Author: lizaib
Source: Fire Ant alliance [X. S.T]
Glossary-social engineering:
Simply put, it uses the vulnerabilities of people's psychological vulnerabilities, rules and regulations to attack, in order to obtain the information that attackers want.
Deception example: Gift
I have a new beautiful female teacher in the school newspaper department. She is not only fond of her, but also responsible for the editorial department. Before her, the school newspaper published my computer technology paper. Suddenly, I began to wonder if she would give me an unexpected gift .....
Attack prelude Information Collection
My intention is not to have face-to-face contact with her, which makes this gift more interesting, because it is her profile and her online account, such as QQ, Email .... But now, I don't even know her surname? What should I do? I said I didn't want to face her, but it was hard for me. All schools organize the contact information of different professional teachers into a teacher contact list for unified management. This report is only available in the management department of the campus, for example, the student section, the academic office, the guard, and the houleko. My plan is to start with the guard and I need to get a copy from them. But .....
Time: Guard props: <C ++ Primer> fake nickname: Student LI Yong
LI Yong: Hello, I'm LI Yong from class c323th.
Guard A: What?
LI Yong: Yes. I borrowed a book from my teacher yesterday, but I forgot his contact information.
Guard B: Oh, press it on the desk. Check it yourself.
LI Yong: I want to find it.
LI Yong: Alas, I couldn't find it, but I saw the phone numbers of some teachers I knew. Can I copy them?
Guard A: No!
Guard B: Go to the Student Affairs Section to check it.
LI Yong: Okay, thank you. Analysis: the more information this part of information is collected, the better, so that we need to know the source of the information. For example, the above instructor contact list is an entry point. Therefore, you must first consider the rules, regulations, methods, and conventions, because they are mandatory for all walks of life.
Next, we talked to THE guard about burn the source, which was deemed illegal. In fact, I did not complete my work that night. I did not consider guard A or guard B on duty at night. They were elderly people in their 50 s. Obviously, we can see that the guard initially turned to me as a denial or as a selfish old man. Guard B is fond of me, but he cannot hurt their feelings and take a neutral attitude. My original intention was to talk to the guard C, but they were on duty during the day and I was very rash about it. I made a conclusion: 1. consider emergencies as much as possible and make countermeasures. Remember, you can only talk to one person. 2. Do not leave any opportunities discovered by them. For example, my identity is completely forged.
The next day, I made a simple preparation and considered the emergency. Now I plan to use a mobile phone camera to steal the contact list. The contact list is in the interlayer of the glass table, and the guard C is friendly. Everything is in a favorable environment. I need to find a reason to stay in the guard room for 30 seconds, so that I can take a quick shot.
Time: Guard item: Mobile Phone nickname: Student Qin Li
Qin Li: Alas, what should I do? I lost my money and I still have a bank card in my wallet.
Guard C: Ah! Where did you lose the report?
Qin Li: Well, I can't find the report. I'm going to wait for my mother to send me the money. He said, let me wait here. Can I wait here?
Guard C: Yes.
One minute later, I used my cell phone to take a teacher contact list, so that I had a list of all the teachers.
Analysis: emergencies should be taken into account and solutions should be provided. This time I knew that I had met guard C. I lied that the loss of my wallet actually took advantage of his psychological weakness. He was friendly and helpful, and his wallet made him sympathize with me, and let go of my lax, I took a mobile phone to take a picture, it was very smooth to take the list.
Figure 1
Enemies around
Now, I know the name of the female teacher in the school newspaper department, but I don't want to tell her the real name, so please forgive me. Here we will call her Zhuge Qiu Yu for the time being, and her mobile phone number. But I don't want to start with her cell phone. Fortunately, her school newspaper was published. 2,
I quickly found out her e-mail and QQ contact information. At this time, do you think that the list of all school teachers I have obtained is an extra one? No, the wonderful thing is still behind me. This time I changed to a teacher and added her.
Time: Network item: QQ nickname: Network Administrator Xie Weiqiang
When I start to add her as a friend, I need to verify it. Then I enter: Network Center
Instructor Xie Weiqiang. In less than a few seconds, I passed her authentication and started the following conversation: 3.
Figure 3
Why is the nickname a teacher? The same identity is even more trustable. I knew that she had just graduated from college, so she carefully constructed questions to see if she knew very well about the computer. She was satisfied with the results and fell into my trap, 3 ..
In this way, I successfully obtained his host password. I am a LAN with her, but it is a different IP segment. I don't want to intrude into her computer. My goal is to add more information to her without any effort. Analysis: It must be strange to know the name of the teacher in the Network Center? Or if you haven't forgotten the instructor list, you should know. Well, I found the name of the teacher in the network center from the instructor list, and I also know that he is in a school affairs meeting this afternoon. Why did I start to take risks and add her QQ? No, I know that she is a new teacher. She doesn't know much about everything, and she doesn't even know where the network center is.
Next, I used her to worry too much about computer security, so she could easily tell her the password. Another point is, please do not forget to pretend that a moderator gave me an envelope the day before, and I found an eight-digit QQ from it to contact, you may ask, why don't I try another QQ? No, for those of the year, their QQ numbers were mostly six or seven, and the eight QQ numbers had a sun level, if the instructor moves his profile picture to my profile picture, the QQ grade will be displayed, and he will not doubt that an online instructor who has been working for a long time.
More and more complaints
When I added her to the blacklist, I saved her QQ personal information and some websites or email addresses. 4. A website attracted my attention, after a flip, she used to be a moderator here, responsible for [post-marriage emotional station], and started to read her post. Haha, like a very romantic girl who just came out of college.
Then you have to find a solution, because the password she gave cannot access her email address or blog, and she has more than one password. You can start with this wedding network. After I directly remove the second-level domain name, I entered chinajiehun.com. 5,
I don't see any good things in dongchaoxi, because I don't plan to get married. At this time, I opened the Word and downloaded a resume on the Internet. In a short time, I created a <list of applicants for excellent Chinese wedding network moderators>, 6, so ......
6
Time: Online item: QQ nickname: China Wedding Network Customer Service
I successfully passed her certification, so I started this conversation, 7:
However, she did not reply online. Doesn't she believe it? No, it's because she got off work, and my time is obviously insufficient. So we have to wait until tomorrow. Early in the morning, I finally got up. I often had a night owl. She was online. I started the following conversation:
As we can see from the forks, even though her sympathy has fooled her, the following details let her step by step into our trust trap.
In less than an hour, I successfully obtained the password of her forum. This password is almost generic and can be used to access her QQ, blog, email, or even, she tells me her privacy in an invisible way. I know another name of her friend. Her friend is also from the wedding forum. I know her interpersonal relationship and circle of friends, and her current difficulties. Analysis: social engineers make good use of visible information and construct traps. I knew on QQ that she was still a wedding network moderator, So I forged a password for a good moderator's selection activities.
The next step is to use the continuously obtained information. For example, I know that she has a Sina Blog, And she uses Sina friends to make a selection. At this time, she is further convinced that she also uses compassion, in fact, she is still hesitating to register. From her perspective, she knows that rejection will make my work very difficult.
Half the way, I expected her to ask me how to find her QQ number. It was very simple. The moderators and administrators of any forum had to communicate with each other, so she believed it, I even think it was recommended by someone on the forum. In terms of the password, I know that she started to have an alert. I began to fabricate a lie on the Forum of the moderator and explained the requirements after entering the Forum. For example, I talked about the problem of pictures, dispelled her doubts.