Social Engineering - Christopher Hadnagy [153]
Surprisingly (or perhaps not, depending on your outlook), all of this was done in maybe six or seven mouse clicks, and it leaves the auditor with the freedom to focus on the actual social engineering aspect of these attacks.
This is a devastating attack because it exploits a client-side piece of software, and many times there is no indication onscreen that anything bad happened.
This is just one of the many attacks that can be launched using SET.
Web Attack Vector
SET also allows the auditor to clone any website and host it locally. The power of this type of attack is that it allows the social engineer to trick users into visiting the site under the pretense of being a developer making changes, or even using the trick of adding or deleting one letter in the URL but pointing people to the new site that is cloned.
Once at the cloned website, many different parts of this attack can be launched—information gathering, credential harvesting, and exploiting are just a few.
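One defensive counterpart to the "add or delete one letter in the URL" trick described above: the following is an added example, not code from the book or from SET, that flags hosts in a web-proxy log whose registrable domain is a single edit away from a domain the organization protects. The protected-domain list, log format and log lines are all constructed for this example.

```python
# Added example (not from the book or from SET): flag hosts in a proxy log
# whose registrable domain is one edit away from a protected domain, the
# "add or delete one letter in the URL" trick. All data here is constructed.
import re
PROTECTED_DOMAINS = ["gmail.com", "example-corp.com", "vendor-portal.net"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels; a real deployment would consult a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host: str, protected=PROTECTED_DOMAINS, max_dist: int = 1):
    """Protected domain that `host` imitates, or None (exact matches are legitimate)."""
    dom = registrable_domain(host)
    if dom in protected:
        return None
    return next((g for g in protected if levenshtein(dom, g) <= max_dist), None)

LOG_RE = re.compile(r"^\S+ \S+ (?:https?://)?([^/\s:]+)")  # "<ts> <user> <url>"

def flag_lookalikes(log_lines):
    """Return [(host, imitated_domain)] for every line that hits a lookalike."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        imitated = lookalike_of(m.group(1)) if m else None
        if imitated:
            hits.append((m.group(1), imitated))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines
    "2024-01-10T09:01:02Z alice https://mail.gmail.com/inbox",
    "2024-01-10T09:02:17Z bob http://www.gmai1.com/login",
    "2024-01-10T09:03:44Z carol https://gmail.co/",
    "2024-01-10T09:04:10Z dave https://vendor-portall.net/",
    "2024-01-10T09:05:00Z erin https://unrelated.org/",
]

if __name__ == "__main__":
    for host, good in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike: {host} imitates {good}")
```

Exact matches and their subdomains are deliberately not flagged, so legitimate traffic to the protected domain does not generate alerts.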
To run this attack in SET you would choose option 2, Website Attack Vectors, from the main menu. Upon choosing option 2, you are presented with a few options:
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Return to the previous menu
A particularly evil attack vector is option 1, a Java Applet Attack. Basically, the Java Applet Attack presents the user with a Java security warning saying that the website has been signed by ABC Company and asks the user to approve the warning.
To perform this attack, choose option 1, and then option 2, Site Cloner.
Upon choosing Site Cloner, you will be asked which website you want to clone. Here, you can choose anything you want—the client’s website, a vendor they use, or a government website—the choice is yours. As you might imagine, though, choosing a site that makes sense to the target is essential.
In this exercise, imagine you cloned Gmail. You would be presented with the following on the screen:
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.gmail.com
[*] Cloning the website: http://www.gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: DAUPMWIAHh7v.exe
[*] Malicious java applet website prepped for deployment
Once you are done with this, SET will ask you what type of connection you want it to create between you and the victim. To use a technology discussed in this book, choose the Metasploit reverse shell called Meterpreter.
SET gives you the option to encode your payload with different encoders. This is to help you avoid getting caught by antivirus systems.
Next, SET launches its own built-in web server, hosts the site, and sets up a listener to catch your victim browsing the website.
Now it is up to the social engineer to craft either an email or a phone call to draw the target to the URL. In the end, the user would see what is shown in Figure 7-25.
The end result is that the victim is presented with a Java Applet stating the site has been signed by Microsoft and that the user must allow it to run in order to access the site.
As soon as the user allows the applet to run, the attacker is presented with a shell prompt on the victim's computer.
Figure 7-25: Who wouldn’t trust a digitally signed applet from Microsoft?
Other Features of SET
SET was developed by social engineers with social engineers in mind, so the toolset that it gives the user is based around the common attacks needed by those in the auditing business.
SET is constantly growing and expanding. In recent months, for instance, SET has become capable of handling other attacks