1
00:00:06,510 --> 00:00:08,950
- [Instructor] In this quick lesson, I'm gonna talk about

2
00:00:08,950 --> 00:00:12,610
how threat actors or attackers impersonate people

3
00:00:12,610 --> 00:00:15,760
on social media or social networking sites, and

4
00:00:15,760 --> 00:00:20,760
also how attackers can impersonate those websites as well.

5
00:00:21,640 --> 00:00:23,930
And they do that to obtain sensitive information

6
00:00:23,930 --> 00:00:25,410
from their victims.

7
00:00:25,410 --> 00:00:27,970
First, it is extremely easy

8
00:00:27,970 --> 00:00:30,870
for anyone to create a fake account

9
00:00:30,870 --> 00:00:33,510
on either Facebook, Instagram, Twitter

10
00:00:33,510 --> 00:00:36,240
or any other social networking site.

11
00:00:36,240 --> 00:00:39,500
Basically they can do this to impersonate anyone

12
00:00:39,500 --> 00:00:43,600
then basically, you know, they can steal somebody's picture

13
00:00:43,600 --> 00:00:46,790
and create a fake profile to send friend requests

14
00:00:46,790 --> 00:00:50,240
to your friends, interact with those people

15
00:00:50,240 --> 00:00:51,310
and sometimes, you know

16
00:00:51,310 --> 00:00:54,560
perform negative actions in, you know

17
00:00:54,560 --> 00:00:59,120
those websites and those social networking platforms.

18
00:00:59,120 --> 00:01:00,360
And then people will think

19
00:01:00,360 --> 00:01:02,473
that those actions were done by you, right.

20
00:01:03,490 --> 00:01:05,730
Now let me shift gears into another tactic

21
00:01:05,730 --> 00:01:09,880
that attackers have used in many cases, and that is

22
00:01:09,880 --> 00:01:13,630
trying to impersonate social networking sites overall

23
00:01:13,630 --> 00:01:16,380
the whole site, and clone them

24
00:01:16,380 --> 00:01:19,820
and then lure those victims to go to those sites

25
00:01:19,820 --> 00:01:22,160
and then obtain information from their victims

26
00:01:22,160 --> 00:01:25,940
whether it's credentials or any other type of information.

27
00:01:25,940 --> 00:01:28,280
Basically the attacker can take advantage

28
00:01:28,280 --> 00:01:33,280
of many different attack scenarios like on the path attacks

29
00:01:33,605 --> 00:01:36,880
which we formerly referred to as man-in-the-middle attacks

30
00:01:36,880 --> 00:01:40,910
or DNS poisoning attacks, or any other wired

31
00:01:40,910 --> 00:01:45,090
or wireless type of attack to do this type of action.

32
00:01:45,090 --> 00:01:48,960
Now, in this example, what I'm using is a super popular tool

33
00:01:48,960 --> 00:01:51,240
called a social engineering toolkit.

34
00:01:51,240 --> 00:01:54,540
This tool can be used to launch many different

35
00:01:54,540 --> 00:01:56,360
social engineering attacks

36
00:01:56,360 --> 00:02:00,230
like spearphishing attacks, website attack vectors

37
00:02:00,230 --> 00:02:03,770
create different payloads and much more.

38
00:02:03,770 --> 00:02:06,340
Now, in this example, I'm going to very easily

39
00:02:06,340 --> 00:02:10,520
demonstrate how to impersonate Twitter to then

40
00:02:10,520 --> 00:02:12,280
steal credentials from a user.

41
00:02:12,280 --> 00:02:14,470
Now, of course, you know there's a lot of mitigations

42
00:02:14,470 --> 00:02:16,420
against this because, you know

43
00:02:16,420 --> 00:02:19,100
hopefully you're using multifactor authentication

44
00:02:19,100 --> 00:02:20,830
and so on, but you know

45
00:02:20,830 --> 00:02:24,760
at the same mechanism the hacker can impersonate any website

46
00:02:24,760 --> 00:02:28,840
and then interact with a user to potentially send them

47
00:02:28,840 --> 00:02:32,120
to a malicious one that will steal the session tokens.

48
00:02:32,120 --> 00:02:33,940
And then of course

49
00:02:33,940 --> 00:02:37,880
even bypass multifactor authentication in some scenarios

50
00:02:37,880 --> 00:02:40,640
but let's take a look at how this attack actually works

51
00:02:40,640 --> 00:02:43,430
in the social engineering toolkit.

52
00:02:43,430 --> 00:02:46,230
So again, this is the tool that I was referring to.

53
00:02:46,230 --> 00:02:48,030
From the menu I'm gonna select number one

54
00:02:48,030 --> 00:02:50,230
for social engineering attacks

55
00:02:50,230 --> 00:02:52,960
and then I'm gonna select number two

56
00:02:52,960 --> 00:02:55,430
for website attack vectors.

57
00:02:55,430 --> 00:02:56,390
Now in there I'm gonna do

58
00:02:56,390 --> 00:02:58,730
a credential harvester attack method

59
00:02:58,730 --> 00:03:03,670
and then I have the option to either use a web template,

60
00:03:03,670 --> 00:03:06,680
clone the website, or do a custom import

61
00:03:06,680 --> 00:03:11,530
of all the HTML and CSS files to create that website.

62
00:03:11,530 --> 00:03:13,880
Now, for the simplicity of this example

63
00:03:13,880 --> 00:03:17,850
I'm actually just gonna use number one, the web templates.

64
00:03:17,850 --> 00:03:21,670
And then the first thing that is actually asking you

65
00:03:21,670 --> 00:03:26,500
is what is gonna be the IP address for the post, right?

66
00:03:26,500 --> 00:03:30,450
So the client or the victim to communicate back

67
00:03:30,450 --> 00:03:33,660
to the quote unquote command control system

68
00:03:33,660 --> 00:03:35,910
in this case, your system, right?

69
00:03:35,910 --> 00:03:37,180
But you can actually point this

70
00:03:37,180 --> 00:03:39,470
to a different system as well.

71
00:03:39,470 --> 00:03:42,420
Now, in this example, just for simplicity

72
00:03:42,420 --> 00:03:45,830
the tool already recognized my IP address that you see here

73
00:03:45,830 --> 00:03:50,150
192.168.88.225, I'm just gonna press Enter in there.

74
00:03:50,150 --> 00:03:52,410
And then you see that I have a few options

75
00:03:52,410 --> 00:03:55,420
that are here built in like Java required.

76
00:03:55,420 --> 00:03:58,270
And then the user actually will get a popup message saying

77
00:03:58,270 --> 00:04:02,600
Hey, you need to update Java, or impersonating Google.

78
00:04:02,600 --> 00:04:04,140
But in this case, as I mentioned, you know

79
00:04:04,140 --> 00:04:06,530
I'm gonna impersonate Twitter.

80
00:04:06,530 --> 00:04:08,280
So I'm gonna select number three.

81
00:04:08,280 --> 00:04:10,360
Now in this case, you know of course

82
00:04:10,360 --> 00:04:11,730
this is running on port 80.

83
00:04:11,730 --> 00:04:13,270
So once again, you know

84
00:04:13,270 --> 00:04:16,330
there are different mitigations against this scenario.

85
00:04:16,330 --> 00:04:18,690
However, you can do DNS poisoning attacks

86
00:04:18,690 --> 00:04:20,670
you can do other social engineering attacks

87
00:04:20,670 --> 00:04:22,640
and make these very, very

88
00:04:22,640 --> 00:04:26,100
very intuitive or, you know, I guess, you know

89
00:04:26,100 --> 00:04:31,100
lure your victim to then navigate to that site.

90
00:04:31,360 --> 00:04:33,870
And probably you can build in, you know

91
00:04:33,870 --> 00:04:37,700
these types of modules within captive portals

92
00:04:37,700 --> 00:04:41,140
in a wireless-based attack saying, you know, you can log in

93
00:04:41,140 --> 00:04:45,040
with your Twitter account to get free internet access.

94
00:04:45,040 --> 00:04:47,470
And then of course your victims will actually will

95
00:04:47,470 --> 00:04:50,320
will try to do anything that they can to

96
00:04:50,320 --> 00:04:51,870
obtain free internet

97
00:04:51,870 --> 00:04:54,200
and then you can steal their password as well.

98
00:04:54,200 --> 00:04:58,810
So now what I'm going to do is I'm gonna open a new window

99
00:04:58,810 --> 00:05:00,340
from a different system.

100
00:05:00,340 --> 00:05:03,750
And in this case, actually from my Mac, not from Parrot

101
00:05:04,601 --> 00:05:08,550
and as you see, you know, I actually went to 192.168.88.225

102
00:05:08,550 --> 00:05:10,280
and it's asking me for my username and password.

103
00:05:10,280 --> 00:05:14,010
So here I'm actually just putting some fake information

104
00:05:15,060 --> 00:05:17,260
and then whenever I sign in

105
00:05:17,260 --> 00:05:20,640
it redirects me to my real Twitter account.

106
00:05:20,640 --> 00:05:23,570
But in here you see the username

107
00:05:24,530 --> 00:05:25,860
and the password, actually

108
00:05:25,860 --> 00:05:28,560
I just put, this is a password with spaces.

109
00:05:28,560 --> 00:05:30,460
So this is actually correct.

110
00:05:30,460 --> 00:05:33,760
Right? So again, this is just one example out

111
00:05:33,760 --> 00:05:36,830
of many that attackers can do

112
00:05:36,830 --> 00:05:39,520
to do many different types of

113
00:05:39,520 --> 00:05:42,730
impersonations of social media sites.

114
00:05:42,730 --> 00:05:45,330
And again, as I mentioned in the beginning of the lesson

115
00:05:45,330 --> 00:05:48,550
not only, you know, attackers do this type of impersonation

116
00:05:48,550 --> 00:05:53,270
but they impersonate people on social media sites.

117
00:05:53,270 --> 00:05:55,650
So two different things that I actually cover

118
00:05:55,650 --> 00:05:56,683
in this lesson.