
Assignment #2: Social Engineering Attacks

Now you have to persuade people to click on a link or open an attachment. You got your target, you got your pretext. What’s next? Email? SMS text? WhatsApp message? You should probably utilize the OSINT VMs (Tsurugi VM, TraceLabs VM, Kali VM) to deploy the social engineering attack. Explore some of the tools for social engineering, for example: The Social Engineering Toolkit (SET), ZPhisher, BlackEye, SocialPhish, MaskPhish, or MSFVenom, to name a few.

Your task is to harvest credentials of the target you OSINT-ed in the previous assignment. Determine what tools you will use, templates, and how you will incorporate the phishing link within the pretexting scenario you have developed. Simply writing “I will send them the phishing link in a text message” won’t work. You have to show that this indeed works.

What to submit? A Harvested Credentials report:

Again, I have no rubrics for this report. Make sure you write concisely and take good screenshots. Cybersecurity doesn’t come in rubrics. Nor does social engineering. “Hey professor, you want us to submit the reports for each assignment separately or a final report with all assignments?” Your pick. I don’t “want” anything except a concise proof of actual work.

1. Choice of a Web Template: You have to provide a good, sound justification why you picked this template and how it factors into the pretexting scenario.
2. Step-by-step Deployment (with screenshots): Yes, this is important. You will graduate and go work in big places and probably write lengthy and nifty tutorials. Practice writing them and be concise.
3. Emulation Setup: It is easy to copy/paste the phishing link in the same VM. Not going to cut it, though. You need to make a deployment to show the phishing works from two individual machines. Build Your Own Lab? Perhaps a Cloud Lab? Your choice. You have to also explain, step-by-step, concisely how this is to be achieved so someone who has no clue about the setup can follow your steps successfully.
4. Mock Credentials: Absolutely no actual credentials nor sending links to people. Show me what you harvested with dummy values.
5. What you Learned: Write about what surprises, hiccups, hurdles, frustrations, exaltations, and what you learned from being able to properly deploy a social engineering attack for harvesting credentials. Write what the victim might do to prevent being phished. Simply “Use two-factor authentication” doesn’t say much. A bypass? Go beyond this.

Assignment #1: OSINT (Open Source INTelligence) Collection
OSINT is the homework every proper social engineer does before going to persuade people
to click on a link or open an attachment. It is not sufficient to pick a target; figuring out what
combination of persuasion principles, pretexting, and communication formatting will most likely
work is the hard part. What makes the target tick? You have to figure it out. There are interesting
books and Virtual Machines (VMs) about doing forensics that include an impressive set of
OSINT (Open Source INTelligence) tools, namely: Tsurugi VM, TraceLabs VM, Kali VM, to name a few.
For your first assignment, you have to pick an OSINT VM of your choice. Pick your own
hypervisor too (VirtualBox, VMware, KVM, QEMU… whatever works for you). Next you have
to pick a target. Then, determine what tools you will use. Your task is to collect OSINT data
that will be the most useful to you in creating a pretexting scenario for the target. Simply running
Maltego, Instagram Scraper, Twint, just because I have listed them here is not going to cut it. I expect
you to demonstrate a true OSINT investigation and clever utilization of multiple tools. What to
submit? An OSINT report:
1. Why this target?: You have to provide a good, sound justification why you picked this
target. This will determine if you properly understood the concepts of OSINT in the first
place. Refrain from using targets that under normal circumstances won’t be able to receive
communication from you. You know what I mean.
2. Why this tool(s)?: If you pick Twint for someone that doesn’t use Twitter you have to
tell me what your rationale for doing this is. And vice versa. Simply “because this target
is vocal on Twitter” won’t give you many points. Someone can be totally vocal on Twitter
and be able to spot any phishing email coming their way.
3. OSINT data: A summary of the OSINT data you collected. Focus on elaborating how this
OSINT data feeds into the pretexting scenario. You can provide an Appendix with the
data listed there. Don’t include it in the main body of your OSINT report.
4. Pretexting scenario: You got your data on the target, right? Is it enough? You have to
convince me with clear step-by-step what will be your pretexting scenario. Want to use
some persuasion principles as a basis for your explanations? Feel free to do so.
Want to augment the pretexting scenario with images or mock up communications? Cite
the sources. The pretexting scenario must be realistic though.
5. Expected Outcomes: You have to write all the possible outcomes of your pretexting scenario.
If the target will probably click/download/fall for the pretext, explain to me why
you are convinced this is going to happen. There must be an explanation on why the target
might not click/download/fall for the pretext. Also, include a contingency plan on what else you
need to do in your pretexting scenario, or perhaps, the OSINT data collection, to maximize
your preferred outcome.
• Register a hobby account with an email at Spider HX.
• Log in to your account.
• Select New Scan.
• Give a Name to your new scan. Penny Pennington in this case.
• List the targets. In this case Penny Pennington is the main target, but I added others to increase the scope of the search. Hover over the help button to see the format required to enter a specific target. Begin the scan.
• As the scan begins, it starts to collect information.
• After 22 minutes it has collected over 400 bits of information, which can range from bitcoin accounts to university profiles.
• Abort the scan.
• Navigate over to Visualisation in the row of blue buttons and you will see this: nodes linking gathered data to each other. Here we can hover over relevant search terms and see if things like phone numbers and email accounts are connected to our targets.
Using OSINT for Marketing Purposes: A Report.
1.) We have developed state of the art accounting technology and want to market it to top
executives, in the hopes that they hand it over to their subordinates so that we can do
business with the respective companies. The problem is that we have no marketing budget
and virtually no access to the top executives. Our target is Penny Pennington, managing
partner of Edward Jones, the company we would like to adopt our technology.
2.) The tool we will make use of is SpiderFoot HX, a powerful OSINT that scans other OSINTS for
meaningful information. The tool is easy to use, and provides great search results linked to
the target. Furthermore, it is good for targeting a specific professional person, as APIs such as
email rep can be enabled to find professional/organisational email addresses linked to the
target, which is obviously very useful as that is our medium of communication.
3.) After performing a scan on Penny, we can see that she feels very strongly about social
issues, as evidenced by the fact that she is a board member of the Whittaker Foundation, as
well as the fact that she is a senior executive sponsor of Edward Jones’s LGBTA Business
Resource Group. Furthermore, she is connected to the Urban League of St. Louis, and feels
strongly towards social issues in her home town. This is the key to our pretexting scenario.
4.) With the pretexting scenario, we want to invoke emotion in Penny, as that is more likely to
cause her to take note of our email. We will make use of her connection with the Urban
League of St. Louis as our key to doing this. This is how: We will pose as an underprivileged
youth that was helped by the Urban League during our adolescence. We will claim that we
were helped to study Accounting and Computer Science, and this enabled us to develop a
state-of-the-art accounting software. We were then told by one of the workers at the Urban
League to pitch the software to Penny Pennington, a staunch ally and supporter that is also
heavily involved in the financial industry.
5.) As for the expected outcomes, there is a high probability that she will simply ignore the
email, as she is a CEO. If that were the case we simply move on to a new target. There is a
possibility, though, that she will take interest. We only want her to open our document, find
the software interesting and then recommend that a subordinate follow through and make
contact with us. The key here is that while our likelihood of success is small, it is offset by
our payoff being large. If she does click on our link, the most probable reason why will be
because she is intrigued by our mutual connection to the Urban League. One contingency we
can make use of is to investigate the Urban League further to add more legitimacy to our
email.
