Eh - Unit-4

UNIT-4

SNIFFING:
Sniffing is the process of monitoring and capturing all the packets passing through a
given network using sniffing tools. It is the network equivalent of tapping a phone line to
listen in on a conversation, which is why it is also called wiretapping applied to computer networks.

What can be sniffed:

The following sensitive information can be sniffed from a network:

 Email traffic
 FTP passwords
 Web traffic
 Telnet passwords
 Router configuration
 Chat sessions
 DNS traffic

How it works:
A sniffer normally switches the NIC of the system into promiscuous mode so that it
listens to all the data transmitted on its segment.
Promiscuous mode is a setting of Ethernet hardware, in particular network interface
cards (NICs), that allows a NIC to receive all traffic on the segment, even traffic that is
not addressed to that NIC.
By default, a NIC ignores all traffic that is not addressed to it. It does this by comparing
the destination address of each Ethernet frame with its own hardware address
(a.k.a. MAC address).
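The destination-address comparison described above, as an added example that is not part of the unit notes: a software model of the filter a NIC applies by default, compared with promiscuous mode, run over a few constructed Ethernet frames (the MAC addresses and payloads are made up for the demo).

```python
# Added example (not from the unit notes): a software model of the destination-MAC
# filter a NIC applies by default, compared with promiscuous mode, run over a few
# constructed Ethernet frames.
import struct

ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload):
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ethertype) + payload

def parse_frame(frame):
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": mac_text(dst), "src": mac_text(src),
            "type": ethertype, "payload": frame[ETH_HDR.size:]}

class Nic:
    def __init__(self, mac, promiscuous=False):
        self.mac = mac.lower()
        self.promiscuous = promiscuous

    def accepts(self, frame):
        """Default mode keeps frames sent to this MAC, to broadcast, or to a
        multicast group (low bit of the first address byte set); everything
        else is silently dropped by the hardware. Promiscuous mode keeps all."""
        if self.promiscuous:
            return True
        dst = parse_frame(frame)["dst"]
        if dst in (self.mac, BROADCAST):
            return True
        return int(dst[:2], 16) & 1 == 1

    def capture(self, frames):
        return [parse_frame(f) for f in frames if self.accepts(f)]

# Constructed traffic on one shared segment: hosts 0a and 0b talk, 0c is the sniffer
FRAMES = [
    build_frame("02:00:00:00:00:0b", "02:00:00:00:00:0a", 0x0800, b"login: alice"),
    build_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", 0x0800, b"password: ****"),
    build_frame(BROADCAST, "02:00:00:00:00:0a", 0x0806, b"who has 10.0.0.1?"),
    build_frame("02:00:00:00:00:0c", "02:00:00:00:00:0a", 0x0800, b"hello 0c"),
]

def compare_modes(frames, own_mac="02:00:00:00:00:0c"):
    """Return how many of the frames each mode delivers to the host."""
    normal = len(Nic(own_mac).capture(frames))
    promiscuous = len(Nic(own_mac, promiscuous=True).capture(frames))
    return normal, promiscuous

if __name__ == "__main__":
    print(compare_modes(FRAMES))   # (2, 4): default mode never sees the login exchange
```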
Types of Sniffing:
Sniffing can be either active or passive in nature.
Passive Sniffing:
In passive sniffing, the traffic is observed but not altered in any way. Passive sniffing
allows listening only. It works on networks built with hubs.
A hub sends the traffic it receives to all of its ports, so in a network that uses hubs to
connect systems, every host on the network can see all the traffic.
Therefore, an attacker can easily capture traffic passing through the segment.

Active Sniffing:
In active sniffing, the traffic is not only captured and monitored but may also be altered
in some way, as the attack requires. Active sniffing is used to sniff a switch-based
network. It involves injecting Address Resolution Protocol (ARP) packets into a target
network to flood the switch's content addressable memory (CAM) table. The CAM table
keeps track of which host is connected to which port.
The active sniffing techniques are:

 MAC Flooding
 DHCP Attacks
 DNS Poisoning
 ARP Poisoning

There are various types of sniffing attacks, such as:

 LAN Sniff – The sniffer targets the internal LAN and scans the entire IP range to
learn the live hosts, open ports, server inventory, etc. Port-specific vulnerability
attacks are launched on the basis of LAN sniffing.
 Protocol Sniff – The attack targets a particular network protocol, such as ICMP,
UDP, Telnet, PPP, DNS, or another protocol in use.
 ARP Sniff – ARP poisoning or packet spoofing attacks are built on captured data
that is used to create a map of IP addresses and their associated MAC addresses.
 TCP Session stealing – Used to monitor and acquire the traffic details between a
source and destination IP address. Details such as port number, service type, TCP
sequence numbers and data are stolen by the attacker.
 Application-level sniffing – Applications running on the server are observed in
order to plan an application-specific attack.
 Web password sniffing – HTTP sessions created by users are captured by sniffers
to obtain the user ID, password, and other sensitive information.

Active Sniffing techniques:

 MAC Flooding
 DHCP Attacks
 DNS Poisoning
 ARP Poisoning
 DNS Poisoning: DNS poisoning is a malicious activity used to interfere with a
target system's DNS configuration.
 The attacker will often use a web browser as part of the attack: the victim visits a
website hosting an exploit kit, loads a malicious application from an email
message or file attachment, or simply visits an infected site or opens an infected
document (such as a Microsoft Word file).

MAC flooding attack:

 In a MAC flooding attack, the attacker floods a switch's MAC address table with
fake frames carrying many different source MAC addresses. The switch adds each
new source MAC address to its table until the table fills up and can no longer learn
new addresses.
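The CAM table behaviour just described, as an added example that is not part of the unit notes: a toy switch whose table fills up during a flood, so that traffic to an unlearned host is sent out of every port, beside a per-port MAC learning limit (the control real switches call port security) that stops the flood. The hosts, ports and capacity are constructed for the demo.

```python
# Added example (not from the unit notes): a toy switch CAM table that shows why a
# full table turns a switch into a hub, and a per-port MAC learning limit (what
# port security does on real switches) as the mitigation. Traffic is constructed.
import random

class Switch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam_capacity = cam_capacity            # how many MACs the table holds
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = {}                               # source MAC -> port
        self.blocked_ports = set()

    def learn(self, mac, port):
        if mac in self.cam:
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.blocked_ports.add(port)        # port-security violation
                return
        if len(self.cam) < self.cam_capacity:
            self.cam[mac] = port                    # a full table learns nothing new

    def receive(self, src_mac, dst_mac, in_port):
        """Return where the frame goes: one port, 'flood' (every port) or 'dropped'."""
        if in_port in self.blocked_ports:
            return "dropped"
        self.learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            return "flood"                          # unknown destination: send everywhere
        return f"port{out}"

def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))

def simulate(max_macs_per_port=None, capacity=64, attack_frames=200):
    rng = random.Random(1)                          # deterministic constructed traffic
    sw = Switch(capacity, max_macs_per_port)
    alice, bob, carol = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    sw.receive(alice, bob, 1)                       # legitimate hosts learned first
    sw.receive(bob, alice, 2)
    for _ in range(attack_frames):                  # port 3 spews random source MACs
        sw.receive(random_mac(rng), random_mac(rng), 3)
    sw.receive(carol, alice, 4)                     # carol joins after the flood
    return {"cam_entries": len(sw.cam),
            "alice_to_carol": sw.receive(alice, carol, 1),
            "blocked_ports": sorted(sw.blocked_ports)}

if __name__ == "__main__":
    print(simulate())                     # table full: alice->carol is flooded to port 3 too
    print(simulate(max_macs_per_port=2))  # port 3 shut after 2 MACs; carol still learned
```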

 DHCP Starvation Attack:

 A DHCP starvation attack can result in a Denial of Service (DoS) attack or a
Man in the Middle (MITM) attack.
 To perform this attack, the attacker sends a large number of bogus DHCP Discover
messages with spoofed source MAC addresses.
 The DHCP server tries to respond to all these bogus messages, and as a result
the pool of IP addresses managed by the DHCP server is depleted. Hence a
legitimate user is no longer able to obtain an IP address via DHCP.
 This results in a DoS attack. Furthermore, the attacker can set up a rogue DHCP
server to assign IP addresses to legitimate users. This rogue server can also hand
out the gateway router and DNS server addresses to users.
 Now all the network traffic can be routed via the attacker's machine, which is
nothing but a MITM attack.
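The pool depletion described above, as an added example that is not part of the unit notes: a toy DHCP lease pool drained by a burst of Discover messages with spoofed client MACs, beside a per-port DHCP message rate limit (the control that DHCP snooping provides on switches) that keeps a legitimate client served. The address range, timestamps and MACs are constructed for the demo.

```python
# Added example (not from the unit notes): a toy DHCP lease pool that is drained by
# a burst of DISCOVERs with spoofed client MACs, and a per-port DHCP message rate
# limit (the control DHCP snooping offers on switches) that keeps a later, legitimate
# client served. All traffic below is constructed.
import ipaddress
from collections import defaultdict

class DhcpPool:
    """Hands out one lease per client MAC from a small address range."""
    def __init__(self, first_ip, count):
        start = ipaddress.IPv4Address(first_ip)
        self.free = [str(start + i) for i in range(count)]
        self.leases = {}                  # client MAC -> leased IP

    def discover(self, client_mac):
        """Return the IP that would be OFFERed, or None when the pool is empty."""
        if client_mac in self.leases:
            return self.leases[client_mac]
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[client_mac] = ip
        return ip

class PortRateLimit:
    """Allows at most max_per_second DHCP messages per switch port per one-second window."""
    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.counts = defaultdict(int)    # (port, second) -> messages seen
        self.dropped = 0

    def allow(self, port, timestamp):
        key = (port, int(timestamp))
        self.counts[key] += 1
        if self.counts[key] > self.max_per_second:
            self.dropped += 1
            return False
        return True

def run(max_per_second=None, pool_size=20, attack_count=50):
    pool = DhcpPool("10.0.0.10", pool_size)
    guard = PortRateLimit(max_per_second) if max_per_second else None
    # (timestamp, switch port, client MAC): port 3 sends attack_count spoofed DISCOVERs
    # within half a second; the real client on port 1 boots a second later
    events = [(i * 0.01, 3, f"02:00:00:bd:{i // 256:02x}:{i % 256:02x}")
              for i in range(attack_count)]
    legit = "02:00:00:00:00:0a"
    events.append((1.5, 1, legit))
    offers = {}
    for ts, port, mac in events:
        if guard is not None and not guard.allow(port, ts):
            continue                      # message never reaches the DHCP server
        offers[mac] = pool.discover(mac)
    return {"legit_ip": offers[legit], "free_left": len(pool.free),
            "dropped": guard.dropped if guard else 0}

if __name__ == "__main__":
    print(run())                  # legit_ip None: pool drained, a DoS for real clients
    print(run(max_per_second=5))  # attacker capped at 5 leases; legit client gets 10.0.0.15
```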

 ARP Spoofing Attack:

 ARP spoofing is a cyber attack that allows attackers to intercept communications
between devices on a network. Attackers can also use ARP spoofing to alter or
block all traffic between devices on the network.
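The IP-to-MAC mapping that ARP sniffing and poisoning revolve around, as an added example that is not part of the unit notes: an ARP reply parser and a watcher that reports the two signs of poisoning described above, an IP whose MAC suddenly changes and one MAC answering for several IPs. The gateway, host and rogue addresses are constructed for the demo.

```python
# Added example (not from the unit notes): an ARP reply parser and a watcher that
# raises the two signs of ARP poisoning described above: an IP whose MAC changes,
# and one MAC claiming several IPs. The replies are constructed for the demo.
import socket
import struct
from collections import defaultdict

ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
OP_REPLY = 2

def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    return ARP.pack(1, 0x0800, 6, 4, OP_REPLY, mac_bytes(sender_mac),
                    socket.inet_aton(sender_ip), mac_bytes(target_mac),
                    socket.inet_aton(target_ip))

def parse_arp(packet):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(packet)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa)}

class ArpWatch:
    """Keeps the IP<->MAC bindings seen in ARP replies and reports inconsistencies."""
    def __init__(self, max_ips_per_mac=1):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac   # raise for hosts that legitimately alias IPs

    def observe(self, packet):
        arp = parse_arp(packet)
        if arp["op"] != OP_REPLY:
            return []
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alerts = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # a changed binding can be a legitimate DHCP reassignment, so treat it
            # as a lead to check against the switch's port table, not as proof
            alerts.append(f"{ip} changed from {known} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            alerts.append(f"{mac} now claims {sorted(self.mac_to_ips[mac])}")
        return alerts

# Constructed sequence: gateway and a host answer normally, then a third MAC
# answers for both of their addresses (the poisoning pattern)
GATEWAY, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:14", "02:00:00:00:00:66"
REPLIES = [
    build_reply(GATEWAY, "10.0.0.1", HOST, "10.0.0.20"),
    build_reply(HOST, "10.0.0.20", GATEWAY, "10.0.0.1"),
    build_reply(ROGUE, "10.0.0.1", HOST, "10.0.0.20"),
    build_reply(ROGUE, "10.0.0.20", GATEWAY, "10.0.0.1"),
]

def scan(replies):
    watch = ArpWatch()
    return [alert for pkt in replies for alert in watch.observe(pkt)]

if __name__ == "__main__":
    for alert in scan(REPLIES):
        print(alert)
```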
Passive Sniffing techniques:
Session Hijacking:
 Session hijacking is a hacking technique in which the attacker gains access to a
target's computer or online account and exploits the web session control
mechanism.
 This is done by taking over an active TCP/IP communication session by
performing illegal actions on a protected network. Normally, web sessions are
managed by a session token.
 The session hijacker has access to everything the actual user has. For example,
while the user is shopping in an online store or paying an electricity bill, the
session hijacker attacks the web browser or web application session.

Types of Session Hijacking:

Session hijacking is of three types:
1. Active Session Hijacking: occurs when the attacker takes control of the active
session. The actual user is taken offline and the attacker acts as the authorized
user. The attacker can also take control of the communication between the client
and the server.
To interrupt the communication between client and server, the attacker floods the
valid session with massive traffic, causing a denial of service (DoS).
2. Passive Session Hijacking: instead of taking control of the targeted user's
session, the attacker monitors the communication between the user and the
server.
The main motive is to listen to all the data and record it for future use; the
exchanged information is stolen and used for unrelated purposes.
This is also a kind of man-in-the-middle attack, as the attacker sits between the
client and the server exchanging information.
3. Hybrid Hijacking: the combination of active and passive session hijacking.
The attacker monitors the communication channel (the network traffic) and, on
finding a weakness, takes control of the web session to carry out malicious tasks.

Social engineering:
Social engineering is a manipulation technique that exploits human error to
obtain private information or valuable data. In cybercrime, these "human
hacking" scams entice unsuspecting users to disclose data, spread malware
infections, or give the attacker access to restricted systems. Attacks can occur
online, in person, and through other interactions. Social engineering scams are
built on how people think and act. Their goals are:

1. Subversion: disrupting or corrupting data to cause loss or inconvenience.
2. Theft: obtaining valuables such as information or access.

How social engineering works:

Most social engineering attacks depend on real communication between the
attacker and the victim. Instead of using brute-force methods to breach data, the
attacker prompts the user to compromise themselves.
 Prepare by gathering background information on the target or a larger group they belong to.
 Infiltrate by building trust, establishing a relationship or starting a conversation.
 Exploit the victim once trust and a weakness are established, to advance the attack.
 Disengage once the user has taken the desired action.
A social engineering attack centers on the attacker's use of persuasion and
confidence.

High emotions: Emotional manipulation gives attackers the upper hand in any
conversation. The following emotions are all used to persuade the target:

o Fear
o Excitement
o Curiosity
o Anger
o Guilt
o Sadness

Identity theft:
 Identity theft is the crime of obtaining the personal or financial information of
another person to use their identity to commit fraud, such as making unauthorized
transactions or purchases. Identity theft is committed in many different ways and
its victims are typically left with damage to their credit, finances, and reputation.
 Identity theft occurs when someone steals your personal information and
credentials to commit fraud.
 There are various forms of identity theft, but the most common is financial.
 Identity theft protection is a growing industry that keeps track of people's credit
reports, financial activity, and Social Security Number use.

 Financial Identity Theft:
 In financial identity theft, someone uses another person's identity or information to
obtain credit, goods, services, or benefits. This is the most common form of
identity theft.
 Social Security Identity Theft:
 If identity thieves obtain your Social Security Number, they can use it to apply for
credit cards and loans and then not pay the outstanding balances. Fraudsters can
also use your number to receive medical, disability, and other benefits.
 Medical Identity Theft:
 In medical identity theft, someone poses as another person to obtain free medical
care.
 Synthetic Identity Theft:
 Synthetic identity theft is a type of fraud in which a criminal combines real (usually
stolen) and fake information to create a new identity, which is used to open
fraudulent accounts and make fraudulent purchases.
 Child Identity Theft:
 In child identity theft, someone uses a child's identity for various forms of personal
gain. This is common, as children typically do not have information associated
with them that could pose obstacles for the perpetrator.
 Tax Identity Theft:
 Tax identity theft occurs when someone uses your personal information, including
your Social Security Number, to file a bogus state or federal tax return in your
name and collect a refund.
 Criminal Identity Theft:
 In criminal identity theft, a criminal poses as another person during an arrest to try
to avoid a summons, prevent the discovery of a warrant issued in their real name,
or avoid an arrest or conviction record.
 Warning Signs of Identity Theft:
 It can be difficult to know if you have been a victim of identity theft, especially if
you do not regularly check your financial statements.
 Potential Victims of Identity Theft:
 Anyone can be a victim of identity theft. Children and aging adults are
particularly vulnerable, as they may not understand specific situations and bills,
and their care and finances are handled by others.

Human and Computer Based Social Engineering Techniques:
 Human-based Social Engineering: gathers sensitive information through interaction.
 Computer-based Social Engineering: social engineering carried out with the help
of computers.
 Mobile-based Social Engineering: carried out with the help of mobile
applications.
Human-based Social Engineering:

Impersonation:

 It is the most common human-based social engineering technique, in which the
attacker pretends to be a legitimate or authorized person.
 Attackers may impersonate a legitimate or authorized person either in person or
through a communication medium such as phone, email, etc.
 Impersonation helps attackers trick a target into revealing sensitive information.
 Posing as a legitimate end user: give an identity and ask for the sensitive information.
 Posing as an important user: pose as a VIP of the target company, a valuable
customer, etc.
 Posing as technical support: call as technical support staff and request IDs and
passwords to "retrieve data".

Eavesdropping and Shoulder Surfing:

 Eavesdropping:
o Eavesdropping is the unauthorized listening to conversations or reading of messages.
o It is the interception of audio, video, or written communication.
o It can be done over communication channels such as telephone lines, email, instant
messaging, etc.
 Shoulder Surfing:
o Shoulder surfing uses direct observation techniques, such as looking over someone's
shoulder, to get information such as passwords, PINs, account numbers, etc.
o Shoulder surfing can also be done from a longer distance with the aid of vision-
enhancing devices such as binoculars to obtain sensitive information.

Reverse Social Engineering, Piggybacking, and Tailgating:

 Reverse Social Engineering:
o A situation in which the attacker presents himself as an authority and the target
seeks his advice, offering the information the attacker needs.
o A reverse social engineering attack involves sabotage, marketing, and tech support.
 Piggybacking:
o "I forgot my ID badge at home. Please help me."
o An authorized person allows (intentionally or unintentionally) an unauthorized person to
pass through a secure door.
 Tailgating:
o An unauthorized person, wearing a fake ID badge, enters a secured area by closely
following an authorized person through a door requiring key access.
Computer-based Social Engineering:
 Pop-up Windows: Windows that suddenly pop up while surfing the Internet and ask
for users' information to login or sign-in.
 Hoax Letters: Hoax letters are emails that issue warnings to the user on new viruses,
Trojans, or worms that may harm the user's system.
 Chain Letters: Chain letters are emails that offer free gifts such as money and
software on the condition that the user has to forward the mail to the said number of
persons.
 Instant Chat Messenger: Gathering personal information by chatting with a selected
online user to get information such as birth dates and maiden names.
 Spam Email: Irrelevant, unwanted, and unsolicited email to collect the financial
information, social security numbers, and network information.

Phishing:

 An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the
user's personal or account information.
 Phishing emails or pop-ups redirect users to fake webpages mimicking trustworthy
sites that ask them to submit their personal information.

Spear Phishing:

 Spear phishing is a direct, targeted phishing attack aimed at specific individuals within
an organization.
 In contrast to a normal phishing attack, where attackers send out hundreds of generic
messages to random email addresses, attackers use spear phishing to send a message
with specialized social engineering content directed at a specific person or a small
group of people.
 Spear phishing generates a higher response rate than a normal phishing attack.

Phishing:
Phishing is a type of social engineering attack that aims to obtain sensitive
information such as bank account numbers, usernames, passwords, and
credit card details. It is mostly done by sending fake emails that appear to have
come from a legitimate source.

The recipient is typically manipulated into clicking a malicious link that can install
malware or expose sensitive information.

Common Features of Phishing Emails:

 It will have an eye-catching subject such as "Congratulations! You've won an
iPhone".
 It will convey a sense of urgency, so that the recipient does not get enough time
to think twice and makes a hasty mistake that benefits the attacker.
 It will have attachments that make no sense in the context of the email.
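The three features listed above, plus the "falsely claiming to be from a legitimate site" point from the earlier Phishing section, as an added example that is not part of the unit notes: a small triage scorer that parses an email and reports which indicators it finds. The word lists, brand list and both sample messages are constructed for the demo and are a starting point, not a complete filter.

```python
# Added example (not from the unit notes): a triage scorer for the features listed
# above (bait subject, urgency, out-of-place attachment) plus the "claims to be from
# a legitimate site" check. Word lists and both sample messages are constructed.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

BAIT_WORDS = ("congratulations", "you've won", "winner", "prize", "free iphone")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk", ".html")
BRANDS = ("paypal", "microsoft", "amazon", "apple", "bank")   # names phishers borrow

def score_message(raw):
    """Return the list of phishing indicators found in an RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(w in subject for w in BAIT_WORDS):
        findings.append("bait subject line")
    if any(w in subject or w in text for w in URGENCY_WORDS):
        findings.append("pressure to act quickly")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    for brand in BRANDS:                      # display name says one thing, domain another
        if brand in display.lower() and brand not in domain:
            findings.append(f"display name claims {brand} but sender domain is {domain}")
    return findings

def constructed_phish():
    m = EmailMessage()
    m["From"] = "PayPal Support <alerts@secure-login-check.example>"
    m["To"] = "victim@example.org"
    m["Subject"] = "Congratulations! You've won an iPhone"
    m.set_content("Your account will be suspended unless you verify now using the attached form.")
    m.add_attachment(b"not a real document", maintype="application",
                     subtype="octet-stream", filename="claim-form.docm")
    return m.as_string()

def constructed_benign():
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@example.org>"
    m["To"] = "staff@example.org"
    m["Subject"] = "Maintenance window this Saturday"
    m.set_content("File servers will be offline from 08:00 to 10:00 on Saturday.")
    return m.as_string()

if __name__ == "__main__":
    print(score_message(constructed_phish()))    # four indicators
    print(score_message(constructed_benign()))   # []
```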

Types of Phishing attacks:

There are different types of phishing attacks used by attackers:
 Spear Phishing attack: this is a type of attack aimed at a specific organization
or specific people.
 It is not an attack that a random hacker launches; it is initiated by someone
who needs particular information, often for financial gain.
 A spear phishing attack is almost the same as a normal phishing attack: both
appear to come from a trusted source. It is considered one of the most
successful attacks.
 Clone Phishing: this is a type of attack that works by copying email messages
that came from a trusted source.
 Attackers alter the information present in the original email and add a link or
attachment.
 This link or attachment is malicious and sends the user to a fake website. The
altered message is sent to a large number of people and the attacker waits for
someone to click the malicious link.
 When the link or attachment is clicked, the email is also sent on to the user's
contacts.
 Cat Phishing: this is a socially engineered type of attack.
 It plays on the emotions of the victim and exploits them so that the attacker
gains financially or obtains information about the victim.
 Voice Phishing: this is a type of attack that does not require the attacker to
send the user to a fake website.
 It is sometimes called vishing. Someone carrying out vishing has the skill to
appear as a trusted source so that the victim can be convinced. Attackers also
use IVR systems, which make it difficult for legal authorities to trace, block, or
monitor the calls when needed.
 As it is a type of phishing attack, it is also used to obtain credit card details
and other confidential information from the victim.

 SMS phishing: this is also a type of attack that makes the user reveal
information such as credit card details or other sensitive data.
 Just like other phishing attacks, it appears to the victim to come from a trusted
source. Android phones and other smartphones are used by almost every user,
which gives the attacker the opportunity to perform this phishing attack. It
spares the attacker the trouble of breaking through firewalls to steal information.

Social Engineering Toolkit (SET):

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework
designed for social engineering. SET has a number of custom attack vectors that allow
a tester to build a believable attack in a fraction of the time. Tools of this kind exploit
human behaviour to lure the target into the attack vector.

The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the
founder of TrustedSec. It is an open-source, Python-driven tool aimed at penetration
testing around social engineering.

Known as SET, the Social Engineering Toolkit has been in wide use since its creation.

Written by Dave Kennedy from TrustedSec, it is an open-source, free Python
cybersecurity tool used by security researchers, penetration testers, and blue and
purple teams around the world. Instead of targeting applications, SET uses humans as
the main target of its attack techniques.

It offers many features, including faking phone numbers, sending SMS, and helping to
create a phishing page by instantly cloning the original. The main capabilities of the
toolkit are as follows:

Main features:

 Multi-platform: it can run on Linux, Unix and Windows.
 Supports integration with third-party modules.
 Allows multiple tweaks from the configuration menu.
 Includes access to the Fast-Track Penetration Testing platform.
 Social engineering attack options such as Spear-Phishing Attacks, Website
Attacks, Infection Media Generator, Mass Mailing, Arduino-Based Attack,
QRCode Attacks, Powershell Attack Vectors, and much more.

SET offers multiple attack vectors and techniques, and it's almost impossible to cover
them all in one article. However, we can highlight the main attacks here:

Phishing Attacks: This option allows you to choose from several phishing attack options
to help you decide how to approach your victim. You can craft email messages with
malicious payloads attached, and send them to a small or large number of recipients.

It also lets you spoof your email address by changing simple variables, which makes it
really easy to use.

Web Attack: This module combines several options for compromising the remote
victim. It includes attack techniques such as Java Applet Attack
and Metasploit Browser Exploit to deliver malicious payloads. Also handy is the
Credential Harvester method, which lets you clone a website and harvest the
information from user and password fields, as well as the TabNabbing, HTA Attack,
Web-Jacking and Multi-Attack techniques, all with the same goal of tricking end users
into revealing their credentials.

Infectious Media Generator: This interesting option enables you to create an infected
media device (USB/CD/DVD) with an autorun.inf file, that can be later inserted into any
PC and will automatically run a Metasploit payload if autorun is enabled.

Create a Payload and Listener: By using the fourth option from the main menu, you'll be
able to create malicious payloads for Windows, including Shell Reverse_TCP,
Reverse_TCP Meterpreter, Shell Reverse_TCP X64 and Meterpreter Reverse HTTPS.
As you can see by the names, you'll be able to spawn command shells, create reverse
connections, tunnels, and more.

Mass Mailer Attack: This type of attack can be performed against one or multiple
individuals, even letting you import users lists to send to any people you wish. It also
lets you use a Gmail account for your email attack, or use your own server or open relay
for mass delivery.

Apart from these main options, you'll also find other useful attack choices such as
Arduino-Based, Wireless Access Point, QR Code Generator and Powershell Attack
Vectors.

Now that you have a general overview of the Social Engineering Toolkit, the next step
is installing and testing the software.

Installation

Installing the Social Engineering Toolkit is fairly easy on most operating systems. On
most Linux distros the manual installation can be performed with the following
commands:

git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
cd set
pip install -r requirements.txt

Just make sure you have pip installed.

How can I use it?

Once you have SET installed, you can easily invoke it from command line by typing:

./setoolkit
