Ethical Hacking Week 8: Social Engineering

Ethical Hacker Certificate – College of Professional Education

Social engineering is a way of using human psychology against an individual and taking advantage of their trust. The main difference between this avenue of attack and all the others is that it relies on human communication rather than communication between devices. Social engineering attack methods can include:


  • Impersonation
  • Reciprocation
  • Influential Authority
  • Scarcity
  • Social Relationship
  • Social Engineering Toolkit

Impersonation seems to be the most commonly used form of social engineering, in which someone makes a fake social media account or email to persuade the target that they are someone they are not. If the victim actually falls for this trick then they would be susceptible to phishing attacks as previously mentioned. Fake links, emails, and fake offers can be paired with social engineering to gain the IP address, login credentials, and even banking information.

Social relationships can also be used to gain the trust of a victim and persuade them to reveal sensitive information without any technical hacking methods at all.

A social engineering tool that is used is CUPP (Common User Passwords Profiler), which generates passwords based on the target’s personal, psychological, and social characteristics. Some information about the target is needed for this tool to work, but once generated it can be a powerful password list to use with Hydra or any other dictionary attack tool.

Ethical Hacking Week 7: Phishing

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

The information is then used to access important accounts and can result in identity theft and financial loss. These are the common attributes of a phishing email or website.

  1. Too Good To Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don’t click on any suspicious emails. Remember that if it seems too good to be true, it probably is!
  2. Sense of Urgency – A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
  3. Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com – the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
  4. Attachments – If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
  5. Unusual Sender – Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don’t click on it!
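The hyperlink check in item 3 can be automated on the receiving side. The following Python snippet is an added example, not code from the original post: it extracts the hostname a link really points at and flags lookalikes of a constructed, hypothetical allow-list of known domains, using the ‘rn’ for ‘m’ substitution the post mentions plus a small edit-distance check.

```python
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains for this demo (hypothetical, not a real reference list).
KNOWN_DOMAINS = {"bankofamerica.com", "paypal.com", "microsoft.com"}

# Character sequences that look nearly identical in many fonts ('rn' vs 'm' is the post's example).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def hostname_of(url):
    """Return the hostname a link really resolves to, dropping scheme, user@ prefix,
    port, path and a leading 'www.'. Text before an '@' is userinfo, not the host."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize(host):
    """Replace confusable sequences so 'bankofarnerica' collapses to 'bankofamerica'."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, catching single-character typosquats (e.g. one letter dropped)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, known=KNOWN_DOMAINS):
    """'known' for an allow-listed domain or one of its subdomains, 'lookalike of X'
    for a near miss, 'unknown' for anything else (which still deserves a manual look)."""
    host = hostname_of(url)
    if host in known:
        return "known"
    for legit in sorted(known):
        if host.endswith("." + legit):
            return "known"
        if normalize(host) == legit or edit_distance(host, legit) <= 1:
            return "lookalike of " + legit
    return "unknown"
```

The userinfo case matters in practice: a link such as `https://www.bankofamerica.com@203.0.113.9/` is classified by the host after the `@`, not by the brand name in front of it.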

Black Eye Hacking Tool

There is actually a tool for phishing that makes this process very easy. Blackeye is a tool described as the ultimate phishing tool; it generates the phishing link for you. Pairing this link with Ngrok, which exposes local servers behind NATs and firewalls to the public internet over secure tunnels, can be very useful.

Blackeye gives you a whole lot of options to pick from in terms of phishing websites. This includes Facebook, Snapchat, Twitter, etc. When someone clicks this link they are presented with a very realistic version of the website and a login form. If a user submits their login credentials, the credentials are fed back to your terminal along with their IP address.

A phishing tool like this can be extremely powerful when combined with social engineering skills, which will be covered in the next post.

Ethical Hacking Week 6: Hydra and Dict Attacks

Once enumeration is done the ethical hacker can move on to trying to get the credentials of the admins. There are many ways to do this and get the password: dictionary attacks, phishing, SQL injection, eavesdropping, malware, and plenty more. Today we will focus on a dictionary attack using Hydra.

A dictionary attack is a form of brute force attack for getting through an authentication mechanism by trying thousands or millions of likely username and password combinations. Additionally, these combinations of passwords and usernames have most likely been extracted from previous data breaches, so they have some legitimacy to them. The only reason this method works is that people use short or weak passwords. Nowadays your browser and your phone provide features to generate safe passwords and store them to make sure

CeWL – a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper, Hydra, etc. Basically you can make your own personalized dictionaries from a given target’s website.

Hydra – a parallelized network login cracker bundled with various operating systems like Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to find the right username and password combination.

Implementation – Once you have generated a list of passwords with CeWL or whatever source you choose, you can start using Hydra. It is important to note that a username needs to be provided as well; it is usually much easier to get than the password, as it is often visible to outsiders and can also be the email address associated with the account. These can all be found by the enumeration steps we covered previously.

hydra example.com -L emails.txt -P passwords.txt http-post-form "/login.php:email=^USER^&password=^PASS^:Invalid password"

example.com is the web domain that you have to provide to Hydra. Next is the -L flag, which takes the file containing the list of emails or usernames as its parameter. The -P flag takes the file containing the list of passwords. http-post-form specifies that the username and password will be submitted via the POST method. Its argument is a single quoted string with three colon-separated parts: the route the POST is sent to, in this case /login.php; the form body, in which ^USER^ and ^PASS^ are placeholders that Hydra replaces with entries from emails.txt and passwords.txt respectively; and lastly Invalid password, the text the site returns when a login fails, which Hydra uses to recognize incorrect combinations (a response without that text is reported as a valid login).

If done correctly Hydra will perform a dictionary attack and attempt to login with all the combinations possible in the dictionaries.
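From the defender’s side, a dictionary attack like this against /login.php shows up in the web server’s access log as a burst of POST requests from one source. The following Python snippet is an added example, not code from the original post: it parses constructed combined-log-style lines and flags any source IP that POSTs to the login route at least a threshold number of times inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx combined-log style), not a real capture.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2021:13:34:01 -0400] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2021:13:34:01 -0400] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2021:13:34:02 -0400] "POST /login.php HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2021:13:34:02 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [14/Mar/2021:13:34:02 -0400] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2021:13:34:03 -0400] "POST /login.php HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2021:13:34:05 -0400] "POST /login.php HTTP/1.1" 302 0
203.0.113.5 - - [14/Mar/2021:13:34:03 -0400] "POST /login.php HTTP/1.1" 200 512
203.0.113.5 - - [14/Mar/2021:13:35:30 -0400] "POST /login.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bursts(log_text, path="/login.php", window_s=60, threshold=5):
    """Return {ip: peak_count} for every source that POSTed to `path` at least
    `threshold` times within some `window_s`-second sliding window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # log order is not guaranteed to be chronological
    recent = defaultdict(deque)      # per-IP timestamps of POSTs still inside the window
    flagged = {}
    for ip, ts, method, req_path, _status in events:
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

A real deployment would feed the flagged addresses into rate limiting or account lockout rather than just reporting them; the 302 from the second client is the kind of single successful login that should not trip the rule.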

Ethical Hacking Week 5: Port Scanning

Port scanning can be done with many tools; today we will be looking at Nmap (Network Mapper), which is a free and open source tool for vulnerability scanning and network discovery. It is commonly used to identify what devices are running on a network and to discover hosts that are available. Along with host information we can also see what services they offer. We can also find open ports and discover security risks. Nmap also offers ping scans and scans to detect the operating system. It has been evolving over the years.

Nmap works by sending packets that communicate via transport layer protocols like TCP, UDP, SCTP, and ICMP. These protocols serve different purposes and are used for different system ports. Nmap also uses banner grabbing, which is a technique to gain information about a computer system on a network and the services running on its ports. However, some systems may filter and close their ports to stay protected, and open ports mostly have firewalls protecting them, set up by their administrator. Filtering is the process of filtering the packets sent to a port, denying the Nmap probes from ever reaching their destination.

TCP Message Types – These are the messages you will see when monitoring a TCP connection being set up, also known as a three-way handshake.

SYN – Initiates and establishes the connection. Also synchronizes sequence numbers between devices.
ACK – Confirms to the other computer that it has received the SYN packet.
SYN-ACK – A SYN message from the local device and an ACK of the earlier packet, all in one message.
FIN – Terminates the connection.

Examples of Port Scanning with Nmap

Ping Scan

$ proxychains nmap -sn 40.90.170.115/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-14 13:34 EDT
Nmap done: 256 IP addresses (33 hosts up) scanned in 7.30 seconds

Port Scan

$ proxychains nmap 40.90.170.141 -p1-65535
Not shown: 65534 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Services Scan

$ proxychains nmap -vv -dd 40.90.170.141

Ethical Hacking Week 4: Anonymity in Port Scanning

This post assumes you are using Kali Linux.

Proxy Chains and TOR

One key thing to do before performing port scans is to stay anonymous and mask your IP address. This is because when doing a port scan most systems have firewalls that detect your scans and can easily find your information. The solution to this is a proxy, which is an intermediary machine whose IP address will be detected rather than your own machine’s. By connecting to the internet through proxies your connection is more private and anonymous.

TOR is free and open source software for anonymous communication that directs internet traffic through a worldwide network in order to conceal a user’s location. Without TOR your computer makes a direct TCP connection with the server of the website you are browsing, and from the web server your IP address can easily be detected. With TOR, however, the service sends your data through multiple nodes and never makes direct contact with the web server. The exit node is finally responsible for contacting the web server, and it would be very tricky to trace your IP address.

Setup and Installation

First check if proxychains is already installed by running ($sudo apt install proxychains). If this says 0 packages installed then you already have it on your computer. Then we will have to navigate to the directory with the config file of proxychains. This can be found at (/etc/proxychains.conf). You can also use the locate command to find the config file; if proxychains is installed, the config file has to be somewhere on your system.

Next we will open the proxychains.conf file with Vim or Nano, whichever you prefer ($sudo vim proxychains.conf). Then we will press i to go into insert mode and change some things inside the config file. First we will uncomment dynamic_chain (remove the #) and then scroll down to the proxy list section at the bottom. We will add these lines to the proxy list: (socks4 127.0.0.1 9050) and (socks5 127.0.0.1 9050). After that we press escape and type (:wq) to write/save and quit the file.

Next check if you have TOR installed on your computer by the same process as above ($sudo apt install tor). Once it is installed you can run the TOR service via this command ($service tor start) and check whether the status is active with ($service tor status). Then press ctrl-z to exit the prompt but keep the service running. Ctrl-c would exit the prompt too but terminate the service. Finally run ($proxychains firefox google.com) and check your IP address to see if your real IP is masked. If it is then you are successfully using proxychains!

Ethical Hacking Week 3: Utilizing Search Engines

Search engines are a very innocent and useful tool that emerged when the web took the world by storm. However, did you know that search engines such as Google, Bing, DuckDuckGo, and many more can be used for revealing sensitive information? First let’s analyze how these search engines work. A SERP, otherwise known as a Search Engine Results Page, presents you with the most organically relevant results based on your search query, not including paid advertising. These result pages are determined by crawling, indexing, and ranking; however, we will only cover crawling.

Crawling – is the discovery process in which the search engine sends out a team of robots known as crawlers to find new or updated content. Content can vary: a web page, an image, a video, a PDF, etc. Content is discovered by links. The bots start out by fetching webpages and then follow the links on those webpages to find new URLs. By link hopping the crawler is able to find new content and adds it to the index, called Caffeine. robots.txt files are located in the root directory of websites and suggest which parts of your site search engines should and shouldn’t crawl. Google also lets us narrow the results over this crawled content with advanced operators. The usage of these operators with the Google search engine is referred to as Google Dorking.

Google Dorking – is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Here are some examples of Google Dorking our professor had us do as an exercise.

  • [search query not reproduced on the page] – gives sites for admins to log in to
  • [search query not reproduced on the page] – gives WordPress uploads of the website

Summary – as you can see, Google dorking and utilizing search engines can be very rewarding in finding information on the target and even finding points of interest for possible routes of attack. We can go a step further in utilizing search engines with Shodan.

Shodan – is basically a search engine that crawls the Internet, while Google and Bing crawl the World Wide Web. In essence, Shodan gives you information about devices that are connected to the internet. These devices can vary tremendously: small desktops, computer labs, etc. Shodan collects information from banners, so it banner grabs the metadata about the software that’s running on a device. This can be server software information, service capabilities, etc. Using Shodan can reveal servers, ports, location, services, and even vulnerabilities.

Ethical Hacking Week 2: Target Scoping

Target Scoping – a process for gathering target assessment requirements and characterizing each of its parameters to generate a test plan, limitations, business objectives, and time schedule. To give an example of what the end result of Target Scoping would look like, here are the parameters.

-Company Name
-Address
-Website
-E-mails and Phone Numbers
-Penetration Testing Objectives and Penetration Testing Type
-Devices to be Tested: Servers, Workstations, Network Devices, etc.
-Operating Systems Supported

Target Scoping can be done with enumeration tools that are pre-installed on our Kali Linux machines. Such tools are:

-whois command: provides when the domain was created, its expiration date, its status, the name servers, the potential location of the company, and the phone number and email of the sponsoring registrar.

-nslookup command: provides the potential IP address and how many web servers are accepting requests.

-dig command: provides about the same thing as nslookup, but it doesn’t hurt to try.

-whatweb command: provides country, HTTP server, IP address, web servers, technologies used, and potential operating system.

-theHarvester command: this tool crawls a search engine with your target in mind and provides emails and subdomains.

All these tools and the strategy of Target Scoping can give us insight into how the network topology of the target is arranged. But what is network topology?


Network Topology – the arrangement of the links, nodes, etc. of a communication network. The network topology is the structure of a network and may be depicted physically or logically. The physical topology is the placement of the various components of a network. Logical topology illustrates how data flows within a network. There is also something called the OSI Model that divides a network’s communication functions into layers.

OSI Model – this is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying structure and technology. The goal of the OSI model is interoperability. This model partitions the flow of data in a communication system into seven abstraction layers. These range from the physical implementation of transmitting bits across a communications medium up to the highest-level representation of a distributed application. Each intermediate layer serves a class of functionality to the layer above it and is served by the layer below it.