Module 09: Social Engineering
Overview of Social Engineering
Social engineering is the art of manipulating people to divulge sensitive information that will be used to perform some kind of malicious action. Because social engineering targets human weakness, even organizations with strong security policies are vulnerable to being compromised by attackers. The impact of social engineering attacks on organizations can include economic losses, damage to goodwill, loss of privacy, risk of terrorism, lawsuits and arbitration, and temporary or permanent closure.
There are many ways in which companies may be vulnerable to social engineering attacks. These include:
Insufficient security training
Unregulated access to information
An organizational structure consisting of several units
Non-existent or lacking security policies
Lab 1: Perform Social Engineering using Various Techniques
Overview of Social Engineering Techniques
There are three types of social engineering attacks: human-, computer-, and mobile-based.
Human-based social engineering uses interaction to gather sensitive information, employing techniques such as impersonation, vishing, and eavesdropping.
Computer-based social engineering uses computers to extract sensitive information, employing techniques such as phishing, spamming, and instant messaging.
Mobile-based social engineering uses mobile applications to obtain information, employing techniques such as publishing malicious apps, repackaging legitimate apps, using fake security applications, and SMiShing (SMS Phishing).
Task 1: Sniff Credentials using the Social-Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. SET is particularly useful to attackers because it is freely available and can be used to carry out a range of attacks. For example, it allows attackers to draft email messages, attach malicious files, and send them to a large number of people using spear phishing. Moreover, SET’s multi-attack method allows Java applets, the Metasploit browser, and Credential Harvester/Tabnabbing to be used simultaneously. SET categorizes attacks according to the attack vector used, such as email, web, and USB.
Although many kinds of attacks can be carried out using SET, it is also a must-have tool for penetration testers to check for vulnerabilities. For this reason, SET is the standard for social engineering penetration tests, and is strongly supported within the security community.
The SET menu appears. Type 1 and press Enter to choose Social-Engineering Attacks.
The Social-Engineer Toolkit (SET) provides a wide range of functions and options to facilitate various social engineering attacks. Here is a list of its primary functions and options:
Main Menu Options
Social-Engineering Attacks:
Spear-Phishing Attack Vectors
Website Attack Vectors
Infectious Media Generator
Create a Payload and Listener
Mass Mailer Attack
Arduino-Based Attack Vector
Wireless Access Point Attack Vector
QRCode Generator Attack Vector
Powershell Attack Vectors
Third-Party Modules
Penetration Testing (Fast-Track):
AutoPwn Automation
Manual Exploitation
Third-Party Modules:
Integration with various third-party tools and scripts.
Social-Engineering Attack Vectors
Spear-Phishing Attack Vectors:
Perform spear-phishing attacks with various payloads and templates.
Website Attack Vectors:
Java Applet Attack Method
Metasploit Browser Exploit Method
Credential Harvester Attack Method
Tabnabbing Attack Method
Web Jacking Attack Method
Multi-Attack Web Method
HTA Attack Method
Infectious Media Generator:
Create a USB/DVD/CD with an autorun payload.
Create a Payload and Listener:
Generate payloads like Meterpreter, Shellcode, etc.
Set up listeners for payloads.
Mass Mailer Attack:
Send mass emails with custom templates and payloads.
Arduino-Based Attack Vector:
Create Arduino-based payloads for social engineering attacks.
Wireless Access Point Attack Vector:
Set up a rogue access point to capture credentials.
QRCode Generator Attack Vector:
Generate QR codes that link to malicious payloads or phishing sites.
Powershell Attack Vectors:
Execute Powershell scripts for various attack methods.
Auxiliary Functions
SMS Spoofing Attack Vector:
Send spoofed SMS messages.
Third-Party Modules:
Extend functionality with third-party modules and tools.
Configuration and Utilities
Update SET:
Check for and install updates for SET.
Change Default Settings:
Modify default configuration settings for various attack vectors and payloads.
Lab 2: Detect a Phishing Attack
Task 1: Detect Phishing using Netcraft
The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Extension provides updated and extensive information about sites that users visit regularly; it also blocks dangerous sites. This information helps users to make an informed choice about the integrity of those sites.
Task 2: Detect Phishing using PhishTank
PhishTank is a free community site on which anyone can submit, verify, track, and share phishing data. As the official website notes, “it is a collaborative clearing house for data and information about phishing on the Internet.” PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications.
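One way a defender might integrate community phishing data into mail or proxy triage is shown below. This is an added example, not part of the original lab or PhishTank's own code. The feed rows are constructed, the CSV column layout is an assumption modelled on a PhishTank-style export, and the function names are hypothetical.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed feed excerpt (not real PhishTank data). The column layout is an
# assumption modelled on a PhishTank-style CSV export.
SAMPLE_FEED = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
1000001,http://login.example-bank.test/secure/,http://feed.example/detail/1000001,2024-01-05T10:00:00+00:00,yes,2024-01-05T10:20:00+00:00,yes,Example Bank
1000002,https://mail.example-corp.test:443/owa/auth?x=1,http://feed.example/detail/1000002,2024-01-06T08:00:00+00:00,yes,2024-01-06T08:30:00+00:00,no,Example Corp
1000003,http://unreviewed.example.test/promo,http://feed.example/detail/1000003,2024-01-07T09:00:00+00:00,no,,yes,Other
"""

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Canonical form so trivial variations of a listed URL still match."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"  # fragment is dropped

def load_feed(text):
    """Index verified entries by normalized URL; unverified reports are skipped."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["verified"] == "yes":
            index[normalize(row["url"])] = row
    return index

def check_url(index, url):
    """Return (verdict, phish_id) for a URL taken from mail or proxy logs."""
    try:
        entry = index.get(normalize(url))
    except ValueError:
        return ("unparseable", None)
    if entry is None:
        return ("not_listed", None)
    verdict = "listed_online" if entry["online"] == "yes" else "listed_offline"
    return (verdict, entry["phish_id"])

if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for u in ("HTTP://Login.Example-Bank.test:80/secure#top", "http://unreviewed.example.test/promo"):
        print(u, "->", check_url(feed, u))
```

A "not_listed" verdict only means the URL is absent from the verified entries of the feed; it is not evidence that the site is safe.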
Lab 3: Audit Organization's Security for Phishing Attacks
Overview
In phishing attacks, attackers implement social engineering techniques to trick employees into revealing confidential information of their organization. They use social engineering to commit fraud, identity theft, industrial espionage, and so on. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.
To be truly effective in combating social engineering attacks, an organization should do the following:
Disseminate policies among its employees and provide proper education and training.
Provide specialized training benefits to employees who are at a high risk of social engineering attacks.
Obtain signatures of employees on a statement acknowledging that they understand the policies.
Define the consequences of policy violations.
Task 1: Audit Organization's Security for Phishing Attacks using OhPhish
OhPhish is a web-based portal for testing employees’ susceptibility to social engineering attacks. It is a phishing simulation tool that provides an organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation.
Hacker's Mantra:
Data, Creativity, Curiosity - Andrew Chen