Social Engineering

 


Social engineering is a term used to describe psychological manipulation techniques aimed at influencing individuals to reveal confidential information or perform specific actions. Often associated with cybersecurity, social engineering relies on exploiting human behavior rather than technical vulnerabilities to breach systems or gain unauthorized access.

Phishing comes in various forms, each tailored to exploit specific situations or vulnerabilities. Here are some of the most common types:

  1. Email Phishing: The classic approach, where attackers send fraudulent emails pretending to be from a legitimate organization to steal sensitive information.

  2. Spear Phishing: A more targeted form of phishing, aimed at specific individuals or organizations, often containing personalized information to appear more credible.

  3. Whaling: Focused on high-profile targets like executives or influential figures within a company, using a sophisticated approach.

  4. Smishing: Uses text messages (SMS) to trick individuals into clicking malicious links or providing personal information.

  5. Vishing: A voice-based attack where fraudsters call and manipulate victims into sharing sensitive data or transferring money.

  6. USB Phishing: Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This type of attack involves simply leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations.

  7. Pharming: Redirecting users from legitimate websites to fraudulent ones without their knowledge, often by exploiting vulnerabilities in DNS systems.

  8. Watering Hole Phishing: A watering hole attack is a targeted attack that occurs when an attacker profiles websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is injected with JavaScript or a similar code injection that is designed to redirect the user when the user returns to that site. (This redirection is also known as a pivot attack.)

As a penetration tester or red teamer, you might be asked to simulate what a real-world threat actor or criminal can do to compromise an organization’s physical security in order to gain access to infrastructure, buildings, systems, and employees. In this section, you will learn about various types of physical attacks.

                  Social-Engineer Toolkit (SET)

Step 1. Launch SET by using the setoolkit command.


Step 2. Select 1) Social-Engineering Attacks from the menu to start the social engineering attack.


Step 3. Select 1) Spear-Phishing Attack Vectors from the menu to start the spear-phishing attack.



Step 4. To create a file format payload automatically, select 2) Create a FileFormat Payload.



Step 5. Select 13) Adobe PDF Embedded EXE Social Engineering as the file format exploit to use.



Step 6. To have SET generate a normal PDF with an embedded EXE and use a built-in blank PDF file for the attack, select 2) Use built-in BLANK PDF for attack.

Step 7. To use the Windows reverse TCP shell, select 1) Windows Reverse TCP Shell.



Step 8. When SET asks you to enter the IP address or the URL for the payload listener, select the IP address of your attacking system (192.168.88.225 in this example), which is the default option since SET automatically detects your IP address. The default port is 443, but you can change it to another port that is not in use on your attacking system. In this example, TCP port 1337 is used. If you want to keep the default port, just press Enter.

Step 9. When SET asks if you want to rename the payload, select 2. Rename the file, I want to be cool. and enter chapter2.pdf as the new name for the PDF file.


Step 10. Select 1. E-Mail Attack Single Email Address.



Step 11. When SET asks if you want to use a predefined email template or create a one-time email template, select 2. One-Time Use Email Template.

Step 12. Follow along as SET guides you through the steps to create the one-time email message and enter the subject of the email.

Step 13. When SET asks if you want to send the message as an HTML message or in plaintext, select the default, plaintext.

Step 14. Enter the body of the message by typing or pasting in the text.

Step 15. Enter the recipient email address and specify whether you want to use a Gmail account or use your own email server or an open mail relay.

Step 16. Enter the “from” email address (the spoofed sender’s email address) and the “from name” the user will see.

Step 17. If you selected to use your own email server or open relay, enter the open-relay username and password (if applicable) when asked to do so.

Step 18. Enter the SMTP email server address and the port number. (The default port is 25.) When asked if you want to flag this email as a high-priority message, make a selection. The email is then sent to the victim.

Step 19. When asked if you want to set up a listener for the reverse TCP connection from the compromised system, make a selection.
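The file format payload SET builds in Steps 4 to 9 is a PDF that carries an executable and launches it when opened. The defensive counterpart is to triage inbound PDFs for exactly that structure before they reach a mailbox. The following is an added example and is not code from this page or from SET: a stdlib-only static scanner that decodes hex-escaped PDF name objects and looks for an embedded file combined with a launch or JavaScript action. The indicator list, the risk labels and both sample PDFs are constructed for this example.

```python
"""Static triage of a PDF for the constructs an embedded-EXE lure depends on.

Added defensive example; not code from the original page or from SET. A PDF
that carries and runs an executable needs an /EmbeddedFile stream plus an
action (/Launch or /JavaScript) to start it, so a mail gateway or analyst can
flag those name objects without rendering the file. Both sample PDFs below
are constructed for this example.
"""
import re

# Name objects worth flagging. /EmbeddedFile on its own is not malicious
# (PDF portfolios use it), so the verdict depends on the combination.
INDICATORS = {
    b"/EmbeddedFile": "embedded file stream",
    b"/Launch": "launch action (runs an external program)",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional (automatic) actions",
}

# PDF names may use #xx hex escapes, e.g. /Em#62eddedFile, to dodge scanners.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize(data: bytes) -> bytes:
    """Decode #xx escapes in name objects so obfuscated names still match."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator and derive a coarse risk label."""
    body = normalize(data)
    found = {}
    for token in INDICATORS:
        # Require the name to end here, so /EmbeddedFile does not match the
        # harmless /EmbeddedFiles name-tree key and /AA does not match /AAxx.
        hits = re.findall(re.escape(token) + rb"(?![A-Za-z0-9])", body)
        if hits:
            found[token.decode()] = len(hits)
    launches_payload = "/EmbeddedFile" in found and (
        "/Launch" in found or "/JavaScript" in found)
    risk = "high" if launches_payload else ("medium" if found else "low")
    return {"indicators": found, "risk": risk}


# Constructed sample: a catalog whose OpenAction launches an embedded payload,
# the shape an embedded-EXE lure takes (one name is hex-escaped on purpose).
LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R\n"
    b"  /Names << /EmbeddedFiles << /Names [(update.exe) 5 0 R] >> >> >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (update.exe) >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (update.exe) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /Em#62eddedFile /Length 0 >>\nstream\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: a plain one-page document with no actions at all.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", LURE_PDF), ("clean", CLEAN_PDF)):
        print(name, scan_pdf(sample))
```

A keyword scan like this is a first filter, not a verdict: compressed object streams and multi-layer encodings need a real PDF parser, and a "medium" result on a legitimate form with JavaScript is normal. The useful signal is the combination of an embedded file with an action that runs it, which is what the lure SET generates has to contain.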


   Browser Exploitation Framework (BeEF)

BeEF is a penetration-testing tool that focuses on web browsers. It helps assess the security posture of a target environment by using client-side attack vectors. Let's start.

In Parrot OS this tool is installed by default. Go to the system services menu and start the BeEF server.



When you first open it you need to set a password, which is required to log in to the web interface. This is the login interface.



Open the link and log in. By default the username is beef.

After logging in you can see the BeEF web interface, like this:



If you look at the first paragraph of the content you will see two links in blue. Copy one of them and send it to the victim. If the victim opens the link, you get a connection. Then in the command bar you can see many options that you can execute.

                                         Phishing 

Phishing is another way to steal someone's credentials. In this case attackers send a fake link along with a tempting offer. Here are some phishing methods and tools.
 
                                         Zphisher

Zphisher is an automated phishing tool designed for educational purposes, demonstrating how phishing attacks work. It includes 30+ templates for various platforms and supports multiple tunneling options like Cloudflared and LocalXpose. The tool is beginner-friendly and offers mask URL support and Docker compatibility.

However, it's important to note that phishing is illegal and unethical if used for unauthorized access. If you're exploring cybersecurity, ethical hacking, or penetration testing, I recommend focusing on defensive security techniques and phishing awareness training instead. Let's see a practical example of a real-world scenario.

First, let's dive into a case study. Suppose you are a student or an employee. Suddenly you notice in your mailbox or on your phone an email or message like this:

Subject: Urgent: Password Reset Required
From: IT Support (it-support@yourcompany.com)

Dear [Your Name],

We have detected unusual activity on your account. To ensure security, please reset your password immediately by clicking the link below:

Reset Password

Failure to do so within 24 hours may result in account suspension.

Regards,
IT Security Team

Or the attacker sends you a tempting email or message saying you have won $10,000, an iPhone, a MacBook, a car, etc., and tells you to fill out a form with your personal information, including your bank account number, credit card number and other sensitive data. When you click the link you are redirected to the attacker's page. Whatever you type on that page, every keystroke, is sent to the attacker. Let's see a demonstration of the attack process.

Suppose I am a student who uses Facebook, Instagram or Twitter. In the evening, when I am coming back home, I notice a notification on my phone. I open it and see an email that looks like the one above. When you see such an email you generally become afraid, hurry to reset your password and click the link. When you click the link, the attacker first gets your public IP address and then your credentials too. See the following email:


When I click on the link, it redirects to the attacker's page, which looks like a Facebook page. See:


When you provide your information and submit it, you may see that you are redirected to another page. Now the attacker has all of the information. See:



Phishing attacks can be sneaky, but with the right precautions, you can avoid falling into their traps. Here are some key strategies:

  1. Verify the Source – Always double-check the sender of emails or messages. If something feels off, contact the company directly through official channels.
  2. Avoid Clicking Suspicious Links – Hover over links before clicking to see where they lead. If an email urges you to click a link urgently, be cautious.
  3. Use Multi-Factor Authentication (MFA) – Even if attackers steal your password, MFA adds an extra layer of security.
  4. Keep Software Updated – Regular updates help patch vulnerabilities that attackers might exploit.
  5. Watch for Red Flags – Phishing emails often contain poor grammar, generic greetings, or unexpected attachments.
  6. Use Security Tools – Anti-phishing toolbars and security software can help detect malicious sites.
  7. Educate Yourself – Stay informed about new phishing techniques so you can recognize them.
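Checks 1, 2 and 5 in this list can be automated at the mail gateway or in a SOC triage script instead of relying on every recipient to hover over links. The following is an added example and is not code from this page or from Zphisher or SET: it parses a raw email, compares the sender headers with each other and with the receiving server's authentication results, extracts where each link really points, and looks for urgency wording and a greeting that names nobody. TRUSTED_DOMAIN, the placeholder domains and both sample messages are constructed for this example, with the first one modelled on the case-study email above.

```python
"""Heuristic triage of an inbound email for the phishing red flags listed above.
Added defensive example; not code from the original page or from any tool it
names. TRUSTED_DOMAIN and both sample messages are constructed for this example.
"""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "yourcompany.example"  # assumption: the organisation's own domain
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspend(ed|sion)?)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer|\[your name\])", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(value: str) -> str:
    """Host part of an email address (with or without <>) or of a URL."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(value).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def analyze(raw: bytes) -> list:
    """Return the red flags found in the message; an empty list means none."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    # 1. Verify the source: Return-Path and Reply-To should agree with From, and
    #    the receiving server's SPF/DKIM/DMARC results should not be failures.
    from_domain = domain_of(str(msg.get("From", "")))
    for header in ("Return-Path", "Reply-To"):
        value = str(msg.get(header, ""))
        if value and domain_of(value) != from_domain:
            flags.append(f"{header} domain {domain_of(value)} differs from From domain {from_domain}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            flags.append(f"{mech.upper()} failed at the receiving mail server")
    # 2. "Hover before clicking", done programmatically: where do links really go?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = LinkCollector()
    links.feed(text)
    for label, href in links.links:
        host = domain_of(href)
        if not is_trusted(host):
            kind = "lookalike" if TRUSTED_DOMAIN.split(".")[0] in host else "external"
            flags.append(f"link '{label}' points to {kind} host {host}")
    # 3. Wording red flags: pressure to act now, and a greeting that names nobody.
    wording = str(msg.get("Subject", "")) + "\n" + text
    if URGENCY.search(wording):
        flags.append("urgency or threat language")
    if GENERIC_GREETING.search(wording):
        flags.append("generic greeting")
    return flags


# Constructed sample modelled on the case-study email above.
PHISH = b"""Return-Path: <bounce@mail-blast.example>
Authentication-Results: mx.yourcompany.example; spf=fail smtp.mailfrom=mail-blast.example
From: IT Support <it-support@yourcompany.example>
Reply-To: helpdesk@yourcompany-support.example
Subject: Urgent: Password Reset Required
Content-Type: text/html; charset=utf-8

<p>Dear [Your Name],</p><p>We have detected unusual activity on your account.
To ensure security, please reset your password immediately by clicking the link
below: <a href="http://yourcompany-login.example/reset">Reset Password</a></p>
<p>Failure to do so within 24 hours may result in account suspension.</p>
"""

# Constructed sample of an ordinary internal notice that should raise no flag.
LEGIT = b"""Return-Path: <it-support@yourcompany.example>
Authentication-Results: mx.yourcompany.example; spf=pass; dkim=pass; dmarc=pass
From: IT Support <it-support@yourcompany.example>
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset=utf-8

<p>Hi Alex,</p><p>The VPN will be offline on Saturday from 02:00 to 04:00.
Details are on the <a href="https://intranet.yourcompany.example/maintenance">intranet</a>.</p>
"""
```

Run `analyze(PHISH)` and the case-study message trips every check: the bounce and reply addresses do not belong to the claimed sender, SPF failed, the "Reset Password" link leads to a lookalike domain, and the text pressures the reader with a deadline while addressing nobody in particular. The same routine returns an empty list for the maintenance notice. Treat the output as triage input for a human or a quarantine rule; wording heuristics in particular produce false positives on genuine urgent mail, which is why the header and link checks carry more weight.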
