Online Book Reader


Social Engineering - Christopher Hadnagy [154]

By Root 9953 0
besides website cloning and spear phishing; it also houses an infectious media generator. An infectious media generator is where the user can create a DVD, CD, or USB key encoded with a malicious file that can be dropped or left at the target’s office building. When it is inserted into a computer it will execute that malicious payload and cause the victim’s machine to be compromised.

SET can also create a simple payload and the proper listener for it. If the social engineer just wants to have an EXE that is a reverse shell that will connect back to his servers, he can carry this on a USB key for use on an audit. If he finds himself in front of a machine to which he wants remote access, he can put in the USB key, drop the payload file on the computer, and then click it. This will give him a quick connection back to his machines.

A newer attack vector is the Teensy HID attack vector. Teensy devices are tiny programmable circuit boards that can be embedded into things like keyboards, mice, or other electronic devices that get plugged into computers.

SET produces the programming needed to tell these tiny boards what to do when they are plugged in; commands like giving reverse shells or setting up listening ports are common.

One of the newest features of SET is a web interface to the tool. This means that a web server will start automatically to host the SET on a webpage for easier use. Figure 7-26 shows what this web interface looks like.

Figure 7-26: The new web interface of the Social Engineer Toolkit.

SET is a powerful tool made to help a social engineer auditor test the weaknesses that usually exist in a company. The SET tool developer is always open to suggestions and help in creating new parts of the tool so that it continues to grow into a more popular toolset. Again, www.social-engineer.org has a full explanation of every menu option for review if you want to delve deeper into this amazing tool. Continue to check both www.social-engineer.org and www.secmaniac.com for updates to the Social Engineer Toolkit.

Telephone-Based Tools

One of the oldest tools in the book for social engineers is the telephone. Nowadays, with cell phones, VoIP, and homemade phone servers, the options of how a social engineer can utilize the phone have grown considerably.

Because people are inundated with telemarketing calls, sales pitches, and advertisements, a social engineer needs to be skilled to use the phone successfully in an audit. Despite these limitations, using the phone as a social engineering tool can lead to total compromise of a company in a very short period of time.

In an era where everyone has a cell phone and people carry on personal and deep conversations on the bus, subway, or in any public place, the phone can be used in many ways. Eavesdropping or calling a target on their cell phone allows for additional vectors that were not available in days past. With the increased numbers of smart phones and computer-like phones on the market, more and more people are storing passwords, personal data, and private information on their phones. This opens up the ability for the social engineer to access the target and their data in many different situations.

Also, being connected 24/7 makes people more ready to give out information quickly if the caller passes a certain set of “criteria” that makes him believable. For instance, if the caller ID on the cell phone indicates that the person is calling from corporate headquarters, many people would give over information with no verification. Both the iPhone and Android smart phones have applications that can be used to spoof your caller ID number to any number you want. Apps like SpoofApp (www.spoofapp.com) allow the social engineer to make calls that look as if they originate from anywhere on earth for a relatively low cost per call. All of this goes to building credibility of your pretext.

Using the phone for social engineering can be broken down into two different arenas: the technology behind it and planning out what you say.

Caller ID Spoofing

Caller ID has become a commonplace
