1
00:00:07,040 --> 00:00:13,760
The Social-Engineer Toolkit in Kali Linux is set up for a number of social engineering and penetration

2
00:00:13,760 --> 00:00:19,570
testing attacks. You can see there's a full menu at every level that we're going to go through today.

3
00:00:19,760 --> 00:00:25,670
We're going to use one attack from one submenu in the Social-Engineer Toolkit.

4
00:00:26,060 --> 00:00:29,660
But it is a really important toolkit to get to know, to understand.

5
00:00:29,900 --> 00:00:36,410
I'm just going to show you today how we can spot spear phishing, how we can stop spear phishing, and how

6
00:00:36,410 --> 00:00:42,380
we can train other people on how to spot spear phishing in our organizations and our families so that

7
00:00:42,380 --> 00:00:46,190
your friends and family don't get taken by scammers online.

8
00:00:46,730 --> 00:00:51,200
So let's first open up menu number one, Social-Engineering Attacks.

9
00:00:51,440 --> 00:00:54,950
You notice there are lots of other things down through here, but we're just going to take it one piece

10
00:00:54,950 --> 00:00:55,520
at a time.

11
00:00:56,060 --> 00:01:01,460
We're selecting menu number one, Social-Engineering Attacks. Under this menu,

12
00:01:01,460 --> 00:01:07,160
you see once again we have everything from Arduino-based attacks, mass mailers, payloads, listeners,

13
00:01:07,160 --> 00:01:15,920
infectious media generators, so we can inject malware into an MP4 or an MPEG movie that we send

14
00:01:15,920 --> 00:01:19,850
someone, into a WAV file, into a Windows Media file.

15
00:01:20,120 --> 00:01:23,960
We can send malware over wireless access points.

16
00:01:23,960 --> 00:01:27,880
We can generate a bad QR code that will take someone to the wrong website.

17
00:01:27,890 --> 00:01:31,160
So these are all social engineering related attacks.

18
00:01:31,850 --> 00:01:33,680
People think that they're getting one thing.
19
00:01:33,680 --> 00:01:39,110
We send them something for free or give them a chance to click through an email or click through and

20
00:01:39,110 --> 00:01:39,950
watch a video.

21
00:01:40,190 --> 00:01:43,910
And you can see it's a really mean world out on the Internet.

22
00:01:44,210 --> 00:01:46,070
People can use these tools for bad.

23
00:01:46,070 --> 00:01:51,320
You're just going to be using these tools ethically to teach other people and to train yourself on why

24
00:01:51,320 --> 00:01:57,020
it's so important to know what you're clicking through every time. In this first menu, what we want to do

25
00:01:57,020 --> 00:02:01,370
is click through to just the Website Attack Vectors, number two.

26
00:02:01,850 --> 00:02:08,630
And once again, in the Social-Engineer Toolkit, you'll see that just this one submenu, two submenus

27
00:02:08,630 --> 00:02:11,930
down, has a full set of eight attacks.

28
00:02:11,930 --> 00:02:18,800
We have Java applet attacks, Metasploit browser exploits, credential harvesters, tabnabbing, which means taking

29
00:02:18,800 --> 00:02:20,930
over tabs in your browser, web

30
00:02:20,930 --> 00:02:25,010
jacking, so it makes it look like they're going to one site, but they're actually going to a different one,

31
00:02:25,670 --> 00:02:31,400
multi-attack, where you can combine three or four, all of these, into a single attack so that if a person

32
00:02:31,400 --> 00:02:37,580
clicks through, you try everything all at once, a full-screen attack, HTA attacks. All of these

33
00:02:37,580 --> 00:02:42,860
are things that you should get to know and come back and look through, because you should understand

34
00:02:42,860 --> 00:02:49,100
how vulnerable your computer is and how vulnerable your network's computers are, your family and friends'

35
00:02:49,100 --> 00:02:49,820
computers are.

36
00:02:50,120 --> 00:02:56,090
But we're going to use just one really clever spear phishing technique under the credential harvester.
37
00:02:56,360 --> 00:03:00,590
When it comes to phishing, we're usually trying to get someone's credentials, their username and their

38
00:03:00,590 --> 00:03:01,220
password.

39
00:03:01,460 --> 00:03:07,340
The credential harvester is the perfect tool for setting someone up for a spear phishing attack.

40
00:03:07,610 --> 00:03:11,840
So number three, the Credential Harvester Attack Method: hit three and Enter.

41
00:03:12,410 --> 00:03:18,830
And again on this submenu, you'll see that there are lots of options for attacking or for testing your

42
00:03:18,830 --> 00:03:19,460
network.

43
00:03:19,670 --> 00:03:21,650
Number one, you have web templates.

44
00:03:21,950 --> 00:03:25,080
These are templated sites that look like familiar things

45
00:03:25,080 --> 00:03:30,140
your users might go through. Number two, the site cloner, is what we're going to use.

46
00:03:30,140 --> 00:03:35,060
And then number three, a custom import, so that we can build something specific and bring it in to the

47
00:03:35,060 --> 00:03:36,320
Social-Engineer Toolkit.

48
00:03:36,320 --> 00:03:43,730
So if your site doesn't clone perfectly using the site cloner, you can actually make a copy of the HTML

49
00:03:44,180 --> 00:03:50,420
page of your organization's email login, for example, and then you can bring it in with a custom

50
00:03:50,420 --> 00:03:50,840
import.

51
00:03:51,080 --> 00:03:56,630
We're going to use the site cloner because Facebook has a public web login page, and

52
00:03:56,630 --> 00:03:59,600
we will use the site cloner to grab that site.

53
00:03:59,600 --> 00:04:01,700
So come with me to number two, the site cloner.

54
00:04:02,180 --> 00:04:06,050
And now it's asking for the IP address of the POST back.

55
00:04:06,320 --> 00:04:08,870
Well, what we're going to do is set up a fake Facebook page.

56
00:04:08,870 --> 00:04:12,650
It's going to copy that page and run it on our Kali Linux server.
57
00:04:13,040 --> 00:04:19,550
This Kali Linux VM is going to act like a web server in just a moment and copy that Facebook page.

58
00:04:19,820 --> 00:04:24,920
So we need to make sure that we're on the right network, so you can either come to the left of your screen

59
00:04:24,920 --> 00:04:26,510
and come to Terminal

60
00:04:27,480 --> 00:04:33,030
and open a new window, or, while you're in the terminal here, we can come to File and Open Terminal.

61
00:04:34,560 --> 00:04:41,280
We want to double-check our IP address, so I'm going to increase the size. So in this separate terminal

62
00:04:41,280 --> 00:04:43,080
window, I'm going to check two things.

63
00:04:43,080 --> 00:04:47,640
I'm going to make sure that I can get my IP address, and I'm going to make sure that I've got outside

64
00:04:47,640 --> 00:04:55,830
connectivity, because we just switched over to the public network. ifconfig will tell us our IP address.

65
00:04:59,040 --> 00:05:04,920
And we do have a ten point nine four. You're going to need this IP address later, so remember

66
00:05:04,920 --> 00:05:10,620
your Kali Linux box's. Yours may be slightly different from mine; mine is ten point nine four.

67
00:05:10,630 --> 00:05:12,330
That's going to be very important.

68
00:05:12,630 --> 00:05:14,240
Ten point nine four.

69
00:05:14,610 --> 00:05:21,060
And let's just check to make sure that we have good outside connectivity: ping google.com, for example,

70
00:05:21,210 --> 00:05:24,600
and we are getting connectivity out.

71
00:05:26,730 --> 00:05:31,800
If you're not getting either of those things, you can either reboot your Kali Linux box or you can

72
00:05:32,310 --> 00:05:40,920
just go through the steps to restart your network service with sudo service network-manager

73
00:05:40,920 --> 00:05:41,760
restart.
74
00:05:43,430 --> 00:05:50,780
Let me get that ifconfig one more time, and my IP address is ten, nine, four. We're going to memorize

75
00:05:50,780 --> 00:05:53,870
that, but we'll also copy it just in case we want to paste it.

76
00:05:55,920 --> 00:06:02,550
And then we can minimize this terminal window. So the IP address for the POST back, that means where

77
00:06:02,550 --> 00:06:07,770
it should send the username and password, is this computer, our Kali Linux box.

78
00:06:08,040 --> 00:06:09,240
So we're going to

79
00:06:09,390 --> 00:06:09,720
right-

80
00:06:09,720 --> 00:06:14,670
click and paste that ten point nine four address.

81
00:06:15,480 --> 00:06:18,630
Adjust this to whatever your Kali Linux box's is.

82
00:06:18,630 --> 00:06:24,330
If ifconfig said the IP address for your machine was on the public NAT, make sure you're on the public

83
00:06:24,330 --> 00:06:24,590
NAT.

84
00:06:24,600 --> 00:06:26,340
That's our ten point nine four.

85
00:06:26,610 --> 00:06:28,320
That's how we can see to the outside world.

86
00:06:28,330 --> 00:06:32,220
So the IP address for the POST back is ten point nine four for me.

87
00:06:34,890 --> 00:06:42,420
Now it's asking us to enter the URL to clone. We're going to clone www.facebook.com, but

88
00:06:42,420 --> 00:06:48,420
you could add your bank website, your company's email login, your school, only your school.

89
00:06:48,420 --> 00:06:55,530
If you are teaching your friends how to avoid and how to spot these social engineering attacks,

90
00:06:56,100 --> 00:07:02,220
you could enter your bank, your favorite social media site, your organization's email login.

91
00:07:02,730 --> 00:07:06,540
If you're doing training for your employees, they need to know how to spot all of those kinds of things,

92
00:07:06,840 --> 00:07:11,520
because attackers will try those types of sites.

93
00:07:12,030 --> 00:07:13,350
So we're going to clone the site.
94
00:07:13,360 --> 00:07:18,570
We've got facebook.com, and notice it tells you a few things when you run it.

95
00:07:18,600 --> 00:07:20,790
The cloner is cloning the website

96
00:07:20,790 --> 00:07:28,560
login.facebook.com/login. Notice we just typed in facebook.com, but it found the

97
00:07:28,560 --> 00:07:31,530
login page specifically and it's cloning that.

98
00:07:31,800 --> 00:07:34,490
And now it says it's running on port 80.

99
00:07:34,500 --> 00:07:39,270
It also gives us the hint that we want to use sites that have a username and a password field on the

100
00:07:39,270 --> 00:07:40,010
same page.

101
00:07:40,320 --> 00:07:43,290
Well, let's just see locally what this port 80 looks like.

102
00:07:43,560 --> 00:07:47,850
All that means is that it's running a web server on port 80.

103
00:07:47,850 --> 00:07:49,380
That's the normal web server port.

104
00:07:49,870 --> 00:07:59,280
If I just say localhost in my browser, that is the 127.0.0.1 address, that is

105
00:08:00,610 --> 00:08:03,580
the Facebook login page. How can that be?

106
00:08:03,610 --> 00:08:10,480
Well, we have cloned the Facebook login page, and notice it's sharing some information back here.

107
00:08:11,560 --> 00:08:18,550
It's saying that someone is on this Facebook page, so if I put a Facebook login like fred

108
00:08:20,160 --> 00:08:23,910
at flintstone dot com

109
00:08:24,910 --> 00:08:29,950
and then give a password of "this is a bad password"

110
00:08:32,310 --> 00:08:34,410
and hit Enter, Log In.

111
00:08:36,280 --> 00:08:41,290
It says, would you like Firefox to remember this login? We'll see in the password section why you should

112
00:08:41,290 --> 00:08:45,370
never store your passwords on a computer that you don't own, and you may not want to store them on a

113
00:08:45,370 --> 00:08:46,150
computer that you do.

114
00:08:46,780 --> 00:08:51,130
Well, it didn't do anything. It looks like it just took my information.
115
00:08:51,130 --> 00:08:52,390
But it

116
00:08:53,330 --> 00:08:59,750
says facebook.com/login again. Well, for most people, that just seems like almost a mistype or

117
00:08:59,750 --> 00:09:00,080
something.

118
00:09:00,080 --> 00:09:08,690
So to reiterate, what the Social-Engineer Toolkit has done is set up a clone and redirected the

119
00:09:08,690 --> 00:09:15,460
user to the real Facebook login page so that they're not as aware of what happened to them.

120
00:09:15,680 --> 00:09:20,300
But if you look back here in the browser, in our terminal window,

121
00:09:22,270 --> 00:09:25,270
my email address and password

122
00:09:26,230 --> 00:09:33,080
went to the password harvester, the credential harvester, on my Kali Linux computer.

123
00:09:33,760 --> 00:09:36,160
This is damaging enough all by itself.

124
00:09:36,160 --> 00:09:42,070
But in the next lesson, we're going to see how to send this out as a spear phishing attempt and do

125
00:09:42,070 --> 00:09:49,130
some really serious training for our users so that they understand how dangerous it is to click through

126
00:09:49,130 --> 00:09:53,810
a link, even one that looks familiar, and enter your information.

127
00:09:54,430 --> 00:09:57,820
Let's see how to make a spear phishing email in the next lesson.