
Tuesday, February 28, 2012

Social Engineering and SET (Social Engineering Toolkit)

Social engineering

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.

Diversion theft

Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London.
In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence "round the corner".
With a load/consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, in the pretense that it is "going straight out" or "urgently required somewhere else".
The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load.

Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.

IVR or Phone Phishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.

Baiting

Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.
In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location where it is sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.

Social Engineering Toolkit (SET)

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. Originally this tool was designed to be released with the http://www.social-engineer.org launch, and it has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) with a lot of help from the community in incorporating attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.


Now, I want to share how to use SET.
First, open the SET tool.




OK, I want to do the Social-Engineering Attacks, so I choose no. 1.
Then it will appear like this.



Then I choose no. 2 to use Website Attack Vectors. It will then appear like this.




Next, I choose no. 1. The Java Applet Attack method will spoof a Java certificate and deliver a Metasploit-based payload.




Next, I choose no. 1 to create the Web Templates.




Next, I want to create the Facebook template, so I choose no. 4.




Then I choose the Windows Reverse_TCP_Meterpreter for the payload. The list of encodings then appears.




I choose the shikata_ga_nai encoding, so I choose no. 2. Next we define the port for the listener.




I'm just using the default port, so I just press ENTER. Then we just wait.




If it appears like the picture above, we can try to open it from the browser. Just go to our IP address in the browser.






The Java applet pop-up should appear in the browser, but I don't know why it doesn't appear. I think this is because of the browser's settings.
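
From the defender's side, the page produced by this walkthrough (and the fraudulent page described under Phishing) has recognisable traits: a well-known brand's title served from a host that is not the brand's domain, often a bare IP address, carrying a Java applet or a password field. The following triage check is an added example, not part of the original post or of SET; the `BRANDS` table, the finding labels and the sample HTML are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains that may legitimately serve that brand.
BRANDS = {"facebook": ("facebook.com", "fb.com")}

class PageFacts(HTMLParser):
    """Collects the page title and markers for applets and password inputs."""
    def __init__(self):
        super().__init__()
        self.title, self.in_title, self.markers = "", False, set()
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "applet":
            self.markers.add("java-applet")
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.markers.add("password-form")
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def host_is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:  # not an IP literal, so it is a DNS name (or empty)
        return False

def triage(url, html):
    """Return finding labels for one fetched page; [] means nothing flagged."""
    host = (urlsplit(url).hostname or "").lower()
    facts = PageFacts()
    facts.feed(html)
    findings = []
    for brand, domains in BRANDS.items():
        on_brand = any(host == d or host.endswith("." + d) for d in domains)
        if brand in facts.title.lower() and not on_brand:
            findings.append("brand-on-foreign-host:" + brand)
    if host_is_ip(host):  # applets and login forms on a bare IP are rarely legitimate
        findings += [m + "-on-bare-ip" for m in sorted(facts.markers)]
    return findings

# Constructed sample: a brand-titled page with an applet, as fetched from a documentation IP.
CLONE = ('<html><head><title>Welcome to Facebook</title></head><body><applet code="Example.class">'
         '</applet><input type="password" name="pass"></body></html>')
```

Calling `triage("http://192.0.2.10/", CLONE)` flags the brand mismatch, the applet and the password form, while the same brand title fetched from `www.facebook.com` returns no findings.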
