Blog Date: 9/15/2017
Author: Ray Coulombe
During my course, we focused on the Social-Engineer Toolkit (SET), or setoolkit, available as an open source download here.
The exercise we performed during my class was to clone a website in order to set up a phony phishing site. Spear-phishing attacks perform targeted email attacks using points of familiarity from public information, social media, or other sources. A group of emails can be sent based on harvested information from lists or scans, or individuals can be directly targeted. The emails can send malicious files or links, and the sender’s email address can be spoofed. Entering login credentials in the phony site allowed my listener site to capture the data, a technique known as Credential Harvesting.
Using a Website Attack, we also demonstrated how to use the phony site to get a user to download and run a file, in this case a keylogger. Other types of phishing-based website attacks are based upon getting a victim to click on a web link. Using the Metasploit framework (see side note), a web server can be set up on the attacking machine to host various exploit payloads. Clicking the link directs the victim to this server, whereupon the payload, e.g., a keylogger, is delivered. A Java Applet attack will spoof a Java Certificate and deliver the payload. Techniques exist to digitally sign these certificates.
The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different. The Web Jacking attack method utilizes iframe replacements to make the highlighted URL link appear legitimate. However, when clicked, a window pops up and is replaced with the malicious link. (iframe is the technique to display information from another web page within the same (current) page and is commonly used in social media.) All of this occurs through the use of port 80 (http) on the attacking machine which is commonly allowed through firewalls. If a browser has not been fully patched, known exploits can take advantage. Many exist for Internet Explorer.
Let’s look at some of the other options the Social Engineer Toolkit provides a hacker to easily compromise a careless victim.
- Infectious Media Generator - This USB/DVD creator will develop a payload that, when placed on a USB port, will trigger an autorun feature to compromise the system.
- Mass Mailer Attack - The mass mailer attack will allow multiple customized emails to be sent in a mass phishing attack.
- SMS Spoofing Attack - The SMS option allows the creation and sending of customized text messages. The SMS source can be spoofed and there is a choice of predefined or make-your-own templates.
- Wireless Access Point Attack Vector - This will create an access point from a wireless interface card on the attacking machine and leverage DNSSpoof to redirect a victim’s browser requests to the attacker.
- QR Code Generator Attack – Generates QR codes so that, when scanned, redirect the victim to the attacker’s site.
- PowerShell Attacks – PowerShell provides easy access to all major functions of an operating system. It is a framework, based on .NET, that offers a command line shell and a scripting language for automating and managing tasks. Installed by default on all new Windows machines, its management features can also work with virtual or Linux environments. It is attractive to hackers for many reasons, including stealth, obscurity, forensic resistance, and hacker community tools and support. It has been the means of choice to go after banks, governments, and corporations.
- Multi-pronged Attacks – Allows multiple attack vectors to be combined.
I think it’s important for security professionals to be aware of the types of tools that they’re up against. If this doesn’t get you and your coworkers to be extra-vigilant about what you open or click on, it’s only a matter of time before you’re a victim. Understanding and vigilance about social engineering attacks are the low hanging fruit in cyber-security…on both sides of the ball.