There are two keys to successfully launching a social engineering attack. The first is to obtain the information needed for the job: usernames, business information, and additional details about networks, systems, and applications. Most of the effort, however, goes into the second: developing an attack that entices the user to open an executable file or click a link.
Several attacks include modules that require the victim to take an action for the attack to succeed. Unfortunately, users are increasingly wary of running unknown software. Some ways to increase the likelihood of an attack being successful are as follows:
• Launch the attack from a system that is known to and trusted by the intended victim. If the attack appears to come from the help desk or IT support and claims to be an urgent software update, it will most likely be carried out.
• Rename the executable to something similar to trusted software, such as Java Update.
• Embed a malicious payload into a benign file, such as a PDF file, using an attack such as the Metasploit adobe_pdf_embedded_exe_nojs attack.
• Executable files can also be linked to Microsoft Office files, MSI installation files, or BAT files configured to run silently on the desktop.
• Ask the user to click a link to download a malicious executable file.
• Since SET uses the attacker’s URL as the destination for its attacks, a key success factor is to ensure that the attacker’s URL is plausible to the victim. Several techniques are used for this:
• Shorten the URL using a service such as https://goo.gl/ or tinyurl.com. These shortened URLs are common on social media platforms such as Twitter, and victims rarely take precautions when clicking on such links.
• Enter a link to a social networking site such as Facebook or LinkedIn; the site will create its link to replace yours, with an image of the landing page. Then, delete the link you entered, leaving a new link to the social network.
• Create a fake web page on LinkedIn or Facebook; as the attacker, you control the content and can create an interesting story to get participants to click on links or download executable files. A well-designed page will target not only employees but also suppliers, partners, and their customers, maximizing the chance of success in a social engineering attack.
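The defensive counterpart of the lure techniques listed above is link screening at the mail gateway or in the SOC. The following is an added example (not code from the original article or from SET) that pulls URLs out of a message body and flags the three patterns the list relies on: links routed through a URL shortener (the real destination is hidden from the reader), links whose host is a raw IP address, and hosts that imitate a trusted brand either by a one-character change or by using the brand name as a label of some other domain. The shortener list, the trusted-brand list and the sample message are constructed here for illustration; a production filter would use a public-suffix list rather than the "last two labels" shortcut used for the registrable domain.

```python
"""Screen URLs in an email body for shortener, IP-literal and lookalike hosts.

Added example, not code from the original article or from SET.
"""
import re
from urllib.parse import urlparse

SHORTENER_HOSTS = {"goo.gl", "tinyurl.com", "bit.ly", "t.co"}          # assumed list
TRUSTED_BRANDS = {"microsoft.com", "linkedin.com", "facebook.com"}      # assumed list

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample message body; the links are not real.
SAMPLE_BODY = """Hi team,
the Java Update is ready: https://tinyurl.com/abc123
Mirror: http://192.168.0.103/JavaUpdate.exe
Official notes: https://www.microsoft.com/en-us/download
Login here: https://microsoft-update.net/login
Also: https://microsofl.com/patch
"""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for the .com-style names used here; real code would consult
    a public-suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return a list of reasons a URL deserves a closer look (empty = clean)."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []
    if domain in SHORTENER_HOSTS:
        reasons.append("shortener")
    if IPV4_RE.match(host):
        reasons.append("ip-literal")
    if domain not in TRUSTED_BRANDS:
        for brand in sorted(TRUSTED_BRANDS):
            if 0 < edit_distance(domain, brand) <= 1:
                # e.g. microsofl.com vs microsoft.com
                reasons.append(f"lookalike:{brand}")
            elif brand.split(".")[0] in host and not host.endswith("." + brand):
                # brand name used as a label of an unrelated domain
                reasons.append(f"brand-in-label:{brand}")
    return reasons


def screen_message(body):
    """Map every flagged URL in the body to its list of reasons."""
    flagged = {}
    for url in URL_RE.findall(body):
        reasons = classify_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in screen_message(SAMPLE_BODY).items():
        print(f"{url}: {', '.join(reasons)}")
```

Only the link to www.microsoft.com passes; the shortened link, the raw-IP mirror, the hyphenated brand domain and the one-letter lookalike are each reported with the reason that matched.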
Escalating an attack using DNS redirection
If an attacker or penetration tester has compromised a host on an internal network, they can escalate the attack using DNS redirection. This is usually considered a horizontal attack (compromising individuals with approximately equal access rights); however, it can also escalate vertically if credentials from privileged individuals are intercepted. In this example, we will use bettercap as a sniffer, interceptor, and logger for switched LANs. It facilitates man-in-the-middle attacks, but here we will use it to launch a DNS redirection attack that sends users to the sites we use in our social engineering attacks.
To launch the attack, we need to install bettercap, which is not installed by default in the latest version of Kali. This can be done by running sudo apt install bettercap. We should then be able to activate any module that is required; for example, we will now try the DNS spoof module against the target by creating a file called dns.conf with the IP and domain information shown in the image below. This will cause any request for microsoft.com on the network to be forwarded to the attacker’s IP address, in this example 192.168.0.103.
Let’s start the Apache server, which is installed by default on Kali Linux, by running sudo systemctl start apache2.service. Then run bettercap by typing sudo bettercap in the terminal, load our DNS configuration with set dns.spoof.hosts dns.conf, and enable DNS spoofing by running dns.spoof on in the bettercap terminal:
To make sure every target on the network is covered, testers first need to enable the network sniffing and ARP spoofing modules by typing net.sniff on and arp.spoof on in the bettercap terminal.
Successful DNS redirection will be recorded in the bettercap terminal, as shown in the image below:
When victims on the network visit microsoft.com, they will be sent to the Apache service hosted on the attacker’s IP address. Attackers can clone microsoft.com and host it on their Apache server. This attack is more successful on internal infrastructure, where there is no additional DNS protection; most companies protect their external infrastructure with services such as Cloudflare, AWS Shield, and Akamai.
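The redirection described above leaves a simple fingerprint in resolver or passive-DNS logs: a public hostname answered with an address from private, loopback or link-local space, and typically one internal address collecting several unrelated public names. The following is an added example (not code from the original article or from bettercap) that runs that check over constructed log lines in a simple "timestamp client query type answer" format; a real deployment would read Zeek dns.log or the resolver's own query log instead. The list of name suffixes that legitimately resolve internally is an assumed site policy.

```python
"""Spot DNS answers that steer public names into the local network.

Added example, not code from the original article or from bettercap.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log (not a real capture): timestamp client query type answer
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.0.50 microsoft.com A 20.112.250.133
2024-01-01T10:00:02 192.168.0.51 intranet.corp.local A 10.0.5.20
2024-01-01T10:00:03 192.168.0.50 microsoft.com A 192.168.0.103
2024-01-01T10:00:04 192.168.0.52 www.office.com A 192.168.0.103
2024-01-01T10:00:05 192.168.0.53 example.com A 93.184.216.34
2024-01-01T10:00:06 192.168.0.53 malformed.line
"""

# Name suffixes that legitimately resolve to internal addresses (assumed policy).
INTERNAL_SUFFIXES = (".corp.local", ".internal")


def is_internal_name(name):
    """True when the queried name is expected to point inside the network."""
    return name.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)


def parse_line(line):
    """Split one log line into a record, or return None for malformed input."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, query, rtype, answer = fields
    return {"ts": ts, "client": client, "query": query, "type": rtype, "answer": answer}


def answer_is_local(answer):
    """True for RFC 1918, loopback and link-local answers; False for non-IP data."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_spoofed_answers(log_text):
    """Return records where a non-internal name was answered with a local address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] not in ("A", "AAAA"):
            continue
        if not is_internal_name(rec["query"]) and answer_is_local(rec["answer"]):
            hits.append(rec)
    return hits


def suspicious_sinks(log_text, min_names=2):
    """Local addresses that absorbed at least min_names distinct public names."""
    names_by_ip = defaultdict(set)
    for rec in find_spoofed_answers(log_text):
        names_by_ip[rec["answer"]].add(rec["query"].lower())
    return {ip for ip, names in names_by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    for rec in find_spoofed_answers(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['client']} asked {rec['query']} -> {rec['answer']}")
    print("likely spoofing host(s):", suspicious_sinks(SAMPLE_LOG))
```

On the sample, the two answers pointing microsoft.com and www.office.com at 192.168.0.103 are reported and that address is returned as the likely spoofing host, while the internal intranet name and the malformed line are ignored. Pairing this with an ARP watch (one MAC suddenly claiming the gateway's IP) covers the arp.spoof half of the same attack.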
Spear phishing attack
Phishing is a fraudulent email attack that targets a large number of victims, such as a list of well-known American Internet users. The targets are generally not connected to each other, and the email does not attempt to address any specific person.
Instead, the email contains a general interest item (for example, “Click here to get vaccinated against COVID-19”) and a malicious link or attachment. The attacker is gambling on the chance that at least some people will click on the attachment and launch the attack. Spear phishing, on the other hand, is a very specific form of phishing attack; by crafting an email message in a particular way, the attacker hopes to attract the attention of a specific audience. For example, if an attacker knows that the sales team uses a particular application to manage customer relationships, they can spoof an email to appear to be from the application’s vendor with the subject line “Crash Fix for <application> – Click Link to Download.”
The following steps are required to successfully launch a spear phishing attack:
1. Before launching the attack, make sure that sendmail is installed on Kali (sudo apt-get install sendmail) and change SENDMAIL=OFF to SENDMAIL=ON inside the set.config file located in /etc/setoolkit/.
If testers receive any error messages related to a broken Exim* package, run sudo apt-get purge exim4-base exim4-config, and then run sudo apt-get install sendmail.
2. To perform an attack, run SET and select Social Engineering Attacks from the main menu, then select Spear-Phishing Attack Vectors from the submenu.
This will open the attack parameters, as shown in the image below:
3. Select 1 to perform a bulk email attack; you will be presented with a list of payload attacks, as shown in the image below:
4. The attacker can select any available payload, according to their knowledge of the target obtained during the reconnaissance phase. In this example, we will take option 7) Adobe Flash Player “Button” Remote Code Execution. Once you select 7, you will be prompted to select a payload, as shown in the image below.
In this example, we used the Windows Meterpreter reverse HTTPS wrapper:
Once the payload and exploit are ready from the SET console, the attackers will receive a confirmation shown in the image below:
5. Now you can rename the file by selecting option 2, “Rename the file, I want to be cool.”
6. After you rename the file, you will be given two options to choose from: E-mail Attack Single Email Address or E-mail Attack Mass Mailer.
7. Attackers can choose to send bulk emails or target weaker victims individually, depending on their preference. If we use a single email address, SET provides additional patterns that can be used by attackers, as shown in the image below:
8. After selecting a phishing template, you will be asked to use your own Gmail account to launch the attack (1) or use your own server or an open relay (2). If you are using a Gmail account, there is a chance that the attack will fail; Gmail checks outgoing emails for malicious files, and is very effective at identifying payloads created by SET and the Metasploit framework.
If you need to send a payload using Gmail, use Veil 3.1 to encode it first.
It is recommended to use the sendmail option to send executable files; this allows you to spoof the source of an email to make it appear as if it is coming from a trusted source.
To make sure the email is effective, the attacker should take the following points into account:
• The content should offer both an incentive (the new server will be faster, the antivirus will be better) and a pressure (the changes you will need to make before you can access your email). Most people respond to immediate calls to action, especially when it concerns them personally.
• Make sure your spelling and grammar are correct and the tone of your message matches the content.
• The title of the person sending the email must be consistent with its content.
• If the target organization is small, you may have to fake the name of a real person and send the email to a small group that does not normally interact with that person.
• Include a phone number; this makes the email appear more formal, and there are various ways to use commercial Voice over IP solutions to obtain a short-term telephone number with a local area code.
Once the attack email is sent to the target, successful activation (the recipient runs the executable) will create a Meterpreter reverse tunnel to the attacker’s system. The attacker will then be able to control the compromised system.
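The sendmail-based message described in the steps above is what a receiving mail server sees as a spoofed sender carrying an executable, and those are exactly the properties a triage script can check. The following is an added example (not code from the original article or from SET) that uses only the Python standard library: it parses a raw message, compares the domains in From, Return-Path and Reply-To (a spoofed sender usually leaves them misaligned), reads the receiving server's Authentication-Results header for the SPF, DKIM and DMARC verdicts, and lists attachments whose names end in an executable or installer extension. The sample message, its domains, the application name "CRMApp" and the extension list are all constructed for this example.

```python
"""Triage a received message for the spoofed-sender, executable-attachment pattern.

Added example, not code from the original article or from SET.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions a gateway would normally quarantine (assumed list).
RISKY_EXTENSIONS = (".exe", ".msi", ".bat", ".scr", ".js", ".vbs", ".hta")

# Constructed sample message; domains, addresses and attachment are fictitious
# and the attachment body is just a base64 placeholder string.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=vendor.example.com
From: "Vendor Support" <support@vendor.example.com>
Reply-To: support-desk@vendor-helpdesk.example.org
To: sales@corp.example
Subject: Crash Fix for CRMApp - Click Link to Download
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached fix today.
--b1
Content-Type: application/octet-stream; name="CRMApp_CrashFix.exe"
Content-Disposition: attachment; filename="CRMApp_CrashFix.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""


def parse_message(raw):
    """Parse raw bytes into an EmailMessage using the modern default policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_verdicts(msg):
    """Pull spf=/dkim=/dmarc= results out of Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value)):
            verdicts[mech] = result.lower()
    return verdicts


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]


def triage(raw):
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = parse_message(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    rt_dom = domain_of(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(f"reply-to domain {rt_dom} != from domain {from_dom}")
    for mech, result in auth_verdicts(msg).items():
        if result != "pass":
            findings.append(f"{mech}={result}")
    for name in risky_attachments(msg):
        findings.append(f"executable attachment {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

On the sample, every check fires: the envelope sender and Reply-To belong to domains other than the displayed From, SPF and DMARC fail with no DKIM signature, and the attachment is an .exe. Any one of these alone is a reason to hold the message; together they are the profile of the spoofed vendor-update lure the text describes.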
That’s all. Have a nice day, everyone!
❤️ If you liked the article, like and subscribe to my channel “Codelivly”.
👍 If you have any questions or would like to discuss the described hacking tools in more detail, write in the comments. Your opinion is very important to me!