Long back, I read a book called The Art of Intrusion by Kevin Mitnick, in which he explained some of his successful techniques to infiltrate into an organization’s network. Among them was one that he employed the most, Social Engineering.
Social Engineering can be defined as a psychological play on people in order to lead them into performing certain desired actions or divulging sensitive information. In lay man’s terms it’s an art of conning people and it has been one of the most successful technique of information gathering and fraud in the history of cyber-crime.
While Social Engineering is primarily conducted in person, there are few tools that can be used as an aid. One of the simplest, but most effective tool that works on the basic concept of social engineering is the Social-Engineer Toolkit (SET). It is written in Python and is developed by TrustedSec as an Open-Source tool.
Given its popularity, SET has been integrated into Kali Linux. Kali is a Debian based linux operating system developed specifically for the purpose of penetration testing. It can be found in “Exploitation Tools” category in the applications menu of Kali Linux.
The backbone of the SET is its configuration file. SET works fine with the default configurations most of the time. However, in order to achieve higher success rates, and to ensure that attacks occur without any hiccups users may need to modify the configuration file as per their requirements.
There are three main subcategories of this toolkit:
- Social-Engineering Attacks
- Fast-Track Penetration Testing
- Third Party Modules
Each of these categories is divided into several modules.
This is the most important part of SET and it contains following sub-modules.
Spear-phishing module: It is used to start an email attack against a single or multiple target(s). It allows the user to customize the message according to recipients along with the ability to embed malicious file attachments. It can either be done manually by creating malicious payloads or social- engineering templates and launching attacks, or automatically via SET. I would recommend the second option for beginners.
Website attack module: The web attack module allows users to utilize multiple web-based attacks to compromise a target victim. These include phishing attacks, Java applet attack, Metasploit browser exploit, credential harvester, tab nabbing, man left in the middle attack, web-jacking attack, and multi-attack which makes a perfect broth of the web attacks.
Infectious USB/CD/DVD module: It creates an autorun.inf file and a Metasploit based payload. The USB/CD/DVD device, once inserted, will compromise the system if autorun is enabled. The attacks can be made through fileformat bugs or using a standard Metasploit executable.
Payload and Listener module: It is capable of creating several type of payloads, export .exe files and generate listeners. The .exe file needs to be executed on victim machine for it to work properly.
Mass E-Mailer module: This module is generally used for mass phishing attacks. It provide users with the capability to customize email messages as per their needs.
Arduino-based attack module: It utilizes the Arduino-based devices. Users can leverage the Teensy USB Device, which has an onboard storage and can allow for remote code execution on the physical system. These devices are registered as USB keyboard and will bypass disabled auto-run or any endpoint protection on the system. It will auto generate the code needed in order to deploy the payload on the system. It will also create .PDE files necessary to import into Arduino. The attack vectors include Powershell based downloaders, WScript attacks etc.
SMS module: It allows users to perform the attack in two ways, either by using a predefined template or by creating their own template. The attack executes when the recipient clicks on a link in their browser, and may be followed by other successive attacks.
Wireless attack module: It creates a fake access point and redirects all DNS queries to the attacker’s machine. It needs a separate wireless card to create an access point, DHCP server, and spoofed DNS to redirect traffic to the attacker’s machine. Once the victim joins the access point and enters a URL, he will redirected to the attacker’s machine with the help of spoofed DNSSpoof. This attack vector requires AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3 to be installed in the attacker’s machine.
QR Code module: It uses the method of QR matrix barcode generation for URLs. After the code is generated, an attack vector needs to be defined within SET. The QR code can then be deployed.
PowerShell attack vector module: It is used to create PowerShell specific attacks. PowerShell is a common feature available in Microsoft Windows Vista and above. It provides a perfect platform to deploy payloads, and perform functions that do not trigger by preventive tools such as IPS. An attacker needs to decide the shell to be used. The shell gets exported in the form of a file. The next step is to coax the victim to run it.
Fast-Track Penetration Testing
It contains following sub-modules.
Microsoft SQL Brute Force Tool: It identifies the live MSSQL servers and attempts to brute force. If the brute force attack is successful, SET compromises the victim system. It can be used to extract confidential data out of MSSQL based databases.
Custom Exploits: This has a group of python based exploits that are still obscure and evolving.
SCCM attack vector module: It can be used to deploy malicious software. The PackageID and SMSServer name of the target package must be known beforehand. The configuration file can then be implanted in the startup directory for all users in the server.
Dell DRAC/Chassis Default Checker: Identifies default Dell DRAC and Chassis installations. After finding such installations, remote administration capabilities can be used to mount a virtual media device with Back|Track or password reset ISO. The entire infrastructure of a victim’s system can be taken-over by adding a local administrator account or dumping the SAM database.
RID_ENUM: It enumerates user accounts through null sessions and SID to RID enum. It is an open source method of performing null session brute forces. For this to work the remote server must have null sessions enabled. This tool uses RID cycle attack to brute force domain controllers.
Third Party Modules
This module includes a number of Remote Administration Tools (RAT), for creating payloads and for launching Java applet attacks.
With the above introduction to SET, I have initiated readers on the path of learning the art of ethical hacking. However, just like any other form of art it requires a lot of practice and patience. So buckle up and keep burning the midnight oil.
Image Credits: Sputnik7.com