Social engineering is an attack method that typically uses a delivery tool, like email, a web page, or a USB key, to induce a target to share sensitive information or perform an action that enables an attacker to compromise the system. You perform social engineering tests to gauge how well the members of an organization adhere to security policies and to identify the security vulnerabilities created by people and processes in an organization.
The data you gather from a social engineering campaign can help paint a clearer picture of the risks and vulnerabilities that exist in an organization's security infrastructure and policies. An organization can leverage the test results to strengthen its security policies, improve its IT defense mechanisms, and improve the effectiveness of its security training program.
In Metasploit Pro, you create and run campaigns to perform social engineering attacks. A campaign is a logical grouping of the campaign components that you need to exploit or phish a group of people. You can create a campaign using the following components:
- Email, web page, and portable file - The delivery mechanism for a social engineering attack.
- Template - A reusable HTML shell that contains boilerplate content and can be shared between campaigns in a project. You can create and use a template to quickly generate web page or email content for a campaign.
- Target list - A list of the recipients, with their email addresses, that will receive an email.
The main goal of social engineering is to entice a target to perform some illicit action that enables you to either exploit their system or to collect information from them.
Social engineering typically uses email-based attacks that target client-side vulnerabilities, which are exploitable through vectors that only a local user can reach. These attacks usually leverage file format exploits and client-side exploits to target the applications and information stored on a victim’s local machine, or phishing scams to gather information from a human target. For example, you can attach a PDF that contains an exploit, like the Cooltype exploit, to an email and send the email to a group of people. When a recipient opens the infected PDF, it can create a session on their machine if the machine is vulnerable to the Cooltype exploit.
The method that you choose depends on the intent and purpose of the social engineering attack. For example, if you want to see how well an organization handles solicitation emails, you can set up a phishing attack. If you want to gauge how well an organization follows security best practices, you can generate a standalone executable file, load it onto a USB key, and perform a USB key drop. Some of the most common social engineering methods are listed below.
Phishing is a social engineering technique that attempts to acquire sensitive information, such as usernames, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus email disguised as an authentic email from a trusted source, like a financial institution. The email contains a link to open a fake web page that looks nearly identical to the official site. The style, logo, and images may appear exactly as they are on the real website. If the phishing attack is successful, the human target will fill out the web form and provide sensitive data that you can use to further compromise their system.
To set up a phishing attack in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Defines the content that you want to send in the email body, and the human targets that you want to receive the phishing attack. Each campaign can only contain one email component.
- Web page component - Defines the web page path, the HTML content, and the redirect URL. The web page that you create must contain a form that a human target can use to submit information.
A client-side exploit attacks vulnerabilities in client software, such as web browsers, email applications, and media players. In a client-side exploit, the victim must visit a malicious site in order for the exploit to run. A client-side exploit is different from a traditional exploit because it requires the victim to initiate the connection between their machine and an attacking machine. Traditional exploits, on the other hand, do not require human interaction.
When a human target visits the web page that contains the exploit, a session opens on the target’s machine and gives you shell access to the target’s system if the target’s system is vulnerable to the exploit. Using the session, you can do things like capture screenshots, collect password files, and pivot to other areas of the network.
To set up a file format or client-side exploit in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Defines the content that you want to send in the email body and the human targets that you want to receive the email. You can provide a link to the web page that serves the exploit.
- Web page component (optional) - Configures the web page to serve a client-side exploit, and defines the tracking URL and the HTML content for the web page.
File format exploits are attacks that take advantage of a vulnerability in the way that an application processes data in a particular kind of file format, such as PDF, DOC, or JPEG. A file format exploit can run when a human target opens an attachment that contains the exploit. For example, you can attach a malicious Word document that contains an exploit, like MS11-006, to an email. When the human target downloads and views the attachment (in thumbnail view), a session opens on the target’s machine and gives you a shell to access their system.
To set up an email attachment attack in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Attaches a file format exploit to the email and defines the content that you want to send in the email body, and the human targets that you want to receive the email.
- Portable file component - Generates a file format exploit that you can store on a USB key.
The Java Signed Applet Social Engineering Code Execution module creates a jar file and signs it. You deliver the Java signed applet to a human target from a web page that contains an applet tag. When a human target visits the web page, the target’s Java Virtual Machine asks the human target if they trust the signed applet. If the human target runs the applet, it creates a session on the victim’s machine and gives you full user permissions to their system.
A portable file can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key. When a human target inserts the USB drive and opens the file, a connection is created from the target’s machine to the attacking machine.
To create a portable file in Metasploit Pro, you need to create a campaign that contains the following component:
- Portable file component - Generates an executable or file format exploit that you can store on a USB key.
Before you start building campaigns, you should familiarize yourself with the following terms.
A campaign is a logical grouping of components that you need to perform a social engineering attack. A campaign can contain only one email component, but can have multiple web pages or portable files.
Click tracking is a method of client-side testing that tracks the number of human targets that click on a link. The web page tracks the number of visits and helps an organization identify how susceptible its members are to social engineering attacks.
An email template contains predefined HTML content that you can insert into an email.
An executable is a file that automatically runs when a human target opens it. The executable runs a payload that creates a connection from the exploited machine back to the attacking machine.
A file format exploit targets a vulnerability in a specific application, such as Microsoft Word or Adobe PDF.
A human target is the person who receives the social engineering attack or is part of a campaign.
A phishing attack is a form of social engineering that attempts to acquire sensitive information, such as usernames, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus email disguised as an authentic email from a trusted source, like the bank. Generally, the email contains a link that opens a fake web page that looks nearly identical to the official site. The style, logo, and other images may appear exactly as they are on the real website.
A portable file is a generated executable file that you can attach to an email or save to a USB key. When the victim opens the file, the executable runs the payload, starts a session on the victim’s machine, and connects back to your machine.
A resource file refers to a web page template, email template, or target list. It is a reusable file that you can use in a campaign. Each project has its own set of resource files. The resource files are not shareable between projects.
A target list defines the targets that you want to include in the social engineering campaign. You use the target list to specify the recipients that you want to email the social engineering attack.
A tracking GIF sets a browser cookie when a human target opens an email.
A tracking link consists of a URL path to a web page and a tracking string. When a target clicks on the URL, the system sets a cookie to track the visit and any subsequent visits.
A tracking string is a 64-bit string that encodes the target and email IDs. Campaigns use tracking strings to monitor the activity of a target.
A visit occurs when a target clicks on a link and opens the web page.
A web template contains predefined HTML content that you can insert into a web page.
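To make the click-tracking terms above concrete, here is an added example (not Metasploit Pro's own code or its actual tracking-string format) that packs a target ID and an email ID into a 64-bit tracking string, decodes it, and counts visits per target from a few constructed web server log lines. The byte layout, the query parameter name `t`, and the log format are all assumptions.

```python
import base64
import re
import struct
from collections import Counter

# Assumed layout (not Metasploit Pro's documented format): two unsigned 32-bit
# integers, target ID then email ID, packed big-endian into 8 bytes (64 bits)
# and base64url-encoded without padding.
def encode_tracking_string(target_id: int, email_id: int) -> str:
    raw = struct.pack(">II", target_id, email_id)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_tracking_string(token: str) -> tuple:
    padded = token + "=" * (-len(token) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) != 8:
        raise ValueError("tracking string must decode to exactly 64 bits")
    return struct.unpack(">II", raw)

# Constructed sample access-log lines for the campaign landing page; the
# tracking string travels in the query parameter "t" (assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:09:00:01 +0000] "GET /login?t=AAAAAQAAACo HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:09:00:09 +0000] "GET /login?t=AAAAAQAAACo HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:09:02:30 +0000] "GET /login?t=AAAAAgAAACo HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:09:03:11 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:09:04:00 +0000] "GET /login?t=notvalid HTTP/1.1" 200 512
"""

# Captures the value of the "t" query parameter from the request line.
LOG_RE = re.compile(r'"GET \S+\?(?:\S*&)?t=([A-Za-z0-9_-]+)')

def count_visits(log_text: str) -> dict:
    """Return {target_id: visits}; lines without a decodable tracking string
    (no token, or a token that is not 64 bits) are not campaign visits."""
    visits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            target_id, _email_id = decode_tracking_string(m.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        visits[target_id] += 1
    return dict(visits)

def click_rate(visits: dict, targets_emailed: int) -> float:
    """Fraction of emailed targets that visited the page at least once."""
    return len(visits) / targets_emailed
```

Repeat visits by the same target (target 1 above) count as visits but not as additional clicking targets, which is the distinction the campaign statistics draw.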
To create and launch a social engineering attack, here are the general steps you need to follow:
- Upload or create your target lists.
- Create a campaign.
- Add a campaign component, such as an email or web page.
- Customize the campaign component.
- Configure any necessary servers.
- Run the campaign.
- View the campaign statistics to track the actions of the recipients.
- Stop the campaign.
- Generate a social engineering report.