1) Familiarity –
This is one of the best techniques and is a cornerstone of social engineering. In
a nutshell, you are trying to make it appear perfectly normal to
everyone that you should be there. Making yourself familiar to those
that you want to exploit helps to lower their guard. People react
differently to people they know, have talked to or at least seen around a
lot. People are way more comfortable responding and carrying out
requests by familiar people than they are with complete strangers. A
familiar person, in the eyes of your mark, is perfectly normal and doesn't
set off alarm bells in the brain of "who is that and why are they here".
Once you become familiar then you strike. Tailgating into a secure area
behind someone who is familiar with you often works.
2) Creating a hostile situation –
People withdraw from those that appear to be mad, upset or angry at
something or someone other than themselves. For example, if you are on
the phone and fake having a heated conversation with someone, people
around you will absolutely notice you but they will go out of their way
to avoid you as well. You can create a hostile situation in a ton of
different ways; just don't create a hostile situation between you and
your marks. This rarely works. Instead you want the hostile situation to
be between yourself and your phone, your accomplice, or mumbling to
yourself as if you just had a huge argument with someone.
If you find yourself in a situation where you need to go
through areas with people that are otherwise likely to stop and question
your presence, this technique comes in handy. If you are angry, people
are much, much less likely to stop and question you. In fact, people are
much more likely to obey your wishes when you are angry as well. People
just want to get rid of angry people, so it works well for asking
people to open doors for you or give you information on the location of
things, etc. A good real-world example of this: my buddy wanted to
sneak some alcohol into an amusement park. The park has a guard station
to check the bags and a wand to detect metal. My buddy started up a
heated fight with his wife before they walked up and the guards just
waved them by the checkpoint without checking or wanding them!
3) Gathering and Using Information –
When it comes right down to it the key to being a successful social
engineer is information gathering. The more information you have about
your mark the more likely you are to get what you want from him or her,
obviously. Good places to gather this info:
a. Parking lot – Cars that are unlocked (or are easily unlocked) might have security badges, uniforms, paperwork, intel, smart phones, wallets, all sorts of goodies you can use.
b. Online sites like LinkedIn, Google, Facebook, MySpace, etc.
c. Things in their workspace area (posters, pictures, books, etc.)
d. Asking their friends and colleagues. Pretend to be a manager from another office or branch.
e. Tail them home or to their favorite watering hole. Try to figure out
their patterns, interests, places they frequent. These are all good
data points you can use to help make a personal connection to the mark.
f. Dumpster diving. Sure, going through their trash is nasty but the gems that will be there are invaluable.
4) Get a Job There –
If the reward is worth it, just get a job at your target and grab all
the information you can. Most small to medium-sized businesses do not
perform even simple background checks on new hires. Most large companies
will but they are typically not very extensive. HR and hiring managers
are almost never trained on how to spot warning signs that they might be
hiring someone with malicious intent. Once you are on the inside you
become way more trusted, even if you are a lowly clerk. Social
engineering a co-worker is usually a piece of cake given the assumed
trust you'll have as a fellow employee.
5) Reading body language –
An experienced SE will read and respond to their mark's body language.
In the eyes of the master SE, Chris Nickerson, body language, used
effectively, is one of the most powerful connections you can make to a
person. Breathe when they breathe, smile at the right times, recognize
and adapt to their emotions, be friendly and polite but not too much so,
if they appear nervous make them comfortable, if they are comfortable
then exploit them, etc. etc.
Reading body language, if done well, can be your ticket to
the crown jewels in a corporation. It makes people WANT to help you and
feel good about doing so, an act of kindness on their part. And not
only will they want to help you but they won't go back later and analyze
what they did ("Hey, now that I think about it, why did I let that guy
into the datacenter today?"). Instead they will dwell on the help and
goodwill they provided for you.
Friday, 6 March 2015