Information Gathering: Low-Tech

Information gathering is the single most important part of any social engineering engagement. Even though gathering, cataloging, and sifting through information is the least sexy part of social engineering, it is a critical phase. The more time you spend gathering information, the more information you will have. The more information you have, the better your engagement will go. Social engineers who are meticulous about their information gathering will not only be the most prepared during an engagement (read: more prepared equals less nervous!), but will also be the most successful.

A common mistake of junior social engineers is to halt the information gathering phase once some tidbits of juicy data are discovered. Don’t make this mistake. Gather as much information as possible, or as much as time allows. All information should be considered important and useful. Imagine a scenario where you’re physically onsite at a client doing a penetration test and an employee challenges you as to why you are in a certain area or location. Having as much information as possible will allow you to better role play and not have to pull out your “get out of jail free” card.

Security: “Excuse me, sir, can I help you?”

You: “Yeah, I’m Marcus Zail, with Western Disposal, we handle your recycling efforts. I was told that the locks on your Jumbo Bins weren’t functioning properly. I’m just here to take a look and see what needs to be done next.”

Since you already knew they used Western Disposal and your research told you that Western Disposal’s large trash bins were referred to as “Jumbo Bins”, you were ready to respond to the guard’s inquisition.

Cataloging and organizing your information is just as important as actually gathering the information. What good is a pile of information if you don’t know what you have? We recommend using note-taking applications to help you organize your data. The apps basically break down into two groups: online and offline note applications. The online services are usually free, auto-sync your notes to the cloud, and have clients for whichever operating system you’re using, including all handheld devices. So when you’re in the field with just your cell phone, you can retrieve and modify your notes on the fly. The issue with these online apps is that your data is stored in the cloud and is susceptible to being hacked, as Evernote was recently. There are dozens of applications that function just like Evernote. An alternative list can be found here. Offline note applications function more like traditional desktop applications and keep your notes and data local to your device. Here is a good comparison of note applications. The note application you choose depends a lot on your security concerns. If confidentiality and security are your number one concern, you should opt for an offline note application. Also, many note applications allow you to export your notes into a multitude of formats, which makes composing reports easier.

There are two distinct ways to gather information: non-technical and technology-based information gathering. In this newsletter, we will discuss the low-tech methods of gathering information.

Low-tech Information Gathering

One of my favorite, and often one of the more fruitful, ways to gather information is dumpster diving. We recently reported on a case of critical and sensitive patient records left in dumpsters in Georgia. Dumpster diving is the act of sifting through trash bins for information. What is the psychology when we throw something away? We consider it gone, trashed. Because of this, many organizations don’t properly dispose of their data or protect what they have discarded. Not only do companies fail to properly shred their analog data, they also fail to lock their dumpsters. Dumpster diving is not for the faint of heart and can get messy quickly. In addition to not protecting analog data, most places don’t bother to separate paper trash from every other type of trash you can imagine. Let’s just take a second to imagine what else we might expose ourselves to while sifting through a dumpster. Ok, grossed out yet? Well, we didn’t say it was going to be easy, or clean.

We recommend protecting yourself as much as possible. Wear dark clothing to avoid detection as well as gloves, boots (preferably steel toed), and eye protection to shield yourself. You will want to always have a flashlight on you as this work should be performed under the cover of darkness. It’s important to resist the urge to sift through data onsite. Take it with you. All of it. Your primary focus should be to get in and get out, undetected. To aid you in your goal of getting in and out undetected, you should scope out your spot during the day, before you attempt to gather information. Knowledge of security guards, cameras, lights, etc. will be invaluable to you when you’re there at night.

Sometimes the information we’re after is guarded under lock and key, like a dumpster. Picking locks is shockingly easy and most locks can be opened in about a minute when challenged by a person competent in the art of lock picking. Lock pick kits are readily available from many sources on the Internet. Also, most hacker conventions have lock pick vendors and areas specifically dedicated to lock picking where anyone can go in and hone their skills against a variety of different locks and locking mechanisms. The two methods we will discuss are lock pick kits and bump keys.

Lock pick kits come in many different shapes and sizes, including mechanical lock pick guns that automatically pick the lock for you in a matter of seconds. While this sounds amazing, the downfall is that these devices cause noise. If you’re in an engagement where silence is necessary, you don’t want to use an automatic lock picker. Buy some locks and practice at home to get really good. There are many different types of locks out there, but only a handful are commonly used in a given area or region. Familiarize yourself with the most commonly used locks and start with those, then work your way into more obscure lock systems.

Bump keys seem a bit archaic compared to the artistic finesse of a lock pick kit, but they’re quick, dirty, and get the job done… effectively and in seconds. A bump key is a specially filed key that is inserted into a lock; tension is applied, and then you bump the end of the key with a mallet or similar device. The bumping causes the pins inside the lock to jump up, and the tension prevents them from falling back down, thus enabling the plug to slide out freely. Lock bumping has been around since 1928, when the first patent appeared for a bump key, but the technique wasn’t widely known about or used until the early 2000s. A set of the 7 most frequently used keys in North America can be purchased for under $20 and should open a large majority of locks, commercial and residential.

Shoulder surfing is another great way to gather information. Shoulder surfing is where you position your body in a way that allows you to look over your target’s shoulder and see what he or she is doing. Examples would be obtaining a PIN at an ATM or an electronic door code as an employee is entering. Shoulder surfing requires a good memory. After all, standing behind someone as they’re entering their PIN while you’re quickly jotting stuff down on a piece of paper is fairly suspicious. If you must write the information down on the spot, use your cell phone as a prop and record it with your phone as you pretend to be calling someone or responding to a text message. Sunglasses work well for this too, as they obscure the direction your eyes are looking.

Shoulder surfing can be enhanced by adding in some high-tech information gathering tools like hidden cameras. Hidden cameras and listening devices come in all shapes and sizes: pen cams, button cams, lighter cams, and our favorite, clipboard cams. These tools will aid you in recording and remembering information. It’s important to know and understand the wiretapping laws in the state you’re working in to make sure you’re not breaking any laws. Although Federal wiretapping law requires only one party to consent to recording, some states, such as Nevada and California, require both parties to be notified.

Company badges, often worn on the outside of clothing, are a treasure trove of information. It’s all too common to surf websites like Twitter, Facebook, and Flickr and see employees posting pictures of themselves with their badge in plain view. Sometimes the badge is even the main subject of the photo! For under $1000, anyone can purchase a badge printer that would allow you to design a badge in something like Photoshop, then immediately print a real badge. We put this to the test during one of our Social Engineering for Penetration Testers classes when we had a security professional from XYZ Corp as a student. During one of the breaks, we found a badge online for XYZ Corp, modified it to show our face and credentials, and printed it out. When the break concluded, we presented the badge to the employee, and the employee indicated it would definitely work in getting us in and around the company campus.

Observing people’s vehicles is another way to gather information about your target. What does your target’s vehicle say about him or her? Do they drive a fancy, expensive car? Do they drive a practical, affordable car? Do they have a personalized license plate? How about bumper stickers? A person’s vehicle and the things they choose to adorn it with can say a lot about what kind of person they are.

As you can see, anyone can gather information. It doesn’t take a computer science degree to do this type of low-tech intelligence gathering. In the next newsletter, we’ll get into more of the high-tech side of information gathering. As always, you can learn about all this stuff and so much more at one of our live Social Engineering for Penetration Testers classes. Our Black Hat class is filling up fast. Last year at Black Hat we sold out with a large chunk of people on the waiting list. We recommend you secure your spot now.

Written by: Eric “urbal” Maxwell

Don’t miss your chance to train with Chris Hadnagy, Robin Dreeke, and the Social-Engineer team!
