Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson discusses social engineering. Social engineering is not necessarily a technical field; it can also be a matter of people skills. In a penetration test, social engineering involves simulating the sorts of attacks that happen in the wild. A tool that can help with social engineering is the Social-Engineer Toolkit (SET) in Kali Linux. Social engineering can involve phishing attacks or a mass email attack.

Video Transcription

00:04
All right, let's have a little bit of social engineering. Sometimes social engineering could be completely non-technical. Some of the best social engineers I know just kind of ask people if they can do things, or better yet, just do them and
00:19
say they'll apologize later, I managed to do very well at it. Break into banks, hotels. Things like that can be just a matter of your people skills. But
00:32
perhaps it's a little bit of a stereotype to say that tech people don't have very good social skills. So for some of us, the technical approach may be better. I personally am terrible with the human interaction. Social engineering, can't con anybody without sweating,
00:49
so that's not anything I'm particularly good at.
00:52
But if you do have the great social skills and can convince people to do what you want, it might be a route that you would be good at making cold calls and asking people for information, just walking into the building and pretending like you belong. Things like that is a
01:07
a valid for penetration testing, and some of your clients may want you to do that.
01:15
On the other hand, some of them may want something like a phishing attack. So you get phishing attacks, probably from time to time. But, hey, open this page or download this or something like that. You can get really fancy ones, like, have all the right pictures from Amazon and say,
01:30
you know, your television that you bought has shipped, at which point you kind of freak out. What? I didn't buy a television
01:38
or, you know, it comes from the bank and looks like it's from a bank says, Oh, your card
01:42
may have been,
01:45
um, compromised. Here is a pdf of all your charges that you've made
01:51
download and look at them and see if they're right, and the PDF is malicious. Or go to this site because your password has been compromised. Please change your password, and you click on a link, and it actually takes you to a clone of the website. And then when you update your information
02:07
the
02:09
site on the other end actually gets the original. So it would be like give it your user name, your old password, then update your password. So the
02:19
so the attacker site will grab the old password and then be able to log in as you on the real site. So these are things that happen in the wild. So, like everything else in pentesting, we try and simulate the sorts of attacks. And
02:31
see who falls for them. If nobody falls for them, which I've never had happen in my career, then good job on the company. If everybody falls for it, we need some more security awareness training for sure.
02:45
Um, so a tool that we can use that'll help us automate social engineering attacks like these is the Social-Engineer Toolkit,
02:53
SE toolkit in Kali.
02:59
Mostly, this is now
03:01
Social-Engineer Toolkit is updated a lot. Do you agree to the terms of service? Sure.
03:07
So it also has other things in it besides social engineering. The author of this tool did something called Fast-Track before the
03:15
So all the Fast-Track stuff is in here.
03:19
Next up, the update, things like that. Let's go to one, social engineering attacks.
03:25
There's a host of different things you can do here.
03:29
Um, the spear phishing attack vectors
03:31
basically just help us set up Metasploit modules. So just kind of look at one.
03:38
So let's do it.
03:43
Perform a mass email attack. And basically the problem with these is at least put Gmail and probably any of your other providers that are worth their salt.
03:53
So if they're using Google Apps, this isn't going to work. But some of them that use their own
03:59
stuff
04:00
you can log into their
04:02
Mail servers may work, but all the stuff gets popped. It's like that's malicious,
04:09
but you can set up something like
04:14
Let's do this one, PDF embedded EXE social engineering. So it's really similar to what we did with the Java applet. It's going to prompt the user and say, hey, can I run this EXE that's in the
04:27
PDF. You also see stuff like this with, like, Excel and other, like, Microsoft Word things. They have, like, Visual Basic scripts in them that have to run, which I've had, actually worked for someone once,
04:39
subcontractor where it was,
04:42
they took Excel spreadsheet with all of the vulnerabilities in it, and it
04:47
would run a Visual Basic script. It would run the macro, and it would turn it into the template for the report.
04:55
So that was nice. So there are legitimate uses for this. I mean, there's a lot of reasons why you would have a Visual Basic script enabled
05:01
in your Word files
05:03
or Excel files or things like that.
05:06
But you can also use it maliciously and put in a malicious macro that creates Meterpreter, even.
05:14
So, if you have Microsoft Office, that might be one to check out
05:18
as well.
05:23
We'll just use a blank PDF. What do I want the payload to be?
05:29
All of my
05:30
typical Meterpreters here,
05:33
Windows Meterpreter Reverse TCP. What's the IP address for the listener?
05:41
Port.
05:42
So it basically just automates the task of this. So I mean, as far as I can tell with these, it's really for people who are lazy or don't know how to use Metasploit very well, because all of this is basically just hooking up to intercept Finn. Um,
05:55
anonymous. If in a mimosa steel I rather on DDE
06:00
automating,
06:00
you should keep the following my care
06:04
and then you can have it mail for you.
06:08
You can give it a list of email addresses that you probably get from the client, or you'll have to find them online through theHarvester and Maltego and other tools that we saw previously when we did information gathering.
06:23
find the signs what has been built in email templates. You could send Dan Brown's age angels and demons. That was a long time ago.
06:30
Melted your building Security come
06:35
So you can use your own mail server. Or you can use Gmail.
06:41
Convergent Home Security
06:50
help desk
07:01
So it does say, unable to deliver mail, because Gmail can tell the PDF is malicious.
07:08
That has been caught for a while. We'll see avoiding antivirus a bit later on. You could take the output of this and then run it through antivirus avoidance techniques.
07:20
So then you could set up a listener. So if it worked, it'll automatically set up a listener for you, so when someone clicks on it,
07:28
come back to you.
07:30
So we're gonna just kind of automates things. So you're lazy.
07:38
Which hanging is waiting for Metasploit, because for whatever reason, my Metasploit on here is the slowest I've ever seen it, which is,
07:46
I suppose, pretty typical for something you're gonna make videos with.
07:54
You got the picture, all this killing
07:57
and give it to me and menu. So the ones I really like to use on here
08:01
are the website attack vectors, number two. These are the ones that I use in day-to-day life. It can do the Java applet attack method. We saw that.
08:11
Credential harvester. I use this a ton. So number three, credential harvester. You could use web templates. Let's just start with the template and also do site cloner
08:22
and custom import so you can make your own. So start with just a web template.
08:30
IP address for the POST back.
08:33
All right, IP address.
08:37
We want something with a log in. Page on Facebook
08:39
says Apache is on.
08:56
Why did it die?
08:58
Let me kill Apache
09:00
service. Is that you? Tues Er
09:33
Okay, so this has changed since the last time I used it.
09:39
It actually puts it in. Apache Don't really like that, But okay, if you say, sir,
09:46
service apache2 start
09:48
Go to var www.
10:03
Okay. You say, sir,
10:11
what's it called? Facebook.
10:22
Stop here. It's free.
10:28
Yeah, that doesn't look anything like Facebook, obviously.
10:35
Okay, that's weird. It didn't used to do that.
10:39
It used to just set up its own web server.
10:52
It's not gonna be very useful to look at until I figure out how to make it work, Which
10:58
it's just Hello,
11:01
mine
11:15
in there. Yeah, I don't really know what it's done. Or maybe
11:18
if it's broken. Cloning the website.
11:22
But where did it put it? I wonder.
11:24
Apache's on, everything will be replaced in your web root directory on Apache files, but written out to the root directory of Apache. All files hooking
11:35
set to start the process.
11:43
You're free to customers pushed not BHP a post our village. He does not look like
11:48
Facebook, so that's not very helpful.
11:52
Well, entirely sure. What's up with that?
11:54
That's what I get for switching versions of Kali.
11:56
Well, let's see what happens if I change the config file.
12:05
No, no, we'll go there first User share,
12:11
see if I could make it go back to the way it used to work. SE toolkit.
12:16
Yeah.
12:24
No, no.
12:31
And let's look for
12:33
groups. Know what I was here?
12:37
How are you
12:41
Use Apache instead of standard Python web server. I'm sure there's a way to make this work. I just don't know what it is, so I'll just set it to off, so it works the way I'm used to it working.
13:01
Okay,
13:11
Okay.
13:11
Says Apache's running. It'll stop it for me.
13:16
All right, so now you should work.
13:20
So I just goto level Hearst
13:26
Harvester is ready. Have the victim browse your site.
13:39
area. Okay. I'm not sure what the deal was there
13:43
that there might be. EMS don't seem to want to browse to Web servers right now. For whatever reason, I am able to make Facebook. It's not a very attractive version of Facebook planned. Dixit doesn't have any pictures.
13:56
It's certainly do better.
13:58
But if I give it georgia and password and do a login, it's gonna of course send the POST back to me. But then it actually even redirects me back to the original Facebook.
14:13
But if I look back
14:16
at my
14:18
Social-Engineer Toolkit, it grabbed the username and password as well as the rest of the POST request.
14:28
So what I like to do
14:31
next is do, like, a website cloner. Let's see what has a login page.
14:39
calm
14:43
Login page.
14:46
So imagine gmail dot com is your client
14:56
you skin and your sight cloner.
15:00
I was actually gonna call it the Internet and download the site.
15:18
Ah,
15:26
didn't figured your brother
15:31
I don't like, tried to read it to the same page.
15:35
Okay,
15:37
Not what I was going for.
15:41
Your clone, Google,
15:43
who's used to do a much better job than its during today
15:52
pages it ratings, too.
15:56
It's like adding the pages together.
16:02
So again, if I did well again
16:07
sends me back to the real Google
16:08
on, I should have gotten my credentials. Apparently, I didn't
16:15
So
16:15
August
16:17
be careful when using restricts, it may just decide not to work for you that I
16:22
It would probably help if I updated it.
16:26
It probably has, like, certain settings in it that weren't compatible. Kali 1.0.9, and I haven't updated it. Which, you know, that certainly happened to me. Let's see you
16:37
that fictions Any claims
16:40
always update things
16:44
doot
16:49
***.
16:52
So very religious reloads it.
16:56
Update failed.
17:06
Okay,
17:07
well,
17:07
there would be cool if we could get it to work.
17:12
And another thing I like to use is mass Mailer.
17:18
It allows me to send out a bunch of emails. Before I started using this, I was lazy and I would just, like, blind carbon copy everybody, which might set people off that something's
17:30
possibly wrong with this email. It might also get help us band filters.
17:36
But if I use this, it will actually send the emails one by one. I could just give it a list of emails, and then it will send them
17:42
over. And
17:45
no, don't,
17:48
uh, gold security dot com Georgia medicine slate dot com
18:00
Pure. Have other email addresses
18:07
so we can tell it root. You know, tux. So
18:11
read each of these are from the email.
18:34
Levian portal,
18:41
Britain HTML
18:45
Oh, please.
18:48
We are pleased to now
18:52
a new worker.
18:55
You pee in a bottle
18:59
for
19:02
counting payroll.
19:06
It's a vacation.
19:08
Uh, please
19:11
look, with your a d Dr directory
19:15
credit in So which is probably spelled wrong,
19:19
we'll do a link, href equals, and then
19:26
don't You don't want to create the wonder of 77.
19:33
We could do something like this. It would appear us to really be a train and star calms luxury be in total.
19:44
So the link would appear to be this.
19:47
But if you hovered over, it would actually show that it went here
19:49
So, I mean, obviously you need an Internet facing Web server to do this or do it internally.
19:56
But, you know, you can do it on, like, Amazon Cloud or something.
20:02
Uh,
20:03
you
20:06
cheese stare
20:08
something like that. I mean, that's relation Bull in Chile, kind of, But you'd be surprised how often it works
20:18
if we did something like went and it's got the train age website of Cybrary site and, ah,
20:25
I think the Cybrary site probably has a login in it, but if they don't have a login, and it was what I was gonna show you next if this site cloner would work, is that what you can do is actually bring in a site and
20:38
add a,
20:41
like, a login form to it, like find the main frame and
20:45
right in the middle, take out whatever's there and put a login form there. So it looks like the real website. It just looks like it has a login form added to it. So if they have no login form for you to use, you can just add one.
20:57
I'll do that fairly regularly. I mean, usually in my social engineering, really, the only things I do are send out emails and clone websites, and occasionally some stuff with text messages.
21:11
QR code generator. That could be fun. Um, publishing QR codes lying around. But you could make a QR code that goes to anywhere and post it wherever you like. So just because it
21:22
says that it goes to the store, that it's on the store's window and it says www.store.com underneath it, there's nothing to stop you from making it go, like we did here,
21:37
to
21:37
our own web server. The Jester did that with his Twitter iPhone a few years back, and it
21:44
had
21:45
exploits for iOS browsers in it and
21:48
at the time, so
21:51
certainly viable way to do things
21:53
as well. So
21:56
just a little bit about social engineering. The core of social engineering is that you're trying to get people to do things that they shouldn't,
22:03
like we saw with the Java applet one in a previous video, and that really just relies upon the user saying yes. There's no particular vulnerability. So as long as we can get users to say yes to running code, no matter how secure things get, there'll still be a way to get in. Another one I liked,
22:22
back when most computers actually had DVD drives. It's kind of hard to do with the USB stick was go in the bathroom and drop DVDs. It's like payroll from the previous year
22:33
on it. It would have the Excel spreadsheet that I mentioned with the Visual Basic in it. Somebody would open it, and it would say it needs to run this macro, and they'd say yes, and suddenly we would have control of their system.
22:45
So when you just gotta be kind of creative about it that your clients may say they know exactly what they want,
22:53
you know, they might be after a particular kind of phishing attacks
22:59
made this readable, do exactly what they're saying that every creative it'll religious depends

Up Next

Advanced Penetration Testing

This course covers how to attack from the web using cross-site scripting, SQL injection attacks, remote and local file inclusion and how to understand the defender of the network you're breaking into. You'll also learn tricks for exploiting a network.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor