CEHV8 - Module 09 - Labs Social Engineering
Module 09 - Social Engineering
Social engineering is the art of convincing people to reveal confidential information.

The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract. "Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics. He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Crowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit. The compliant manager obliged, plugging the address into his browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."

MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:
■ Never be afraid to say no. If something feels wrong, something is wrong.
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems; they already know.
■ Set up an internal company security word of the day and don't give any information to anyone who doesn't know it.
■ Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites.

As an expert ethical hacker and penetration tester, you should circulate the best practices to be followed among the employees.
Lab Duration
Time: 20 Minutes
TASK 1
Overview of Social Engineering
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Lab Tasks
Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Lab Objectives
This lab will show you phishing sites in a web browser and how to examine them. It will teach you how to:
■ Detect phishing sites

Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012

Lab Duration
Time: 10 Minutes

Lab Tasks
TASK 1: Anti-Phishing Toolbar
1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
Netcraft is an Internet services company.

8. Click Allow to download Netcraft Toolbar.
(Screenshot: Netcraft Toolbar download page with the Install Now / Cancel prompt.)
FIGU RE 1.8: Netcraft Toolbar on Mozilla Firefox web browser
FIGURE 1.11: Web page blocked by Netcraft Toolbar
Lab Analysis
Document all the results and report gathered during the lab.
Netcraft: Phishing site detected
Questions
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Phishing sites or emails can be reported to phishing-report@us-cert.gov
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
This lab will show you how to examine phishing sites using a web browser. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks
Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012

Lab Duration
Time: 10 Minutes
Overview of PhishTank
PhishTank URL: http://www.phishtank.com
PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearing house for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
Lab Tasks
TASK 1: PhishTank
1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGU RE 2.1: Windows Server 2012-Start Menu
(Screenshot: PhishTank home page listing recent submissions.)
Lab Analysis
Document all the websites and verify whether they are phishing sites.
PhishTank: Phishing site detected
Questions
1. Evaluate what PhishTank wants to hear about spam.
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs
Lab Objectives
The objective of this lab is to help students learn to:
■ Clone a website

Lab Duration
Time: 10 Minutes

Lab Tasks
1. Log in to your BackTrack virtual machine.
(Screenshot: BackTrack Applications menu with the Social Engineering Tools submenu.)
SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.

(Screenshot: SET license text and terms-of-service prompt in the terminal.)
FIGURE 3.2: SET Service Agreement option

The web jacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site.
4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option.
FIGURE 3.4: Social Engineering Attacks menu

Terminal output shown in the following screenshots:

    4) Tabnabbing Attack Method
    5) Man Left in the Middle Attack Method
    6) Web Jacking Attack Method
    7) Multi-Attack Web Method
    8) Victim Web Profiler
    9) Create or import a CodeSigning Certificate

    1) Web Templates
    2) Site Cloner
    3) Custom Import

    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing: 10.0.0.15
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone: www.facebook.com
    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...
    The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
    I have read the above message.
    Press <return> to continue

When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious Webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.
(Screenshots: a Gmail draft to the victim. Subject: @TGIF - Party Pictures. Body: "Hello Sam, Please click this link to view the weekend party pictures at TGIF with the celebrities. Regards." The Edit Link dialog shows the text to display as www.facebook.com/Rini TGIF.)
The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well however there will be an "untrusted" warning when a victim goes to your website.

(Screenshot: the Gmail message with the link text "www.facebook.com/Rini TGIF"; hovering over it shows "Go to link: http://10.0.0.15 - Change Remove".)
FIGURE 3.15: Actual URL linked to Fake URL
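Added example, not part of the CEH lab manual or of SET: a defender-side Python check for the trick Figure 3.15 illustrates, where the visible anchor text names www.facebook.com while the href actually goes to http://10.0.0.15. The sample message is constructed to mirror the lab email; `host_of`, `suspicious_links` and the intranet URL are assumed names, not anything from the page.

```python
# Added example (not from the CEH manual or SET): a mail-filter style check for the
# trick in Figure 3.15, where the link text reads www.facebook.com/... while the href
# points at the harvester on http://10.0.0.15. It flags anchors whose visible text is
# URL-like but names a different host than the href, and hrefs that go to a bare IP.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text that looks like a link: optional scheme, dotted hostname, optional path.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def host_of(text):
    """Lower-case host named by URL-like visible text, or None if it is plain wording."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in the message body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html):
    """Return [(href, text, reason)] for anchors a phishing filter should flag."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        href_host = urlparse(href if "://" in href else "http://" + href).hostname
        text_host = host_of(text)   # None when the link text is ordinary words
        reasons = []
        if href_host and IPV4_RE.match(href_host):
            reasons.append("href points at a bare IP address")
        if text_host and href_host and text_host != href_host:
            reasons.append(f"visible text says {text_host} but href goes to {href_host}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings

# Constructed sample modelled on the lab email (not a real message); the intranet link is benign.
SAMPLE_MAIL = ('<p>Hello Sam,</p><p>Please click this link '
               '<a href="http://10.0.0.15">www.facebook.com/Rini TGIF</a> to view the '
               'weekend party pictures at TGIF.</p><p>See also the '
               '<a href="https://intranet.example.com/agenda">agenda</a>.</p>')
```

Running `suspicious_links(SAMPLE_MAIL)` flags only the Facebook-looking anchor, with both reasons; the plain-wording intranet link is not reported.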
19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.
The multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors.

(Screenshot: the cloned Facebook login page, with Google Chrome offering to save the entered password.)
Lab Analysis
Analyze and document the results related to the lab exercise.
Social Engineering Toolkit: parameters captured by the credential harvester
    PARAM: lsd=AVqgmkG11
    PARAM: return_session=0
    PARAM: legacy_return=1
    PARAM: display=
    PARAM: session_key_only=0
    PARAM: trynum=1
    PARAM: charset_test=€,',€,',
    PARAM: timezone=-540
    PARAM: lgnrnd=224034_ArYA
    PARAM: lgnjs=n
    email=samchoang@yahoo.com
    pass=test@123
Questions
1. Evaluate each of the following Paros proxy options:
a. Trap Request
b. Trap Response
c. Continue button
d. Drop button
Internet Connection Required: ☑ Yes ☐ No
Platform Supported: ☑ Classroom ☐ iLabs