Backtrack 4: Penetration Testing with Social Engineering Toolkit

Tuesday, June 29, 2010

Dan Dieterle


People do not understand how dangerous it is to click on unknown links in an e-mail or even on a website. Hackers disguise their malware and make it look very appealing: a video codec that you must install to watch a video you really want to see, or a web page that tells you that you have a virus and must install and run the latest online anti-virus scanner to remove it.

Doing either of these could place control of your machine in a hacker's hands. "But I have Windows 7 with the latest security updates and my anti-virus is up to date." That may not make any difference at all if you allow the program to run. "But it is really complicated and I need to make several bad choices in a row, right?" No, one wrong mouse click could be all that is needed. You don't believe me? I was once told by a security instructor that instead of trying to convince people that their systems could be at risk, you need to show them.

Backtrack 4 includes a program that you do not hear much about in the mainstream security media, but it is a penetration tester's dream. Under the Penetration menu is a program called the Social Engineering Toolkit (SET). If social engineering attacks for penetration testers could be made any simpler, I do not know how.

Okay, timeout for a disclaimer: This is for security professionals only, and should only be done in a testing environment (VMware images on a PC work great), never on a live network or on any machine that will be connected to a live network. Never run security checks or tools against a network you do not have authorization and written permission to test. Doing so could cost you your job and could land you in jail. The following is for informational purposes only; if you choose to try this, you do so at your own risk.

All right, follow along, this is really technical and there are a lot of steps. Okay, I am kidding, it is a really simple, menu driven process. And remember that this is a tool for the good guys; who knows what the bad guys are using. One last note: stop Apache first, because SET starts its own web server on port 80 and will not run if Apache already holds that port.

  1. Obtain and run Backtrack 4; the VMware image works great.
  2. Click the menu button and start the networking service (Backtrack 4 does not bring the network up by default). Then click Backtrack, then the Penetration menu, and finally Social Engineering Toolkit.
  3. This brings up the program menu; update both the Social Engineering Toolkit and the Metasploit Framework.
  4. I had to reboot my machine to get it to work right after the updates.
  5. Now choose main option 2 – Website Attack Vectors. (Notice option 3 – Infectious USB/CD/DVD Generator…)
  6. Next, choose option 1 – Web Templates, and let SET create a website for you. (Notice the option to clone a website to match the company you are doing the penetration test for…)
  7. Next is your choice of attack method; the Java attack works well, so choose 1 – Java Applet Attack Method.
  8. Next select 1 – Java Required. (Notice the other templates…)
  9. Next select the type of payload for the attack; I like option 2 – Windows Reverse_TCP Meterpreter.
  10. Next choose the encoder used to get past anti-virus. I have never had anything detect number 2 – Shikata_Ga_Nai with 3 encoding passes (the number of passes is the next prompt).
  11. Next choose the port for the Metasploit listener; 80 is the default, and I just hit enter.
  12. The next prompt is "Do you want to create a Linux/OSX payload too?" I answered no; my target is a Windows PC.

And that is it. The SET web server launches, and SET starts Metasploit to listen for incoming connections. On the victim's PC, just browse to the attacker PC's IP address and you will see the generic, rather plain test website that SET creates. It says something like the CEO is giving a presentation and you need Java installed and must run the Java applet that pops up to view the broadcast. Then a Java security warning about the applet's certificate pops up and, like any user, they trustingly follow the directions. Once they click "Yes" or "Accept", you have a Meterpreter shell on their PC.

  1. Back on the attacking PC, Metasploit reports the session that the user just opened to you.
  2. Type "sessions -l" and you get a list of the active connections, including the one to the target PC.

You now have access to the victim's PC. Use "sessions -i" followed by the session number to interact with the session. Once connected, you can use Meterpreter's built-in, Linux-style commands (ls, pwd, cd, download and so on) to browse the remote PC, or run "execute -f cmd.exe -c -H -i" to get a hidden, interactive remote Windows command shell.

That's it: one bad choice on the victim's side and security updates and anti-virus mean nothing. They can even surf away or close the web page, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and migrate the session into another process (Meterpreter's "migrate" command), effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network. Also, this type of attack, like advanced persistent threat (APT) attacks, most likely will not be detected by an IDS: the victim initiates the connection outbound, on a port (80 here) that the firewall already allows, and nothing in that connection matches a known exploit signature. This makes capturing and monitoring your network traffic critical. There are several ways to analyze traffic captures. The Kneber botnet (a Zeus variant) was discovered by traffic analysis with NetWitness software. Try out the Investigator version; it is free and works very well.
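What traffic analysis can actually key on here is that the session just described never looks like web traffic, even though it sits on port 80. The script below is an added example, not code from the original post, SET or Metasploit. It classifies constructed connection records (the first bytes each side sent plus the connection duration, the kind of summary a passive sensor produces) using three checks: an HTTP client always speaks first, but a reverse_tcp victim connects and waits for the listener; what a real browser sends on 80/443 is an HTTP request or a TLS ClientHello; and, as an assumption about the staged Windows reverse_tcp payload of that era, the listener answers with a 4-byte little-endian length followed by a stage that begins with the "MZ" header of the reflective Meterpreter DLL. The record format, host addresses, thresholds and sample records are all constructed for the example.

```python
"""Added example (not from the original post, SET or Metasploit): flag
connections on web ports that behave like a reverse shell calling home.

Checks, applied to constructed connection summaries:
  1. server-speaks-first : client sent nothing, server sent data first
  2. non-http-on-80      : client's first bytes are not an HTTP request
  3. non-tls-on-443      : client's first bytes are not a TLS ClientHello
  4. staged-payload      : ASSUMPTION about the Windows reverse_tcp stager:
                           4-byte LE length, then a stage starting with "MZ"
  5. long-lived          : a flagged connection that stayed up >= 10 minutes
"""
from dataclasses import dataclass
import struct
from typing import List, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
WEB_PORTS = {80, 443}
LONG_LIVED_SECONDS = 600            # assumed threshold, tune to the network


@dataclass
class Conn:
    """One TCP connection as a passive sensor would summarise it (constructed)."""
    src: str              # internal host that initiated the connection
    dst: str              # host it connected to
    dport: int
    client_first: bytes   # first application bytes the client sent (b"" if none)
    server_first: bytes   # first application bytes the server sent
    duration_s: int


def is_http_request(data: bytes) -> bool:
    return data.startswith(HTTP_METHODS)


def is_tls_client_hello(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def looks_like_staged_payload(data: bytes) -> bool:
    """ASSUMPTION: length-prefixed stage whose first two bytes are "MZ"."""
    if len(data) < 6:
        return False
    (length,) = struct.unpack("<I", data[:4])
    return data[4:6] == b"MZ" and 0 < length <= 16 * 1024 * 1024


def classify(conn: Conn) -> List[str]:
    """Return the list of indicators that fire for one connection."""
    findings: List[str] = []
    if conn.dport not in WEB_PORTS:
        return findings
    if not conn.client_first and conn.server_first:
        findings.append("server-speaks-first")
    elif conn.dport == 80 and conn.client_first and not is_http_request(conn.client_first):
        findings.append("non-http-on-80")
    elif conn.dport == 443 and conn.client_first and not is_tls_client_hello(conn.client_first):
        findings.append("non-tls-on-443")
    if looks_like_staged_payload(conn.server_first):
        findings.append("staged-payload")
    if findings and conn.duration_s >= LONG_LIVED_SECONDS:
        findings.append("long-lived")
    return findings


def scan(conns: List[Conn]) -> List[Tuple[str, str, int, List[str]]]:
    """Report only the connections that raised at least one indicator."""
    report = []
    for c in conns:
        found = classify(c)
        if found:
            report.append((c.src, c.dst, c.dport, found))
    return report


# Constructed records: a victim (10.0.0.5) fetching the SET lure page from the
# attacker (10.0.0.9), the reverse_tcp Meterpreter session that follows it,
# an ordinary TLS connection, and a plain command-shell callback on 443.
SAMPLE = [
    Conn("10.0.0.5", "10.0.0.9", 80,
         b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>", 2),
    Conn("10.0.0.5", "10.0.0.9", 80, b"",
         struct.pack("<I", 75776) + b"MZ\x90\x00\x03\x00\x00\x00", 1800),
    Conn("10.0.0.5", "198.51.100.20", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
         b"\x16\x03\x03\x00\x5a\x02", 5),
    Conn("10.0.0.7", "10.0.0.9", 443,
         b"Microsoft Windows [Version 6.1.7600]\r\n", b"whoami\r\n", 900),
]

if __name__ == "__main__":
    for src, dst, dport, found in scan(SAMPLE):
        print(f"{src} -> {dst}:{dport}  {', '.join(found)}")
```

The first record is the victim loading the lure page and is clean; the second is the Meterpreter callback and trips all three of the server-speaks-first, staged-payload and long-lived checks. The first two checks need only the first packet in each direction, so they work on any full-content capture without decoding the payload, which is the point the paragraph makes about capture-based analysis versus signature IDS.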

Cross Posted from Cyberarms.

Tammy Mock:

Dan,

We are trying to use this exploit in class and have so far failed. We have followed these steps exactly and have updated the steps as stated. We have changed the network topology and settings to try our own theories. We have tried direct connect, through a hub and crossover, and we tried wireless. Do you have any suggestions on how we may get this to work?

Thank you,
Tammy

Dan Dieterle:

Hi Tammy,

I had trouble myself getting this to work the first time and had to play with it quite a bit. On mine, updating and rebooting seemed to fix the problem.

We might be able to narrow down the problem some. Does SET seem to start its web service without errors? If SET seems to start up properly, you should be able to just open up Firefox on the attacker machine and put its own IP address in the address field.

If this part is working ok, you should see the test webpage come up. If not, there must be an issue with SET, or with Metasploit.

I hope this helps.

Dan
David Kennedy:

Dan,

Great article, looks great. I'm the creator of SET, not sure on the issues, just a heads up there's a massive rehaul of the Java Applet done in version 0.6 which is slated to be released in Vegas for the BSIDESLV conference this month. There was an issue with OSX/Linux based operating systems which is now fixed!

Thanks for the writeup, there's also step by step instructions at http://www.secmaniac.com.

-Dave
Dan Dieterle:

Dave,

Thank you for your comment. I just happened to stumble upon SET one day playing with Backtrack and was very impressed. I can't believe that you don't hear more about it. It's great! Definitely looking forward to the update.

Thanks again Dave,

Dan
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
