Time
3 hours 55 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

In this lab, Subject Matter Expert Dean Pompilio demonstrates the Social Engineering Toolkit (SE Toolkit) that is built into Kali Linux and can be found by going to the Kali Linux Application Menu or by launching a command shell and going to /usr/share. In this part of Module 4 you will learn how to

  • run the SE Toolkit
  • trick your target into signing into a malicious Web site so that you can obtain their credentials
  • use Web site attack vectors
  • perform SE attacks such as spear phishing
  • trick your target into providing credentials by using the credential harvester
  • use the tab nabbing tool
  • use CTRL-SHIFT-T to open a new tab in your browser
  • use the various templates
  • choose the proper Web server for your activity
  • clone a Web site to use to trick your target
  • use the TinyURL Web site to streamline your process
  • understand the security risks of using the TinyURL Web site
  • communicate with your target to trigger them to go to the cloned Web site
  • authenticate to the target's true Web site using their own credentials

Video Transcription

00:04
Hello, everyone. This is Dean Pompilio,
00:08
your social engineering
00:11
subject matter expert.
00:14
In this demo, we're going to take a look at the Social Engineering Toolkit.
00:21
You can find the toolkit by going to your applications menu
00:25
in Kali Linux,
00:33
and it should be under Exploitation Tools,
00:39
SE Toolkit.
00:40
I generally just launch a command shell.
00:44
We'll make this full screen.
00:47
If we go to /usr/share/set,
00:51
as I mentioned in some previous demos,
00:56
most of your Kali tools are
00:59
in /usr/share,
01:02
and that's a good standard to follow if you decide to install additional tools later.
01:08
Okay,
01:11
so we've got a
01:14
setup program. Um,
01:17
you may not need to run that;
01:19
you can usually use SET as is. It's included with Kali.
01:23
Of course you can update it.
01:26
So we're just gonna run
01:27
setoolkit.
01:32
And in this first part of the demonstration,
01:36
what I'm going to do is
01:38
show how you can trick someone
01:41
into, uh,
01:44
signing into a copy of a website.
01:46
And of course, you would do this in order to
01:49
gather their credentials.
01:52
It's actually very easy to do using SET,
01:56
so we'll start off by selecting item number one for Social-Engineering Attacks.
02:02
Uh, I definitely
02:05
recommend exploring the other options, like the Fast-Track penetration testing or third party modules.
02:10
You can update SET. You can also update your configuration.
02:15
Some of these other capabilities of SET we will look at in the advanced course,
02:21
but we'll do some simpler things in the introductory demonstrations
02:27
anyway. So we're going to select Social-Engineering Attacks.
02:30
Notice that we have several choices here: spear-phishing attack vectors,
02:36
website attack vectors, infectious media, creating a payload, mass mailer.
02:40
A lot of these are really interesting and can produce terrific results.
02:45
But for our purposes, we're gonna go with Website Attack Vectors.
02:50
We'll select two.
02:54
Now what we want to do,
02:59
ah, you could have a look at
03:00
the actual list of the attacks,
03:05
so you can create a malicious Java applet. You can try to
03:09
exploit weaknesses in a browser,
03:13
trying to get the interpreter
03:15
to run.
03:17
Or you could do something where you're playing games with the tabs in the browser, refreshing the page
03:25
as the user switches tabs. There's lots of different things to explore here.
03:30
We are just gonna go for the Credential Harvester
03:34
because that's our initial goal. We want to try to get credentials
03:38
and trick the user into
03:40
clicking a link.
03:44
So select three.
03:47
Notice that there are a couple of choices here as well. Um,
03:52
Site Cloner is pretty obvious. You pick a site that has some kind of a login form.
03:58
We can select that
04:00
and
04:01
you give it the IP address that you want
04:04
the
04:06
the information to be written to. So in general, that's going to be your instance of Kali that we have running here.
04:15
So I don't actually want that. So I'm gonna go back out,
04:19
go ahead and select Credential Harvester again.
04:23
And what I want to do is actually pick a template.
04:27
The template is more of a quick and dirty approach. If you need to actually clone a website in order for that to fit with your pretext
04:33
for the social engineering audit,
04:35
then of course, cloning a website is a good idea.
04:40
But to make things easy, we'll just pick from one of the templates.
04:45
And now it's gonna ask us again for that IP address. Notice
04:48
the credential harvester or the tab nabbing tool requires this IP address because this is the host that will be
04:58
getting sent the data.
05:00
So that is our Kali IP address. Double check that.
05:05
Ctrl-Shift-T opens a new tab in my browser.
05:10
So I'm just gonna run the ifconfig command to verify my IP address. I can see that it's .128.
05:19
Go ahead and paste that.
05:25
Now what I'd like to do is choose from my
05:29
templates. Google's a nice, quick and easy one to use, so we'll go ahead and do that. But otherwise we can choose from Facebook, Twitter, Yahoo
05:35
or some other site that requires Java.
05:40
Keep things simple. We'll just pick Google.
05:44
So notice that the cloning actually happened very quickly.
05:47
It tells us that we need a username and password field
05:50
on the form
05:53
because this exploit will try to capture that data when it's
05:57
when it's, ah,
05:59
entered.
06:00
Depending on how you have the Social Engineering Toolkit configured, you could use the built-in Web server or you can tell it to use the Apache Web server.
06:10
I've set mine to use Apache. This provides better performance,
06:15
so if you were doing
06:17
a phishing
06:19
or some other kind of mass email attack you might wanna have the more
06:23
the more powerful Web server running. Keep that in mind.
06:28
If Apache's not running, then it will prompt you to start the service. So I've already done that. That's why we don't get that prompt.
06:35
So it tells me the Web server's on, it's copied over the PHP files to the target directory,
06:43
and these files go under your Apache directory.
06:46
And the output from the fake website goes into a file called harvester, and that'll have a date stamp associated with it.
06:57
So it tells us everything has been moved to /var/www,
07:01
and we can go ahead and hit Return.
07:03
So this basically has built
07:06
a copy of the Google Web page,
07:11
and
07:13
the Web server now is serving that page,
07:16
so there's no more work to do
07:18
immediately on this system. I can go to
07:25
/var/www
07:27
to go look at my files,
07:29
and the index.html and the post.php.
07:33
These were both just created
07:35
by SET, the Social Engineering Toolkit.
07:40
It also created the harvester file, and you'll notice that it gives me today's date and time.
07:48
The file's empty, of course, because I haven't done anything yet.
07:53
Now what I can do is go over to my victim machine.
08:00
Victim machine: I verified my IP address there, .131.
08:05
A neat trick to use, which I definitely recommend. You can obviously obscure your link in various different ways.
08:13
But one simple trick to use that doesn't take much time at all is to use the TinyURL website.
08:22
I'm doing this on the victim machine for convenience
08:26
so I don't have to manually type in the link.
08:30
But
08:31
I've got the copy and paste features disabled within my VMs for security reasons.
08:35
But anyway,
08:37
for just demonstrating the concept, we can go to TinyURL
08:41
and I can type in
08:43
the IP address
08:46
of the
08:48
the Kali instance that's running the Apache server, which is serving up this copy of the web page.
08:54
So that's the IP address,
08:56
and I can turn that into a TinyURL.
09:03
If you haven't used this service before, it is pretty convenient because you can take really large URLs and condense them down to something like this. But of course,
09:11
there are security risks. That's one of the reasons why this preview option has been added,
09:18
to give people a bit more confidence to use the actual
09:22
URL.
09:24
So
09:26
now I can paste that URL into my browser window.
09:33
And
09:33
ideally, you would include this URL
09:37
in an email to the victim.
09:39
You might change the actual screen text to say something else,
09:45
and then the actual anchor tag, the A tag, points
09:50
to this actual TinyURL
09:52
string of characters.
09:56
There's lots of other ways to trigger someone going to this Web link. But this is a really easy way. At least they don't see that it's an IP address. It's obscured, basically,
10:07
so we can go ahead and hit Enter
10:09
and
10:11
the victim believes they are going to their Google mail account,
10:18
and that's what they see on the screen. That looks like a perfect copy.
10:20
There's no reason to believe
10:22
that this is not the official Google Web site, of course, unless the victim happens to glance up at the browser window
10:31
temporarily before, or rather the browser address bar, before they actually enter their data. If they do that, then they see that this is an IP address.
10:41
That might cause them to become a little bit suspicious,
10:45
especially since the IP address is an internal non-routable IP. This is not an IP address you would associate with a public Internet server.
10:54
These are just kind of some little warnings.
10:58
But, that said, we're going to assume that the victim is not paying that much attention. They just think they're logging into Google.
11:05
So
11:07
we'll call their, uh,
11:09
email address blah, blah, blah,
11:13
and we'll enter a password.
11:24
You know, go ahead and click Sign In.
11:28
Notice what happened there.
11:30
I didn't actually sign in, of course,
11:33
because this was a copy of the Google page.
11:37
But
11:37
what it did
11:39
was, after it harvested the credentials, which happens in a split second,
11:45
I was then redirected to the actual google.com.
11:48
If I were to actually try to sign in here,
11:52
I would see that same page again. This looks a little bit different, so maybe there's a little something that didn't get captured
11:58
when we did the original grab. But this is the real
12:01
Google
12:03
website to sign in with your Google account.
12:07
So most likely the victim, when they get presented with this screen, will just think, "Huh? That's weird. I know I entered the password correctly. I don't know why it didn't work." But maybe they click the sign in button again, and now they get logged in. They think everything is fine.
12:22
So what we really need to do is go back to our Kali instance,
12:28
and I'm still sitting at the same menu in the Social Engineering Toolkit. Nothing's changed there. It's waiting for me to do something else. However,
12:37
in /var/www,
12:39
I should have some data in my harvester file, and I do.
12:43
So what we can do is
12:46
do a more on that file to see what we picked up.
12:52
You can see that we went to accounts.google.com.
12:54
There's some session ID information here.
12:58
I don't really care too much about that. What we're really interested in
13:01
is the email and the password.
13:05
So this was very easily captured by just harvesting
13:09
those two data fields from the form
13:11
that was built as a copy of the Google Web site.
13:18
So if this works successfully now, you should be able to authenticate
13:22
to that target's website using their own credentials.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor