The main goal of social engineering is to entice a target to perform some illicit action that enables you to either exploit their system or collect information from them.
Social engineering most often uses email-based attacks that target client-side vulnerabilities, which are exploitable only through vectors that a local user can reach. These attacks usually leverage client-side file format exploits to target information, or rely on a USB key drop. Some of the most common social engineering methods are described in the categories below.
Phishing is a social engineering technique that attempts to acquire sensitive information, such as usernames, passwords, and credit card information, from human targets. The target receives a bogus email disguised as an authentic email from a trusted source, like a financial institution.
The email contains a link that opens a fake webpage that looks nearly identical to the official site. The style, logo, and images may appear exactly as they do on the real website. If the phishing attack is successful, the human target will fill out the web form and provide sensitive data that you can use to further compromise their system.
To set up a phishing attack in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component: Defines the content that you want to send in the email body and the human targets that you want to receive the phishing attack. Each campaign can only contain one email component.
- Web page component: Defines the web page path, HTML content, and the redirect URL. The web page that you create must contain a form that a human target can use to submit information.
application stored on a victim’s local machine or phishing scams to gather information from human targets.
For example, you can attach a PDF that contains an exploit, like the Cooltype exploit, to an email and send the email to a group of people. When a recipient opens the infected PDF, it can create a session on their machine if the machine is vulnerable to the Cooltype exploit.
The method that you choose depends on the intent and purpose of the social engineering attack. For example, if you want to see how well an organization handles solicitation emails, you can set up a phishing attack. If you want to gauge how well an organization follows security best practices, you can generate a standalone executable file, load it onto a USB key, and
Client-Side Exploits
A client-side exploit attacks vulnerabilities in client software, such as web browsers, email applications, and media players. In a client-side exploit, the victim must visit a malicious site in order for the exploit to run. A client-side exploit is different from a traditional exploit because it requires the victim to initiate the connection from their machine. Traditional exploits, on the other hand, do not require human interaction.
When a human target visits the web page that contains the exploit, a session opens on the target machine and gives you shell access if the target's system is vulnerable to the exploit. Using the session, you can do things like capture screenshots, collect password files, and pivot to other areas of the network.
To set up a file format or client-side exploit in Metasploit Pro, you need to create a campaign that contains the following components:
- Email component
- Web page component (optional)
Prepared by: Eyasu Esayas (Jesse)