LAB MANUAL
ON
THE ART OF SOCIAL ENGINEERING
ESTABLISHMENT OF ADVANCED LABORATORY FOR CYBER SECURITY TRAINING TO
TECHNICAL TEACHERS
DEPARTMENT OF INFORMATION MANAGEMENT AND EMERGING ENGINEERING
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
GOVERNMENT OF INDIA
Principal Investigator: Prof. Maitreyee Dutta
Co Investigator: Prof. Shyam Sundar Pattnaik
PREPARED BY:
Prof. Maitreyee Dutta and Ms. Shweta Sharma (Technical Assistant)
Table of Contents
INTRODUCTION TO SOCIAL ENGINEERING ............................. 2
PHISHING .............................................................................. 3
VISHING (VOICE PHISHING) ................................................... 4
SMiShing (SMS Phishing) ....................................................... 5
OPENING SET ........................................................................ 6
Agreement .................................................................................................. 8
Starting SET Terminal ........................................................................... 9
Selecting from the menu ................................................................... 10
Options in social engineering attacks .......................................... 11
Website attacks vectors options .................................................... 12
Credential harvester method options ......................................... 13
Post back IP address in harvester method ................................ 14
URL to clone website home page................................................... 15
Cloning website..................................................................................... 16
Facebook login page............................................................................ 17
Credentials .............................................................................................. 18
Facebook login page on mobile phone ........................................ 19
Credentials .............................................................................................. 20
COUNTERMEASURES ........................................................... 21
REFERENCES ........................................................................ 21
MANUAL-3: THE ART OF SOCIAL ENGINEERING
INTRODUCTION TO SOCIAL ENGINEERING
In social engineering, the attacker manipulates the victim into doing
something (revealing information, opening a file, granting access)
rather than breaking in by technical means.
The attacker relies on human interaction to obtain or steal users'
personal information.
An attacker may appear unassuming or respectable, and may:
Pretend to be a bank employee, customer, new employee, contractor,
repair man, etc.
Even present credentials (a badge, an employee ID, a reference number)
to appear legitimate and lure users.
By asking apparently harmless questions, the attacker may collect
enough information to infiltrate the company's network.
The attacker combines information gathered from many sources; each
piece makes the next request more convincing.
PHISHING
The objective of an attacker performing a phishing attack is to steal
users' data such as usernames, passwords, debit/credit card numbers,
and so on.
It occurs when an attacker spoofs a trusted party (e.g., a bank) and
urges the victim to open a link sent by email.
After the victim clicks the malicious link, either malware is installed
on the victim's device to steal sensitive information, or the link
leads to a fake login page that harvests the credentials the victim
types in.
For example: a spoofed e-mail.
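As an added example (not part of the original manual or of SET), the following Python script parses a constructed spoofed e-mail and flags the sender inconsistencies that distinguish it from a genuine message of the impersonated bank: a display name claiming the brand while the From domain is different, Return-Path and Reply-To domains that do not match From, and pressure wording in the subject. The domains bank.example, bank-secure-login.example and mail-notice.example are hypothetical.

```python
"""Flag common sender-spoofing indicators in a phishing e-mail.

Added example for this manual; not part of SET or of the original text.
Both messages below are constructed for illustration and all domains in
them are hypothetical.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed spoofed message: the display name claims to be the bank,
# but the address domain, Return-Path and Reply-To all point elsewhere.
SPOOFED_EMAIL = b"""\
Return-Path: <bounce@mail-notice.example>
From: "Bank Security Team" <alerts@bank-secure-login.example>
Reply-To: support@mail-notice.example
To: victim@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Dear customer, your account has been suspended. Verify at the link below.
"""

# Constructed genuine message from the same bank, for comparison.
LEGIT_EMAIL = b"""\
Return-Path: <alerts@bank.example>
From: "Bank Security Team" <alerts@bank.example>
To: victim@corp.example
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your statement for last month is ready in online banking.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def spoofing_indicators(raw: bytes, trusted_domain: str) -> list[str]:
    """Return human-readable indicators that the message impersonates trusted_domain.

    Heuristics only, not a verdict: (1) the display name mentions the brand
    but the From domain is not the trusted domain; (2) Return-Path or
    Reply-To domain differs from the From domain; (3) the subject uses
    pressure wording. Each finding is one string.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []

    from_hdr = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    brand = trusted_domain.split(".")[0]          # "bank" for "bank.example"
    if brand in display_name.lower() and from_dom != trusted_domain:
        findings.append(
            f"display name claims '{brand}' but From domain is {from_dom}")

    # A genuine sender normally bounces and receives replies at its own domain.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(str(msg.get(hdr, "")))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in ("urgent", "suspended", "verify", "within 24 hours")):
        findings.append("subject uses pressure wording typical of phishing")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, spoofing_indicators(sample, "bank.example"))
```

The check deliberately keys on the domain the user believes they are dealing with (`trusted_domain`); SPF, DKIM and DMARC results from the receiving mail server, when available in the headers, are stronger evidence and would be checked first in production.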
VISHING (VOICE PHISHING)
Vishing uses voice calls instead of the emails and fake websites that
phishers use. Vishers typically place the calls over an Internet
telephone service (VoIP), which makes the caller ID easy to spoof and
the caller hard to trace.
Using a combination of scare tactics and emotional manipulation, they
try to trick people into giving up their information over the phone.
For example: unsolicited offers of credit and loans.
SMiShing (SMS Phishing)
SMS phishing occurs when a person receives a malicious or fake SMS on a
mobile phone.
The victim responds to the fake SMS or visits the malicious URL it
contains, which can lead to malware being downloaded without the user's
knowledge, or to a fake login page that harvests the user's credentials.
OPENING SET
Go to Applications -> Social Engineering Tools [1] -> click on the SET
(Social-Engineer Toolkit) icon. On Kali Linux the same tool can also be
started from a terminal with the command setoolkit.
Agreement
Type ‘y’ to accept the agreement.
Starting SET Terminal
After accepting the agreement, the SET main menu is shown in the
terminal.
Selecting from the menu
Type '1' in the terminal to select Social-Engineering Attacks.
Options in social engineering attacks
Type '2' in the terminal to select Website Attack Vectors.
Website attack vectors options
Type '3' in the terminal to select the Credential Harvester Attack
Method, which captures the credentials a user enters into a cloned
login page.
Credential harvester method options
Type '2' in the terminal to select Site Cloner, which copies the login
page of a website you specify.
Post back IP address in harvester method
SET asks for the IP address for the POST back, i.e. the address of your
(attacker) machine to which the cloned page will submit the captured
form fields. Check that the detected address is one the victim can
reach, then press 'Enter' to accept it (or type a different address).
URL to clone website home page
Type the URL of the login page to clone (e.g., https://www.facebook.com).
Cloning website
Press 'Enter' to clone the website. SET copies the login page, rewrites
its form so that it submits to the POST-back address, and starts a web
server on your machine (port 80 by default).
Facebook login page
In a browser, enter the IP address of your system (http://<your IP>/)
to open the cloned webpage.
A cloned Facebook login page opens. A victim who does not notice that
the address bar shows a bare IP address over plain HTTP instead of
https://www.facebook.com will enter username and password here.
Credentials
Check the terminal.
SET prints the captured form fields, including the username and
password, in the terminal, and redirects the victim's browser to the
genuine site so that the victim often notices nothing.
Facebook login page on mobile phone
The same procedure works when the victim opens the cloned page from a
mobile phone browser, where the address bar is small and the bare IP
address is even easier to overlook.
Credentials
The captured username and password again appear in the SET terminal.
COUNTERMEASURES
The following countermeasures must be followed to avoid this attack:
Do not open any email from untrusted sources.
Do not click on any link from untrusted sources; it can download
malware onto the user's device or lead to a cloned login page.
Check the URL before submitting credentials: the genuine site uses
HTTPS and its real domain name, whereas the cloned page in this lab is
served from a bare IP address over plain HTTP.
Do not give unsolicited offers from strangers the benefit of the doubt.
Do not give your personal details to strangers.
Do not share passwords, and enable multi-factor authentication where
available, so that a harvested password alone is not enough to log in.
Lock your laptop when leaving the lab or office.
Install anti-virus software on the system and keep it up to date.
Read and follow the privacy policy of your organization.
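The advice to check the URL before entering credentials can be made mechanical. The following Python function is an added example (not part of the original manual or of SET); it flags the properties the cloned page in this lab has, namely a bare IP host and plain HTTP, and also lookalike registrable domains, punycode labels and userinfo tricks that a harvester hosted on a real domain might use. The expected-domain set and the sample URLs, including the private address 192.168.1.10 standing in for the attacker machine, are constructed.

```python
"""Check a login URL for the signs of a cloned credential-harvesting page.

Added example for this manual; not part of SET or of the original text.
EXPECTED_LOGIN_DOMAINS and the sample URLs are constructed, and
192.168.1.10 is a hypothetical attacker address.
"""
import ipaddress
from urllib.parse import urlsplit

# Registrable domain(s) the user actually intends to log in to.
EXPECTED_LOGIN_DOMAINS = frozenset({"facebook.com"})


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.

    A real implementation would consult the public suffix list so that
    hosts such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True if the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def url_warnings(url: str, expected=EXPECTED_LOGIN_DOMAINS) -> list[str]:
    """Return a list of reasons not to type credentials into this URL.

    An empty list means none of the checks fired; it does not prove the
    page is genuine.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings: list[str] = []

    # The cloned page from the SET credential harvester is plain HTTP.
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")

    # ... and is reached by the attacker machine's IP, not a domain name.
    if is_ip_literal(host):
        warnings.append(f"host is a bare IP address {host}, not a domain name")
    elif host:
        reg = registrable_domain(host)
        if reg not in expected:
            warnings.append(
                f"registrable domain {reg} is not one of {sorted(expected)}")
        if "xn--" in host:
            warnings.append("punycode label present; check for a homograph lookalike")

    # http://www.facebook.com@192.168.1.10/ shows the brand first but
    # connects to whatever follows the '@'.
    if "@" in parts.netloc:
        warnings.append("userinfo before '@' hides the real host")
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://www.facebook.com/login",
        "http://192.168.1.10/",
        "https://www.facebook.com.login-verify.example/",
        "http://www.facebook.com@192.168.1.10/",
    ):
        print(sample, "->", url_warnings(sample) or "no warnings")
```

The subdomain case (www.facebook.com.login-verify.example) is the one users miss most often: the familiar name is present, but the registrable domain, the only part the owner controls, is someone else's.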
REFERENCES
[1] Offensive Security Ltd., "SET Package Description," 2020.
https://tools.kali.org/information-gathering/set (accessed Feb. 10, 2020).