Guide to a Successful Phishing Attack

As a penetration tester, there will be times when a client asks you to perform social engineering against their employees to check whether they follow the company's security policies and controls.

After all, if an attacker fails to gain access to a system by technical means, they can try alternative routes, such as social engineering attacks.

In this guide we will see how the Credential Harvester attack vector of the Social-Engineer Toolkit (SET) can be used to obtain valid passwords.

The first thing we need to do is connect our computer to the company network where the social engineering assessment is to take place. Once our computer receives a valid IP address from the DHCP server, we are ready to launch the attack.

To start SET on Kali Linux, just type "setoolkit" in a terminal window.

We will choose the Website Attack Vectors option, because according to our attack scenario we need to check how vulnerable the client's employees are to phishing.

Within it we will use the Credential Harvester Attack Method, because our goal is to capture the employees' credentials.

As we can see in the next image, SET gives us three options (Web Templates, Site Cloner and Import).

In this case we will use the "Web Templates" option, which offers ready-made web templates that we can use directly.

Now we need to enter the IP address of our machine, which is where SET will listen for the POST requests (the submitted login forms).

In the last step we choose the web template. In this case we choose Facebook, because it is one of the most popular social networking platforms.

Now it is time to send our internal IP address to the users in the form of a website link (e.g. http://192.168.179.160). This can be done through fake emails that pretend to come from Facebook and ask users to log in to continue.

If a user reads the email and clicks on our link (which points at our IP address), they will see a copy of the Facebook login page.

Let's see what happens if the victim enters his credentials…

As we can see, the moment the victim submits their credentials to the fake website, SET shows us their e-mail address as well as their password. This means the attack was successful.

If many users enter their credentials on our fake website, it is time to inform the client that they should re-evaluate their security policy and take additional measures against this type of attack.

Conclusion:

  • If the user logged in to their account, our attack was 100% successful. But even if the user did not enter their email and password, the attack is still partly successful, because they opened a site from an untrusted source.
  • This means that if the site had hosted malware, it would have infected their computer, because the user simply ignored the company's security policy and opened an untrusted link. The company should therefore provide its employees with the training they need to clearly understand the risks they face.
  • Employee training is one of the most essential steps, because even if your organization runs the latest anti-phishing software, employees can still be the weakest link by opening a link from an unknown source. Employees should know what phishing is, so that they do not open such links or enter their information in suspicious forms, and they should always check the address bar of the page they are on to avoid possible scams.
  • Always remember that an admin can fix a computer, but cannot do much about human weaknesses.
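The two defensive recommendations above, re-evaluating controls after a successful harvest and teaching users to check the address bar, can both be turned into code. The block below is an added example written for this page; it is not code from the original article or from SET. It assumes a constructed proxy-log format ("time client method url status"), a constructed EXPECTED_DOMAINS table, and sample log lines made up here. The link check flags exactly what the scenario relies on: a link that is a raw IP address (like http://192.168.179.160), that is not HTTPS, that is not the brand's own domain, or that hides the real host behind a user@ prefix. The log sweep applies the first two checks to form submissions (POSTs) so a SOC can spot credentials going to a harvester, whatever page branding was used.

```python
"""Defender-side checks for the credential-harvester scenario in the article.

Added example; not part of the original article and not SET code.
The log format, the sample lines and EXPECTED_DOMAINS are constructed here.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed mapping: brand a login page claims to be -> the domain that
# brand really uses. A real deployment would load this from a maintained list.
EXPECTED_DOMAINS = {"facebook": "facebook.com"}


def is_raw_ip(host):
    """True if the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_problems(url, claimed_brand):
    """Return the reasons a link claiming to be `claimed_brand` looks wrong.

    An empty list means the URL passes the address-bar checks the article
    recommends: HTTPS, a real domain name, and the brand's own domain.
    The suffix comparison is a simplification (no public suffix list).
    """
    if "://" not in url:
        url = "http://" + url  # bare hosts such as 192.168.179.160
    u = urlparse(url)
    host = (u.hostname or "").lower()
    expected = EXPECTED_DOMAINS[claimed_brand]
    reasons = []
    if u.scheme != "https":
        reasons.append("not https")
    if is_raw_ip(host):
        reasons.append("host is a raw IP address")
    elif host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not {expected}")
    if u.username is not None:
        reasons.append("user@ prefix hides the real host")
    return reasons


# Constructed proxy-log lines: "<time> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-01T09:12:01Z 10.0.4.21 GET https://www.facebook.com/ 200
2024-05-01T09:12:44Z 10.0.4.21 GET http://192.168.179.160/ 200
2024-05-01T09:13:02Z 10.0.4.21 POST http://192.168.179.160/ 302
2024-05-01T09:14:10Z 10.0.4.35 POST https://www.facebook.com/login/ 302
2024-05-01T09:15:55Z 10.0.4.40 POST http://10.20.30.40/login.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def suspicious_posts(log_text):
    """Flag form submissions (POST) sent to a raw IP or over cleartext HTTP.

    That is exactly what the harvester in the article receives, so each hit
    identifies a client whose credentials may have been captured.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        if method != "POST":
            continue
        u = urlparse(url)
        host = (u.hostname or "").lower()
        reasons = []
        if u.scheme != "https":
            reasons.append("not https")
        if is_raw_ip(host):
            reasons.append("host is a raw IP address")
        if reasons:
            findings.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(link_problems("http://192.168.179.160", "facebook"))
    print(link_problems("https://www.facebook.com/login/", "facebook"))
    for hit in suspicious_posts(SAMPLE_LOG):
        print(hit)
```

Running the block reports the two POSTs to raw IP hosts (one of them the article's 192.168.179.160 harvester) and leaves the genuine Facebook login alone. The link checker is what a training exercise can show users: the harvester link fails on two counts before anyone looks at the page content.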

Stay safe!

iGuRu.gr

Written by Anastasis Vasileiadis