WEBVTT

00:00.000 --> 00:02.040
>> Hey guys, welcome back to

00:02.040 --> 00:04.439
the Cyber Kill Chain
course on savagery.

00:04.439 --> 00:06.135
This is Abdulrahman Alnaim,

00:06.135 --> 00:10.050
and today's episode we're
going to cover delivery.

00:10.050 --> 00:12.150
We went through reconnaissance,

00:12.150 --> 00:14.520
we gathered as much
information as we can,

00:14.520 --> 00:16.170
and I know I bored
you with this.

00:16.170 --> 00:17.520
However, reconnaissance is

00:17.520 --> 00:20.010
>> an extremely important phase.

00:20.010 --> 00:21.900
>> We're going to use
the information that

00:21.900 --> 00:23.910
we learned from
reconnaissance in

00:23.910 --> 00:25.845
delivery because
we want to create

00:25.845 --> 00:28.755
a successful social
engineering attack,

00:28.755 --> 00:32.520
or if we're going
to use an open FTP,

00:32.520 --> 00:33.600
that's something
that we would have

00:33.600 --> 00:36.330
learned about doing
reconnaissance.

00:36.330 --> 00:37.680
In weaponization, we

00:37.680 --> 00:40.250
covered creating the payload

00:40.250 --> 00:41.780
using Unicorn and
the Metasploit,

00:41.780 --> 00:44.045
and now we move to delivery.

00:44.045 --> 00:46.760
In delivery, our goal

00:46.760 --> 00:49.205
is to send the
malicious payload that

00:49.205 --> 00:53.820
we created in weaponization
to the victim's side.

00:53.820 --> 00:56.360
This can be in multiple ways.

00:56.360 --> 00:58.655
The first one is open services.

00:58.655 --> 00:59.930
If you're lucky enough,

00:59.930 --> 01:02.630
and the company, or the
target that you're trying to

01:02.630 --> 01:05.585
attack has an open service,

01:05.585 --> 01:09.545
that would be a
lot easier because

01:09.545 --> 01:14.405
you can deliver the payload
through that open service.

01:14.405 --> 01:17.660
Let's say they have
an open FTP port that

01:17.660 --> 01:19.610
allows anonymous connection, and

01:19.610 --> 01:21.095
it gives you some privileges,

01:21.095 --> 01:23.360
you can go ahead, and deliver

01:23.360 --> 01:27.455
the payload using
that open service.

01:27.455 --> 01:29.765
The other one is
social engineering.

01:29.765 --> 01:33.050
Social engineering is
extremely popular, and might

01:33.050 --> 01:38.270
be one of the most
skills, or one of

01:38.270 --> 01:41.150
the most tools used to be able

01:41.150 --> 01:45.020
>> to deliver a payload, or at

01:45.020 --> 01:52.290
>> least phish some information
back from the target.

01:52.290 --> 01:55.630
The last method is
it can be physical.

01:55.630 --> 01:58.490
As we said, attacks are
not only technical,

01:58.490 --> 02:00.355
they can be physical.

02:00.355 --> 02:02.920
That's something that
I've seen before.

02:02.920 --> 02:04.640
A USB is dropped in

02:04.640 --> 02:06.530
the parking lot,
or in the lobby,

02:06.530 --> 02:07.744
>> or something like that.

02:07.744 --> 02:11.870
>> It would have
something like a tag that

02:11.870 --> 02:16.805
says compensation 2019,
or something like that.

02:16.805 --> 02:21.170
A lot of people would find
this interesting, and just

02:21.170 --> 02:26.715
connect it to the workstations.

02:26.715 --> 02:30.345
Then the payload, and the USB

02:30.345 --> 02:34.850
will be delivered to the network

02:34.850 --> 02:39.650
using that USB connection,

02:39.650 --> 02:43.970
or the user that is
not really vigilant,

02:43.970 --> 02:48.040
they connected that
USB to the workstation.

02:48.040 --> 02:50.390
There is a lot of popular,

02:50.390 --> 02:52.220
>> or extremely popular examples

02:52.220 --> 02:54.140
>> of something like
this happening.

02:54.140 --> 02:55.760
In today's episode,

02:55.760 --> 02:57.230
what we're going to cover

02:57.230 --> 02:59.555
is the social
engineering toolkit,

02:59.555 --> 03:01.595
and it's a fairly simple tool.

03:01.595 --> 03:06.170
We're not actually sending
the email, or something,

03:06.170 --> 03:07.790
but we're going to go through

03:07.790 --> 03:09.065
the social engineering toolkit.

03:09.065 --> 03:12.290
I'm going to leave
a link to some of

03:12.290 --> 03:13.880
the resources that have

03:13.880 --> 03:16.315
to do with social
engineering toolkit.

03:16.315 --> 03:19.620
It comes built-in in Kali Linux.

03:19.620 --> 03:24.315
You just have to open it.

03:24.315 --> 03:29.995
It's one of the easiest tools
that you will ever use.

03:29.995 --> 03:33.570
That's the social
engineering toolkit.

03:33.570 --> 03:38.870
It was created by TrustedSec,

03:38.870 --> 03:45.445
which is the same guys
that created Unicorn.

03:45.445 --> 03:50.880
It gives you a
number of options.

03:50.880 --> 03:53.420
The first one is a social
engineering attack.

03:53.420 --> 03:55.235
We're going to get
into it in a minute.

03:55.235 --> 03:57.755
There's penetration testing.

03:57.755 --> 04:05.040
This is not usually used a
lot for penetration testing.

04:05.040 --> 04:07.610
They have a number of
third-party modules.

04:07.610 --> 04:12.890
Then you can update,
and so on because I got

04:12.890 --> 04:20.005
the Kali Linux built-in,
social engineering toolkit.

04:20.005 --> 04:23.210
When I update my Kali Linux,

04:23.210 --> 04:26.900
this is automatically updated
with it, and obviously,

04:26.900 --> 04:28.460
I did not do my homework,

04:28.460 --> 04:31.205
I did not upgrade my
Kali Linux in a while.

04:31.205 --> 04:34.595
Let's go into social
engineering attacks.

04:34.595 --> 04:37.775
Again, as I said, this
is a fairly simple tool.

04:37.775 --> 04:41.250
You can create spear-phishing
attacks from here.

04:41.270 --> 04:44.970
Basically, you can perform
a mass email attack,

04:44.970 --> 04:47.910
you can create a
file format attack,

04:47.910 --> 04:49.305
a social engineering template,

04:49.305 --> 04:50.955
and then we go back,

04:50.955 --> 04:52.430
website attack vectors and

04:52.430 --> 04:54.650
that's extremely popular as well

04:54.650 --> 04:58.655
where you create a website
that has a payload,

04:58.655 --> 05:01.220
and then use another tool within

05:01.220 --> 05:02.390
the social engineering
toolkit to

05:02.390 --> 05:05.354
>> send an email that has

05:05.354 --> 05:08.330
>> a false link that would

05:08.330 --> 05:13.560
send the victim to the
website that you created.

05:14.410 --> 05:20.115
There's a lot of features here.

05:20.115 --> 05:22.020
Mass mailer is one of them.

05:22.020 --> 05:27.195
You can create a
mass email attack,

05:27.195 --> 05:29.040
I'm not going to do that.

05:29.040 --> 05:32.295
Let's go backward. Send
a single email as well.

05:32.295 --> 05:35.335
There's also SMS spoofing,

05:35.335 --> 05:38.375
but you need a web
service to do that.

05:38.375 --> 05:42.020
Obviously, wireless access
point is another one.

05:42.020 --> 05:45.055
If the attacker is doing
a physical attack,

05:45.055 --> 05:50.765
he can spoof a wireless
access point using this tool,

05:50.765 --> 05:54.380
and then maybe one of

05:54.380 --> 05:56.630
the employees within the
company would connect

05:56.630 --> 05:58.890
to his, or the target,

05:58.890 --> 06:01.575
I'm sorry, I'm assuming it's
a company and the target

06:01.575 --> 06:06.620
will connect to his access point

06:06.620 --> 06:08.075
or the rogue access point,

06:08.075 --> 06:10.460
and the attacker will be able to

06:10.460 --> 06:14.160
deliver the payload that way.

06:16.370 --> 06:19.020
That's the Social
Engineering Toolkit.

06:19.020 --> 06:23.900
As I said, I'm going to leave
a number of documents in

06:23.900 --> 06:27.275
the resources page that would go

06:27.275 --> 06:29.180
more over Social
Engineering Toolkit

06:29.180 --> 06:32.430
and the capabilities of
Social Engineering Toolkit.

06:33.050 --> 06:37.510
What is the purpose of
the delivery phase?

06:37.820 --> 06:40.550
What we do in the
delivery phase,

06:40.550 --> 06:42.530
our main purpose or goal of

06:42.530 --> 06:43.820
the delivery phase is to

06:43.820 --> 06:46.055
deliver our payload
to the other side,

06:46.055 --> 06:49.855
to the target of the attack.

06:49.855 --> 06:51.860
There are multiple
ways of doing it.

06:51.860 --> 06:53.720
It can be using open services,

06:53.720 --> 06:56.990
social engineering,
or even physical.

06:56.990 --> 06:59.930
True or false, a
reconnaissance phase

06:59.930 --> 07:03.010
is normally not used
during the delivery phase.

07:03.010 --> 07:07.805
As you noticed, in delivery
and then weaponization,

07:07.805 --> 07:11.395
I've talked about a lot
about reconnaissance.

07:11.395 --> 07:14.630
Because if you did
collect reconnaissance,

07:14.630 --> 07:18.860
you will know what interests
the system admin has,

07:18.860 --> 07:22.175
what interests the
CEO has or the CFO has.

07:22.175 --> 07:23.870
Then you can create

07:23.870 --> 07:27.110
a fairly successful social
engineering attack or

07:27.110 --> 07:29.045
campaign that would trick them

07:29.045 --> 07:32.940
into helping you
deliver your payload.

07:34.120 --> 07:37.880
Finally, social engineering
can only be used to get

07:37.880 --> 07:40.204
the FTP server's passwords

07:40.204 --> 07:42.395
in order to upload the payload.

07:42.395 --> 07:46.415
That's one way to use
social engineering

07:46.415 --> 07:50.480
is get them to put
in their username,

07:50.480 --> 07:54.125
create a website using
Social Engineering Toolkit,

07:54.125 --> 07:57.535
a cloned website that looks
like that FTP server,

07:57.535 --> 07:59.630
and let them put in their
username, and password,

07:59.630 --> 08:02.255
then use this username and
password on the FTP server.

08:02.255 --> 08:05.035
However, that's not the
only way out there.

08:05.035 --> 08:06.690
As I said, in
social engineering,

08:06.690 --> 08:09.830
you can let them
click on the link.

08:09.830 --> 08:13.070
The link would send
them to a page or

08:13.070 --> 08:15.260
a fake page that
would automatically

08:15.260 --> 08:18.540
download, or restore your
payload on their machine.

08:18.590 --> 08:22.325
In today's episode, we
covered delivery phase,

08:22.325 --> 08:23.930
and we talked a little bit

08:23.930 --> 08:26.165
about the social
engineering toolkit.

08:26.165 --> 08:27.350
In the next episode,

08:27.350 --> 08:30.290
we go to exploitation,
and installation.

08:30.290 --> 08:31.850
The next episode is

08:31.850 --> 08:35.500
where the hacking
begins. See you then.

