![]() ![]() The Credentials Harvester Attack is pretty slick as it clones an existing website (like Facebook) and then stores any credentials that are entered into it. The Metasploit Browser Exploit attacks the client system with Metasploit browser exploits. This will create a Java app that has a backdoor shell. Now we choose number 1 for Java Applet Attack method. Then we choose 2 for Website Attack Vectors. We will be using a Windows 8 system as the target in the example.įrom the SET menu we choose number 1 for Social-Engineering Attacks. We will use SET to create a fictitious website that will offer up a booby-trapped Java app, and if user allows the app to run, we get a full remote session to the system. The Java PyInjector attack leverages the anti-virus bypassing capabilities of PowerShell based attacks with a Java application. But if we could make a fake site that offered up a booby script, and if the user allows the script to create shell with the user. So far we have just sent a fake e-mail that could redirect someone to a bogus site. The message in above screenshot is obviously a silly fake, but something like this (With a much more believable message ) could be used to test employee’s ability to detect, resist and report phishing attempts. Then press “ Enter” and SET will send out the e-mail to victim. ![]() When finished we type “ END” in the last line. ![]() That way as a security expert we know who in our organization needs to be better educated on the risks of malicious e-mails. In actual defense practice this could just be a test webpage that records the IP address of those who were tricked to surf to the page. Now type-in a fake message, preferably one that will entice our victim to click on a malicious link included or entice them surf to a malicious web page. What about “Important update”Įnter “ p” when prompted to “Send the message as html or plain ?” We don’t want to attach any malicious file so we choose “ no” when prompt “Do you want to attach a file ?” Then we press yes at the prompt “Flag this message/s as high priority ?” Now SET asks for the password of the Gmail account. Pay special attention to this field, as this where the real social engineering takes place. Let’s use so it look that it’s from Google. Then we choose a spoofed name to use for the ‘from’ line of the message. The Gmail address and password must be correct. For this tutorial we will use a fake Gmail account. Now we select option 1 to use a Gmail account or another server. See the following screenshot :įor this example, let’s just send one. One way a Social Engineer will attack a network is to send out a flood of e-,ails to company address and see who will respond or run the malicious attachment we sent with it.Īfter entering in option 5 in SET we got two optionsįor this example let’s just send one. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |