As a penetration tester, there will be times when a customer asks you to carry out social engineering attacks on their employees, in order to check whether they follow the company's policies and security controls.
Ultimately, if an attacker fails to gain access to a system, they can try alternative ways in, such as social engineering attacks.
In this guide we will see how to use the Credential Harvester Attack Vector of the Social-Engineer Toolkit (SET) to obtain valid passwords.
The first thing we need to do is connect our computer to the company network where we need to carry out the Social Engineering attack. When our computer receives a valid IP address from the DHCP server, we are ready to launch our attack.
To start the Social-Engineer Toolkit on Kali Linux, just type "setoolkit" in your terminal window.
We will use Website Attack Vectors, because according to our attack scenario we need to check how vulnerable our client's employees are to phishing attacks.
We will use the Credential Harvester Attack Method because we want to capture the employees' credentials.
As we can see in the next image, SET gives us 3 options (Web Templates, Site Cloner and Custom Import).
In this case we will use the option "Web Templates", which offers some ready-made web templates that we can use directly.
Now we need to enter the IP address of our machine, where we want to receive all the POST requests (the submitted login forms).
In the last step we choose the web template; in this case we will choose Facebook, because it is one of the most popular social networking platforms.
Now it is time to send our internal IP to the users in the form of a website link (such as http://192.168.179.160). This can be done through fake emails pretending to come from Facebook and asking the users to log in to continue.
If a user reads the email and clicks on our link (which points to our IP address), they will see the Facebook login page.
Let's see what happens if the victim enters his credentials…
As we can see, the moment the victim submits their credentials to the fake website, SET sends us their e-mail address as well as their password. This means that the attack method was successful.
If many users enter their credentials on our fake website, it is time to inform our customer to re-evaluate their security policy and take additional measures against this type of attack.
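On the defensive side, the same exercise leaves a clear trace in the company's web proxy logs: the link points at a bare IP address rather than a DNS name, and a captured credential is an HTTP POST to that address. The following script is an added example, not part of the original guide or of SET; it parses a constructed, squid-like proxy log (client, method, URL, status; the lines and addresses are made up) and separates the employees who merely clicked the link from those who also submitted a form, which matches the two outcomes the guide distinguishes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log for this example (not real traffic from the page).
# Format assumed here: "<client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET https://www.facebook.com/ 200
10.0.0.12 GET http://192.168.179.160/ 200
10.0.0.12 POST http://192.168.179.160/ 302
10.0.0.20 GET http://192.168.179.160/ 200
10.0.0.31 POST https://www.facebook.com/login/ 302
10.0.0.44 POST http://192.168.179.160/login.php 200
10.0.0.50 GET http://intranet.example.local/ 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_ip_host(host: str) -> bool:
    """True if the URL host is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    parts = urlsplit(record["url"])
    record["scheme"] = parts.scheme
    record["host"] = parts.hostname or ""
    return record


def triage(log_text: str) -> dict:
    """Classify clients by how far they went with a link that points at a raw IP.

    'clicked'   - any request to a bare-IP host (the employee opened the link)
    'submitted' - a POST to a bare-IP host (a form, e.g. a login page, was sent)
    """
    clicked, submitted = set(), set()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_ip_host(record["host"]):
            continue
        clicked.add(record["client"])
        if record["method"] == "POST":
            submitted.add(record["client"])
    return {"clicked": clicked, "submitted": submitted}


if __name__ == "__main__":
    result = triage(SAMPLE_PROXY_LOG)
    print("clicked the link:", sorted(result["clicked"]))
    print("submitted a form:", sorted(result["submitted"]))
```

The POST to www.facebook.com is deliberately left alone: a login to the real site is normal traffic, and flagging it would only bury the real signal. In a live environment the same rule can be fed from whatever log format the proxy actually writes by adjusting `LINE_RE`.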
- In the scenario where the user logged in to their account, our attack was 100% successful. But even if the user does not log in with their email and password, the attack is still successful, because they have opened a site from an unreliable source.
- This means that if the site had hosted malware, it would have infected their computer, because the user simply ignored the company's security policy and opened an unreliable link. Thus, the company should provide the necessary training to its employees so that they have a clear understanding of the risks they face.
- Employee training is one of the most important steps, because even if your organization uses the latest anti-phishing software every day, employees can be the weakest link by opening a link from an unknown source. Employees should know what phishing is, so that they do not open such links and enter their data into dangerous forms, and they should always check the address bar of the page to avoid possible scams.
- Always remember that an admin can fix a computer, but cannot do much about human weaknesses.
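The "check the address bar" advice above can be turned into a concrete checklist, which is useful both for awareness training and for a mail gateway or link scanner. The script below is an added example, not code from the guide or from SET; it takes a link and the brand it claims to belong to and returns the indicators a trained employee would look for: no HTTPS, a bare IP address as the host, a host that is not one of the brand's real domains, the brand name used somewhere other than the real domain, and credentials embedded in the URL. The brand-to-domain table is a hypothetical allow-list for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list of registered domains per brand (assumption for this example).
BRAND_DOMAINS = {
    "facebook": ("facebook.com", "fb.com"),
}


def is_ip_host(host: str) -> bool:
    """True if the host part is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def on_brand_domain(host: str, brand: str) -> bool:
    """True if host is exactly a brand domain or a subdomain of one."""
    return any(
        host == domain or host.endswith("." + domain)
        for domain in BRAND_DOMAINS.get(brand, ())
    )


def phishing_indicators(url: str, brand: str) -> list:
    """Return the list of address-bar red flags for a link claiming to be `brand`.

    An empty list means none of the checked indicators fired; it is not proof
    that the link is safe.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand.lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not-https")
    if is_ip_host(host):
        reasons.append("ip-address-host")

    legit = on_brand_domain(host, brand)
    if not legit:
        reasons.append("host-not-brand-domain")
        # Brand name as decoration in a lookalike host or in the path/query,
        # e.g. facebook.com.login-secure.example or /facebook/login.
        if brand in host or brand in (parts.path + "?" + parts.query).lower():
            reasons.append("brand-name-outside-domain")

    # user:pass@host puts a convincing name before the real host.
    if "@" in parts.netloc:
        reasons.append("userinfo-in-url")
    return reasons


if __name__ == "__main__":
    for link in (
        "https://www.facebook.com/login/",
        "http://192.168.179.160/",
        "https://facebook.com.login-secure.example/",
        "https://www.facebook.com@192.168.179.160/",
    ):
        print(link, "->", phishing_indicators(link, "facebook") or "no indicators")
```

The example link from the guide, http://192.168.179.160/, trips three of the checks at once, which is exactly why a trained employee who looks at the address bar should refuse to type a Facebook password into it.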