
Monday, February 27, 2012

Social Engineering & SET

Social engineering
Social engineering is the acquisition of secret or sensitive information, or of access rights, by deceiving the person who holds them. It is typically carried out by telephone or over the Internet. It is one of the methods hackers use to gather information about a target: they simply ask the victim, or someone else who has the information, for it.

Social engineering concentrates on the weakest link of any computer network, namely the humans. No computer system exists that does not involve human interaction, and worse, this weakness is universal, independent of platform, operating system, protocol, software or hardware. Every system shares the same weakness in the human factor. Any person who has physical access to the system is a threat, even if that person is not covered by the security policy that has been written. Like other methods such as hacking, social engineering requires preparation; in fact most of the work is the preparation itself.
Behind all the security mechanisms and security procedures that exist there is another very important factor: the human.
In many references the human factor is rated as the weakest link in a security system. A good security system is useless if it is run by an incompetent administrator. In addition, on a fairly complex network there are usually many users who do not understand security issues or do not care enough about them. Take the example of a company: the network administrator has implemented a sound security policy, but some users ignore it. They use easily guessed passwords, forget to log out when leaving work, or simply hand their access to colleagues or even to clients. An attacker can exploit these gaps to steal or damage important company data.
In the same situation an attacker can also pose as an interested party and request access from any careless user. Such actions are classed as social engineering.


Social Engineer Toolkit


The first menu entry, Spear-Phishing Attack Vectors, offers 3 different options: Mass Email Attack, FileFormat Payload, and Social Engineering Template.

Mass Email Attack 

The mass email attack sends a message to a list of addresses with a malicious PDF attached. First, set SENDMAIL to ON in set/config/set_config. Next, start SET again and select Mass Email Attack. SET first asks which Metasploit file-format exploit to build the PDF with (for example the Adobe PDF Embedded EXE module, which hides an executable inside the document), then which Metasploit payload that executable should carry. For a reverse TCP payload you enter your IP and port, and a Metasploit handler must be listening there for the connection back. The PDF is then generated, and each address on the list receives a custom email with the backdoored PDF attached. The attachment still depends on the target's reader: an exploit only works against an unpatched version, and an embedded executable needs the user to click through the reader's warning, so patching readers and stripping executable content at the mail gateway blunt this vector.

FileFormat Payload

The FileFormat Payload vector is basically the same thing as the Mass Email Attack minus the email: it outputs the malicious file, which you then distribute yourself.
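Both spear-phishing options above produce a document whose danger is invisible in the file name: a PDF carrying an embedded executable or script, plus an action that fires it when the document is opened. The following triage script is an added example for this post, not code from SET or Metasploit; it shows what a mail gateway or an analyst can check before anyone opens the attachment. The sample PDFs are constructed by hand to exercise the checks and will not open in a viewer.

```python
"""Triage a PDF attachment for the markers a file-format attack leaves behind.
Added example for this post, not code from SET or Metasploit.  The sample PDFs
are constructed by hand; they are not real exploit files."""
import re
import zlib

# Names a benign document rarely needs but a backdoored one usually does ...
ACTIVE = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/JS", b"/RichMedia")
# ... and the hooks that fire them when the document is opened or on an event.
AUTO_TRIGGER = (b"/OpenAction", b"/AA")


def normalise_names(data):
    """PDF names may spell letters as #xx hex escapes (/Java#53cript); undo that."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Append the inflated content of every FlateDecode stream, so names hidden
    inside compressed object streams (/ObjStm) are scanned as well."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (page content, the embedded file itself, ...)
    return data + b"\n" + b"\n".join(extra)


def count_names(data):
    """Count each interesting name in the document after inflating and de-escaping."""
    text = normalise_names(inflate_streams(data))
    counts = {}
    for name in ACTIVE + AUTO_TRIGGER:
        # A PDF delimiter must follow the name, so /JS does not match /JSX and
        # /EmbeddedFile does not match the harmless /EmbeddedFiles name tree.
        hits = re.findall(re.escape(name) + rb"(?=[\s/\[\]<>(%])", text)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def classify(counts):
    """'high' = something to run AND something to trigger it; 'review' = only one."""
    active = any(n.decode() in counts for n in ACTIVE)
    auto = any(n.decode() in counts for n in AUTO_TRIGGER)
    if active and auto:
        return "high"
    if active or auto:
        return "review"
    return "clean"


# Constructed sample 1: embedded executable launched on open (uncompressed).
SAMPLE_MALICIOUS = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(update.exe) 5 0 R] >> >> /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
5 0 obj << /Type /Filespec /F (update.exe) /EF << /F 4 0 R >> >> endobj
6 0 obj << /S /Launch /F (update.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: JavaScript on open, with the name hex-escaped to dodge grep.
SAMPLE_OBFUSCATED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Java#53cript /JS (app.alert('hello')) >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: plain text page, nothing active.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 38 >> stream
BT /F1 12 Tf (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample():
    """Constructed sample 4: the /Launch action sits inside a FlateDecode object
    stream, where a search over the raw bytes alone would never see it."""
    inner = b"6 0 obj << /S /Launch /F (update.exe) >> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 6 0 R >> endobj\n"
            b"7 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >> stream\n" + body
            + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_COMPRESSED = build_compressed_sample()

if __name__ == "__main__":
    for label, pdf in [("embedded exe", SAMPLE_MALICIOUS), ("hex-escaped", SAMPLE_OBFUSCATED),
                       ("compressed", SAMPLE_COMPRESSED), ("clean", SAMPLE_CLEAN)]:
        counts = count_names(pdf)
        print(f"{label:>12}: {classify(counts):6} {counts}")
```

Real documents almost always compress their objects, which is why the inflate step matters; this script only understands FlateDecode, so for other filters or cross-reference streams use a dedicated tool such as Didier Stevens' pdfid.py and pdf-parser.py. A "high" result on an attachment from an unexpected sender is a reason to detonate it in a sandbox, not to open it.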

Social Engineering Template

The Social Engineering Template option lets you write an email template for use with SET and emails it to the SET developers for consideration in future versions.

Website Attack Vectors

Option 2 is Website Attack Vectors, which contains all the browser-based attacks.
  
Java Applet Attack Vector
The first, and in my opinion most impressive, is the Java Applet Attack Vector. Basically, the cloned page carries a custom Java applet; when the URL is opened and the user accepts the applet, it runs the payload and instantly creates a Meterpreter/shell session on the victim. To enable it, first go to line ~48 in set/config/set_config and change SELF_SIGNED_APPLET to ON. Next, open SET and select Java Applet Attack Vector. From here you have two options: Site Cloner or Custom Import. The Site Cloner downloads the page you are trying to emulate and injects the malicious applet into it; Custom Import lets you import your own HTML and injects the applet there. After you fill in the appropriate details, SET sets up a local web server hosting the applet and the corresponding page, and Metasploit handles the session once a victim runs the applet.
This is a very convincing attack, since most users automatically click "Trust" whenever the applet prompt pops up, especially if the applet is signed (SET's self-signed applet feature) with a "legitimate"-looking name. A self-signed certificate proves nothing about who wrote the applet; anyone can issue one with any name in it. Moral of the story? Don't run Java applets unless you are a) expecting one, and b) you trust the site hosting it.

Credential Harvester Attack Method

This feature sets up a username/password harvester by downloading a copy of the target site and rewriting its login form so that everything the victim types is posted to the attacker's server and saved. Because it is an exact copy of the site in question it is rather convincing, and it has the bonus feature of redirecting the user to the real website after the credentials have been captured, which reduces suspicion. The way to avoid it is to look at the URL before submitting anything, and to read the whole host name rather than just the part that looks familiar: the real site's name can be used as a sub-domain of the attacker's own domain so that the address looks right at a glance.
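The two website vectors above rely on the same two things: a host name that looks right at a glance, and a page that posts the form (or loads an applet) from the attacker's server. The script below is an added example for this post, not code from SET; it audits a login page for both, and shows why the hurried "does the URL contain the company name?" check fails. Every host name ending in .test, and the page markup, are constructed for the demonstration.

```python
"""Audit a login page for a lookalike host and for forms or applets that hand
data to someone other than the expected site.  Added example for this post,
not SET code; all .test host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that send data somewhere or load code, and the attributes carrying the URL.
URL_ATTRS = {
    "form": ("action",),
    "applet": ("archive", "code"),
    "object": ("data",),
    "embed": ("src",),
}


def host_belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or a real sub-domain of it.
    'accounts.example.com.attacker-demo.test' and 'examp1e.com' both fail."""
    host = (host or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def naive_check(url, expected_domain):
    """What a hurried user does: look for the familiar name anywhere in the URL."""
    return expected_domain in url


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for the tags listed in URL_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in URL_ATTRS:
            attrs = dict(attrs)
            url = next((attrs[a] for a in URL_ATTRS[tag] if attrs.get(a)), "")
            self.refs.append((tag, url))


def audit_login_page(page_url, page_html, expected_domain):
    """Return (problem, detail) findings; an empty list means nothing on the
    page contradicts it being the genuine login page of expected_domain."""
    findings = []
    host = urlsplit(page_url).hostname  # ignores userinfo before '@'
    if not host_belongs_to(host, expected_domain):
        findings.append(("page served from foreign host", host))
    collector = RefCollector()
    collector.feed(page_html)
    for tag, ref in collector.refs:
        # A relative URL resolves against the serving host, so a cloned page
        # that keeps the original's relative action still posts to the attacker.
        target = urljoin(page_url, ref)
        if tag == "form":
            if not host_belongs_to(urlsplit(target).hostname, expected_domain):
                findings.append(("form posts to foreign host", target))
        else:
            # A login page has no reason to load an applet, object or embed.
            findings.append(("active content on login page", target))
    return findings


# Constructed samples: the genuine page, the harvester's clone of it on a
# lookalike host, and the same clone carrying a Java applet.
REAL_PAGE = "https://accounts.example.com/login"
HARVESTER_PAGE = "http://accounts.example.com.attacker-demo.test/login"
USERINFO_TRICK = "https://accounts.example.com@attacker-demo.test/login"
LOGIN_HTML = """<html><body>
<form method="post" action="/login">
<input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""
APPLET_HTML = LOGIN_HTML.replace(
    "</body>",
    '<applet code="Update.class" archive="Update.jar" width="1" height="1"></applet></body>')

if __name__ == "__main__":
    for url, html in [(REAL_PAGE, LOGIN_HTML), (HARVESTER_PAGE, LOGIN_HTML),
                      (HARVESTER_PAGE, APPLET_HTML), (USERINFO_TRICK, LOGIN_HTML)]:
        print(url)
        print("  naive check passes:", naive_check(url, "example.com"))
        for problem, detail in audit_login_page(url, html, "example.com"):
            print(f"  {problem}: {detail}")
```

The userinfo form (`https://accounts.example.com@attacker-demo.test/`) is worth noticing: everything before the `@` is ignored by the browser, and the naive substring check passes it, while `urlsplit(...).hostname` correctly reports the attacker's host.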

Teensy USB HID Attack Vector

This vector uses the Teensy, a small USB development board, which presents itself to the host as a USB keyboard (HID) rather than as a storage device. Once plugged in it types the payload at machine speed; because the operating system trusts a keyboard, the keystrokes are accepted just as if the logged-in user had typed them, and no autorun feature is needed. SET outputs an Arduino (microcontroller) sketch containing the payload, which you compile in the Arduino IDE with the Teensyduino add-on and upload to the Teensy. This vector makes the point about physical security very clearly: as long as a system can be physically reached with an unlocked session, it really isn't safe.

SMS Spoofing Attack Vector

This vector uses an online SMS gateway to send a spoofed or custom SMS text message to a number of your choosing. It is especially interesting because it targets a medium that has not been fully exploited yet: mobile devices. SMS carries no authentication of the sender, and people usually don't question whether a message that appears to come from a number really came from that number.
That pretty much sums up the Social Engineer Toolkit. Overall, it is a very interesting example of how human error and software weaknesses can work together in very destructive ways. As always, make sure you don't use any of the information posted here for purposes that would be considered questionable, or illegal.
