Hacker tooltalk: Social Engineering Toolkit (SET)

Hacker tool talk: SET
The Social Engineering Toolkit
“Or how I learned to put tape over my webcam”

Chris Hammond-Thrasher
chris.hammond-thrasher <at> ca.fujitsu.com
Fujitsu Edmonton Security Lab
December 2011

Fujitsu Edmonton Security Lab 1

Agenda
• Why are we here?
• What is social engineering?
• Setting up a security lab
• About SET and its dependencies
• Installing SET
• SET demo
• What’s next?


Why are we here?


Ethics and motives
“Every single scam in human history has
worked for one key reason; the victim did
not recognize it as a scam.”
- R. Paul Wilson


What is social engineering?


Social science definition
• “Social engineering is a discipline in political science that
refers to efforts to influence popular attitudes and social
behaviors on a large scale, whether by governments or
private groups… For various reasons, the term has been
imbued with negative connotations. However, virtually all law
and governance has the effect of changing behavior and can
be considered "social engineering" to some extent.
Prohibitions on murder, rape, suicide and littering are all
policies aimed at discouraging undesirable behaviors. In
British and Canadian jurisprudence, changing public attitudes
about a behaviour is accepted as one of the key functions of
laws prohibiting it. Governments also influence behavior more
subtly through incentives and disincentives built into economic
policy and tax policy, for instance, and have done so for
centuries.”
- Wikipedia (“social engineering (political science)” 26 October 2011)


Information security definition
• “We define it as the act of manipulating a
person to accomplish goals that may or
may not be in the “target’s” best interest.
This may include obtaining information,
gaining access, or getting the target to
take certain action.”
- Chris Hadnagy (social-engineer.org)


Setting up a security lab


Security lab reqs
• It’s actually pretty easy to setup
– A network
• Isolated from other networks
• Any wired hub, switch, or router and cable; wireless is an option;
or the virtual network created by virtualization tools is also OK.
• Recommendation: Keep it simple and go wired if you can
– Attack/dev box
• Linux or Unix is generally the best option, OS X is getting better
support, or Windows as the least desirable OS.
• Recommendation: OS: Backtrack Linux, Packet tool: Wireshark
– Target box
• Recommendation: OS: Windows (any) and VMWare (or your
favorite virtualization tool)
– Logging/monitoring box (Optional)
• Recommendation: OS: Any, Packet tool: Wireshark


Caution
• This is not a game. Attacking machines
with the tools in this presentation without
permission is not only unethical, but is a
criminal offense in many jurisdictions.


About SET


History
• The Social Engineering Toolkit (SET)
– An open source project lead by Dave Kennedy, Chief
Information Security Officer of a Fortune 1000
company
– Leverages the Metasploit Framework, FastTrack
(another Dave Kennedy lead project), and other open
source tools
– Originally released in 2009 to coincide with the launch
of social-engineer.org
– “The Social-Engineering Toolkit (SET) is a python-
driven suite of custom tools which solely focuses on
attacking the human element of pentesting. It’s main
purpose is to augment and simulate social-
engineering attacks and allow the tester to effectively
test how a targeted attack may succeed.”
- from the secmaniac.org download page

Features
• SET implements a variety of targeted
attacks that fall into three main categories
1. Create malicious websites through site
cloning or templates that launch Metasploit
or Java applet attacks at clients
2. Create and send phishing and
spearphishing emails
3. Create malicious files – PDFs, MS Office
docs, EXEs, etc.
• Free as in speech and beer

Legit uses of SET
• Penetration testing – with or without social
engineering in scope
– “Can an attacker still get shell when my firewall, IDS,
and antivirus are awesome?”
– “Can an attacker get shell on privately addressed
machines behind my NATed firewall?”
– “How can I check if my staff can be fooled into doing
something stupid and placing the entire enterprise
and our clients at risk?”


h4X0r$
• Provide the technical components of social
engineering attacks
– “I think I can trick the CEO/CFO/Financial
Analyst/DBA into clicking on a link or opening a file
attachment that I email to her, but how do I create an
evil site or file for her to hit?”
– “If I am going to drop USB thumb drives in the target’s
parking lot, what evil file should I put on it?”
– “How can I encode my evil payload to evade
antivirus?”


Installing SET


Choices
• Easiest: Get latest Backtrack (BT5R1)
http://www.backtrack-linux.org/downloads/

• Linux power user: Use svn to install the
latest build (no compile required – it’s
Python)
svn co http://svn.secmaniac.com/social_engineering_toolkit set/

and

firefox http://metasploit.com/download/ &

(grab the latest stable Metasploit release and follow installation instructions)

Configuration
• Regardless of your installation method,
open and edit the set_config file in the
config directory of your SET installation (in
Backtrack this is
pentest/exploits/SET/config/set_config)
• The configuration file is well commented –
don’t be afraid


SET demo


SET demo
• Starting it up
• Updating SET and Metasploit
• Menu tour
• The Java applet attack vector
• A quick look at post exploitation (or why I
have tape over my webcam lens)


1. HTTP GET request on port 80 (initiated by the user)

2. HTTP RESPONSES with HTML and Java payload

3. Anti-
Attacker’s Web Server

virus?

Victim’s Browser
Victim’s Firewall
4. Run
unsigned
Java
4. Request TCP connection on port 443 applet?

5. Command and control session established


What’s next


Learn more
• Read social-engineer.org and listen to
their podcast
• Read Chris Hadnagy’s Social Engineering:
The Art of Human Hacking


Act locally
• At work
– Show your colleagues how clicking on an
innocent URL and then ignoring the Java
applet warning can lead to their laptop turning
into a spy-cam
– Show your colleagues how scam emails can
lead to your computer being compromised if
you open attachments or follow links – even if
you don’t reply to their pleas for financial help


Act locally
• At home
– My family used to ignore my warnings about
strange email attachments and URLs. Then
one day I fired up the SET Java applet attack
and emailed my daughter a URL with a
message to check out “something cool”. Two
minutes later I called her over to my machine
and showed her a picture of herself that I had
captured through her laptop’s webcam. Not
only will she never follow a strange link again
but she has covered her webcam lens with
masking tape.

Thank you!

Want more presentations like this?
Is there a particular tool or hack that you would like to see demoed?

Fujitsu Edmonton Security Lab
Chris Hammond-Thrasher
Email: chris.hammond-thrasher <at> ca.fujitsu.com
Twitter: @thrashor

Yetunde Oladunni
Email: yetundefashoro@gmail.com


Hacker tooltalk: Social Engineering Toolkit (SET)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Hacker tooltalk: Social Engineering Toolkit (SET)

Similar to Hacker tooltalk: Social Engineering Toolkit (SET) (20)

More from Chris Hammond-Thrasher

More from Chris Hammond-Thrasher (13)

Recently uploaded

Recently uploaded (20)

Hacker tooltalk: Social Engineering Toolkit (SET)