For years security professionals have been telling us not to follow links or open attachments from untrusted sources, not to click “Ignore” on your browser’s security pop-ups, and not to insert untrusted thumb drives into your USB ports. Do you want to see what can happen with your own eyes? This lunch hour session will show you how to download, install, configure, and use the basic features of Dave Kennedy’s open source hacker tool, the Social Engineering Toolkit.
1. Hacker tool talk: SET
The Social Engineering Toolkit
“Or how I learned to put tape over my webcam”
Chris Hammond-Thrasher
chris.hammond-thrasher <at> ca.fujitsu.com
Fujitsu Edmonton Security Lab
December 2011
Fujitsu Edmonton Security Lab 1
2. Agenda
• Why are we here?
• What is social engineering?
• Setting up a security lab
• About SET and its dependencies
• Installing SET
• SET demo
• What’s next?
3. Why are we here?
4. Ethics and motives
“Every single scam in human history has
worked for one key reason; the victim did
not recognize it as a scam.”
- R. Paul Wilson
5. What is social engineering?
6. Social science definition
• “Social engineering is a discipline in political science that
refers to efforts to influence popular attitudes and social
behaviors on a large scale, whether by governments or
private groups… For various reasons, the term has been
imbued with negative connotations. However, virtually all law
and governance has the effect of changing behavior and can
be considered "social engineering" to some extent.
Prohibitions on murder, rape, suicide and littering are all
policies aimed at discouraging undesirable behaviors. In
British and Canadian jurisprudence, changing public attitudes
about a behaviour is accepted as one of the key functions of
laws prohibiting it. Governments also influence behavior more
subtly through incentives and disincentives built into economic
policy and tax policy, for instance, and have done so for
centuries.”
- Wikipedia (“social engineering (political science)” 26 October 2011)
7. Information security definition
• “We define it as the act of manipulating a
person to accomplish goals that may or
may not be in the “target’s” best interest.
This may include obtaining information,
gaining access, or getting the target to
take certain action.”
- Chris Hadnagy (social-engineer.org)
8. Setting up a security lab
9. Security lab reqs
• It’s actually pretty easy to set up
– A network
• Isolated from other networks
• Any wired hub, switch, or router and cable; wireless is an option;
or the virtual network created by virtualization tools is also OK.
• Recommendation: Keep it simple and go wired if you can
– Attack/dev box
• Linux or Unix is generally the best option; OS X support is improving;
Windows is the least desirable OS for the attack box.
• Recommendation: OS: Backtrack Linux, Packet tool: Wireshark
– Target box
• Recommendation: OS: Windows (any) running under VMware (or your
favorite virtualization tool)
– Logging/monitoring box (Optional)
• Recommendation: OS: Any, Packet tool: Wireshark
10. Caution
• This is not a game. Attacking machines
with the tools in this presentation without
permission is not only unethical, but is a
criminal offense in many jurisdictions.
12. History
• The Social Engineering Toolkit (SET)
– An open source project led by Dave Kennedy, Chief
Information Security Officer of a Fortune 1000
company
– Leverages the Metasploit Framework, Fast-Track
(another project led by Dave Kennedy), and other open
source tools
– Originally released in 2009 to coincide with the launch
of social-engineer.org
– “The Social-Engineering Toolkit (SET) is a python-driven suite
of custom tools which solely focuses on attacking the human
element of pentesting. Its main purpose is to augment and
simulate social-engineering attacks and allow the tester to
effectively test how a targeted attack may succeed.”
- from the secmaniac.org download page
13. Features
• SET implements a variety of targeted
attacks that fall into three main categories
1. Create malicious websites through site
cloning or templates that launch Metasploit
or Java applet attacks at clients
2. Create and send phishing and
spearphishing emails
3. Create malicious files – PDFs, MS Office
docs, EXEs, etc.
• Free as in speech and beer
14. Legit uses of SET
• Penetration testing – with or without social
engineering in scope
– “Can an attacker still get shell when my firewall, IDS,
and antivirus are awesome?”
– “Can an attacker get shell on privately addressed
machines behind my NATed firewall?”
– “How can I check if my staff can be fooled into doing
something stupid and placing the entire enterprise
and our clients at risk?”
15. h4X0r$
• Provide the technical components of social
engineering attacks
– “I think I can trick the CEO/CFO/Financial
Analyst/DBA into clicking on a link or opening a file
attachment that I email to her, but how do I create an
evil site or file for her to hit?”
– “If I am going to drop USB thumb drives in the target’s
parking lot, what evil file should I put on it?”
– “How can I encode my evil payload to evade
antivirus?”
17. Choices
• Easiest: Get latest Backtrack (BT5R1)
http://www.backtrack-linux.org/downloads/
• Linux power user: Use svn to check out the
latest build (no compile required; SET is
Python)
svn co http://svn.secmaniac.com/social_engineering_toolkit set/
and
firefox http://metasploit.com/download/ &
(grab the latest stable Metasploit release and follow installation instructions)
18. Configuration
• Regardless of your installation method,
open and edit the set_config file in the
config directory of your SET installation (in
Backtrack this is
pentest/exploits/SET/config/set_config)
• The configuration file is well commented, so
don’t be afraid to change settings; at minimum,
check that the Metasploit path it points to
matches where you installed Metasploit
20. SET demo
• Starting it up
• Updating SET and Metasploit
• Menu tour
• The Java applet attack vector
• A quick look at post exploitation (or why I
have tape over my webcam lens)
21. The Java applet attack vector (sequence diagram)
Parties: Victim’s Browser, Victim’s Firewall, Attacker’s Web Server
1. HTTP GET request on port 80 (initiated by the user) from the victim’s
browser, out through the victim’s firewall, to the attacker’s web server
2. HTTP RESPONSES with HTML and Java payload
3. Anti-virus? (does the victim’s anti-virus catch the payload?)
4. Run unsigned Java applet? (the victim is prompted and clicks through);
the applet then requests a TCP connection on port 443 back out through
the victim’s firewall to the attacker
5. Command and control session established
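The sequence on the slide leaves a footprint a defender can look for: a client fetches Java applet code from an external host over HTTP, and seconds later the same client opens an outbound TCP connection on 443 to that host. The script below, an added example that is not part of the original deck or of SET, correlates a web-proxy log with a firewall log to flag that pattern. The log formats, addresses, hostnames and the RESOLVED name-to-IP snapshot are constructed for illustration; the assumption that the applet host and the command-and-control listener share one IP follows the slide’s diagram and will not hold if an attacker stages the payload and the listener on different machines.

```python
"""Flag the applet-then-callback sequence from correlated proxy and firewall logs.

Added example, not code from the original presentation or from SET.
All log lines, hosts and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed web-proxy log: time, client, method, url, response content-type
PROXY_LOG = """\
2011-12-06T12:01:02 10.0.0.15 GET http://update-intranet.example.net/index.html text/html
2011-12-06T12:01:03 10.0.0.15 GET http://update-intranet.example.net/Signed_Update.jar application/java-archive
2011-12-06T12:01:10 10.0.0.22 GET http://www.example.com/news.html text/html
"""

# Constructed firewall log: time, action, src, dst, dport, proto
FW_LOG = """\
2011-12-06T12:01:09 ALLOW 10.0.0.15 203.0.113.7 443 tcp
2011-12-06T12:01:11 ALLOW 10.0.0.22 198.51.100.4 443 tcp
"""

# Constructed snapshot of what the hostnames resolved to at the time
RESOLVED = {
    "update-intranet.example.net": "203.0.113.7",
    "www.example.com": "198.51.100.4",
}

APPLET_TYPES = {"application/java-archive", "application/x-java-applet"}
APPLET_SUFFIXES = (".jar", ".class")
C2_PORT = 443        # step 4 on the slide: reverse connection on tcp/443
WINDOW_SECONDS = 60  # how soon after the applet fetch the callback must appear


@dataclass
class Alert:
    client: str
    applet_host: str
    c2_ip: str
    seconds_after_fetch: float


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def applet_fetches(proxy_log):
    """Yield (time, client, host) for proxy entries that fetched Java applet code."""
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        when, client, _method, url, ctype = line.split()
        parsed = urlparse(url)
        if ctype in APPLET_TYPES or parsed.path.lower().endswith(APPLET_SUFFIXES):
            yield _ts(when), client, parsed.hostname


def outbound_connections(fw_log, port):
    """Yield (time, src, dst) for permitted outbound TCP connections to `port`."""
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        when, action, src, dst, dport, proto = line.split()
        if action == "ALLOW" and proto == "tcp" and int(dport) == port:
            yield _ts(when), src, dst


def detect(proxy_log, fw_log, resolved, window=WINDOW_SECONDS):
    """Return one Alert per applet fetch followed by a callback to the same host.

    Assumes (as the slide's diagram does) that the web server serving the
    applet and the command-and-control listener are the same machine.
    """
    conns = list(outbound_connections(fw_log, C2_PORT))
    alerts = []
    for fetched_at, client, host in applet_fetches(proxy_log):
        attacker_ip = resolved.get(host)
        if attacker_ip is None:
            continue
        for opened_at, src, dst in conns:
            delta = (opened_at - fetched_at).total_seconds()
            if src == client and dst == attacker_ip and 0 <= delta <= window:
                alerts.append(Alert(client, host, dst, delta))
    return alerts


if __name__ == "__main__":
    for a in detect(PROXY_LOG, FW_LOG, RESOLVED):
        print(f"{a.client} fetched an applet from {a.applet_host} and connected to "
              f"{a.c2_ip}:{C2_PORT} {a.seconds_after_fetch:.0f}s later")
```

On the constructed input only 10.0.0.15 is flagged: it pulled a JAR and called back to the same IP six seconds later, while 10.0.0.22 made an ordinary HTTPS connection without ever fetching applet code. Because a SET reverse shell on 443 is a raw Metasploit session rather than TLS, a proxy or sensor that checks for a real TLS handshake on that port gives a second, independent signal.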
23. Learn more
• Read social-engineer.org and listen to
their podcast
• Read Chris Hadnagy’s Social Engineering:
The Art of Human Hacking
24. Act locally
• At work
– Show your colleagues how clicking on an
innocent URL and then ignoring the Java
applet warning can lead to their laptop turning
into a spy-cam
– Show your colleagues how scam emails can
lead to your computer being compromised if
you open attachments or follow links – even if
you don’t reply to their pleas for financial help
25. Act locally
• At home
– My family used to ignore my warnings about
strange email attachments and URLs. Then
one day I fired up the SET Java applet attack
and emailed my daughter a URL with a
message to check out “something cool”. Two
minutes later I called her over to my machine
and showed her a picture of herself that I had
captured through her laptop’s webcam. Not
only will she never follow a strange link again
but she has covered her webcam lens with
masking tape.
26. Thank you!
Want more presentations like this?
Is there a particular tool or hack that you would like to see demoed?
Fujitsu Edmonton Security Lab
Chris Hammond-Thrasher
Email: chris.hammond-thrasher <at> ca.fujitsu.com
Twitter: @thrashor
Yetunde Oladunni
Email: yetundefashoro@gmail.com