Advanced Ethical Hacking - Social Engineering Attacks Tutorial

Spear Phishing

We're going to take a look at a different type of spear phishing at this point. And in order to do that, I'm going to use the Social Engineering Toolkit once again, just because it's really easy to do this sort of testing with it. There are other ways of doing it. I could download a bunch of source code, for example, and I could make alterations to pages, but really it's just as easy to use this as a starting point anyway.

So I could do a website attack vector here. And let's use the Java applet method. And we could do a site cloner. In this case, I'm going to say I'm not using NAT or port forwarding; I'm just going to say this is my address here. And so this is the site that I'm going to clone. In this case, I'm going to use my own site.

So we're going to clone the website and we're going to do the injection. What I'm actually going to do is a bind shell here. I'm going to use the Windows bind shell, and that's going to run the payload; it's going to open up a port on the remote system and then we can forward from there. So I'm going to choose 15 here as my encoding. And the port of the listener, let's say, is 443. And it's going to run. We're generating the code and encoding the payload.

And I actually want to allow Apache to stop there so that we can set up our own attack. So, in this case, I'm going to go here and I'm going to open up the site.

So you can actually see that it's done the page, and it's trying to run a plugin that I don't actually have. That should be Java, because we did the Java-based attack. So it's checking for the Java plugin so that it could actually execute the Java that's been embedded in the page. So let's cancel this, just to see what we've got going on here.

Let's take a look at the page source, and we should see that somewhere we've got something that we're trying to include. And there it is. There's the trusted Java applet, and right there is the Java archive.

So you can see that it's got the Java archive that's there, and it's actually trying to execute that applet. So that's how you might do a spear phishing attack using the Social Engineering Toolkit. You could actually clone a website, and it will inject the code for you that would run the exploit and connect back or open up a shell that you could connect to.

So that's a pretty quick and easy way of doing a spear-phishing attack using the Social Engineering Toolkit.

Cross-Site Request Forgery

At this point, I wanted to look at something called cross-site request forgery. Cross-site request forgery is actually where you get somebody to perform an action that they're not expecting to perform, because you are bringing them to a page that is going to reference something where they have some credentials.

So here's an example. I've got a page here that I'm creating, and I'm going to add an image tag to this page. And instead of an image, I'm actually going to do something else: I'm going to call a script. I'm going to make this really obvious here, just so it's very clear what's going on, but this is how a cross-site request forgery would work.

So I've got an image tag. And what an image tag does is it tells the browser, here's an image, go get that image. So what happens here is the browser is going to go to this URL, not realizing, of course, that it's not an image file. It's just a script, because all the browser is going to do is issue a GET request against this URL. And in this case, it's a bank, and I am saying, transfer from this account number to this account number.

Now, this is pretty obvious, but this is an example of something you could do with cross-site request forgery. So, say somebody has their browser open and they've logged into their bank recently, so they've got a session open with it.

Now, if we were to send them this page and say, here, go take a look at this page, they would bring the page up and the browser would automatically perform this function, because, of course, the session credentials are already in place: that person is already logged into their bank, the cookies are all there and the session credentials are there, and this would just automatically happen in the background without the user even knowing that's what's there.

In fact, the only thing they would see would be a broken image, potentially, on the page. So this is how cross-site request forgery works: I have a user go to one site, in this case the one that I'm creating here, and it actually refers to something going on on a different site altogether. And that's how you actually get functions performed using the credentials of some other user. And you could do things like this bank transfer, for example, or buy things at Amazon, as another example.

So there are lots of different things you could do with cross-site request forgery, and at its very basic level, this is just how it works. You create a webpage and put an image tag in here and point to the script that you want the user to run. Now, worst case scenario here is that it's going to call this script and maybe it will actually have the user log in.

Often, people don't pay attention; they don't recognize that there's a login going on that they didn't really expect. They're so used to seeing things like that. They may just log in without even realizing where they're logging in to or why they're logging in there. And it may actually authenticate them, perform this function, and then just move on. So cross-site request forgery has a lot of potential, assuming that the web server in question here isn't doing something like making sure that this is a POST rather than a GET request. That's one way of fixing this particular problem.
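The bank-transfer endpoint described above, in its vulnerable shape (a GET that only checks the session cookie) beside a hardened version that applies the POST-only fix mentioned in this section together with an Origin check and a per-session token. This is an added example, not code from the tutorial; the bank hostname, session id and account names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SITE = "https://bank.example"          # constructed stand-in for the real bank
# Constructed server-side state: one logged-in user whose cookie the browser attaches.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
BALANCES = {"alice": 1000}

@dataclass
class Request:
    method: str
    url: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def session_of(req):
    return SESSIONS.get(req.cookies.get("session"))

def transfer_vulnerable(req):
    """Any request carrying the victim's cookie moves money, so an <img src=...>
    on a page the attacker controls is enough to trigger it."""
    sess = session_of(req)
    if sess is None:
        return 401, "login required"
    q = parse_qs(urlparse(req.url).query)
    BALANCES[sess["user"]] -= int(q["amount"][0])
    return 200, f"sent {q['amount'][0]} to {q['to'][0]}"

def transfer_hardened(req):
    sess = session_of(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":               # the fix the section mentions: no state change on GET
        return 405, "state change must be POST"
    # The page that issued the request must be ours; a rogue page's Origin/Referer differs.
    # Compare against SITE exactly or SITE + "/" so "https://bank.example.evil" cannot pass.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == SITE or origin.startswith(SITE + "/")):
        return 403, "cross-site request refused"
    # Synchronizer token: embedded in our own form, unreadable from another site.
    if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403, "missing or bad csrf token"
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return 200, f"sent {req.form['amount']} to {req.form['to']}"

# Constructed: what the browser sends when it renders the attacker's <img> tag.
IMG_REQUEST = Request("GET", SITE + "/transfer?to=ATTACKER&amount=500",
                      cookies={"session": "sess-abc"},
                      headers={"Referer": "https://lookalike.example/page.html"})
```

Setting the session cookie with SameSite=Lax or Strict adds a second layer, since the browser then withholds it from cross-site image requests altogether.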

Rogue Servers

As you start doing social engineering attacks, one thing that you may need to do is set up rogue servers. So let's say I wanted to attack somebody at WasHere Consulting. So I've got the domain name and the web address here. Now, what I may want to do in order to do a social engineering attack is go register a different domain that sort of looks like that. So one way of doing that may be to try to register this particular domain name, and in that case, it's actually not available. So I may need to get a little bit more creative.

So I could do something like this, for example. That one appears to be available. So I could register it and then I could set up a DNS entry for it. Now, I'm not going to worry so much about people typing this in and realizing that it's not quite right, because I'm going to send them links. And it's going to look just enough right that it may not register with them, because people don't pay a lot of attention generally, which is one of the reasons why social engineering attacks actually work. So I could register this domain here with the extra "w" and just move the dot over, so it still looks like the real one, and the dot is just misplaced.

To most people, that may not register at all. So I could actually set up a server that was pointed to by the DNS entry for this particular hostname here. And then I could use that and replicate what the website looks like. I could actually save this whole page, and I could save it here as index.html.

And that makes it really easy, because once I go in here, it's going to keep all of the references available, and I could make it even more specific here. So what I want to do is take a look at the index page here.

Now I've got all of the HTML, and you can see here that I've got some image files. This is really easy to fix.

I don't even have to save the images. I'm just going to reference them directly on the site. So if I do that, and then the same thing to this image here, that fixes the images, and if there were a cascading style sheet I could fix that as well. So any place where there's a reference to something on the site, all I have to do is insert the link to the real site and just pull the images, the cascading style sheet, and whatever other resources are actually stored on the real site. I can pull them down, and all I have to do is store the HTML on my rogue server, and then it really looks like they're going to your site.

And then all you've got to do is create a script that's going to get data from them, if you want their credit card number or their social security number or something.

You may have a contact form or something like that. And you could replicate that very easily by saving the page source and then just doing some minor alterations, in order to get all of the images and everything exactly the way that it is on the real site. So that's how you might do a rogue server in order to extract information from people using a social engineering attack.
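The clone just described hot-links the real site's images and stylesheet, so each victim's browser fetches them from the real server with the rogue page as the Referer, and the real site's access log records that. As an added example (not from the tutorial), this scans constructed Apache combined-format log lines for static assets requested with a foreign Referer, which is how the site owner can spot a clone and learn its hostname; all hostnames and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

OUR_HOSTS = {"www.example.test", "example.test"}      # constructed: the real site's names
STATIC = re.compile(r"\.(png|jpe?g|gif|svg|css|js|ico)$", re.I)
# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def hotlink_sources(lines):
    """Count, per foreign Referer host, how many of our static assets it pulled."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlparse(m["path"]).path          # drop ?cache-buster query strings
        ref = m["referer"]
        if not STATIC.search(path) or ref in ("", "-"):
            continue                             # not an asset, or no referer at all
        ref_host = urlparse(ref).hostname
        if ref_host and ref_host not in OUR_HOSTS:
            hits[ref_host] += 1
    return hits

def suspected_clones(lines, min_hits=2):
    """Foreign hosts that pulled several of our assets look like cloned pages;
    a single hit (a search engine preview, a blog embedding one logo) is ignored."""
    return sorted(h for h, n in hotlink_sources(lines).items() if n >= min_hits)

# Constructed sample log; the lookalike host mirrors the section's trick of moving
# the dot ("www.wwwexample.test" in place of "www.example.test").
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example.test/" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.wwwexample.test/index.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://www.wwwexample.test/index.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:12 +0000] "GET /images/banner.jpg?v=2 HTTP/1.1" 200 7000 "http://www.wwwexample.test/index.html" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://search.example.net/results" "Mozilla/5.0"
""".splitlines()
```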

Spoofed Certificates

One thing that you may want to do is actually be able to create a certificate that you can use with a web server and have it look as though it's the certificate for a web server that you're trying to spoof. So what you need to be able to do is generate a self-signed certificate.

And people are so used to seeing certificate errors for one reason or another that if they see this rogue certificate, it may not actually occur to them that what they're getting is a fake certificate rather than the real certificate. They'll just click through the certificate error and go on their merry way.

Now I'm actually cheating a little bit: I'm using a webpage here in order to refresh my memory in terms of how to generate a self-signed certificate. It's not something I do on a daily basis, and so I don't keep the list of commands right in my head. So there are plenty of pages around that will walk you through how to do this.

And I'll explain what it is that we're doing as we go along. So, what I want to do here is use OpenSSL, and I'm doing this under Linux, although OpenSSL works under a variety of operating systems.

But I'm just doing this under Linux because that's where I happen to be at the moment. So, I'm going to generate an RSA key, and RSA is the initials of the three people who were responsible for coming up with the algorithm. And I'm going to do a key here, and I'm going to call it server.key. And I'm going to make the key length 1,024 bits. So it's asking me for a passphrase, and I'm just going to give it a passphrase. Now what I need to do is generate a signing request.

So I'm going to use OpenSSL again, and I'm going to do a request that's a new request. So I'm going to say the key is the server.key that we just generated. And the output is going to be the server certificate signing request. I'm going to shrink that back again. And now I'm going to type in the passphrase that I had used. And now it's asking me to give information about the certificate. So I'm going to give it some information here.

So now here's where I'm going to give it the fully qualified domain name of the server. Right here I'm going to use the domain name that I actually want to pretend to be, in this case, and now I could just say that's the email address. It's not actually going to email anything; it's just information that's stored in the certificate. So now I've got a signing request, and what we need to do is actually generate the certificate.

So I'm going to go back here and I'm going to do OpenSSL again. We're asking for an x509 certificate. It's a certificate request; the number of days you could set to anything you want, and I'm going to make it ten years, just for fun. The input is going to be the certificate signing request. And it should be looking for some output at this point, as well as the sign key.

So -signkey is going to be server.key. And the output is going to be the server certificate. And it's asking me for the passphrase for the key, which we had plugged in earlier. And now I should have the server.crt. So I can actually look at that server certificate: I have to say x509, and I want it output in text format, and then server.crt. So now I've actually got the information here in the certificate. I've got all the information that I had plugged in, and now I could actually use the certificate with a web server.

And it would appear as though the certificate were being used with the server that we've specified here. So I could do a rogue web server that looked as though it were that website, and it would present that certificate saying, hey, that's for this website. Even though I wasn't actually sending you to that website, I may send you to something that looked like that website. So I could register a domain name, "was here" for example, and then send you to

That's one way, maybe, of doing that sort of rogue server situation. And here I would need this spoofed certificate in order to pretend to be that site and actually give you encryption capabilities, and maybe some more authenticity: hey, guess what, it's encrypted, there's a certificate, all of that sort of thing. So that's how you would do spoofed certificates, or that's one way of doing spoofed certificates.
