CEH v8 Labs Module 09 Social Engineering PDF

CEH Lab Manual
S o c ia l E n g in e e r in g
M o d u le 0 9
M odule 09 - S o c ia l Engineering
Social Engineering
S o c ia l en g in eerin g is th e a r t o f co n vin cin g p eo p le to re v e a l c o n fid e n tia l in fo n m tio n .
ICON KEY L a b S c e n a r io
/ V a lu a b le in f o r m a tio n
Source: http:/ / monev.cnn.com/2012/08/O/technology/walmart-liackde Icon/index, htm Social engineering is essentially the art of gaining access to buildings, systems, by exploiting human psychology, rather than by breaking 111 01 using technical hacking techniques. The term social engineering can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies 011 the trusting nature of most individuals. For example, instead of trying to find software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to tiick the employee into divulging 111s password.
01 data
Test your
*5
W eb exercise
Q W orkbook revie
Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving 111111 information that could be used 111 a hacker attack to win a coveted black badge 111 the social engineering contest at the Deleon hackers conference 111 Las Vegas. 1 1 1 tins year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and 111s talent for self-effacing small talk to squeeze the following information out of Wal-Mart: The small-town Canadian Wal-Mart store's janitorial contractor Its cafeteria food-services provider Its employee pay cycle Its staff shift schedule The time managers take then breaks Where they usually go for lunch Type of PC used by the manager Make and version numbers of the computer's operating system, and Its web browser and antivirus software Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken 111 to the extent of coughing up so much scam-worthy treasure. Calling from 111s sound-proofed booth at Defcon MacDougall placed an urgent call, broadcast to the entire Deleon audience, to a Wal-Mart store manager 111 Canada, introducing liinisell as "Gan Darnell" from Wal-Mart's home office 111 Bentonville, Ark.
C E H Lab Manual Page 675
Ethical Hacking and Countenneasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
The role-playing visher (visliing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract. Darnell' said that 111 s job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated. 1 1 1 the conversation, which lasted about 10 minutes, Darnell described himself as a newly lured manager of government logistics. He also spoke offhand about the contract: All I know is Wal-Mart can make a ton of cash off it, he said, then went on to talk about his upcoming visit, keeping up a steady patter about the project and life 111 Bentonville, Crowley writes. As if tins wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey 111 preparation for 111s upcoming visit. The compliant manager obliged, plugging the address into 111s browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked. After ending the call, stepping out of the booth and accepting 111s well-earned applause, MacDougall became the first Capture the Flag champion to capture even data point, or flag, on the competition checklist 111 the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head. Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as ]MacDougall pulled down Wal-Mart's pants. MacDougall said, Companies are way more aware about their security. Theyve got firewalls, intrusion detection, log-in systems going into place, so its a lot harder for a hacker to break 111 these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just arent protecting, which is the people.\ MacDougall also shared few best practices to be followed to avoid falling victim to a social engineer: Never be afraid to say no. If something feels wrong, something is wrong An IT department should never be calling asking about operating systems, machines, passwords or email systemsthey already know
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
Set up an internal company security word of the day and dont give any information to anyone who doesnt know it Keep tabs 011 whats 011 the web. Companies inadvertently release tons of information online, including through employees social media sites As an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you should circulate the best practices to be followed among the employees.
& T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e rin g
L a b O b je c t iv e s
The objective of this lab is to: Detect phishing sites Protect the network from phishing attacks To earn* out diis lab, you need: A computer nuuiing Window Seiver 2012 A web browser with Internet access
L a b D u r a t io n
Time: 20 Minutes
O T A S K 1 v e r v ie w S o c ia l E n g in e e r in g
O v e rv ie w
Social engineering is die art of convincing people to reveal confidential information. Social engineers depend 011 the fact that people are aware of certain valuable information and are careless 111 protecting it.
L a b T a s k s
Recommended labs to assist you 111 social engineering: Social engineering Detecting plusliuig using Netcraft Detecting phishing using PliishTank
L a b A n a ly s is
Analyze and document the results related to the lab exercise. Give your opinion 011 your targets security posture and exposure.
P LE A S E
TA LK
TO
Y O U R IN S T R U C T O R IF Y O U R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
Delecting Phishing Using Netcraft

N e trm ftp ro v id e s n eb se rve r a n d n eb h o stin g w a rk e t- sh a re a n a ly s is , in c lu d in g n ' eb se rve r a n d o p eratin g system d etectio n .
ICON KEY L a b S c e n a r io
Valuable / information .*v Test vour
By now you are familiar with how social engineering is performed and what sort ot information can be gathered by a social engineer. Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity 111 an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, 01 IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing 01 instant messaging and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one. Phishers are targeting the customers of banks and online payment services. They send messages to the bank customers by manipulating URLs and website forger\T . The messages sent claim to be from a bank and they look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the plusher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake callerID data to give the appearance that calls come from a trusted organization. Since you are an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you must be aware of phishing attacks occurring 011 the network and implement antiphishing measures. 111 an organization, proper training must be provided to people to deal with phishing attacks. 111 this lab you will be learning to detect phishing using Netcraft.
*a
W eb exercise
f f i! W orkbook revi!
L a b
b je c t iv e s
Tins kb will show you phishing sites using a web browser and show you how to use them. It will teach you how to: Detect phishing sites Protect the network from phishing attack
^ ~ T o o ls
To carry out tins lab you need:

N e t c r a f t is located at D :\C E H -T o o ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e r in g \A n ti- P h is h in g T o o lb a r \ N e tc r a f t T o o lb a r N e t c r a f t T o o lb a r
d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e rin g
You can also download the latest version of link http://toolbar.netcralt.com/

111
from the
If you decide to download the the lab might differ
l a t e s t v e rs io n ,
then screenshots shown
A computer running Windows Server 2012 A web browser (Firefox, Internet explorer, etc.) with Internet access Administrative privileges to run the Netcraft toolbar
Time: 10 Minutes
O v e r v ie w o f N e t c r a f t T o o lb a r
Netcraft Toolbar provides I n t e r n e t s e c u r ity s e r v ic e s , including anti-fraud and anti-phishing services, a p p lic a tio n t e s ti n g , code reviews, automated penetration testing, and r e s e a r c h d a t a a n d a n a ly s is on many aspects of the Internet.
L a b ^ T A S K 1 T a s k s
A n ti-P h ish in g T oo l bar
1. To start this lab, you need to launch a web browser first. 1 1 1 this lab we have used M o z illa F ire fo x . 2. Launch the S t a r t menu by hovering the mouse cursor on the lower-left corner of the desktop.
JL 5
Q = JY ou cau also download the Netcraft toolbar form http://toolbar. etcraft.com
11
* | Windows Server 2012

! m i 2012R c Icak CanJiaatr D ot*cnvtiftlmHon copy BwO M W
F IG U R E 1.1: Windows Server 2012-Start Menu
3. Click the
M o z illa F ir e f o x
app to launch the browser.
F IG U R E 1.2: Windows Server 2012-Start Menu Apps view
4. To download the N e t c r a f t T o o lb a r for M o z illa F ir e fo x , enter h ttp :// toolbar.11etcraft.com 111 the address bar of the browser or drag and drop the n e t c r a f t _ t o o l b a r - 1. 7-fx .x p i file 111 Firefox. 5. 1 1 1 tins lab, we are downloading the toolbar from the Internet. 6. 1 1 1 Firefox browser, click the add-on.
Netcraft provides Internet security services, including anti-fraud and anti-phishing services.
D o w n lo a d t h e N e t c r a f t T o o lb a r
to install as
etc M i f t
SIN G LE H 3 P n , ,
Mtc-ft Toolbar
Why u tt Ntcraft Toolbar?
as e ethe hoittnq totat)or1and H te fcMataiq 0 1e < OH e lpdefend tt*c Internet commultytrooi Ira
U Protect your taviitQf fromI'hM htnq attack*,
F IG U R E 1.3: Netcraft toolbar downloading Page
7. On the
im a g e
fc 4
I n s ta ll page of the Netcraft Toolbar site, click the to continue with installation.
c
F ir e fo x
P ftO l
nETCIÂFT
,.( . D ow nload Now Netcraft Anti Phithing Toolbar
[QQ Netcraft is an Internet services company based in Bath, England.
&
System Raqulramanla
F IG U R E 1.4: Netcraft toolbar Installation Page
8. Click A llo w to download Netcraft Toolbar.

^ * ye.et* d th
a t 1 0 c * .n e < r< ft< o m )I d < ti

1 -- 1
D ow nload Now
SNGLEH2r
Teotbir
N*teH Antl-PNhl0< Todhtr
r= rs
Systam Kaquirtmanti > r> a *p l tfc # rre(AMnn/HMnji) cwitnn rv a > < e > $ 1cnsorthe tootta rr ar orte b w t 1 nxdrg > tu w ooea. andvaran Help & Support ro M o m in a tllin Q ? fm idtr ...l.ll.l. a lsoh a i 8 rtt1 n0 tu to fw is< yo uw1 togt t*emt oa tf 1 wanrttoofcx
'oolba <uppor
F IG U R E 1.5: Netcraft toolbar Installation-Allow button
9. When the
S o ftw a r e In s ta lla tio n
dialog box appears, click I n s ta ll
N ow .
Software Installation Install add-ons only from authors w ho m you trust. Malicious software can damage your computer or violate your privacy.
You have asked to install the following item: Netcraft Anti-Phishing Toolbar (Netcraft Ltd)
Q Netcraft Toolbar provides a wealth o f information about the sites you visit.
http://releases.mozilla.org/pub/mozilla.org/addons/1326/netcraft_toolbar-1.5-fx.xpi
Install Now
Cancel
F IG U R E 1.6: Installing Netcraft Toolbar
10. To complete the installation it will ask you to restart the browser. Click
R e s ta r t N ow .
l __ Risk Rating displays the trustworthiness of die current
A < on o t(ifT cntt/ K H p & Support l* 1gUHnIm lnilM iu1 1 l w I iui InilaMu *Mr Ao jlec h 1 v jM laclKM x/ iito ijit tfyo uit 0with* non < u t0 1 9 M M toabJt ot 1 Oimmh'it > n < vM n 1 w 4 rdn air M tU h M O ir (juM O tm
F IG U R E 1.7: Restarting Firefox browser
11.
N e t c r a f t T o o lb a r is now visible. Once the T o o lb a r is installed, it looks similar to the following figure.
p \U--->rw t SatejtfuaitontiltiOflC1 *1 1 * -
F IG U R E 1.8: Netcraft Toolbar on Mozilla Firefox web browser
12. When you visit a site, the following information displays 111 the Toolbar (unless the page has been blocked): R is k r a t in g , R a n k , and F la g . 13. Click S it e
R e p o rt
to show the report of the site.
0=5! Site report links to : detailed report for die
F IG U R E 1.9: Report generated by Netcraft Toolbar
14. If you attempt to visit a page that has been identified as a pliishing page by Netcraft Toolbar you will see a w a r n in g d ia lo g that looks similar to the one in the following figure. 15. Type, as an example: http: / / www.pavpal.ca.6551 .secure7c.mx / images / cgi.bin
0 . Phishing a site feeds continuously updated encrypted database of patterns diat match phishing URLs reported by the Netcraft Toolbar.
F IG U R E 1.10: Warning dialog for blocked site
16. If you trust that page click Y e s to open it and if you dont, click N o ( R e c o m m e n d e d ) to block that page. 17. If you click N o the following page will be displayed.
4 K ln l c C o o f b
fi ft C -
. ! ! ! ! ! P h K M n gS *oH lo c k c x l %lll t ... :m;.
L
F IG U R E 1.11: Web page blocked by N etcraft Toolbar
L a b
A n a ly s is
Document all die results and report gathered during die lab. Tool/Utility Netcraft Information Collected/Objectives Achieved Phishing site detected
P LE A S E
TA LK
TO
H A V E
Q U E ST IO N S
u e s t io n s
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
C E H Lab Manual Page 683 Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
2. Determine it you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how? 3. How can you stop the Toolbar warning if a site is trusted? Internet Connection Required N< Platform Supported 0 Classroom !Labs
3
Detecting Phishing Using PhishTank
P h is h T a n k is a c o lla b o ra tiv e clearin g h o u se fo r d a ta a n d in fo rm a tio n reg ard in g p h is h in g on th e In te rn e t.
ICON KEY L a b S c e n a r io Valuable _____ information
. >* Test yo u r
gfe W eb exercise W orkbook re \
Phishing is an attempt by an individual 01 group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization 01 known individual. These emails often attempt to entice users to click 011 a link that will take the user to a fraudulent website that appears legitimate. Hie user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code. With the tremendous increase 111 the use of online banking, online share trading, and ecommerce, there has been a corresponding growth 111 the incidents of phishing being used to carry out financial frauds. Phisliing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details etc.) by masquerading as a masted entity.
111 the previous lab you have already seen how a phishing site can be detected using the Netcraft tool.
The usual scenario is that the victim receives an email that appears to have been sent from 111s bank. The email urges the victim to click 011 the link 111 the email. When the victim does so, he is taken to a secure page 011 the banks website. The victim believes the web page to be authentic and he enters 11 1 s user name, password, and other information. 111 reality, the website is a fake and the victims information is stolen and misused. Being an administrator 01 penetration tester, you might implement all the most sophisticated and expensive technology solutions 111 the world; all of it can be bypassed if your employees fall for simple social engineering scams. It become
your responsibility to educate employees information.
011
best practices for protecting
Phishing sites 01 emails can be reported to plusl11ng-report@us-cert.gov http: / / www.us-cert.gov/ 11av/report ph 1sh111g.html US-CERT (United States Computer Emergency Readiness Team) is collecting phishing email messages and website locations so that they can help people avoid becoming victims of phishing scams.
[C T T ools d e m o n s tr a t e d in th i s la b a r e a v a ila b le in D:\CEHT oo ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e rin g
This lab will show you how to use phishing sites using a web browser. It will teach you how to: Detect phishing sites Protect the network from phishing attacks
L a b E n v ir o n m e n t
To carry out the lab you need: A computer running Windows Server 2012 A web browser (Firefox, Internet Explorer, etc.) with Internet access
Tune: 10 Minutes
O
Q PhishTank U R L: http.//www.phishtank.com
v e r v ie w
o f
P h is k T a n k
PhishTank is a f r e e c o m m u n ity s i t e where anyone can submit, verity, track, and s!1are p h is h in g d a ta . PhishTank is a collaborative clearing house for data and information regarding phishing 011 the Internet. Also, PhishTank provides an o p e n API tor developers and researchers to integrate anti-phishing data into their applications at 110 charge.
L a b T a s k s
m.
T A S K
1. To start this lab you need to launch a web browser first. 1 1 1 this lab we have used M o z illa F ire fo x . 2. Launch the S t a r t menu by hovering the mouse cursor corner of desktop.
011
P h is h T a n k
the lower-left
jw
$
23 Windows Server 2012

W ndow a icrrct 2 0 1 2IUIe.mC > vl!u atr 0*tcn* kialualoncop yH u!a MW
- g *fa
F IG U R E 2.1: Windows Server 2012-Start Menu
3. Click the
M o z illa F ir e f o x
app to launch the browser.
01 PlushTaiik provides an open A P I for developers and researchers to integrate antiphishing data into dieir applications at no charge.
F IG U R E 2.2: Windows Server 2012-Start Menu Apps view
4. Type h tt p :/ /w w w .p h is h ta n k .c o m and press E n te r. 5. You will see the follow ing
111 the
address bar of the web browser
PhishTank
. ..
Jo in tie fiylitayaiittt ptiialiiiKj

Verfy
S u to m rts ts p sd g d p h sh e s Track th eUatis o fy o u rsuhmfyaons Develop s o ftw a r ew itho u rfr e eAPI.
< A \ c rj s e n 's u b m a a t o n .
R ecertSu b n issb rs
1 S 7 : S 1
lPiOO lg liia
rtn J r niT K rs fjnn .iT V M e t/ie y a 'A ija a a ^*:/VrstM .axVsy *rt>-r tom rtc usemncs.aebfu.ictscmnsraurAxroim
m .cvnPM /iM lct.K n i
F IG U R E 2.3: Welcome screen o f PhishTank
PliishTauk s operated by Open D N S to improve the Internet through safer, faster, and smarter D N S.
6. Type the w e b s i t e URL to be checked for phishing, for example, http: / / sdapld21.host21.com. 7. Click I s
it a p h is h ? .
Jo in the fight against phishing

Submrt tu w c d phsftua. Rack the ttatic of 1 /cur submissions Vecfyoher jscts suonssnns Develop software wim our ftee API.
r ttp //K iJ p ta V .ItM tU c e m

d im )fjst) lu
R#c*r< SubTKSors
> m iftLIm m u p > .le 0p irn
*MhTink provttet oh An tar
'
ImiTVl. J 4 C IU Y ...
F IG U R E 2.4: Checking for site
If the site is a p h is h in g
s ite ,
you see the following warning dialog box.
PhishTank
O k of it* NM.io*MTw*
Submission #1571567 is aimentty ONLINE
0 2 Open D N S is
interested in having die best available information about phishing websites.
S01 n or Hcgcto tovert, t !6 sutxnssior.
No screenshot yet
We have not ye! successfully taken a screeasltol f the submitted website.
F IG U R E 2.5: Warning dialog for phishing site
L a b
A n a ly s is
Document all die websites and verify whether diey are phishing sites. Tool/Utility PhiskTank Information Collected/Objectives Achieved Phishing site detected
PLE A SE
TA LK
TO
H A V E
Q U E ST IO N S
u e s t io n s
1. Evaluate what PhishTank wants to hear about spam. 2. Does PhishTank protect you from phishing? 3. Why is Open DNS blocking a phish site that PhishTank doesn't list or has not vet verified? Internet Connection Required
0 Yes
Platform Supported 0 Classroom
No
!Labs
3
Social Engineering Penetration Testing using Social Engineering Toolkit (SET)
T h e S o c ia / E n g in e e r T o o / k it (S E T ) is a n open-source P yth o n - d rive n to o l aim e d a t p e n e tra tio n te stin g a ro u n d s o c ia l en g in eerin g
c o n
k e y
L a b
S c e n a r io
__ Valuable information Test your knowledge W eb exercise W orkbook review
Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies even day. Even though there are many hacking tools available with underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-pliishing attacks, website attacks, etc. Attackers can draft email messages and attach malicious files and send them to a large number of people using the spear-pliishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/ Tabnabbing, etc. all at once. Though numerous sorts ot attacks can be performed using tins toolkit, tins is also a must-liave tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily witlun the security community. As an e t h i c a l h a c k e r , penetration tester, or s e c u r i t y a d m i n i s t r a t o r you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities 011 the network.
The objective of tins lab is to help sUidents learn to: Clone a website Obtain user names and passwords using the Credential Harvester method Generate reports for conducted penetration tests
C E H Lab Manual Page 690 Ethical Hacking and Countemieasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.]
& T o o ls d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e rin g
L a b
E n v ir o n m
e n t
To earn out die kb, you need: Run this tool 111 B a c k T r a c k Virtual Machine Web browser with Internet access Administrative privileges to mn tools
L a b
D u r a t io n
Tune: 10 Minutes
O v e r v ie w o f S o c ia l E n g in e e r in g T o o lk it
Sockl-Enguieer Toolkit is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. The (SET) is specifically designed to perform advanced attacks against die human element. The attacks built into die toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
L a b T a s k s
1. Log in to your B a c k T r a c k virtual machine.

T A S K 1
2. Select A p p lic a t io n s
^ Applications[ Places System [>7]
^B a c k T r a c k Ê x p lo ita tio n T o o ls ^S o c ia l
E x e c u te S o c ia l E n g in e e rin g T o o lk it
E n g in e e r in g T o o ls ^S o c ia l E n g in e e r in g T o o lk it
3 Tue Sep 25. 7:10 PM
and click S e t.
|Q ^ In fo rm a tio nG a th e rin g r v u ln e ra b ilityA s s e s s m e n t J0 E x p lo ita tio nT o o ls P rivile g eE s c a la tio n Ef M a in ta in in gA c c e s s ^ R e v e rs eE n g in e e rin g I R F ID T O o ls O

Forensic!* KCporting Tools ( P services y Miscellaneous
.-f * Network Exploitanor Tools Web Exploitation Tools
D a ta b a s eE x p lo ita tio nT o o ls ^
Wireless Exploitation Tools Social E jifM 9 | Physical Exploitation Open Source Exp loited ,h set \ 3
a
9 9
BEEF XSS Framework HoneyPots
11 Social Engineering Toolkit
<< back track
F IG U R E 3.1: Launching S E T in BackTrack
3.
f f is E T has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.
A T e r m in a l window for SET will appear. Type agree to the terms of service.
File Edit V iew Term inal Help THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
and press
E n te r
to
DAMAGE.
The above li c e n s i n g was ta k e n fro m th e BSD lic e n s i n g a n d ^ is a p p lie d t o S o c ia l-E n g in e e r T o o l k i t as w e l l . ___ " * ^ 1 N ote t h a t th e S o c ia l- E n g in e e r T o o l k i t i s p r o v id e d as i s , and i s p e n -s o u rc e a p p lic a t i o n . M r
3
r o y a lt y f r e e
F e e l f r e e t o m o d ify , u s e , c han ge, m a rk e t, do w h a te v e r u w a n t w i t h i t a f lo n g a s you g iv e th e a p p r o p r ia te c r e d i t w here c r e d i t i s due (w h ic h means g i v in g th e a u th o r s th e c r e d i t t h e y ife s e r v e f o r w r i t i n g i t ) . A ls o n o te t h a t by u s in g t h i s s o f tw a r e , i f you e v e r see th e c r e a t o r o f SET i n a b a r , you a re r e q u ir e d t o g iv e him a hug and buy him a b e e r. Hug m ust l a s t a t le a s t 5 s e c o n d s . A u th o r h o ld s th e r i g f t t t o re fip s e th e hug o r th e b e e r . f | ^ \ \ T ^ ^ * c M 1- E t l^ e e r T A lk it W s r y T ig f lf ijp y e ly good pn<r f l o t ' B k i l . I f y o u \a r e J t a ^ op I ^ S 4a t h * t o o l f o f l rcaj f c j B u ^ p u r J ^ e t h a r ^ r c 1 \ n W c r a t h O T f t f l b ^ t h e l: o m p a n y * y m j a r e ^ r e r f O T ll a ^ e s s e r r ^ J ou a r e v i o l a t in g t h e te rm s o f s e r v i e and li c e n s e o f t h i s t o o l s e t . B^ r t tin q X yes ( o n ly one t im e ) , you a g re e t o th e te rm s o f s e r v ic e a n d T n a t y o u w i l l o n ly us e t h i s t o o l f o r l a w f u l p u rp o s e s o n ly .
Q The web jacking attack is performed by replacing the victim s browser with another window that is made to look and appear to be a legitimate site.
F IG U R E 3.2: S E T Service Agreement option
4.
You will be presented will a list of menus to select the task. Type 1 and press E n te r to select the S o c ia l - E n g in e e r in g A t t a c k s option.
File Edit V iew Term inal Help Homepage: h ttp s : / /w w w . t r u s t e d s e c . c o m [
Welcome t o th e S o c ia l- E n g in e e r T o o l k i t ( S E T J j.Y o u r one s to p shop f o r a l l o f y o u r s o c ia l- e n g in e e r in g n e e d s . ^ , J o in us on ir c . f r e e n o d e . n e t i n c h a n n e l # s e J o lk it
f f is E T allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads.
The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trusted5ec.com

S e le c t fro m th e menu: J 1) S o c ia l- E n g in e e r in g A t ta c k s I 2) F a s t- T ra c k P e & t r a t io n T e s t in g 3 T h ir d p .n rty M odules 4) U p date th e M e ta s p lo it S ra n e i/o rk 5 ) U p date th e S o c ia l- E n g in e e r T o o lk it 6 ) U pdate SET c o n f ig u r a t i o n 7) H e lp , C r e d it s , and A b out 99) E x i t t h e S o c ia l- E n g in e e r T o o lk it _
F IG U R E 3.3: S E T Main menu
5.
A list of menus 111 Social-Enguieermg Attacks will appear; type 2 and press E n te r to select W e b s i te A t t a c k V e c to r s .
T e r m in a l File Edit V iew Term inal Help J o in us on ir c . f r e e n o d e . n e t i n c h a n n e l # s e t o o lk 1 t
The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com C Q t i! e Social-Engineer Toolkit "W eb Attack" vector is a unique way of utilizing multiple webbased attacks in order to compromise the intended victim.
S e le c t fro m th e menu: 1) S p e a r -P h is h in q A t ta c k Vec t o r s | 2) W e b s ite A t ta c k V e c to r s | 3) I n f e c t io u s M edia G e n e ra to r 4 ) C re a te a P a y lo a d and L is t e n e r _ 5) Hass M a ile r A t ta c k I 6 ) A rd u in o -B a s e d A t t a c k v e c t o r g | ^ % S M S S p o o fin g A tta c k V e c t o r 8) W ir e le s s A c c e s s P o in t A t ta c k V e c to r 9 ) QRCode G e n e ra to r A t t a c | V e c to r 10) P o w e rs h e ll A t ta c k V e c t l r s 11) T h ir d P a r ty M odules 99) R e tu rn b ack t o t h e m ain menu.
I A
>r5s____________________________________________________
F IG U R E 3.4: Social Engineering Attacks menu
6. 1 1 1 the next set of menus that appears, type 3 and press the C r e d e n tia l H a r v e s t e r A t ta c k M e th o d
File Edit View Term inal Help
E n te r
to select
0 3 Th e Credential Harvester Method w ill utilize web cloning o f a website that has a username and password field and harvest all die information posted to die website.
and th e B a c k |T ra c k team . T h is method u t i l i z e s !fr a m e re p la c e m e n ts t o make th e h ig h li g h t e d URL l i n k t o a p p e a r l e g it im a t e how ever *tf 1en c lic k e d a w indow pops up th e n i s re p la c e d w i t h th e m a lic io u s l i n k . You can e d i t th e l i n k re p la c e m e n t s e t t i n g s i n th e s e t^ c o n F ig i f i t s to n fc * k o /f a s t. The M u lt i- A t t a c k method w i l l add a c o m b in a tio n o f a t ta c k s th ro u g h th e web a t t a c Jr menu. F o r exam ple you can u t i l i z e th e Java A p p le t , M e t a s p lo it B ro w s e r, C r e d e n tia l H a rv e s te r/T a b n a b b in g , and th e Man L e f t i n th e M id d le a t t a c k a l l a t once t o see w h ic h i s s u c c e s s f u l. m. 1) Java A p p le t A t ta c k Method 2) M e ta s p lo it B row ser E x p lo i t Method I 3) C r e d e n tia l H a rv e s te r A t ta c k Method |
4) Tabnabbing Attack Method

5) 6) 7) 8) 9) Man l e f t i n t h e M id d le A t ta c k M ethod Web J a c k in g A t ta c k Method M u lt i- A t t a c k Web H e th o l V ic t im Web P r o f i l e r C re a te o r im p o r t a C o d e S ig n in g C e r t i f i c a t e
a c k U
99) R e tu rn t o M ain Menu

s e t :w e b a tta c k j3 B 1
F IG U R E 3.5: website Attack Vectors menu
7. Now, type 2 and press menu.
E n te r
to select the S i t e
C lo n e r
option from the
T e r m in a l File Edit V iew Term inal Help 9 ) C re a te o r im p o r t a C o d e S ig n in g 99) R e tu rn t o M ain Menu M
CQt1 1 e Site Cloner is used to done a website o f your choice.
s e t : w e b a tta c k >3 The f i r s t m ethod w i l l a llo w SET t o im p o r t *!' l i s t o f p r e - d e f in e d web a p p lic a t i o n s t h a t i t can u t i l i z e w i t h i n th e a t t a c k . The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e . I h e t h i r d m ethod a U o w s y o u jt o im p o r t y o u r own w e b s ip ;, n o te t ^ a t you S h o u ld o n ly have a lt' in d e x . h tm l when u s in g th e im p o r t W e b s ite
fu n c tio n a lity ^ ^ * Y jF
1) Web T e m p la te s 12) S i t e C lo n e r ! 3) Custom Im p o rt v I I
^ 3 4
IV
) /
\ -
99) R e tu rn t o W e b a tta c k Menu ;e t: w e b a tt a c k a E f| _______________
F IG U R E 3.6: Credential Harvester Attack menu
Type the
of your BackTrack virtual PC 111 the prompt lor IP and press E n te r. 1 1 1 tins example, the IP is 10.0.0.15
IP a d d r e s s a d d r e s s f o r t h e P O S T b a c k in H a r v e s t e r /T a b n a b b i n g
* T e r m in a l
File Edit V iew Term inal Help
COS t 1 1 e tabnabbing attack mediod is used when a victim has multiple tabs open, when the user clicks die link, die victim w ill be presented with a Please wait while the page loads . W hen the victim switches tabs because he/she is multi-tasking, die website detects that a different tab is present and rewrites die webpage to a website you specify. The victim clicks back on the tab after a period o f time and diinks diey were signed out o f their email program or their business application and types the credentials in. W hen the credentials are inserts, diey are harvested and the user is redirected back to the original website.
a p p lic a t i o n s t h a t i t
can u t i l i z e
w ith in th e a tta c k .
The second m ethod w i l l c o m p le te ly c lo n e a w e b s ite o f y o u r c h o o s in g and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c lo n e . The t h i r d m ethod a llo w s you t o im p o r t y o u r own w e b s ite , n o te t h a t you s h o u ld o n ly have an in d e x . h tm l when u s in g th e im p o r t w e b s ite f u n c tio n a lit y . 1) Web T e m p la te s 2 ) S i t e C lo n e r 3) Custom Im p o rt 1 9 9 ) R e tu rn t o W e b A ta c k Menu I / . * |
'
J[jL S ir br
set
:
t - 1 C r e d e n tia l h a r v e s t e r w i l t a llo w you t o u t i l i z e
r3
t h e c lo n e c a p a b i l i t i e s w i t h in
[-1 t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p ie c e them in * to a re p o rt [-1 T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o . [ - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s
> IP address for the POST back in Harvester/Tabnabbina:110. 0.0 . 1s|

F IG U R E 3.7: Providing IP address in Harvester/Tabnabbing
Now, you will be prompted for a URL to be cloned, type the desired URL for E n t e r t h e u rl t o c l o n e and press E n te r . 1 1 1 tins example, we have used w w w . f a c e b o o k . c o m . Tins will nntiate the cloning of the specified website.
T e r m in a l
File Edit View Term inal Help and a llo w you t o u t i l i z e th e a t t a c k v e c t o r s w i t h i n th e c o m p le te ly same web a p p lic a t i o n you w e re a t te m p t in g t o c l o n e T ^ ^ ^ ^ ^ ^ ^ The t h i r d m ethod a llo w s you t o im p o r t - y m jr own w e b s it e , n o te t h a t you s h o u ld o n ly have an in d e x . h tm l when u s in g t h e im p o r t w e b s ite f u n c tio n a lit y . 1) Web T e m p la te s 2 ) S i t e C lo n e r 3) Custom Im p o rt 99) R e tu rn t o W e b a tta c k Menu : w e b a tta c k >2 C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e
CQ t1 1 e web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.
[]
c r e d e n t ia ls f rom a w e b s ite as w e ll a s p la c e them i r to a re p o rt I ^ % I % I V J 1 a t IP th e s e r v e r w i l l POST t o . V ^ [-] T h is o p t io n i s used f o r | hha [ ] I f y o u 'r e u s in g an e x t e r n a l IP , use y o u r e x t e r n a l IP f o r t h i s s e t : w e b a tta c k > IP a d d re s s f o r t h e POST back i n H a r v e s te r /T a b n a b b in g :1 0 .0 .0 .1 5 [ ] SET s u p p o rts b o th HTTP and HTTPS [ - ] Exam ple: h t t p : //w w w . t h i s i s a f a k e s i t e . com____________ ; e t : w e b a tta c k > E n te r th e u r l t o c lo n e :Rvww. fa c e b o o k . com !
Jr> [ ] to h a rv e s t
1 T JT o r p a ra m e te rs
t h e c lo n e c a p a b i l i t i e s w i t h i r
3r A
F IG U R E 3.8: Providing U R L to be cloned
10. Alter cloning is completed, the highlighted message, as shown 111 die following screenshot, will appear on the T e r m in a l screen ot S E T . Press E n te r to continue. 11. It will start Credential Harvester.
1333I f you re doing a penetration test, register a name thats similar to the victim, for Gm ail you could do gmail.com (notice the 1), something similar diat can mistake the user into thinking its die legitimate
File Edit V iew Term inal Help 99) R e tu rn t o W e b a tta c k Menu s e t : w e b a tta c k >2 [-1 C r e d e n tia l h a r v e s t e r w i l l a llo w you t o u t i l i z e
51
th e c lo n e c a p a b i l i t i e s w i t h i n
SET
[ - ] t o h a r v e s t c r e d e n t ia ls o r p a ra m e te rs fro m a w e b s ite as w e ll as p la c e them i n to a re p o rt [ - ] T h is o p t io n i s used f o r w h a t IP th e s e r v e r w i l l POST t o . t - J I f y o u 'r e u s in g an e x t e r n a l I P , use y o u r e x t e r n a l IP f o r t h i s s e t : w e b a tta c k > IP a d d re s s f o r th e POST back i n H a rv e s te r /T a b n a b b in g :1 0 .0 .0 .1 5 { - ] SET s u p p o rts b o th HTTP and HTTPS I - ] Exam ple: h t t p : / / w w w . t h is i s a f a k e s it e . c o m I s e t : w e b a tta c k > E n te r t h e u r l t o c lo n e : w w w .fa cebook.com
b
[*] [* j
C lo n in g th e w e b s ite : h t t p s : / / l o g in . f a c e b o o k . c o m / lo g i n . p h p T h is c o u ld ta k e lit t le b it... 1 I J
Trie b e v Ttoaie fteu tfm.k i J
11
fokc
f i e l d s a r e a v a i la b le . R e g a rd le s s , K h i [ ! ] I have read th e above message. P re s s < r e t u r i t o c o n tin u e
POSTs on a w e b s ite .
F IG U R E 3.9: S E T Website Cloning
12. Leave the Credential Harvester Attack to fetch information from the victims machine.
* Terminal File Edit View Terminal Help

m When you hover over the link, die U R L will be presented with the real URL, not the attackers machine. So for example if youre cloning gmail.com, the U R L when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious Webserver. Remember you can change the timing of the webjacking attack in die config/set_config flags.
[-] Cred en tial harvester w i l l allow you to u t i l iz e the clone c a p a b ilit ie s w ith in [-] to harvest cred e n tia ls or parameters from a website as w e ll as place them in to a report [] This option i s used fo r what IP the se rv e r w i l l POST to . _ * a * * ' [-] I f you 're using an extern al IP , use your external IP fo r th is s e t :webattack> IP address fo r the POST back in H a r v e s t e r / T a b n a b b in g :lf^ ^ ^ ^ ^ [-] SET supports both HTTP and HTTPS [-1 Example: http://w w w .thisisafakesite.com s e t :webattack> Enter the u r l to clo n e :www.facebook.com [* ] Cloning the w ebsite: https://login.facebook.com /login.php [*j This could take a l i t t l e b i t . . . The beat way to use t h is a t t a c k i i f f ie ld s f t r g ava ila b le . R e jr d le s s . hi l ! ] I have read the above message. sername and password torm ftp tu res al POSTs A a webs
SE T
Press
to continue
] Social-Engineer T o o lk it Cred en tial Harvester A ttack , j Cred en tial Harvester i s running on port 80 ] Information w i l l be displayed to you as i t a rriv e s below:
F IG U R E 3.10: SET Credential Harvester Attack
13. N o w , y o u h a v e to s e n d th e IP a d d r e s s o f y o u r B a c k T r a c k m a c h in e to a v ic tim a n d tric k h im o r h e r to c l i c k t o b r o w s e th e I P a d d re s s . 14. F o r tin s d e m o , la u n c h y o u r w e b b r o w s e r 111 th e B a c k T r a c k m a c h in e ; la u n c h y o u r fa v o rite e m a il se rv ic e . 1 1 1 th is e x a m p le w e h a v e u s e d w w w .g m a i l.c o m . L o g in to y o u r g m a il a c c o u n t a n d c o m p o s e a n em ail.
0=5! Most of the time they wont even notice the IP but its just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in die fields, you will notice that we can intercept the credentials now.
F IG U R E 3.11: Composing email in Gmail
15. P la c e th e c u r s o r 111 th e b o d y o f t 1 e e m a il w h e r e y o u w is h to p la c e th e fa k e U R L . T h e n , clic k th e L in k

CO
ic o n .
Compose Mail 9 ) >flma1l.com * Gmail Mozilla Firetox Ejle Edit yiew H is to ry flook marks Ipols Help
S' ^
f i http
google.com/nîl,
T C | 121 Google
Q,
|BackTrack Lnux Hotfe nsiwe Security |lExploit DB Âircrack-ng J^SomaFM Gmail Documents Calendar More 0 D iscard Labh Dr a f tautosaveti at 10:4a A M ( 0 minutes ago) + Share
G 0 v g le
o
I
Inbox SUrrwJ Important Sert Mail Drafts ( 2 ) C i r c l e s
j@yahoo.com,
Add Cc Add Bcc Su bject @TOI F -Party Pict u r e s
A tta c han o
B H oilo Sam. PI4m c l i c kt h i sl i n kl o view U > * w # k t 11d ( v t r t yp i c t ure* a t TGIF wflh thw cmMxMim* Regards. I y T rT * A T [ oo|t= IE 5 i* 5 s * ^ 1% Plain T oxt chock s p o i l i n g
m.
Search chat or SU'
F IG U R E 3.12: Linking Fake U R L to Actual U RL
16. 111 th e E d it L in k w in d o w , firs t ty p e d ie a c tu a l a d d re s s 111 th e W e b a d d r e s s fie ld u n d e r th e L in k t o o p ti o n a n d th e n ty p e d ie fa k e U R L 111 d ie T e x t t o d i s p l a y h e ld . 111 th is e x a m p le , th e w e b a d d re s s w e h a v e u s e d is h tt p :/ / 1 0 .0 .0 .1 5 a n d te x t to d is p la y is w w w .f a c e b o o k .c o m / R in i TG IF. C lic k OK

Compose Mail < . ) g)gmail.com - Gmail Mozilla Firetox
tile Edit yiew History flookmarks !pols Help

IMC Compose Mail *
3 !5
|BackTrack Lnux Rlni Search
rap
googie.com Âircrack-ng j^r >omaFM
I f l r Google
Q .
ensiwe Security ||Fxploit DB Images Maps Play YouTube
G o .)g Ie
Dr a f teutosaved at 10:45 A M ( 0 minutes ago)
Inbox Starred Important Sent Mai Drafts ( 2 ) C i r c l e s JunkE-mal
X Edit Link Toxt t oa i e p i a y :Lw ( Vfacebook com/Rini TG 1f ] Q Ur* t o . 0 Web address C Email *** To what URL should this link go? |wtp0.0.15 10 / | Q Th > I( 1 | IK* Not ure w r h a ttoput I ntheboxT rm f hdt * * imgeant h et * o bfat youw a n rt oI n kt o( A s c a r cheroine m o t t tbe u s e f u l . )Then ceoy 1 e ate addr e s s*romt h ebox h y o u rb r o w s e r ' s a dd r o s oQ o r and p o t t oi t 140t n obox aoov
OK
Cancel
F IG U R E 3.13: Edit Link window
17. T h e fa k e U R L s h o u ld a p p e a r 111 th e e m a il b o d y , as s h o w n 111 th e fo llo w in g s c r e e n s h o t.
Ejle Edit
Compose Mail ......... (g>gm a1l.com * Gmail Mozilla Firefox H is to ry flook marks Ipols Help
gBackTrack Linux |*|Offensive Security |[JjExploit-DB Âircrack-ng jgjjSomaFM
G 0 v g le
Saved D iscard Labels Dr a f tautnsaved at 11:01 A M ( 0 minutes ago)
c a The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all die information posted to the website.
To Inbox
@yahoo com, Add Cc Add Bcc
SUrred
Important Serf Mail Drafts ( 2 ) C i r c l e s Subjed
TGIF- Party Pict u r e s Attach a 1 0
Sf B Hello Sam.
U T - T - A, T - oo | - IE 3
is H
=3 ^
, piain roxt
chock s p o i l i n g '
Pt-*M c l i c kt h i sI l f i k jwww
t : < m 1. R l n l TfilFjl ov l t wI I * -
pa r l y picture a t TGIF with th* ceMvttlM
Koqaroe.
S e a rc h1
9 *
F IG U R E 3.14: Adding Fake U R L in the email content
18. T o v e rity th a t th e fa k e U R L is lin k e d to d ie a c tu a l U R L , c lick th e fa k e U R L a n d it w ill d is p la y th e a c tu a l U R L as G o t o lin k : w ith th e a c tu a l U R L . S e n d th e e m a il to th e in t e n d e d u se r.

x Co m p o s e Mail ipgmml.com - Gmail Mozilla Firefox
File d 1 t yie* History gookmarks !0015 ftelp
M Compose Mail -
5r'
oogle.com
rg| |>|t r.o cin le Q ,

YouTube + Share D iscard Labels D r a f t autosaved at 11 : 0 1 AM ( 0 minutes ago) FI
A Track Linux |Offensive Security |lExploit-DB JÂircrack-ng fefiSomaFM ages Maps Play
G o u g le
@yahoo.c
L i some cases when youre performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes die attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the W EBA TTA C K _SSL to ON. If you want to use self-signed certificates you can as well however there will be an untrusted warning when a victim goes to your website
m
Inbox Starred Important Serf M s Drafts ( 2 ) Ci r c l e s JunkE-mal
Add Cc Add Bcc Sucject @TGi F - Party P ictures Attach a no B I U T tT * A M jE IE = 1 M E = 1 /x Plain Text Check Spelling-
Please c l i c kt h i sl i n k ww\v.facebook.CQfr!<Rini TGIF 10 view the wee*end party p i c t u r e sa t TGIF with the c e l e b r i t i e s r c p g j r c f c | Go to l i n k . htlp:f/10.0.0.1y -Chanoo Remove y |
F IG U R E 3.15: Actual U R L linked to Fake U RL
19. W h e n th e v ic tim c lick s th e U R L , h e o r sh e w ill b e p r e s e n te d w ith a re p lic a o f F a c e b o o k .c o m 2 0. T h e v ic tim w ill b e e n tic e d to e n te r 111s o r h e r u s e r n a m e a n d p a s s w o r d in to th e f o r m field s as it a p p e a rs to b e a g e n u in e w e b s ite . W h e n th e v ic tim e n te r s th e U s e r n a m e a n d P a s s w o r d a n d click s L o g In, it d o e s n o t a llo w lo g g in g in ; in s te a d , it r e d ire c ts to th e le g itim a te F a c e b o o k lo g in p a g e . O b s e r v e th e U R L in th e b ro w s e r.
m H ie multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors you specify. One tiling to note with the attack vector is you cant utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack.
facebook
Sign Up Connect and share with the people in your Ife.
Tarpbook 1ogin (m art or t*h o n *: Passw ord: ---| 1Keepme lowed in
o r Sigau pfor taceto oo k

Forgoty o u ro s s s *v o rd ?
f c n g i s t ) !kwo fflOjOge =33and Rrtugjes ( = t
F3Lcb5x S 2012
Moble F i n dF r i e n d s Eodces Peo p l e Poqcs A f c c u t Crca* er Ad C reate a Page Developers Careers P r i v a c y C o a t s e s Terre
Q log1n |h > cbook
m
\1
|Save password Never for this site
<
1< H C S|hnp3:;;www.face&oolccom/10gm.php| | ^ Do you want Google Chrome to save your password? facebook
Skjii Up C u arM H .1 and slur** with the p tM ip k* 1 1 1your lit*.
Facebook Login
The multi attack vector utilizes each combination of attacks and allows the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage die attack vector. When youre finished be sure to select the I m finished' option.
m
Em ai or Phone;
Password:
Keepme l oggedm
c Sum upforTaccbook
Fo r g o tr o u tD s*crcP
C n g la h(U S] VMI
*In -JI
O v/u & A j< B D
[xa'd Fwtuje OwO
r arK ab(F ra n ce )
Ftctboot e
2012
M odI * h i n di n * n d cB a t i g c cpl Hg*c A f c c u t
j *1 ar A d
C raaca a P*g L ' / * cprc L ar* * r c! * r v a c y4 _! o o k c !*rr*
m
FIG U R E 3.16: Fake and Legitimate Facebook login page
2 1 . A s s o o n th e v ic tim ty p e s 111 th e e m a il a d d re s s a n d p a s s w o rd , th e S E T T e r m in a l 111 B a c k T r a c k f e tc h e s th e ty p e d u s e r n a m e a n d p a s s w o rd , w h ic h c a n b e u s e d b y a n a tta c k e r to g a m u n a u th o r iz e d a c c e ss to th e v ic tim s a c c o u n t.
* v x Terminal
[ * ] Social-Engineer Toolkit Credential Harvester Attack. [* j Credential Harvester is running on port 80 [ * j Information will be displayed to you as i* ~ hrl" 10.0.0.2 - - [26/Sep/2012 11:10:41] GET / HTTP/1.1 200 [* ] WE GOT A HIT! P rin tin g the output:
Social Engineer Toolkit Mass E-Mailer

m
There are two options on the mass e-mailer; the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.
PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM PARAM PARAM PARAM
lsd=AVqgmkGh return session=0 legacy return=l display session key only=0 trynu!n=l charset test=, timezone=-330 lgnrnd=224034 ArY/U
f l ,
0OSSI POSSIBfe p J ^ n m | F K L D F * % ) :
PARAM: default persistent= Q

POSSIBLE USERNAME FIELD FOUND: lo.n=Log+In [ ] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
F IG U R E 3.17: SET found Username and Password
2 2. P re s s C TR L +C to g e n e ra te a r e p o r t t o r th is a tta c k p e rf o rm e d .
/v v x Terminal
m The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.
PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM: PARAM:
lsd=AVqgmkGh return session=0 legacy return=l display session key only=0 trynu1 =l charset t e s t = , / K , f l , tiraezone=-540 Ignrnd=224034 ArYA lgnjs=n
POSSIBLE USERNAME FIELD FOUND: emai l ' POSSIBLE PASSWORD FIELD FOUND: pass=test
PARAM: default persistent=0

POSSIBLE USERNAME FIELD FOUND: l 0 gin=L0 g+In [* ] WHEN YOU'RE FIN ISHED -HIT C0N1R0L-C C TO GENERATE A REPOftf.
'C[*] ftle exported to r Jwkts/20-09-fc ts/20K-09-26 1 15::49:15.S4ftl5.lfL for
H IE * * RasnM r w i W IV
W l WA V f I X
your
[ ] File in XML format exported t ( | reports/2012-09-26 15:49:15.5464l^.x j r reading pleasure... Press <retur1 to continue
F IG U R E 3.18: Generating Reports through SET
L a b A n a ly s is
A n a ly ze a n d d o c u m e n t d ie resu lts re la te d to d ie la b exercise.
T o o l/U tility
I n f o r m a tio n C o ll e c te d / O b j e c ti v e s A c h ie v e d P A R A M : ls d = A V q g m k G 1 1 P A R A M : r e t u r n _ s e s s io n = 0 P A R A M : le g a c y _ re tu r n = 1 P A R A M : d is p la y s P A R A M : s e s s io n _ k e y _ o n ly = 0
S o c ia l E n g in e e r in g T o o lk it
P A R A M : tr v n u m = 1 P A R A M : c h a r s e t_ te s t= ,', ,', P A R A M : tim e z o n e = - 5 4 0 P A R A M : lg n r n d = 2 2 4 0 3 4 _ A rY A P A R A M : lg n j s = n e m a 11 = s a m c h o a n g @ y a h o o .c o m p a s s = te s t@ 1 2 3
P L E A S E
T A L K
T O
Y O U R
I N S T R U C T O R T O T H I S
I F
Y O U
H A V E
Q U E S T I O N S
R E L A T E D
L A B .
Q u e s t io n s
1. E v a lu a te e a c h o f th e fo llo w in g P a ro s p ro x y o p tio n s: a. b. c. d. T ra p R e q u e st T ra p R e sp o n se C o n tin u e b u tto n D r o p b u tto n
I n te r n e t C o n n e c tio n R e q u ire d 0 Y es P la tfo rm S u p p o rte d 0 C la s s ro o m !L a b s No

CEH v8 Labs Module 09 Social Engineering PDF

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

CEH v8 Labs Module 09 Social Engineering PDF

Caricato da

Copyright:

Formati disponibili

CEH Lab Manual

C E H Lab Manual Page 675

C E H Lab Manual Page 676

C E H Lab Manual Page 677

Delecting Phishing Using Netcraft

Valuable / information .*v Test vour

C E H Lab Manual Page 678

To carry out tins lab you need:

d e m o n s tr a t e d in t h i s la b a r e a v a ila b le in D:\CEHT o o ls\C E H v 8 M o d u le 09 S o c ia l E n g in e e rin g

You can also download the latest version of link http://toolbar.netcralt.com/

If you decide to download the the lab might differ

then screenshots shown

A n ti-P h ish in g T oo l bar

C E H Lab Manual Page 679

* | Windows Server 2012

F IG U R E 1.1: Windows Server 2012-Start Menu

app to launch the browser.

F IG U R E 1.2: Windows Server 2012-Start Menu Apps view

Why u tt Ntcraft Toolbar?

U Protect your taviitQf fromI'hM htnq attack*,

F IG U R E 1.3: Netcraft toolbar downloading Page

C E H Lab Manual Page 680

[QQ Netcraft is an Internet services company based in Bath, England.

F IG U R E 1.4: Netcraft toolbar Installation Page

8. Click A llo w to download Netcraft Toolbar.

a t 1 0 c * .n e < r< ft< o m )I d < ti

N*teH Antl-PNhl0< Todhtr

F IG U R E 1.5: Netcraft toolbar Installation-Allow button

S o ftw a r e In s ta lla tio n

dialog box appears, click I n s ta ll

F IG U R E 1.6: Installing Netcraft Toolbar

C E H Lab Manual Page 681

l __ Risk Rating displays the trustworthiness of die current

F IG U R E 1.7: Restarting Firefox browser

F IG U R E 1.8: Netcraft Toolbar on Mozilla Firefox web browser

to show the report of the site.

0=5! Site report links to : detailed report for die

F IG U R E 1.9: Report generated by Netcraft Toolbar

C E H Lab Manual Page 682

F IG U R E 1.10: Warning dialog for blocked site

. ! ! ! ! ! P h K M n gS *oH lo c k c x l %lll t ... :m;.

C E H Lab Manual Page 684

gfe W eb exercise W orkbook re \

C E H Lab Manual Page 685

your responsibility to educate employees information.

best practices for protecting

C E H Lab Manual Page 686

23 Windows Server 2012

app to launch the browser.

F IG U R E 2.2: Windows Server 2012-Start Menu Apps view

4. Type h tt p :/ /w w w .p h is h ta n k .c o m and press E n te r. 5. You will see the follow ing

address bar of the web browser

Jo in tie fiylitayaiittt ptiialiiiKj

S u to m rts ts p sd g d p h sh e s Track th eUatis o fy o u rsuhmfyaons Develop s o ftw a r ew itho u rfr e eAPI.

m .cvnPM /iM lct.K n i

F IG U R E 2.3: Welcome screen o f PhishTank

C E H Lab Manual Page 687

Jo in the fight against phishing

r ttp //K iJ p ta V .ItM tU c e m

> m iftLIm m u p > .le 0p irn

*MhTink provttet oh An tar

F IG U R E 2.4: Checking for site