Chapter 10
Of course, social engineering is nothing new. One person trying to coax another to perform acts that he normally wouldn't do is as old as time itself. Many in the security community believe that social engineering is one of the biggest risks organizations face, because it's extremely difficult to protect organizations from being attacked in this way. (You might remember the ultrasophisticated Operation Aurora attack, for example, in which social engineering was used to attack Gmail and other sources of Google data.)
An attack vector is the avenue used to gain information or access to a system. SET categorizes attacks by attack vector (such as web, email, and USB-based attacks). It uses email, spoofed websites, and other vectors to reach human targets, typically tricking individuals into compromising the target or releasing sensitive information. Naturally, each vector can have a different success rate depending on its target and the communication used. SET also comes prebuilt with email and website templates that can be used for social-engineering attacks. SET heavily uses the Metasploit Framework.

Because of the social nature of the attacks themselves, each example in this chapter is coupled with a brief story.
Configuring the Social-Engineer Toolkit
By default, in Back|Track, SET is located in the /pentest/exploits/set/ directory. Before you begin, make sure that you are running the latest version of SET:

    root@bt:/pentest/exploits/set# svn update
Next, configure your SET configuration file according to what you're attempting to accomplish. We'll cover a couple of simple features within the configuration file config/set_config within the root SET directory.

When using the SET web-based attack vectors, you can turn ON the WEBATTACK_EMAIL flag to perform email phishing in conjunction with the web attack. This flag is turned OFF by default, which means that you will configure SET and use the web attack vector without the support of email phishing.

    METASPLOIT_PATH=/opt/framework3/msf3
    WEBATTACK_EMAIL=ON
One of the web-based attacks available in SET is the Java applet attack, which uses self-signed Java applets. By default, this attack uses Microsoft as the publisher name; however, if the Java Development Kit (JDK) has been installed, you can turn this option ON and sign the applet with whatever name you want. When you turn this flag ON, additional options will be available through the interface.

    SELF_SIGNED_APPLET=ON
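Before launching SET it is worth confirming what set_config actually says, since a flag left ON from an earlier engagement changes which vectors fire. The following Python helper is an added example, not code from the book or from SET itself; it assumes set_config is plain KEY=VALUE lines with # comments, reports the effective state of the flags covered here (AUTO_DETECT's default of ON and SELF_SIGNED_APPLET's assumed default of OFF are taken as given), and checks that METASPLOIT_PATH exists. The sample config is constructed inline.

```python
import os
from typing import Dict

# Flags covered in this section with their defaults. WEBATTACK_EMAIL and
# AUTO_DETECT defaults come from the text; SELF_SIGNED_APPLET=OFF is assumed.
BOOLEAN_FLAGS = {
    "WEBATTACK_EMAIL": "OFF",
    "SELF_SIGNED_APPLET": "OFF",
    "AUTO_DETECT": "ON",
}


def parse_set_config(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines. Lines starting with '#' are comments and
    blank lines are skipped (assumed set_config syntax)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_set_config(settings: Dict[str, str]) -> Dict[str, str]:
    """Report each flag's effective value (its default when absent, INVALID
    when not ON/OFF) and whether METASPLOIT_PATH is an existing directory."""
    report: Dict[str, str] = {}
    for flag, default in BOOLEAN_FLAGS.items():
        value = settings.get(flag, default).upper()
        report[flag] = value if value in ("ON", "OFF") else "INVALID"
    msf = settings.get("METASPLOIT_PATH", "")
    if not msf:
        report["METASPLOIT_PATH"] = "UNSET"
    else:
        report["METASPLOIT_PATH"] = "OK" if os.path.isdir(msf) else "MISSING"
    return report


# Constructed sample config using the values shown in this section.
SAMPLE_CONFIG = """\
# Metasploit location
METASPLOIT_PATH=/opt/framework3/msf3
WEBATTACK_EMAIL=ON
SELF_SIGNED_APPLET=ON
# AUTO_DETECT left at its default
"""

if __name__ == "__main__":
    for key, status in check_set_config(parse_set_config(SAMPLE_CONFIG)).items():
        print(f"{key:20s} {status}")
```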
The AUTO_DETECT setting is one of the most important flags and is turned ON by default. It tells SET to detect your local IP address automatically and to