Advanced Exploitation (part 4) Social Engineering
Video Activity
This lesson discusses social engineering. Social engineering is not necessarily a technical field; it can also be a matter of people skills. Social engineering involves stimulating the source of the attacks. A tool that can help with social engineering is the Social Engineering (SE) tool kit in Kali Linux. Social engineering can involve phishing at...
Video Description
This lesson discusses social engineering. Social engineering is not necessarily a technical field; it can also be a matter of people skills. Social engineering involves stimulating the source of the attacks. A tool that can help with social engineering is the Social Engineering (SE) tool kit in Kali Linux. Social engineering can involve phishing attacks or a mass e mail attack.
Video Transcription
00:04
All right, let's have a little bit of social engineering. Sometimes social engineering could be completely non technical. Some the best social engineers I know just kind of asked people if they can do things, or better yet, just do them and
00:19
say they'll apologize later, I managed to do very well at it. Break into banks, hotels. Things like that can be just a matter of your people skills. But
00:32
perhaps it's a little bit of a story of a time to say Aztec people don't have very good social skills. So for some of us, the technical approach may be better. I personally I'm terrible with the human interaction. Social engineering can't want anybody without sweating,
00:49
so that's not anything I'm particularly good at.
00:52
But if you do have the great social skills and can convince people to do what you want, it might be a route that you would be good at making cold calls and asking people for information, just walking into the building and pretending like you belong. Things like that is a
01:07
a valid for penetration testing, and some of your clients may want you to do that.
01:15
On the other hand, some of them may want something like, Ah, phishing attack. So you get phishing attacks, probably from time to time. But, hey, open this page or download this or something like that You can get really fancy ones, like, have all the right pictures from Amazon and say,
01:30
you know, your television that you bought has shipped, at which point you kind of freak out. What? I didn't buy a television
01:38
or, you know, it comes from the bank and looks like it's from a bank says, Oh, your card
01:42
may have been,
01:45
um, compromised. Here is a pdf of all your charges that you've made
01:51
download and look at them and see if they're right and the pdf is malicious or go to this site because your password has been compromised. Please change your password and you click on a link, and it actually takes you to clue in of the website. And then when you update your information
02:07
day
02:09
site on the other end actually gets theory, Jinnah ll. So it would be like give it your user name your old password, then update your passwords. So the
02:19
so the attacker site will grab the old password and then be ableto log in issue on the rial site. So these are things that happen in the wild. So, like everything else in been dusting, we try and simulate the sorts of attacks. And
02:31
she who falls for them if nobody falls for them, which I've never had happened in my career than good job on the company. If everybody falls for it, we need some more security awareness training for sure.
02:45
I'm so a tool that we can use. That'll help us automate social engineering attacks like you is the social engineer took it
02:53
as you tool kit in Cali.
02:59
Mostly, this is now
03:01
social engineer. Tool kit is updated a lot. Do you agree to the terms of service? Sure.
03:07
So it also has other things and emphasized it's social engineering. The altar of this tool did something called fast track before the
03:15
So all the fast track stuff is in here.
03:19
Next up, the update, things like that. Let's go toe one social engineering attacks.
03:25
There's a host of different things you can do here.
03:29
Um, the spear phishing attack vectors
03:31
basically just help us set up medicine. White model. So just kind of look at one.
03:38
So let's do it.
03:43
Perform a mass email attack. And basically the problem with these is at least put Gmail and probably any of your other providers that are worth their salt.
03:53
So if they're using Google ups, this isn't going to work. But some of them that use their own
03:59
stuff
04:00
you can long into there.
04:02
Mail servers may work, but all the stuff gets popped. It's like that's malicious,
04:09
but you can set up something like
04:14
Let's do this one pdf embedded e x e social engineering So it's really similar to what we did with the Java apple. It it's going to prompt the user and say, Hey, can I run this E x C? That's in the
04:27
PDS. You also see stuff like this with, like Excel and other like my purse upward things. They have, like visual basic scripts and them that have to run, which I've had actually worked for someone once
04:39
subcontractor where it was,
04:42
they took Excel spreadsheet with all of the vulnerabilities in it, and it
04:47
would run a visual basic strip. It would run the macro, and it would turn it into the template for the report.
04:55
So that was nice so there are legitimate uses for this. I mean, there's a lot of reasons why you would have a visual basic ship enabled
05:01
in your word files
05:03
or Excel files or things like that.
05:06
But you can also use it maliciously and put in a malicious macro that create interpreter. Even
05:14
so, if you have Microsoft Office, that might be one to check out
05:18
as well.
05:23
We'll just use a blank PDS What I want the payload to bay.
05:29
All of my
05:30
typical interpreters here,
05:33
Windows Interpreter Reverse TCP What's the I P address for the listener?
05:41
Poor.
05:42
So it basically just automates the task of this. So I mean, as far as I can tell with these, it's really for people who are lazy or don't know how to use medicine. Boyd. Very well, because all of this is basically just hooking up to intercept Finn. Um,
05:55
anonymous. If in a mimosa steel I rather on DDE
06:00
automating,
06:00
you should keep the following my care
06:04
and then you can have it mail for you.
06:08
You can give it a list of e mail addresses that you probably get from their client or you'll have to find them online through our harvester and multi go on other tools that we saw previously when we did information gathering
06:23
find the signs what has been built in email templates. You could send Dan Brown's age angels and demons. That was a long time ago.
06:30
Melted your building Security come
06:35
so you can use your own metal server. Or you can use Gmail
06:41
Convergent Home Security
06:50
help desk
07:01
So it does say, unable to deliver mail. Because Gina Ocon telling PS is malicious
07:08
that has been caught for a while. We'll see. Avoiding anti virus a bit later on. You could take the output of this and then run it through anti virus avoidance techniques.
07:20
So then you could set up a listener. So if it worked, it'll automatically set up a list or four years ago. When someone clicks on it,
07:28
come back to you.
07:30
So we're gonna just kind of automates things. So you're lazy.
07:38
Which hanging is waiting for medicine, boy, because for whatever reason, my medicine played on Here's the slowest I've ever seen it, which is,
07:46
I suppose, pretty typical for something you're gonna make videos with.
07:54
You got the picture, all this killing
07:57
and give it to me and menu. So the ones I really like to use on here
08:01
are the website attack Directors number two. These are the ones that I use day to day life. It can do the job, the apple, it attack method. We saw that
08:11
credential harvester. I use this baton. So number three credential harvesters You could use Web templates. Let's just start with the template and also do site cloner
08:22
and custom import so you can make your own show. Start with just a web template.
08:30
I p address for the post back.
08:33
All right, P address.
08:37
We want something with a log in. Page on Facebook
08:39
says Apache is on.
08:56
Why did it die?
08:58
Let me kill Apache
09:00
service. Is that you? Tues Er
09:33
Okay, so this has changed since the last time I used it.
09:39
It actually puts it in. Apache Don't really like that, But okay, if you say, sir,
09:46
service capacity to start
09:48
God of our weary Www.
10:03
Okay. You say, sir,
10:11
what's it called? Facebook.
10:22
Stop here. It's free.
10:28
Yeah, that doesn't look anything like Facebook, obviously.
10:35
Okay, that's weird. It didn't used to do that.
10:39
I used to just set up its own Web server.
10:52
It's not gonna be very useful to look at until I figure out how to make it work, Which
10:58
it's just Hello,
11:01
mine
11:15
in there. Yeah, I don't really know what it's done. Or maybe
11:18
if it's broken. Cloning the website.
11:22
But where did it put it? I wonder.
11:24
Apaches on everything will be replaced in your Web loot directory on Apache files, but written out to the Root Directory of Apache. All files hooking
11:35
set to start the process.
11:43
You're free to customers pushed not BHP a post our village. He does not look like
11:48
Facebook, so that's not very helpful.
11:52
Well, entirely sure. What's up with that?
11:54
That's what I get for switching versions of Cali.
11:56
Well, let's see what happens if I change the config far.
12:05
No, no, we'll go there first User share,
12:11
see if I could make it go back to the way it used to work Issue. Tool kit.
12:16
Yeah.
12:24
No, no.
12:31
And let's look for
12:33
groups. Know what I was here?
12:37
How are you
12:41
fuse Apache instead of standard Python Web server? I'm sure there's a way to make this work. I just don't know what it is, all the said it toe off. So it works the way I'm used to it working.
13:01
Okay,
13:11
Okay.
13:11
Says Apaches Barnes. It'll stop it for May.
13:16
All right, so now you should work.
13:20
So I just goto level Hearst
13:26
her. Mr is ready. Have the victim browse your sight
13:39
area. Okay. I'm not sure what the deal was there
13:43
that there might be. EMS don't seem to want to browse to Web servers right now. For whatever reason, I am able to make Facebook. It's not a very attractive version of Facebook planned. Dixit doesn't have any pictures.
13:56
It's certainly do better.
13:58
But if I gave it Georgia and password and do a log in, it's gonna have course in the post page back to May. But then, actually, even redirects may back to the original Facebook.
14:13
But if I look back
14:16
at my
14:18
special engineer toolkit grabbed the Eugene have a password as well as the rest of the post replaced.
14:28
So what I like to d'oh
14:31
next. Just do like a website clue. Nurse. Let's see what has a log in page
14:39
calm
14:43
log in page.
14:46
So imagine gmail dot com is your client
14:56
you skin and your sight cloner.
15:00
I was actually gonna call it the Internet and download the site.
15:18
Ah,
15:26
didn't figured your brother
15:31
I don't like, tried to read it to the same page.
15:35
Okay,
15:37
Not what I was going for.
15:41
Your clone, Google,
15:43
who's used to do a much better job than its during today
15:52
pages it ratings, too.
15:56
It's like adding the pages together.
16:02
So again, if I did well again
16:07
sends me back to the real Google
16:08
on, I should have gotten my credentials. Apparently, I didn't
16:15
So
16:15
August
16:17
be careful when using restricts, it may just decide not to work for you that I
16:22
It would probably help if I updated it.
16:26
It probably has, like, certain settings and that they weren't compatible. Callie, 1.0 point nine. And I haven't updated it. Which, you know, that certainly happened to me. Let's see you
16:37
that fictions Any claims
16:40
always update things
16:44
doot
16:49
***.
16:52
So very religious reloads it.
16:56
Update failed.
17:06
Okay,
17:07
well,
17:07
there would be cool if we could get it to work.
17:12
And another thing I like to use is mass Mailer.
17:18
Let's allow me to send out a bunch of emails. Before I started using this, I was lazy and I would just like Blind Carbon Copy everybody. Which one light set people off? The something's
17:30
possibly wrong with this email. It might also get help us band filters.
17:36
But if I use this will actually send the emails one by one. I could just give it a list of e mails, and then it will send them
17:42
over. And
17:45
no, don't,
17:48
uh, gold security dot com Georgia medicine slate dot com
18:00
Pure. Have other email addresses
18:07
so we can tell it root. You know, tux. So
18:11
read each of these are from the email.
18:34
Levian portal,
18:41
Britain HTML
18:45
Oh, please.
18:48
We are pleased to now
18:52
a new worker.
18:55
You pee in a bottle
18:59
for
19:02
counting payroll.
19:06
It's a vacation.
19:08
Uh, please
19:11
look, with your a d Dr directory
19:15
credit in So which is probably spelled wrong,
19:19
we'll do a link h rough equals and then
19:26
don't You don't want to create the wonder of 77.
19:33
We could do something like this. It would appear us to really be a train and star calms luxury be in total.
19:44
So the link would appear to be this.
19:47
But if you hovered over, it would actually show that it went here
19:49
So, I mean, obviously you need an Internet facing Web server to do this or do it internally.
19:56
But, you know, you can do it on, like, Amazon Cloud or something.
20:02
Uh,
20:03
you
20:06
cheese stare
20:08
something like that. I mean, that's relation Bull in Chile, kind of, But you'd be surprised how often it works
20:18
if we did something like went and it's got the train age website of cyber ery site and, ah,
20:25
I think the cyber race I probably has a log in in it, but if they don't have a log in and it was what I was gonna show you next if this site cloner would work is that what you can do is actually bring in a site on DDE
20:38
at a
20:41
like a log in the form to it, like find the moon frame and
20:45
right in the middle, take out whatever's there and put a log in form there. So it looks like the real website. It just looks like it has a log inform added to it. So if they have no Logan form for you to use, you can just add one.
20:57
I'll do that fairly regularly. I mean, usually my social engineer. Really, The only things I do are send out your mouth and clone websites on occasionally some stuff with text messages.
21:11
Q R code generator. That could be fun. Um, publishing cure codes lying around. But you could make a Q R code that goes to anywhere and pushed it wherever you like. So just because it
21:22
says that it goes to the store, that it's on the store's window and it says WW dot stored all calm underneath it. There's nothing to stop you from making it go like we did here.
21:37
Two.
21:37
Our own Web server. The gesture did that with his Twitter iPhone a few years back, and it
21:44
had
21:45
exploits for IOS browsers in it and
21:48
at the time, so
21:51
certainly viable way to do things
21:53
as well. So
21:56
just a little bit about social engineering in the core of social engineering is that you're trying to get people to do things that they shouldn't
22:03
like. We saw with their Java applet one previous video, and that really just relies upon the user saying, Yes, there's no particular vulnerability. So as long as we can get users to say yes to running code, no matter how security things get, there's still be a way to get in another one. I liked
22:22
back when most computers actually had DVD drives. It's kind of hard to do with the USB stick was go in the bathroom and drop DVDs. It's like payroll from the previous year
22:33
on. It would have the Excels Bridge shoot that I mentioned with the visual basic and it somebody would open it. And I would say it needs to run this macro and they'd say Yes, and suddenly we would have control of their system.
22:45
So when you just gotta be kind of creative about it that your clients may say they know exactly what they want,
22:53
you know, they might be after a particular kind of phishing attacks
22:59
made this readable, do exactly what they're saying that every creative it'll religious depends
Up Next
Advanced Penetration Testing
The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.
Instructed By
Similar Content
