day last week when I started. (make her feel guilty for not remembering me. haha)

Ok.  Yes Jim, I remember you.
        (AHAH!  She thinks that she has forgotten meeting me but she has never really met me at all)
        (People don't like to look bad)

Brenda.  I am trying to work on the server and I need your username and password so that I
           can add these extra features to your long term client/server sessions.

This should also help any printing problems you all have been having in your department.
           (People always have trouble printing from time to time.)

Ok Jim.  It's brendac/iluvmykids.  Do you need to do anything on my computer?
        (wow.  that was easier than I thought)

No Brenda.  I will make the needed changes on the server and you should start noticing a dif
           by the end of the week once I get it set up for everyone.

Ok Jim.  Thank you.

Thank you Brenda and if you have any problems just give me a call.
           (extra sense of security thrown at the user)

Ok.  Thanks.



I now have a user and pass.  Unfortunately it doesn't work on any of the dialins.
What to do now?  hmmm  AHHH YES

I have a friend that works the night shift at this place.  I call him up and he knows exactly who I 
talked to and where her computer is located.

My friend and I make arrangements that I meet him there one night around 2:30 in the morning.

I meet him at the door, he leads me to the desk of "brenda" and we make a plan.

I know that we should have done shit earlier but we didn't think about it.   That's ok.  I already
had somewhat of a plan.  I begin writing a letter to brenda that I would like to talk to her tomorrow 
but I stop right in the middle of the letter.

(this is in case someone shows up outta nowhere) and thank god I did it.

My friend stands watch as I boot the computer, throw in the user/pass,
do a search on *.pwl files.

(all while holding a pencil in my hand.)

I found 3 *.pwd files.

My friend says that someone is coming, I choose copy to a:\ and turn off the monitor.

I begin writing the letter again as a dumb looking guy walks up.

What are you guys doing over here?

We were on our way to break and I wanted to leave brenda a letter.

Where do you guys work?

production (that's where my friend works)

production

Do you 2 have badges?

I don't have mine on me.

Yes I have mine. (shows it to the dumbguy)

Don't you guys be hanging out back here.  You aren't supposed to be in here.

*acts angry* Well if they would change their hours a little so that us night
           shift people could talk to them then I wouldn't have to come over here and
           leave notes for brenda. (now he really thinks I'm an employee.  hehe)

*smirks* I know what you mean.  I know exactly what you mean.

Well... I'm gonna finish this letter and then we are outta here.  Besides.  We have
           almost wasted our entire break standing here trying to write this letter.

*smiles* ok.  good night guys

cya later

bye

HOLY SHIT THAT WAS SCARY!!!  I looked at my friend, continued writing the letter...

When I decided that the coast was clear, I grabbed my 3.5, turned off the computer, and left my
friend to finish his break and I went home to get back on my box.

That was pretty damn scary.  I don't think that I have ever been so scared in my life but hey!!!  We got
away with it.  hahahaha

-----------------------------------------------------------------------------------
We have now engineered brenda out of her user/pass and we have engineered the 
dumbguy into thinking that I was an employee and that we were doing absolutely
nothing wrong.
-----------------------------------------------------------------------------------

I then go home, crack them *.pwd files, get myself 2 more accounts (3 accounts total)
(couldn't crack one of them pwds).

I find 1 account that works on the dialup and I am surprised that it worked.  Out
of all them employees and I got one that works out of 3 accounts?  hmmmm

I then find out later on from my friend that the username I used to dial in was the name
of the IT administrator (that put his account on everything).  I then found out that I could 
browse the entire network with this account because it was part of the administrators group.  
It had the ability to go places that other accounts didn't.  haha.

ok ok.  So I gained access, I looked around at things I shouldn't have seen, I didn't
harm anything, I moved on to other things.

What did I learn here?  I learned that there is more to hacking than clicking on a keyboard.


FINAL NOTE: Never give your user/pass to anyone over the phone.  Only give them to authorized 
persons face to face.  I can't say a whole lot about the dumbguy because I probably would have 
chilled and not said much either.  But then again, I would have never stopped to try and be a 
big man to a couple of kids.  haha

NOTE TO ADMIN: Never Ever use passwords as complicated as this one was admin.  
Try using your noodle next time to think of a real password.  Never add your normal account 
to the administrators group and then give that group access to the entire company.  That's 
just plain stupid.

-------------------------------
Social Engineering By BrainRawt

    Source: geocities.com/eljehad1/se
