In this chapter I will go over what it means to attack a fellow human (virtually speaking). Instead of compromising machines we seek to exploit the weaknesses of people through a variety of methods with vary in their difficulty of execution. Someone might be very computer-literate, but there remains other psychological tests which may just get one over on them.

Phishing

The first technique is phishing , which is where - like an ordinary fisherman we cast our bait out to sea and wait to see if someone bites. The attacker will craft emails so that they look as if they were sent by some important bank - urging them to hand over credit card details for whatever reason . This can lead more into scams , but phishing can also be a step in the exploit chain - we need someone to download our malware through a link that we created , directing them to the malicious website. Many many breaches of big corporations have started because some employee clicked a Word Document or Excel spreadsheet not knowing they were filled with macros and began setting up malware, reverse shells you name it.

There are a few different types of Phishing

• Vishing - Phishing done over the phone voice-Phishing. There is that infamous example of a woman calling a guy’s back pretending to be the wife with a crying baby - even though the baby noises the person on the phone hears is merely a YouTube video of a baby crying. She pretends to be stressed and it ends up working. She gets some of his credit card information merely by knowing his name and email … The worker probably wanted to be helpful , nor did he/she want a confrontation with an already stressed out mother…
• SMS Phishing or Smishing , is utilising text-messages to perform the attack.
• Whaling is going after a high-profile or particularly wealthy target - this can be a CEO or vice president of a company .
• Spear Phishing , the most often used and most successful type of Phishing is utilising the information gathering we have conducted about the target to send a cleverly crafted email to send to specific individuals rather than a group.

Social Engineering tactics

Regardless of the method or technology used, phishing attempts are aimed at persuading targeted individuals the message they are receiving is true, legitimate. The key tricks to social engineering (and subsequently Phishing emails) usually lie in one or more of the following:

• Spoofing sender (alias or email).
• Spoofing website URLs
• Cloning websites
• Psychological tricks which employ any of these motivation techniques. Many of these overlap but there are specific cases for each which don’t …
  • Authority. This is quite difficult and you have to make the target believe you have the power to ask them to perform actions or provide information.
  • Scarcity. Often used in scams, it usually tries to get people with the “limited-time” offering or something which is rapidly fleeting.
  • Social proof. This relies on making the target see that their action is something that other people have done, thus giving it a sense of normality and reassuring them.
  • Urgency. This can use many different techniques - not just scarcity - to drive someone to action, the more specific the better. The more personal it becomes the more likely they are to do it. For example, you could perform some OSINT and find an employee is trying to do their week’s work so that they can support their son’s football game on Friday . Using this information you could send them a bogus email from another employee email - attach an excel document and say - “Could you check this for me please?” They click the email as they want to get their jobs done and boom ! These tricks may be inherent in the office , not always a scenario the social engineer has to make. Only start developing when you can’t capitalise on opportunities.
  • Likeness / similarity. This is where trust is built between the social engineer and the target - making it easier for the victim to understand and relate to the engineer lowers boundaries.
  • Fear. There could a looming threat of punishment , being fired etc. That something will go wrong if they don’t help or respond is a common motif. Usually though businesses aren’t so hectic that they get lost in the sea of problems, and the issues the social engineer would raise is usually known before hand - they can quickly confirm with other employees. Fear is a tricky tool to use.

In-Person Social Engineering

We can use any of the tactics above and now we take them into the domain of face-to-face interactions. Some of the techniques we can perform in-person include:

• Elicitation. Gathering information is a core element of any social engineering exercise, but here we want to get information without directly asking for it. We ask questions which skirt around the topic , we leave open ended questions , we do that typical nod when we’re listening to someone , to keep them talking - and just maybe they’ll reveal the data we really want. During the course of an elicitation we may use likeness to build up a relationship with the person , small talk about a project or something can be the open-ended conversation which leads to more specific details. The PenTest+ exam specifically lists “business email” as something we would want to gather from elicitation , we wouldn’t directly ask - “What’s your business email”, but by building rapport we could find out their LinkedIn and from there work our way to getting more sensitive data. Here is one case where authority as a tactic just wouldn’t work, you would probably look deluded !
• Interrogation and Interviews. This is where the social engineer will be asking most , if not all , the questions. This can be unnerving and there needs to be sufficient context to it, we need to watch the target’s body language and mannerisms to see if we’ve gone too far. Interviews are a more open form of interrogation , there isn’t so much direct pressure. Here we would use things like authority to try and get our way.
• Impersonation. So many social engineering attacks involve cloaking ourself behind some disguise . For an in-person test we would try to become an employee - going so far as to clone a lanyard and company ID. Other less secure complexes we could just show in a uniform and claim we work there as a delivery person, maintenance employee or administrative assistant.
• Quid pro quo attacks rely on the social engineer offering something of value to the target in order for the target to feel safe and indebted to them. This builds perceived trust, luring the target into feeling safe in returning the favour.
• Shoulder Surfing . Simply watching over a target’s shoulder can provide valuable information like passwords or access codes. This is known as shoulder surfing, and high-resolution cameras with zoom lenses can make it possible from long distances.
• USB Key Drops. This is where we make a physical honeypot - remember that a honeypot is a computer that has the illusion of being genuinely vulnerable or innocuous but really it has been meticulously designed that way - we have put scripts into the images, or made a malicious Excel spreadsheet etc and left the USB in the car park or somewhere it is likely to be found. If successful it means the person finds it, clicks the file and establishes a reverse shell connection to the attacker’s computer - this direction evades firewalls as it’s an outbound connection.
• Bribing employees at the target organisation to allow you to access systems or facilities will not be in scope for many penetration tests, but penetration testers should be aware that it may be a valid technique under some circumstances. Bribery is a sensitive topic and should be carefully addressed via scoping agreements and the rules of engagement for a penetration test.

Phishing - Practical

I’ll be using thisTryhackme room to go over the basics of phishing using the tool Hidden Eye .

Installing

;; make sure you have PHP, python3, sudo installed...

mkdir hidden-eye ;; choose a location for where we will be cloning the repo into
cd hidden-eye; git clone https://gitlab.com/an0nud4y/HiddenEye
cd HiddenEye
sudo pip3 install -r requirements.txt
python3 HiddenEye.py

This is where it will begin its setup

It will begin installing any python libraries it needs, when we get to this stage select N as we don’t need any tunnelling capabilities yet …

Now then, we have quite a few modules at our disposal and these are basically mediums by which HiddenEye will tailor the link to. I hit 04 for GitHub and it proceeds to ask us for a port (I did 8080) , a webserver - ngrok is fine. And a redirect URL , which can just be github.com

Now with all that done we should get back a URL to give to our victim:

The second link is the one we will be passing on now but it looks mighty suspicious to someone who thought they were being taken to GitHub. Thankfully the ignorance of the internet has created the perfect tool bit.ly which is an innocent toolkit used for link shortening , but now people get used to the bit.ly schema they learn to trust things with such a shorthand - making it possible for attackers like us to generate bit.ly addresses to mask our own malicious links. URLs with massive amounts of JavaScript in the URL can now be hidden with this tool … insane.

Shortening the link

Make a free account with bit.ly and then paste the link in:

You can see the bit.ly shortener has been made and it even tracks the clicks so we can see if it was successful or not.

Pasting this bit.ly link into the browser I was redirected to the ngrok fake GitHub page

It looks exactly like the original , but that link sticks out big time… Nevertheless once I’ve put my details in it redirects me to Github.com just as I programmed. To be truly good, you should watch how Github sends your credentials over to the backend with something like burp and then you can put the username, password and any other headers into the request itself - logging them in , and if they haven’t suspected the link they will have no idea what just happened.

You could even make a CNAME entry by registering a domain that looks much closer to Github’s like

login.github.com

And match it to our ngrok link - with these two tips combined it becomes very difficult for the average person to spot the trick.

Social Engineering Toolkit (SET)

This is an unbelievably powerful tool , it can do anything from spear phishing, cloning websites, PowerShell attacks and more.

We can launch it by doing

sudo setoolkit

;; on first launch you have to run through the disclaimer about not using it for 
;; nerfarious purposes.

I’ll be doing the exact same attack we just did only with set just to get the feel of the tool and to find your way around. First we select Website attack vectors and we can see that the third option - Credential Harvesting is the option which will clone the website and attempt to grab the username and password.

Now we can see below that the number of templates available is rather small - pathetic compared to HiddenEye but the scope of functionality in set is much larger.

This gets setup and we can proceed to that IP where the clone is hosted. Below I went back and retyped my credentials in just so you could see what the Google clone looks like. Only about five years old… The credentials can be seen on the left .

We can press CTRL+C to end the process and a report gets generated

File in XML format exported to /root/.set/reports/2021-03-05 13:42:38.442118.xml

Which shows all the people who fell for it.