Intro:
Most of my hands-on SE knowledge comes from using The Social-Engineer Toolkit (SET). I've only been using it for around 8 months at this point, and I've learned a little bit. When our company decided that regular user training would be too expensive, we decided to try and make things interesting instead. The plan is still forming, but we've gotten good feedback so far.
The Plan:
The idea is to run a blatantly obvious SE attempt against a subset of users each month from a Gmail account. I made the account ourITdepartment@gmail.com. SET will authenticate to Gmail for you to send out the campaign email. The targets receive a plain HTML email with a link that takes them to a credential harvester embedded in a cloned website of my choosing. Keep in mind that SET's harvester writes whatever the user types into the cloned form, real domain password included, to its capture file in clear text; treat those files as sensitive and discard the password field as soon as the hit is recorded. After we obtain their credentials this is what they see:
This slideshow takes them through the usual "don't click shit" information, just in a professional format. I may upload the full slide deck, but it still needs a little work. As time goes on and we get fewer hits, we'll up the complexity.
First Attempt:
Using theHarvester.py (by Christian Martorella) I scanned for our domain to pull the first list of users, which got me about 50:
./theHarvester.py -d mydomain.com -l 500 -b google
Every year we fill out an employee survey with a third-party company. Since we had just completed it, I figured an email saying the survey results were in would yield a good hit rate.
The link took them to a clone of SurveyMonkey's login page. That yielded a surprising 15/50 credentials harvested, 3/50 reports of a suspicious email to our helpdesk, and 1 call from a nurse letting us know that she no longer has any respect for us and that we have lost her trust.
Second Attempt:
To gather a list of the users most likely to be targeted from the outside, we used the active-sender list on our Postfix mail-filtering box. About 600 of our 1,400 mailboxes normally receive email from outside addresses. I took the first 200 this month and will continue until everyone has been hit with an easy campaign.
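As an added example (not the author's script; the post does not show how the active-sender list was produced), here is one way to build that list straight from the Postfix maillog: correlate each qmgr "from=" line with the delivery "to=" lines on the queue ID, count the messages actually delivered to each internal mailbox from a sender outside the domain, and slice the ranked result into a month's batch. The log lines are constructed, mydomain.com is the domain from the theHarvester command above, and skipping null-sender bounces (from=<>) is a design choice, not something the post states.

```python
"""Rank internal mailboxes by how much mail they get from outside senders,
by correlating Postfix maillog lines on the queue ID.

Added example; not the author's script. Assumes the standard Postfix syslog
format: the envelope sender is on the qmgr "from=" line and each recipient
is on a delivery-agent "to=" line with a status, both tagged with the queue ID.
"""
import re
from collections import Counter

INTERNAL_DOMAIN = "mydomain.com"   # domain from the post's theHarvester command

# Constructed sample log, not from the post. One message may have several
# recipients; 8B2C... is internal-to-internal, AD4E... is a null-sender bounce,
# and the last delivery to alice bounced and so never reached her.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx1 postfix/smtpd[2231]: 7A1B2C3D4E: client=mail.vendor.example[203.0.113.5]
Mar  3 09:12:01 mx1 postfix/qmgr[1102]: 7A1B2C3D4E: from=<billing@vendor.example>, size=4821, nrcpt=2 (queue active)
Mar  3 09:12:02 mx1 postfix/smtp[2240]: 7A1B2C3D4E: to=<alice@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=0.4, status=sent (250 Ok)
Mar  3 09:12:02 mx1 postfix/smtp[2240]: 7A1B2C3D4E: to=<bob@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=0.4, status=sent (250 Ok)
Mar  3 09:15:44 mx1 postfix/qmgr[1102]: 8B2C3D4E5F: from=<carol@mydomain.com>, size=912, nrcpt=1 (queue active)
Mar  3 09:15:44 mx1 postfix/smtp[2241]: 8B2C3D4E5F: to=<bob@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=0.2, status=sent (250 Ok)
Mar  3 10:02:10 mx1 postfix/qmgr[1102]: 9C3D4E5F6A: from=<survey@surveyvendor.example>, size=7714, nrcpt=1 (queue active)
Mar  3 10:02:11 mx1 postfix/smtp[2242]: 9C3D4E5F6A: to=<alice@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=0.3, status=sent (250 Ok)
Mar  3 10:30:00 mx1 postfix/qmgr[1102]: AD4E5F6A7B: from=<>, size=2100, nrcpt=1 (queue active)
Mar  3 10:30:00 mx1 postfix/smtp[2243]: AD4E5F6A7B: to=<dave@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=0.3, status=sent (250 Ok)
Mar  3 11:00:00 mx1 postfix/qmgr[1102]: BE5F6A7B8C: from=<news@outside.example>, size=3300, nrcpt=1 (queue active)
Mar  3 11:00:01 mx1 postfix/smtp[2244]: BE5F6A7B8C: to=<alice@mydomain.com>, relay=exch01[10.0.0.5]:25, delay=1.1, status=bounced (550 No such user)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]+)>.*status=(?P<status>\w+)"
)


def domain_of(addr):
    """Domain part of an address, lower-cased; '' for the null sender <>."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def external_recipient_counts(log_text, internal_domain=INTERNAL_DOMAIN):
    """Return a Counter of internal mailbox -> number of messages actually
    delivered to it from a sender outside internal_domain."""
    sender_by_qid = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("addr")

    counts = Counter()
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if not m or m.group("status") != "sent":
            continue  # bounced/deferred mail never reached the user
        sender = sender_by_qid.get(m.group("qid"))
        if sender is None:
            continue  # no from= line seen for this queue ID (e.g. log rotated mid-message)
        src, dst = domain_of(sender), domain_of(m.group("addr"))
        # Null-sender bounces (from=<>) are not an outside correspondent; skip them.
        if src and src != internal_domain and dst == internal_domain:
            counts[m.group("addr").lower()] += 1
    return counts


def campaign_batch(counts, start, size):
    """Mailboxes ranked by external-mail volume, sliced for one month's campaign
    (the post took the first 200 and works down the list month by month)."""
    ranked = sorted(counts, key=lambda u: (-counts[u], u))
    return ranked[start:start + size]


if __name__ == "__main__":
    counts = external_recipient_counts(SAMPLE_LOG)
    for user in campaign_batch(counts, 0, 200):
        print(f"{counts[user]:4d}  {user}")
```

On the sample log only alice (2 external messages) and bob (1) make the list: carol's mail to bob is internal, dave only got a bounce notification, and alice's third message was rejected. On a real box, feed it `zcat /var/log/mail.log*` for a few weeks rather than a single day so the ranking reflects normal traffic.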
At the beginning of the year we switched to an HR system "in the cloud" that uses Active Directory Federation Services (AD FS) to authenticate our users. I figured a clone of that site would work well, accompanied by this email:
So far we are at 47/200 and they are still rolling in.
1-2-3 SET:
What Comes Next?
We're currently working on a database, bound to Microsoft Active Directory, to store the results of each month's campaign. It would allow us to run reports on the most-phished users, who each campaign hit, and so on. All the data from SET's XML report will be pulled in as well.
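As an added example of the kind of reporting described above (not the database the post says is being built), the following sketches a per-month campaign store in SQLite with the two reports the post names, most-phished users and per-campaign hit rates, plus a per-department breakdown. The schema, the department column (assumed to be filled from an AD attribute) and every sample row are assumptions or constructed data; notably only the fact that credentials were submitted is stored, never the harvested password.

```python
"""Store each month's campaign results and report on them.

Added example, not the database the post says is being built. The post only
says results will be tied to Active Directory and reported per month; the
schema, the 'department' column (assumed to be populated from an AD attribute)
and all sample rows here are assumptions / constructed data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    upn        TEXT PRIMARY KEY,  -- user principal name, e.g. alice@mydomain.com
    department TEXT               -- assumed to be populated from AD
);
CREATE TABLE campaigns (
    id    INTEGER PRIMARY KEY,
    month TEXT NOT NULL,          -- 'YYYY-MM'
    theme TEXT NOT NULL,          -- what the lure pretended to be
    UNIQUE (month, theme)
);
CREATE TABLE outcomes (
    campaign_id INTEGER NOT NULL REFERENCES campaigns(id),
    upn         TEXT    NOT NULL REFERENCES users(upn),
    submitted   INTEGER NOT NULL DEFAULT 0,  -- entered credentials on the clone
    reported    INTEGER NOT NULL DEFAULT 0,  -- reported the mail to the helpdesk
    PRIMARY KEY (campaign_id, upn)           -- one row per targeted user
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_users(conn, users):
    """users: iterable of (upn, department) pairs."""
    conn.executemany("INSERT OR REPLACE INTO users (upn, department) VALUES (?, ?)", users)
    conn.commit()


def record_campaign(conn, month, theme, targets, submitted=(), reported=()):
    """Store who was targeted, who gave up credentials and who reported it.
    Only the fact of submission is kept; the harvested password itself is not."""
    cid = conn.execute("INSERT INTO campaigns (month, theme) VALUES (?, ?)",
                       (month, theme)).lastrowid
    submitted, reported = set(submitted), set(reported)
    conn.executemany(
        "INSERT INTO outcomes (campaign_id, upn, submitted, reported) VALUES (?, ?, ?, ?)",
        [(cid, u, int(u in submitted), int(u in reported)) for u in targets],
    )
    conn.commit()
    return cid


def campaign_hit_rates(conn):
    """Per campaign: (month, theme, targeted, submitted, reported, submit_rate)."""
    rows = conn.execute("""
        SELECT c.month, c.theme, COUNT(*), SUM(o.submitted), SUM(o.reported)
        FROM campaigns c JOIN outcomes o ON o.campaign_id = c.id
        GROUP BY c.id ORDER BY c.month, c.theme""").fetchall()
    return [(m, t, n, s, r, round(s / n, 3)) for m, t, n, s, r in rows]


def most_phished(conn, limit=10):
    """Users ranked by how many campaigns they submitted credentials to:
    (upn, department, times_submitted, times_targeted)."""
    return conn.execute("""
        SELECT o.upn, u.department, SUM(o.submitted) AS times, COUNT(*) AS targeted
        FROM outcomes o JOIN users u ON u.upn = o.upn
        GROUP BY o.upn HAVING times > 0
        ORDER BY times DESC, o.upn LIMIT ?""", (limit,)).fetchall()


def department_rates(conn):
    """Submission rate per department across all campaigns, worst first."""
    rows = conn.execute("""
        SELECT u.department, COUNT(*), SUM(o.submitted)
        FROM outcomes o JOIN users u ON u.upn = o.upn
        GROUP BY u.department""").fetchall()
    return sorted(((d, n, s, round(s / n, 3)) for d, n, s in rows),
                  key=lambda r: (-r[3], r[0]))


def build_sample_db():
    """Constructed data: two campaigns in the style of the post's first two attempts."""
    conn = open_db()
    add_users(conn, [
        ("alice@mydomain.com", "Nursing"), ("bob@mydomain.com", "Finance"),
        ("carol@mydomain.com", "Nursing"), ("dave@mydomain.com", "IT"),
        ("erin@mydomain.com", "Finance"),
    ])
    record_campaign(conn, "2014-03", "survey results",
                    targets=["alice@mydomain.com", "bob@mydomain.com",
                             "carol@mydomain.com", "dave@mydomain.com"],
                    submitted=["alice@mydomain.com", "bob@mydomain.com"],
                    reported=["dave@mydomain.com"])
    record_campaign(conn, "2014-04", "HR portal",
                    targets=["alice@mydomain.com", "bob@mydomain.com", "carol@mydomain.com",
                             "dave@mydomain.com", "erin@mydomain.com"],
                    submitted=["alice@mydomain.com", "erin@mydomain.com"],
                    reported=["carol@mydomain.com", "dave@mydomain.com"])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for report in (campaign_hit_rates, most_phished, department_rates):
        print(report.__name__)
        for row in report(db):
            print("  ", row)
```

Loading real results means parsing SET's report for the harvested usernames and mapping them to UPNs, then calling `record_campaign` once per month; the AD side only has to keep the `users` table current (UPN and whatever grouping attribute you want to report on).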