Usually I just watch, most people write down their passwords somewhere, you just have to look at what their body is pointing at. Mostly it's written on the bottom of their scratch-pad; I write bombs on the bottom of mine.
I didn't have hard-access to this guy, and I really needed his log-in stuff.
I'd checked out the log-in form, it didn't seem to be throttled—I could make multiple attempts without it locking me out. I'd throw in a random timeout and I'd use TOR, but that bit was comfortable.
He hadn't done anything mutton-headed, things like password and 1234 didn't work. I was tempted to brute-force, but that isn't elegant.
He didn't have much of an online presence. By which I mean that he just wasn't there, rather than that he was and wasn't giving away much. Which would have been the worst of all possible worlds. Still it was a problem: I didn't have a handle on what he was all about. I'd treat him as vanilla.
Social engineering requires forethought, it's no use just ringing up and asking whatever comes into your mind. I usually pretend to be selling something, that annoys people, and annoyed people make mistakes.
I wanted his daughter's name, which I got and was his password [OK, there was a bit of odd capitalization, but the script dealt with that].
Now I'm in, time to elevate...
Comments
New comment
Wow. Spooky.