Humans are the best resource and end-point of security vulnerabilities ever. Social Engineering is a kind of attack targeting human behavior by manipulating and playing with their trust, with the aim to gain confidential information, such as banking account, social media, email, even access to target computer. No system is safe, because the system is made by humans.The most common attack vector using social engineering attacks is spread phishing through email spamming. They target a victim who has a financial account such as banking or credit card information.
Social engineering attacks are not breaking into a system directly, instead it is using human social interaction and the attacker is dealing with the victim directly.
Do you remember Kevin Mitnick? The Social Engineering legend of the old era. In most of his attack methods, he used to trick victims into believing that he holds the system authority. You might have seen his Social Engineering Attack demo video on YouTube. Look at it!
In this post i am going to show you the simple scenario of how to implement Social Engineering Attack in daily life. It is so easy, just follow along the tutorial carefully. I will explain the scenario clearly.
Social Engineering Attack to gain email access
Goal: Gaining email credential account information
Target: My friend. (Really? yes)
Device: Computer or laptop running Kali Linux. And my mobile phone!
Environment: Office (at work)
Tool: Social Engineering Toolkit (SET)
So, based on the scenario above you can imagine that we don’t even need the victim’s device, i used my laptop and my phone. I only need his head and trust, and stupidity too! Because, you know, human stupidity can not be patched, seriously!
In this case we first are going to setup phishing Gmail Account login page in my Kali Linux, and use my phone to be a trigger device. Why i used my phone? I will explain below, later.
Fortunately we are not gonna install any tools, our Kali Linux machine has pre-installed SET (Social Engineering Toolkit), That’s all we need. Oh yeah, if you don’t know what is SET is, i will give you the background on this toolkit.
Social Engineering Toolkit, is design to perform human-side penetration test. SET (shortly) is developed by the founder of TrustedSec (https://www.trustedsec.com/social-engineer-toolkit-set/), which is written in Python, and it is open source.
Alright that was enough let’s do the practice. Before we conduct the social engineering attack, we need to set up our phising page first. Here, i am sitting down on my desk, my computer (running Kali Linux) is connected to the internet the same Wi-Fi network as my mobile phone (i am using android).
STEP 1. SETUP PHISING PAGE
Setoolkit is using Command Line interface, so don’t expect ‘clicky-clicky’ of things here. Open up terminal and type:
You will see the welcome page at the top and the attack options at the bottom, you should see something like this.
Yes, of course, we are going to perform Social Engineering Attacks, so choose number 1 and hit ENTER.
And then you will be displayed the next options, and choose number 2. Website Attack Vectors. Hit ENTER.
Next, we choose number 3. Credential Harvester Attack Method. Hit Enter.
Further options are narrower, SET has pre-formatted phising page of popular websites, such Google, Yahoo, Twitter and Facebook. Now choose number 1. Web Templates.
Because, my Kali Linux PC and my mobile phone were in the same Wi-Fi network, so just input the attacker (my PC) local IP address. And hit ENTER.
PS: To check your device IP address, type: ‘ifconfig’
Alright so far, we have set our method and the listener IP address. In this options listed pre-defined web phising templates as i mentioned above. Because we aimed Google account page, so we choose number 2. Google. Hit ENTER.
Now, SET starts my Kali Linux Webserver on port 80, with the fake Google account login page. Our setup is done. Now i am ready walking into my friends room to login into this phishing page using my mobile phone.
STEP 2. HUNTING VICTIMS
The reason why i am using mobile phone (android)? Let see how the page displayed in my built-in android browser. So, i am accessing my Kali Linux webserver on 192.168.43.99 in the browser. And here is the page:
See? It looks so real, there are no security issues displayed on it. The URL bar showing the title instead the URL itself. We know the stupid will recognize this as the original Google page.
So, i bring my mobile phone, and walk into my friend, and talk to him as if i failed to login to Google and act if I am wondering if Google crashed or errored. I give my phone and ask him to try to login using his account. He doesn’t believe my words and immediately begins typing in his account information as if nothing will happen badly here. Haha.
He already typed all the required forms, and let me to click the Sign in button. I click the button… Now It is loading… And then we got Google search engine main page like this.
PS: Once the victim clicks the Sign in button, it will send the authentication information to our listener machine, and it is logged.
Nothing is happening, i tell him, the Sign In button is still there, you failed to login though. And then i am opening again the phising page, while another friend of this stupid coming to us. Nah, we got another victim.
Until i cut the talk, then i go back to my desk and check the log of my SET. And here we got,
Goccha… I pwnd you!!!
I am not good at story telling (thats the point), to sum up the attack so far the steps are:
- Open ‘setoolkit’
- Choose 1) Social Engineering Attacks
- Choose 2) Website Attack Vectors
- Choose 3) Credential Harvester Attack Method
- Choose 1) Web Templates
- Input the IP address
- Choose Google
- Happy hunting ^_^