social-engineering.md

Social Engineering

Basics

{% tabs %} {% tab title="Guides and Reference" %}

• Awesome Lists Collection: Social Engineering
• https://www.social-engineer.org/
• https://www.social-engineer.com/
• https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/hackers/
• The Hacker's Playbook 3: Social Engineering - pg. 174
• Social Engineering: The Science of Human Hacking - Christopher Hadnagy
• Advanced Penetration Testing: Advanced Concepts in Social Engineering- pg. 194
• Hacking: The next generation - Infiltrating the phishing underground: learning from online criminals, pg 177 {% endtab %}

{% tab title="General Tools" %}

• Social Engineers Toolkit - The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly
  • https://www.kali.org/tools/set/
• BeeLogger - Generate Gmail Emailing Keyloggers to Windows.
• evilgrade - Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. {% endtab %}

{% tab title="Attack Vectors" %}

• ****Phishing - “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” (Hadnagy, Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. Wiley, 2015).
• ****SMiShing **** - “the act of using mobile phone text messages, SMS (Short Message Service), to lure victims into immediate action. This action may include downloading mobile malware, visiting a malicious website, or calling a fraudulent phone number.”
• ****Vishing **** - "practice of eliciting information or attempting to influence action via the telephone."
• ****Impersonation **** - “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.”
• https://www.social-engineer.org/framework/attack-vectors/ {% endtab %}

{% tab title="Attack Phases" %}

• OSINT - The research performed on the target using Open-Source Intelligence tools. This phase does not interact with the target in anyway.
  • Social Engineering: Christopher Hadnagy - pg.17
• Pretext Development - This is where an attacker develops their reason for initial interaction.
• Attack Plan - Planning out the Who, What, When, Where, Why, and How of the attack.
• Attack Launch
• Reporting - The full details of the attack. This is crucial for a client to understand all that was done and what they need to improve their defenses. {% endtab %} {% endtabs %}

Phishing

{% tabs %} {% tab title="Tools" %}

• squarephish - SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
• PhishInSuits - OAuth Device Code Phishing with Verified Apps
• Muraena - Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
  • NecroBrowser - Necrobrowser is a browser instrumentation microservice written in NodeJS: it uses the Puppeteer library to control instances of Chrome or Firefox in headless and GUI mode.
• catphish - Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers. Perfect for Red Team engagements.
• king-phisher - Advanced Phishing Campaign toolkit
• evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
• ReelPhish - FireEye phishing and 2fa bypass tool
  • https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.html
• FiercePhish - FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
• CredSniper - CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.
• TigerShark - Bilingual PhishingKit. TigerShark integrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
• Zphisher - An automated phishing tool with 30+ templates.
• SharpPhish - Using outlook COM objects to create convincing phishing emails without the user noticing. This project is meant for internal phishing.
• SocialFish - Educational Phishing Tool & Information Collector
• shellphish - Phishing Tool for Instagram, Facebook, Twitter, Snapchat, Github
  • https://www.hackingarticles.in/shellphish-a-phishing-tool/
• saycheese - Take webcam shots from target just sending a malicious link {% endtab %}

{% tab title="Guides and Methodology" %}

• https://book.hacktricks.xyz/phishing-methodology
• https://www.blackhillsinfosec.com/how-to-phish-for-geniuses/
• https://sidb.in/2021/08/03/Phishing-0-to-100.html
• https://xapax.github.io/security/#initial_access/social_engineering_-_phishing/
• Phishing Defense
  • https://www.blackhillsinfosec.com/offensive-spf-how-to-automate-anti-phishing-reconnaissance-using-sender-policy-framework/
  • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-of-the-chameleon-phishing-page/
• Auth attacks
  • https://curtbraz.medium.com/you-aint-got-no-problem-jules-i-m-on-the-multifactor-e05d5e2a6ade
  • https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
• Phishing Tool use
  • https://www.ired.team/offensive-security/red-team-infrastructure/how-to-setup-modliska-reverse-http-proxy-for-phishing
• Misc
  • https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office
  • https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean
  • https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook
  • https://mrd0x.com/browser-in-the-browser-phishing-attack/ {% endtab %}

{% tab title="Persona Creation" %}

• This Person Does Not Exist
• Why a Fake Resume Generator? – trick the HR but not the job
• This Rental Does Not Exist
• Generate a Random Name - Fake Name Generator
• Random Name Generator | Fake ID Generator
• AI Generated Photos - 100.000 AI generated faces.
• Facial composite (identikit) maker {% endtab %}

{% tab title="User Tracking" %}

• I-See-You - A Bash and Javascript tool to find the exact location of the users during social engineering or phishing engagements. Using exact location coordinates an attacker can perform preliminary reconnaissance which will help them in performing further targeted attacks.
• https://iplogger.org/
• http://canarytokens.org/generate
• http://www.urlbiggy.com/
• https://getnotify.com/
• User tracking with Wireshark and Google Maps -https://youtu.be/xuNuy8n8u-Y {% endtab %} {% endtabs %}

Mal-docs

{% tabs %} {% tab title="Guides and Resources" %}

• https://www.optiv.com/insights/source-zero/blog/defeating-edrs-office-products
• Advanced Penetration Testing: Learning how to use the VBA macro - pg. 5
• Advanced Penetration Testing: VBA Redux, Alternative Command Line Attack Vectors- pg. 116
• Advanced Penetration Testing: Deploying with HTA - pg. 138 {% endtab %}

{% tab title="Tools" %}

• Lucky Strike - create excel docs with payloads within the worksheets
  • https://www.shellintel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator
• Vbad - Heavily obscures vba payloads within word documents
  - destroys references to module containing effective payload in order to mave invisible from VBA dev tools
• demiguise - HTA encryption tool for RedTeams
• EmbedInHTML - Embed and hide any file in an HTML file
• OffensiveVBA - This repo covers some code execution and AV Evasion methods for Macros in Office documents
• malicious-pdf - Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator
• Invoke-PSImage - Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image.
• DDE Dynamic Data Exchange - Sends messages and data between applications
  • https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx
  • https://sensepost.com/blog/2017/macro-less-code-exec-in-msword
• Sub-doc attacks
  • https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc
  • Sub-doc injection http://bit.ly/2qxOuiA
• The Hacker Playbook 3: Maldocs - pg. 178
• https://blog.f-secure.com/dechaining-macros-and-evading-edr/ {% endtab %}

{% tab title="Tips" %}

• General
  • Remember to change .docm extensions to .doc
  • Give the end user a compelling reason to enable macros.
  • Tailor the attack to the client. Gather information with a mass email and get an OOTO response to get a template for the interna email style
• Embeded macros in Microsoft office documents
  • Run test file against VirusTotal to check for ease of detection
  • Review “Tags” section for offending tags that set off signature matches
  • Often AV will only scan the main body of the code and NOT the declaration section.
    • Use an alias for a function import to get around this.
  • Avoid Obvious use of shellcode
  • Functions that will most assuredly get flagged: VirtualAlloc, RtlMoveMemory, Shell, URLDownloadToFile, and CreateThread
  • Automatic execution in macros
    • Three deifferent methods depending on which format you are using: word, excel spreadsheet, or excel workbook
    • Often all three are enabled when auto code execution is enabled.
    • Reduce to 1 or 0 depending on what you need to reduce chance of detection.
  • Using a VBA/VBS Dual Stager
    • While VBA is used exclusively in Office products, VBS is used to perform other tasks outside of office, therefore it is given more freedom of execution.
    • Deploy a VBA macro containing VBS code
    • Two separate scripts, one VBA and one VBS
• Code obfuscation
  • Encoding script with possibilities such as Base64 and XOR and have it decrypted at run-time {% endtab %} {% endtabs %}