CEH Lab Manual
Module 09 - Social Engineering
Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
Lab Scenario
Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.html
Social engineering is essentially the art of gaining access to buildings, systems,
or data by exploiting human psychology, rather than by breaking in or using
technical hacking techniques. The term “social engineering” can also mean an
attempt to gain access to information, primarily through misrepresentation, and
often relies on the trusting nature of most individuals. For example, instead of
trying to find a software vulnerability, a social engineer might call an employee
and pose as an IT support person, trying to trick the employee into divulging
his password.
Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee
into giving him information that could be used in a hacker attack to win a
coveted “black badge” in the “social engineering” contest at the Defcon
hackers’ conference in Las Vegas.
In this year's Capture the Flag social engineering contest at Defcon, champion
Shane MacDougall used lying, a lucrative (albeit bogus) government contract,
and his talent for self-effacing small talk to squeeze the following information
out of Wal-Mart:
■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take their breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software
Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken
to the extent of coughing up so much scam-worthy treasure.
Calling from his sound-proofed booth at Defcon, MacDougall placed an
“urgent” call, broadcast to the entire Defcon audience, to a Wal-Mart store
manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's
home office in Bentonville, Ark.
CEH Lab Manual Page 675
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
The role-playing visher (vishing being phone-based phishing) told the manager
that Wal-Mart was looking at the possibility of winning a multimillion-dollar
government contract.
“Darnell” said that his job was to visit a few Wal-Mart stores that had been
chosen as potential pilot locations.
But first, he told the store manager, he needed a thorough picture of how the
store operated.
In the conversation, which lasted about 10 minutes, “Darnell” described
himself as a newly hired manager of government logistics.
He also spoke offhand about the contract: “All I know is Wal-Mart can make a
ton of cash off it,” he said, then went on to talk about his upcoming visit,
keeping up a “steady patter” about the project and life in Bentonville, Cowley
writes.
As if this wasn't bad enough, MacDougall/Darnell directed the manager to an
external site to fill out a survey in preparation for his upcoming visit.
The compliant manager obliged, plugging the address into his browser.
When his computer blocked the connection, MacDougall didn't miss a beat,
telling the manager that he'd call the IT department and get the site unlocked.
After ending the call, stepping out of the booth and accepting his well-earned
applause, MacDougall became the first Capture the Flag champion to capture
every data point, or flag, on the competition checklist in the three years it has
been held at Defcon. Defcon gives contestants two weeks to research their
targets. Touchy information such as social security numbers and credit card
numbers is verboten, given that Defcon has no great desire to bring the law
down on its head.
Defcon also keeps its nose clean by abstaining from recording the calls, which
is against Nevada law. However, there's no law against broadcasting calls live to
an audience, which makes it legal for the Defcon audience to have listened as
MacDougall pulled down Wal-Mart's pants.
MacDougall said, “Companies are way more aware about their security. They’ve
got firewalls, intrusion detection, log-in systems going into place, so it’s a lot
harder for a hacker to break in these days, or to at least break in undetected. So
a bunch of hackers now are going to the weakest link, and the link that
companies just aren’t protecting, which is the people.”
MacDougall also shared a few best practices to be followed to avoid falling victim
to a social engineer:
■ Never be afraid to say no. If something feels wrong, something is wrong
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems— they already know
■ Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it
■ Keep tabs on what’s on the web. Companies inadvertently release tons of information online, including through employees’ social media sites
As an expert ethical hacker and penetration tester, you should circulate the
best practices to be followed among the employees.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 09 Social Engineering
Lab Objectives
The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks
To carry out this lab, you need:
■ A computer running Windows Server 2012
■ A web browser with Internet access
Lab Duration
Time: 20 Minutes
TASK 1: Overview
Overview of Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
Social engineers depend on the fact that people are aware of certain valuable
information and are careless in protecting it.
Lab Tasks
Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion
on your target’s security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Detecting Phishing Using Netcraft
Netcraft provides web server and web hosting market-share analysis, including web
server and operating system detection.
Lab Scenario
By now you are familiar with how social engineering is performed and what sort
of information can be gathered by a social engineer.
Phishing is an example of a social engineering technique used to deceive users,
and it exploits the poor usability of current web security technologies.
Phishing is the act of attempting to acquire information such as user names,
passwords, and credit card details (and sometimes, indirectly, money) by
masquerading as a trustworthy entity in an electronic communication.
Communications claiming to be from popular social websites, auction sites,
online payment processors, or IT administrators are commonly used to lure the
unsuspecting public. Phishing emails may contain links to websites that are
infected with malware. Phishing is typically carried out by email spoofing or
instant messaging, and it often directs users to enter details at a fake website
whose look and feel is almost identical to the legitimate one.
Phishers target the customers of banks and online payment services.
They send messages to bank customers using manipulated URLs and website
forgery. The messages claim to be from a bank and look legitimate;
users, not realizing that the website is fake, provide their personal information
and bank details. Not all phishing attacks require a fake website; messages that
claim to be from a bank tell users to dial a phone number regarding problems
with their bank accounts. Once the phone number (owned by the phisher and
provided by a Voice over IP service) is dialed, it prompts users to enter their
account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller ID
data to give the appearance that calls come from a trusted organization.
Since you are an expert ethical hacker and penetration tester, you must be
aware of phishing attacks occurring on the network and implement anti-phishing
measures. In an organization, proper training must be provided so that
people can deal with phishing attacks. In this lab you will learn to detect
phishing using Netcraft.
Lab Objectives
This lab will show you phishing sites using a web browser and show you how to
use them. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 09 Social Engineering
To carry out this lab you need:
■ Netcraft, located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar
■ You can also download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
■ Administrative privileges to run the Netcraft toolbar
Lab Duration
Time: 10 Minutes
Overview of Netcraft Toolbar
Netcraft Toolbar provides Internet security services, including anti-fraud and
anti-phishing services, application testing, code reviews, automated penetration
testing, and research data and analysis on many aspects of the Internet.
Lab Tasks
TASK 1: Anti-Phishing Toolbar
1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
You can also download the Netcraft toolbar from http://toolbar.netcraft.com
FIGURE 1.1: Windows Server 2012 Start Menu
3. Click the Mozilla Firefox app to launch the browser.
FIGURE 1.2: Windows Server 2012 Start Menu Apps view
Netcraft provides Internet security services, including anti-fraud and anti-phishing services.
4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser or drag and drop the netcraft_toolbar-1.7-fx.xpi file in Firefox.
5. In this lab, we are downloading the toolbar from the Internet.
6. In the Firefox browser, click Download the Netcraft Toolbar to install it as the add-on.
FIGURE 1.3: Netcraft toolbar downloading page
7. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with installation.
Netcraft is an Internet services company based in Bath, England.
FIGURE 1.4: Netcraft toolbar Installation page
8. Click Allow to download Netcraft Toolbar.
FIGURE 1.5: Netcraft toolbar Installation-Allow button
9. When the Software Installation dialog box appears, click Install Now.
Netcraft Toolbar provides a wealth of information about the sites you visit.
FIGURE 1.6: Installing Netcraft Toolbar
10. To complete the installation it will ask you to restart the browser. Click Restart Now.
Risk Rating displays the trustworthiness of the current
FIGURE 1.7: Restarting Firefox browser
11. Netcraft Toolbar is now visible. Once the Toolbar is installed, it looks similar to the following figure.
FIGURE 1.8: Netcraft Toolbar on Mozilla Firefox web browser
12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk rating, Rank, and Flag.
13. Click Site Report to show the report of the site.
Site report links to detailed report for the
FIGURE 1.9: Report generated by Netcraft Toolbar
14. If you attempt to visit a page that has been identified as a phishing page by Netcraft Toolbar, you will see a warning dialog that looks similar to the one in the following figure.
15. Type, as an example: http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin
Phishing site feeds: a continuously updated, encrypted database of patterns that match phishing URLs reported by the Netcraft Toolbar.
FIGURE 1.10: Warning dialog for blocked site
16. If you trust that page, click Yes to open it, and if you don’t, click No (Recommended) to block that page.
17. If you click No the following page will be displayed.
FIGURE 1.11: Web page blocked by Netcraft Toolbar
Lab Analysis
Document all the results and reports gathered during the lab.
Tool/Utility: Netcraft
Information Collected/Objectives Achieved:
■ Phishing site detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
2. Determine if you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how?
3. How can you stop the Toolbar warning if a site is trusted?
Internet Connection Required
□ No
Platform Supported
☑ Classroom
□ iLabs
3
Detecting Phishing Using PhishTank
PhishTank is a collaborative clearinghouse for data and information regarding
phishing on the Internet.
Lab Scenario
Phishing is an attempt by an individual or group to solicit personal information
from unsuspecting users by employing social engineering techniques. Phishing
emails are crafted to appear as if they have been sent from a legitimate
organization or known individual. These emails often attempt to entice users to
click on a link that will take the user to a fraudulent website that appears
legitimate. The user then may be asked to provide personal information such as
account user names and passwords that can further expose them to future
compromises. Additionally, these fraudulent websites may contain malicious
code.
With the tremendous increase in the use of online banking, online share trading,
and ecommerce, there has been a corresponding growth in the incidents of
phishing being used to carry out financial frauds. Phishing involves fraudulently
acquiring sensitive information (e.g. passwords, credit card details etc.) by
masquerading as a trusted entity.
In the previous lab you have already seen how a phishing site can be detected
using the Netcraft tool.
The usual scenario is that the victim receives an email that appears to have been
sent from his bank. The email urges the victim to click on the link in the email.
When the victim does so, he is taken to “a secure page on the bank’s website.”
The victim believes the web page to be authentic and he enters his user name,
password, and other information. In reality, the website is a fake and the
victim’s information is stolen and misused.
Being an administrator or penetration tester, you might implement all the most
sophisticated and expensive technology solutions in the world; all of it can be
bypassed if your employees fall for simple social engineering scams. It becomes
your responsibility to educate employees on best practices for protecting
information.
Phishing sites or emails can be reported to phishing-report@us-cert.gov or
http://www.us-cert.gov/nav/report_phishing.html
US-CERT (United States Computer Emergency Readiness Team) is collecting
phishing email messages and website locations so that they can help people
avoid becoming victims of phishing scams.
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 09 Social Engineering
Lab Objectives
This lab will show you how to use phishing sites using a web browser. It will
teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks
Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
Lab Duration
Time: 10 Minutes
Overview of PhishTank
PhishTank URL: http://www.phishtank.com
PhishTank is a free community site where anyone can submit, verify, track, and
share phishing data. PhishTank is a collaborative clearing house for data and
information regarding phishing on the Internet. Also, PhishTank provides an open
API for developers and researchers to integrate anti-phishing data into their
applications at no charge.
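As an added example (not code from this manual, from Netcraft, or from PhishTank), the Python below shows in code what the Netcraft lab and this PhishTank lab exercise by hand: it applies local structural heuristics to a URL (a watched brand name sitting in a subdomain of an unrelated registered domain, an IP-literal host, a userinfo trick before an @, a credential-looking path served over plain HTTP) and then consults a local stand-in for a community-verified phish feed. The names WATCHED_BRANDS, TWO_LABEL_SUFFIXES, BLOCKLIST and analyze_url are assumptions made here; the feed entries are constructed from the two URLs the labs type into the tools, with made-up statuses, and the suffix table is a toy replacement for the Public Suffix List.

```python
"""Triage of suspicious URLs: local heuristics plus a feed lookup.

Added example, not code from the CEH manual, Netcraft, or PhishTank.
WATCHED_BRANDS, TWO_LABEL_SUFFIXES, BLOCKLIST and analyze_url() are
assumptions made for this example; the blocklist entries are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Brand names worth watching for in hostnames (hypothetical watch list).
WATCHED_BRANDS = ("paypal", "ebay", "amazon", "bank")

# Suffixes under which the registrable domain has three labels. A real tool
# would load the Public Suffix List; this short table is an assumption.
TWO_LABEL_SUFFIXES = {"co.uk", "com.mx", "com.au", "co.in", "com.br"}

# Constructed stand-in for a verified-phish feed (url -> verified flag).
# The two URLs are the ones the labs type into the tools; their status
# here is made up for the example.
BLOCKLIST = {
    "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin": True,
    "http://sdapld21.host21.com": True,
}

# Path words that suggest a credential-entry page.
SENSITIVE_PATH = re.compile(r"login|signin|secure|cgi\.?bin|account|verify", re.I)


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. secure7c.mx)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize(url: str) -> str:
    """Canonical scheme://host/path form used as the feed lookup key."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}{parts.path}"


def analyze_url(url: str) -> dict:
    """Score one URL: structural findings, feed hit, and a verdict."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if "@" in parts.netloc:
        # http://www.paypal.com@203.0.113.5/ : the real host is after the @
        findings.append("userinfo_in_url")

    if is_ip_literal(host):
        reg = host
        findings.append("ip_literal_host")
    else:
        reg = registered_domain(host)
        labels = host.split(".")
        if len(labels) >= 4:
            findings.append("deep_subdomain_nesting")
        if any(label.isdigit() for label in labels):
            findings.append("numeric_label")
        for brand in WATCHED_BRANDS:
            # Brand present, but the registrable domain is something else:
            # www.paypal.ca.6551.secure7c.mx is registered as secure7c.mx.
            if brand in host and not reg.startswith(brand):
                findings.append(f"brand_outside_registered_domain:{brand}")

    if parts.scheme.lower() == "http" and SENSITIVE_PATH.search(parts.path):
        findings.append("sensitive_path_over_http")

    listed = BLOCKLIST.get(normalize(url), False)
    if listed:
        verdict = "block"        # feed hit wins, as the toolbar's warning does
    elif len(findings) >= 2:
        verdict = "warn"         # heuristics alone only justify a warning
    else:
        verdict = "allow"
    return {"host": host, "registered_domain": reg, "findings": findings,
            "blocklisted": listed, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample input: the two lab URLs, a legitimate login page,
    # and a userinfo-obfuscated address.
    for sample in (
        "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",
        "http://sdapld21.host21.com",
        "https://www.paypal.com/signin",
        "http://www.paypal.com@203.0.113.5/secure",
    ):
        result = analyze_url(sample)
        print(f"{result['verdict']:5}  {sample}  {result['findings']}")
```

Running the block prints one verdict per sample. The second lab URL is the instructive case: it trips none of the structural heuristics and is caught only by the feed lookup, which is the role PhishTank's community-verified data plays for a toolbar such as Netcraft's.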
Lab Tasks
TASK 1: PhishTank
1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 2.1: Windows Server 2012 Start Menu
3. Click the Mozilla Firefox app to launch the browser.
PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
FIGURE 2.2: Windows Server 2012 Start Menu Apps view
4. Type http://www.phishtank.com in the address bar of the web browser and press Enter.
5. You will see the following:
FIGURE 2.3: Welcome screen of PhishTank
PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.
6. Type the website URL to be checked for phishing, for example, http://sdapld21.host21.com.
7. Click Is it a phish?.
FIGURE 2.4: Checking for site
If the site is a phishing site, you see the following warning dialog box.
OpenDNS is interested in having the best available information about phishing websites.
FIGURE 2.5: Warning dialog for phishing site
Lab Analysis
Document all the websites and verify whether they are phishing sites.
Tool/Utility: PhishTank
Information Collected/Objectives Achieved:
■ Phishing site detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?
Internet Connection Required
☑ Yes
□ No
Platform Supported
☑ Classroom
□ iLabs
3
Social Engineering Penetration Testing using Social Engineering Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at
penetration testing around social engineering.
Lab Scenario
Social engineering is an ever-growing threat to organizations all over the world.
Social engineering attacks are used to compromise companies every day. Even
though there are many hacking tools available within underground hacking
communities, a social engineering toolkit is a boon for attackers as it is freely
available to use to perform spear-phishing attacks, website attacks, etc.
Attackers can draft email messages, attach malicious files, and send them to
a large number of people using the spear-phishing attack method. Also, the
multi-attack method allows utilization of the Java applet, Metasploit browser,
Credential Harvester/Tabnabbing, etc. all at once.
Though numerous sorts of attacks can be performed using this toolkit, it is
also a must-have tool for a penetration tester to check for vulnerabilities. SET is
the standard for social-engineering penetration tests and is supported heavily
within the security community.
As an ethical hacker, penetration tester, or security administrator, you
should be extremely familiar with the Social Engineering Toolkit to perform
various tests for vulnerabilities on the network.
Lab Objectives
The objective of this lab is to help students learn to:
■ Clone a website
■ Obtain user names and passwords using the Credential Harvester method
■ Generate reports for conducted penetration tests
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 09 Social Engineering
Lab Environment
To carry out the lab, you need:
■ Run this tool in the BackTrack Virtual Machine
■ Web browser with Internet access
■ Administrative privileges to run tools
Lab Duration
Time: 10 Minutes
Overview of Social Engineering Toolkit
Social-Engineer Toolkit is an open-source Python-driven tool aimed at penetration
testing around Social-Engineering. SET is specifically designed to perform
advanced attacks against the human element. The attacks built into the toolkit are
designed to be targeted and focused attacks against a person or organization used
during a penetration test.
Lab Tasks
TASK 1: Execute Social Engineering Toolkit
1. Log in to your BackTrack virtual machine.
2. Select Applications → BackTrack → Exploitation Tools → Social Engineering Tools → Social Engineering Toolkit and click Set.
FIGURE 3.1: Launching SET in BackTrack
SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.
3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service.
The web jacking attack is performed by replacing the victim’s browser with another window that is made to look and appear to be a legitimate site.
FIGURE 3.2: SET Service Agreement option
4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option.
SET allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads.
FIGURE 3.3: SET Main menu (Select from the menu: 1) Social-Engineering Attacks, 2) Fast-Track Penetration Testing, 3) Third Party Modules, 4) Update the Metasploit Framework, 5) Update the Social-Engineer Toolkit, 6) Update SET configuration, 7) Help, Credits, and About, 99) Exit the Social-Engineer Toolkit)
5. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to select Website Attack Vectors.
CEH Lab Manual Page 692
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

[Figure 3.4 screenshot: the Social-Engineering Attacks menu in the terminal: 1) Spear-Phishing Attack Vectors, 2) Website Attack Vectors, 3) Infectious Media Generator, 4) Create a Payload and Listener, 5) Mass Mailer Attack, 6) Arduino-Based Attack Vector, 7) SMS Spoofing Attack Vector, 8) Wireless Access Point Attack Vector, 9) QRCode Generator Attack Vector, 10) Powershell Attack Vectors, 11) Third Party Modules, 99) Return back to the main menu.]
FIGURE 3.4: Social Engineering Attacks menu
6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.
The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

[Figure 3.5 screenshot: the Website Attack Vectors menu in the terminal. The help text above the menu explains that the Web Jacking method, developed with the BackTrack team, utilizes iframe replacements to make the highlighted URL link appear legitimate; when clicked, a window pops up and is then replaced with the malicious link, and the link replacement settings can be edited in set_config if it is too slow or fast. The Multi-Attack method adds a combination of attacks through the web attack menu, for example the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful. Menu: 1) Java Applet Attack Method, 2) Metasploit Browser Exploit Method, 3) Credential Harvester Attack Method, 4) Tabnabbing Attack Method, 5) Man Left in the Middle Attack Method, 6) Web Jacking Attack Method, 7) Multi-Attack Web Method, 8) Victim Web Profiler, 9) Create or import a CodeSigning Certificate, 99) Return to Main Menu. Prompt: set:webattack>3]
FIGURE 3.5: Website Attack Vectors menu
7. Now, type 2 and press Enter to select the Site Cloner option from the menu.
The Site Cloner is used to clone a website of your choice.

[Figure 3.6 screenshot: the Credential Harvester Attack menu in the terminal. The help text explains that the first method allows SET to import a list of pre-defined web applications that it can utilize within the attack; the second method completely clones a website of your choosing and allows you to utilize the attack vectors within the completely same web application you were attempting to clone; the third method allows you to import your own website, and notes that you should only have an index.html when using the import website functionality. Menu: 1) Web Templates, 2) Site Cloner, 3) Custom Import, 99) Return to Webattack Menu.]
FIGURE 3.6: Credential Harvester Attack menu
8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.
The tabnabbing attack method is used when a victim has multiple tabs open. When the user clicks the link, the victim will be presented with a "Please wait while the page loads" message. When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are entered, they are harvested and the user is redirected back to the original website.

[Figure 3.7 screenshot: after Site Cloner is selected, SET prints "Credential harvester will allow you to utilize the clone capabilities within SET to harvest credentials or parameters from a website as well as place them into a report. This option is used for what IP the server will POST to. If you're using an external IP, use your external IP for this." and prompts: IP address for the POST back in Harvester/Tabnabbing: 10.0.0.15]
FIGURE 3.7: Providing IP address in Harvester/Tabnabbing
9. Now, you will be prompted for a URL to be cloned; type the desired URL for Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.
The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

[Figure 3.8 screenshot: the same prompt sequence, followed by "SET supports both HTTP and HTTPS", "Example: http://www.thisisafakesite.com", and the prompt set:webattack> Enter the url to clone: www.facebook.com]
FIGURE 3.8: Providing URL to be cloned
10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.
11. It will start Credential Harvester.
If you're doing a penetration test, register a name that's similar to the victim, for Gmail you could do gmai1.com (notice the 1), something similar that can mistake the user into thinking it's the legitimate

[Figure 3.9 screenshot: SET reports "Cloning the website: https://login.facebook.com/login.php" and "This could take a little bit...", then explains that the best way to use this attack is if username and password form fields are available, but that regardless it captures all POSTs on a website, and waits at "[!] I have read the above message. Press <return> to continue".]
FIGURE 3.9: SET Website Cloning
12. Leave the Credential Harvester Attack to fetch information from the victim's machine.
When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

[Figure 3.10 screenshot: after the message is acknowledged, the terminal shows "Social-Engineer Toolkit Credential Harvester Attack", "Credential Harvester is running on port 80" and "Information will be displayed to you as it arrives below:".]
FIGURE 3.10: SET Credential Harvester Attack
13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her into clicking it to browse to the IP address.
14. For this demo, launch your web browser in the BackTrack machine and open your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.
Most of the time they won't even notice the IP but it's just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials now.
FIGURE 3.11: Composing email in Gmail
15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.
[Figure 3.12 screenshot: Gmail Compose Mail in Firefox on BackTrack. Subject: TGIF - Party Pictures. The body greets Sam and asks him to click the link to view the weekend party pictures at TGIF, signed "Regards."]
FIGURE 3.12: Linking Fake URL to Actual URL
16. In the Edit Link window, first type the actual address in the Web address field under the Link to option and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and the text to display is www.facebook.com/Rini TGIF. Click OK.
[Figure 3.13 screenshot: the Gmail Edit Link window. Text to display: www.facebook.com/Rini TGIF. Link to: Web address http://10.0.0.15. Buttons: OK, Cancel.]
FIGURE 3.13: Edit Link window
17. The fake URL should appear in the email body, as shown in the following screenshot.
[Figure 3.14 screenshot: the composed Gmail message (Subject: TGIF - Party Pictures) with the "click this link" text in the body now carrying the fake URL.]
FIGURE 3.14: Adding Fake URL in the email content
18. To verify that the fake URL is linked to the actual URL, click the fake URL; Gmail will display the actual URL after Go to link:. Send the email to the intended user.
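The check step 18 performs by hand (the visible text names one site, Go to link reveals another) is exactly what a receiving mail filter or user-awareness tool can automate. The following is an added example, not code from the lab manual or from SET: it parses an HTML mail body with Python's standard library and flags anchors whose displayed text names a different host than the href, or whose href is a bare IP address; the sample message, the lab's 10.0.0.15 address and the example.com link are constructed for the demonstration, and the function names are my own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that reads like a web address: optional scheme, then a hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:[/\s]|$)", re.I)

class LinkCollector(HTMLParser):
    # Collects [href, visible text] for every <a> element, in document order.
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # index of the anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = len(self.links) - 1

    def handle_data(self, data):
        if self._open is not None:
            self.links[self._open][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def link_host(url):
    """Lowercase hostname of a URL; http:// is assumed when no scheme is given."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_deceptive_links(html):
    """Return (reason, visible_text, href) for each suspicious anchor."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text, target = text.strip(), link_host(href)
        if is_ip_literal(target):  # a bare IP is how the lab's harvester is reached
            findings.append(("href points at a raw IP address", text, href))
        shown = URL_LIKE.match(text)
        if shown and shown.group("host").lower() != target:
            findings.append(("visible text names a different host than href", text, href))
    return findings

# Constructed sample modelled on the lab's Figure 3.15 email; not a real message.
SAMPLE_EMAIL = ('<p>Hello Sam,</p><p>Please click this link <a href="http://10.0.0.15">'
                'www.facebook.com/Rini TGIF</a> to view the pictures.</p>'
                '<p><a href="https://www.example.com/photos">www.example.com/photos</a></p>')
```

Running find_deceptive_links(SAMPLE_EMAIL) reports the facebook.com/10.0.0.15 anchor twice (raw IP target, and text/href host mismatch) and leaves the example.com link alone.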
In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well, however there will be an "untrusted" warning when a victim goes to your website.

[Figure 3.15 screenshot: clicking the fake link in the Gmail draft ("Please click this link www.facebook.com") shows the bar "Go to link: http://10.0.0.15 - Change Remove".]
FIGURE 3.15: Actual URL linked to Fake URL
19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.
20. The victim will be enticed to enter his or her user name and password into the form fields, as it appears to be a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects to the legitimate Facebook login page. Observe the URL in the browser.