• In both of the earlier scenarios, not having enough a good enough plan and model will lead to failure. A good way to practice communication modeling is to write out a model for manipulating people you know well—a husband, wife, parent, child, boss, or friend—to do something you want, to take some action you desire.

    List the following five points and fill them out one by one, connecting the dots as you go along.
    • Source
    • Message
    • Channel
    • Receivers
    • Feedback
    Learn to become a master at information gathering and then practice putting that into action with communication modeling.
    One key aspect of learning how to communicate, how to manipulate, and how to be a social engineer is learning how to use questions.
    *Being able to effectively draw people out is a skill that can make or break a social engineer. When people see you and talk to you they should feel at ease and want to open up.*
    Have you ever met someone and instantly felt, "Wow I like that person"? Why? What was it about him that made you feel that way? Was it his smile? The way he looked? The way he treated you? His body language?
    Maybe he even seemed to be "in tune" with your thoughts and desires. The way he looked at you was non-judgmental and right away you felt at ease with him.
    *Elicitation means to bring or draw out, or to arrive at a conclusion (truth, for instance) by logic. Alternatively, it is defined as a stimulation that calls up (or draws forth) a particular class of behaviors, as in "the elicitation of his testimony was not easy."*
    Being able to effectively use elicitation means you can fashion questions that draw people out and stimulate them to take a path of a behavior you want. Ps a social engineer, what does this mean? Being effective at elicitation means you can fashion your words and your questions in such a way that it will enhance your skill level to a whole new level. In terms of information gathering, expert elicitation can trans late i nto you target wanting to answer your every request.
    In training materials, the National Security Agency of the United States government defines elicitation as "the subtle extraction of information during an apparently normal and innocent conversation."
    These conversations can occur anywhere that the target is—a restaurant, the gym, a daycare—anywhere. Elicitation works well because it is low risk and often very hard to detect. Most of the time, the targets don't ever know where the information leak came from. Even if a suspicion exists that there is some wrong intent, one can easily pass it off as an angry stranger being accused of wrong doing for just asking a question.
    Elicitation works so well for several reasons:
    • Most people have the desire to be polite, especiallyto strangers.
    • Professionals want to appear well informed and intelligent.
    • If you are praised, you will often talk more and divulge more.
    • Most people would not lie for the sake of lying.
    • Most people respond kindly to people who appear concerned about them.

    These key factors about most humans are whyelicitation works so well. Getting people to talk about their accomplishments is too easy.
    Asocial engineer wants the target to take an action, whether that action be as simple as answering a question or as big as allowing access to a certain restricted area. To get the target to comply the social engineer will ask a series of questions or hold a conversation that will motivate the target to that path.
    Some experts agree that mastering the art of conversation has three main steps:
    1. Be natural. Nothing can kill a conversation quicker than seeming to be uncomfortable or unnatural in the conversation. To see this for yourself try this exercise. Have a conversation with someone about
    something you know a lot about. If you can record it somehow or have someone else take notice, see how you stand, your posture, and the way you assert your knowledge. All of these things will scream confidence and naturalness. Then inject yourself in a conversation you know nothing about and have the same recording or friend observing. See how all those nonverbal aspects change for you when you try to inject an intelligent thought into a conversation you know nothing about. This exercise shows you the difference in being natural and not being natural. The person(s) you are conversing with will be able to see it easily which will kill all chances of successful elicitation. How do you seem natural in conversations? Thus we arrive at step 2.
    2. Educate yourself. You must have knowledge of what it is you will be talking to your targets about. This section should come with a big fat red neon light warning, but because every book can't include one let me emphasize this part:
    It is imperative that you not pretend you are more than you can reasonably be believed you are.
    Confused? Here's an example to break it down. If you wanted to obtain the chemical composition for a top-secret product and your elicitation target is one of the chemists involved in making the product, and you decide to start talking chemistry do not play yourself off as a worldclass chemist (unless you are). He may throw something at you that will show you know nothing and then your cover is blown and so is the elicitation.
    A more realistic approach may be that you are a research student studying XvZ, and was told he had amazing knowledge in this area. Due to his expertise, you just wanted to ask him a question on a chemical formula you are working on and why it doesn't seem to be working out.
    The point is that whatever you chose to converse about and whomever with, do research, practice, and be prepared. Have enough knowledge to speak intelligently intelligently about a topic that will interest the target.
    3. Don't be greedy. Of course, the goal is toger information, get answers, and be given the key to the kingdom. Yet, do not let that be the
    focus. That you are only there for yourself will quickly become evident and the target will lose interest. Often, giving someone something will elicit the feeling of reciprocation (discussed in Chapter 6), where he or she now feels obligated to give you something in return. Being this way in conversation is important. Make the conversation a give and take, unless you are conversing with a person who wants to dominate the conversation. If he wants to dominate, let him. But if you get a few answers, feel the conversation out and don't get greedy trying to go deeper and deeper, which can raise a red flag. Sometimes the people who are labeled as the "best conversationalists" in the world are those who do more listening than talking. These three steps to successful elicitation can literally change the way you converse with people daily, and not just as a social engineer or a security auditor, but as an everyday person. I personally like to add one or two steps to the "top three."
    For example, an important aspect to elicitation is facial expressions during a conversation. Having your gaze be too intense or too relaxed can affect the way people react to your questions. If your words are calm and you have engaged the target in a conversation but your body language or facial expressions show disinterest, it can affect the mood of the person, even if she doesn't realize it.
    This may seem odd to bring up here, but I am a fan of Cesar Mian, aka, The Dog Whisperer. I think that guy is a genius. He takes dogs that seem unruly and in a matter of minutes has both the dogs and their owners produce high-quality personality traits that will merit a very successful relationship for both. He basically teaches people how to communicate with a dog—how to ask and tell it to do things in a language it understands. One of the things he preaches that I fully believe in is that the "spirit" or energy of the person affects the "spirit' or energy of the dog. In other words, if the person approaches the dog all tense and anxious, even if the words are calm, the dog will act tense, bark more, and be more on edge.
    Obviously people are not the same as dogs but I truly believe that this philosophy applies./te a social engineer approaches a target her "spirit" or energy will affect the person's perception. The energy is portrayed through
    body language, facial expressions, dress, and grooming, and then the words spoken to back that up. Without even knowing it, people pick up on these things. Have you ever thought or heard someone say "That guy gave me the creeps" or "She looked like such a nice person"?
    How does that work? The person's spirit or energy is relayed to your "sensors," that data is correlated correlated with past experiences, and then a judgment is formed. People do it instantaneously many times without even knowing it. So your energy when you are going to elicit must match the role you are going to play If your personality or mental makeup doesn't enable you to easily play a manager then don't try. Work with what you have. Personally I have always been a people person and my strong suit is nor topics like chemistry or advanced math. If I were in the situation mentioned earlier I would not try to play the role of a person who knows about those things. Instead my elicitation might be as simple as a stranger interested in starting a conversation about the weather.
    Whatever methods you chose to use, you can take certain steps to have the upper edge. One of these steps is called preloading.
    Sometimes movies aren't even in production yet, but the announcer comes on and says, "The funniest movie since..." or the music starts with an ominous tone, a dense fog fills the screen, and the voiceover intones, "You thought it was over in Teenage Killer Part 45...."
    Whatever the movie is, the marketers are telling you how to feel—in other words, preloading what you should be thinking about this movie—before the preview starts. Then the short 1-3 minutes they have to show you what the movie is about is spent showing you clips to entice your desire to see the movie and to appeal to the crowd that wants the comedy, horror, or love story.
    Not much has been written about preloading, but it is a very serious topic. Preloading denotes that you can do just what it says—preload targets with information or ideas on how you want them to react to certain information. Preloading is often used in marketing messages; for example, in the national restaurant chain ads that show beautiful people laughing and enjoying the meal that looks so beautiful and perfect. As they say "yummm!" and "ohhh!" you can almost taste the food.
    Of course as a social engineer you can't run a commercial for your targets so how can you use preloading?
    As with much in the social engineering world, you have to start from the end results and work backward. What is your goal? You might have the standard goal of elicitation to gain information from a target on a project she is working on or dates she will be in the office or on vacation. Whatever it is, you must set the goal first. Next you decide the type of questions that you want to ask, and then decide what type of information can preload a person to want to answer those questions.
    For example, if you know that later tonight you want to go to a steak place that your coupon-loving wife doesn't really enjoy but you are in the mood for a rib eye, you can preload to get a response that maybe in your favor. Maybe earlier in the day you can say something like, "Honey, you know what I am in the mood for? Abig, juicy grilled steak. The other day I was driving to the post office and Fred down the road had his grill out. He had just started cooking the steaks on charcoal and the smell came in the car window and it has been haunting me ever since." Whether this elicits a response at this exact moment is not important; what you did is plant a seed that touched every sense. You made her imagine the steaks sizzling on the grill, talked about seeing them go on, talked about smelling the smoke, and about how much you wanted one.
    Suppose then you bring home the paper and as you're going through it you see an ad with a coupon for the restaurant you want to go to. You simply leave that page folded on the table. Again, maybe your wife sees it or maybe she doesn't, but chances are that because you left it with the mail, because you mentioned steak, and because she loves coupons she will see the coupon left on the table.
    Now later on she comes to you and says, "What do you want for dinner tonight?" Here is where all your preloading comes in—you mentioned the smell, sight, and desire for steak. You left an easy-to-find coupon on the table for the steak restaurant of choice and now it is dinner discussion time. You answer her with, "Instead of making you cook and having a mess to clean up tonight, we haven't been to XYZ Steaks in a while. What if we just hit that place tonight?"
    Knowing she doesn't like that place all you can hope is the preloading is working. She responds, "I saw a coupon for that place in the newspaper. It had a buy one meal get a second half off. But you know I don't like...."
    she is speaking you can jump in and offer praise: "Ha! Coupon queen strikes again. Heck, I know you don't like steak too much but I hear from Sally that they have awesome chicken meals there, too."
    Afew minutes later you are on the way to steak heaven. Whereas a frontal assault stating your desire to go to XYZ would have most likely met with a resounding "No!" preloading helped set her mind up to accept your input and it worked.
    One other really simplistic example before moving on: Afriend walks up and says, "I have to tell you a really funny story" What happens to you? You might even start smiling before the story starts and your anticipation is to hear something funny so you look and wait for opportunities to laugh. He preloaded you and you anticipated the humor.
    How do these principles work within the social engineering world?
    Preloading is a skill in itself. Being able to plant ideas or thoughts in a way that is not obvious or overbearing sometimes takes more skill than the elicitation itself. Other times, depending on the goal, preloading can be quite complex The earlier steak scenario is a complex problem. The preload took some time and energy, where a simplistic preload might be something as simple as finding out what kind of car they drive or some other innocuous piece of information. In a very casual conversation where you "happen" to be in the same deli at the same time as your target you start a casual conversation with something like, "Man, I love my Toyota. This guy in a Chevy just backed into me in the parking lot, not even a scratch." With any luck as you engage the target in conversation, your exclamation about your car might
    warm him up to the questions that you can then place about types of cars or other topics you want to gather intel on.
    The topic of preloading makes more sense as you start to analyze how you can utilize elicitation. Social engineers have been mastering this skill for as long as social engineering has been around. Many times the social engineer realia=s he has this skill way before he turns to a life of social engineering, engineering, fie a youth or a young adult he finds interacting with people easy and later finds that he gravitates toward employment that uses these skills. Maybe he is the center of his group of friends and people seem to tell him all their problems and have no problem talking to him about everything. He realizes later that these skills are what gets him through doors that might be closed otherwise.
    One other example is there is a guy who tells everything to him for straight 3months and: The point is that I developed a rapport, a trust, with someone and without trying and without malicious intent, I had a chance to preload him over months with the ideas that I was kind and compassionate and intelligent. Then when the time arose I was able to present an absurd idea, and because of the months of preloading, it was accepted.
    In most social engineering cases it would much quicker, but I think the principles apply Being as genuine as you can is essential. Because preloading involves the person's emotions and senses, give them no reason to doubt. The question you ask should match your pretext. For preloading to work you have to askfor something that matches the belief you built into them. For example, if my offer was to have me go visit my client's family and take pictures rather than manage his apartment complex, it wouldn't have matched the belief system he had of me, namely that I was a smart, business-minded, caring young man. Finally the offer, when made, must be of benefit to the target, or at least perceived as benefit. In my case, there was lots of benefit to my client. But in social engineering the benefit can be as little as "bragging rights": giving the person a platform to brag a bit. Or the benefit can be much more and involve physical, monetary or psychological benefits.
    Appealing to Someone's Ego
    The scenario painted in the DHS brochure goes like this:
    /stacker: "You must have an important job; so and so seems to think very highly of you."
    Target: "Thank you, that is nice of you to say, but my job isn't that important. All I do here is..."
    The method of appealing to someone's ego is simplistic but effective. One caution, though: Stroking someone's ego is a powerful tool but if you overdo it or do it without sincerity it just turns people off.
    Using ego appeals needs to be done subtly, and if you are talking to a true narcissist avoid eye rolls, sighs, or argumentativeness when she brags of her accomplishments. Subtle ego appeals are things like, "That research you did really changed a lot of people's viewpoints on..." or "I overheard Ivt. Smith telling that group over there that you are one of the most keen data
    analysts he has." Don't make the approach so over the top that it is obvious.
    Subtle flattery can coax a person into a conversation that might have never taken place.
    Expressing a Mutual Interest
    Consider this mock scenario:
    /backer: "Wow, you have a background in ISO 9001 compliance databases? You should see the model we built for a reporting engine to assist with that certification. I can get you a copy."
    Target: "I would love to see that. We have been toying with the idea of adding a reporting engine to our system."
    Expressing mutual interest is an important aspect of elicitation. This particular scenario is even more powerful than appealing to someone's ego because it extends the relationship beyond the initial conversation. The target agreed to further contact, to accept software from the attacker, and expressed interest in discussing plans for the company's software in the future. Pi\ of this can lead to a massive breach in security.
    The danger in this situation is that now the attacker has full control. He controls the next steps, what information is sent, how much, and when it is released. This is a very powerful move for the social engineer. Of course, if the engagement were long-term, then having a literal piece of software that can be shared would prove even more advantageous. Sharing usable and non-malicious software would build trust, build rapport, and make the target have a sense of obligation.
    Making a Deliberate False Statement
    Delivering a false statement seems like it would backfire off the top, but it can prove to be a powerful force to be reckoned with.
    Pttacker. "Everybody knows that XYZ Company produced the highestselling software for this widget on earth."
    Target: "Alually that isn't true. Our company started selling a similar
    product in 1998 and our sales records have beaten them routinely by more than 23%."
    These statements, if used effectively can elicit a response from the target with real facts. Most people must correct wrong statements when they hear them. It's almost as if they are challenged to prove they are correct. The desire to inform others, appear knowledgeable, and be intolerant of misstatements seems to be built into human nature. Understanding this trait can make this scenario a powerful one. You can use this method to pull out full details from the target about real facts and also to discern who in a group might have the most knowledge about a topic.
    Volunteering Information
    The DHS brochure makes a good point about a personality trait many of us have. Afew mentions of it have appeared in the book already and it's covered in much more detail later on, but obligation is a strong force. As a social engineer, offering up information in a conversation almost compels the target to replywith equally useful information.
    Want to try this one out? Next time you are with your friends say something like, "Did you hear about Ruth? I heard she just got laid off from work and is having serious problems finding more work."
    Most of the time you will get, "Wow, I didn't hear that. That is terrible news. I heard that Joe is getting divorced and they are going to lose the house, too."
    Asad aspect of humanity is that we tend to live the saying "misery loves company—how true it is in this case. People tend to want to share similar news. Social engineers can utilize this proclivity to set the tone or mood of a conversation and build a sense of obligation.
    Using Intelligent Questions
    As a social engineer you must realize that the goal with elicitation is not to walk up and say, "What is the password to your servers?"
    The goal is getting small and seemingly useless bits of information that help build a clear picture of the answers you are seeking or the path to gaining those answers. Either way, this type of information gathering can help give the social engineer a very clear path to the target goal.
    How do you know what type of questions to use?
    The fol lowi ng sections analyze the types of questions that exist and how a social engineer can use them.
    Open-Ended Questions
    Open-ended questions cannot be answered with yes or no. Asking, "Pretty cold out today huh?" will lead to a "Yes," "Uh-uh," "Yep," or some other similar affirmative guttural utterance, whereas asking, "What do you think of the weather today?" will elicit a real response: the person must answer with more than a yes or no.
    One way a social engineer can learn about how to use open-ended questions is to analyze and study good reporters. Agood reporter must use open-ended questions to continue eliciting responses from his or her interviewee.
    Suppose I had plans to meet a friend and he canceled, and I wanted to know why I can ask a question like, "I was curious about what happened to our plans the other night."
    "I wasn'tfeeling too well."
    "Oh, I hope you are better now. What was wrong?"
    This line of questioning usually gets more results than doing an all-out assault on the person and saying something like, "What the heck, man? You ditched me the other night!"
    Another aspect of open-ended questions that adds power is the use of why and how. Following up a question with how or why can lead to a much more in-depth explanation of what you were originally asking.
    This question again is not "yes" or "no" answerable, and the person will reveal other details you mayfind interesting.
    Sometimes open-ended questions can meet with some resistance, so using the pyramid approach might be good. The pyramid approach is where you start with narrow questions and then ask broader questions at the end of the line of questioning. If you really want to get great at this technique learn to use it with teenagers. For example, many times open-ended questions such as, "How was school today?" will be met with an "OK" and nothing more, so asking a narrow question might open up the flow of information better.
    "What are you doing in math this year?" This question is very narrow and can be answered only with a veryspecific answer: "Algebra II."
    "Ah, I always hated that. How do you like it?"
    From there you can always branch out into broader questions, and after you get the target talking, getting more info generally becomes easier.
    Closed-Ended Questions
    Obviously closed-ended questions are the opposite of open-ended questions but are a very effective way to lead a target where you want. Closed-ended questions often cannot be answered with more than one or two possibilities.
    In an open-ended question one might ask, "What is your relationship with your manager?" but a closed-ended question might be worded, "Is your relationship with your manager good?"
    Detailed information is usually not the goal with closed-ended questions; rather, leading the target
    target is the goal.
    Law enforcement and attorneys use this type of reasoning often. If they want to lead their target down a particular path they ask very closed questions that do not allow for freedom of answers. Something like this:
    "Do you know the defendant, Mr. Smith?"
    "Yes I do."
    "On the night of June 14th, did you see Mr. Smith at the ABC Tavern?" "I did."
    "Aid at what time was that?" "11:45pm."
    All of these questions are very closed ended and only allow for one or two types of responses.
    Leading Questions
    Combining aspects from both open- and closed-ended questions, leading questions are open ended with a hint leading toward the answer. Something like, "You were at the ABC Tavern with Mr. Smith on June 14th at around 11:45pm, weren't you?" This type of question leads the target where you want but also offers him the opportunity to express his views, but very narrowly It also preloads the target with the idea that you have knowledge of the events being asked about. Leading questions often can be answered with a yes or no but are different from closed-ended questions because more information is planted in the question that when answered gives the social engineer more information to work with. Leading questions state some facts and then ask the target to agree or disagree with them.
    In 1932 the British psychologist Frederic C. Bartlett concluded a study on reconstructive memory He told subjects a story and then asked them to recall the facts immediately two weeks later, and then four weeks later. Bartlett found that subjects modified the story based on their culture and beliefs as well as personality None were able to recall the story accurately and in its entirety. It was determined that memories are not accurate records of our past. It seems that humans try to make the memory fit into our existing representations of the world. When asked questions, many times we respond from memory based on our perceptions and what is important to us.
    Because of this, asking people a leading question and manipulating their memory is possible. Elizabeth Loftus, a leadinq fiqure in the field of eyewitness testimony research, has demonstrated through the use of leading questions how distorting a person's memory of an event is easily possible. For example, if you showed a person a picture of a child's room that contained no teddy bear, and then asked her, "Did you see a teddy bear?" you are not implying that one was in the room, and the person is free to answer yes or no as they wish. However, asking, "Did you see the teddy bear?" implies that one was in the room and the person is more likely to answer "yes," because the presence of a teddy bear is consistent with that person's schema of a child's room.
    Because of this research the use of leading questions can be a powerful tool in the hands of a skilled social engineer. Learning how to lead the target can also enhance a social engineer's abilityto gather information.
    Assumptive Questions
    /Assumptive questions are just what they sound like—where you assume that certain knowledge is already in the possession of the target. The way a social engineer can determine whether or not a target possesses the information he is after is by asking an assumptive question. For example, one skill employed by law enforcement is to assume the target already has knowledge—for example, of a person—and ask something like, "Where does Mr. Smith live?" Depending on the answer given, the officer can determine whether the target knows the person and how much she knows about him.
    A good point to note is that when a social engineer uses assumptive questions the whole picture should never be given to the target. Doing so gives all the power to the target and removes much of the social engineer's ability to control the environment. The social engineer never wants to use assumptive questions to accuse the target of a wrong. Doing so alienates the target and again costs the social engineer power.
    Asocial engineer should use assumptive questions when he has some idea of the real facts he can use in the question. Using an assumptive question with bogus information may turn the target off and will only confirm that the target doesn't know about something that didn't happen. Back to an
    earlier example, if I wanted to gain information from a leading chemist and I did some research and knew enough to formulate one intelligent sentence I could make an assumptive question but it would ruin future follow up if I was not able to back up the assumption the target would make of my knowledge.
    For example, if I were to ask, "Because deuterium and tritium have such low temperature thresholds, how does one handle these materials to avoid ignition?" The follow-up information might be hard to follow if I am not a nuclear physicist. This is counterproductive and not too useful. Plan your assumptive questions to have the maximum effect. One adjunct that is taught to law enforcement officials that comes in very handy when using assumptive questions is to say "Now think carefully before you answer the next question..." This kind of a statement preloads the target's mind with the idea that he must be truthful with his next statement.
    It can take months or years to master these skills. Don't get disheartened if the first few attempts are not successful, and keep trying. Don't fear, though, there are some tips to mastering this skill. I will review these in closing.
    Mastering Bicitation This chapter has a lot of information for you to absorb, and if you are not a people person, employing the techniques covered might seem like a daunting task. Like most aspects of social engineering, elicitation has a set of principles that when applied will enhance your skill level. To help you master these principles, remember these pointers:
    • Too many questions can shut down the target. Peppering the target with a barrage of questions will do nothing but turn off the target. Remember, conversation is a give and take. You want to ask, but you have to give to make the target feel at ease.
    • Too few questions will make the target feel uncomfortable. Have you ever been in a conversation that is filled with "awkward silences"? It isn't good is it? Don't assume that your target is a skilled and willing
    conversationalist. You must work at making a conversation an enjoyable experience. • /Ask only one question at a time. Chapter 5 covers buffer overflows on the human mind, but at this time your goal is nor to overflow the target. It is to merely gather information and build a profile. To do this you can't seem too eager or non-interested. As you have probably gathered, making elicitation work right is a delicate balance. Too much, too little, too much at once, not enough—any one of them will kill your chances at success.
    However, these principles can help you master this amazing talent. Whether you use this method for social engineering or just learning how to interact with people, try this: Think of conversation as a funnel, where on the top is the largest, most "neutral" part and at the bottom is the very narrow, direct ending.
    Start by asking the target very neutral questions, and gather some intel using these questions. Give and take in your conversation, and then move to a few open-ended questions. If needed, use a few closed-ended questions to direct the target to where you want to go and then if the situation fits, move to highly directed questions as you reach the end of funnel. What will pour out of the "spout" of that funnel is a river of information.
    Think about it in the situation discussed in this chapter of my target at the chamber of commerce gathering. IVtygoal was to gather intel on anything that might lead to a security breach.
    I started off the conversation with a very neutral question. "Escaping the vultures?" This question broke the ice on the conversation as well as used a little humor to create a bridge that allowed us to exist on the same plane of thought. I asked a few more neutral questions and handed him my card while inquiring what he does. This segues smoothly into the open-ended questions.
    Abrief information-gathering session that occurred earlier, using carefully placed closed-ended or assumptive questions was key After hearing about the company's recent purchase for new accounting software and network upgrades I wanted to go in for the kill. Having scoped out the building I knew it used RFID, but I wasn't sure if the target would go so far as to describe the
    card and show it to me.
    This is where the use of direct questions played a role: coming right out and asking what security the company used. By the time I used that type of question our rapport and trust factor was so high he probably would have answered anyquestions I asked.
    Understanding how to communicate with people is an essential skill for an elicitor. The social engineer must be adaptive and able to match the conversation to his or her environment and situation. Quickly building even the smallest amount of trust with the target is crucial. Without that rapport, the conversation will most likely fail.
    Other key factors include making sure that your communication style, the questions used, and the manner in which you speak all match your pretext. Knowing how to ask questions that force a response is a key to successful elicitation, but if all that skill and all those questions do not match your pretext then the elicitation attempt will most surely fail.
    Practice Dialects or Expressions
    Learning to speak in a different dialect cannot be glanced over quickly Depending on where you live, learning to speak a different dialect or with an accent can take some time. Putting on a southern drawl or an Asian accent can be very difficult, if not impossible. Once I was in a training class with an international sales organization and it had some statistics that said 70% of Americans prefer to listen to people with a British accent. I am not sure if that statistic is true or not, but I can say that I enjoy the accent myself.
    • Find native examples of the accent you want to learn, to listen to. Books like Dialects for the Stage often come with audiotapes full of accents to listen to.
    • Try speaking along with the recording you have, to practice sounding like that person.
    • /^fter you feel somewhat confident, record yourself speaking in that accent so you can listen to it later on and correct errors.
    • Create a scenario and practice your new accent with a partner.
    • App!y y°ur accent in public to see if people find it believable.
    There are innumerable dialects and accents, and I personally find it helpful to write out phonetically some of the sentences I will speak. This enables me to practice reading them and get the ideas sunk into my brain to make my accent more natural. learning expressions that are used in the area in which you are working can make a difference. Cne idea
    is to spend some time listening to people in public talk to one another. A great place for this is a diner or a shopping mall, or any place you might find groups of people sitting and chatting. Listen closelyto phrases or keywords. If you hear them used in a few conversations you might want to find a way to incorporate these into your pretext to add believability Again, this exercise takes research and practice.
    Practice Dialects or Expressions
    Learning to speak in a different dialect cannot be glanced over quickly Depending on where you live, learning to speak a different dialect or with an accent can take some time. Putting on a southern drawl or an Asian accent can be very difficult, if not impossible. Once I was in a training class with an international sales organization and it had some statistics that said 70% of Americans prefer to listen to people with a British accent. I am not sure if that statistic is true or not, but I can say that I enjoy the accent myself.
    • Find native examples of the accent you want to learn, to listen to. Books like Dialects for the Stage often come with audiotapes full of accents to listen to.
    • Try speaking along with the recording you have, to practice sounding like that person.
    • /^fter you feel somewhat confident, record yourself speaking in that accent so you can listen to it later on and correct errors.
    • Create a scenario and practice your new accent with a partner.
    • App!y y°ur accent in public to see if people find it believable.
    There are innumerable dialects and accents, and I personally find it helpful to write out phonetically some of the sentences I will speak. This enables me to practice reading them and get the ideas sunk into my brain to make my accent more natural. learning expressions that are used in the area in which you are working can make a difference. Cne idea
    is to spend some time listening to people in public talk to one another. A great place for this is a diner or a shopping mall, or any place you might find groups of people sitting and chatting. Listen closelyto phrases or keywords. If you hear them used in a few conversations you might want to find a way to incorporate these into your pretext to add believability Again, this exercise takes research and practice.
    Try calling family or friends to see how far
    you can get manipulating them. Another way to practice is to record yourself as if you were on the phone and then play it back later to hear how you sound.
    I personally feel that using an outlined script is very important. Here is an illustration: suppose you had to call your phone company or another utility Maybe they messed up a bill or you had another service problem and you are going to complain. After you explain yourself to the rep, telling her how upset and disappointed you are, and the rep does absolutely nothing for you, she says something like, "XY&Z is committed to excellent service; have I answered all your questions today?" If the drone behind the phone thought for one second about what she was asking she would realize how silly it is, right? This is what happens when you use a written-out script instead of an outline. An outline allows you "creative artistic freedom" to move around in the conversation and not be so worried about what must come next.
    Using the phone to solidify your pretext is one of the quickest methods inside your target's door.
    Provide a Logical Conclusion or Follow-through for the Target
    Believe it or not people want to be told what to do. Imagine if you went to a doctor and he walked in, checked you over, wrote some things on his chart, and said, "Okay; see you in a month." That would be unacceptable. Even in the event of bad news, people want to be told the next step and what to do.
    a social engineer, when you leave the target, you may need him to take or not take an action, or you may have gotten what you came for and just need to leave. Whatever the circumstance, giving the target a conclusion or follow-through fills in the expected gaps for the target.
    Just as if a doctor checked you over and sent you home with no directions, if you engineer your way into a facility as a tech support guy and just walk out without saying anything to anyone after cloning the database, you leave everyone wondering what happened. Someone may even call the "tech support company' and ask whether he needed to do anything, or at worst you just leave the workers wondering. Either way leaving everyone hanging is not the way to leave. Even a simple, "I checked over the servers and repaired the file system; you should see a 22% increase in speed over the next couple days," leaves the targets feeling as if they "got their money's worth."
    The tricky part for a social engineer is getting the target to take an action after he or she is gone. If the action is vital for completion of the social engineer audit, then you may want to take that role upon yourself. For example, in the account in Chapter 3 of my information-gathering session at the chamber of commerce event, if I wanted that target to follow-up with me through email I could have said, "Here is my card; will you email me some details on Monday about XYZ?" He verywell may have, or he could have gone to the office, forgotten about me completely completely and the whole gig would have failed. What would be better is to say "I would love to get some more information from you. On Monday could I perhaps call you or shoot you an email to get some more details?"
    The requests you make should match the pretext, too. If your pretext is being a tech support guy, you won't "order" people around with what they must and must not do; you work for them. If you are a UPS delivery person, you don't demand access to the server room.
    /As mentioned earlier, more steps may exist for perfecting a pretext, but the ones listed in this chapter can give a social engineer a solid foundation to build a perfectly believable pretext.
    You might be asking, "Okay so you listed all these principles, but now what?" How can a social engineer build a well-researched, believable, spontaneous-sounding, simple pretext that can work either on the phone or in person and get the desired results? Read on.
    Additional Pretexting Tools
    Other tools exist that can enhance a pretext.
    Props can go a long way in convincing a target of the reality of your pretext; for example, magnetic signs for your vehicle, matching uniforms or outfits, tools or other carry-ons, and the most important a business card.
    The power of the business card hit me when I was recently flying to Las \&gas on business, ivy laptop bag usually gets scanned, rescanned, then swabbed for bomb dust or whatever. I am one of those guys who doesn't really mind the extra security precautions because they keep me from blowing up in the air, and I am happywith that.
    Yet I realize that 90 percent of the time I am going to get extra attention by Transportation Security Administration (TSA). On this particular trip I had forgotten to take my lock picks, RFID scanner, four extra hard drives, bump keys (see Chapter 7), and plethora of wireless hacking gear out of my carryon laptop bag. As it goes through the scanner I hear the lady working the xraysay, "What the heck?"
    She then calls over another gentlemen who stares at the screen and says, "I have no clue what the heck that stuff is." He then looks around, sees mysmiling face, and says, "Is this you?"
    I walk over to the table with him as he is emptying my RFID scanner and my large case of lock picks and he says, "Why do you have all of these items and what are they?"
    I had nothing planned but decided at the last second to try this move: I pulled out a business card and said, "I am security professional who specializes in testing networks, buildings, and people for security holes. These are the tools of my business." I said this as I handed him a business card and he looked at it for about five seconds and then said, "Oh, excellent.
    Thanks for the explanation."
    He neatly put all my items back in, zipped the bag up, and let me go. Usually I go through the bomb screening, the little dust machine, and then a patdown, but this time all I got was a thank you and a quick release. I began to analyze what I did differently than normal.
    The only difference was that I had given him a business card. Granted, my business card is not the $9.99 special from an online card printer, but I was amazed that what seemed to haws happened was that a business card added a sense of license to my claims.
    My next four flights I purposely packed every "hacking" device into my bags I could find and then kept a business card in my pocket. Each time my bag was examined and I was asked about the contents, I flipped out the card. Each time I was apologized to, had my items packed in neatly, and let go.
    Chapter 5
    Mind Tricks: Psychological Principles Used in Social Engineering
    It all depends on how we look at things, and not on how they are themselves.
    —Carl Gustav Jung

    This chapter could be a book unto itself, but I will condense this information down to principles that will truly change the way you interact with people. Some of the topics in this chapter are based on research done by the brightest minds in their respective fields. The techniques discussed in these topics were tested and put through the paces in social engineering environments. For example, the topic of microexpressions is based on the research of the world-renowned psychologist and researcher, Dr. Paul Ekman, who used his genius to develop techniques into reading facial expressions that can literally change the way law enforcement, governments, doctors, and everyday people interact with others.

    Some of the topics in this chapter are based on research done by the brightest minds in their respective fields. The techniques discussed in these topics were tested and put through the paces in social engineering Some of the principles of Richard Brandler and John Grinder, the
    originators of neurolinguistic programming, changed people's understanding about thought patterns and the power of words.
    These topics are subjects for much debate, and this chapter attempts to demystify this subject and explain how you can use them in social engineering.
    Some of the best interrogators on the planet developed training and frameworks to help law enforcement learn how to effectively interrogate suspects. These principles have such deep psychological roots that learning the methods used can literally unlock the doors to the minds of your targets.
    Using cues that people give in their speech, gestures, eyes, and faces can make you appear to be a mind reader.
    Learning social engineering skills is not a quick process, so don't be impatient. The methods of learning some of these skills can take years to perfect and a lot of practice to even become proficient. Of course, you may possess a skill for a certain aspect but if you do not, don't become impatient with trying to learn it. Keep on trying harder and practicing and you will get it.
    Before you get into the meat of this chapter, the following section sets the stage for why and how these principles will work. You must understand the modes of thinking that exist. After you understand more clearly how people take in and process information you can begin to understand the emotional, psychological, and physical representations of that process.
    Modes of Thinking
    To alter someone's way of thinking you must understand the way people think and in what modes they think. This seems a logical first step to even attempting this aspect of social engineering.
    You might think you need to be a psychologist or a neurologist to understand the many aspects of how a person can think. Although that can help, it is not necessary With a little research and some practical application you can delve into the inner workings of the human mind.
    Simply confirming your nonverbal behavior to the client, using language from the client's preferred representational system and matching speech volume, tone, and area of speech often overcomes client reluctance to communicate. This simple statement has a lot of depth in it. Basically it is saying that if you can first figure out the target's dominant mode of thinking and then confirm it in subtle ways, you can unlock the doors of the target's mind and help him actually feel at ease when telling you even intimate details. Logically you may ask then, "How do I figure out a target's dominant mode of thinking?"
    Even asking people what their mode of thinking is will not offer a clear answer, because many people do not know what mode of thinking they often reside in. Due to that, as asocial engineer you must have some tools to help you determine this mode and then quickly switch gears to match that mode. Aclear and easy path exists to this answer but you need to know the basics first.
    The Senses
    For centuries philosophers have argued the value of perception. Some go so far as to say that reality is not "real" but just what our senses build into our perceptions. Personally I do not subscribe to that idea, but I believe that the world is brought to our brain by our senses. People interpret those senses for their perception of reality In the traditional classification we have five senses: sight, hearing, touch, smell, and taste.
    People tend to favor one of these senses and that is the one that is dominant. It is also the way people tend to remember things. As one exercise to determine your dominant sense, close your eyes and picture yourself waking up this morning—what is the veryfirst thing you remember?
    Was the feeling of the warm sun on your face? Or maybe you remember the sound of the voice of your spouse or children calling you? Do you remember clearly the smell of coffee downstairs? Or quite possibly the bad taste in your mouth, reminding you that you need to brush yourteeth?
    Of course, this science is not exact and realizing what your dominant sense is may take a few tries to figure out. I once talked to a couple about this concept and it was interesting to watch their expressions. The wife first remembered waking up and seeing the clock and then worrying that she was running late, whereas the husband first remembered rolling over and
    not feeling his wife next to him. After some more questions it became evident that the husband was a kinesthetic, or his dominant sense was his feeling, whereas his wife was very visual.
    Of course, walking up to your target and saying, "Close your eyes and tell me the first thing you remember this morning," doesn't seem reasonable. Unless, of course, your pretext is the family shrink, you might meet with some opposition on this route.
    How can you determine without going through an embarrassing interrogation about their morning rituals what a target's dominant sense is?
    The Three Main Modes of Thinking
    Although we have five senses, the modes of thinking are associated with onlythreeofthem:
    • Sight, or a visual thinker
    • Hearing, or an auditory thinker
    • Feeling, or a kinesthetic thinker
    Each sense has a range within which it works, or a sub-modality. Is something too loud or too soft? Too bright or too dark? Too hot or too cold? Examples of these are as follows: staring at the sun is too bright, jet engines are too loud, and -30 degrees Fahrenheit is too cold. Ivan Pavlov ran an experiment where he rang a bell every time he fed a dog. In the end the dog would hear the sound of the bell, then salivate. What most people don't know is that he was more interested in the physical and emotional aspects of submodalities. The interesting point is that the louder the bell rang the more the dog salivated. The range change of the sub-modality produced a direct physical change. Even though people are very different from dogs, Pavlov's research is very important in understanding how a person thinks. Many of us can think in all three modes, but we dominate in one—one "rings" the loudest. Even within our dominant mode, we might have varying degrees of depth for that dominant sense.
    Following I will discuss some of the details of each of these modes in
    more depth.
    The majority of people are usually visual thinkers, in that they usually remember what something looked like. They remember the scene clearly— the colors, the textures, the brightness or darkness. They can clearly picture a past event and even build a picture for a future event. When they are presented with material to decide upon they often need something to see because visual input is directly linked to decision making. Many times a visual thinker will make a decision based on what is visually appealing to him regardless of what is really"better"forhim.
    Athough men tend to be visual, this does not mean that all men are always visual. That visual marketing or visual aspects normally appeal to men is true, but do not assume all men are visual.
    Avisual person often uses certain words in his speech, such as:
    • "I see what you mean."
    • "That looks good to me."
    • "I get the picture now."
    And the range that the dominant sense works in for a visual thinker can have certain characteristics, or sub-modalities, such as:
    • Light (bright or dim)
    • Size (large or small)
    • Color (black and white or color)
    • Movement (fast or slow)
    • Focus (clear or hazy)
    Trying to debate, sell, negotiate, manipulate, or influence a visual thinker with no visual input is very difficult if not impossible. Visual thinkers need visual input to make decisions.
    Auditory thinkers remember the sounds of an event. They remember that the
    alarm was too loud or the woman whispered too low. They recall the sweetness of the child's voice or the scary bark of the dog. Auditory people learn better from what they hear and can retain far more from being told things than being shown things.
    Because an auditory thinker remembers the way something sounded, or because the sounds themselves help recall memories, he may use phrases such as:
    • "Loud and clear..."
    • "Something tells me..."
    • "That sounds okay to me."
    Aid the range of this dominant sense can be within these sub-modalities:
    • Volume (loud or soft)
    • Tone (base or treble)
    • Pitch (high or low)
    • Tempo (fast or slow)
    • Distance (near or far)
    It is imperative to choose your words carefullywith auditory thinkers. The words they hear will make or break the deal. I have seen whole encounters go from great to a disaster with one wrong word spoken to an auditory thinker.
    Kinesthetic thinkers are concerned with feelings. They remember how an event made them feel—the warmth of the room, the beautiful breeze on their skin, how the movie made them jump out of their seat with fear. Often kinesthetic kinesthetic thinkers feel things with their hands to get the sense of the objects. Msrely telling them something is soft isn't as real as letting them touch it. But helping recall a soft item they touched before can recall emotions and feelings that are very real to a kinesthetic thinker.
    The term "kinesthetic" relates to tactile, visceral, and sense-of-self sensations of the body—basically, where a person's body is in space and the self-awareness of how something made him feel. A kinesthetic thinker
    uses phrases such as:
    • "I can grasp that idea."
    • "How does that grab you?"
    • "I'll get in touch with you."
    • "I just wanted to touch base."
    • "How does this feel?"
    Aid the range for this type can have the following sub-modalities:
    • Intensity (strong or weak)
    • Aea (large or small)
    • Texture (rough or smooth)
    • Temperature (hot or cold)
    • Weight (heavyor light)
    Helping a kinesthetic thinker recall a feeling or emotion tied to something can make those emotions reappear as real as the first time they occurred. Kinesthetic thinkers are probably the most difficult for non-kinesthetic thinkers to deal with because they do not react to sights and sounds and social engineers have to get in touch with their feelings to communicate with this type of thinker.
    Understanding these basic principles can go a long way toward being able to quickly discern the type of person you are talking to. Again, without asking the target to picture his morning rituals how can you discern the dominant sense? Even more so, why is this so important?
    Discerning the Dominant Sense
    The key to determining someone's dominant sense is to try to introduce yourself, start a small conversation, and pay close attention to what is being said. As you walk up to the target and lean in to say good morning, maybe she barely looks at you. She might be rude, or she just may not be a visual. Visuals need to look at the person speaking to communicate properly so this behavior would seem to lend to the fact she is not visual. Now ask a simple question such as, "Don't you just love the feel of a beautiful day like today?" and notice her response, particularly whether she seems to light up or not.
    Maybe you wear a large, shiny silver ring, /is you talk you gesture; maybe you see that the ring catches her eye. Does she reach out, interested, and need to hold the ring or get close to observe it? Kinesthetics are very touchyfeely when it comes to these things. I know a woman who is a strong kinesthetic and when she sees something she thinks is soft or high quality she must touch it. She will say "Wow, that sweater looks so soft!" From that statement one might assume she is a visual, but what happens next is what solidifies it. She then walks up to the person and touches the sweater and feels it. This shows her dominant sense is kinesthetic. The same woman must touch everything in the grocery store when she shops, whether she needs it or not. By touching the objects, she makes a connection and that connection makes it real to her. Often she cannot remember things very well that she did not come into physical contact with.
    /Asking questions that contain some of the key dominant words, observing a target's reactions, and listening can reveal what dominant sense he or she uses. Listening for keywords such as see, look, bright, dark can lead you to treat a target like a visual. As mentioned earlier this is not an exact science. There isn't a general rule that states if a person says, "I can see what you are saying..." then he is always a visual. Each clue should lead you down the path toward verifying your hunch with more questions or statements. One word of caution: talking to someone in a different mode than they think in can be irritating to some. Using questions to determine a person's mode of thinking can be off-putting. Use questions sparingly and rely more on observation.
    Why Understanding the Mode Is Important
    I once worked with a guy, Tony, who could sell a cup of water to a drowning man. Tony was a big believer in seeking out and then using a person's dominant sense in sales. He had a few methods that he used that you may learn from. When he first engaged the target he had a very shiny silver-andgold pen he would hold in his hand. He would gesture a lot and notice whether the person followed the pen with her eyes; if she did slightly Tony would continually make the gestures bigger to see whether her eyes
    followed. If that didn't seem to work in the first few seconds he would click the pen open and closed. It wasn't a loud noise, but loud enough to disrupt a thought and draw someone's attention if she were an auditory If he thought that was working he would click it with every important thought, causing the target to have a psychological reaction to the sound and what was being said. If that didn't seem to work he would reach out over the table and tap her wrist or forearm, or if he was close enough touch her shoulder. He didn't touch excessively but enough to see whether she would shy away or seemed overly happy or disturbed bythe touch.
    With these subtle methods he could quickly discern what the person's dominant sense most likely was. This whole act would take under 60 seconds. After he found the information he was looking for, he would then start to move his conversation to that dominant sense, even taking on the traits of that sense in the words he spoke and way he acted and reacted to the conversation. Cne thing about Tony is that he outsold any person I have ever met. People would often say about him, "It is like he knew exactly what I needed."
    Tony would talk to the person and treat the person the way they wanted to be talked to. If the person was a visual thinker, Tony would use phrases like "Can you see what I am saying?" or "How does this look to you?" He would use illustrations that involved "seeing" things or visualizing scenarios. He would put people in their comfort zone.
    People feel at ease when they are in their comfort zone. The more you can do as a social engineer to put people in their comfort zone, the better chance you have at success. People gravitate towards those with whom they are comfortable; it is human nature. For example, if someone makes you feel "warm and fuzzy," or seems to understand what you are saying, or seems to see where you are coming from, you easily open up to, trust, and let that person in your circle.
    I want to reiterate this point: finding and using someone's dominant sense is not an exact science. Asocial engineer should use it as a tool in the arsenal and not rely on it as something magical or scientific. Certain psychological aspects of human nature are based on proven science and can be relied upon. As a matter of fact, some of these aspects are so
    impressive that they can make you seem like a mind reader. Some of them have been a topic of serious debate and some accepted by psychologists, law enforcement, and social engineers for years. The next section of this chapter discusses these, starting with microexpressions.
    You are probably familiar with the idea of reading facial expressions. When someone is happy sad, angry or whatever, when someone feels it you can look at his or her face and see that emotion. What if someone tries to fake that expression, like a fake smile? We have all done it, walking through the market and bumping into someone we just don't like that much—we put on a "smile" and say, "Hey John, nice to see you. Say hi to Sally."
    We may act very pleasant and cordial, but inside we are feeling nothing but irritation. The expressions that we show for longer periods of time on our face are called macroexpressions and are generally easier for people to see the emotion that is being conveyed. Similar to microexpressions, macroexpressions are controlled by our emotions, but are not involuntary and often can be faked.
    A certain few pioneers into the study of human behavior have spent decades researching something, coined microexpressions, to understand how humans relay emotions.
    Mcroexpressions are expressions that are not easily controllable and occur in reaction to emotions. An emotion triggers certain muscular reactions in a face and those reactions cause certain expressions to appear. Many times these expressions last for as short as one-twenty-fifth of a second. Because they are involuntary muscular movements due to an emotional response, they are nearly impossible to control.
    Probably one of the most influential researchers in the field of microexpressions is Dr. Paul Ekman. Dr. Ekman pioneered microexpressions into the science it is today. Dr. Ekman has been studying microexpressions for more than 40 years. In the 1970s Dr. Ekman developed FADS (Facial Action Coding System) to label and number each conceivable human expression. His work branched out to not only include facial expressions but also how the whole bodywas involved in deception.
    By 1972, Dr. Ekman had identified a list of expressions that were linked with basic or biologically universal emotions:
    • Aiger
    • Disgust
    • Fear
    • Joy
    • Sadness
    • Surprise
    Anger is usually easier to spot than some other expressions. In anger the lips become narrow and tense. The eyebrows slant downward
    downward and are pushed together—then comes the most noticeable characteristic of an