CEH Lab Manual
Module 09 - Social Engineering

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv10 Module 09 Social Engineering

Social Engineering
Social engineering is the art of convincing people to reveal confidential information.

Lab Scenario
Social engineering is the art of convincing people to reveal sensitive information in order to perform some malicious action. Organizations fall victim to social engineering tricks despite having security policies and the best security solutions in place, as social engineering targets people's weaknesses or good nature. Reconnaissance and social engineering are generally an essential component of any information security attack. Cybercriminals are increasingly utilizing social engineering techniques to exploit the most vulnerable link in information system security: employees. Social engineering can take many forms, including phishing emails, fake sites, and impersonation.

McAfee's new "Hacking the Human Operating System" whitepaper focuses on the use of social engineering to attack home and business users and finds once again that people are the weakest link. The McAfee report points out that many organizations develop and deliver user awareness programs into their business areas, but the effectiveness of such programs varies; in some identified cases, even after the security training has been delivered, it has done very little to educate end users with any valued security awareness to mitigate the threat of the social engineering attack.

It is essential for you, as an expert Ethical Hacker and Penetration Tester, to assess the preparedness of your organization or the target of evaluation against social engineering attacks. Though social engineering primarily requires soft skills, the labs in this module demonstrate some techniques that facilitate or automate certain facets of social engineering attacks.
Lab Objectives
The objective of this lab is to:
+ Detect phishing sites
+ Protect the network from phishing attacks
+ Perform credential harvesting
+ Perform a security assessment on a machine using a payload generated by SET

Lab Environment
To carry out this lab, you will need:
+ A computer running Windows Server 2016
+ Kali Linux virtual machine
+ Windows 10 virtual machine
+ A web browser with Internet access
+ Administrative privileges to run the tools

Lab Duration
Time: 30 Minutes

Overview of Social Engineering
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people know certain valuable information yet are generally careless in protecting it.

Lab Tasks
Recommended labs to assist you in Social Engineering:
+ Detecting Phishing using Netcraft
+ Detecting Phishing using PhishTank
+ Sniffing Facebook Credentials using Social Engineering Toolkit (SET)
+ Phishing User Credentials using SpeedPhish Framework (SPF)

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Detecting Phishing using Netcraft
Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Lab Scenario
According to Verizon's 2015 "Data Breach Investigations Report," over two-thirds of all corporate espionage cases involved phishing attacks. The report shows that about 23% of recipients now open phishing messages, and 11% click on attachments. The report further adds that it takes only 82 seconds, on average, for hackers to trick their first victim in a phishing campaign. Phishing is an example of social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies.
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social web sites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishers target the customers of banks and online payment services. They send messages to bank customers by manipulating URLs and forging websites. The messages sent claim to be from a bank and look legitimate. Users, not realizing that it is a fake website, provide their personal information and bank details. Recent trends show that hackers are now increasingly engaging in spear phishing campaigns against bank employees, rather than bank customers.

As you are an expert Ethical Hacker and Penetration Tester, you must be aware of phishing attacks occurring on the network, and implement anti-phishing measures. In an organization, proper training must be provided to the people to help them deal with phishing attacks. In this lab, you will be learning to detect phishing using Netcraft.

Lab Objectives
This lab shows you how phishing sites are detected in a web browser. It will teach you how to:
+ Detect phishing sites
+ Protect the network from phishing attacks

Lab Environment
To carry out this lab, you will need:
+ You can download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/
+ If you decide to download the latest version, then the screenshots shown in the lab might differ
+ A computer running Windows Server 2016
+ A web browser (Firefox, Internet Explorer, etc.) with Internet access
+ Administrative privileges to run the Netcraft Toolbar

Lab Duration
Time: 5 Minutes

Overview of Netcraft Toolbar
Netcraft Toolbar provides Internet security services including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet.

Lab Tasks
Task 1: Install Netcraft
1. Before beginning this lab, you need to launch a web browser. In this lab, we have used Mozilla Firefox.
2. To download the Netcraft Toolbar for Mozilla Firefox, type the URL http://toolbar.netcraft.com in the address bar of the browser and press Enter.
3. In the Firefox browser, click on Download the Netcraft Extension to install it as an add-on.
FIGURE 1.1: Netcraft Toolbar download page
4. On the download page of the Netcraft Toolbar site, click on Firefox to continue the installation.
5. Click Add to Firefox to download Netcraft Toolbar.
7. To complete the installation, if you are asked to restart the browser, click Restart Now.
8. The Netcraft Toolbar is now visible in the browser window, as displayed in the screenshot.
Note: Screenshots may differ with newer versions of Firefox.
9. Open a new tab, type the URL http://www.certifiedhacker.com in the address bar, and press Enter.
10. The Certified Hacker webpage appears, and the following information is displayed in the toolbar (unless the page has been blocked): Risk Rating, Rank, the year the website was launched, and Flag.
11. Click Site Report to view a report of the site.
12. If you attempt to visit a website that has been identified as a phishing site by Netcraft Toolbar, you will see a pop-up stating Phishing Site Detected, as shown in the screenshot.
13. If you trust the site, click Yes to browse it; otherwise, click No (Recommended) to block it.
14. If you click No, Netcraft blocks the phishing site, as shown in the screenshot.

Lab Analysis
Document all the results and reports gathered during the lab.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Detecting Phishing using PhishTank
PhishTank is a collaborative clearing house for data and information regarding phishing on the Internet.

Lab Scenario
Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from legitimate organizations or known individuals. These emails often attempt to entice users to click on a link that leads to a fraudulent website that appears legitimate. Users may then be asked to provide personal information such as account usernames and passwords that can further expose them to subsequent compromises. Additionally, these fraudulent websites may contain malicious code. With the tremendous increase in the use of online banking, online share trading, and ecommerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial fraud.
Phishing involves fraudulently acquiring sensitive information (e.g., passwords, credit card details, etc.) by masquerading as a trusted entity. In the previous lab, you already saw how a phishing site can be detected using Netcraft.

The usual scenario is that the victim receives an email that appears to have been sent from the victim's bank. The email urges the victim to click on the link in the email. When the victim does so, he/she is taken to "a secure page on the bank's website." The victim believes the web page to be authentic, and enters his/her username, password, and other sensitive information. In reality, the website is fake. The victim's information is then stolen and misused.

As an administrator or penetration tester, you may have implemented the most sophisticated and expensive technology solutions in the world, but all of it can be bypassed and compromised if employees fall for simple social engineering scams. Thus, it becomes your responsibility to educate employees regarding best practices for protecting systems and information.

Lab Objectives
This lab shows you how phishing sites are checked using a web browser. It will teach you how to:
+ Detect phishing sites
+ Protect the network from phishing attacks

Lab Environment
To carry out this lab, you will need:
+ A computer running Windows Server 2016
+ A web browser (Firefox, Internet Explorer, etc.) with Internet access

Lab Duration
Time: 5 Minutes

Overview of PhishTank
PhishTank is a free community site on which anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearing house for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications, at no charge.

Lab Tasks
1. Before beginning this lab, you need to launch a web browser. In this lab, we have used Google Chrome.
2. Type the URL
http://www.phishtank.com in the address bar, and press Enter.
3. The PhishTank webpage appears, as shown in the screenshot: "Join the fight against phishing. Submit suspected phishes. Track the status of your submissions."
4. ... phishing site, PhishTank returns a result stating that the ...

Lab Analysis
Document all the websites, and test whether they are phishing sites.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Sniffing Facebook Credentials using Social Engineering Toolkit (SET)
The Social Engineering Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

Lab Scenario
Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available throughout underground hacking communities, Social Engineering Toolkit (SET) is a boon to attackers, as it is freely available and applicable to spear phishing attacks, website attacks, and many others. Attackers can draft email messages, attach malicious files, and send them to a large number of people using spear phishing. In addition, the multi-attack method allows utilization of Java applets, the Metasploit browser exploit, and Credential Harvester/Tabnabbing all at once.

Though numerous sorts of attacks can be performed using SET, it is also a must-have tool for penetration testing to check for vulnerabilities. SET is the standard for social-engineering penetration tests, and is supported heavily in the security community.

As an Ethical Hacker, Penetration Tester, or Security Administrator, you should be familiar with the Social Engineering Toolkit to perform various tests for network vulnerabilities.
Lab Objectives
The objective of this lab is to help students learn how to:
+ Clone a website
+ Obtain usernames and passwords using the Credential Harvester method
+ Generate reports for conducted penetration tests

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv10 Module 09 Social Engineering

Lab Environment
To carry out this lab, you will need:
+ Kali Linux virtual machine
+ Windows Server 2016 host machine
+ Web browser with Internet access
+ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of the Social Engineering Toolkit
The Social Engineering Toolkit is an open-source Python-driven tool aimed at penetration testing. SET is specifically designed to perform advanced attacks against humans by exploiting human behavior. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.

Lab Tasks
Task 1: Cloned Website
1. Log in to the Kali Linux virtual machine.
2. Go to Applications > 08 - Exploitation Tools > social engineering toolkit.
3. If you are launching se-toolkit for the first time, you may be asked whether to enable bleeding-edge repos. Type no and press Enter.
4. Type y and press Enter to agree to the terms of service.
5. You will be presented with the SET menu.
6. Type 1 and press Enter to choose Social-Engineering Attacks.
7. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to choose Website Attack Vectors.
8. In the next menu that appears, type 3 and press Enter to choose Credential Harvester Attack Method.
9. Now, type 2 and press Enter to choose Site Cloner from the menu.
10.
Type the IP address of the Kali Linux virtual machine at the prompt "IP address for the POST back in Harvester/Tabnabbing," and press Enter. In this lab, the IP address of Kali Linux is 10.10.10.11, which may vary in your lab environment.
11. Now, you will be prompted for a URL to be cloned; type the desired URL at "Enter the url to clone" and press Enter. In this example, we have used http://www.facebook.com. This will initiate the cloning of the specified website.
Note: If you are prompted to start apache server, ...
12. After cloning is completed, the highlighted message shown in the screenshot below will appear on the Terminal screen of SET. Press Enter to continue.
13. It will start Credential Harvester.
14. Now, you must send the IP address of your Kali Linux machine to a victim, and trick him or her into clicking to browse the IP address.

Task 2: Crafted Email
15. For this demo, launch a web browser in the Kali Linux machine, and launch an email service of your interest. In this lab, we have used Gmail. Log in to a Gmail account and compose an email.
FIGURE 3.10: Composing an email in Gmail
16. In the body of the email, place the cursor where you wish to place the fake URL. Then, click the Insert link icon.
17. In the Edit Link window, first type the actual address in Web address, under Link to, and then type the fake URL in the Text to display field. In this example, the Web address we have used is http://10.10.10.11 and Text to display is http://www.facebook.com/party_pics. Click OK.
18. The fake URL should appear in the message body, as shown in the screenshot.
19. To verify that the fake URL is linked to the real one, click the fake URL; it will display the actual URL as "Go to link" followed by the actual URL. Send the email to the intended user.
20. Now, log in to Windows Server 2016 as a victim, launch a web browser, sign in to your email account (the account to which you sent the phishing email as an attacker), and click the malicious link.
21. When the victim (here, you) clicks the URL, he/she will be presented with a replica of facebook.com.
22. The victim will be prompted to enter his/her username and password into the form fields, believing that this is a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects him/her to the legitimate Facebook login page. Observe the URL in the browser.
23. As soon as the victim types in the Email address and Password and clicks Log In, SET in Kali Linux fetches the typed Username and Password, which can then be used by the attacker to gain unauthorized access.
24. The username and password are displayed as shown in the screenshot.

Lab Analysis
Analyze and document the results of this lab exercise.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Phishing User Credentials using SpeedPhish Framework (SPF)
SPF (SpeedPhish Framework) is a Python tool designed to allow for quick reconnaissance and deployment of simple social engineering phishing exercises.

Lab Scenario
Social engineering attacks are used to compromise companies every day. They are an increasing threat to organizations all over the globe.
Even though there are many hacking tools available throughout hacking communities, SpeedPhish Framework (SPF) is freely available and applicable to spear phishing attacks, website attacks, and many others. Attackers can draft email messages, attach malicious files, and send them to numerous people using SPF.

As an Ethical Hacker, Penetration Tester, or Security Administrator, you should be familiar with the SpeedPhish Framework to perform various tests for assessing the security posture of an organization.

Lab Objectives
The objective of this lab is to help students learn how to:
+ Clone a website
+ Obtain user credentials
+ Generate reports for conducted penetration tests

Lab Environment
To carry out this lab, you will need:
+ Kali Linux virtual machine
+ Windows Server 2016 machine
+ Windows 10 running as a virtual machine
+ Web browser with Internet access
+ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of the SpeedPhish Framework
The SpeedPhish Framework (SPF) is an open-source Python-driven tool aimed at penetration testing. SPF is specifically designed to perform advanced phishing attacks. The attacks built into the framework are designed to be targeted and focused attacks against a person or organization, used during a penetration test. It includes many features that allow you to quickly configure and perform effective phishing attacks.

Lab Tasks
1. Log in to the Kali Linux virtual machine.

Task 1: Install the SPF Dependencies
2. Launch a Terminal window, type pip install dnspython, and press Enter.
Note: If the dependencies are already installed, skip to step 6.
3. Now type pip install pycrypto and hit Enter.
4. Now, to install python-twisted-web, type apt-get install python-twisted-web in the terminal window and hit Enter.
5.
To install phantomjs, type apt-get install phantomjs in the terminal window and hit Enter.

Task 2: Install SPF
6. After the dependencies have finished installing, in the terminal window type git clone --recursive https://github.com/tatanus/SPF.git and hit Enter.
7. After the cloning is finished, type cd SPF and hit Enter.
8. Again, type cd spf and hit Enter.
9. Now, to launch SPF, type ./spf.py -h and hit Enter. The help page of SPF appears as shown in the screenshot.
10. To check the configuration of SPF, type cat default.cfg and hit Enter. The configuration details appear as shown in the screenshot.
11. In the terminal window, type ./spf.py -d example.com --test and hit Enter to run SPF.
12. SPF starts by showing you the TEMPLATE LIST first, and then it proceeds to Starting the phishing webserver, as shown in the screenshot.
13. SPF then proceeds to Starting the SMB server, and then it obtains the List of email targets and displays them, as shown in the screenshot.
14. Then SPF starts Locating phishing email templates and starts Sending phishing emails one by one, as shown in the screenshot.
15. After SPF finishes sending phishing emails, it starts Monitoring Services, as shown in the screenshot.
16. Locate and note down the website address of Office 365 as shown in the screenshot.
Note: The website addresses may differ in your lab environment.
17. Also locate and note down the location of the email template for Office 365 as shown in the screenshot.
Note: The file location may differ in your lab environment.
18. Now navigate to the location of the phishing email template and open office365.txt. The file opens, giving you a template which you will use to send a phishing email to the victim. Use the content of this template to compose a phishing email.
19.
Task 3: Craft and Send Phishing Email
Masquerading as an IT Support professional, you write an email to the victim with the purpose of making him/her click on the phishing link obtained in step 16.
20. After composing the email, select Click here and click the Insert link option, as shown in the screenshot.
21. When the Edit Link window appears, enter the phishing URL in the Web address box and click OK, as shown in the screenshot.
22. The URL has been linked to the Click here text, as shown in the screenshot. Now send the e-mail to the victim.
23. Switch to the Windows 10 machine as the victim and open the victim's email.
24. You will see an email from the attacker, as shown in the screenshot.
25. Open the email and move your mouse over the Click here text; you can see that the browser shows the link to which it redirects, as given in the screenshot. An unsuspecting user may not be aware of this and will visit the malicious webpage.
26. When you click the link, you are taken to a webpage which looks exactly like the Office 365 login page, but if you take a closer look at the URL you will notice that it is the malicious phishing link. Enter your user credentials and click Sign in.
27. You will get a message on your browser that an error has occurred, as shown in the screenshot. At this point your credentials have been successfully captured by the attacker.

Task 4: Get Exploited Victim Details
28. Now, when you switch back to the Kali Linux machine and open the terminal, you will see that SPF has obtained the victim's credentials, as shown in the screenshot.
29. Press Ctrl+C to stop SPF and generate a report. SPF exits and displays the location of the report file, as shown in the screenshot.

Lab Analysis
Analyze and document the results of this lab exercise.

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
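Both lures in the SET and SPF labs work because the visible link text misrepresents the href: the SET email shows http://www.facebook.com/party_pics but points at http://10.10.10.11, and the SPF email hides the phishing server behind "Click here". The script below is an added defensive example (not part of the EC-Council lab manual, SET or SPF): it parses an HTML email body and flags links whose href is a raw IP address or whose displayed URL names a different host than the href. The sample email is constructed for this demonstration, and hosts such as login.example.net are placeholders.

```python
"""Flag email links whose visible text misrepresents where they lead.

Added defensive example, not part of the CEH lab manual or of SET/SPF.
The sample email below is constructed for this demonstration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that reads like a URL or bare domain (optionally with a path).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


def host_of(url):
    """Lower-cased host of a URL or bare-domain string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each link a defender should flag."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if is_ip_literal(href_host):
            findings.append((href, text, "href points at a raw IP address"))
        elif URL_LIKE.match(text) and host_of(text) != href_host:
            findings.append((href, text, "displayed URL host differs from href host"))
    return findings


# Constructed sample mirroring the two lab lures plus one legitimate link.
SAMPLE_EMAIL = """
<p>Party photos: <a href="http://10.10.10.11">http://www.facebook.com/party_pics</a></p>
<p>Your mailbox is almost full. <a href="http://10.10.10.11/office365">Click here</a>.</p>
<p>Sign in: <a href="https://login.example.net/auth">https://www.example.com/login</a></p>
<p>Docs: <a href="https://docs.python.org/3/">https://docs.python.org/3/</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"FLAG {reason}: text={text!r} href={href!r}")
```

A "Click here" lure pointing at a registered domain passes both checks, so this heuristic belongs alongside reputation sources such as the Netcraft and PhishTank lookups covered earlier in the module.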
