
THE SOCIAL-ENGINEER TOOLKIT


The Social-Engineer Toolkit (SET) was developed to coincide with the release of Social-Engineer.org. The purpose of SET is to fill a gap in the penetration testing community and bring awareness to social-engineering attacks. And it has succeeded: SET has been downloaded 1 million times and is now an industry standard for deploying social-engineering attacks. The toolkit attacks human weaknesses, exploiting curiosity, credibility, avarice, and simple human stupidity. Social-engineering attacks are at an all-time high and have always been a large risk for many organizations.

Of course, social engineering is nothing new. One person trying to coax another to perform acts that he normally wouldn't do is as old as time itself. Many in the security community believe that social engineering is one of the biggest risks organizations face, because it's extremely difficult to protect organizations from being attacked in this way. (You might remember the ultra-sophisticated Operation Aurora attack, for example, in which social engineering was used to attack Gmail and other sources of Google data.)

An attack vector is the avenue used to gain information or access to a system. SET categorizes attacks by attack vector (such as web, email, and USB-based attacks). It uses email, spoofed websites, and other vectors to reach human targets, typically tricking individuals into compromising the target or releasing sensitive information. Naturally, each vector can have a different success rate depending on its target and the communication used. SET also comes prebuilt with email and website templates that can be used for social-engineering attacks. SET heavily uses the Metasploit Framework. Because of the social nature of the attacks themselves, each example in this chapter is coupled with a brief story.


Configuring the Social-Engineer Toolkit

By default, in Back|Track, SET is located in the /pentest/exploits/set/ directory. Before you begin, make sure that you are running the latest version of SET:

root@bt:/pentest/exploits/set# svn update

Next, configure your SET configuration file according to what you're attempting to accomplish. We'll cover a couple of simple features within the configuration file config/set_config in the root SET directory. When using the SET web-based attack vectors, you can turn ON the WEBATTACK_EMAIL flag to perform email phishing in conjunction with the web attack. This flag is turned OFF by default, which means that SET will use the web attack vector without the support of email phishing unless you change it:

METASPLOIT_PATH=/opt/framework3/msf3
WEBATTACK_EMAIL=ON

One of the web-based attacks available in SET is the Java applet attack, which uses self-signed Java applets. By default, this attack uses Microsoft as the publisher name; however, if the Java Development Kit (JDK) has been installed, you can turn this option ON and sign the applet with whatever name you want. When you turn this flag ON, additional options will be available through the interface:

SELF_SIGNED_APPLET=ON

The AUTO_DETECT setting is one of the most important flags and is turned ON by default. It tells SET to detect your local IP address automatically and to use that as the address for the reverse connection and web servers. If you are using multiple interfaces, or your reverse payload listener is housed at a different location, turn this flag OFF. When this option is OFF, SET will allow you to specify multiple scenarios to ensure that the proper IP address scheme is used, for example in a scenario that includes NAT and port forwarding. These options are reflected within the SET interface.
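If you set up SET for more than one engagement, you end up editing the same three flags in config/set_config by hand every time. The following is an added example, not code from SET or from this chapter, that reads and rewrites a KEY=VALUE file in the style of set_config: it changes a flag in place (keeping comments and ordering), appends the flag if it is absent, and applies the three settings described above in one call. The configuration fragment and its comment lines are constructed for the example; only the flag names and values come from the text.

```python
import re

# Constructed fragment in the KEY=VALUE style of config/set_config.
# The comment lines are placeholders for this example, not SET's own text.
SAMPLE_SET_CONFIG = """\
# Path to the Metasploit Framework
METASPLOIT_PATH=/opt/framework3/msf3
# Send phishing email alongside the web attack (OFF by default)
WEBATTACK_EMAIL=OFF
SELF_SIGNED_APPLET=OFF
AUTO_DETECT=ON
"""

# One flag per line: an upper-case key, '=', and the rest of the line as value.
_LINE = re.compile(r"^(?P<key>[A-Z_][A-Z0-9_]*)=(?P<value>.*)$")


def read_flags(text):
    """Parse KEY=VALUE lines into a dict, skipping blank lines and # comments."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            flags[m.group("key")] = m.group("value")
    return flags


def set_flag(text, key, value):
    """Return text with KEY=value: an existing line is replaced in place so
    comments and order survive; a missing key is appended at the end."""
    out, found = [], False
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group("key") == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configure_for_web_phish(text, auto_detect=True):
    """Apply the settings discussed in the text: e-mail phishing together with
    the web attack, a self-signed applet under our own publisher name, and
    AUTO_DETECT off when the listener sits behind NAT or on another host."""
    text = set_flag(text, "WEBATTACK_EMAIL", "ON")
    text = set_flag(text, "SELF_SIGNED_APPLET", "ON")
    text = set_flag(text, "AUTO_DETECT", "ON" if auto_detect else "OFF")
    return text


if __name__ == "__main__":
    # Stand-alone run: show the rewritten config for a NAT'd listener.
    print(configure_for_web_phish(SAMPLE_SET_CONFIG, auto_detect=False), end="")
```

To use it against a real install, read config/set_config into a string, pass it through configure_for_web_phish, and write the result back; keep a copy of the original, since SET reads the file on every start and a malformed line is easiest to diagnose by diffing.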



Spear-Phishing Attack Vector

The spear-phishing attack vector specially crafts file-format exploits (such as Adobe PDF exploits) and primarily sends email attacks containing attachments to a target, which, when opened, compromise the target's machine. SET can use Simple Mail Transfer Protocol (SMTP) open relays (both anonymous and credentialed), Gmail, and Sendmail to send email. SET can also use standard email or HTML-based email to perform the phishing attack.

Let's consider a real-world penetration test targeting the company CompanyXYZ. You register a domain name similar to CompanyXYZ, say coompanyxyz.com. You then register the subdomain coom.panyXYZ.com. Next, you send a spear-phishing attack to the target organization, knowing that most employees only glance at email and will open any attachment that appears to be legitimate. In this case, we will send a PDF file-format bug to our target, like so.
root@bt:/pentest/exploits/set# ./set

Select from the menu:

 1. Spear-Phishing Attack Vectors
 2. Website Attack Vectors
 3. Infectious Media Generator
 4. Create a Payload and Listener
 5. Mass Mailer Attack
 6. Teensy USB HID Attack Vector
 7. SMS Spoofing Attack Vector
 8. Wireless Access Point Attack Vector
 9. Third Party Module
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit


Selecting option 1, Spear-Phishing Attack Vectors, opens the e-mail attack submenu:

Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (it is installed in BT4) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

 1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
 2. SET Custom Written Document UNC LM SMB Capture Attack
 3. Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
 4. Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
 5. Adobe Flash Player 'Button' Remote Code Execution
 6. Adobe CoolType SING Table 'uniqueName' Overflow
 7. Adobe Flash Player 'newfunction' Invalid Pointer Use
 8. Adobe Collab.collectEmailInfo Buffer Overflow
 9. Adobe Collab.getIcon Buffer Overflow
10. Adobe JBIG2Decode Memory Corruption Exploit
11. Adobe PDF Embedded EXE Social Engineering
12. Adobe util.printf() Buffer Overflow
13. Custom EXE to VBA (sent via RAR) (RAR required)
14. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15. Adobe PDF Embedded EXE Social Engineering (NOJS)
16. Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17. Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

Enter the number you want (press enter for default): 8
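The story above depends on two lookalike domains: coompanyxyz.com (a doubled letter) and coom.panyXYZ.com (a dot dropped into the name so that the registrable domain is really panyxyz.com). The following is an added example, not code from SET or from this chapter, that shows both sides of that trick: it generates the lookalike domains an attacker would register for a target name (so a defender can watch for their registration), and it scores sender domains against the protected domain so a mail gateway can flag the senders this attack relies on. The target companyxyz.com is the chapter's placeholder, lowercased; the sender list is constructed for the example; the edit-distance threshold of 2 is an assumption, not a SET setting.

```python
# Added example (not part of SET or this chapter): lookalike domains of the
# kind the spear-phishing story relies on, generated and detected.
# "companyxyz.com" is the chapter's placeholder target, lowercased.


def typosquat_candidates(domain):
    """Registrable lookalikes of 'name.tld' using the tricks in the text:
    doubled letters (coompanyxyz.com), omitted letters, swapped neighbours,
    and the subdomain-dot trick (coom.panyxyz.com), whose registrable
    domain is the suffix after the inserted dot (panyxyz.com)."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i in range(len(name)):
        if len(name) > 1:                                      # omission
            out.add(name[:i] + name[i + 1:] + "." + tld)
        out.add(name[:i] + name[i] + name[i:] + "." + tld)     # doubling
        if i + 1 < len(name):                                  # transposition
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
        if i > 0:                                              # subdomain-dot suffix
            out.add(name[i:] + "." + tld)
    out.discard(domain.lower())
    return out


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, protected, max_distance=2):
    """True when sender_domain is close to, but not, the protected domain.
    The registrable domain (last two labels) and the dot-stripped host are
    both compared, so coom.panyxyz.com is caught even though its registrable
    domain panyxyz.com is three deletions away from companyxyz.com."""
    s = sender_domain.lower().rstrip(".")
    p = protected.lower()
    if s == p or s.endswith("." + p):
        return False                       # the real domain or its own subdomain
    registrable = ".".join(s.split(".")[-2:])
    distance = min(levenshtein(registrable, p),
                   levenshtein(s.replace(".", ""), p.replace(".", "")))
    return distance <= max_distance


# Constructed sample senders for the example, not captured mail.
SAMPLE_SENDERS = [
    "hr@companyxyz.com",           # the real domain
    "it-support@coompanyxyz.com",  # doubled letter
    "payroll@coom.panyxyz.com",    # subdomain-dot trick from the text
    "newsletter@example.com",      # unrelated domain
    "ceo@mail.companyxyz.com",     # legitimate subdomain
]


def flag_senders(addresses, protected, max_distance=2):
    """Return the addresses whose domain is a lookalike of protected."""
    flagged = []
    for addr in addresses:
        _, _, dom = addr.rpartition("@")
        if is_lookalike(dom, protected, max_distance):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    target = "companyxyz.com"
    print(f"{len(typosquat_candidates(target))} lookalikes to watch for {target}")
    for addr in flag_senders(SAMPLE_SENDERS, target):
        print("suspicious sender:", addr)
```

The check covers the ASCII tricks the chapter uses; internationalized domain names with Unicode confusables (a Cyrillic 'o' in place of a Latin one) need a confusables table on top of edit distance, and the organization's own alternate domains (other TLDs, brand names) belong on an allowlist before this check runs, or they will be flagged too.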
