8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
1/28
CEH Lab Manual
S o c i a l E n g i n e e r i n g
M o d u l e 0 9
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
2/28
Module 09 - Social Engineering
Social EngineeringS o c ia l engineering is the a rt o f con vincing peo ple to reve al co n fid en tial in fo n m tio n .
L a b S c e n a r i o
Source: http:/ / monev.cnn.com/2012/08/O/technology/walmart-liack-de Icon/index, htm
Social engineering is essentially the art of gaining access to buildings, systems,01data by exploiting human psychology, rather than by breaking 111 01usingtechnical hacking techniques. The term social engineering can also mean anattempt to gain access to information, primarily through misrepresentation, andoften relies 011 the trusting nature of most individuals. For example, instead oftrying to find software vulnerability, a social engineer might call an employee
and pose as an IT support person, trying to tiick the employee into divulging111s password.
Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employeeinto giving 111111 information that could be used 111 a hacker attack to win acoveted black badge 111 the social engineering contest at the Deleonhackers conference 111Las Vegas.
111 tins year's Capture the Flag social engineering contest at Defcon, championShane MacDougall used lying, a lucrative (albeit bogus) government contract,and 111s talent for self-effacing small talk to squeeze the following informationout of Wal-Mart:
The small-town Canadian Wal-Mart store's janitorial contractor
Its cafeteria food-services provider
Its employee pay cycle
Its staff shift schedule
The time managers take thenbreaks Where they usually go for lunch
Type of PC used by the manager
Make and version numbers of the computer's operating system, and
Its web browser and antivirus software
Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken 111to the extent of coughing up so much scam-worthy treasure.
Calling from 111s sound-proofed booth at Defcon MacDougall placed anurgent call, broadcast to the entire Deleon audience, to a Wal-Mart storemanager 111 Canada, introducing liinisell as "GanDarnell" from Wal-Mart'shome office 111Bentonville, Ark.
I C O N K E Y
/ Va l uab l e
i n f o r m a t i o n
^ Test your
*5 W eb exercise
Q Workbook revie
Eth ical H acking and Countenneasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 675
http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-http://monev.cnn.com/2012/08/O%d6%be%d6%be/technology%d6%be/walmart-liack-8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
3/28
Module 09 - Social Engineering
The role-playing visher (visliing being phone-based phishing) told the managerthat Wal-Mart was looking at the possibility of winning a multimillion-dollargovernment contract.
Darnell ' said that 111s job was to visit a few Wal-Mart stores that had beenchosen as potential pilot locations.
But first, he told the store manager, he needed a thorough picture of how thestore operated.
111 the conversation, which lasted about 10 minutes, Darnell describedhimself as a newly lured manager of government logistics.
He also spoke offhand about the contract: All I know is Wal-Mart can make aton of cash off it, he said, then went on to talk about his upcoming visit,keeping up a steady patter about the project and life 111Bentonville, Crowleywrites.
As if tins wasn't bad enough, MacDougall/Darnell directed the manager to anexternal site to fill out a survey 111preparation for 111s upcoming visit.
The compliant manager obliged, plugging the address into 111sbrowser.
When his computer blocked the connection, MacDougall didn't miss a beat,telling the manager that he'd call the IT department and get the site unlocked.
After ending the call, stepping out of the booth and accepting 111s well-earnedapplause, MacDougall became the first Capture the Flag champion to captureevendata point, or flag, on the competition checklist 111 the three years it hasbeen held at Defcon. Defcon gives contestants two weeks to research their
targets. Touchy information such as social security numbers and credit cardnumbers are verboten, given that Defcon has no great desire to bring the lawdown on its head.
Defcon also keeps its nose clean by abstaining from recording the calls, whichis against Nevada law. However, there's no law against broadcasting calls live toan audience, which makes it legal for the Defcon audience to have listened as]MacDougall pulled down Wal-Mart's pants.
MacDougall said, Companies are way more aware about their security. Theyvegot firewalls, intrusion detection, log-in systems going into place, so its a lotharder for a hacker to break 111these days, or to at least break in undetected. Soa bunch of hackers now are going to the weakest link, and the link that
companies just arent protecting, which is the people.\
MacDougall also shared few best practices to be followed to avoid falling victimto a social engineer:
Never be afraid to say no. If something feels wrong, something iswrong
An IT department should never be calling asking about operatingsystems, machines, passwords or email systemsthey already know
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 676
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
4/28
Module 09 - Social Engineering
Set up an internal company security word of the day and dont give anyinformation to anyone who doesnt know it
Keep tabs 011whats 011 the web. Companies inadvertently release tons
of information online, including through employees social media sites
As an expert e t h i c a l h a c k e r and p e n e t r a t i o n t e s t e r , you should circulate thebest practices to be followed among the employees.
L a b O b j e c t i v e s
The objective of this lab is to:
Detect phishing sites
Protect the network from phishing attacks
To earn* out diis lab, you need:
A computer nuuiing Window Seiver 2012
A web browser with Internet access
L a b D u r a t i o n
Time: 20 Minutes
O v e r v i e w S o c i a l E n g i n e e r i n g
Social engineering is die art of convincing people to reveal confidential information.Social engineers depend 011 the fact that people are aware of certain valuable
information and are careless 111protecting it.
L a b T a s k s
Recommended labs to assist you 111social engineering:
Social engineering
Detecting plusliuig using Netcraft
Detecting phishing using PliishTank
L a b A n a l y s i s
Analyze and document the results related to the lab exercise. Give your opinion 011your targets security posture and exposure.
P L E A S E T A L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S
R E L A T E D T O T H I S L A B .
& T o o l s
d e m o n s t r a t e d i n
t h i s l a b a r e
ava i lab le in
D:\CEH-
Tools \CEHv8
Module 09 Soc ia lE n g in e e r in g
T A S K 1
Overv iew
Eth ical H acking and Countemieasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 677
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
5/28
Module 09 - Social Engineering
Delecting Phishing Using NetcraftN etrm ftp rov id es neb server and neb hosting w arket-sha re an a lysis, in clu d in g n 'eb
se rver an d o p erating system detection .
L a b S c e n a r i o
By now you are familiar with how social engineering is performed and what sortot information can be gathered by a social engineer.
Phishing is an example of a social engineering technique used to deceive users,and it exploits the poor usability of current web security technologies.
Phishing is the act of attempting to acquire information such as user names,passwords, and credit card details (and sometimes, indirectly, money) bymasquerading as a trustworthy entity 111 an electronic communication.Communications claiming to be from popular social websites, auction sites,online payment processors, 01IT administrators are commonly used to lure theunsuspecting public. Phishing emails may contain links to websites that areinfected with malware. Phishing is typically carried out by email spoofing 01instant messaging and it often directs users to enter details at a fake websitewhose look and feel is almost identical to the legitimate one.
Phishers are targeting the customers of banks and online payment services.They send messages to the bank customers by manipulating URLs and websiteforger\T. The messages sent claim to be from a bank and they look legitimate;users, not realizing that it is a fake website, provide their personal informationand bank details. Not all phishing attacks require a fake website; messages that
claim to be from a bank tell users to dial a phone number regarding problemswith their bank accounts. Once the phone number (owned by the plusher, andprovided by a Voice over IP service) is dialed, it prompts users to enter theiraccount numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
Since you are an expert e t h i c a l h a c k e r and p e n e t r a t io n t e s t e r , you must beaware of phishing attacks occurring 011 the network and implement anti-
phishing measures. 111 an organization, proper training must be provided topeople to deal with phishing attacks. 111 this lab you will be learning to detectphishing using Netcraft.
I C O N K E Y
/Valuable
information
v Test vour.*
*a W eb exercise
f fi ! Workbook revi!
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 678
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
6/28
Module 09 - Social Engineering
L a b O b j e c t i v e s
Tins kb will show you phishing sites using a web browser and show you how to
use them. It will teach you how to: Detect phishing sites
Protect the network from phishing attack
To carry out tins lab you need:
N e tc r a f t is located at D:\CEH-Tools \CEHv8 M o d u le 09 S o c i a lE n g i n e e r i n g \ A n t i - P h i s h i n g T o o l b a r \ N e t c r a f t T o o l b a r
You can also download the latest version of N e tc r a f t T o o lb a r from thelink http://toolbar.netcralt.com/
If you decide to download the l a t e s t v e r s i o n , then screenshots shown111the lab might differ
A computer running Windows Server 2012
A web browser (Firefox, Internet explorer, etc.) with Internet access
Administrative privileges to run the Netcraft toolbar
L a b D u r a t i o n
Time: 10 Minutes
O v e r v i e w o f N e t c r a f t T o o l b a r
Netcraft Toolbar provides I n t e r n e t s e c u r i t y s e r v i c e s , including anti-fraud andanti-phishing services, a p p l i c a t i o n t e s t i n g , code reviews, automated penetrationtesting, and r e s e a r c h d a t a a n d a n a l y s i s on many aspects o f the Internet.
L a b T a s k s
1. To start this lab, you need to launch a web browser first. 111this lab wehave used Mozi l la Fi re fox .
2. Launch the S t a r t menu by hovering the mouse cursor on the lower-leftcorner of the desktop.
^ ~ T o o l s
d e m o n s t r a t e d i n
t h i s l a b a r e
ava i lab le in
D:\CEH-
Tools \CEHv8
Module 09 Soc ia l
E n g in e e r in g
^ T A S K 1
Anti-Phishing Tool
b a r
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 679
http://toolbar.netcralt.com/http://toolbar.netcralt.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
7/28
Module 09 - Social Engineering
JL
5
* | Windows Server 2012
!m i 2012RcIcak CanJiaatr Dot*cnv-tift lmHon copyBwOMW
Q=JYo ucau also
download the Netcraft
toolbar form
http://toolbar.11etcraft.com
F IG U R E 1.1: Windows Server 2012-Start Menu
3. Click the Mozi l la Fi re fox app to launch the browser.
F IG U R E 1.2: Windows Server 2012-Start Menu Apps view
4. To download the N e tc r a f t T o o lb a r for Mozi l la Fi re fox , enterhttp://toolbar.11etcraft.com 111 the address bar of the browser or dragand drop the n e t c r a f t _ t o o l b a r -1.7-fx .xpi file 111Firefox.
5. 111tins lab, we are downloading the toolbar from the Internet.
6. 111 Firefox browser, click D o w n l o a d t h e N e t c r a f t T o o l b a r to install asthe add-on.
SIN G LEH 3P n , ,
^
etcM i f t
Mtc-ft Toolbar
Why utt Ntcraft Toolbar?
U Protect your taviitQf fromI'hMhtnqattack*,
a seethe hoittnq tot at)or1andHtefcMataiq01evl!uatr 0*tcn*kialualon copy Hu!a MW
-g *fa
F IG U R E 2.1: Windows Server 2012-Start Menu
3. Click the Mozi l la Fi re fox app to launch the browser.
F IG U R E 2.2: Windows Server 2012-Start Menu Apps view
4. Type h t t p : / / w w w . p h i s h t a n k . c o m 111the address bar of the web browserand press E n te r .
ing5. You will see the follow
P h i s h T a n k . ..
Join tie fiylitaya iittt ptiialiiiKj
Sutomrtstspsdgdphshes TracktheUatis of yoursuhmfyaonsVerfy-r tom
lg li ia rtc usemncs.aebfu.ictscmnsraurAxroim
m.cvnPM/iMlct.Kni
01 PlushTaiik provides an
open API for developers and
researchers to integrate anti-
phishing data into dieir
applications at no charge.
F IG U R E 2.3: Welcome screen of PhishTank
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 687
http://www.phishtank.com/http://www.phishtank.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
15/28
Module 09 - Social Engineering
6. Type the w e b s i t e UR L to be checked for phishing, for example,http: / / sdapld21.host21.com.
7. Click I s i t a p h i sh ? .
*MhTinkprovttet oh An tar
Join the fight against phishing
Submrt tu wc d phsftua. Rack the ttatic of 1/cur submissions
Vecfyoherj sct s suonssnns Develop softwarewimour fteeAPI.
jrttp//KiJptaV. ItMtUcem
R#c*r< SubTKSorsdim) fjst) lu>mi ftLImmup>.le0pirn
' Imi TVl. J4CIUY...
PliishTauk 1s operatedby Open DN S to improve
the Internet through safer,
faster, and smarter DNS.
F IG U R E 2.4: Checking for site
If the site is a p h is h in g s i te , you see the following warning dialog box.
PhishTank Ok of it* NM.io*MTw*
Submission #1571567 is aimentty ONLINE
S01 n or Hcgctoto vert, t !6sutxnssior.
No screenshot yet
We have not ye! successfully takena screeasltol f the submitted website.
FIG U R E 2.5: Warn ing dialog for phishing site
L a b A n a l y s i s
Document all die websites and verify whether diey are phishing sites.
0 2 Open DN S is
interested in having die
best available information
about phishing websites.
Tool/Util ity Information Collected/Object ives Achieved
PhiskTank Phishing site detected
Eth ical Hacking and Countemieasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 688
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
16/28
Module 09 - Social Engineering
P L E A S E T A L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S
R E L A T E D T O T H I S L A B .
Q u e s t i o n s
1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is Open DNS blocking a phish site that PhishTank doesn't list orhas not vet verified?
Internet Connection Required
0 YesPlatform Supported
0 Classroom
No
!Labs
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 689
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
17/28
Module 09 - Social Engineering
3Social Engineering PenetrationTesting using Social Engineering
Toolkit (SET)Th e So c ia/E n g in eer To o/k it (S E T ) is an open-source Python -dr iven too l a im ed a t
p en etratio n testing arou n d so cia l eng ineering
c o n k e y L a b S c e n a r i o
Social engineering is an ever-growing threat to organizations all over the world.Social engineering attacks are used to compromise companies evenday. Eventhough there are many hacking tools available with underground hackingcommunities, a social engineering toolkit is a boon for attackers as it is freely
available to use to perform spear-pliishing attacks, website attacks, etc.Attackers can draft email messages and attach malicious files and send them toa large number of people using the spear-pliishing attack method. Also, themulti-attack method allows utilization of the Java applet, Metasploit browser,Credential Harvester/ Tabnabbing, etc. all at once.
Though numerous sorts ot attacks can be performed using tins toolkit, tins isalso a must-liave tool for a penetration tester to check for vulnerabilities. SET isthe standard for social-engineering penetration tests and is supported heavilywitlun the security community.
As an e t h i c a l h a c k e r , penetration tester, or s e c u r i ty a d m i n i s t ra t o r you
should be extremely familiar with the Social Engineering Toolkit to performvarious tests for vulnerabilities 011 the network.
L a b O b j e c t i v e s
The objective of tins lab is to help sUidents learn to:
Clone a website
Obtain user names and passwords using the Credential Harvestermethod
Generate reports for conducted penetration tests
__ Valuable
information
s Test yourknowledge
Web exercise
mWorkbook review
Eth ical H acking and Countemieasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 690
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
18/28
Module 09 - Social Engineering
L a b E n v i r o n m e n t
To earn out die kb, you need:
Run this tool 111B a c k T r a c k Virtual Machine
Web browser with Internet access
Administrative privileges to mn tools
L a b D u r a t i o n
Tune: 10 Minutes
O v e r v i e w o f S o c i a l E n g i n e e r in g T o o l k i t
Sockl-Enguieer Toolkit is an open-source Python-driven tool aimed at penetrationtesting around Social-Engineering. The (SET) is specifically designed to performadvanced attacks against die human element. The attacks built into die toolkit aredesigned to be targeted and focused attacks against a person or organization usedduring a penetration test.
L a b T a s k s
1. Log in to your B a c k T r a c k virtual machine.
2. Select A p p l i c a ti o n s ^ B a c k T r a c k ^ E x p l o it a ti o n T o o l s ^ S o c i a l
E n g i n e e r i n g T o o l s ^ S o c i a l E n g i n e e r i n g T o o l k i t and click Se t .
& T oo ls
d e m o n s t r a t e d in
t h i s l a b a r e
ava i lab le in
D:\CEH-
Tools\CEHv8
Module 09S o c i a lE n g in e e r in g
T A S K 1
E x e c u t e S o c i a lEngineer ing
Toolk i t
3 Tue Sep 25. 7:10 PM^Applications[ Places System [>7]
a9 BEEF XSS Framework
9 HoneyPots
11 Social Engineering Toolkit
f* Network Exploitanor Tools.-
Web Exploitation Tools
^DatabaseExploitationTools
Wireless Exploitation Tools
|9Social E jifM
Physical Exploitation
3\Open Source Expl oited ,h set
|Q InformationGathering
r vulnerability Assessment
J0ExploitationTools
Privilege Escalation
Ef MaintainingAccess
Reverse Engineering
I RFIDTOols
O
Forensic!*
KCporting Tools
(P services
y Miscellaneous
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
19/28
Module 09 - Social Engineering
3. A T e r m i n a l window for SET will appear. Type y and press E n t e r toagree to the terms of service.
File Edit View Terminal HelpTH IS SOFTWARE, EVEN IF ADVISED OF THE PO SS IB IL IT Y OF SUCH DAMAGE.
The ab o ve l ice n s in g was ta ke n f ro m th e BSD l i ce n s in g a n d ^ i s a p p l i e d to S o c ia l -E n
g i n e e r T o o l k i t as w e l l. ___ " * ^ 1
N o te t h a t t h e S o c i a l -E n g i n e e r T o o l k i t i s p r o v i d e d as i s , a nd i s 3 r o y a l ty f r e e 0
p e n - s o u r c e a p p l i c a t i o n . M r
F e e l f r e e t o m o d i fy , u s e, c ha n ge , m a r k e t , d o w h a t e ve r u w a nt w i t h i t a f l o n g a
s y o u g i v e t h e a p p r o p r i a t e c r e d i t w h e r e c r e d i t
i s d ue ( w h ic h means g i v i n g t h e a u t h o rs t h e c r e d i t t h e y i fe s e r v e f o r w r i t i n g i t ) .
A l s o n ot e t h a t b y u s in g t h i s s o f t w a r e , i f y ou ev e r
see the c re ato r o f SET in a bar , you are re qu i red to g iv e h im a hugand buy him
a beer . Hug must la s t a t le as t 5 seconds. Author
h o ld s th e r i g f t t t o r e fi p se th e h ug o r th e b e e r . f | ^ \ \f l o t ' B k i l . I f y o u \a re
1 \Jo u a r e v i o l a tt inqXn a t y o u w i l l o n ly us
T ^ ^ * c M 1 - E t l^ e e r T A l k it W s r y T i g f l f i j p y e l y good pn
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
20/28
Module 09 - Social Engineering
Te rm ina l
File Edit View Terminal Help
J o i n u s o n i r c . f r e e n o d e . n e t i n c h a n ne l # s e t o o l k 1 t
The Soci al - Engi neer Tool ki t i s a product of Trust edSec.
Vi si t : ht t ps: / / www. t rust edsec. com
Select f rom the menu:
1 ) S p e a r -P h i sh in q A t ta c k Ve c to r s
| 2 ) W e b s ite A t ta ck V e c to r s |
3 ) In fe c t i o u s Me d ia G e n e ra to r
4 ) Create a Payload and L is tener
_ 5 ) Hass M a i l e r A t ta c k _I 6 ) A r du in o -B a s e d A t t a c k v e c t o r g
|^ % S M S S po ofin g A tta ck V e c t o r ^ I A8 ) W i re l e ss A cce ss P o in t A t ta ck V e c to r
9 ) QRCode Gen era tor A t ta c | Vecto r
10) P o w e r s h e ll A t t a c k V e c t l rs
11) T h i r d P a r ty Mo du le s
99) R eturn back to the m ain menu.
>r5s____________________________________________________
a c k
U
1) Java Ap plet A t tack Method
2) M e t asp lo i t B rowser Ex p lo i t Met hodI 3) C red en t ia l H arvester At ta ck Method |
4) Tabnabbing Attack Method5) Man le f t i n t he M idd le A t t ack Method
6) Web Jacking A ttac k Method
7) M u l t i -A t t ac k Web Het ho l
8 ) V i c t im Web P ro f i l e r
9 ) C rea te o r imp or t a CodeS ign ing C e r t i f i ca t e
99) Return to Main Menu
se t :weba t tack j3B 1
F IG U R E 3.4: Social Engineering Attacks menu
6. 111the next set of menus that appears, type 3 and press E n t e r to select
the C r e d e n t i a l H a r v e s t e r A t t a c k M e t h o d
File Edit View Terminal Help
and t he Back |T rack team. Th is method u t i l i z e s ! fram e rep lacement s t o
make t he h igh l i gh t e d URL l i n k t o appear l eg i t ima t e however * tf 1en c l i c ked
a w indow pops up then i s rep laced w i t h t he m a l i c i ous l i n k . You can ed i t
t h e l i n k r e pl ac e m e nt s e t t i n g s i n t h e s e t ^ c o n F ig i f i t s t o n f c * k o / fa s t .
The M u l t i -A t t ac k method w i l l add a comb ina t i on o f a t t ack s t h rough t he web a t t ac
k J r
menu. For example you can u t i l iz e the Java A pp let , M eta sp lo i t Browser,
C re de n t ia l Harves t e r /Tabnab b ing , and t he Man L e f t i n t he M idd le a t t ack
a l l a t once t o see wh ich i s succe ss f u l . m .
F IG U R E 3.5: website Attack Vectors menu
7. Now, type 2 and press E n t e r to select the S i t e C l o n e r option from the
menu.
C Qt i!e Social-Engineer
Toolkit "Web A ttack"
vector is a unique way of
utilizing multiple web-
based attacks in order to
compromise the intended
victim.
0 3 Th e Credential
Harvester Method will
utilize web cloning of a
website that has a usernameand password field and
harvest all die information
posted to d ie website.
Eth ical Hacking and Countemieasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 693
https://www.trustedsec.com/https://www.trustedsec.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
21/28
Module 09 - Social Engineering
Te rm ina l
File Edit View Terminal Help
9) Create or imp or t a CodeSign ing M
99) R eturn t o M ain Menu
s e t : w e b a t t a c k > 3
T he f i r s t m et ho d w i l l a l lo w SET t o i m p o r t '! * l i s t o f p r e - d e f i n e d w eba p p l ic a t io n s t h a t i t can u t i l i z e w i th i n t h e a tt a c k .
The seco nd metho d w i l l co m p le te l y c l o n e a we b s i te o f yo u r ch o o s in g
a nd a l l o w y ou t o u t i l i z e t h e a t t a c k v e c t o r s w i t h i n t h e c o m p l e t e ly
same web a p p l i ca t i o n yo u we re a t te m p t i n g to c l o n e .
Ih e th i r d me th od aUo ws yo u j to im p o r t yo u r own we b s ip ; , n o te t ^a t you
Shou ld on ly have a l t' inde x.h tm l when using the imp or t Websi te
functionality^^* Y jF ^ I V ) / 1) Web T em p la te s v I ^ 3 4
1 2) S i t e C l o n e r ! I \3 ) Custom Imp or t -
99) R eturn to Web attack Menu
; e t : w e b a t t a c k a E f |_______________
C Qt 11e Site C loner is used
to done a website of your
choice.
F IG U R E 3.6: Credential Harvester Attack menu
Type the IP a d d r e s s of your BackTrack virtual PC 111the prompt lor IPa d d r e s s f o r t h e P O S T b a c k i n H a r v e s t e r /T a b n a b b i n g and press E n te r .111tins example, the IP is 10.0.0.15
*
* Te rm in a l
File Edit View Terminal Help
a p p l ic a t io n s t h a t i t can u t i l i z e w i th i n t h e a tt a c k .
The se co n d me th od w i l l co m p le te l y c l o n e a we b s i te o f yo u r ch o o s in g
a nd a l l o w y ou to u t i l i z e t h e a t t a c k v e c t o r s w i t h i n t h e c o m p l e te l y
same web a p p l i ca t i o n yo u we re a t te m p t i n g to c l o n e .
The th i r d me th od a l l o ws you to imp o r t yo u r own we b s i te , n o te th a t yo u
sh o u ld o n l y h a ve a n i n d e x .h tm l wh en u s i n g th e im p o r t we b s i te
f u n c t i o n a l i t y .
1) Web Templates
2 ) S i t e C l o n e r
3 ) C us to m I m p o r t _ '
1 9 9 ) Re tu rn to We b A ta ck Menu I / . * | ^
J[jLSir br r 3t -1 C r e d e n t ia l h a r v e s t e r w i l t a l l o w yo u t o u t i l i z e t h e c lo n e c a p a b i l i ti e s w i t h i n
set J[ - 1 to h a r ve s t c re d e n t i a l s o r p a ra me te r s f ro m a we b s i te as we l l a s p i e ce the m in
t o a r e p o r t
[ - 1 Th i s o p t i o n i s u sed fo r wh a t IP th e se r v e r w i l l POST to .
[ - J I f y o u ' r e u s in g an e x t e r n a l I P , u se y ou r e x t e r n a l I P f o r t h i s
: > IP address for the POST back in Harvester/Tabnabbina:110.0.0.1s|
F IG U R E 3.7: Providing IP address in Harvester/Tabnabbing
Now, you will be prompted for a URL to be cloned, type the desiredURL for E n t e r t h e u rl to c l o n e and press E n te r . 111tins example, wehave used w w w . f a c e b o o k . c o m . Tins will nntiate the cloning of thespecified website.
COSt 11e tabnabbing attack
mediod is used when a
victim has multiple tabs
open, when the user clicks
die link, die victim w ill bepresented with a Please
wa it while the page loads .
Wh en the victim switches
tabs because he/she is
multi-tasking, die website
detects that a different tab
is present and rewrites die
webpage to a website you
specify. The victim clicks
back on the tab after a
period of time and diinks
diey were signed out of
their email program or their
business application and
types the credentials in.
When the credentials are
inserts, diey are harvestedand the user is redirected
back to the original
website.
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 694
http://www.facebook.com/http://www.facebook.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
22/28
Module 09 - Social Engineering
* Te rm in a l
File Edit View Terminal Help
an d a l lo w y ou t o u t i l i z e t h e a t t a c k v e c t o r s w i t h i n t h e c o m p l e te l y
same web a p p l ic a t i o n y ou w ere a tt e m p tin g t o c l o n e T ^ ^ ^ ^ ^ ^ ^
The th i r d me th od a l lo w s yo u to im p o r t - ym j r own we b s i te , n o te th a t yoush o u ld o n l y h a ve a n in d e x .h tm l wh en u s i n g th e im p o r t we b s i te
f u n c t i o n a l i t y .
u t i l iz e t h e c lo n e c a p a b i li ti e s w i t h i r
1) Web Templates
2 ) S i t e C l o n e r
3) Custom Import
99) R eturn to Webattack Menu
:we b a t ta ck>2
h a t IP th e se r ve r w i l l POST to .
[ ] C r e d e n t i a l h a rv e s t e r w i l l a l lo w y o u t o
Jr> 1 T JT] ] t o h a r v e s t c r e d e n t i a l s o r p a ra m e t er s f
3r A
rom a we bsi te as w e l l as p lace them i r
to a r e p o r t I ^ % I % I V J 1
[-] T h i s o p t i o n i s u se d f o r | h a t I P t h e s e r v e r w i l l P OST t o . V ^ M[ ] I f y o u ' r e u s i n g an e x t e r n a l I P , u s e y o u r e x t e r n a l I P f o r t h i s
s e t :we b a t ta ck> IP a d d re ss fo r th e P OST b a ck i n H a rve s te r /Ta b n a b b in g :1 0 .0 .0 .1 5
[ ] SET su pp ort s b oth HTTP and HTTPS
[- ] Example : h t t p : / /w w w . th i s i s a f a k e s i t e . com____________
; e t :we b a t ta ck> E n te r th e u r l t o c l o n e :Rvww. fa ce b o o k . com!
FIG U R E 3.8: Providing U R L to be cloned
10. Alter cloning is completed, the highlighted message, as shown 111diefollowing screenshot, will appear on the T e r m i n a l screen ot SET. PressE n t e r to continue.
11. It will start Credential Harvester.
File Edit View Terminal Help
99) R eturn to Webattack Menu
se t :we b a t ta ck>2 5 1
[ -1 C r e d e n t ia l h a r v e s te r w i l l a l lo w y ou to u t i l i z e t h e c lo n e c a p a b i l i ti e s w i t h i n
SET[ - ] t o h a r v e s t c re d e n t i a l s o r p a ra me te r s fr o m a we b s i te as we l l as p la ce the m i n
to a r e p o r t
[ - ] Th i s o p t i o n i s u sed fo r wh a t IP th e se r ve r w i l l P OST to .
t - J I f y o u ' r e u s i n g a n e x t e r n a l I P , u s e y o u r e x t e r n a l I P f o r t h i s
se t :we b a t ta ck> IP a d d re ss fo r th e P OST b a ck i n H a rve s te r /Ta b n a b b in g :1 0 .0 .0 .1 5
{ - ] SET su pp ort s b oth HTTP and HTTPS
I - ] E xa mp le : h t t p : / /w w w . t h is i s a f a k e s i te . c o m I
s e t : w e b a t ta c k > E n t e r t h e u r l t o c l o n e : www.facebook.com
b .[ * ] C l o n in g th e w e b s it e : h t t p s : / / lo g i n . f a c e b o o k . c o m / lo g i n . p h p
[ * j T h i s c o u ld t a k e a l i t t l e b i t . . . 1 I J
fokc - ,POSTs on a we bs ite .
Trie b e v Ttoaie fteu tfm.k i J 11f i e l d s a r e a v a i la b l e . R e g a r d le s s , K h i
[ ! ] I h a ve r ea d th e ab o ve me ssag e.
t o c o n t i n u eP re ss < re tu r i
FIG U R E 3.9: SE T Website Cloning
12. Leave the Credential Harvester Attack to fetch information from thevictims machine.
C Qt 11e web jacking attack
method will create a
website clone and present
the victim w ith a link
stating that the website has
moved. This is a new
feature to version 0.7.
1333 If you re doing a
penetration test, register a
name thats similar to the
victim, for Gmail you coulddo gmail.com (notice the
1), something similar diat
can mistake the user into
thinking it s die legitimate
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 695
http://www.thisisafakesite.com/http://www.facebook.com/http://www.facebook.com/http://www.thisisafakesite.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
23/28
Module 09 - Social Engineering
* Terminal
File Edit View Terminal Help
[-] Credential harvester w ill a llow you to uti liz e the clone capa bilitie s within
SET[-] to harv est c red en tial s or parameters from a website as we ll as place them in
to a report [] This option is used for what IP the serv er w ill POST to. _ * a * * '
[-] I f you're using an extern al IP , use your external I P for th is
se t:webattack> IP address for the POST back in Ha rve ste r/T ab na bb ing :lf^^ ^^ ^[-] SET supports both HTTP and HTTPS[-1 Example: http://www.thisisafakesite.com
se t:webattack> Enter the url to clone:www.facebook.com
[*] Cloning the website: https://login.facebook.com/login.php
[*j This could take a l it t l e b it. ..
password torm
POSTs A a webssername andftptures al
The beat way to use this att ac k i i ff ie ldsf trg ava i lab le . Rej rd less . hi
l ! ] I have read the above message.
Press to continue
] Social-Engineer Toolkit Credential Harvester Attack, j Cre den tial Harv ester is running on port 80
] Information w il l be displayed to you as i t ar riv es below:
FIG U RE 3.10: SET Credential Harvester Attack
13. N o w , y o u h a v e t o s e n d t h e I P a d d r e s s o f y o u r B a c k T r a c k m a c h i n e t o a
v i ct im a n d t r ic k h im o r h e r t o c l i c k t o b r o w s e t h e I P a d d r es s .
1 4. F o r t in s d e m o , la u n c h y o u r w e b b r o w se r 11 1 t h e Ba c k T r a c k m a c h in e ;
launch your favor i te emai l se rv ice . 1 1 1 t h i s e x a m p le we h a v e u se d
w w w . g m a i l . c o m . L o g in t o y o u r g m a i l a c c o u n t a n d c o m p o se a n e m a il .
FIG URE 3.11: Composing email in Gmail
1e e m a i l w h e r e y o u w i sh t o p l a c e t h e
icon.C O
15 . Place the cursor 11 1 t h e b o d y o f t
f ake URL. Then , c l ick the L ink
m When you hover overthe link, die URL will be
presented with the realURL, not the attackers
machine. So for example if
youre cloning gmail.com,
the UR L when hovered
over it would be gmail.com.
When the user clicks the
moved link, Gmail opensand then is quickly replaced
with your malicious
Webserver. Remember you
can change the timing ofthe webjacking attack in die
config/set_config flags.
0=5! Most o f the time they
wont even notice the IP
but its just another way toensure it goes on without a
hitch. Now that the victimenters the username and
password in die fields, you
will notice that we can
intercept the credentials
now.
Eth ical H acking and Countenneasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 696
http://www.thisisafakesite.com/http://www.facebook.com/https://login.facebook.com/login.phphttp://www.gmail.com/http://www.gmail.com/https://login.facebook.com/login.phphttp://www.facebook.com/http://www.thisisafakesite.com/8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
24/28
Module 09 - Social Engineering
Compose Mail 9) >flma1l.com * Gmail Mozilla FiretoxEjle Edit yiew History flook marks Ipols Help
T C |121 Google Q,S' ^ fi http google.com/n il,|BackTrack Lnux Hot fensiwe Security |lExploitDB ^Aircrack-ng J^SomaFM
Gmail Documents Calendar More
0 + Share
oG 0 v g le
Discard Labh Draft autosaveti at 10:4a AM (0 minutes ago)
- [email protected], I
Add Cc Add Bcc
Su bject @TOI F - Party Pictures
Attachano
B I y T rT * A T [oo|t= IE 5 i* 5 ^ * s 1% Plain Toxt chock spoilingHoilo Sam.
PI4m click this link lo view U>* w#kt11d (vtrty picture* at TGIF wflh thw cmMxMim*
Regards.
m.
Inbox
SUrrwJ
Important
Sert Mail
Drafts (2)
Circles
Search chat or SU'9
FIGU RE 3.12: Linking Fake URL to Actual URL
16. 111 the Ed it Link w ind ow , f irst type die a ctua l address 11 1 t h e We b
a d d r e s s fi el d u n d e r t h e L i n k t o o p t i o n a n d t h e n t y p e d ie f a k e U R L 111
die T ex t to d isp lay he ld . 111 th is example , the w eb add ress we have
used i s h t t p : / /1 0 . 0 . 0 . 1 5 and tex t to d isp lay i s
w w w . f a c e b o o k . c o m / R i n i TGIF. Click OK
g)gmail.com -Gmail Mozilla Firetox).omaFM
IM C
Rlni Search Images Maps Play YouTube
Go . ) g I e
Draft eutosaved at 10:45 AM (0 minutes ago)
Edit Link
X
Toxt to aiepiay: L w (V facebook com/Rini TG 1f ] Q
Ur* to. To what URL should this link go?
0 Web address |wtp0.0.15 10/|QC Email *** Th>I(1|IK*
Not ure wrhat to put In the boxT rm fhd t**imgean the t*ob fat you wanr to Ink to (A
scarc heroine mottt be useful.) Then ceoy e ate address *rom the box h your browser's1addroso Qor and potto it 140 tno box aoov
| OK | Cancel
Inbox
Starred
Important
Sent Mai
Drafts (2)
Circles
JunkE-mal
FIG URE 3.13: Edit Link window
1 7 . T h e f a k e URL sh o u ld a p p e a r 11 1 t h e e m a i l b o d y , a s sh o w n 11 1 the
fo l lowing screensho t .
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.]
C EH Lab Manual Page 697
mailto:[email protected]://10.0.0.15/http://10.0.0.15/http://10.0.0.15/http://www.facebook.com/Rinihttp://www.facebook.com/Rinihttp://10.0.0.15/mailto:[email protected]8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
25/28
Module 09 - Social Engineering
Compose Mail ......... (g>gma1l.com * Gmail Mozilla FirefoxEjle Edit History flook marks Ipols Help
gBackTrack Linux |*|Offensive Security |[JjExploit-DB Aircrack-ng jgjjSomaFM
Saved Discard Labels Draft autnsaved at 11:01 AM (0 minutes ago) 0
To @yahoo com, BAdd Cc Add Bcc
Subjed TGI F- Party Pictures
Attach a 10
Sf B I U T - T - A, T - oo | - IE 3 i s H =3 ^ ,piain roxt chock spoiling'Hello Sam.
Pt-*M click this Ilfikj www t:|tr.ocinle Q,
x Comp os e Mail - - ipgmml.com - Gmail Mozilla FirefoxFile d1t yie* History gookmarks !0015 ftelp
M Compose Mail -
V 5r' oogle.com
+ Share F I
0
A Track Linux |Offensive Security |lExploit-DB J Aircrack-ng fefiSomaFM
G o u g l e
ages Maps Play YouTube
Discard Labels Draft autosaved at 11:01 AM (0 minutes ago)
@yahoo.c
Add Cc Add Bcc
Sucject @TGi F - Party Pictures
Attach a no
B I U T tT * A M jE IE = 1 M E = 1 /x Plain Text Check Spelling-
Please click this link ww\v.facebook.CQfr!
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
26/28
Module 09 - Social Engineering
facebookSign Up Connect and share with the people in your Ife.
Tarpbook 1ogin
(mart or t*hon*:
Password: ----
| 1 Keep me lowedin
or Siga upfor tacetoook
Forgot yourosss*vord?
!kwo fflOjOge =33and Rrtugjes (=t)fcngist
F3Lcb5x S 2012 MobleFind FriendsEodces PeoplePoqcsAfccut Crca* er Ad Create a Page Privacy Coatses TerreDevelopers Careers
mQ log1n|h>cbook \
1
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
27/28
Module 09 - Social Engineering
* v x TerminalFile Edit View Terminal Help
[*] Social-Engineer Toolkit Credential Harvester Attack.[*j Credential Harvester is running on port 80
[*j Information will be displayed to you as i*--~ hrl" 10.0.0.2 - - [26/Sep/2012 11:10:41] GET / HTTP/1.1 200 -[* ] WE GOT A HIT! Pr in tin g the output:
PARAM: lsd=AVqgmkGhPARAM: return session=0PARAM: legacy return=lPARAM: displayPARAM: session key only=0PARAM: trynu!n=l
lo.n=Log+In
HIT CONTROL-C TO GENERATE A REPORT.
charset test=, ,fltimezone=-330lgnrnd=224034 ArY/U
POSSIB fe p J^n m |FK LD F*% ) :
PARAM: default persistent=QPOSSIBLE USERNAME FIELD FOUND:
[ ] WHEN YOU'RE FINISHED,
PARAMPARAMPARAMPARAM0OSSI
FIG U RE 3.17: SE T found Username and Password
2 2 . P r e s s CT RL + C to g e n e r a t e a re p o r t t o r t h is a t t a c k p e r fo r m e d .
/v v x TerminalFile Edit View Terminal Help
PARAM: lsd=AVqgmkGhPARAM: return session=0PARAM: legacy return=lPARAM: displayPARAM: session key only=0PARAM: trynu1=lPARAM: charset test=,/K ,fl,PARAM: tiraezone=-540
PARAM: Ignrnd=224034 ArYAPARAM: lgnjs=nPOSSIBLE USERNAME FIELD FOUND: emai l ' POSSIBLE PASSWORD FIELD FOUND: pass=test
PARAM: default persistent=0POSSIBLE USERNAME FIELD FOUND: l 0 gin=L0 g+In
[* ] WHEN YOU'RE FINISHE D-H IT C0N1R0L-C TO
L . I x'C[*] ftle exported to r Jwkts/20-09-fc 15::49:15.S4ftl5.lfL for your RasnMr w i W I V W l WA V f I X - [] File in XML format exported t(| reports/2012-09-26 15:49:15.5464l .xjr reading pleasure...
C TO GENERATE A REPOftf.
ts/20K-09-26 1H IE * *
to continuePress
8/14/2019 CEH v8 Labs Module 09 Social Engineering.pdf
28/28
Module 09 - Social Engineering
T o o l / U t i l i t y I n fo rm a tio n C o l l e c t e d /O b j e c ti v e s A c h ie ve d
P A R A M : l s d = A V q g m k G 1 1
P A R A M : r e t u rn _ s e s s io n = 0P A R A M : l e g ac y _ r e tu r n = 1
P A R A M : d i s p la y s
P A R A M : s e s s i o n _ k e y _ o n l y = 0
S o c i a l
E n g i n e e r i n g
T o o l k i t
P A R A M : t rv n u m = 1
PARAM : c h a r se t_ t e s t= , ' , , ' ,
P A R A M : ti m e z o n e = - 5 4 0
P A R A M : lg n r n d = 2 2 4 03 4 _ A rY A
P A R A M : lg n j s = n
e m a11
= s a m c h o a n g @ y a h o o . c o mp a s s= te s t@ 1 2 3
P L E A S E T A L K T O Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S
R E L A T E D T O T H I S L A B .
Q u e s tio n s
1. Evaluate each o f the following Paros proxy options:
a. Trap Request
b. T ra p R esp o n se
c . Co nt inue bu t ton
d . D r o p b u t to n
I n t e r n e t C o n n e c t io n R e q u i r e d
0 Y es N o
P l a tf o rm S u p p o r te d
0 C l a ss ro o m !L abs
mailto:[email protected]:[email protected]Top Related