Okay, a big round of applause for Alok, who wants to tell us today about social engineering and why simple lying gets us nowhere. That means no Q&A today, but you can catch me later at the F-Axis talk. Today we are talking about social engineering, and I'm doing this talk because I have seen several talks where people are the good social engineers. And the point is, social engineering is the same engineering as everything else. Who am I? I'm OldTacker, I've been here at the CCC for a while, looking like this. And as I said, we have several people really getting off on themselves, doing some social engineering, thinking, yeah, when I lie to a guard, I'm a social engineer, I'm getting in there, and I can talk at all kinds of fancy conferences and I get an audience and I'm a really good guy, telling you all kinds of stories with little cameras and going in. And I saw a laptop, I stole this laptop, so I'm a social engineer because I got in and out. But actually, that is not what it's about. There's a slide I stole from Chris; actually I photographed it and put it in my slides. And there we have some dictionary entries that say what is social and what is engineering. So social, this is actually something we have here a lot: socializing with people, being together. Engineering for me is a process which you can strictly describe as an art, as a science, and it is repeatable. If you do engineering and you can't repeat it, this is not engineering. There's a nice example if you want to find out whether somebody thinks like an engineer or more like the average person. If I ask you, can you do me a favor and describe what you do while picking up a pen? A regular person would say, well, I see the pen, I pick the pen up and I have a pen. An engineer would say, well, my optical sensor sees a pen. The input is processed and I give an order to my grabbing tool. So I go down, the physical sensor proves the pen is really there.
So I give the order to close that and go back. So this is the engineering side. Okay, I didn't go in deep. I always have to run back to this thing. To do social engineering engagements, you need a skill set. And the skill set I would divide into a physical one and a logical one. And we need to have customer preparation, because otherwise we might end up giving the customer not what he needs. It is very important that you first look at your customer's needs before you look to get your money. Physical things, I explain this stuff later in the slides, but we have physical things like lock picking, stuff like this. We have the logical things like the NLP stuff. The customer must understand that we have several things when we do attacks. We have theoretical models of attack. We need to find out what this business is. Because that's really an important thing. A lot of people don't really know what their business is. We have people with a bright idea. A bright person has a bright idea and he opens a business. And since the idea is bright, the business grows and becomes bigger. So since it became bigger, he needs people to assist him. He gets himself a secretary and a salesman. The secretary and the salesman have bright ideas and these ideas influence the business. So the business grows ahead because he has a bright idea, as I said. And it grows and grows and grows and so he becomes a limited company. So with the limited company, while growing, he needed an executive board. So he has a CIO, a CFO, a COO, whatsoever. They have bright ideas. These bright ideas go back into this business. They might grow ahead. They grow and grow and grow and go to a limited company or probably to something with shareholders. Now shareholders don't have bright ideas, but they do have money. So that goes into the business. When you ask this guy who first started this business what his business is about, he will tell you his bright idea and tell the story from 50 years ago.
But the problem is the shareholders don't see it this way, and maybe the business already grew out of this stage and maybe the business already grew into another business. Look at Apple, for example. Apple started out as a little computer company with the bright idea to build a cheap computer which everybody can have. Right now an Apple product in 90% of cases is not a cheap computer which everybody can have, but a smartphone. So this business model changed a bit. We find software right now. So the business model changed a bit. It's not the original model. So what you need to do, you need to help your customer find out what this business is, what the assets really are. But we're going into that later. And last but not least, the contract. Before you go into an engagement, do a good contract. The Americans say, good fences make good neighbors. In Germany we say, good friends make good contracts. Let's go into the physical and psychological skill sets. You want to do an SE attack. You should have a good understanding of craftsmanship. If you think you can just go over there and lie a bit and say, oh, yeah, see, I'm your new electrician, and they say, okay, you are the new electrician. That's really good because we have a power failure today. All right? You should know what you're talking about. Or you go in as the new electrician and they put you in the electrician team and they say, oh, can you give me this and that tool? And they don't call the tool the same way you see it in the workbook. Maybe they call it the way they call it every day. And they say, can you hand me this over? And you stand there: what? All right? The good thing is, if you do social engineering engagements and you have to go into companies, you have to find out what companies need most of the time. In my experience, the most needed person in a company is the guy who fixes the copy machine.
So if you want to fix copy machines, you actually should have worked in a shop for half a year or something to get the experience of how to fix a copy machine, otherwise you look quite fake. I have a few examples here of what you could do. But those are just examples. It depends on your business model, what type of clients you have. Lockpicking is a good thing. If you have an engagement, a physical engagement, let's say you really go in for recon or you really go in to steal the asset, you should know a bit of lockpicking. You don't need to be a lockpicking hero like the guys outside. But it should be good enough to open a little lock in a locker room so you can maybe wear the same clothes as the other people in the company. Stuff like this. Especially when you have a company which works in shifts and you can find out in your recon which shift is on. In hostile environments, I suppose a bit of physical security is not a bad thing. We're not talking about hostile environments, even being here behind enemy lines. Good rhetoric helps when you want to hack a brain. You should understand the person you approach. Sure enough, you should have a good understanding of the psychology of people. NLP right now is something you can't miss if you really want to go into engagements at large scale. And if you're like Dale Pearson, you can hack nosy people and go in like this. So let's go to this NLP thing that everybody is talking about. NLP, new hype word, I can heal you in 20 seconds with NLP stuff. Actually, that was founded in the 70s by these three great persons: David Gordon, Bandler and Grinder. And they used the methods of some therapists who worked with people who had certain disabilities. And they found out that we have certain patterns to help people with different disabilities, and these patterns matched.
So they sat together, first they met in little rooms, apartments, and they sat together and they came up with the name Neuro-Linguistic Programming, where the N is for the CPU in your brain, which, sure enough, does some processing over there. The L goes for your IO, both input and output, and the programming, well, if you don't know programming, who does? And actually in NLP, what you do is you model a person, take this model and use the model to help another person. So what is modeling? David said once, modeling is the process of creating useful maps of experience. People like abilities more, but experience includes abilities. In this process, you want to find out how your brain operates, what it says. Actually, we can break this down a bit more in an example, and we use this example from this book, Drawing on the Right Side of the Brain by Betty Edwards, and there's a story which Mr. Gordon used to tell all the time, about therapists. Let's first go into why Betty wrote this book. Actually this book got written because she was an art teacher at a university somewhere in the States, and she found out that some of her students really learned to draw really, really well. And some of her students just couldn't come up with a drawing. So she wondered, what is the difference? Well, it really bothered her that some people just can't learn drawing while she's teaching them the same way she teaches everybody else. So she actually worked out questions for her students, what we would now call modeling, the same questions to both types of people, the ones who can draw really well and the ones who can't draw really well. And then she wrote the book out of what she modeled there. And we have this little example of a person who works with children who have a learning disability. And Emeritus, sit down there, there's a chair for you.
And these kids with the learning disabilities come in, and the psychiatrist who helps these kids asks them to draw something. And those kids are totally sure they cannot learn. So these kids draw a stove or whatsoever, and it looks like when a kid draws. And as much as he loves the kids, when you see the first painting, so, so nice, yeah, I see, it's myself, what, of the three strokes, that's me, sure, me, but actually you're lying to your kid and that looks like shit. So children draw like children draw, but she talks to these kids for about 10, 15 minutes and tells them to look right at what they want to draw and tells them how to do it, and what comes out are pictures like this, which I took from a website that Meredith told me yesterday is a good site to explain what I'm talking about. Here is this little kid, I think he only left out the reference. What you should know is, I built this OpenOffice/LibreOffice bullshit thing because I often use Linux stuff. But VirtualBox can't do both screens. But I didn't want to be the good man here. Shall I tell you something first, or should I just pick up my jammer? I didn't want to go back, so the original slides have where you find these pictures. It's a really bad thing that it's here now. There is a little kid, I think her name was Tara, and she was 8 years old. In class, she was told she should draw the box, or the cover of her best book. So that was her first attempt up there. Here you see, that's the first attempt. Then her teacher talked to her for a while. That was the second attempt, and when you see the third attempt, that's great. That's the third attempt by the same kid, after about 20 minutes of talking. So NLP can really do something. Now the question is, what do you say about NLP? Is this an NLP workshop? No, it is social engineering.
Now you say, why modeling? I mean, modeling, practically, you can solve problems and add abilities. Adding abilities for social engineering is something you really want to do. Then we have, sure, evolutionary things and the spiritual side, which we won't go deep into. There is an experiential array which usually gets used; you don't really need to read through all of this, because it's really not an NLP workshop. This NLP array was drawn again, the letters are missing, by Mr. David Gordon, and he has a copyright on that thing. Oh man, I really have to work hard to not be on Gutenberg here. And it actually shows what the enabling causes are, the motivating causes, and you actually have to ask the right questions to find out all these causes you see here: which belief template people have, which strategies to use, which emotions to use, so that at the end of the day we can actually have the same ability as the person. So that has something to do with asking the right question of a person who's doing something really well. If you want to copy something that is really good, you have to ask the right questions. From that, going to what we're using, our central processing unit here, our little necktop on our heads, and to see what's going on, and seeing we have keywords, we have states, and we actually have attributes, we first have to understand how this little necktop works. And our necktop works in this way, that we actually can process, okay, this one in a trillion teraflops on my side after the PH party, or actually the final party, there's no processing in my brain anymore, but usually you should have like 100, what is this, 100 billion, no, trillion teraflops. Your sensors receive 10,000 bits per second, but the problem is you only process 40 of them. So that makes up your world. So the way I see you, like the guy sleeping over there, is not the same way he sees himself right now in Dreamland.
And that means, if you look in the mirror, you don't see the same person I see when I look at you. Our brain is playing with us, big time. If you want, I can put the slides online. So we need to use this in an engagement. So we're now going more in the direction of the engagement. When we talk to people, we really need to listen for keywords while talking to these persons. And we have several keywords as you see here, we have stress, freedom, love and so on and so on. And we need to find, again, it was made in, it's now PowerPoint, it was made in LibreOffice, so they have little problems with the alignment of the letters. We have to find out what your internal state is, which means, what do you think, in which state are you. Like, I'm standing here thinking I'm awake, but I sure can't be awake after these three days. And this is versus what your actual state is, which I will see when I look at this on video later on. I'm probably going to be totally disappointed about myself, that I'm not the hero I think I am. And you have to pay attention to the micro expressions people make. Every time you talk to somebody, people make micro expressions, except a few guys who are sleeping here, they make a micro expression. You have to understand the difference between the states. And you see this difference in the words, when they use the words, like here we have the difference between he feels like he is really doing this and that, or he has done it. That's the difference between an attribute and a state. The thing is, if you want to learn all this stuff and use it for an engagement, you should first use yourself as an example. So, you should try to generate a state. So you try to get yourself into a state by self-suggestion, before you go and play with others. You can actually use the words people are telling you to convert them into a state, when you use the right words in the right terms.
But this is not a pickup guide here, but a social engineering talk. So you should not forget, you have several million of these messages coming in through your sensors. You cannot really process more than seven, more or less, one, two, one at a time. So you have an overwhelming intake of information, and you store a lot of this information you just gathered. The problem is, you cannot process it. Your necktop is quite good, but the memory readouts, we should really work on our stack. That's not really working well. So, the question is, what is this cold reading I'm talking about, with the micro expressions and all this stuff. Well, when you first enter a room, there's the saying, there is no second chance for the first impression. And that's what it is. You approach the guard, and your first impression is, well, this person sitting here is dressed in a guard's uniform. His nails are clean. His teeth are brushed. He doesn't smell like cigarettes. He's very proper in his state. You approach him and he says, sir, how can I help you, sir? And you know this man is well trained, knows his business. You maybe don't fuck around with him, and he's not sloppy and takes care of himself. So we have several things you should take a look at when you approach a person. The uniform type he wears: is it casual? Is this a military uniform? Is this a doctor's uniform? Which clothes does he have on? Which type of body does he have? Is he more like a geek? Or is this a sportsman? Is this a fat man? Is this a woman? Big, tall, whatsoever? Gender, age? I wouldn't approach a young woman the same way as an old man. Definitely not. So, ethnicity, and this is not about racism. It's about histories. So people would react differently to different words if they have different ethnic backgrounds. So you should put this into your engagement. The manners and discipline, as I said, is this a well-trained person? Is he pretending to be a high-class person? Is he a high-class person?
Do you expect him to do what he says he's doing? Or do you know? It's like I'm working in a company and we work a lot with people from Bosnia, actually in Bosnia. And I have the experience, when you tell a person in Bosnia, please, would you do me a favor, do that? The person says, sure, no problem. As long as you look at him. And when you turn around and are in your plane back home, you find out it hasn't been done. So yes, you have to take a look at this, manners and discipline. Markings. Markings could be tattoos, piercings, scars. All kinds of markings. The smell. Don't underestimate what you can find out by smell. Somebody smells heavily of cigarettes and has yellow teeth. So I know he needs to get out for the next cigarette soon. And probably isn't there when I need him. Hands. Be sure you can tell a fighter by his hands. Always look at hands. If you're going into a physical engagement, you should not underestimate what can happen. Sometimes in an act of compromise, you maybe even get into a fight with the guard until you can pull out your little letter. Hey, I'm here because you asked me to. So hands are something you should look at, and the interaction with you. Does he take notice when you walk in? Maybe not. There's a guy, Dr. Friesen, and I have to read this because I usually, yeah, a thousand. There are a thousand unique expressions, but I think more or less you're really properly reading out 128 of the thousand. You have 30, 43 muscles in your face, and there is a strange connection between your neural cortex and the muscles in your face. So instantly, when I put your hand on a hot stove, you will react in your face. Not even thinking about it. So that's where they made up these things and looked it up and had big studies about it and found out there is something we call micro expressions.
Micro expressions, you know, from when somebody lifts his eyebrow when you say something, stuff like this, and there's even a TV series called I Am Me. I'm not really sure because I don't own a TV. I'm a poor guy. And there are some charts actually showing what I'm talking about. These expressions are very important when you approach somebody for social engineering. Yes, I know social engineering is not just this, but we get deeper into that later on. So you see different expressions like disgust, fear, sadness, surprise, and so on. And you see, where you see the most is actually in the eyes and the eyebrows and the mouth. This way you get the most expressions out. Okay, before I approach my client, I first do this investment and know who I am approaching. So this is an investment which costs me probably one week. I know for most guys who are really in pentesting, a week is expensive, but this week is very well spent money. There's my most favorite friend, his name is Google, and he has a brother, LinkedIn. Those two guys are so cool. You just ask anything and you know the co-workers, the former co-workers, the next co-workers to come, and who is the admin, who is whatsoever. So those two guys, Google and LinkedIn, can tell you a lot. Facebook too. And Facebook is even better because with Facebook you don't even need a browser. You do this by script. This information you find out you should actually use in your first approach to the customer, because now you know the customer better than the customer knows you. For instance, you get to the customer and he says, yeah, I'm scared about APT. And you say, well, APT, nothing to be scared about. This is just a word for Chinese attacks. It doesn't matter how cheap the SSL script is. Well, this guy is calling you in because he has the fear. He would not spend this heap of money on a pentest if he didn't fear that something gets lost, right?
If the person fears that his business will probably get into problems and he gets himself a pentesting team, you could probably use this in the first approach when you talk to him. Hey, Mr. So-and-So, how is your daughter doing? Is she well again? Is her health back again? So he sees that you know your business. You come in and you talk to somebody and the person already sees that you engaged with him before you saw him. Another important thing is the physical recon. Oh, I have a little hook in there again. Every time I look through the slides, this little hook is gone from physical recon. And every time I have the slides on, it's back on. Isn't that funny? Yeah. The physical recon is that you see, or you go in, you jump into your engagement's place, wherever the customer has it. Whether it's a facility where they build stuff or whatsoever, a shop, a high tower. And you look at this facility. You look for things like cameras. You look for things like alarm systems. You check out the backup types of alarm systems. You check out which type of guards they have. Do they have guards who get overpaid, like most of the guards, with six euros an hour? We have a little thing in Germany, we have some CIA type of thing and they have guards. They call themselves BND. That's the intelligence service. And they have well overpaid guards. They get almost, I think, six euros an hour. And I think you really can buy yourself in. I mean, some of these guys have to get welfare because the state, the country, the government tries to be cheap. The problem is the welfare is paid for by the government too. But well. And they had some of their little drawings stolen, how their buildings look, but nothing important. You should check for video surveillance. Definitely whether this is video surveillance that follows you or just regular video surveillance, whether it's infrared, how does it work? Do you have trip plates, whatsoever? And you should check for security systems at all.
Dogs are security systems too. And they can really hurt. Then you meet the client, and now you really need your NLP, because the whole story I told you about, from the first time he opened his business until your entry point, you need to evaluate the story. And then you need the relations to his customers and the relations to his vendors. Why is this so important? Because we have a business like the car business. Is anybody here working in the car business? You're all smart people. The car business is like this. We have an OEM vendor. This is the car maker. Call them Random Car Maker. And we have our vendor. This is, let's say, a producer, glass producer, fabric producer, X, Y, Z. If you're in the car business as a vendor, you call the car maker and say, oh, you know what, I want to sell you whatsoever. You want to sell to him. And he says, okay, when you want to sell me whatever you want to sell me, you're going to buy your stuff from this vendor, that's where you're going to buy because we trust this vendor at this price. You see this? You have to buy from a vendor, that's Magna. You have to go to Magna and buy from Magna at the price your customer tells you. A few days later, your customer says, ah, it's too expensive for me. And goes to Magna, negotiates a new price, and you get the new price from your customer and have to pay the old price. So the car business is not really what you want to be in. But these are relationships you need to find out. Because these relationships make decisions, people in the car business will be very, very, very oriented towards saving money because of that. And this is what you need to find, and this is what you need to see in your recon. You need to find out which assets you have. Finding out assets, you can do first and foremost by talking to the middle management, because those are the people running the company. The middle management is running the company. So you need to associate with them and you really need to talk with them.
You really need to engineer them, because those are the people who know what's going in and out, and those are the people who really know what the asset is. For instance, there's this talk from Nickerson, again him. Five ways to destroy a company. Anyone know this talk? Five ways to destroy a company, BruCON, last year, do you know it? Actually Nickerson got booted out over it because people felt it was too offending, but he made a clear point. He was talking about a company which is a hospital. Well, we are all people and we have feelings and say, oh, a hospital, you can't attack a hospital. What if I ask a hospital, what is your asset? The answer would be, yes, customer data is an asset, a very important asset. Credit card information is the most important asset. No, the most important asset you have in a hospital is the life of your customer. So if an attacker would just mix up the machine which mixes the medicine, I tell you one thing, after a few deaths, your business ain't running anymore. No, so this is an asset you should protect more than other assets, and that's what you find out in threat modeling. Threat modeling, we had a really nice talk in Berlin by the famous Stift, who was really into that. And in threat modeling, you actually find out where the vulnerabilities are. Does the vulnerability hurt? Is it stuff that can hurt users? Does the stuff hurt the business? And that's, for us as attackers, the most important point: finding out when it hurts the business, because we have to protect our customer. So we need to do threat modeling before we go into our engagement. Sure, there are several models of threat modeling. I'm not really going deep into that because that's not a threat modeling talk, but you should have seen that we really should use this as the engineering background for the social engineering attack we launch later. And this is the STRIDE model.
I know now people say, oh yeah, but what do you think about the other models, and Microsoft and CIA? Yes, sure, we have the threat model, and to upset some people, we even have an attack tree. I know attack trees are not really used anymore, but I hear of a company which has a really well thought out attack tree, and they instantly get notified. When some systems are compromised, how much does it cost to fix, how much does it cost not to fix, and all these kinds of stuff. So an attack tree is not the worst thing you can have. Now we go to the assessment. What do you need? Why does the social engineer go to the assessment? What's that about? Well, you need to be at the assessment because you did the recon, because you talked to the people, because you are the one who has the plan where to walk, because you know where the assets are. So the first thing before the assessment is you have to work out a storyboard. The storyboard includes the backup plan, sure enough. I know I wrote it out extra, but this is for certain people, I know that they really appreciate that I put this in. You put together a team. Now think about an assessment. We found out we have a client, and his asset, he is probably a software vendor, his asset is a brand new piece of software, and I have a person like FX in my team, and he's a brilliant brain and he probably has an exploit prepared, but I'm just a dumb social engineer and I cannot deploy this exploit. So I need to take him into my team, but if I have a person like FX, who knows FX? That's not a lot for this big room. If I have a person like FX in the team, one needs to know he's not the best sportsman in the world. Well, I would think that if your plan, your landing zone somehow involves climbing and running, FX probably should have somebody who carries him. So you should have in your team probably two strong men. The next thing you need is your landing zone, the insert point. And the insert point is not the infiltration point.
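Coming back to the attack tree mentioned above, with its question of what it costs to fix versus what it costs not to fix: the following is an added example, not from the talk, that puts that question into code for a defender prioritizing mitigations. The tree shape, the per-step success probabilities, the damage figure and the fix prices are all constructed for illustration and should be replaced with the findings from your own recon.

```python
"""Attack-tree cost model: yearly cost of not fixing vs. one-off cost of fixing.

Added example (not from the talk). All numbers are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Tuple
import math


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "and" or "or"
    children: List["Node"] = field(default_factory=list)
    p: float = 0.0                # leaf: chance that one attempt gets past this step
    fix_cost: float = 0.0         # leaf: one-off price of the mitigation
    fixed: bool = False           # leaf: mitigation applied, so p is treated as 0

    def leaves(self) -> List["Node"]:
        if self.kind == "leaf":
            return [self]
        return [leaf for c in self.children for leaf in c.leaves()]


def success_probability(node: Node) -> float:
    """Probability that one attempt achieves `node`'s goal (children assumed independent)."""
    if node.kind == "leaf":
        return 0.0 if node.fixed else node.p
    ps = [success_probability(c) for c in node.children]
    if node.kind == "and":                 # every child step must succeed
        return math.prod(ps)
    if node.kind == "or":                  # any single child step suffices
        return 1.0 - math.prod(1.0 - x for x in ps)
    raise ValueError(f"unknown node kind {node.kind!r}")


def expected_loss(root: Node, impact: float, attempts_per_year: float) -> float:
    """The 'cost of not fixing': P(success) x attempts per year x damage per success."""
    return success_probability(root) * attempts_per_year * impact


def marginal_benefit(root: Node, leaf: Node, impact: float, attempts: float) -> float:
    """Yearly loss avoided if only `leaf` is fixed, everything else left as it is."""
    before = expected_loss(root, impact, attempts)
    leaf.fixed = True
    after = expected_loss(root, impact, attempts)
    leaf.fixed = False
    return before - after


def rank_fixes(root: Node, impact: float, attempts: float) -> List[Tuple[str, float, float]]:
    """(leaf name, fix cost, yearly loss avoided), best avoided-loss per euro first."""
    rows = [(l.name, l.fix_cost, marginal_benefit(root, l, impact, attempts))
            for l in root.leaves() if not l.fixed]
    return sorted(rows, key=lambda r: r[2] / r[1] if r[1] else float("inf"), reverse=True)


def greedy_plan(root: Node, impact: float, attempts: float, budget: float) -> List[str]:
    """Buy fixes within `budget`, re-ranking after each purchase: closing an OR subtree
    completely also zeroes its AND parent, so the remaining fixes can become worthless."""
    chosen: List[str] = []
    while True:
        ranked = [r for r in rank_fixes(root, impact, attempts) if r[1] <= budget and r[2] > 0]
        if not ranked:
            return chosen
        name, cost, _ = ranked[0]
        next(l for l in root.leaves() if l.name == name).fixed = True
        budget -= cost
        chosen.append(name)


def build_sample_tree() -> Node:
    """Constructed physical-access tree in the spirit of the talk (values are made up)."""
    enter = Node("get into the building", "or", [
        Node("tailgating", p=0.5, fix_cost=2_000),        # e.g. guard training, mantrap
        Node("cloned badge", p=0.3, fix_cost=15_000),     # e.g. replace the RFID system
        Node("picked lock", p=0.2, fix_cost=3_000),
    ])
    room = Node("open the server room", "or", [
        Node("shared door code", p=0.4, fix_cost=500),    # per-person codes
        Node("door propped open", p=0.3, fix_cost=1_000), # door alarm, training
    ])
    return Node("attacker reaches data in the server room", "and", [enter, room])


if __name__ == "__main__":
    IMPACT, ATTEMPTS = 500_000.0, 2.0   # constructed: damage per success, attempts per year
    tree = build_sample_tree()
    print(f"P(success) per attempt: {success_probability(tree):.4f}")
    print(f"expected yearly loss:   {expected_loss(tree, IMPACT, ATTEMPTS):,.0f}")
    for name, cost, saved in rank_fixes(tree, IMPACT, ATTEMPTS):
        print(f"  {name:<18} fix {cost:>8,.0f}  avoids {saved:>10,.0f}/year")
    print("plan within 4,000:", greedy_plan(tree, IMPACT, ATTEMPTS, budget=4_000))
```

With the constructed numbers the cheapest two fixes close the whole "open the server room" branch, which alone brings the AND root to zero; the expensive badge replacement never makes the list.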
The insert point could be the main hall of a high tower. The insert point could be the backyard of whatever you are attacking. Let's say it's the main hall of a high tower. That's the insert point. So your team gathers there, right? With a Proxmark, you already have the badges prepared, and you go in now one by one by one and meet at the rally point and wait there to see if somebody has caused an active compromise. So you stay at the rally point, check your plans, check back whether everything works fine, check the equipment before you start your assessment. Okay, nobody found you. You are not compromised. You can go ahead with your business. You go out, and the hideout maybe is not used in every assessment, but we should mention it. Let's say we have a company with shifts, or let's say what's even better. We have a company with no shifts. So let's see, we already know through social engineering that the administration group leaves the building at 7 p.m. And through our recon we know the fastest response from an administrator could be within 25 minutes. We know more through social media: the lead admin who really has the knowledge goes to his favorite pub directly after his training after work. So he goes from work to training, which is more unlikely when it's a real admin. From there he goes to his favorite pub and he has a few beers. A few more, sometimes even, whatsoever. So you just find a place where you can hide out, and where you can tell the people are gone. Now you can estimate the time you have for extraction if you get compromised. The next thing is you have to do the infiltration, because the insertion is not the infiltration. Infiltration is directly when you bring your engineer to the server room. When you use the stolen fingerprint, or when you use your copied entry card, your stolen punch code, whatsoever, to get into the server room. When you use your little Maglite to make sure that the camera didn't see you while you go in.
And trust me, all these IP cameras have times where they just blank out. Once in a while they just go blank, so the guard really wouldn't notice if it's just a short time when you blank it out. If you have tripwires, that's a different story. And that's the time when you actually do your direct infiltration into the server room. Then you have to find and fetch the data, use your exploit, however you're going to do that. And then you have to exfiltrate the data. All these points will be named later in the slides. After you exfiltrate the data, there are several ways to exfiltrate it, you are good. And there is a difference between exfiltration and extraction. As long as you exfiltrate, that's very good because you're an asset. As soon as you are extracted, you are a liability. So there is a difference between them. And this difference decides whether you have an active or a passive compromise or not. If you are compromised, you have to do it again, or your customer wins. Sure enough, you have to have a backup plan, as I said before. And then there's something bloggers know: writing. But they don't know it this way, because this is useful writing. Yes, this is report writing. Every one of us should really understand one thing. Your long-haired, big-glasses, skinny guy writing, I got root on your shell. I found the exploit 1187. And the top manager says, yeah? So, that's not the way to talk to management. If you want to talk to management, you say, I found this and this compromise in your machine, which costs you yearly this amount of dollars. It brings your business into danger. I found this exploit. This costs you that amount of money. Don't really bring your business into danger. You tell them how much it costs if they leave it. You tell them how much it costs if it's fixed. And you tell them what it costs if you don't fix it. That is how to talk to management. There's one thing we should know.
We all should be capable of talking to bloggers, because they don't understand shit. If we are nosy enough as an industry to say, oh, they should learn what Nessus just printed out: ah, fuck you. We need to talk the language of our customer, because he pays us. That's the point. And that's why it's so important to write a good, proper report. Because if he goes out of business because our report was fucked up, he can't fucking pay us. Right? Then we do another business impact analysis together with the customer to say, see, you thought that's your business. My recon actually found out your business is something totally different. And if that and that happens and an APT comes your way, well, this is the impact. You need to do more than one customer meeting, not "your money and go". You should have a good relationship with your customer.

I once had a talk at BruCON where I talked about incident response. And I said, if you have a forensic in your company, it's good. But you should have another forensic company, and you pay them for nothing every fucking day until something happens. But if something happens, you have a team you've worked with for years. They know your assets. They know what they can talk about to the police, and they know what to hide, because this is your business data that nobody should know. If you just get a forensic team or a red team the day when you need them, it's too late. You have to have a relationship. And this relationship most of the time does not come from the CIO or CSO, because they don't have the funding. It has to come from you. You have to convince. So you have to do more customer meetings than one. And most important, train the customer. What did he say? If you give a man a fire, he's warm. If you set him on fire, he's warm for the rest of his life. You have to train these people.
I have always in my agreements, when I did red team, I said: if I find any mistakes by your employees, if they are not made on purpose, you're not allowed to fire them, but to train them. Because if you fire them, you get a new one making the same mistake. If you have a guard, you trained him well and you told him that it was a big mistake, it cost me heaps of dollars, but while I train you, now you know better, he will appreciate that you didn't fire him. And there's one thing you really need in your company, that you can't buy with money: loyalty. So training is an important thing.

Let's go a bit into infiltration. Which types of infiltration do we have? We have the physical infiltration. What is tailgating? Which today, nowadays, shouldn't work really well. And we have the logical one, by piggybacking. We have stealing fingerprints through RFID skimmers. And those skimmers are really good. I like them. You can copy entry badges with the Proxmark, for example. You have car key skimmers. That is important for recon. You can drop a key; at least put a sticker on it that says 32 gig and above. Because no one's gonna care for an 8 gig stick. Oh, it's crooked. You can pick locks to get in. Even nowadays, the new electronic locks, you're picking more with a skimmer, I know. You can enter as a vendor and as a client. Here are some examples that I didn't make up by myself. Yes, these tools exist. Here we have this USB key. Oops. Does it go back? Yes. We have this USB key. And please do not tell me that one person, not even one person in your company, wouldn't pick up this cute guy. There's a little story. There's this group, they call the French police. And they got infected, because somebody was too lazy to use the network. He plucked the key out, put it in a computer from work, and boom, they had it. It's said that Stuxnet was lying around on a USB key for a while, but I can't prove that. Well, this is the Proxmark 3 disassembled.
So you see on this little coin here how small it is, and that is assembled for the self-built antenna. It's my lockpick set. And up here, we have these car skimmers. And on the CDs, we already have the calculation codes from all brands, all car vendors. So it doesn't really change the key every time I hit the button; the patterns are known. So fuck that shit. What, would I steal a car? No, I don't steal. I'm a social engineer. I'm not capable of stealing, but I can put a GPS sensor on it and I see how far the admin has to drive to work. I'll stow every morning. Very good. Yes, not working.

Finding and fetching data: except for the bloggers among us, everybody knows that stuff. We're going to the printer. In the printer are hard drives, and on the hard drives all the data are stored. But please do not get the printer from the marketing unit. That's stupid. You can spear-phish. And spear-phishing isn't an attack; it's a social engineering attack, but you cannot avoid it. If somebody in your company says, I'm sending you tomorrow a presentation for the boss and you should look after it, and then the next day I'm sending you the presentation, you will open it. No doubt about it. It's an internal mail. Yeah, we have this buffer overflow, so it's hacker stuff. It's not for... really, nobody hacks here. We have keyloggers. We can steal keys with L0phtCrack, which they got back from Symantec, so it's not evil anymore. And then we can exfiltrate, or have to exfiltrate, the data. We can use a USB stick. We can put a printout in the trash, but now you need to know, if you print out something and it says business name, business unit, number, some good worker would pick it up, "oh shit", and put it in the shredder. What you do is, you take the text, print it out in base64, and then put it in the trash. Everybody now thinks, oh, that's just misprinted, and forgets about it. Sure enough, you can take pictures. That's the oldest way to exfiltrate.
Use a GSM device that you just put somewhere, and get the data out over that. Or noise: there's this, you know this bald, ugly Israeli guy, Ian? Well, he got a really nice way to exfiltrate. They put this on noise, and then they put this on their answering machine and decode it. You have to see his talk, it's really good. And there's another thing with noise, there's this talk from, what was his name again? Sage, do you know the name of the guy who actually recorded the noise from a CPU while decoding a text? It doesn't matter, the slides are up later, and you have to go to this website, there's a really nice article about that.

Let's go to active compromise. What is an active compromise? An active compromise is when the dog bites you in the butt, I would say. An active compromise is when your alarm system sounds. So, what can you do? You can cut the alarm system's landline and use a GSM blocker to make sure the backup line doesn't work. We don't use GSM blockers here, sure enough. Video surveillance is an active compromise. Every one of you knows what an active compromise is, at the latest when the police are at your house and raid your computers, right? But what the hell is a passive compromise? A passive compromise is: you are in the hideout, somebody walks by and goes ahead. So, now, did he see you? Or didn't he see you? You don't know, so it's a passive compromise. A passive compromise is: you are in the fucking box, you got a shell, and then boom, you're out. That's the admin who just changed the password. Did they find you? What is it? So, it's a passive compromise. It's a no, not no. Actually, it's a not no, no. Not no, no. It's a passive compromise. And you have a machine in the network, it's kicked out, you get the message, right? Oh, well, I made it before time because I want to go back to FX. Don't worry about the five minutes.
Yeah, actually, that was more or less an overview of what you should be capable of doing as a social engineer, because you are the one who leads the team in. You don't do the exploit, but you lead the team in, you bring the team to the exit and you bring them back out, because you're the one who can talk the guard in and out. You are the one who did the physical recon through the hall. You should be the one who is capable of telling the assets, because you are the one who engineered the people. That's the reason why you go with the engineering team if you have a physical assessment, and that's why you support your team if you have a non-physical assessment: okay, they use this email system, and that's the person you really should talk to when you want to approach whatever you want to. And you are the one who is actually talking to your team members and training your team members. So you as a social engineer have to know all these things, otherwise you're just a retard, you're stealing from your customers.

And one more thing. Okay, I'm not planning on dying this year. One more thing: if you dare sell a social engineering engagement on its own, this is stealing from your customer. "I go in and out everywhere": that doesn't matter, because for going in and out there are brochures from your customer, they print this, they have marketing, public relations and stuff like this. If you cannot find assets, your whole engagement is worthless, and the customer doesn't need to be worried about it. So just selling a social engineering engagement is stealing from your customer. You want to help these people to get secure, not fuck them over. And that's it, thank you for listening.