What is social engineering?

Social engineering is the art of exploiting human psychology to gain access to systems or sensitive information.

What are common types of social engineering attacks?

Common types include phishing, pretexting, baiting, and impersonation.

How does phishing work?

Phishing typically involves tricking individuals into revealing sensitive information by exploiting emotions like urgency or fear.

What is the purpose of the demonstration in the video?

The demonstration aims to educate on how phishing attacks work to help individuals recognize and defend against such threats.

What tools are used for the demonstrations?

The tools used include Metasploit for exploiting vulnerabilities and Social Engineer Toolkit for phishing attacks.

How can one defend against social engineering attacks?

Awareness and training for employees about recognizing social engineering tactics are critical for defense.

What is the significance of credential harvesting?

Credential harvesting is significant as it allows attackers to gain unauthorized access to accounts by collecting usernames and passwords.

What should organizations do to prevent phishing attacks?

Organizations should implement security awareness training and enable multi-factor authentication to enhance security.

Simulating Basic Attacks with Metasploit and Social Engineer Toolkit

00:49:16

https://www.youtube.com/watch?v=gKykLr59LW8

Sintesi

TLDRIn this video, the speaker discusses social engineering attacks, focusing on phishing techniques. Social engineering exploits human psychology instead of relying solely on technical vulnerabilities. The video emphasizes the importance of understanding these methods to better defend against them. Key demonstrations include capturing credentials through a fake login interface using Metasploit and creating a malicious PDF to infect user systems. The Social Engineer Toolkit is explored for its capabilities in conducting phishing campaigns. The content aims to educate viewers, especially those studying secure coding, on how to recognize and prevent such attacks.

Punti di forza

🔍 Social engineering exploits human psychology.
📧 Phishing involves tricking users into giving sensitive information.
🛠️ Tools like Metasploit are used for ethical hacking.
📝 Always be cautious with emails and links that prompt urgency or fear.
👨‍🎓 Awareness training is critical for organizations.
💻 Credential harvesting can lead to unauthorized access.
🔒 Multi-factor authentication can help prevent phishing attacks.
🖥️ Social Engineer Toolkit is versatile for phishing demonstrations.
📑 Creating convincing payloads increases phishing effectiveness.
⚠️ Always verify the source of digital communications.

Linea temporale

00:00:00 - 00:05:00
This video discusses basic social engineering attacks, explaining that social engineering relies on exploiting human psychology instead of technical hacking methods to gain unauthorized access to systems and data. The presenter highlights various social engineering techniques, focusing primarily on phishing attacks which lure individuals into revealing sensitive information or clicking malicious links.
00:05:00 - 00:10:00
The video serves as a tutorial for undergraduate students in a secure coding module, detailing the process of implementing basic phishing attacks. The presenter discusses their intention to record this information as an educational resource, acknowledging that the content might vary in relevance for different viewers. They also mention a minor technical issue visible in the video.
00:10:00 - 00:15:00
The presenter outlines a practical demonstration involving capturing user credentials using Metasploit and creating a malicious PDF for phishing purposes. They describe the elements involved in these demonstrations, including establishing persistence and gathering hashes to analyze vulnerabilities, which ultimately aids in understanding social engineering tactics.
00:15:00 - 00:20:00
Metasploit's command options and features are highlighted, explaining how to search for specific modules to conduct a very basic phishing attack. The presenter elaborates on using HTTP basic authentication to simulate a phishing scenario, where victims are tricked into providing their credentials.
00:20:00 - 00:25:00
The video continues with a detailed walkthrough for setting up a fake login page designed to collect credentials from victims, discussing the importance of social engineering in persuading victims to enter their information even when the red flags are apparent. They emphasize that a realistic fake site creation is vital for effective phishing.
00:25:00 - 00:30:00
Next, the focus shifts to creating a malicious PDF file that would deploy malware on a user's system when opened. The presenter explains step-by-step how to customize the PDF to look benign, incorporating details that would entice the victim to open the file, aligning with the goals of social engineering attacks.
00:30:00 - 00:35:00
The speaker then runs through exploiting the system after the malicious PDF is executed, showcasing how to capture keystrokes, take screenshots, and collect various credentials using Metasploit’s Meterpreter. They discuss the power of Meterpreter's post-exploitation capabilities and the different tactics available for privilege escalation, persistence, and exploitation.
00:35:00 - 00:40:00
The presenter runs through various threats posed by malware and social engineering techniques, including the ability for malware to listen to microphones, record webcams, and attempt privilege elevation in order to gain full control over compromised systems.
00:40:00 - 00:49:16
Finally, they transition to discussing the Social Engineer Toolkit (SET), attempting to perform website cloning for phishing and various exploit test demonstrations that do not yield success, showcasing the dynamic challenge faced in penetration testing. The video wraps with a summary of the tools discussed and encourages viewers to share any interesting techniques or tools to explore further.

Mostra di più

Mappa mentale

Video Domande e Risposte

What is social engineering?
Social engineering is the art of exploiting human psychology to gain access to systems or sensitive information.
What are common types of social engineering attacks?
Common types include phishing, pretexting, baiting, and impersonation.
How does phishing work?
Phishing typically involves tricking individuals into revealing sensitive information by exploiting emotions like urgency or fear.
What is the purpose of the demonstration in the video?
The demonstration aims to educate on how phishing attacks work to help individuals recognize and defend against such threats.
What tools are used for the demonstrations?
The tools used include Metasploit for exploiting vulnerabilities and Social Engineer Toolkit for phishing attacks.
How can one defend against social engineering attacks?
Awareness and training for employees about recognizing social engineering tactics are critical for defense.
What is the significance of credential harvesting?
Credential harvesting is significant as it allows attackers to gain unauthorized access to accounts by collecting usernames and passwords.
What should organizations do to prevent phishing attacks?
Organizations should implement security awareness training and enable multi-factor authentication to enhance security.

Visualizza altre sintesi video

Ottenete l'accesso immediato ai riassunti gratuiti dei video di YouTube grazie all'intelligenza artificiale!

Sottotitoli

Scorrimento automatico:

00:00:00
hi everybody in this video we'll be
00:00:02
looking at some basic social engineering
00:00:03
attacks
00:00:04
so social engineering is the art of
00:00:06
exploiting human psychology rather than
00:00:08
technical hacking techniques to gain
00:00:10
access to buildings systems or data so
00:00:13
for example
00:00:14
rather than trying to find and exploit a
00:00:16
software vulnerability
00:00:17
a social engineer might impersonate an
00:00:19
employee and
00:00:21
try to trick employees into giving over
00:00:23
their credentials or opening a malicious
00:00:25
file
00:00:26
or something like that they might drop
00:00:27
some usb sticks around a car park and
00:00:30
hope that some employees pick them up
00:00:31
and plug them in
00:00:33
um so there are quite a few different
00:00:34
social engineering attack types in this
00:00:36
video we'll be focusing primarily on
00:00:38
fishing and quite basic fishing
00:00:40
attacks at that so we all know the
00:00:42
classic fishing scams that we get
00:00:43
through email and they exploit a sense
00:00:46
of
00:00:46
urgency curiosity or fear in order to
00:00:49
try and get us to either reveal
00:00:50
sensitive information or click on a
00:00:52
malicious link or open a file which will
00:00:54
then
00:00:55
infect the system considering that
00:00:58
humans are considered to be the weakest
00:01:00
link typically in security
00:01:02
social engineering and phishing is
00:01:04
obviously a serious issue
00:01:06
you know if employees aren't aware of
00:01:08
these kinds of attacks
00:01:09
then it's very hard for organizations to
00:01:12
defend against it
00:01:14
this video will be a little bit
00:01:15
different to the content i typically put
00:01:16
on youtube
00:01:18
the reason i'm recording this is
00:01:19
essentially i was asked to put together
00:01:21
a basic fishing and social engineering
00:01:23
attack demo for final year students
00:01:25
undergraduate students who are doing a
00:01:26
secure coding module
00:01:28
so i figured i might as well record it
00:01:30
as well and see if it can help anybody
00:01:32
else at the same time so bearing that in
00:01:33
mind this might be
00:01:35
above your level or below your level but
00:01:37
hopefully you can find something in it
00:01:39
that's useful anyway
00:01:40
i'm also re-recording this intro at the
00:01:42
moment because
00:01:44
i had a long run on the last intro about
00:01:47
youtube removing my videos which they
00:01:49
seem to have resolved so i figured i'd
00:01:50
come back and
00:01:51
re-record the intro also i noticed that
00:01:53
there's a little white block at times
00:01:55
around
00:01:56
my cursor throughout the video not not
00:01:57
all the way through but at certain times
00:01:59
and it's quite small it shouldn't cover
00:02:01
too much up but i thought i'd also
00:02:02
mention that as well
00:02:03
you can skip down at the bottom between
00:02:05
the chapters if you want to skip ahead
00:02:06
but
00:02:07
essentially we'll be looking at
00:02:10
capturing some basic auth credentials in
00:02:11
metaexploit
00:02:12
and then we will create a malicious pdf
00:02:15
which will we would
00:02:16
be sending as a phishing email to infect
00:02:19
the victim
00:02:20
and then get them interpret a shell at
00:02:22
which point we'll have a look at some
00:02:23
different
00:02:24
modules we can use how we can establish
00:02:26
persistence and
00:02:28
dump hashes and use some different
00:02:31
modules
00:02:32
to scan for local vulnerabilities and
00:02:34
things like that and then finally we'll
00:02:36
take a look at the social engineer
00:02:37
toolkit so i hadn't actually looked at
00:02:39
this for several years myself
00:02:41
and it's kind of me playing around with
00:02:42
it a bit at the end but we will
00:02:44
do the credential harvester attack and
00:02:47
we'll look at the browser auto pwn mode
00:02:49
and see what we can get working let's
00:02:52
just say this is for educational
00:02:53
purposes we're learning how social
00:02:55
engineering and efficient attacks work
00:02:57
so that we can be aware of them and
00:02:58
defend against them if you're interested
00:03:00
in this topic i would recommend checking
00:03:01
out
00:03:02
the art of deception by kevin mitnick
00:03:04
and
00:03:05
with that out the way i hope you enjoyed
00:03:06
the video and once meta splits booted up
00:03:09
we'll see some statistics here about the
00:03:11
available
00:03:11
exploits and auxiliary modules post
00:03:13
modules payloads encoders
00:03:16
knobs and evasion techniques so
00:03:20
we can check out the help menu here
00:03:21
let's run help and see what kind of
00:03:23
commands we have
00:03:24
got develop developer commands
00:03:26
credential back-end commands
00:03:29
uh database back-end commands job
00:03:31
commands module commands there's a lot
00:03:33
of stuff here
00:03:34
if there's anything particularly you
00:03:35
want to find information on for example
00:03:37
there's a search function there so if we
00:03:38
run search
00:03:39
we can just type search and it'll come
00:03:40
back with a help we can also do help
00:03:42
search and that will bring back the same
00:03:45
information
00:03:46
and then uh so for any modules anything
00:03:48
you're not too sure about
00:03:49
just just run help and you'll get the
00:03:51
you'll get the info you need or just run
00:03:52
it without any parameters and you'll
00:03:53
probably get the info you need as well
00:03:56
so we're gonna search first of all for
00:03:58
http
00:04:00
basic and this is a really really basic
00:04:03
example of a phishing attack
00:04:05
using http basic auth so you can see
00:04:08
here as basic auth credential collector
00:04:10
let's because we want to use this module
00:04:12
we're going to type use and then we'll
00:04:13
just paste that in
00:04:16
and whenever we use a module we can do
00:04:18
show options and we'll get a list of the
00:04:20
options that are required
00:04:22
and opt options which are optional as
00:04:24
well so in this case we can see this is
00:04:26
required it's already filled in for us
00:04:27
you don't need to worry about it
00:04:28
so if it's already filled in you're
00:04:29
probably ready to run it but
00:04:32
let's make a couple of changes here the
00:04:33
first thing is our service host so if we
00:04:35
have a couple of different ips let me go
00:04:37
and do
00:04:38
ifconfig you might have some different
00:04:40
interfaces here so i'm going to specify
00:04:42
and say we want to do this on our
00:04:43
ethernet
00:04:44
so we'll set the service host we can use
00:04:47
auto complete there
00:04:49
paste in the ip address and then we
00:04:51
might want to set ssl as well although
00:04:53
if we do that
00:04:54
bear in mind it's going to be a
00:04:55
self-signed certificate so
00:04:57
it might raise more suspicion than not
00:05:00
using ssl because they're going to get
00:05:02
the victim's going to get an alert
00:05:03
saying this is a self-signed untrusted
00:05:06
certificate do you wish to add an
00:05:07
exception and that's a big
00:05:09
red flag so we'll not do that in this
00:05:11
case
00:05:12
we have a realm so what do we want to
00:05:14
present this authentication as so
00:05:16
let's assume this is a really really
00:05:18
basic attack maybe we're trying to get
00:05:20
into somebody's facebook or something
00:05:22
like that
00:05:22
obviously as a educationally we're not
00:05:25
we're not actually trying to hack into
00:05:27
somebody's facebook that'd be
00:05:29
unethical and illegal um
00:05:32
but if we were in uh doing a pen test or
00:05:35
something like that and we were trying
00:05:36
to
00:05:37
fish some credentials off one of the
00:05:38
employees
00:05:40
with full authorization by the company
00:05:43
then we might set the realm here
00:05:44
let's set the realm to i'm going to put
00:05:47
facebook
00:05:48
login obviously it's going to look
00:05:51
nothing like a facebook login
00:05:52
so that's where the social engineering
00:05:54
comes in that's where
00:05:56
we need to persuade the victim to
00:05:59
entering their credentials into this
00:06:01
even though everything
00:06:02
about it should be telling them don't
00:06:04
put your login details in here
00:06:07
we can also set the uri path so let's
00:06:09
set that to something like uri
00:06:11
path um
00:06:14
slash login and is there anything else i
00:06:18
think that looks good we can set the
00:06:19
redirect url as well so let's do
00:06:20
set redirect url
00:06:25
to facebook.com
00:06:30
all right and we can just go and show
00:06:32
the options just make sure we've got
00:06:33
everything in as we
00:06:34
as we want it and then we can run
00:06:38
the server so now it's given us a url
00:06:40
that this is running on
00:06:43
and essentially then we would pass this
00:06:44
url to the victim so
00:06:46
maybe we would send out a phishing email
00:06:48
or that looks like it's coming from
00:06:50
facebook or something like that maybe we
00:06:51
would
00:06:52
just provide the url to the victim so
00:06:55
we'll go over to i've got a windows xp
00:06:57
system here
00:06:58
a vulnerable system with some vulnerable
00:07:00
plugins and things like that
00:07:01
i was testing out the social engineer
00:07:03
toolkit with this operating system and
00:07:05
with a windows 7
00:07:06
operating system that i used to use for
00:07:08
tracking exploit kits but for some
00:07:10
reason
00:07:11
i was i wasn't able to get the a shell
00:07:14
using any of the methods in there i
00:07:16
tried using the browser
00:07:17
pwning methods i tried using phishing
00:07:20
and
00:07:21
i wasn't able to get it working so we'll
00:07:22
have a look at that at the end anyway
00:07:23
maybe somebody can tell me
00:07:25
what i'm doing wrong or what the bug is
00:07:27
so we give this to the victim they open
00:07:29
the link and they see
00:07:30
facebook login requires a username and
00:07:32
password now obviously
00:07:33
this doesn't look anything like facebook
00:07:35
and the server doesn't look like
00:07:37
facebook
00:07:38
so this could be a bit more realistic
00:07:39
but assuming that we have
00:07:41
um emailed the victim with a convincing
00:07:44
enough email or maybe we have them on
00:07:46
the phone and we're saying okay
00:07:47
you just need to enter in your
00:07:49
credentials here and that'll reset your
00:07:51
password or you need to first put in
00:07:52
your current password so
00:07:54
say they put in crypto and crypto
00:07:57
and then you tell them okay click ok and
00:07:59
then you'll go through to facebook
00:08:00
and now i want you to try and just log
00:08:02
in so they go through to facebook we're
00:08:03
no longer capturing this traffic this is
00:08:05
just them being redirected
00:08:06
they go and log in as normal and see uh
00:08:09
my password is actually working i'm not
00:08:10
too sure what that
00:08:11
password box was about but
00:08:14
on our kali system if we go back we'll
00:08:18
see that
00:08:18
a user attempted to authenticate with
00:08:21
that login box with the credentials
00:08:22
crypto
00:08:23
crypto and then they were redirected to
00:08:25
facebook.com so now we can take those
00:08:27
credentials and we can go and log in as
00:08:28
a user and then presumably change the
00:08:30
password and stuff like that
00:08:32
so that's a really really basic phishing
00:08:34
example wouldn't
00:08:36
really be used in practice typically
00:08:39
what you would do there is you would
00:08:41
actually create a website that looks
00:08:43
like facebook so you can clone the
00:08:44
website there's actually features to do
00:08:46
that in a social engineering toolkit
00:08:48
and then you can you know maybe you set
00:08:50
up a domain with a very similar sound
00:08:52
and domain name
00:08:53
and you would do something similar so it
00:08:55
actually looks like facebook the user
00:08:56
puts in their
00:08:57
facebook credentials and then what you
00:08:59
could do rather than just redirecting to
00:09:01
facebook where they'll have to log in
00:09:02
again
00:09:03
and that would again raise suspicion
00:09:06
because they just think well i just
00:09:07
i just logged in there was it asked me
00:09:08
to log in again you could
00:09:10
automate that so if you if you have a
00:09:13
fake facebook page and the user puts in
00:09:15
their username and password you have
00:09:16
their username password which means you
00:09:17
can redirect them to facebook.com
00:09:19
but you can also log them in with the
00:09:21
credentials that they just entered
00:09:23
so the whole transition between the
00:09:25
attack site and
00:09:26
the actual benign site is is um
00:09:31
invisible so that's a really basic
00:09:33
example
00:09:34
let's now have a look at creating a
00:09:36
malicious pdf
00:09:38
and see how we could actually get
00:09:39
control of the user system
00:09:43
so i'm going to search we'll search for
00:09:45
name pdf
00:09:47
and you can go by the ranks here as well
00:09:48
you see we've got a couple of excellent
00:09:50
ones one
00:09:50
is the adobe pdf embedded exe
00:09:54
social engineering so let's take that
00:09:56
copy
00:09:58
we'll use
00:10:02
and then we want to show the options see
00:10:04
what we need to enter in here
00:10:05
by default the file name is evil.pdf so
00:10:08
obviously that doesn't sound too benign
00:10:10
so we'll change that we'll set file name
00:10:13
to paslip.pdf
00:10:17
you could also modify the launch message
00:10:20
you could modify the template so
00:10:21
in an actual example you could imagine
00:10:23
that
00:10:25
maybe you're doing a pen test against an
00:10:27
organization and
00:10:28
they normally give out their pay slips
00:10:31
through these pdfs
00:10:32
you could you could use an actual pay
00:10:34
slip from that company as the template
00:10:36
so that's what the victim will see
00:10:38
whenever they open it up and then we
00:10:39
also have this launch message so the
00:10:41
launch message to view the encrypted
00:10:42
content please take do not show this
00:10:44
message again and press open
00:10:45
so that might be changed to something
00:10:46
else as well to say something like
00:10:49
uh we're currently updating our pay slip
00:10:51
generation system
00:10:53
um if you get any false positives from
00:10:57
your antivirus please ignore
00:10:59
and um you know click to open
00:11:02
something like that so let's
00:11:05
see what else do we need to change here
00:11:06
we've already got the payload set up
00:11:08
it's set up to use windows meter
00:11:09
reverse tcp which is good we'll leave
00:11:12
that
00:11:14
um here it's set to no handler will be
00:11:16
created that's fine we'll create a
00:11:17
handle
00:11:18
ourselves no worries so let's try and
00:11:22
run that let's create this payslip.pdf
00:11:25
in our root directory so let's copy that
00:11:28
let's copy it over to our
00:11:32
desktop and
00:11:35
now we need to set up the payload so
00:11:37
we're gonna do use
00:11:39
exploit multi handler
00:11:43
and then it's set at the moment to
00:11:44
generic shell so we need to say
00:11:46
um set payload to windows
00:11:53
windows meterpreter
00:11:56
reverse tcp show options
00:12:00
we also need to set our l host so set l
00:12:02
host in this case hopefully i'll be able
00:12:03
to just auto complete
00:12:05
which i can and then we need to make
00:12:07
sure it's on the right port as well we
00:12:08
just left it on the default 444
00:12:10
port so that should be fine so if we
00:12:12
didn't run that
00:12:14
then essentially the victim would open
00:12:15
the pdf it would try to make a
00:12:16
connection back to this ip address on
00:12:18
this port
00:12:19
to open up the meterpreter shell and
00:12:21
this there's no listener here so it'll
00:12:23
just do nothing
00:12:24
really um so now that's running we need
00:12:28
to get this pay slip over to the victim
00:12:30
system so this might be a case of
00:12:32
in an actual pen test it's probably
00:12:33
going to be a case of sending this in an
00:12:35
email
00:12:35
and you would have an email looking like
00:12:37
it's coming from hr with your pay slip
00:12:39
and stuff like that
00:12:40
in our example i don't have the email
00:12:42
set up on these systems and
00:12:45
i don't so we'll do another example
00:12:47
which is kind of realistic as well let's
00:12:48
do
00:12:49
python not in this not for the pay slip
00:12:51
maybe but for a social engineering
00:12:53
attack so we'll do python
00:12:55
m http
00:12:58
dot server and i'm going to run this
00:13:01
port 1337
00:13:02
so now we're running our this directory
00:13:06
as a web server so if we go back to
00:13:09
what's the ip address again let me grab
00:13:11
the ip
00:13:14
so if we go back to our windows system
00:13:15
now
00:13:17
and we'll go http
00:13:21
port 1337 pasteslip.pdf
00:13:26
we get the payslip we'll save it and we
00:13:29
get this message
00:13:30
and we were told to view the encrypted
00:13:32
content please take do not show this
00:13:33
message again so we'll take that
00:13:35
and then press open so we'll do that as
00:13:36
well open okay
00:13:38
where's my pay slip okay that's weird
00:13:42
it's a blank page
00:13:43
and then if we go back to our kelly or
00:13:46
parrot or whatever linux system you're
00:13:48
using here you'll see that we've
00:13:49
actually got a materpa shell open
00:13:51
so if we do get uid we'll see that we're
00:13:54
logged in as admin on that windows
00:13:56
machine
00:13:57
so let's look at some of the things that
00:13:58
we can do in meterpreter so
00:14:00
if if we had just set that up to use
00:14:03
just the generic
00:14:04
shell then we can we can get shell here
00:14:07
from interpreter just type shell hit
00:14:08
enter
00:14:09
and this is this would be us basically
00:14:10
in the command prompt on that windows
00:14:12
system right so we can run
00:14:13
the directories we can do all of our
00:14:14
usual stuff but it's not quite as
00:14:16
powerful as having access to
00:14:19
this materpa shell so interpreter we can
00:14:21
just do ps here get a list of all the
00:14:23
processors
00:14:24
we can actually let's look at the help
00:14:25
section look at help
00:14:27
here's the different commands that we
00:14:28
have available to us and if there are
00:14:29
any commands that we want more
00:14:30
information on
00:14:32
so in here you can see we can get around
00:14:34
the file system while using linux
00:14:35
commands which is quite handy we can
00:14:37
download files we can upload files
00:14:40
we can
00:14:45
um we can look at the network
00:14:48
configurations
00:14:49
we can kill processors
00:14:53
clear the event log execute commands
00:14:56
steal tokens reboot the system so
00:14:59
there's a lot of cool stuff we can do
00:15:00
here we can
00:15:02
uh capture keystrokes we can get
00:15:05
screenshot of the desktop
00:15:07
we can start listening on the mic or
00:15:10
recording the webcam we can play an
00:15:12
audio file on the system just to maybe
00:15:13
freak them out
00:15:15
and get systems try and elevate the
00:15:16
privileges so it'll run through
00:15:18
a few different techniques to try and
00:15:19
get system access
00:15:21
we can do hash dump to dump the contents
00:15:23
uh et cetera so if there's something
00:15:24
here we want more information on let's
00:15:25
do help
00:15:26
dump oh there is no help for that okay
00:15:30
um help get system
00:15:33
okay i'm picking all things that don't
00:15:34
have help available let's do
00:15:37
[Music]
00:15:38
all right we'll do help migrate
00:15:41
and you'll see here then it'll give you
00:15:43
the the syntax here so we need to
00:15:45
migrate
00:15:46
on whatever process id we want to
00:15:48
migrate to so
00:15:50
often maybe not in this case but
00:15:52
normally if you run this
00:15:54
process command we'll have we'll
00:15:56
actually see a binary here with maybe
00:15:58
some randomly
00:15:59
named binary which is actually our
00:16:01
malware
00:16:03
so we might want to migrate to another
00:16:04
process that's not likely to be killed
00:16:06
by the antivirus or
00:16:08
by the the user suspecting there's
00:16:09
something going on with that
00:16:11
so we might try to move to the explorer
00:16:13
let's go
00:16:15
migrate 3804
00:16:18
oops that was not the right one
00:16:21
non-existent process
00:16:22
okay so we can try to migrate
00:16:25
migration completely successfully so now
00:16:27
we're in the so they actually have to
00:16:28
kill ie explorer here
00:16:30
in order to actually we should have done
00:16:32
that to explore.exe i don't know what i
00:16:33
was thinking there
00:16:34
but um that's fine also you also want to
00:16:36
consider what privileges
00:16:38
the process has and what architecture is
00:16:42
so sometimes you might get a shell and
00:16:43
it's a
00:16:44
32-bit shell but in order to get full
00:16:46
contro
00:16:47
in order to get full functionality we
00:16:49
might want to move over to
00:16:50
a 64-bit process
00:16:53
you can see actually we have this
00:16:54
template.pdf running here as well
00:16:57
let's try and run something that's
00:16:58
running as system because we don't have
00:17:00
system access
00:17:03
let's try and migrate to 852.
00:17:13
okay it migrated successfully there okay
00:17:16
that's fine and
00:17:17
we can look at some post modules we can
00:17:19
do run post
00:17:21
um and you can just hit yes to get a
00:17:24
list of all the different types commands
00:17:25
here i'm gonna go run post windows
00:17:28
gather credentials
00:17:32
and see what we have available to us so
00:17:33
you can see we can gather different
00:17:34
types of credentials here
00:17:38
uh we can go for credential correct
00:17:40
collector
00:17:41
let's try and run that and you'll see
00:17:42
it's actually come back with all the
00:17:43
hashes for the
00:17:45
various um accounts as well we could
00:17:47
have also done hash dump
00:17:50
sometimes if we weren't a privilege user
00:17:51
there
00:17:53
then um there's a couple of things we
00:17:54
could do we could try and run this let's
00:17:56
do get uid again
00:17:58
so we could try and run
00:18:02
oh we're yeah we're already in a system
00:18:05
there now okay we were admin i guess
00:18:06
that was
00:18:07
us uh swapping the process but
00:18:10
if we weren't system we could do this
00:18:12
get system command and it would try some
00:18:14
different techniques to see if it can
00:18:15
actually just escalate the privileges to
00:18:17
system
00:18:19
let's see what else we can do there if
00:18:20
we do our
00:18:22
um gather we can also
00:18:25
check vm here as well to see if we're
00:18:27
inside a virtual machine so
00:18:28
the person we're trying to do social
00:18:30
engineering attack on might actually be
00:18:33
a malware analyst who's trying to
00:18:36
analyze the malware or is trying to
00:18:38
track down a threat actor or something
00:18:40
like that
00:18:42
so yeah there's a lot of different
00:18:43
options in there let's
00:18:48
let's move on to get persistence as well
00:18:51
so let's do help
00:18:56
persistence
00:19:00
oh okay
00:19:04
let's run
00:19:08
persistence can i do help dash help
00:19:11
there okay
00:19:13
this is depreciated so you should try
00:19:14
and use exploit local
00:19:16
okay run
00:19:20
exploit
00:19:23
so we can run exploit windows local
00:19:25
persistence from
00:19:27
i guess we'd need to background the
00:19:28
session first
00:19:30
um but we can still use the old syntax
00:19:32
the old syntax would have been to say
00:19:33
run persistence and then we can say dash
00:19:36
u
00:19:36
dash p let's say one three three seven
00:19:40
and this is actually gonna set up
00:19:41
persistence so that every time the
00:19:43
system reboots it's gonna try and
00:19:44
connect back to our ip address
00:19:46
on port one three three seven so as long
00:19:48
as we have uh
00:19:49
a listener opening open waiting for a
00:19:52
connection from the meterpreter
00:19:54
payload then we'll we'll get we'll get a
00:19:56
shell every time the system reboots
00:20:00
which is pretty cool so what else can we
00:20:02
do let's let's grab that screenshot as
00:20:04
well we had the
00:20:04
screenshot option so if you grab a
00:20:07
screenshot
00:20:07
it saves it to our desktop let's
00:20:11
display that
00:20:15
and you can see that we've got the
00:20:16
screenshot of the desktop we could run
00:20:19
the key scan let's do key scan
00:20:23
start and it's starting to sniff the
00:20:26
keystrokes let's go back to
00:20:27
our system here and
00:20:31
we could go to
00:20:34
facebook.com
00:20:37
go and try and log in
00:20:42
and that'll attempt to log us in if we
00:20:44
go back to our
00:20:46
system here and say key scan we don't
00:20:49
have to stop it but i'm going to stop it
00:20:50
here first
00:20:51
let's dump it first key scan dump and it
00:20:53
okay it didn't actually dump anything
00:21:06
uh that's strange let me do that again
00:21:07
key scan start let's go back
00:21:16
crypto crypto
00:21:20
that's strange the last time i tested
00:21:22
that out it worked okay
00:21:29
dump no all right that's weird last time
00:21:31
this worked for me fine i'm not too sure
00:21:33
what's going on there
00:21:34
um that's fine though let's see what
00:21:36
else we can do here we'll run help
00:21:40
and let's actually take a look at some
00:21:41
of the plug-in modules so
00:21:44
if we go and
00:21:46
[Music]
00:21:47
uh use type use and then hit tab and
00:21:49
you'll get a list of some
00:21:50
plugins we can use here so we can can
00:21:52
add in powershell python
00:21:54
sniffer kiwi which is mimi cut so let's
00:21:57
do use kiwi
00:21:58
it loads the extension and then
00:22:03
let's type help again type help and it
00:22:05
now has the list of the
00:22:06
kiwi commands so we can run creds all
00:22:11
and it's gonna try oh we lost our shell
00:22:19
system has been shut down windows must
00:22:21
now restart because it
00:22:22
unexpectedly okay that was not planned
00:22:29
the shutdown was initiated by empty
00:22:31
authority system
00:22:32
okay maybe there might have been
00:22:35
something to do with maybe one of us
00:22:37
the processes i migrated to all right
00:22:39
let me get this restarted
00:22:40
and uh reconnected one second
00:22:44
let's actually see here if we can set
00:22:46
the uh
00:22:47
payload let's show options set the l
00:22:50
port to 1337
00:22:53
and run oh we're already
00:22:56
using that for uh http let's run that
00:22:59
again
00:23:04
i'm just wondering if whenever this
00:23:07
boots up oh
00:23:08
it's probably too late now it already
00:23:09
booted up okay i was just
00:23:11
because we set up that persistence last
00:23:12
time but
00:23:14
let's not worry about it we'll put that
00:23:16
back to 444
00:23:18
we'll run that again and we'll just go
00:23:19
and open up the pdf document again
00:23:24
open up pdf oh it's not a support file
00:23:27
now
00:23:28
interesting all right let's delete that
00:23:32
let's go to our internet explorer again
00:23:37
let's go back and do our python http
00:23:40
server
00:23:43
need to grab that ip
00:23:52
http oh it's still saved great
00:23:57
saver opener
00:24:00
and let's go back we've got a shell back
00:24:03
all right cool what were we doing we
00:24:05
were
00:24:06
using kiwi use kiwi
00:24:10
help and then that's pretty cool wi-fi
00:24:14
list
00:24:14
password change we can change the
00:24:15
passwords we can
00:24:19
execute an arbitrary command
00:24:22
use a kerberos ticket create golden
00:24:24
kerberos ticket
00:24:26
let's just run here creds all
00:24:30
and we're not running a system so
00:24:32
execution may fail so let's use
00:24:33
get let's actually check our get get uid
00:24:36
we're currently running as admin let's
00:24:38
do
00:24:39
in fact instead of let's do get system
00:24:41
let's let me quickly
00:24:42
show how we can check for local
00:24:44
privilege escalation exploits
00:24:46
currently admin but in some cases we
00:24:48
might be an even lower privileged user
00:24:51
we might just be
00:24:52
trying to get up to admin at first
00:24:53
before we try to get ri or system access
00:24:56
so we can do here run post
00:24:59
multi because we can do this on
00:25:00
different architectures
00:25:02
recon let's see what options we actually
00:25:04
have here oh we don't have too much
00:25:06
local exploit suggester and this is
00:25:08
going to
00:25:10
scan the system and see what kind of
00:25:12
local privilege escalation exploits
00:25:14
might work
00:25:14
on the system so quite often these are
00:25:17
quite generic and you know
00:25:18
um in doing a pen test you might run
00:25:21
through
00:25:22
a series of them yes it's not too
00:25:24
reliable
00:25:25
basically so let's try and run through a
00:25:28
couple of them here
00:25:29
and see if see if we can escalate the
00:25:32
privileges we'll also look into how we
00:25:34
can manage sessions as well then
00:25:36
because in order to test out one of
00:25:38
these exploits
00:25:39
we're gonna you can see there are 35
00:25:41
exploits being tried
00:25:43
services running could not be validated
00:25:45
so you get um
00:25:49
some of these uh these are some of the
00:25:52
local exploits we can try so
00:25:54
if we want to try one of these let's
00:25:57
i'm going to copy this we need to
00:26:00
background our session so we do
00:26:01
background
00:26:04
and then we can if we want to look at
00:26:08
our sessions we can type sessions it'll
00:26:09
show what sessions we have and then
00:26:11
we can do help again help sessions and
00:26:13
this will tell us how we can jump
00:26:15
between sessions and background them and
00:26:16
things like that
00:26:17
so we've got a session let's say we want
00:26:20
to use this local exploit now
00:26:23
and it's defaulted to another payload
00:26:25
we'll show options
00:26:26
we need to set the session so set
00:26:29
session
00:26:30
in this case session two because we had
00:26:31
that first session which got killed
00:26:33
um for some reason we'll use a different
00:26:36
port because we're already using port
00:26:38
four four four four so i'll do
00:26:40
four four four five and
00:26:44
okay uh exploit target all right that
00:26:46
all looks good so now if we do
00:26:50
run
00:26:53
and export is complete but no session
00:26:56
was created
00:26:57
so we might want to try another one of
00:26:59
these payloads
00:27:01
i'm trying to think what's a reliable
00:27:04
one
00:27:06
uh let's try this show options hopefully
00:27:10
it's kept all of our options
00:27:11
the same no all right so we need to set
00:27:13
the session
00:27:15
to session two and set the l port to
00:27:18
four four four five we'll run this
00:27:22
see it's trying to exploit it's
00:27:24
injecting the payload
00:27:25
it's done it's verified verify
00:27:27
privileges manually or get uid
00:27:29
to verify okay but it didn't actually
00:27:30
create a session there so
00:27:34
okay we'll try one more
00:27:37
of those local exploits try
00:27:40
proxy or reflection let's try this
00:27:46
reflection
00:27:51
it sets the default payload again all
00:27:53
right set session
00:27:55
two we'll set the l port four four four
00:27:58
five
00:27:59
and then run that
00:28:03
waiting for hopefully privileged payload
00:28:05
execution and there we go we've got a
00:28:06
third
00:28:07
meterpreter session let's do get uid and
00:28:10
we're still an admin so that didn't
00:28:11
actually help at all all right so i'm
00:28:12
going to run get system if i just before
00:28:14
i do that let me show we can now
00:28:16
background that
00:28:17
we can now have a look at our sessions
00:28:19
and we have two different sessions
00:28:20
running so let's go into
00:28:22
sessions dash i three that's our new
00:28:26
session
00:28:27
and you can see that it's on a different
00:28:29
port here and
00:28:32
then we can let's just do get system
00:28:37
and now if we do get uid we'll see that
00:28:39
we are empty authority system
00:28:41
which means if we are
00:28:45
if we use kiwi
00:28:49
and then check the help and now do creds
00:28:51
all
00:28:52
we'll see that oh it actually killed the
00:28:55
session is this
00:28:57
okay didn't crash that time
00:29:05
okay let's see
00:29:09
sessions we still have our session two
00:29:11
sessions i2
00:29:14
we're interacting with it now we are
00:29:17
still an admin here so we'll do get
00:29:19
system
00:29:22
i'm also gonna maybe migrate the process
00:29:24
let's migrate to
00:29:31
[Music]
00:29:33
why is explorer.exe not there okay
00:29:36
i'm not gonna do that leave that we
00:29:39
already have kiwi
00:29:40
here help
00:29:43
creds all and all right there we go we
00:29:47
got
00:29:47
we got our creds so let's come back the
00:29:49
passwords we don't actually have any
00:29:50
passwords they're all set to
00:29:52
um just be blank and then we have our
00:29:55
hashes and stuff there as well
00:29:56
all right cool so that's a demonstration
00:29:58
of using the mimikatz plugin let's see
00:30:00
what other plugins we can check out as
00:30:01
well
00:30:03
so we can again we'll check the use
00:30:08
option here let's have a look and see
00:30:10
what we've actually got incognito
00:30:14
let's do help again incognito so we can
00:30:16
add users
00:30:17
all right so we might want to add a new
00:30:18
user what else can we do we can use
00:30:22
powershell
00:30:26
and help again and this will allow us to
00:30:29
execute powershell commands it will
00:30:31
allow us to import scripts so we could
00:30:33
look at imports in powersplit maybe
00:30:35
which has some really good
00:30:37
uh privilege escalation techniques in
00:30:39
that we can get a powershell
00:30:41
shell if we want if we want to drop
00:30:44
straight into a shell uh what else do we
00:30:47
have there we can use
00:30:50
sniffer help again and a sniffer so we
00:30:53
can actually
00:30:54
sniff interfaces there by look so we can
00:30:56
set up let's do
00:30:58
help sniffer
00:31:05
start okay
00:31:10
sniffer start dash h i'm just wondering
00:31:12
what the parameters are okay so it takes
00:31:14
an interface id
00:31:16
a packet buffer so we can actually
00:31:17
specify what interface on the system we
00:31:20
want to capture the traffic from
00:31:22
that's pretty cool we can start and stop
00:31:24
that we can dump all the
00:31:25
packet captures that been received so
00:31:26
far into a all the packets have been
00:31:28
received so far into a pickup file
00:31:31
so that's pretty cool um
00:31:34
use pe injector
00:31:38
uh help again okay so we can inject
00:31:42
shell code into a given executable
00:31:46
so you can get an idea once you start to
00:31:48
load in these plugins
00:31:49
uh how powerful the interpret shell can
00:31:51
be even with the default commands here
00:31:53
we have a lot of things available so we
00:31:54
can screen share we can watch a remote
00:31:56
users desktop in real time
00:31:59
we can
00:32:03
basically do anything that the user
00:32:04
could do on the system
00:32:06
on and more and automate a lot of that
00:32:09
so
00:32:10
yeah um if you're if you're checking out
00:32:12
my interpreter check out those plugins
00:32:14
remember as well you can run a lot of
00:32:16
different post modules
00:32:18
see there's 231 possibilities here so
00:32:21
you can go through and just play around
00:32:22
with some of these we can enumerate the
00:32:24
networks we can enumerate
00:32:26
different services you can see here and
00:32:28
enumerate snmp
00:32:30
and enumerate mounts we can
00:32:34
check usb device histories um
00:32:38
a lot of different things and i think
00:32:41
that'll do it for the meterpreter post
00:32:42
exploitation demo
00:32:44
what i'll do now is move on to testing
00:32:48
out i'm going to close my social
00:32:54
engineer toolkit which
00:32:57
uh in the last couple of last couple of
00:32:59
times i played around with that i wasn't
00:33:00
able to get anything all working but
00:33:03
we'll have a look at what the options
00:33:04
are what should be available
00:33:06
and maybe if you're watching this video
00:33:07
and you have more experience with the
00:33:09
social engineer toolkit than me you'll
00:33:11
be able to tell me what's going wrong
00:33:12
for me but
00:33:14
it it used to work for me i remember
00:33:15
doing demos with it you know a good few
00:33:16
years ago and
00:33:17
we were able to clone websites and use
00:33:20
them for
00:33:21
phishing and use them for use them as
00:33:24
exploits so actually using browser
00:33:26
exploits in cloned websites and getting
00:33:28
a shell back
00:33:29
but everything i've been trying uh
00:33:31
recently
00:33:32
isn't working so let's take a look at it
00:33:35
now anyway
00:33:38
so i'm going to go and check out the
00:33:40
home page first let's see this tools by
00:33:42
trusted sec
00:33:43
so we'll just open up the home page and
00:33:45
that'll give us
00:33:48
a little bit of info about it and how to
00:33:51
get it set up so we can get clone it
00:33:53
here or we can go and view it on git as
00:33:55
well
00:33:56
and this is created by dave kennedy
00:33:58
founder of trusted sex
00:33:59
open source python driven tool aimed at
00:34:01
penetration testing around social
00:34:03
engineering
00:34:04
been presented at black cat derby con
00:34:07
defcon and schmuck on so
00:34:09
you can go and check out those videos
00:34:12
they're quite old now
00:34:13
and i think a lot of the stuff that did
00:34:15
work on there it's probably not gonna
00:34:16
work now but
00:34:18
you can see here in terms of the
00:34:20
updating of this it seems pretty
00:34:23
it doesn't really seem to be getting too
00:34:24
much maintenance now
00:34:27
so let's run through what we need to
00:34:28
anyway to get this set up
00:34:32
i'm going to clone this to the desktop
00:34:43
and we'll go into the sc toolkit
00:34:47
it wants us to install these so i'm
00:34:49
going to set i'm going to use my
00:34:51
python 3
00:34:55
virtual environment and then do pip
00:34:58
install our requirements
00:35:04
can install whatever's needed
00:35:10
and then we just need to run python
00:35:14
setup
00:35:23
all right so that's set up we'll do
00:35:25
python setup.py
00:35:28
it's right it's trying to install those
00:35:29
anyway and it wants to set up a
00:35:31
shortcut so it's going to need pseudo
00:35:32
privileges i'll just give it that
00:35:35
all right that's it done now it just
00:35:36
says run sc toolkit to start the social
00:35:39
engineering toolkit so let's do that
00:35:43
oh we need to run it as root
00:35:46
so we run that we get some terms and
00:35:49
conditions here we need to use this
00:35:51
purely for good and not evil
00:35:52
so yep we're gonna do that sure
00:35:54
[Music]
00:35:57
all right so we boot this up we've got
00:35:59
our different options available to us
00:36:01
the main menu so we can do social
00:36:03
engineering attacks penetration testing
00:36:04
third party modules and then
00:36:06
updates and config and stuff like that
00:36:08
so let's start off with the social
00:36:09
engineering attack
00:36:10
section where we can do spear phishing
00:36:12
website attacks
00:36:14
infectious media generator create pale
00:36:16
and listener okay
00:36:17
so let's have a look first of all
00:36:21
at the website attack vectors
00:36:26
so these are basically using browser
00:36:28
based exploits
00:36:29
so you have different exploits available
00:36:32
here
00:36:33
the credential harvester i guess we'll
00:36:35
just clone a yes we can clone a website
00:36:37
that has a username password feel and
00:36:39
harvest all the information let's try
00:36:40
that first of all
00:36:42
so this sounds a bit a bit like what we
00:36:44
did with metasploit to begin with the
00:36:46
basic http auth but a more realistic
00:36:48
example where rather than a pop-up box
00:36:51
a generic hp or pop-up box we're
00:36:53
actually going to use the username and
00:36:54
password field of the website so
00:36:57
let's try it out we'll go to three and
00:36:59
then we can import our own we can use
00:37:00
some templates let's actually have a
00:37:02
look at the templates
00:37:04
does it okay it doesn't
00:37:09
um i thought it was going to give a list
00:37:11
of some different ones there okay let's
00:37:12
go back into that it was
00:37:14
spearfishing was it spearfishing no we
00:37:16
were in website attack vectors
00:37:18
you can hit ctrl and c to go back to the
00:37:19
main menu so we're in
00:37:22
oh wait we weren't in we were in social
00:37:25
engineering attacks
00:37:27
and then we were in website attack
00:37:30
vectors right
00:37:31
yeah okay there we go and we've got the
00:37:33
credential harvester attack method
00:37:35
so three i'm going to do the site cloner
00:37:38
let's try and clone facebook here if we
00:37:39
can
00:37:40
ip address for the post back so this is
00:37:43
going to be our ip address
00:37:47
okay so now we want to use the http it
00:37:50
also supports https okay so let's do
00:37:52
face hps www.facebook.com
00:37:59
it's gonna try and clone this
00:38:01
login.facebook.com okay best way to use
00:38:04
this attack is if the username and
00:38:05
password form fields are available
00:38:07
regardless it will capture all posts on
00:38:09
a website okay
00:38:11
and credential harvester is running on
00:38:13
port 80 information will be displayed to
00:38:15
you as it arrives below
00:38:17
okay has it given us
00:38:21
a url
00:38:32
i'm not sure am i supposed to be waiting
00:38:33
for something there or
00:38:36
are they waiting for me okay it went
00:38:37
straight to facebook cool right that's
00:38:39
that's good all right we'll type in here
00:38:41
crypto
00:38:43
and crypto in
00:38:47
say yes and it's actually redirected us
00:38:50
to facebook there you'll see
00:38:51
but if we go back to our
00:38:56
if we go back to our social engineer
00:38:59
toolkit here we'll see that the post
00:39:00
request
00:39:01
actually went through here and we can
00:39:03
see the email
00:39:04
we actually entered in the username
00:39:05
crypto and the password crypto as well
00:39:08
and we were able to harvest those
00:39:10
credentials
00:39:11
all right so that worked actually pretty
00:39:12
well it worked with a https site as well
00:39:16
and it also redirected
00:39:17
to facebook afterwards what would be
00:39:19
cool is if it also took the username and
00:39:21
password and logged into facebook so
00:39:23
this was all kind of seamless
00:39:25
but um that seems to be working quite
00:39:28
well in general anyway all right cool
00:39:29
let's see what else we can do
00:39:36
let's check out we could have a look
00:39:37
multi-attack method or
00:39:39
meta split browser exploit method we
00:39:42
could create a java applet as well i'm
00:39:43
going to do
00:39:44
let's do the multi attack and
00:39:48
site cloner we'll do the same again
00:39:51
we'll say no we're not using port
00:39:53
forwarding
00:39:55
all right that's our local host and now
00:39:57
the website we want to clone we'll just
00:39:58
do the same again
00:40:00
picking on facebook today
00:40:04
and then what attacks we want to use
00:40:07
i'm gonna use them all tactical nuke or
00:40:10
hail mary
00:40:13
and let's see what happens here it's
00:40:15
going to clone the website it's
00:40:16
injecting iframes
00:40:18
for the msf attack what payload do you
00:40:20
want to generate i'm going to leave
00:40:22
these at the default
00:40:23
that will be memory injection port 443
00:40:25
that's fine by me
00:40:28
materpr reverse tcp oh it's set to https
00:40:31
at the moment i'm going to set that to
00:40:32
just set that to one just in case
00:40:36
and
00:40:38
we'll just set that to two use the
00:40:39
built-in here's the list of exploits
00:40:41
that we can attempt to use so
00:40:42
i am running a vulnerable windows xp
00:40:44
system with an old version of internet
00:40:46
explorer on it and some old plugins but
00:40:49
um i do remember trying this before and
00:40:51
not having any luck
00:40:53
so let's try it i'm going to do i'm
00:40:56
going to use the
00:40:57
46 just because let's just throw
00:40:59
everything at it and see if something
00:41:01
works
00:41:04
the site has been moved web server is
00:41:06
now listening it's now going to load up
00:41:08
our net split framework
00:41:10
and it's running this as a background
00:41:13
job starting exploit modules do we need
00:41:15
to hit run here it didn't give
00:41:19
i was kind of expecting to see
00:41:22
i was running a background job okay
00:41:24
running the background okay so let's go
00:41:28
did it give us a url to go to
00:41:32
uh here we go starting starting to
00:41:34
produce some urls now starting these
00:41:36
servers so
00:41:39
each of these exploits is on a different
00:41:41
service and
00:41:42
on a different uri sorry so we could we
00:41:44
could test those out one by one
00:41:47
but i believe if we let this complete
00:41:48
it's just going to give us a url
00:41:50
right here local ip
00:41:53
so this is the url if we were to send
00:41:55
this an email to the victim or somehow
00:41:57
get them to click on this
00:41:59
it's going to essentially run through
00:42:00
each of these exploits and try to get us
00:42:02
a reverse shell
00:42:04
so i'm going to go over to our
00:42:08
victims machine here we'll enter that
00:42:10
url
00:42:11
let's just agree to anything it asks us
00:42:13
and let's also just check as well can we
00:42:22
if we try to view the source here
00:42:28
oh
00:42:34
you can see it's tried to throw these
00:42:36
exploits there you can see
00:42:38
there's our ip address of the windows
00:42:39
system 1.134
00:42:41
it's tried to throw all of these
00:42:42
exploits in
00:42:44
and it doesn't look like it has
00:42:49
achieved a shell
00:42:54
let's go back and just try that again
00:42:58
it does try to load up there but not
00:43:00
able to view the source that's
00:43:01
interesting
00:43:11
okay
00:43:15
um because i loaded that again it looks
00:43:17
like it's just trying to run through all
00:43:18
of those same exploits again it's
00:43:20
responding with these 14 exploits
00:43:23
all the java ones there by the looks of
00:43:25
it
00:43:27
but you can see that it's not actually
00:43:28
[Music]
00:43:30
spawned as a shell yet
00:43:36
so presumably this is just down to my uh
00:43:39
the the honeypot system i have set up
00:43:41
there
00:43:41
i did have a better windows 7 system
00:43:43
with a lot of
00:43:44
which are set up for exploit kit
00:43:47
tracking which had a lot of
00:43:48
anti-analysis stuff
00:43:50
um done to it to make sure that it
00:43:52
wasn't detectable as a vm
00:43:54
and it had a lot of vulnerable stuff on
00:43:56
it but i
00:43:57
i can't find my working version of it's
00:44:01
been a couple of years so
00:44:03
all right doesn't look like it's going
00:44:04
to get us a shell here anyway
00:44:08
we didn't help that i left the page let
00:44:10
me just one more time let's run that
00:44:15
see it's loading we're going to see any
00:44:16
redirections occur in here
00:44:20
[Music]
00:44:21
you can see it's throwing all the
00:44:22
exploits here anyway
00:44:30
in an actual explicit attack this is
00:44:32
kind of you know
00:44:33
a crude example of an actual exploit kit
00:44:36
attack where
00:44:37
maybe you would visit a legitimate
00:44:38
website which has either been
00:44:40
hacked or has a malicious advertisement
00:44:43
or something on it
00:44:44
and maybe in the advertisement will be a
00:44:45
little piece of code which redirects to
00:44:47
another site which redirects to another
00:44:49
site which redirects to another site
00:44:51
and you go through this chain of
00:44:52
redirections without actually maybe
00:44:54
seeing anything happen
00:44:55
in the browser you'll go through this
00:44:56
chain of redirections and then at some
00:44:58
point you'll get to a landing page
00:45:00
where the um the landing page will
00:45:03
basically
00:45:04
scan your system to see what operating
00:45:06
system what
00:45:07
browser what plug-ins you're using and
00:45:09
it'll look to see what co
00:45:10
what corresponding exploits it has what
00:45:12
exploits it has it matched those
00:45:14
vulnerable software versions if it finds
00:45:17
some it'll try and cue them and it'll
00:45:18
run each one until it gets uh
00:45:20
until it until the exploit is successful
00:45:22
and then maybe it'll drop some
00:45:23
ransomware or a key logger or something
00:45:25
like that
00:45:26
if it fails or if the system is not
00:45:28
vulnerable it'll normally just do
00:45:30
nothing or redirect to a benign page so
00:45:32
that
00:45:33
tracking can be quite difficult it also
00:45:36
exploit kits
00:45:37
typically have quite good evasion and
00:45:38
anti-analysis techniques so if they're
00:45:40
running inside a vm
00:45:42
they'll normally not even try to run any
00:45:44
exploits
00:45:45
and um they'll only
00:45:48
even if even if you've got a good honey
00:45:50
pot and you go to visit the
00:45:51
the exploit kit it'll only try to
00:45:54
exploit once
00:45:54
so if you if the exploit fails or if you
00:45:57
want to test it again you'll actually
00:45:58
have to get a new ip address
00:46:00
in order to in order to test it again so
00:46:04
they can be quite tricky to to analyze
00:46:06
in that way
00:46:07
but yeah it doesn't look like it's
00:46:08
getting us a shell here anyway let's
00:46:10
exit this
00:46:14
let's go back and see what else we can
00:46:15
do
00:46:17
so go back to the main menu we have some
00:46:20
powershell attack vectors here let's
00:46:22
have a quick look at that powershell
00:46:24
so we can just um use these to generate
00:46:26
the shells
00:46:30
um all right go back we have a qr
00:46:34
code generator so so generate create a
00:46:37
qr code for whatever url you want so we
00:46:39
could create a malicious url
00:46:41
like in those examples you just did and
00:46:43
then use that to generate a qr code and
00:46:45
then send that to the victim that's
00:46:46
pretty cool
00:46:48
we have the infectious media generator
00:46:51
let's have a look
00:46:54
so this will create a
00:46:57
we can create a malicious usb or cd or
00:46:59
dvd with an auto run file in it so that
00:47:01
if the victim
00:47:02
enters that so if you're doing a pen
00:47:04
test you maybe drop some usb sticks
00:47:05
around
00:47:06
a company's um car park or something
00:47:09
like that
00:47:10
employees go and pick them up and see
00:47:12
who does this belong to we'll plug it in
00:47:13
and find out see if there's some
00:47:14
identifiable information on it
00:47:16
as soon as they plug it in if auto run
00:47:17
is enabled it's just going to execute
00:47:19
straight away the
00:47:21
malicious payload that we've put in
00:47:23
that's pretty cool
00:47:24
we have wireless access point attack
00:47:26
vectors as well let's go back to that
00:47:31
so we can set up a malicious access
00:47:33
point by looks of it okay it's going to
00:47:34
use these modules
00:47:36
these applications to do that
00:47:39
yeah okay that's pretty cool as well i
00:47:42
don't actually have wireless on this
00:47:43
system so we're not gonna be able to do
00:47:44
that you can see that this was not
00:47:45
detected either
00:47:47
let's go back and
00:47:50
the last thing we'll look at then is the
00:47:52
email
00:47:53
as i said before i didn't set up i
00:47:55
haven't set up like an email server i
00:47:57
haven't set this up to send emails back
00:47:58
and forward
00:48:00
and i i know you were able to do this
00:48:02
with gmail before you could just enter
00:48:04
the gmail
00:48:05
email address and password but i'm not
00:48:06
too sure how well it works now but we
00:48:08
can create
00:48:09
we can form a mass mail attack we can
00:48:11
create a file format payload we can
00:48:12
create a social engineering template
00:48:14
let's get an idea
00:48:16
enter name as an author all right so we
00:48:20
can yeah we're basically creating a
00:48:21
phishing email here
00:48:22
i'm going to just go back there we have
00:48:24
the mass mail attack so we can go in
00:48:26
here and again
00:48:27
we've got payloads what do we want to
00:48:28
send it out to let's just go with the
00:48:30
defaults
00:48:31
default default
00:48:34
oh okay maybe it created it there i'm
00:48:36
not too sure
00:48:37
um but uh yeah i think that'll do it for
00:48:40
the video i hope
00:48:43
um i hope this has been
00:48:46
useful um the social engineering toolkit
00:48:49
demo went a bit better than i expected i
00:48:50
didn't expect
00:48:51
really whenever i was trying to run this
00:48:53
previously i was getting a lot of errors
00:48:54
about
00:48:55
strings and bytes which looked like they
00:48:57
were to do with python 3.
00:48:58
um but we didn't see any errors there
00:49:00
which is which is good i guess
00:49:03
um but yeah i hope you've enjoyed this
00:49:05
video if you have any questions comments
00:49:07
if you have any
00:49:08
cool techniques or tools that i should
00:49:10
check out in future videos
00:49:12
do let me know let me know down below
00:49:14
thanks

Tag

social engineering
phishing
cybersecurity
Metasploit
credential harvesting
Social Engineer Toolkit
security awareness
malicious PDF
user education
exploit techniques