Social engineering
By Joshua Vansickles
The game plan
• What is social engineering?
• Common forms of social engineering to be aware of
• What might a hacker be doing, exactly?
• Tips to help prevent being socially engineered.
What is social engineering?
• The psychological manipulation of people into performing actions or divulging confidential information.
• Any act that influences a person to take an action that may or may not be in his/her best interest.
Common forms of social engineering
• Pretexting
• Baiting
• Quid Pro Quo
• Tailgating (Piggybacking)
• Phishing
Pretexting
• The attacker creates a new identity for him/herself, finds information about you, uses that knowledge to gain your trust, and then asks you questions to "prove your identity" (the parts about you that he/she doesn't already know).
• A more complex form, as it requires a flawlessly fabricated scenario.
• Relies on creating a false sense of trust between the attacker and the victim.
• Takes time and research to create the perfect plan. If there are any holes in the logic of the scenario, the attack will most likely fail.
Baiting
• The attacker offers a good to the victim in return for their login credentials.
• Ex. Win a free iPad just by logging into this site!
• Better known as leaving malware-infected physical devices (USB drives, CDs, etc.) in places where people will easily find them.
• Sometimes these devices are marked with attention-grabbing phrases in order to pique the victim's curiosity even further, so that the person is more likely to use the device.
Quid pro quo
• An attack in which the victim is offered a service in return for credentials, deactivation of antivirus, etc.
• In the physical world, employees have been known to give up their passwords in return for a candy bar or a small cash prize.
• In the cyber world, victims may be called by an "IT expert" who will offer to fix a computer, but only if the victim disables his/her firewall.
Tailgating (Piggybacking)
• An attack where the attacker does not have the proper credentials to enter a site, so he/she simply follows a person who does have them into the site.
• Many people hold the door for each other when walking into work, so this type of attack is quite easy to accomplish.
• Posing as a delivery person is a very easy way to take advantage of this type of attack.
Phishing
• Involves an individual or group that poses as a trustworthy organization in order to obtain sensitive information.
• Usually done through the use of electronic communication, such as email or a URL to a website that has malicious intent.
• Usually generalized (Dear Mr., Dear Miss, etc.), has an obviously "fishy" (no pun intended) vibe to it, and can use a link to a website that doesn't look too realistic.
Time to switch up the spectrum
• Using the Social Engineering Toolkit (SET), an open-source penetration testing framework designed for social engineering, let's see how an attacker may break into a victim's Facebook account!
• 1st attack – Credential Harvester
• 2nd attack – Java applet injection
How to use these slides
• The explanation will be on the first slide.
• The screenshot to go with the explanation will be on the next slide (so that the pictures are easier to see).
Let's get started
• Boot up a version of Kali Linux and start the Social Engineering Toolkit (depending on the version, the menu numbering may be different).
Credential harvester attack
• First, when we open SE Toolkit, we will see many options to choose from. For this demonstration, we will press 1 for Social Engineering Attacks and hit Enter.
Credential harvester attack
• Again, we see many options, but the objective we have in mind is to clone www.facebook.com so that the victim will believe that the site we show them is the real thing.
• Press 2 for Website Attack Vectors and hit Enter.
• An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
• http://searchsecurity.techtarget.com/definition/attack-vector
Credential harvester attack
• Since we want to steal the username and password of the victim through a fake Facebook login, we need an attack that harvests the username and password fields on a webpage.
• Press 3 for Credential Harvester Attack Method and hit Enter.
Credential harvester attack
• As mentioned before, we want to clone Facebook, so we need a site cloner.
• Press 2 for Site Cloner and hit Enter.
Credential harvester attack
• When the harvester gathers the credentials from the cloned site, it will need a place to send the report. This is where we specify the IP address of the attack machine so that we can see the report.
• Type or paste the IP into SE Toolkit and hit Enter.
• To find your IP address in Linux: open a new terminal and enter the command ifconfig
• Your IP address will be in the eth0 group if using a wired connection and wlan0 if using wireless, found after inet addr:
• DO NOT use the lo group for this, as that is the loopback address.
Credential harvester attack
• Now we need to tell SE Toolkit the name of the site that we want to clone.
• Enter http://www.facebook.com and hit Enter.
Credential harvester attack
• Now we can see that the harvester has cloned Facebook and is ready to report information. We can also see that it is running on port 80, the default HTTP port.
• Just a few more objectives to complete and we're ready to practice our social engineering skills!
Credential harvester attack
• To make the link we will be sending to our victim a bit more believable, we will use the website tinyurl.com and type in our IP address.
• Tinyurl.com is able to turn our bare IP address into a more believable web address.
Credential harvester attack
• Now that we have a more believable link, let's practice our social engineering skills. In this demonstration, we will try to manipulate a fake Facebook account, Gilbert McGullible, into clicking our link.
• In order to do this, we may need a bit more information about him, just to ensure that he is more likely to click it. When we go to his Facebook page, we find that he really likes Harambe memes. Maybe we can use this to our advantage!
Credential harvester attack
• Since we know that he likes Harambe memes, maybe we can trick him into clicking a link to a "Harambe meme site," which is really just our IP address where the reports are being sent. Let's create a conversation!
Credential harvester attack
• Right…alright then. Nothing suspicious there, right? Let's just see if he did it or not…
• If he signed in, we should get a report on our end and he should tell us that it didn't work for some reason.
Credential harvester attack
• Well, well, well…Thanks Gilbert! I now know that your email is gmcgullible@gmail.com and your password is Harambe4Prez2016
• And that was the Credential Harvester Attack!
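The warning signs the Phishing slide lists and the ones this walkthrough relies on (a generic greeting, a link that really resolves to a bare IP address, a URL shortener that hides the destination, and a host that merely contains a trusted brand name) can be checked mechanically before anyone clicks. The following is an added example written from the defender's side; it is not part of the original slides and not SET code. The shortener list, the brand table and the sample messages are assumptions constructed for this example.

```python
"""Added example (not from the slides): score a message for the
social-engineering indicators the slides describe. The shortener list,
brand table and sample messages are constructed assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Illustrative assumptions, not vetted lists.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}
PROTECTED_BRANDS = {"facebook": "facebook.com"}
GENERIC_GREETINGS = ("dear mr", "dear miss", "dear customer", "dear user")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    """True when the link host is a raw IPv4/IPv6 address, not a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _brand_lookalike(host: str):
    """Return the legitimate domain a host imitates: the brand name occurs in
    the host, but the host is neither that domain nor a subdomain of it."""
    for brand, legit in PROTECTED_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return None
        if brand in host:
            return legit
    return None


def analyze_url(url: str) -> list:
    """Indicators for one URL; an empty list means nothing was flagged."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    if _is_ip_literal(host):
        findings.append("link points at a bare IP address, not a domain")
    if host in SHORTENERS:
        findings.append("link uses a URL shortener that hides the real destination")
    legit = _brand_lookalike(host)
    if legit:
        findings.append(f"host {host} imitates {legit}")
    return findings


def analyze_message(text: str) -> dict:
    """Combine greeting and link checks for a whole chat message or email."""
    findings = []
    lowered = text.lower()
    if any(lowered.startswith(g) or f"\n{g}" in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    for url in URL_RE.findall(text):
        url = url.rstrip(".,!)")  # drop sentence punctuation glued to the link
        findings.extend(f"{url}: {f}" for f in analyze_url(url))
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample in the spirit of the Gilbert conversation.
    sample = "Dear Mr. McGullible, check out these Harambe memes: https://tinyurl.com/abc123"
    for line in analyze_message(sample)["findings"]:
        print(line)
```

A shortened link is not malicious by itself, so the shortener finding is best treated as a prompt to expand the link and re-run analyze_url on the final destination; the bare-IP and lookalike checks then apply to the real host.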
Let's prepare for the next attack
• Go ahead and start up SE Toolkit just like you did for the Credential Harvester Attack.
• For the most part, this next attack is very similar to the Credential Harvester Attack, but there are some minor differences.
Java applet attack
• After opening SE Toolkit, go through the same process as the Credential Harvester Attack: press 1 for Social Engineering Attacks, then 2 for Website Attack Vectors.
• Now we will need a Java app that gets injected into the victim's computer and allows us to completely take it over.
• Press 1 for Java Applet Attack Method and hit Enter.
Java applet attack
• Press 2 for Site Cloner just like in the Credential Harvester Attack, but this time it asks if we are going to be using NAT or Port Forwarding. Since we are using the same machine to listen and send out the attack, and since we do not have NAT set up in our network, we will not be using this.
• Answer no and hit Enter.
Java applet attack
• Enter your IP address, enter http://www.facebook.com, and then you'll see a list of different attack methods to choose from. Since the victim's firewall is most likely blocking inbound connections, we can't open a TCP connection to the victim ourselves. Instead, we start a listener on our machine and the victim's computer establishes the connection out to us. This is what's known as Reverse_TCP.
• Press 2 for Windows Reverse_TCP Meterpreter and hit Enter.
• Meterpreter is a tool that is packaged together with the Metasploit Framework. It runs in memory, attaches itself to a process, encrypts communication, and provides a platform to write extensions.
• https://cyruslab.net/2012/03/07/metasploit-about-meterpreter/
Java applet attack
• Again, we see a bunch of options to choose from, but we're looking for a backdoor into the victim machine.
• Press 16 for Backdoor Executable and hit Enter.
• Enter 443 for the port number in order to listen to all ports and hit Enter.
Java applet attack
• At this point, SE Toolkit is generating the injection code for each port and is preparing for the reporting process.
• Now we can make a tinyurl just like in the Credential Harvester Attack and start the attack on the victim.
• This time, however, we might say that we have a Facebook game to show him/her and that he/she will have to accept the Java application popup in order to run the game.
Java applet attack
• If the victim has an installation of Java that is below 7.0 and his/her antivirus is offline, then he/she will get the Java popup shown on the next slide.
• After the user accepts the terms and clicks "Ok" on the Java app, we can start to do some damage.
Java applet attack
• Now we have quite a lot of access to this person's computer and we can view some system information or even monitor what he/she is doing.
• In SE Toolkit, type sessions to see the available sessions.
• Type sessions -i 1 to open the first session.
• Type sysinfo to view system info.
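Seen from the victim's machine, the sequence these Java applet slides describe (browser loads the page, the Java runtime runs the applet, a dropped executable connects back out to the attacker's bare IP on port 443) leaves a recognisable trail in endpoint telemetry. The following is an added example from the defender's side, not part of the slides and not SET or Metasploit code. It assumes a simplified JSON-lines feed of process-start and network-connect events (loosely modelled on Sysmon's event types 1 and 3); the field names, the set of images treated as the Java runtime, and the sample events are all constructed for this example.

```python
"""Added example (not from the slides): flag a process launched by the Java
runtime that connects straight to an IP address with no hostname. The
telemetry format and sample events are constructed assumptions."""
import json
from typing import Iterable

# Process images treated as "the Java runtime" (assumption for this example).
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}

# Constructed sample telemetry: a browser starts the Java plug-in, the
# plug-in spawns a dropped executable from Temp, and that executable calls
# out to a bare IP on 443. The browser's own connection to a named host is
# the benign baseline that must not be flagged.
SAMPLE_LINES = r'''
{"event": "process_start", "pid": 100, "ppid": 1, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"event": "process_start", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\Java\\jre7\\bin\\javaw.exe"}
{"event": "net_connect", "pid": 100, "remote_ip": "203.0.113.10", "remote_port": 443, "remote_host": "www.facebook.com"}
{"event": "process_start", "pid": 300, "ppid": 200, "image": "C:\\Users\\gilbert\\AppData\\Local\\Temp\\update.exe"}
{"event": "net_connect", "pid": 300, "remote_ip": "198.51.100.7", "remote_port": 443, "remote_host": null}
'''.strip().splitlines()


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_callbacks(lines: Iterable[str]) -> list:
    """Return one finding per outbound connection made by a process whose
    parent is the Java runtime and whose destination had no resolved
    hostname (remote_host is null), i.e. it connected to a literal IP."""
    procs = {}       # pid -> {"image": ..., "parent_image": ...}
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["event"] == "process_start":
            parent = procs.get(ev["ppid"], {})
            procs[ev["pid"]] = {
                "image": ev["image"],
                "parent_image": parent.get("image", ""),
            }
        elif ev["event"] == "net_connect":
            proc = procs.get(ev["pid"])
            if proc is None:
                continue  # no start event seen; cannot attribute a parent
            spawned_by_java = _basename(proc["parent_image"]) in JAVA_IMAGES
            direct_ip = ev.get("remote_host") is None
            if spawned_by_java and direct_ip:
                findings.append({
                    "pid": ev["pid"],
                    "image": proc["image"],
                    "parent_image": proc["parent_image"],
                    "remote": f'{ev["remote_ip"]}:{ev["remote_port"]}',
                })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_callbacks(SAMPLE_LINES):
        print(f'pid {hit["pid"]} ({hit["image"]}) spawned by {hit["parent_image"]} '
              f'connected to {hit["remote"]}')
```

The destination port is deliberately not part of the rule: the walkthrough picks 443 precisely because it blends in with normal HTTPS traffic, so the parent-process lineage and the absence of a hostname carry the signal, not the port number.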