Phishing

Course
Time: 1 hour 30 minutes
Difficulty: Beginner
CEU/CPE: 2

Video Transcription

00:02
Welcome to module three in Cybrary's Crafting the Perfect Email course. Now that we're familiar with the use and navigation of the Social-Engineer Toolkit, we're gonna go ahead and finish our attack.
00:15
First off, I do want to say in this video we are going to perform an actual phishing attack using the Social-Engineer Toolkit. So we do need to remember this course and lab are for learning purposes only.
00:26
What I'm about to show you is intended to expand your knowledge and skills to make you a better penetration tester and cybersecurity expert. I'm not responsible if you decide to break the law.
00:38
So in order to perform our attack, we're gonna need to do a little bit of preparation. The first thing you want to do is clone our target website, and that's where we're trying to capture credentials from. In this lab, we're going to use Cybrary's login page, cybrary.it/wp-login
00:57
.php
00:59
to capture the credentials, and we're gonna use the Social-Engineer Toolkit credential harvester in order to clone that website.
01:07
Once we get that done, we're going to prepare our email, and we need to remember the keys to a good phishing email. So the first one is the email address or the sender.
01:18
In the real environment, you would want to use a fake domain to spoof email addresses. Since this is just the lab, we're going to use an email address that I have
01:26
In the subject, you need something that's catchy but not too suspicious.
01:32
In the details, we're going to need to use timing, relevance and name drops to help convince the victim that the user
01:38
the email is legitimate. So we can use current scams, a package delivery invoice, things like that. We're gonna want to use official logos. Those are really easy to find on the Internet.
01:49
And lastly, we're gonna need emotional buy-in. We're gonna need to get the user emotionally involved.
01:56
This will help limit their rational thinking. Um, for one example, we could use: there's been unusual activity on your account, please click here to log in and review the details,
02:05
and then we're going to need to send the email.
02:07
So again, we need to remember this is just a lab environment. In the real world, you'd have your own server hosting the cloned website, seeking to capture more than just the credentials. You would also want to set up your own domain so you can have your email addresses and things like that.
02:25
So one of the best ways to capture credentials is by cloning a website, and you can use the Social-Engineer Toolkit to do this and capture any input into that website.
02:35
So after launching the Social-Engineer Toolkit, you'll need to select number two, website attack vectors. So let's go ahead and hop into our lab here.
02:46
All right.
02:47
And we will open the terminal
02:53
and we're gonna launch the Social-Engineer Toolkit with setoolkit.
03:00
All right. We're gonna wanna go one to go into our social engineering attacks
03:06
and then again to website attack vectors.
03:09
And what we're gonna want to do in this lab is capture credentials. So we're gonna do number three, the credential harvester attack method,
03:20
and we're gonna clone a website,
03:23
which is number two.
03:24
Press Enter.
03:27
All right. So the URL we would like to clone was https://www.cybrary.it
03:38
/wp-login.php
03:44
and it will take just a minute here. Um, there is a little note. It says you may need to copy the directory files into /var/www/html depending on your directory structure for hosting that listening port and website. Being this is Kali Linux, we should be fine, so we will press Enter.
04:04
All right, so now that that is running,
04:09
our cloned website, let's go ahead and
04:12
minimize this, 'cause we will need to leave that up and going.
04:16
Let's go ahead and go back to your slide show real quick.
04:20
And so our website is now cloned. It's running. We've got our listening port on our Kali box. So now we're gonna need to send our phishing email, and we're gonna direct that to our target, directing them
04:31
to our login page. So let's hop back in our lab
04:38
and we're gonna open another terminal. You can right click
04:41
and do new window.
04:44
As you can see, this opens a new terminal
04:46
and we're gonna want to launch that Social-Engineer Toolkit
04:51
again. One, social engineering attacks, and this time we're gonna want to send out an email. So the one we're gonna do is number five, the mass mailer attack.
05:02
And we're just going to send it to a single address. You can bulk send phishing emails from here as well, but that single email is number one.
05:12
All right. And we're going to send the email to
05:16
one of my test emails. That's just cybrary
05:19
dot dustin dot test at gmail dot com
05:25
and we're going to use our own Gmail account for that email attack, which is number one,
05:30
and the one I'm gonna send it from, I'm gonna send it from the same one, since this is just a lab
05:35
test,
05:40
and the from name the user will see. Let's make this a little bit smaller here. I've prepared all this for us,
05:46
so it looks like we're going to send this email from the Cybrary security team.
05:56
Press enter.
05:59
And this is where you'll need to enter the email password for that Gmail account.
06:05
Press Enter. We don't want to flag it as high priority. Um, you can do that,
06:11
but this is just a regular email here. We're not gonna attach any file. So no,
06:16
again, no.
06:18
So the subject of the email,
06:24
we're going to use
06:29
something to catch the attention, and that's: Urgent
06:34
Cybrary
06:36
Server update.
06:41
We're gonna want to send this in HTML, since I did type it all out.
06:45
And here is my test email,
06:48
and I've just got it in a Notepad here. You can Control-C to copy.
06:54
Click back over to your terminal,
06:57
right click and paste.
07:01
All right.
07:03
And then when you're done, you just type in the word end
07:13
And there you go. So you see, the Social-Engineer Toolkit has finished the sending
07:16
of the email,
07:18
and that will go to our victim with a link in order to capture credentials.
07:26
All right. Let's go back to our slide show.
07:30
And that is all for this video. In the next video, we're actually going to watch the attack unfold and see how it looks from the user's point of view.

Phishing

In this online course, you will learn how to craft the perfect phishing email to allow you to teach your team how to avoid actual phishing attempts.

Instructed By

Dustin Parry
Network Security Engineer
Instructor