🐧Module 09: Social Engineering

Overview of Social Engineering

Social engineering is the art of manipulating people to divulge sensitive information that will be used to perform some kind of malicious action. Because social engineering targets human weakness, even organizations with strong security policies are vulnerable to being compromised by attackers. The impact of social engineering attacks on organizations can include economic losses, damage to goodwill, loss of privacy, risk of terrorism, lawsuits and arbitration, and temporary or permanent closure.

There are many ways in which companies may be vulnerable to social engineering attacks. These include:

  • Insufficient security training

  • Unregulated access to information

  • An organizational structure consisting of several units

  • Non-existent or lacking security policies

Lab 1: Perform Social Engineering using Various Techniques

Overview of Social Engineering Techniques

There are three types of social engineering attacks: human-, computer-, and mobile-based.

  • Human-based social engineering uses interaction to gather sensitive information, employing techniques such as impersonation, vishing, and eavesdropping

  • Computer-based social engineering uses computers to extract sensitive information, employing techniques such as phishing, spamming, and instant messaging

  • Mobile-based social engineering uses mobile applications to obtain information, employing techniques such as publishing malicious apps, repackaging legitimate apps, using fake security applications, and SMiShing (SMS Phishing)

Task 1: Sniff Credentials using the Social-Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. SET is particularly useful to attackers, because it is freely available and can be used to carry out a range of attacks. For example, it allows attackers to draft email messages, attach malicious files, and send them to a large number of people using spear phishing. Moreover, SET’s multi-attack method allows Java applets, the Metasploit browser, and Credential Harvester/Tabnabbing to be used simultaneously. SET categorizes attacks according to the attack vector used such as email, web, and USB.

Although many kinds of attacks can be carried out using SET, it is also a must-have tool for penetration testers to check for vulnerabilities. For this reason, SET is the standard for social engineering penetration tests, and is strongly supported within the security community.

Social-Engineer Toolkit

 ./setoolkit
  • The SET menu appears. Type 1 and press Enter to choose Social-Engineering Attacks

The Social-Engineer Toolkit (SET) provides a wide range of functions and options to facilitate various social engineering attacks. Here is a list of its primary functions and options:

  1. Social-Engineering Attacks:

    • Spear-Phishing Attack Vectors

    • Website Attack Vectors

    • Infectious Media Generator

    • Create a Payload and Listener

    • Mass Mailer Attack

    • Arduino-Based Attack Vector

    • Wireless Access Point Attack Vector

    • QRCode Generator Attack Vector

    • Powershell Attack Vectors

    • Third-Party Modules

  2. Penetration Testing (Fast-Track):

    • AutoPwn Automation

    • Manual Exploitation

  3. Third-Party Modules:

    • Integration with various third-party tools and scripts.

Social-Engineering Attack Vectors

  1. Spear-Phishing Attack Vectors:

    • Perform spear-phishing attacks with various payloads and templates.

  2. Website Attack Vectors:

    • Java Applet Attack Method

    • Metasploit Browser Exploit Method

    • Credential Harvester Attack Method

    • Tabnabbing Attack Method

    • Web Jacking Attack Method

    • Multi-Attack Web Method

    • HTA Attack Method

  3. Infectious Media Generator:

    • Create a USB/DVD/CD with an autorun payload.

  4. Create a Payload and Listener:

    • Generate payloads like Meterpreter, Shellcode, etc.

    • Set up listeners for payloads.

  5. Mass Mailer Attack:

    • Send mass emails with custom templates and payloads.

  6. Arduino-Based Attack Vector:

    • Create Arduino-based payloads for social engineering attacks.

  7. Wireless Access Point Attack Vector:

    • Set up a rogue access point to capture credentials.

  8. QRCode Generator Attack Vector:

    • Generate QR codes that link to malicious payloads or phishing sites.

  9. Powershell Attack Vectors:

    • Execute Powershell scripts for various attack methods.

Auxiliary Functions

  1. SMS Spoofing Attack Vector:

    • Send spoofed SMS messages.

  2. Third-Party Modules:

    • Extend functionality with third-party modules and tools.

Configuration and Utilities

  1. Update SET:

    • Check for and install updates for SET.

  2. Change Default Settings:

    • Modify default configuration settings for various attack vectors and payloads.

Lab 2: Detect a Phishing Attack

Task 1: Detect Phishing using Netcraft

The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Extension provides updated and extensive information about sites that users visit regularly; it also blocks dangerous sites. This information helps users to make an informed choice about the integrity of those sites.

Task 2: Detect Phishing using PhishTank

PhishTank is a free community site on which anyone can submit, verify, track, and share phishing data. As the official website notes, “it is a collaborative clearing house for data and information about phishing on the Internet.” PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications.
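One way to put such feed data to defensive use is to check URLs pulled from mail or proxy logs against a locally downloaded copy. This is an added example, not part of the original notes or PhishTank's own code. The feed entries are constructed, the field names (phish_id, url, verified, online) are assumed to follow PhishTank's downloadable JSON format, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like PhishTank's downloadable JSON feed (assumed
# field names); hosts use the reserved .example TLD and are not real entries.
SAMPLE_FEED = json.dumps([
    {"phish_id": "1000001", "verified": "yes", "online": "yes",
     "url": "http://login.bank-secure.example/verify.php?id=1"},
    {"phish_id": "1000002", "verified": "yes", "online": "no",
     "url": "https://mail.portal.example/owa/"},
    {"phish_id": "1000003", "verified": "no", "online": "yes",
     "url": "http://files.cdn.example/doc"},
])

def normalize(url):
    """Return (host, path+query), ignoring case, default ports and fragments."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # malformed port in a log line: treat as absent
        port = None
    if port not in (None, 80, 443):
        host = f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return host, path + (f"?{parts.query}" if parts.query else "")

def build_index(feed_json):
    """Index only entries the community has verified and that are still online."""
    exact, hosts = {}, {}
    for entry in json.loads(feed_json):
        if entry.get("verified") != "yes" or entry.get("online") != "yes":
            continue
        host, rest = normalize(entry["url"])
        exact[(host, rest)] = entry["phish_id"]
        hosts.setdefault(host, entry["phish_id"])
    return exact, hosts

def check(url, index):
    """Return ("exact" | "host" | None, phish_id or None) for one observed URL."""
    exact, hosts = index
    host, rest = normalize(url)
    if (host, rest) in exact:
        return "exact", exact[(host, rest)]
    if host in hosts:  # same host, different page: worth an analyst's look
        return "host", hosts[host]
    return None, None

if __name__ == "__main__":
    print(check("http://login.bank-secure.example/other", build_index(SAMPLE_FEED)))
```

An "exact" hit can feed a block or quarantine action directly, while a "host" hit is better routed to review, since a listed host may also serve pages that were never reported.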

Lab 3: Audit Organization's Security for Phishing Attacks

Overview

In phishing attacks, attackers use social engineering techniques to trick employees into revealing their organization's confidential information. They use social engineering to commit fraud, identity theft, industrial espionage, and so on. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.

To be truly effective in combating social engineering attacks, an organization should do the following:

  • Disseminate policies among its employees and provide proper education and training.

  • Provide specialized training benefits to employees who are at a high risk of social engineering attacks.

  • Obtain signatures of employees on a statement acknowledging that they understand the policies.

  • Define the consequences of policy violations.

Task 1: Audit Organization's Security for Phishing Attacks using OhPhish

OhPhish is a web-based portal for testing employees’ susceptibility to social engineering attacks. It is a phishing simulation tool that provides an organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation.




Hacker's Mantra: Data, Creativity, Curiosity - Andrew Chen