By GouY2k & Jokul
(www.s8s8.net)
WARNING: Please do not use any of the methods described in this article for illegal purposes.
Basic knowledge
Before getting to the topic, some basic knowledge: people who maliciously break into and damage systems are called crackers, and those who can only use tools developed by others are called script kiddies. I think everyone knows this. Real hackers are people with programming ability who can develop tools themselves and who have a spirit of sharing. A true hacker is not only a technical person, but also a master of psychological tactics and of dealing with people. As for how to become a real hacker, you have probably read plenty about that, so I won't ramble on here.
This article will not tell you how to use so-called technology, including programming or other network techniques, to physically break into a system. What I want to talk about is a higher-level skill, so-called social engineering. You may not know what social engineering is good for. I want you to understand how social engineering is applied to system intrusion and how to take basic precautions.
What is social engineering
Social Engineering is an academic field of study to construct a theory to resolve various social problems by means of physical, social and institutional approach with special emphasis on step by step or piecemeal improvements based upon the two directional planning and designing experiences of the reality.
Haha, hard to understand? That is the basic meaning of social engineering. The gist of the above is: social engineering builds theory through physical, social and institutional approaches, with special emphasis on using two-directional planning and design experience from reality to solve various social problems step by step. Difficult to understand, isn't it? I think so too. Never mind; let us see how social engineering is explained in our field:
Social engineering is a form of attack. The attacker exploits the interactive nature of interpersonal relationships: usually, when there is no way to obtain the required information directly through physical intrusion, the attacker defrauds it by email or telephone, then uses that information to gain access to the host and achieve his own purpose.
Is it clear now? If you still can't understand, here is one of the simplest examples.
Everyone knows about QQ account theft. Besides stealing passwords locally and remotely, there is another way that I believe everyone must know: chatting with the target. Oh, you hadn't thought of that? You have surely heard of someone stealing a QQ account by learning the other party's information, such as birthday, name and so on. If you have a new friend on QQ whom you don't know well and who can't wait to learn everything about you, you should be on your guard: he may want your information in order to crack the password of your QQ account or mailbox.
The above example is easy to understand. It is the simplest example of social engineering; maybe it does not even qualify as social engineering, but the principle is the same.
To Be Continued ~~~~~
Next, I will list some of the methods used by so-called social engineers:
First, skilled social engineers are good at collecting information. Much information that seems useless will be exploited by these people: a phone number, a person's name, or an employee ID number may all be put to use. For example, suppose a social engineer wants to get some information from a credit card company, but has no credentials to prove that he is entitled to get it from this company. He can use social engineering to collect relevant information from a bank that deals with this credit card company, such as what the bank must present to obtain information from the credit card company, an ID number used as proof, or the names of the staff who often contact the credit card company. Nowadays many companies handle some of their services by telephone, which makes it easier for these attackers to find an opening: by simply providing the relevant information obtained from the bank, the attacker will be given sensitive information by the credit card company.
Many social engineering attacks are very complex, involve thorough planning, and combine considerable skill. But you will also find that skilled social engineering attackers can often achieve their purpose with a simple approach; asking directly for the information they need is often effective. For example, someone calls the telephone company and says that, because of a fire, the area near a telephone line terminal has been damaged, leaving dozens of people nearby unable to use their phones; he is a telephone line repairman and could help with the repair first. But the repair requires some information that the telephone company does not make known. Who could refuse the selfless help of a kind telephone line repairman? And so the social engineering attacker gets the telephone line information he needs.
Establishing trust is also a social engineering technique, and a very important one. Imagine you have built a fairly strong trust relationship with someone inside a company; getting some important sensitive information then becomes relatively easy. It is not easy to win trust in a short period of time, but it is not impossible. If you can prove that you can be trusted, you will be trusted. Don't understand? For example: a telephone company is running a promotion in which you can get a new mobile phone for about a penny; note that you must sign a contract committing to a fixed period of mobile network usage. Someone figured he could get this phone for a penny without spending any other money. So he called a branch of this telephone company, which we will call a store. His dialogue with the staff went as follows:
Staff: This is Branch A of the telephone company. How can I help you?
Caller: Hello. I have been to your store before about applying for a mobile phone service. I remember a clerk surnamed Li (a guess, of course) described a good service plan to me. I didn't pay much attention at the time, but now I have decided to apply for the service. Oh ~~~, the clerk was Li ~~~, I don't remember. Do you know him?
Staff: ~~~, we have two clerks surnamed Li. Do you mean the man or the woman?
Caller: Yes, the man. He said his name was Li ~~, I'm sorry, I forgot the name. Can you tell me?
Staff: His name is Li XX.
Caller: Yes, that's it, Li XX. I will come to your store to sign up for the service. Goodbye.
Staff: Goodbye.
After that, this fellow called another branch, Branch B.
Caller: Hello, is this Branch B?
Staff: Yes, how can I help you?
Caller: I am Li XX from Branch A. I have a customer who just signed the one-penny mobile phone purchase contract, but I found that our store has no stock of that phone model. Does your store have it?
Staff: Yes, we do.
Caller: Good. I have already signed the contract with him. I will tell him to come to you now, and you can sell him the phone for a penny.
Staff: OK, tell him to come.
A while later, the man showed up at Branch B and walked away with the mobile phone for a penny.
Do you understand now? As long as you can prove that you can be believed, the deception is easy.
To Be Continued ~~~
You will surely ask now what this has to do with computer intrusion. Heh, it seems to have no connection, but what I am describing is the principle behind the technique. Now let's look at how a skilled social engineering hacker installs a Trojan inside an internal network:
Location 1: Office A, the phone rings
Staff: Hello, this is Xiao Wang, Office A.
Attacker: Hello, I am Li XX from network technical support. We are carrying out routine network maintenance. Is your office having any problems?
Staff: Well, not as far as I know.
Attacker: Are you having any problems yourself?
Staff: No.
Attacker: OK. I want to say that it is very important to notify us if any network problem occurs; my task is to make sure no office computer is unable to stay online.
Staff: Our network here is fine.
Attacker: I am only saying it is possible. If anything happens, please call us promptly. The phone number is: 12345678
Staff: OK, if anything happens, I will let you know right away.
Attacker: One more thing. Can you tell me the number of the port your computer is connected to?
Staff: Port?
Attacker: It is behind your computer; there is a port number marked where the network cable is plugged in.
Staff: I see it, the number is 123.
Attacker: Please wait, port 123 ~~~~. OK, thank you. Remember to notify us by phone if anything happens. Goodbye.
Location 2: The company's network management room, the phone rings
Network admin: Hello, network management room.
Attacker: Hello, this is Xiao Wang from Office A. We are fixing a problem with our computer's network cable. Can you temporarily disable the network connection on port 123?
Network admin: OK, please wait a moment ~~~, OK, it has been temporarily disabled.
Attacker: Thank you.
An hour later, the attacker's phone rings
Attacker: Hello, this is network support, Xiao Wang speaking.
Staff: Hello, I am Xiao Li from Office A. Our network has a problem; our computer can't stay online.
Attacker: Well, I can help you solve it, but right now I am dealing with a network problem in another office. Can you wait?
Staff: How long do I have to wait before I can use the network?
Attacker: I will be as quick as possible. Please wait.
The attacker then called the network management room and asked the network administrator to re-enable the network connection for Office A.
A little while later, in Office A, the phone rings
Attacker: This is Li XX from network support.
Staff A: Hello, is it solved?
Attacker: Yes, please try it.
Staff A: ~~~~~, yes, it is working now, thank you very much.
Attacker: OK, but there is one issue. To keep the office computers from losing their network connection again, we have designed a piece of software. I will give you the address; please download and install it. The URL is .......
The attacker then guides the staff member to a web page he has set up, from which the staff member downloads a small program.
Staff A: I have run this software, but nothing happened.
Attacker: Hmm ~~~, maybe we made some mistakes when writing it. In that case, don't try it again; wait until we have rewritten it.
In this way, a Trojan is installed on this computer.
See? Without any cumbersome computer intrusion techniques, the intruder easily installed a Trojan on a computer inside the network. This is the power of social engineering.
Besides the above, email is also a vector. For example, you often receive advertising spam, and this kind of email can usually just be deleted. But don't think everyone is that stupid; suppose you receive an email like this:
Dear Xiao Wang:
Attached is the photo of the pretty girl I promised to introduce to you. Take a look; if you are interested, I will introduce you.
Xiao Li
This kind of private mail generally does not arouse suspicion. Most people think it is an email sent to the wrong address, and with human curiosity added, very few people will resist taking a look at what the pretty girl looks like. Oh, and when you click on the photo, you have already fallen for it without realizing.
To Be Continued ~~~
(When reposting, please credit the author and the full source)