NTW600 Social Engineering Attacks Assessment
- Subject Code: NTW600
- Country: Australia
Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks, or even months trying to penetrate layers of network security when we can just trick a user into running a file that gives us full access to their machine and bypasses antivirus, firewalls, and many intrusion detection systems? This is most commonly seen in phishing attacks today: craft an e-mail or create a fake website that tricks a user into running a malicious file that creates a backdoor into their system. Kali Linux includes one of the most popular social engineering attack toolkits available, David Kennedy's Social Engineering Toolkit (SET). David's team is very active on SET; new features and attacks are always being added, and more recently several non-social-engineering tools have also been added, making SET a very robust attack tool.
Type the following command in a terminal:
The screenshot follows:
We can see "Social-Engineering Attacks" at the top of the menu, so we choose number 1 and hit Enter. We are then shown the social engineering options, as in the following screenshot:
In this lab we choose option 5, the Mass Mailer Attack.
One way a social engineer will attack a network is to send out a flood of e-mails to company addresses and see who responds or runs the malicious attachment sent with them.
After entering option 5 in SET we get two options:
- E-mail Attack single E-mail Address
- E-mail Attack Mass Mailer
The screenshot follows:
For this example, let's just send one. We press 1 and hit "Enter". Then we enter a target e-mail address. See the following screenshot:
Now we select option 1 to send through a Gmail account rather than our own server. For this lab we will use a fake Gmail account. The Gmail address and password must be correct.
Then we choose a spoofed name to use for the "From" line of the message. Let's use "supporrt@google.com" so it looks like it comes from Google. Pay special attention to this field, as this is where the real social engineering takes place. Now SET asks for the password of the Gmail account.
Then we answer "yes" at the prompt "Flag this message/s as high priority?". We don't want to attach any malicious file, so we choose "no" when prompted "Do you want to attach a file?".
Next we enter an e-mail subject line. What about "Important update"?
Enter "p" when prompted "Send the message as html or plain?". Now type in a fake message, preferably one that will entice the victim to click on an included malicious link or to surf to a malicious web page. In actual defence practice this could simply be a test web page that records the IP address of anyone who was tricked into visiting it. That way, as security professionals, we know who in our organisation needs to be better educated on the risks of malicious e-mails.
When finished we type "END" on the last line, just as in the following screenshot.
Then we press "Enter" and SET sends the e-mail to the victim. The message in the screenshot above is obviously a silly fake, but something like this (with a much more believable message) could be used to test employees' ability to detect, resist and report phishing attempts.
So far we have just sent a fake e-mail that could redirect someone to a bogus site. But if we could make a fake site that offered up a booby-trapped script, and if the user allows the script to create a shell with the user.
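The mail this lab sends has two tell-tale properties a mail filter or analyst can check for: the visible "From" address is not the account that actually delivered it (a Gmail account), and the address is a one-letter lookalike of a real support address. The following is an added defensive example, not part of SET or of the original lab; the raw message, the trusted-sender list and the use of `X-Priority` as the high-priority marker are all constructed assumptions.

```python
"""Flag mail whose visible From line does not match the envelope sender.

Constructed example (not from the SET lab): the spoofed From line is
delivered through an ordinary Gmail account, so Return-Path and the From
domain disagree, and the local part is a near miss of a real address.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed raw message modelled on the lab's spoofed mail; not a real capture.
# Which header a given mailer uses to mark "high priority" varies; X-Priority is assumed.
SAMPLE_EML = b"""Return-Path: <lab.tester.2024@gmail.com>
From: supporrt@google.com
To: victim@example.com
Subject: Important update
X-Priority: 1

Please open the link below to apply the update.
"""

# Legitimate sender addresses the organisation expects mail from (assumed list).
TRUSTED_SENDERS = {"support@google.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: bytes) -> list[str]:
    """Return the reasons a message looks like a spoofed phish (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    findings = []
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {rp_domain}")
    for trusted in TRUSTED_SENDERS:
        if 0 < edit_distance(from_addr.lower(), trusted) <= 2:
            findings.append(f"From address {from_addr} is a lookalike of {trusted}")
    if str(msg.get("X-Priority", "")).strip().startswith("1") and findings:
        findings.append("high-priority flag set on an already suspicious message")
    return findings
```

Running `analyse(SAMPLE_EML)` on the constructed message yields three findings; a message whose From and Return-Path agree and whose address is on the trusted list yields none.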