Here’s a little known fact: it’s a lot easier to trick a credulous user into handing over his password than it is to crack it. People are getting smarter with passwords. Hacked accounts seem to be in the news constantly, so people are wising up by adding numbers, symbols and mixed case. Sure, you could still try a dictionary attack or even brute force; however, sometimes it can be as easy as sending one cunning email to the perfect target.
If you could craft an email so that it appears to originate from a trusted source such as Microsoft or a co-worker, that would instantly boost the credibility and consequently the effectiveness of your attack. A better option is to compromise a trusted computer and then send your target an email from that inbox. When the email shows up in his inbox it’ll look legitimate because it’s actually coming from a valid source: there’s no forgery with this technique and it can be very, very effective.
Tricking someone into giving up sensitive information is called phishing. Think about tricking a fish with the bait. In the same way, a phisherman treats his victims like gullible fish. And if they take the bait he takes off with valuable information such as passwords and credit card numbers.
Insidious I know.
But how hard would it be to pull something like this off?
With Kali Linux it’s a little too easy. In fact, with the Social Engineering Toolkit (SET) it’s just a matter of pointing and clicking.
Kali Linux makes executing a social engineering attack as easy as ordering take-out Chinese.
But phishing isn’t the only tool we have in our arsenal.
The Social Engineering Toolkit also includes a website tool that turns your Kali box into a web server hosting a bunch of exploits that can compromise almost any browser. The idea is that we would send our target a link which routes them through to our website, which automatically downloads and executes the exploit on the target system. You can even clone a valid website so the target is less suspicious. This becomes even more effective if you study your victim’s browser habits and clone one of their most frequently accessed sites.
SET lets you do all this and more. Let’s take a look at this powerful toolkit.
Click Applications in the upper left corner of Kali Linux, browse down to Exploitation Tools, choose Social Engineering Toolkit and hit setoolkit.
Now this next part is pretty important and it’s something I need to underscore here. I have a moral question for you:
Is a knife good or bad?
Think about that.
The knife itself is morally neutral. It has no ability to choose. It’s an inanimate object. Knives are neither good nor bad, but people are different. In the hands of a serial killer a knife is bad; conversely, in the hands of an expert surgeon a knife is good.
The knife is merely the tool. It can be used for good or evil. And in the same way the Social Engineering Toolkit is just a tool. In fact, it was designed for the purposes of penetration testing. This is when a company hires an objective security firm to test the security posture of an organization. It’s a way to validate the security controls in place. Usually the pentesting firm gets approval from management to launch attacks in a very particular way. The scope of work is narrow, precise and deliberate. In other words, penetration testers are trusted security professionals who help keep computers secure by trying to break into various systems.
SET is designed for penetration testing or for learning how it works in a lab environment. I strongly dissuade you from trying to use this for evil. It’s not worth it.
So go ahead and read the terms and make your decision. I pray it’s the right one.
And now we are at the gateway to exploitation.
Let’s get things started by pressing 1 and enter.
There are a lot of options, such as Powershell Attack Vectors and creating infected USB drives (Infectious Media Creator), but let’s go with the Website Attack Vectors so you can get a feel for how this works.
Let’s use the Metasploit Browser Exploit, option 2. Do you see how this works so far? It’s as easy as picking numbers in a phone tree.
We’ll use a generic web template but as you can see you could also clone a website if you wanted to.
Pick option 1, Web Templates, and keep going.
The next prompt asks you if you want to use NAT/Port Forwarding. In this attack example, I’m going to assume both the attacker and the victim are sitting on the same subnet; thus, there’s no need to use NAT here.
The next question will ask you for the IP address of your Kali box.
Mine is at 10.255.70.41.
A quick way to figure that out is to type:
Once we have this we can start the fun.
The next part asks us about the web template. This is the thing that loads to distract the user while the exploit runs in the background. I’m going to pick Java so that it looks like a Java applet is loading. But in reality Java isn’t doing anything. It’s just a facade to keep the user from getting suspicious while the exploit opens a remote connection to his computer.
Now we need to pick our exploit.
Let’s go with Metasploit Browser Autopwn.
Okay, then pick the exploit details. I’m going to pick the Windows Reverse_TCP Meterpreter.
Choose the default port of 443 and then sit back and watch as your new attack site is created.
After a few minutes the server will start and you hit enter to begin.
Alright, so we have 21 exploits in the bag. The last step is to trick the user into clicking the Local IP http://10.255.70.41:8080 listed in the above screenshot.
This actually isn’t as difficult as it sounds.
In basic HTML, there’s a tag called <a> and it stands for anchor. Furthermore, it has an attribute called href=””. If you opened an email client in HTML mode you could easily paste the Local IP address into the href and then, between the <a> and </a> tags, insert some benign text such as “Click here to Update” or “Your email password has expired, click here to reset”.
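The flip side of that anchor trick is that a mail gateway can look for exactly this shape of link. The following is an added example, not code from the original post or from SET: it pulls the <a href="…">text</a> pairs out of a constructed sample email body and flags links that are plain HTTP, point at a bare IP address, use a non-standard port, or hide behind urgent credential wording. The sample body, the URGENT_WORDS list and the find_suspicious_links function are all assumptions made for this illustration.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example, not code from the original post: a mail-gateway style check
that extracts the <a href="...">text</a> links the post describes and flags
the pattern a SET lure shows: a plain-HTTP link to a bare IP address on an
unusual port, hidden behind reassuring anchor text.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample body mirroring the lure described in the post.
SAMPLE_EMAIL = """<p>Hi, please see the report below.</p>
<a href="http://10.255.70.41:8080">Your email password has expired, click here to reset</a>
<a href="https://www.example.com/docs">Project documentation</a>"""

# Regex extraction is enough for a demo; use a real HTML parser in production.
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
URGENT_WORDS = ("password", "expired", "verify", "update", "reset", "suspended")


def _is_bare_ip(host):
    """True when the link host is a literal IP rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return (href, text, reasons) for each link that deserves quarantine."""
    findings = []
    for href, text in LINK_RE.findall(html):
        url = urlparse(href)
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any nested tags
        reasons = []
        if url.scheme == "http":
            reasons.append("plain http")
        if _is_bare_ip(url.hostname or ""):
            reasons.append("bare IP address")
        if url.port not in (None, 80, 443):
            reasons.append(f"non-standard port {url.port}")
        if any(w in text.lower() for w in URGENT_WORDS):
            reasons.append("urgent credential wording")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

On the sample body only the lure link is reported; the HTTPS documentation link passes every check.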
Here’s what happened when I clicked the link on my Windows 8.1 box running IE11.
How many users are going to think something is wrong with this error? It looks perfectly innocuous. But we know it isn’t.
Every time the user clicks OK the Java popup reappears but behind the scenes Kali Linux is covertly opening additional TCP sessions to the victim.
Check out the output on my Kali box.
My poor Windows 8.1 machine is responding with 15 exploits.
It’s even worse on a Windows XP machine. This is proof that no one should ever run Windows XP. Microsoft cut the cord on Windows XP a while ago for good reason. Anyone still running Windows XP is setting themselves up for disaster.
If you typed sessions you would see the active connections to the victim; then you could use any of the dozens of tools in the Metasploit toolkit to compromise the PC. For example, now that the session is active, with a few commands you can log every keystroke of the user and covertly steal files without the user having a clue.
The Social Engineering Toolkit by Kali Linux makes taking over a PC as easy as selecting a few options through a menu. It takes zero skill to implement and this is why it’s critical for managers to arm their staff with the knowledge they need to sidestep these threats. Security Awareness Training could help but the bottom line is that managers need to talk to their employees so they can quickly identify phishing attempts.