Chain reflection-Charm of social engineering

Now I am also studying social engineering... learning with everyone...

We often intrude into the system and do not know what these permissions mean when getting webshell or even server system permissions. Many times, when we face a single goal, we simply use some technical vulnerabilities that we know little about to try to intrude into the system, and slowly lose the passion and confidence of penetration in repetitive work.

Here is a simple example:

Many friends like to steal QQ numbers. Here I will take QQ as an example to illustrate some social engineering applications.

I declare that I have not stolen anyone's QQ number. Although I sometimes perform some tests, I will eventually return it to the owner. I am here to fight against the theft of other people's accounts.

Question: QQ account theft?

How to steal? How many ways are there? How are various methods implemented?

There are only several methods to steal accounts in the form:

1. Intrusion-the system is intruded or infected, and the keyboard record class is used to obtain others' QQ passwords
2. brute-force cracking-using some brute-force cracking tools to crack the QQ number of a simple password in a large area
3. Phishing-create fake websites with a host and a free Q currency, cheat QQ users to log on and get their passwords, and send a large number of emails with Trojans or malicious webpages to lure them into being.
4 social engineering extension cracking-mostly mailbox cracking

Analyze the above four solutions:

1 intrusion type
It is applicable to specified targets and has certain information. It is better for a personal machine to combine social engineering.
The disadvantage is that once the security awareness of the other party is good, it is difficult to break through.

2 Explosive
Wide range, high performance requirements for blasting machines, only some weak password numbers can be cracked, I do not like it very much.
The disadvantage is time-consuming, labor-consuming, and blindness.

3. Fishing
This recruit is suitable for some people with considerable technical skills, which is extremely harmful and has a high success rate. It is easy for common Internet users to recruit.
Disadvantages: high technical requirements. The success rate also depends on the degree to which the bait is set to "lifelike. High requirements on the overall quality of the person who sets the trap

4 social engineering extension cracking
It is applicable to cainiao with a wide range of technical knowledge and has a high success rate. The disadvantage is long cycle and accumulation.

Here I will focus on the fourth method:

1. intrude into some forums or websites with obvious Security Vulnerabilities
2. Download the database of a forum or website
3. Export the registered users in the database: User Name, password, QQ, email address, password question, answer, birthday, and other sensitive information.
4. Select and crack some QQ numbers

As a matter of fact, everyone should understand their ideas. Bbs with vulnerabilities on the Internet has a bunch of websites. The webshell on hand has other functions. The importance of the database, the scalability of social engineering, the use of the soul, and the spread of thinking, I am afraid it is no longer difficult to use the six seven-digit QQ number.

Still not clear?

The password may be common! It doesn't matter if it's not universal. There's still a password problem! Not yet? I still have an email address. I used the forgot password function to send the password change email to the cracked email address. Hey hey! Not yet? Birthday is also very useful.

I used QQ account theft as an example to describe how to steal accounts by combining technology and thinking. The purpose is not to teach you how to steal QQ so narrowly. You may wish to think far and do more.