Lab 7

Client-Side Attacks

Client-side attacks, as they pertain to web applications, are a method of identifying who is connecting to a web application, what vulnerabilities exist on those client systems, and whether those systems can be used as a means to gain access to, or information from, the web application. The focus of this lab will be identifying systems that access web applications, evaluating those systems for vulnerabilities, and exploiting those vulnerabilities where possible.

Social engineering

Humans will always be the weakest link in a target's security posture. The more you try to control end users, the more they will try to bypass policies; the fewer controls you put in place, the less likely it is that policies will be followed. This creates a double-edged sword when deciding how to protect end users from cyber threats. Attackers know this and target end users in various ways that focus on compromising a key characteristic of the average user: trust.

Social engineering is the art of manipulating people into performing actions or divulging information. Many client-side attacks are based on tricking an end user into exposing their system to an attack. Social engineering can range from calling somebody while pretending to be an authorized employee, to posting a link on Facebook that claims to be a service while really being a means to compromise the client.

The best practice for launching a successful social engineering attack is to take the time to understand your target: learn how the users communicate and attempt to blend into their environment. Social engineering attacks that fail tend to be written in a generic format and lack a strong hook to attract the victim, such as a poorly written e-mail claiming the user is entitled to unclaimed funds. Social media sources such as Facebook are a good way to learn about a target, such as the hobbies and speaking patterns the target favors. For example, a lure based on discounted sports tickets would be ideal if the target's Facebook profile is covered with sports team logos.

Because most client-side attacks leverage social engineering, this lab will explore a popular social engineering toolkit available in Kali.

Social Engineering Toolkit (SET)

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source, Python-driven tool aimed at penetration testing using social engineering. SET is an extremely popular tool used by security professionals to test an organization's security posture. Real-life attackers use SET to craft active and malicious attacks. It is the tool of choice for the most common social engineering attacks.

To launch SET, go to the menu bar, open Exploitation Tools | Social Engineering Tools, and select se-toolkit.

Step 1: Using SET to clone and steal password information

Now that you understand some of the basic dynamics of how SET works, let's compromise a client machine using a website it might trust. Although we can use any website, we recommend something simple.

Here is an example of cloning a site with the intention of stealing the victim's passwords, which works if you can get them to follow a link to YOUR version of a trusted website's login page.

Launch SET as described above (Exploitation Tools | Social Engineering Tools | se-toolkit).

Select "2) Website Attack Vectors"

Then on the next menu:

Select "3) Credential Harvester Attack Method"

The Credential Harvester method clones a website that has a username and password field and harvests all the information posted to the cloned page.

Now select the method. For now:

Select: "2) Site Cloner"

This option will completely clone a website of your choosing and allow you to attack by luring unsuspecting people into attempting to log into your site, thinking it is the real site. When they try, you will capture their credentials.

SET will need the IP address of the web server that will host this sham site. Find the IP address of the Kali machine and enter it when SET asks: "IP address for the POST back in Harvester/Tabnabbing:". Note that since Kali doesn't have a public address, you will only be able to test it from your local machine.

Next it will ask you to enter the URL to clone. Use "".

Wait a bit, and you will see:

[*] Cloning the website:
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

You should now be able to point a browser running on your host machine (or another virtual machine) at the Kali machine's IP address. The cloned page will let you "try" to log in, and Kali will display the text that was entered.
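The defining trait of a harvester page like the one above is that its login form posts credentials to the harvester host rather than to the site it imitates. The following added example (not part of the lab or of SET) shows a defender-side check for that: it parses an HTML page with Python's standard library and flags any form containing a password field whose action, resolved against the URL the page was actually served from, does not point at the expected login host. The sample pages, the harvester address 192.0.2.10 and the host login.example.com are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # values may be None for bare attributes
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_suspicious_forms(html, served_from_url, expected_host):
    """Return resolved actions of password forms not posting to expected_host."""
    scanner = _FormScanner()
    scanner.feed(html)
    flagged = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # search boxes etc. never carry credentials
        # Relative or empty actions resolve against the URL the page was served
        # from, so a cloned page with action="/" still resolves to the harvester.
        target = urljoin(served_from_url, action)
        if urlparse(target).netloc.lower() != expected_host.lower():
            flagged.append(target)
    return flagged


# Constructed sample: a cloned login page served from a lab harvester at the
# documentation address 192.0.2.10; the search form must not be flagged.
CLONED_LOGIN = """<form action="/" method="post">
<input name="user"><input type="password" name="pass"><input type="submit">
</form><form action="/search" method="get"><input name="q"></form>"""

# Constructed sample: the genuine page posts to its own origin.
GENUINE_LOGIN = '<form action="/login" method="post"><input type="password" name="pass"></form>'
```

Calling `find_suspicious_forms(CLONED_LOGIN, "http://192.0.2.10/", "login.example.com")` returns the harvester URL, while the genuine page served from login.example.com returns an empty list.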

Step 2:

Try cloning and utilizing two other sites. Show the results and explain how it worked, or, if it didn't, discuss why.

Step 3

From the main menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

Attempt to get at least one other attack type to work. Fully document your work. Be prepared to talk about it in class.

Topic revision: r2 - 2014-03-24 - JimSkon