CompTIA Pentest+ PT0-002 – Section 8: Social Engineering and Physical Attacks Part 2

64. Phishing Campaigns (OBJ 3.6)

In this lesson I’m going to show you how easy it is to conduct your own phishing campaign, so you can test your users and see if they know the correct practices and how to avoid a phishing scam. Now, in this campaign, what we’re going to do is create our own email, we’re going to send it out to our users inside our organization, see if they click on any of those links, and if they do, we’re going to provide them remedial training. To do all of this, it’s not complicated at all. In fact, you can use a free program that’s provided by Trend Micro to do this for you. This program is called Phish Insight. To access Phish Insight, you simply need to go to phishinsight.trendmicro.com. If you’ve never used it before, you’ll have to sign up and create an account. Again, this is a wonderful free tool.

Next, you’ll log into your account. So if we want to create a campaign for ourself, we’re just going to click on, “Create A Campaign.” Now, I’m going to make a very small campaign here of just one target, so I’m just going to key in the recipient of who I want to send this message to. And the person I’m going to send it to is Jason, so I’m just going to call my listing Jason, and I’m going to put Jason,Dion, Jason@diontraining.com, and his title, which is Instructor, and that should be fine. And then we’ll hit Continue, and you’ll see that I now have first name Jason, last name Dion, department is Instructor and his email address. Go ahead and hit Done. Next, I’ll go down to step two, which is so selecting a template. What I’m going to do is I’m going to select one that looks like a LinkedIn connection request, ’cause we get those all day long, and most of us don’t think twice about clicking on them. So if I just click on that this is the email they’re going to get. It’s going to say, “Jason, please add me to your LinkedIn network.” And all these places would add in Jason Dion. “Hi Jason Dion, I’d like to join in your LinkedIn network.” And there’s the Accept or the View profile, the Update, Subscribe, all that kind of good stuff. And this looks like a very realistic email and it’s already done for us. If we wanted to, we could customize it, to make it look less like LinkedIn or more like something else, but for now, we’re going to use this default. Next, we’re going to go through and specify what the email address is going to come from. In my case, it’s going to come from invitations@linkein.com. Notice the email is not actually spelled out LinkedIn, they’re missing a D.

This is something that our user should see and hopefully flag it as a phishing scam, as opposed to a real one. And notice that invitations is also spelled wrong. But if you wanted to make this look very, very realistic, you could actually put the exact, correct invitations@linkedin.com and spell it all correctly. Next, you can set up a schedule and run your campaign over several weeks or over one week or two weeks or even a month. And this is good if you have a large organization where you’re doing this with hundreds or thousands of employees. You want to see if they learn over time, and so by doing that, you can set up a schedule. You can also then decide what happens if they click on one of the links. So I can have When the campaign ends they will get training and be told, “Yes, you clicked on a link and you shouldn’t have”, or “No you didn’t”. Or you can do it immediately, when they click on a link and they’re phished. They might get something that looks like this.

This is a webpage that would come up and say, “Hey, you’ve been phished. You need some remedial training, click here and you’ll get the training.” Something of that nature. So that’s the way you can do that. And if we go back up here to our invitation, setting our schedule, or you can do it without notice. So I’m going to leave it with When Phished and then you can send yourself a text message or confirm to start the campaign. So now you’ll see that that campaign is upcoming and it will start in about an hour from now. Once that happens, we’ll be able to see who gets fooled, analyze those results and give those people training. So let’s look at an example phishing email. I just sent one out that showed it was coming from LinkedIn. Now this is what the user is going to see. From all looks, it looks like a legitimate email. If I look at the subject line, it says, “Jason, please add me to your LinkedIn network.” If I look at who it came from, it came from Invitations. And if I look at the message, it’s got the LinkedIn logo. It’s got things that look just like a LinkedIn message, but it’s not. If I click on any of these links it’s not going to take me to LinkedIn, instead, it’s going to take me to a phishing website.

And as you see, as I hover over it, notice what the link is. It’s not linkedin.com, it’s websitefun.club. Then go over here to the profile one, same thing, it brings me to another area of that website. Changing the frequency, same thing. This is a classic phishing scam, where it looks like one thing, but when you click on it it goes to another. Notice this email is well crafted, it’s crafted to look exactly like LinkedIn and it will trick a lot of your users. So one of the things we want to do with our phishing campaigns is to train our users that clicking links is bad. Instead, if I got this as a user, what should I do? I should open up a new web browser and I should go to linkedin.com, the site I know. And from there I can accept or reject that friend request. But just getting an email, you don’t want to click on those links, because that is an easy way to get yourself into trouble, because it can download malware or it might just collect information from you. Like you click on it, it says, “We need your username and password to log into LinkedIn.” And they have a website sitting there, that looks just like LinkedIn.

65. Social Engineering Toolkit (OBJ 3.6)

In this lesson, we’re going to be using the social engineering toolkit. The social engineering toolkit, also known as SET, is installed by default inside of Kali Linux. To launch it, we are simply going to be inside of our root@kali terminal, which you can access by using the root terminal emulator from your Kali desktop. Once you’re there, type in setoolkit for a social engineering toolkit and hit enter. Once you do that, it will go ahead and log in. And the first time, you do need to agree to the terms and conditions. Now that you’re at the main menu of the social engineering toolkit, we can use the menu system to navigate and configure the different tools. There are lots of different tools inside the social engineering toolkit, and for the exam you don’t need you to be familiar with all of them. But you should realize that if you’re conducting something like farming or phishing, the social engineering toolkit is the tool that’s going to help you do that. In this particular video, I’m going to show you how we can direct users to a site that we control to try to collect their username and password when they try to log into a site that they believe is legitimate, something like Facebook or LinkedIn.

To do this, we want to go ahead and use the social engineering attacks, which is option one. You’ll see you’re greeted by, again, another menu. Here we can see things like Spear-Phishing Attack Vectors, Website Attack Vectors, Infectious Media Generator, Create a Payload and Listener, Mass Mailer Attacks, Arduino-Based Attack Vectors, Wireless Access Point Vectors, QR Code Generator Attack Vectors, Powershell Attack Vectors, and Third Party Modules. Now, even though we’re going to be doing a spear-phishing attack, I want to be able to create a website that’s going to collect their credentials from people. So we’re going to go under Website Attack Vectors first, which is number two. Once we get here, you’ll see a short description of each of the different functions listed on the screen. The one we’re going to be using is the credential harvester, which is number three. When we do this, it’s going to utilize web cloning of a website that has a username and password field, harvest all that information that’s being posted to the website, and allow us to collect it.

So I’m going to hit three. Once I’m there, we’re going to see that this tells us the first method will allow SET, or the social engineering toolkit, to import a list of predefined web applications that it can utilize within the attack. The second method would completely clone a website of your choosing, and allow you to utilize the attack vectors within the completely same web application that you’re attempting to clone. The third method allows you to import your own website. Note, you should only do this when you have an index.html site when you’re importing the website functionality. Now, what we’re going to use is number two, which is the site cloner. Now that we’ve done that, you’ll see additional information on the screen. It’s saying that credential harvester is going to allow you to utilize the clone capabilities within the social engineering toolkit to harvest credentials or parameters from a website, as well as place them into a report. Now, before you enter your IP address, you need to read this important note. This note says that if you’re using an external IP address you need to place the external IP address below and not your NAT address. Now in our particular live environment, I am going to stay with my NAT address, which is my local system because I’m not putting this out on the internet to try to actually exploit people.

But if I was, I would have to use my public facing external IP address instead of my private IP address that you see selected here. I’m going to go ahead and hit enter, which will end up using the default address of 10.0.2.15, which is my at Kali Linux IP. And then it says it supports both HTTP and HTTPS. Now, what do we want this URL to be cloned? Well, I’m going to make it easy on myself and I’m just going to use something everybody uses, which is facebook.com. All right, it’s going off to Facebook, it’s capturing that site, it’s cloning the login page and getting everything set up for me. Okay, at this point, it is running in the background and you can see it says, the information will be displayed below as it arrives. So what we need to do is actually have a victim go to the IP address of this Kali machine so we can see what that form looks like. Okay, to do that, I’m going to go ahead and make this not full screen anymore. I’m going to move this over to the right corner so we can still see it. And any information we gather should be displayed right here underneath the blue text.

And then I’m going to open up Firefox. Now that I have Firefox, I’m going to go to 10.0.2.15, which was our website on our Kali machine. And there it is. We now see that we are at facebook.com, and the reason it’s showing in Spanish is because I’m located in Puerto Rico. So when I went to Facebook to grab that, it actually grabbed the Spanish version of the site. Now, if I wanted to make sure this was in English, I could do that through a VPN when I was grabbing this originally to make sure that I got the English version. At this point, if somebody tries to log in, for instance, jason@diontraining with the password, password, what’s going to happen is it is actually are going to go and take their password. And it redirected them over to facebook.com so they can try again. Now in the background, the social engineering toolkit has actually grabbed that information. So let’s go ahead and take a look at that.

Okay, so now that we have social engineering toolkit has grabbed that information, we’re going to hit Control + C. And this is actually going to go ahead and put that information into a report at root, slash, .set, slash, reports, slash, the date and time for our reading after the fact. So I’m going to go ahead and hit enter and there we go. Now, if I want to go and see that, we’re going to go ahead and open up another terminal. From here, we are going to go into root, slash, .set, slash, reports, and then hit enter. And there is our report. So let me go ahead and make that a little bit bigger for us. If we want to display it to the screen, we’ll just use cat. And I’m just going to do pipe, more, and that way we’ll see one page at a time. So what are we seeing here? Well, we’re seeing in XML file. Now this can be shown in all different formats because it is XML, but I’m just showing it here in TXT format to make it easy for us to look through. Now, as we go through, we’re going to see information based on each individual person. In this case, the first one we have was user zero.

This is a parameter that we’re getting set here so we can keep track of the users we’ve collected, because we might run this for a week and collect all that information. You’ll see over and over that user zero is there because that’s the person that we were dealing with. User zero, user zero, but so far, I don’t see that username and password so I’m going to keep on looking. And as I go down, we see that there it is. We have the username and the password, email and password right there that was collected. And that’s just a really simple example of how you can use the social engineering toolkit to be able to collect information by cloning a website and doing what is known as a farming attack. Now that we know the website works, we could create a spear-phishing email, send that to our victims and try to get them to go to our web link. Now, this is where it’s helpful if you have a web domain that looks like the original, like facebooks.com instead of facebook.com. So that way, it’s easier to trick users into clicking that link. Now, in addition to this we could go back into our social engineering toolkit.

We close this window, and now we want to get that website over to our end users to click on the link and get there. How would we do that? Well, if we go back a menu and we go up to our spear-phishing attack vectors, you could see here that we could perform a mass email attack which would be phishing. We could create a file format payload, or we could create a social engineering template. In our case, we’re going to perform a mass email attack. And from here, we can start setting out what those payloads are going to be. Now, by default, the social engineering toolkit’s spear-phishing campaigns or mass emailing campaigns are going to try to attach a file, such as a PDF with an embedded EXE. And so it’s asking us, which payload do we want to deliver as part of this exploit. As you go into your attacks and exploits phase, you’ll be able to pick which of these is most relevant. For example, if you’re looking at number six, which is Microsoft Word RTF, that only applies if the person is running Microsoft Word.

If we’re running something like OpenOffice, it’s not going to be vulnerable to that attack. So going back to your reconnaissance and information gathering is going to be important to decide what you want to do. Additionally, all of these are using an embedded EXE. Now that means it’s only going to be vulnerable against Windows systems. I run a Mac computer, and so this attack would not work on my personal system. Now, as we pick one, let’s go ahead and say we’re going to pick number six, which is the Microsoft Word vulnerability because a lot of people use Word, and then we can choose what payload we want. Whether that’s a reverse shell, a meterpreter shell, or other types of shells like that. Personally, I like I’m meterpreter reverse shell, so I’m just going to hit number two. And then, we are going to set up our payload listener. Now this, again, would need to be a public facing IP if you’re going to be doing this attack over the internet. In my case, I’m doing it locally inside my lab.

So I can use the default of 10.0.2.15, which is the IP of my Kali machine. And then what port do we want them to connect over? I personally like using 443, just like it recommends, because that looks normal to a network defender when they’re looking through their logs, that a workstation in their network is connecting to some web server over 443, which would be some kind of a secure HTTPS connection. So using 443 works for us. And there we go. It’s going to go ahead and do you all the hard work for you and get everything created for you. All right, now that it’s done creating that payload and creating that malware for us, we’re able to start sending this out. And you’ll notice here it says, if you’re using Gmail, you need to create an application password using Google to be able to set that up. If you’re using your own SMTP server, that won’t be an issue for you. Now, the next option it has is the ability for us to change the file name. For example, right now it’s named template.whatever.pdf.

Now, if I’m going to do something where I’m trying to say, this is an invoice that the company needs to pay, I might want to call it something like invoice. So I’m going to go ahead and hit number two to rename the file and we’re going to enter in the new file name of invoice1645.pdf, and hit enter. All right, we now have this file that is now called invoice1645.pdf, which would be something that looks like somebody would be able to click on as an attachment in their email. And that would be something that most people in a business environment would open up if you were sending it to something like the accounting department. All right, the next thing we have to do is look at the mass mailer. At this point, we can send an email to a single address or to everybody. Now, in my case, I’m going to do a targeted campaign. Maybe I’m going towards the CFO, the chief financial officer, so I’m just going to go after a single email address. At this point, we can use a predefined template or we can craft one of our own. I’m going to go ahead and do a crafting of my own. The subject of the email, Invoice from Dion Training #1645. Will the message be plain text or HTML? I’m going to use plain text. And I prefer plain text, because a lot of corporations will actually strip out HTML. And so, using plain text is going to be a better option to get through a lot of defenses.

And now, we’re going to enter the body of the message. Mr. Smith, comma, enter. Attached is the copy of your invoice, please remit payment within 30 days per our NET30 terms. Enter, enter. Thank you, Alexandra Cortez, CFO. There we go. Okay, now that we’re done, we’ll hit Control + C. And we’re going to say, who are we going to send this email to? Let’s say my target was john.smith@bigcorp.com. And there we go. Now in this email, I didn’t provide the link to the website that we just set up, but I could just as easily say, this is a email from Facebook, provide them the link to go to facebooks.com, which goes to my site, which is capturing their logging credentials. It really is up to you to get creative with how you want to do your targeting, whaling, spear-phishing and phishing emails using the social engineering toolkit. But my purpose in this video is just to show you the basics of how to use it. Now, we need to figure out how we’re going to send this. Are we going to use a Gmail account or use our own server or open relay? At this point, we’ll just hit number two for our own server or our own open relay. And then we’re going to say, what is our from address? In this case, it was alexandra@diontraining. What was the from name? Alexandra Cortez.

And then the open relay will go ahead and hit blank, ’cause an open relay password is blank because it’s an open relay. And then the server we’re going to be using. For instance, smtp.diontraining.com, for whatever open relay you have. Now in this case, this is not a real SMTP server so we’re going to get an error. And then the port we’re going to use is 25. And then flag this as high priority or not. We’re going to say no. And then we’re going to say, do we want to set up a listener? Yes, because we are attaching that reverse shell inside that PDF. So by setting up a listener we’re now sitting here waiting for somebody to connect.

As soon as they open up that PDF, it’s going to try to run that executable inside of it that’s embedded and be able to create that reverse shell with meterpreter’s payload, and connect back to my system so I can do further exploitation. Now, we’re not going to talk about Metasploit right now in this particular lesson. We’re going to spend some time in Metasploit later on when we get into attacks and exploits, specifically focused on network attacks and application attacks. At this point, that email is going, it is being sent. And at this point, we are sitting here just waiting for somebody to connect. If they connected, we would see a connection come on and then we’d have remote access to their system.

66. Pretexting (OBJ 3.6)

In this demonstration, I’m going to show you how pretexting works as part of a larger social engineering campaign. Now, to help me with this short example, let’s call up a company on my speaker phone here and see if we can trick the receptionist into giving me some details about the model of printers that they have, and maybe I can figure out a good attack vector to use against them as part of my pen test. (ringing) Hi, Big Old corporate headquarters. This is Sally. How may I help you? Yes, hello. My name is Bob Smith with Ink and Toner Express. Our offices received your order for toner last night but we’re having a slight delay in shipping your printers’ toner cartridges.

Now I’m pretty sure I can get you an alternative shipped out this afternoon and to your offices by the morning, but I need to verify your printer model. I would hate to send couple of cases of the wrong toner, you know? Are you guys still using the HP LaserJet as your multifunction printer? Could you double check the model number for me? Let me check. Hold on one second, please. All right, now while she’s off looking for that, let’s talk about this pretext for a second. I have no idea what kind of printer they’re even using but I bet she has no idea either. So if I just pick one of the big brands like Epson or HP or Lexmark, hopefully she’s going to go check for me, and if I get it wrong, she’s going to fill the details in for me. Mr. Smith, I just checked and it says it’s a Konica Minolta C368, not an HP.

Oh, right, I see that now. I’m sorry, I had your order mixed up with somebody else’s. They have the HPs over there. You’ve got those wonderful Konica Minoltas last year, I remember that. Let me double check my system a second here. Ah, yes, yes, yes, I see it now. The Konica Minolta bizhub C368, perfect, perfect. I see your order was for two cases of black, one case of cyan, one case of magenta, and only half a case of yellow. Now here is where I’m going to to try to push my luck and get some additional details from her. So Sally, you know that normally, the printer sends us the request for auto-shipment as it gets low in supplies. But unfortunately, I was surprised when Jimmy called us yesterday to tell us that you guys were running low. It seems our connection between your system and ours is not working quite right. I was wondering if you could do me a really big favor so we can get this fixed. I just need you to double check the IP address on the printer and make sure that I have it right in our system.

I would hate for the company to run out of supplies when you’re up against a deadline. Do you think you have just a moment that you can help me out real quick? It’ll just take a second. Yeah, I guess so. How do I check the IP address on a printer? Oh, it’s really, really easy. All you have to do is go over to the printer. On the touch screen, press the I in the upper right corner. When that comes up, just snap a picture with your cell phone, bring it back here, and you can read me the details of what I need. Do you think you could do that for me? Oh, sure, that seems easy enough. I’ll be right back. All right, so that’s the basic idea of a pretexting call. I didn’t know anything about the organization, but giving this receptionist some kind of likely facts like the fact that she’s running an HP system or a large printer in the copy room, which most businesses have, then I can trick her into giving me some kind of information. Now, if you’ve ever gotten one of those calls that says, “Hey, this is John from Microsoft and your Windows machine has been reporting that’s been infected with malware.

I’m calling you to help clean it up. I just need you to do step one, two, and three.” This is a pretexting call. In fact, this is one of the more common pretexts out there. The reason why I even used this example of a Windows machine calling out with malware is because I had the conversation with my mom earlier this week. She had gotten one of these calls a couple of days ago and they were telling her that her computer was infected with malware and that her Windows machine was calling out. And so she started playing along with them for about 20 minutes eating up their time because she knew it was false.

She knew it was a pretext and they were trying to get to a scam and try to coerce her for money or to get remote control of her computer. Now how did she know this? Because she’s one of those people in the 10% that doesn’t run Windows, she has an iMac. And so for her, it wasn’t something that she was going to fall for because she knew she didn’t have a Windows machine. Even information that seems innocent, like a model number for a printer or an IP address for a printer can be used as part of a further attack. And so we want to make sure we train our employees to not fall for pretexts and don’t fill in the gaps for other people when they’re calling you or even if they’re doing it in-person because pretexting is a way that we give some amount of information that seems true so that you’ll give us more information to fill in the gaps.

• Category: Uncategorized