Unlimited Attempts AllowedDetails

Virtual Labs: Sniffing & Social Engineering

Consider what you have learned so far about Sniffing and Social Engineering as you review the objectives and scenario below.  Complete the lab that follows on EC-Council’s website using the link below.

Objective

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people know certain valuable information yet are generally careless in protecting it.

The objective of this lab is to:

• Detect phishing sites
• Protect the network from phishing attacks
• Perform Credential Harvesting
• Perform security assessment on a machine using a payload generated by SET

Scenario

Social engineering is the art of convincing people to reveal sensitive information in order to perform some malicious action. Organizations fall victim to social engineering tricks despite having security policies and best security solutions in place, as social engineering targets people’s weaknesses or good nature. Reconnaissance and social engineering is generally an essential component of any information security attack.

Cybercriminals are increasingly utilizing social engineering techniques to exploit the most vulnerable link in information system security: employees. Social engineering can take many forms, including phishing emails, fake sites, and impersonation.

McAfee’s new “Hacking the Human Operating System” whitepaper focuses on the use of social engineering to attack home and business users and finds once again that people are the weakest link. The McAfee report points out that there are many organizations who develop and deliver user awareness programs into their business areas, but the effectiveness of such programs varies, and in some identified cases, even after the security training has been delivered, it has done very little to educate their end-users with any valued security awareness to mitigate the threat of the social engineering attack.

It is essential for you as an expert Ethical Hacker and Penetration Tester, to assess the preparedness of your organization or the target of evaluation against the social engineering attacks.

Though social engineering primarily requires soft skills, the labs in this module demonstrate some techniques that facilitate or automate certain facets of social engineering attacks.

Week 7 Lab Assignment 1: Protect the Network

Lab Task:

The objective of this lab is to help students learn how to:

• Clone a website
• Obtain username and passwords using Credential Harvester method
• Generate reports for a conducted penetration test

Lab Description:

Social Engineering is an ever-growing threat to organizations all over the world. Social Engineering attacks are used to compromise companies every day. Even though there are many hacking tools available throughout underground hacking communities, Social Engineering Toolkit (SET) is a boon to attackers, as it is freely available and applicable to Spear-phishing attacks, website attacks, and many others. Attackers can draft email messages, attach malicious files, and send them to a large number of people using spear phishing. In addition, the multi-attack method allows the utilization of Java applets, the Metasploit browser, and Credential Harvester/Tabnabbing all at once.

Though numerous sorts of attacks can be performed using SET, it is also a must-have tool for penetration testing to check for vulnerabilities. SET is the standard for social-engineering penetration tests, and is supported heavily in the security community.

As an Ethical Hacker, Penetration Tester, or Security Administrator, you should be familiar with the Social Engineering Toolkit to perform various tests for network vulnerabilities.

The Social Engineering Toolkit is an open-source Python-driven tool aimed at penetration testing. The SET is specifically designed to perform advanced attacks against humans by exploiting human behavior. The attacks built into the toolkit are designed to be targeted and focused on attacks against a person or organization used during a penetration test.

Access the lab here: EC-Council | iLabsLinks to an external site.

Submit proof of this assignment completion by uploading and submitting a screenshot of the graded lab from EC-Council Labs. Refer to the Course Projects page for more information on project submissions.