Social engineering is an attack method that typically uses a delivery tool, like email, a web page, or a USB key, to induce a target to share sensitive information or perform an action that enables an attacker to compromise the system. You perform social engineering tests to gauge how well the members of an organization adhere to security policies and to identify the security vulnerabilities created by people and processes in an organization.
The data you gather from a social engineering campaign can help paint a clearer picture of the risks and vulnerabilities that exist in an organization's security infrastructure and policies. An organization can leverage the test results to strengthen their security policies, increase IT defense mechanisms and improve the effectiveness of their security training program.
In Metasploit Pro, you create and run campaigns to perform social engineering attacks. A campaign is a logical grouping of the campaign components that you need to exploit or phish a group of people. You can create a campaign using the following components:
- Email, web page, and portable file - The delivery mechanism for a social engineering attack.
- Template - A reusable HTML shell that contains boilerplate can be shared between campaigns in a project. You can create and use a template to quickly generate web page or email content for a campaign.
- Target list - A list that defines the recipients and their email addresses that will receive an email.
The main goal of social engineering is to entice a target to perform some illicit action that enables you to either exploit their system or to collect information from them.
Social engineering typically uses email based attacks that target client-side vulnerabilities, which are exploitable through vectors that only a local user can reach. These attacks usually leverage file format exploits and client-side exploits to target the applications and information stored on a victim’s local machine or phishing scams to gather information from a human target. For example, you can attach a PDF that contains an exploit, like the Cooltype exploit, to an email and send the email to a group of people. When a recipient opens the infected PDF, it can create a session on their machine if it is vulnerable to the Cooltype exploit.
The method that you choose depends on the intent and purpose of the social engineering attack. For example, if you want to see how well an organization handles solicitation emails, you can set up a phishing attack. If you want to gauge how well an organization follows security best practices, you can generate a standalone executable file, load it onto a USB key, and perform a USB key drop. Some of the most common social engineering methods are listed below.
Phishing is a social engineering technique that attempts to acquire sensitive information, such as usernames, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus email disguised as an authentic email from a trusted source, like a financial institution. The email contains a link to open a fake web page that looks nearly identical to the official site. The style, logo, and images may appear exactly as they are on the real website. If the phishing attack is successful, the human target will fill out the web form and provide sensitive data that you can use to further compromise their system.
To set up a phishing attack in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Defines the content that you want to send in the email body, and the human targets that you want to receive the phishing attack. Each campaign can only contain one email component.
- Web page component - Defines the web page path, the HTML content, and the redirect URL. The web page that you create must contain a form that a human target can use to submit information.
A client-side exploit attacks vulnerabilities in client software, such as web browsers, email applications, and media players. In a client-side exploit, the victim must visit a malicious site in order for the exploit to run. A client-side exploit is different from a traditional exploit because it requires the victim to initiate the connection between their machine and an attacking machine. Traditional exploits, on the other hand, do not require human interaction.
When a human target visits the web page that contains the exploit, a session opens on the target’s machine and gives you shell access to the target’s system if the target’s system is vulnerable to the exploit. Using the session, you can do things like capture screenshots, collect password files, and pivot to other areas of the network.
To set up a file format or client-side exploit in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Defines the content that you want to send in the email body and the human targets that you want to receive the email. You can provide a link to the web page that serves the exploit.
- Web page component (optional) - Sets the web page component to send a client-side exploit and defines the tracking URL, and the HTML content for the web page.
File format exploits are attacks that take advantage of a vulnerability in the way that an application processes data in a particular kind of file format, such as PDF, DOC, or JPEG. A file format exploit can run when a human target opens a attachment that contains the exploit. For example, you can attach a malicious Word document that contains an exploit, like MS11-006, to an email. When the human target downloads and views the attachment (in thumbnail view), a session opens on the target’s machine and gives you a shell to access their system.
To set up an email attachment attack in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component - Attaches a file format exploit to the email and defines the content that you want to send in the email body, and the human targets that you want to receive the email.
- Portable file component - Generates a file format exploit that you can store on a USB key.
The Java Signed Applet Social Engineering Code Execution module creates a jar file and signs it. You deliver the Java signed applet to a human target from a web page that contains an applet tag. When a human target visits the web page, the target’s Java Virtual Machine asks the human target if they trust the signed applet. If the human target runs the applet, it creates a session on the victim’s machine and gives you full user permissions to their system.
A portable file can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key. When a human target installs the USB drive and opens the file, a connection is created from the target’s machine to the attacking machine.
To create a portable file in Metasploit Pro, you need to create a campaign that contains the following component:
- Portable file component - Generates an executable or file format exploit that you can store on a USB key.
A listener is the component that waits for an incoming connection from an exploited system. You must set up a listener if you intend to establish a connection between your Metasploit server and the exploited machine. See Listeners to learn more.
- User Agent - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
- Referrer - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
- SMTP Auth - https://www.samlogic.net/articles/smtp-commands-reference-auth.htm
- STARTTLS - https://www.sparkpost.com/resources/email-explained/ssl-tls-starttls-encyption/
- SSL cipher specifications - https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html