SE'ing With A USB Stick

Physically SE Personal Information With A USB Stick.

When social engineering in person with the objective of obtaining personal information, by having physical access to the entity in question, it can be somewhat more difficult than (for example) exchanging emails back and forth. The latter (emails) gives you ample time to prepare yourself and reply at your convenience, whereas the former requires immediate action, which is prone to error.

That being said, and on the grounds that you want to grab every bit of detail about a particular company and its workers, the process can be achieved with hardly any effort on your part, by simply "using a USB Stick to do the job for you". Social engineers use this method quite often when they can "access the company in person". No doubt you're wondering how this is done, but prior to going into the method, let's first have a look at the USB Stick that you'll be using.

The USB Stick Required For The Job:

There are many USB Sticks that are developed and configured to steal passwords, grab documents, record keystrokes, etc. the moment they're plugged into the target computer. Whilst you can make one of your own, to save you the hassle of doing so, check out the good old USB Rubber Ducky. This is one very impressive tool. Now I'm not going to elaborate on every detail pertaining to its usage, as it's way beyond the scope of this article to do so.

In short, once it's plugged into the PC, it actually registers itself as a "USB keyboard" and injects a payload that can retrieve data, open backdoors, steal user credentials and a lot more. At the time of writing, it only costs around $45, so it's certainly well worth the money spent. The purpose of this guide, however, is to show you "how to social engineer your victim into plugging in your USB Stick", so let's check it out now.
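On the defending side, the keyboard behaviour described above is what makes such a device detectable: a "keyboard" that appears and immediately types far faster than a person can. The sketch below is an added example, not part of the original article; the event format, device labels and thresholds are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the article): tune against real typing data.
MAX_HUMAN_GAP_MS = 30     # gaps shorter than this count as machine speed
MIN_BURST_LEN = 10        # consecutive fast keystrokes needed for an alert
ATTACH_WINDOW_MS = 5000   # only inspect typing soon after the device appears

@dataclass
class KeyEvent:
    t_ms: int     # event timestamp in milliseconds
    device: str   # hypothetical device label supplied by the input stack
    key: str

def find_injection_bursts(attach_times, events):
    """Return {device: longest fast-keystroke run} for devices that typed a
    machine-speed burst within ATTACH_WINDOW_MS of being attached."""
    last_t, run, longest = {}, {}, {}
    for ev in sorted(events, key=lambda e: e.t_ms):
        attached = attach_times.get(ev.device)
        if attached is None or not (0 <= ev.t_ms - attached <= ATTACH_WINDOW_MS):
            continue  # keyboards attached long ago are out of scope here
        prev = last_t.get(ev.device)
        if prev is not None and ev.t_ms - prev < MAX_HUMAN_GAP_MS:
            run[ev.device] = run.get(ev.device, 1) + 1
        else:
            run[ev.device] = 1  # a human-length pause resets the run
        last_t[ev.device] = ev.t_ms
        longest[ev.device] = max(longest.get(ev.device, 0), run[ev.device])
    return {d: n for d, n in longest.items() if n >= MIN_BURST_LEN}

def sample_events():
    """Constructed sample: a desk keyboard typed by a person, and a second
    'keyboard' that appears at t=60000 ms and types 40 keys 5 ms apart."""
    human = [KeyEvent(1000 + i * 140, "kbd-desk", "a") for i in range(20)]
    injected = [KeyEvent(60500 + i * 5, "kbd-new", "x") for i in range(40)]
    return {"kbd-desk": 0, "kbd-new": 60000}, human + injected

if __name__ == "__main__":
    attach, evs = sample_events()
    for dev, n in find_injection_bursts(attach, evs).items():
        print(f"ALERT {dev}: {n} keystrokes at machine speed after attach")
```

In practice the same rule would be fed from endpoint telemetry and paired with a policy control, such as blocking new HID devices on reception and kiosk machines.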

Social Engineering Your Victim:

Let's assume that you're pretending to seek employment, by applying for a job that's currently accepting applicants at a fairly large company. You obviously have physical access to the building, so you're good to go. It's 4:20 pm on a Friday, and you've dressed in a suit & tie and have your USB Stick prepared and ready for the attack. You've also "copied & pasted your (fake) CV/Resume onto the drive"; you'll see the intention of this in a few moments.

After jumping in your car and driving to the company in question, the time is 4:47 pm, which is precisely 13 minutes before close of business for the day. Upon walking through the main entrance, you notice a few ladies sitting at the reception desk, one of whom looks very young, probably in her late teens, thus you're going to SE her instead of the others.

You greet her with a smile, and she says: "Hello, how may I help you?". You reply: "I'm sorry to bother you, but I've emailed and faxed my CV/Resume several times for the store person position that you currently have available, but I'm told that you haven't received it". She says: "Oh, that's no good, you can bring it in next time you're in the area". Now this is when the SE'ing attack takes place! Your response is: "Actually, I have it on my USB Stick here. Do you mind copying & pasting it onto your computer?".

She has no hesitation in doing that, "plugs in your USB Stick, copies your Resume and hands back your device". You thank her kindly, wish her a great weekend, then make your way back home. Unbeknownst to the innocent young receptionist, not only is her computer infected, but because it's hooked onto the network, so too are their entire systems. Moreover, your USB Rubber Ducky has just grabbed every login credential stored on her PC. A job well done indeed.

Why The SE Succeeded: 

There are a few reasons why the SE resulted in a successful outcome, as follows.

* You dressed in a very well-presented manner with a suit and tie.
* You arrived just before close of business. Workers are usually in a hurry to get home.
* You selected the youngest female; they're the most naive.
* You were very cool and calm with your approach, thus executed your SE accordingly.
* You were polite and without demand, therefore respectfully made your request.
* You finished on a very good note. This ensured that no suspicion was raised.

Be sure to take the above into consideration when performing SEs of a similar nature. You can also use this entire tutorial as a general guide, by manipulating and adjusting its contents according to your SE in question.