In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs.

So what’s this got to do with social engineering? Well I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of likened this to creating my own little army of zombies who are willing to do my bidding when asked.

So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.

One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people, is that we are all going about life playing our own game, or if you’re an NLP fan, operating in your own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game, and start playing ours. We need to re-frame.

One of my most successful approaches to this in social engineering is the use of the fake, and slightly altered, get out of jail free letter. This letter will start off by congratulating the individual on challenging you, and then further explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.

This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next we are given formal written approval to help out on this engagement, so it must be official, and now feel a bit more important. Lastly, and I think this is my favourite part, they are brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade, it’s all hush hush and James Bond like.

I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.

Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, and some key senior names etc. You then identify a common location where employees gather. This could be a lunch time or after work cafe or pub, basically somewhere that over time you can have a high level of certainty you will have the same people appear repeatedly.

The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different, however as I have mentioned before I use the mentalism and beer route, on the premise that most people like a drink, and magic.

So from here people will see me doing different demos in that environment, work your way around to the target, whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask information about them, where they work, what department etc, this is achieving confirmation of your research, and is building up rapport. You can then reciprocate with false information about you recently joining the company also, and mentalism etc is your hobby when you’re not working in such and such department.

Now we have a new friend. Friends look out for each other. We can use this friend to get a bit more information about the business, strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.

So there are just two examples of methods you can use to get people playing your game, you may look to use this directly as described or more indirectly and use these techniques for misdirection to assist a colleague to gain entry.

Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.

Those of you who are not familiar with hypnosis may be poo pooing this already, but please read on for enjoyment if nothing more.

So in this scenario I will use a similar approach of making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.

So I will go through the motion, and assuming the subject is working well with me and what many would class as the more impressive phenomena such as amnesia is working, then I would look to make a post hypnotic suggestion and give amnesia for the suggestion. As an example you could give the suggestion that the next time you meet and say “let me in” you believe 100% unconditionally that I am authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.

The next step is of course to try it. Obviously you have tested other phenomena before giving this post hypnotic suggestion, so you do have a level of confidence, however the brain is a strange and mysterious thing, and many things can impact the work you have done beforehand. So as with all social engineering engagements, have a plan B, C, D, etc.

The longest I have gone between giving a post hypnotic suggestion, and executing it is a week, however in theory with the correct instruction and intent it should work weeks, months or a year’s gap. In my experience the less time you leave the suggestion, the more successful the results, however this is no doubt a skill issue with me, practice practice.

As with all of this, look to practice with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport building skills. Try and get people to help you out in different situations and environments, get them playing your game. If you are interested in the hypnosis side of things, of course the most important thing is to learn the foundations first and then build up, then when you are at the right stage, try simple to understand post hypnotic suggestions. Something like when I tap you on the shoulder and ask you for a beer you will believe I have just bought you one and it’s now your turn. The process for the suggestions is all the same, obviously some have more of an impact if they don’t work than others.

Getting into character is an important part of being successful on a social engineering engagement. You may be physically impersonating a sales guy, engineer, employee, or you may be carrying out your fiendish work remotely gathering data, and setting up meetings. Either way you should be clear in your mind who you are, who you are engaging with, and what you want out of the activity, you need to be clear on your motivation.

When I think of this, my immature side (say nothing) hears a rather camp actor shouting at the director asking, “what’s my motivation darling”. OK so I am odd, let’s use the above imagery to demonstrate the motivation to run through the opposition to score :)

So with this in mind I wanted to quickly talk about something a little NLP’esk that I think you will find helpful, and if fully embraced will really help with your attitude, approach, body language, facial expression, tonality and more when carrying out an engagement. This little something is called Mind Scripts, and is something I first heard about when studying cold reading and hypnosis, but have also heard similar approaches from an NLP context, and in sales type books on engaging and building rapport with people. (I am not 100% sure who coined this term, I think it may have been Ian Rowland, but please don’t hold me to that).

So what is a Mind Script? Well a mind script is just a simple, short, concise and positive statement about the activity or interaction you are about to engage in. This statement you repeat to yourself mentally before and during the engagement.

Don’t reject this concept just yet please, as some pointless simplistic activity. You will actually find that you make a huge difference as to how you come across to the person(s) you are interacting with when you run an appropriate mind script. If you think about it we are unconsciously running a mind script of some kind all of the time, simply waking up and telling yourself it’s going to be a crappy day, then becomes a script you will be running. This then affects how you interact, attitude and the effect you have on others unknowingly.

Here are a couple of examples of mind scripts to give you an idea of how simple they are. I then encourage you to try running appropriate scripts before going into meetings, interacting with people one to one as a form of practice. If you think about it, it really does make sense, but I would like to hear from people with their thoughts, comments, success and failures. Obviously remember there is NO FAIL :)

I know you, you know me, I belong here

I like you, you like me, this will go well

I respect you, you respect me, and we will have a good discussion

I am an expert, you know I am an expert, there will be confidence in my recommendations

Hopefully you get the general idea from these brief examples, think positive, be positive. A positive mental attitude, positive things happen to positive people, that’s what I tell myself anyway :)

Everything related to social engineering, and the various skills we have discussed, needs a foundation to work from to give us the influencing power we need to have the victim / subject doing our deeds. So how do we set up this foundation? We need to build rapport, and get the appropriate buy in. We need the person or people we are interacting with to believe 110% that we are who we say we are, and that the requests we make of them, no matter how strange, are legitimate and well founded.

Wikipedia Definition – Rapport is one of the most important features or characteristics of unconscious human interaction. It is commonality of perspective: being “in sync” with, or being “on the same wavelength” as the person with whom you are talking.

Some people are better at this than others, I am sure there are various personal and cultural reasons for this, but I will go through the steps and thought processes I go through myself, when looking to build rapport, and get someone working with me to achieve my goal.

First of all consider the situation from the 3rd person, put yourself in their situation. When you start to consider your approach and communication from their perspective you can start to rehearse what you’re going to say and how you’re going to act, and give a performance you would consider believable. I appreciate a lot of us will be more paranoid than the average person due to the industry we work in, but I think you get the right idea. Pitch it at the right level, and aim for success, rapport, buy in, and ultimately influence and leverage.

Then there is the option of faking it. What I mean is act as if rapport already exists, and you have known the group or individual you are interacting with for years. It may sound odd, but doing this will put you at ease, and you will give off unconscious signals, and these will be picked up and mirrored by the people you are speaking with, and you can continue forward from there. Personally I would say incorporate this concept to some extent, but don’t rely on it fully, and bundle it with other rapport building techniques.

First impressions count. Walking up to someone, smiling and extending your hand and greeting sets up a situation of social compliance. The fact they smile back and shake your hand means you have succeeded in your initial rapport building exercise. You asked them to do something and they did, you have leverage. From here there are various possibilities to elevate your situation. Perhaps you will use information you have gathered from open source information gathering techniques, or build upon the guise you have formed for interaction. Perhaps you are playing the part of a sales man, technician, cleaner, etc.

Matching and Mirroring techniques. This is essentially mimicking, but not to a level that someone thinks you’re taking the piss. So what we are talking about is mirroring someone’s posture, gestures, breathing and such like. The reason this process works is that people like people who are like themselves. From here you can change the tempo and watch for them unconsciously mirroring you, this leads to the rapport and buy in on an unconscious level.

Identifying similarities and listening. Another key element to building rapport is identifying similar interests (real or fake) and listening to the other person. Everyone likes the sound of their own voice, some more than others. This works really well at getting compliance, and all you need to do is drop in the occasional request or command, and get acceptance and confirmation and you know you are on your way.

Finally I will say that you should ensure you look the part for the role you are playing, have the knowledge that should be associated with that role, and give reassurance to your victim / subject. So if the role you are playing is of a telco engineer, have a basic comprehension of the lingo used, location of kit, who you should be interacting with, and wear the right clothes and badges. Take things a step further, and set expectations, and give reassurance of what is going to happen, whether this is real or not doesn’t matter, this is just to get buy in.

So to summarise, I look to consider how my approach will be interpreted by the victim / subject, ensure I look the part, clothes, badges, business cards, tools, knowledge, etc. I communicate in a confident, influential manner, remain assertive, but open to discussion and listen. From here I will use appropriate opportunities to verify rapport and buy in, once confirmed go about getting what is needed. This last part is key. If you have not succeeded with getting buy in, most times it’s not worth pushing your luck, you would be best off rethinking your approach, and who to interact with. We will look later at reading the body signals to understand what someone is experiencing, and this is another useful skill for measuring your progression when building rapport.

Like many of the skills in SE, practice is a key element in success. I encourage you to go out and make friends with strangers you meet on the street, in bars etc. This is great practice for building rapport, you can use your other skills to spark conversation, magic, mentalism, and if it’s not working bosh them under and tell them YOU WILL LIKE ME :)

Influence, this is a term we are all familiar with, and influencing skills are something many of us use everyday. This post is going to look at the benefit and utilisation of skills that can be used day to day, and in the context of social engineering and the other skills we have already discussed, and will continue to touch on moving forward.

Wikipedia Definition – Social influence occurs when an individual’s thoughts or actions are affected by other people. Social influence takes many forms and can be seen in conformity, socialization, peer pressure, obedience, leadership, persuasion, sales, and marketing. Harvard psychologist, Herbert Kelman identified three broad varieties of social influence.

  1. Compliance is when people appear to agree with others, but actually keep their dissenting opinions private.
  2. Identification is when people are influenced by someone who is liked and respected, such as a famous celebrity or a favorite uncle.
  3. Internalization is when people accept a belief or behavior and agree both publicly and privately.

Morton Deutsch and Harold Gerard described two psychological needs that lead humans to conform to the expectations of others. These include our need to be right (informational social influence), and our need to be liked (normative social influence). Informational influence is an influence to accept information from another as evidence about reality. Informational influence comes into play when people are uncertain, either because stimuli are intrinsically ambiguous or because there is social disagreement. Normative influence is an influence to conform to the positive expectations of others. In terms of Kelman’s typology, normative influence leads to public compliance, whereas informational influence leads to private acceptance.

Influence can take many forms. Someone can be considered influential based on their position, their perception of knowledge, people they know and are associated with, how they behave, what they say and do, as well as how they present themselves.

I will start with presentation. This is probably obvious, but we immediately judge people by their appearance. First impressions are important, so we need to be mindful of wearing appropriate clothing for the environment we are in, or looking to infiltrate. If a company has people casually dressed, and you turn up in a suit, you will stand out like a sore thumb, and will attract attention. There is a balance to be had here, as someone smartly dressed can also represent a position of authority, so it is key to do your homework. There are subtleties when dressing that can also contribute influence. Interesting research has shown that smartness and colour of shoes, as well as tie colour can make a large difference in the perception of influence. We are familiar with the joke of power suit, power tie, but it really is true. On the opposite side, a female could wear smart clothing, but is slightly revealing, or particularly flattering. This may attract attention (which has its place in certain circumstances), however the focus will be on attractiveness of the individual, not on the quality and value of the information being communicated, and essentially the patterns being used to facilitate influence will be ignored and go unnoticed.

Communicating influence is something that is very common as it can be done on the phone and in person. Being familiar with a company’s lingo, and key industry terms will resonate with the individual you are communicating with. They will believe / assume you are a person with knowledge and know how, this will lead to a position of influence. NLP patterns can be utilised when communicating to create focus on a sentence, ensure notice is taken of positives and not negatives, and bring someone around to your way of speaking. We will look at NLP patterns in the future. A hypnotist also uses influence both in body language and communication to facilitate buy in, and bring someone around to facilitate hypnotic experiences. Research has shown positioning can also have an impact on having what you say accepted and actioned upon. The left side of the brain is used for making decisions, and research has shown that speaking on the right side of an individual (so audio is received via the right ear) can lead to an increased chance in your communication being fully received and processed, and a decision being made in your favour.

Influence by association is something that can be of great use to a social engineer. When communicating, dropping a name in can result in people not wanting to question your activities, as they do not want to trouble or disturb the individual of importance, and perhaps you are important and influential also as there is some association. This can also be achieved just by tailgating people of importance. I am sure if you give this some thought, you can think of the obvious scenarios where this will work, perhaps you would introduce yourself and create rapport outside of the office you’re looking to infiltrate, perhaps you can do it rapidly on the bus, train or elevator.

I have tried not to ramble too much in this post, but hopefully you get the idea. Having influential skills can obviously help influence people, but also build rapport, meet more people, and more valuable friends and associates. These are skills essential to a social engineer, as fitting in, getting people to do things for you, and help and facilitate are essential, and can make your life easier, and increase chances of success.

In my experience successful social engineers come across as friendly, and confident people. This may or may not be the reality, but it’s what is communicated that is essential for building a perception, and elevating from there. Consider what the individual you are looking to influence is interested in, dangle the appropriate worm to meet your objective. The point here is, to influence others we need to focus on their desires, to meet / get ours. It’s all about perception.

Take note of people’s behaviour you consider to be influential. Examine how they carry themselves, mannerisms, vocabulary used, and the general presence. Different things work for different people, so you need to try things out for yourself. We will look at patterns, and mirroring in the future that can assist with getting people onside, and leading to influence.

Bullying, pushing, sarcastic complimentary comments may facilitate results, however I don’t believe they will give long term results, this is something to be mindful of.

As ever I welcome feedback, and suggestions for content you would like to see, and information you would like to share.

Mentalism. I am sure you will have heard the term mentalism, or someone telling you they are a mentalist, and I am sure you probably agreed, thinking they are a nut case and should be put into a straitjacket and wheeled off to the funny farm. Mentalism in this context is not quite the same.

Wikipedia Definition – In psychology, mentalism refers to those branches of study that concentrate on mental perception and thought processes, like cognitive psychology. This is in opposition to disciplines, such as behaviorism, that see psychology as a structure of causal relationships to conditioned responses and seek to prove this hypothesis through scientific methods and experimentation.

Mentalism is a performing art in which its practitioners, known as mentalists, provide their audiences with a theatrical experience of witnessing or participating in demonstrations that appear to utilize highly developed mental or intuitive ability. These demonstrations may include telepathy, clairvoyance, divination, precognition, psychokinesis, mediumship, mind control, memorization, and rapid mathematics.

When I am thinking of mentalism I am thinking of a combination of perception, performance, and direction. To categorise yourself as a mentalist is something I am sure many people would not consider doing, but many most likely fit the bill. If you are using skills to build rapport, influence behaviour, mimic and read body language, read facial expressions and other such skills, this is essentially what a mentalist performer is doing.

We will cover different levels of skills, and what forms them in later posts, but skills such as cold reading, behavioural analysis and more, can help us all day to day, and especially when we consider social engineering.

A quick example is facial expressions and eye movement that we can use to our advantage. We can use these skills when in general discussion, persuasion, questioning and more. Some of the following is also discussed in regards to NLP, but this is just a simple example to show some commonalities in people when monitoring eye movement.

The face below represents that of an individual we are looking at straight on. When you ask someone a question you will see eye movement towards a zone that represents their representational system. Remember everyone is different so we need to build up rapport, and monitor, measure and test for accuracy.

Zone 1 represents Visualistic, Zone 2 Auditory, and Zone 3 Kinaesthetic.

When you ask someone a question that requires them to access buried information in their memory, you will notice their eyes look towards their most dominant zone. Some people remember images better (Zone 1), some people remember how something sounded (Zone 2), and others with feeling and emotion (Zone 3).

To start off you need to ask a question that will trigger old memories, and that will get an honest response. A simple example here could be what was your first pet, or who was your best friend at primary school. Someone who visualises this memory will look up, and picture an image. Those who work better off sounds will look to the side, and hear a person’s voice, or associated sound. An individual who feels and experiences will tend to look down, recalling the great times experienced and the emotions associated. So this demonstrates we are all different, and that the key is asking the right trigger questions to build up a baseline, before probing further. It’s a bit like a visual lie detector.

If we look to get a better understanding we can go a bit deeper. We can look to identify if a memory is actually being recalled, or if someone is making something up.

So you have determined the predominant zone, and we now use this information to gain extra information. Most people are visualistic people, so if you do struggle to identify it clearly, zone 1 is often a safe bet, just be aware.

If we look at the diagram above, if someone is looking towards area 4 they are most likely accessing a memory, if area 1 they are making something up. Similarly if they look to area 6, this may demonstrate a conflicting issue, perhaps touching on a difficult subject. However area 3 would demonstrate a more emotional response. When we see eyes moving between areas 2 and 5, this will verify the auditory nature, and lingering in area 2 it may signal a lie is being thought up.

The key here is to experiment, identify normal behaviour, measure it against normal questioning, and then under interrogation. Obviously there are many books on this, and this is just a brief overview.

So why did I discuss all this? Well, one, it’s interesting, but two, it is to demonstrate how this information can be utilised, and one of the tools a mentalist may use to convince someone of their psychic abilities.

With this information we can not only use it to spot who is cheating, we can use this information for other benefits. So when we are explaining something, trying to get someone to buy in, we can focus our language according to the visualistic, auditory and kinaesthetic representations to improve our chances of success.

Welcome and thanks for visiting the Head Hacker website.

The goal of this site is to discuss the benefits, process, theories and qualities associated with social engineering, and what I consider to be linked skills, products and theories.

So obviously we are going to discuss social engineering and the spy and tech tools that we can use once we are in, but we are also going to discuss other skills that you should be aware of, and you can add to your brain toolkit to increase chances of success and take tests further. We will look at Neuro Linguistic Programming, Hypnosis, Influencing and Manipulation skills, methods of Misdirection, Mentalism, Cold Reading and more. I will also mention some possible Magic that may come in handy as part of recon, and relationship building.

The content is going to be based on my experiences, research, thoughts, theories and discussions with other practitioners in the various industries.

Feel free to add comments to topics, ask questions and make requests.

I hope you enjoy the content as it develops and grows over time.

Thanks

Dale