All right, let's have a little bit of social engineering. Sometimes social engineering can be completely non-technical. Some of the best social engineers I know just kind of ask people if they can do things, or better yet, just do them and say they'll apologize later, and they manage to do very well at it: break into banks, hotels, things like that. It can be just a matter of your people skills. But perhaps it's a little bit of a stereotype to say that tech people don't have very good social skills. So for some of us, the technical approach may be better. I personally am terrible with the human interaction; I can't social engineer anybody without sweating, so that's not anything I'm particularly good at.
But if you do have great social skills and can convince people to do what you want, it might be a route that you would be good at: making cold calls and asking people for information, just walking into the building and pretending like you belong. Things like that are valid for penetration testing, and some of your clients may want you to do that.
On the other hand, some of them may want something like a phishing attack. You get phishing attacks, probably from time to time: hey, open this page, or download this, or something like that. You can get really fancy ones, like having all the right pictures from Amazon and saying, you know, the television that you bought has shipped, at which point you kind of freak out: what? I didn't buy a television. Or it comes from the bank, and looks like it's from a bank, and says, oh, your card has been compromised; here is a PDF of all the charges that you've made, download it and look at them and see if they're right, and the PDF is malicious. Or, go to this site because your password has been compromised, please change your password, and you click on a link and it actually takes you to a clone of the website. And then when you update your information, the site on the other end actually gets the real login. So it would be like: give it your user name and your old password, then update your password. So the attacker's site will grab the old password and then be able to log in as you on the real site. So these are things that happen in the wild. So, like everything else in pen testing, we try and simulate these sorts of attacks and see who falls for them. If nobody falls for them, which I've never had happen in my career, then good job to the company. If everybody falls for it, we need some more security awareness training for sure.
So a tool that we can use that'll help us automate social engineering attacks is the Social-Engineer Toolkit, SET, in Kali. The Social-Engineer Toolkit is updated a lot. Do you agree to the terms of service? Sure.
So it also has other things, but its emphasis is social engineering. The author of this tool did something called Fast-Track before this, so all the Fast-Track stuff is in here. Next up, the update, things like that. Let's go to 1, social engineering attacks. There's a host of different things you can do here. The spear-phishing attack vectors basically just help us set up Metasploit modules, so let's just kind of look at one.
Perform a mass email attack. And basically the problem with these is that at least Gmail, and probably any of your other providers that are worth their salt, will catch them. So if they're using Google Apps, this isn't going to work. But for some of them that use their own mail servers, where you can log in, it may work. But all this stuff gets popped; it's like, that's malicious. But you can set up something like... let's do this one: PDF embedded EXE social engineering. So it's really similar to what we did with the Java applet. It's going to prompt the user and say, hey, can I run this EXE that's in the PDF? You also see stuff like this with Excel and other Microsoft Office things. They have Visual Basic scripts in them that have to run, which I've actually had work for someone once, a subcontractor, where they took an Excel spreadsheet with all of the vulnerabilities in it, and it would run a Visual Basic script. It would run the macro, and it would turn it into the template for the report. So that was nice, so there are legitimate uses for this. I mean, there's a lot of reasons why you would have Visual Basic script enabled in Excel files or things like that. But you can also use it maliciously and put in a malicious macro that creates a Meterpreter session. So, if you have Microsoft Office, that might be one to check out.
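The PDF-embedded-EXE and macro-document attacks just described leave recognisable structure in the file, which is what a mail gateway or an analyst keys on. As an added example, not from the course and not SET's own code, here is a small Python triage script that looks for the PDF objects such an attack relies on (/Launch, /EmbeddedFile, /OpenAction, /JavaScript, /AA) and for a VBA project inside an OOXML workbook. The sample PDFs and the workbook builder are constructed inline for the example and are not real SET output.

```python
import io
import re
import zipfile

# Constructed sample: a minimal PDF carrying an embedded file and a Launch action
# that fires on open. This is the shape of a "PDF embedded EXE" lure, not real SET output.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (payload.exe) >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no actions or attachments.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects worth flagging, with a one-line explanation for the analyst.
PDF_INDICATORS = {
    b"/Launch": "Launch action (can start an external program)",
    b"/EmbeddedFile": "embedded file stream",
    b"/JavaScript": "embedded JavaScript",
    b"/OpenAction": "action that fires when the document opens",
    b"/AA": "additional (automatic) actions",
}


def pdf_indicators(data: bytes) -> list:
    """Return descriptions of every risky PDF name object present in the raw bytes."""
    found = []
    for token, desc in PDF_INDICATORS.items():
        # Negative lookahead so /AA does not also match longer names such as /AAB.
        if re.search(re.escape(token) + rb"(?![A-Za-z])", data):
            found.append(desc)
    return found


def office_macro_indicators(data: bytes) -> list:
    """Look inside an OOXML (zip) document for a VBA project and a macro-enabled content type."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                found.append("VBA project (macros) present")
            if "[Content_Types].xml" in names:
                if b"macroEnabled" in zf.read("[Content_Types].xml"):
                    found.append("macro-enabled content type")
    except zipfile.BadZipFile:
        found.append("not a valid OOXML container")
    return found


def build_xlsm(with_macro: bool) -> bytes:
    """Constructed sample workbook: a minimal OOXML zip, optionally carrying a VBA project stub."""
    macro_ct = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
    plain_ct = b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    content_types = (b'<Types><Override PartName="/xl/workbook.xml" ContentType="'
                     + (macro_ct if with_macro else plain_ct) + b'"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            # OLE2 magic followed by padding; enough to stand in for a real vbaProject.bin.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage(filename: str, data: bytes) -> dict:
    """Dispatch on the file's magic bytes and return a verdict a gateway or analyst can act on."""
    if data.startswith(b"%PDF"):
        hits = pdf_indicators(data)
    elif data.startswith(b"PK\x03\x04"):
        hits = office_macro_indicators(data)
    else:
        hits = ["unrecognised attachment type"]
    return {"file": filename, "indicators": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    for name, blob in [("charges.pdf", SUSPICIOUS_PDF), ("clean.pdf", CLEAN_PDF),
                       ("report.xlsm", build_xlsm(True)), ("report.xlsx", build_xlsm(False))]:
        print(triage(name, blob))
```

The PDF check is a byte-level scan rather than a full parser, so it will not see names hidden inside compressed object streams; it is a first-pass filter that tells you which attachments deserve a real PDF parser or a sandbox, and the macro check answers the cheaper question of whether an Office file even carries a VBA project before anyone is asked to enable content.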
We'll just use a blank PDF. What do I want the payload to be? Typical Meterpreters here: Windows Meterpreter Reverse TCP. What's the IP address for the listener? So it basically just automates the task of this. So I mean, as far as I can tell with these, it's really for people who are lazy or don't know how to use Metasploit very well, because all of this is basically just hooking up to Metasploit underneath. Keep the filename, I don't care. And then you can have it mail for you. You can give it a list of email addresses that you probably get from the client, or you'll have to find them online through theHarvester and Maltego and the other tools that we saw previously when we did information gathering.
Pick the email template; there are built-in email templates. You could send Dan Brown's Angels & Demons; that was a long time ago. Send it to my address at bulbsecurity.com. So you can use your own mail server, or you can use Gmail. I'll send it from Bulb Security. So it does say unable to deliver mail, because Gmail can tell the PDF is malicious. That has been caught for a while. We'll see about avoiding antivirus a bit later on; you could take the output of this and then run it through antivirus avoidance techniques. So then you could set up a listener. So if it worked, it'll automatically set up a listener for you for when someone clicks on it. So it just kind of automates things so you can be lazy. What's hanging is waiting for Metasploit, because for whatever reason my Metasploit on here is the slowest I've ever seen it, which is, I suppose, pretty typical for something you're going to make videos with. You get the picture. I'll kill this and go back to the main menu. So the ones I really like to use on here
are the website attack vectors, number 2. These are the ones that I use in day-to-day life. It can do the Java applet attack method; we saw that. Credential harvester, I use this a ton. So number 3, credential harvester attack method. You could use web templates; let's just start with the template, and also do site cloner and custom import, so you can make your own. So start with just a web template. IP address for the POST back: all right, IP address. We want something with a login page, so Facebook.
Okay, so this has changed since the last time I used it. It actually puts it in Apache. I don't really like that, but okay, if you say so. service apache2 start. Go to /var/www. What's it called? Facebook. Refresh. Yeah, that doesn't look anything like Facebook, obviously.
Okay, that's weird. It didn't used to do that. It used to just set up its own web server. It's not going to be very useful to look at until I figure out how to make it work. Yeah, I don't really know what it's done, or maybe it's broken, cloning the website. But where did it put it, I wonder? It says Apache is on, everything will be placed in your web root directory of Apache, and files will be written out to the root directory of Apache. All files hooked; set to start the process. There's a post.php and the page itself, but it does not look like Facebook, so that's not very helpful.
Not entirely sure what's up with that. That's what I get for switching versions of Kali. Well, let's see what happens if I change the config file. No, we'll go here first, under /usr/share, to the toolkit's config, and see if I can make it go back to the way it used to work. Oops, where was it? Use Apache instead of the standard Python web server. I'm sure there's a way to make this work, I just don't know what it is, so I'll set it to off, so it works the way I'm used to it working. It says Apache is on; it'll stop it for me. All right, so now it should work.
So I just go to localhost. The harvester is ready; have the victim browse your site. Okay, I'm not sure what the deal was there. My VMs don't seem to want to browse to web servers right now, for whatever reason. I am able to make Facebook. It's not a very attractive version of Facebook, plain text; it doesn't have any pictures. I could certainly do better. But if I gave it georgia and password and do a login, it's of course going to POST the page back to me, but then actually even redirects me back to the original Facebook. The Social-Engineer Toolkit grabbed the username and the password as well as the rest of the POST request. So what I like to do next: just do a website clone. Let's see what has a login page.
So imagine gmail.com is your client. You put it into the site cloner. It's actually going to go out to the Internet and download the site. It didn't figure it out; it tried to redirect to the same page. Not what I was going for. It used to do a much better job than it's doing today. It's like it's adding the pages together. So again, if I log in, it sends me back to the real Google, and I should have gotten my credentials. Apparently, I didn't. Be careful when using these tools; they may just decide not to work for you. It would probably help if I updated it. It probably has certain settings that weren't compatible with Kali 1.0.9, and I haven't updated it, which, you know, has certainly happened to me. Let's see. Always update things. So obviously it's reloading it. It would be cool if we could get it to work.
And another thing I like to use is the mass mailer. That allows me to send out a bunch of emails. Before I started using this, I was lazy and I would just blind carbon copy everybody, which might tip people off that something's possibly wrong with this email. It might also get caught by spam filters. But if I use this, it'll actually send the emails one by one. I can just give it a list of emails, and then it will send them: georgia at bulbsecurity.com, and a couple of other addresses. Here I have other email addresses. So we can tell it root, you know, or tux, as the from email.
We are pleased to announce... look, your Active Directory credentials, which is probably spelled wrong. We'll do a link: a href equals, and then the address of our own web server. We could do something like this, so it would appear to us to really be the TrainACE website. So the link would appear to be this, but if you hovered over it, it would actually show that it went here.
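The trick just described, visible link text that names one site while the href points somewhere else, is exactly what a mail filter or an analyst looks for. As an added example, not part of the course and not SET's code, here is a Python check that parses an HTML email body, compares each anchor's visible host with its real target host, and also flags targets that are bare IP addresses. The sample email body and the 192.0.2.10 address (a documentation range) are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one deceptive link, two honest ones, one plain "Click here".
SAMPLE_EMAIL = """
<html><body>
<p>Your Active Directory credentials expire today. Reset them at
<a href="http://192.0.2.10/reset">https://portal.example.com/reset</a>.</p>
<p>Questions? See <a href="https://example.com/help">example.com</a> or
<a href="https://help.example.com">help.example.com</a>.</p>
<p><a href="https://portal.example.com/reset">Click here</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-case host from a URL or a bare domain; empty string when there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Heuristic: the visible anchor text is itself a URL or a domain name."""
    return "://" in text or ("." in text and " " not in text and "@" not in text)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html: str) -> list:
    """Return one finding per suspicious anchor: raw-IP target, or shown host != real host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if not target:
            continue
        if is_ip(target):
            findings.append({"text": text, "href": href,
                             "reason": "link target is a raw IP address"})
        if looks_like_url(text):
            shown = host_of(text)
            # A subdomain of the shown host (help.example.com for example.com) is not deceptive.
            if shown and shown != target and not target.endswith("." + shown):
                findings.append({"text": text, "href": href,
                                 "reason": f"visible host {shown} differs from target {target}"})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(finding)
```

The same comparison is what a mail client does when you hover over a link, only done for every anchor at once; in a gateway you would run it on the decoded text/html part and either quarantine or rewrite the message when the list comes back non-empty.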
So, I mean, obviously you need an Internet-facing web server to do this, or do it internally. But, you know, you can do it on Amazon's cloud or something like that. I mean, that's relatively obvious, kind of, but you'd be surprised how often it works. If we did something like went to the TrainACE website or the Cybrary site, and I think the Cybrary site probably has a login in it, but if they don't have a login, and this is what I was going to show you next if the site cloner would work, what you can do is actually bring in a site and add a login form to it: find the main frame, right in the middle, take out whatever's there and put a login form there. So it looks like the real website; it just looks like it has a login form added to it. So if they have no login form for you to use, you can just add one. I'll do that fairly regularly. I mean, usually in my social engineering, really the only things I do are send out email and clone websites, and occasionally some stuff with text messages.
QR code generator: that could be fun. Businesses put QR codes lying around, but you could make a QR code that goes anywhere and post it wherever you like. So just because it says that it goes to the store, and it's on the store's window and it says www.store.com underneath it, there's nothing to stop you from making it go, like we did here, to our own web server. The Jester did that with his Twitter avatar a few years back, and it had exploits for iOS browsers in it, so it's certainly a viable way to do things.
So just a little bit about social engineering. The core of social engineering is that you're trying to get people to do things that they shouldn't, like we saw with the Java applet in the previous video, and that really just relies upon the user saying yes. There's no particular vulnerability. So as long as we can get users to say yes to running code, no matter how secure things get, there will still be a way to get in. Another one I liked, back when most computers actually had DVD drives (it's kind of hard to do with a USB stick), was to go in the bathroom and drop DVDs labeled like payroll from the previous year. It would have the Excel spreadsheet that I mentioned with the Visual Basic in it, and somebody would open it, and it would say it needs to run this macro, and they'd say yes, and suddenly we would have control of their system. So you've just got to be kind of creative about it. Your clients may say they know exactly what they want; you know, they might be after a particular kind of phishing attack, and in that case do exactly what they're saying. Otherwise be creative. It all just depends.