Hello, everyone. This is Dean Pompilio, your social engineering subject matter expert. In this demo we're going to take a look at the Social Engineering Toolkit (SET). You can find the toolkit by going to your Applications menu, and it should be under Exploitation Tools. I generally just launch a command shell. We'll make this full screen. If we go to /usr/share/set ... As I mentioned in some previous demos, most of your Kali tools are ... and that's a good standard to follow if you decide to install additional tools later. You may not need to run that; you can usually use SET as is. It's included with Kali. Of course you can update it. So we're just going to run ...
In this first part of the demonstration, what I'm going to do is show how you can trick someone into signing into a copy of a website. And of course, you would do this in order to gather their credentials. It's actually very easy to do using SET, so we'll start off by selecting item number one for Social-Engineering Attacks. I recommend exploring the other options, like the Fast-Track Penetration Testing or Third Party Modules. You could update SET; you can also update your configuration. Some of these other capabilities of SET we will look at in the advanced course, but we'll do some simpler things in the introductory demonstrations. Anyway, we're going to select Social-Engineering Attacks.
Notice that we have several choices here: spear-phishing attack vectors, website attack vectors, infectious media, creating a payload, mass mailer. A lot of these are really interesting and can produce terrific results. But for our purposes, we're going to go with Website Attack Vectors. Now, what we want to do ... You could have a look at the actual list of the attacks. So you can create a malicious Java applet, you can try to exploit weaknesses in a browser trying to get the interpreter, or you could do something where you're playing games with the tabs in the browser, refreshing the page as the user switches tabs. There are lots of different things to explore here. We are just going to go for the Credential Harvester, because that's our initial goal. We want to try to get credentials and trick the user into ...
Notice that there are a couple of choices here as well. Site Cloner is pretty obvious: you pick a site that has some kind of a login form, and you give it the IP address that you want the information to be written to. So in general, that's going to be your instance of Kali that we have running here. I don't actually want that, so I'm going to go back out, go ahead and select Credential Harvester again, and what I want to do is actually pick a template. The template is more of a quick and dirty approach. If you need to actually clone a website in order for that to fit with your pretext for the social engineering audit, then of course cloning a website is a good idea. But to make things easy, we'll just pick from one of the templates. And now it's going to ask us again for that IP address. Notice that the Credential Harvester or the Tabnabbing tool requires this IP address because this is the host that the data will be getting sent to. So that is our Kali IP address. Double check that. Ctrl+Shift+T opens a new tab in my browser. So I'm just going to run the ifconfig command to verify my IP address. I can see that it's .128. Go ahead and paste that. Now what I'd like to do is choose from my templates. Google's a nice, quick and easy one to use, so we'll go ahead and do that. But otherwise we can choose from Facebook, Twitter, Yahoo, or some other site that requires ... To keep things simple, we'll just pick Google.
So notice that the cloning actually happened very quickly. It tells us that we need a username and password field, because this exploit will try to capture that data when it's ... Depending on how you have the Social Engineering Toolkit configured, you could use the built-in web server or you can tell it to use the Apache web server. I've set mine to use Apache. This provides better performance, so if you were doing ... or some other kind of mass email attack, you might want to have the more powerful web server running. Keep that in mind. If Apache is not running, then it will prompt you to start the service. I've already done that; that's why we don't get that prompt. So it tells me the web server is on and it's copied over the PHP files to the target directory, and these files go under your Apache directory. The output from the fake website goes into a file called harvester, and that'll have a date stamp associated with it. So it tells us everything has been moved to /var/www, and we can go ahead and hit Return. So this basically has built a copy of the Google web page; the web server is now serving that page, so there's no more work to do immediately on this system. I can go look at my files, and the index.html and the post.php were both just created by SET, the Social Engineering Toolkit. It also created the harvester file, and you'll notice that it gives me today's date and time. The file's empty, of course, because I haven't done anything yet.
Now what I can do is go over to my victim machine. On the victim machine I verify my IP address there: .131. A neat trick to use, which I definitely recommend: you can obviously obscure your link in various different ways, but one simple trick that doesn't take much time at all is to use the TinyURL website. I'm doing this on the victim machine for convenience, so I don't have to manually type in the link. I've got the copy and paste features disabled within my VMs for security reasons. For just demonstrating the concept, we can go to TinyURL ... the Kali instance that's running the Apache server, which is serving up this copy of the web page. So that's the IP address, and I can turn that into a TinyURL. If you haven't used this service before, it is pretty convenient because you can take really large URLs and condense them down to something like this. But of course, there are security risks. That's one of the reasons why this preview option has been added, to give people a bit more confidence to use the actual ... Now I can paste that URL into my browser window. Ideally, you would include this URL in an email to the victim. You might change the actual screen text to say something else, and then the actual anchor tag, the A tag, points to this actual TinyURL string of characters. There are lots of other ways to trigger someone going to this web link, but this is a really easy way. At least they don't see that it's an IP address; it's obscured, basically.
So we can go ahead and hit Enter. The victim believes they are going to their Google mail account, and that's what they see on the screen; that looks like a perfect copy. There's no reason to believe that this is not the official Google website, of course, unless the victim happens to glance up at the browser window, or rather the browser address bar, before they actually enter their data. If they do that, then they see that this is an IP address, and that might cause them to become a little bit suspicious, especially since the IP address is an internal, non-routable IP. This is not an IP address you would associate with a public Internet server. These are just some little warnings. But we're going to assume that the victim is not paying that much attention. They just think they're logging into Google. We'll call their email address blah blah blah, and we'll enter a password. Go ahead and click Sign in. Notice what happened there. I didn't actually sign in, of course, because this was a copy of the Google page. After it harvested the credentials, which happens in a split second, I was then redirected to the actual google.com. If I were to actually try to sign in here, I would see that same page again. This looks a little bit different, so maybe there's a little something that didn't get captured when we did the original grab, but this is the real website to sign in with your Google account. So most likely the victim, when they get presented with this screen, will just think, "Huh, that's weird. I know I entered the password correctly. I don't know why it didn't work." But maybe they click the Sign in button again, and now they get logged in. They think everything is fine.
So what we really need to do is go back to our Kali instance. I'm still sitting at the same menu in the Social Engineering Toolkit; nothing's changed there. It's waiting for me to do something else. However, in /var/www I should have some data in my harvester file, and I do. So what we can do is do a more on that file to see what we picked up. You can see that we went to accounts.google.com. There's some session ID information here; I don't really care too much about that. What we're really interested in is the email and the password. So this was very easily captured by just harvesting those two data fields from the form that was built as a copy of the Google website. So if this works successfully, you should now be able to authenticate to that target's website using their own credentials.