Social Engineering - Christopher Hadnagy [152]

to create PDFs, emails, websites, and more with a few clicks and then focus more on the “social” part of social engineering.

Dave thought it over and decided that he could create a few easy Python scripts that would allow the social engineer to create PDFs and send emails with malicious code embedded in them. This was the birth of the Social Engineer Toolkit (SET). At the time of writing, SET had been downloaded more than 1.5 million times, and had quickly become the standard toolkit for social engineering audits. This section walks you through some of the main points of SET and how to employ them.

Installation

Installation is simple. All you need to have installed are Python and the Metasploit framework. Both of these are installed in the BackTrack distribution and there is no setup to worry about—in BackTrack 4 even the SET tool is installed. In case it is not or you are starting from scratch, installation is simple. Navigate to the directory you want it in and run this command in a console window:

svn co http://svn.secmaniac.com/social_engineering_toolkit set/

After executing this command, you will have a directory called set that will contain all the SET tools.

Running SET

Running SET is, again, an easy process. Simply typing ./set while in the set directory starts the initial SET menu.

This shows you exactly what the SET menu looks like. A comprehensive, in-depth tutorial about each menu option is available at www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_%28SET%29, but the following sections explain two of the most widely used aspects of SET.

First up is a discussion of the spear phishing attack, followed by a discussion of the website cloning attack.

Spear Phishing with SET

Phishing is a term coined to describe how malicious scammers will “cast a wide net” using targeted emails to try to get people to visit websites, open malicious files, or disclose information that can be used for later attacks. Being able to detect and mitigate these attacks is essential for survival in the Internet world today.

SET allows the auditor to test their clients by developing targeted emails and then logging how many employees fall for these attacks. This information can then be used in training to help employees see how to spot and avoid these traps.

To perform a spear phishing attack in SET, choose option 1. After pressing that number you are presented with a few options:

1. Perform a Mass Email Attack

2. Create a FileFormat Payload

3. Create a Social-Engineering Template

The first option is where you actually launch an e-mail-based spear phishing attack. The second option is where you create a malicious PDF or other file to send in your emails. Finally, option 3 is where you can create templates for use later on.

Launching an attack in SET is as simple as choosing the right options in the menus and then clicking Launch. For example, if I wanted to launch an e-mail attack that would send a victim a malicious PDF disguised as a tech report, I would choose option 1, Perform a Mass Email Attack.

Next, I would choose an attack vector (option 6) that was present in many versions of Adobe Acrobat Reader: Adobe util.printf() Buffer Overflow.

The next few choices set up the technical side of the attack: how Metasploit receives the reverse shell (the connection back from the victim’s computer) and which port that connection comes back on so as to avoid IDS or other systems. Choose option 2, Windows Meterpreter Reverse_TCP.

Select port 443 so the traffic looks as if it is SSL traffic. SET then makes the malicious PDF and sets up the listener.

After doing so, SET asks you if you want to change the name of the PDF to something more devious like TechnicalSupport.pdf and then asks you to fill in the email information for both sending and receiving. Finally, SET sends out a professional-looking email that will try to trick the user into opening the attached PDF. A sample of what the victim receives is shown in Figure 7-24.

Figure 7-24: An innocuous email with a simple attachment.
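The port 443 choice above only works against monitoring that trusts the port number. As an added example (not from the book or from SET), this Python check inspects the first bytes a client sends on a port-443 flow and flags flows that do not open with a TLS ClientHello; the flow records and their field names are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16    # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type a TLS client sends first
MAX_RECORD_LEN = 16384  # a TLS plaintext record carries at most 2**14 bytes


def client_hello_problem(payload: bytes):
    """Return None if payload begins like a TLS ClientHello, else the reason it does not."""
    if len(payload) < 6:
        return "too short for a TLS record header and handshake type"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE:
        return f"first byte 0x{ctype:02x} is not a TLS handshake record"
    if major != 3 or minor > 4:
        return f"unexpected record version {major}.{minor}"
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return f"implausible record length {rec_len}"
    if payload[5] != CLIENT_HELLO:
        return f"handshake type 0x{payload[5]:02x} is not ClientHello"
    return None


def flag_non_tls_443(flows):
    """Return (flow id, reason) for each port-443 flow that does not open with TLS."""
    findings = []
    for flow in flows:
        if flow["dst_port"] != 443:
            continue  # only flows claiming to be HTTPS are in scope
        reason = client_hello_problem(flow["first_client_bytes"])
        if reason:
            findings.append((flow["id"], reason))
    return findings


# Constructed sample flows (hypothetical field names, not a real capture format).
SAMPLE_FLOWS = [
    {"id": "flow-1", "dst_port": 443,
     "first_client_bytes": bytes.fromhex("1603010200010001fc0303") + bytes(32)},
    {"id": "flow-2", "dst_port": 443, "first_client_bytes": b"GET / HTTP/1.1\r\n"},
    {"id": "flow-3", "dst_port": 443, "first_client_bytes": b""},  # client never spoke first
    {"id": "flow-4", "dst_port": 80, "first_client_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for flow_id, reason in flag_non_tls_443(SAMPLE_FLOWS):
        print(flow_id, "->", reason)
```

In TLS the client always speaks first, so an outbound port-443 flow where the client sends nothing, or sends something other than a handshake record, deserves a closer look.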

After the e-mail
