Social Engineer Toolkit – Website Attack How To

You are hopefully familiar with the Social Engineer website; if not, you're missing out, so go and visit.

They have put together excellent information on the art of social engineering, and have formed an awesome framework with input from many great people. I am sure a lot of people have read it, as I have heard people in the industry talking about it, but I don't often hear people talk about the social engineering tools.

In particular I am talking about SET (Social Engineer Toolkit).

The Social-Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack: one is utilizing Metasploit[1] payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open-relay, or Gmail integration to deliver your payloads through e-mail. The goal of SET is to bring awareness to the often forgotten attack vector of social-engineering.

I have heard good things about the tool, and ReL1K (David Kennedy) has done a cracking job of putting a nice tool together.

So if you're running a Linux distro and you want the tool, you can get it by simply fetching it with “svn co“. For this basic demo I am using Backtrack 4 Final, so it's already good to go. SET has various options, and can be configured in various ways. If this post is popular I will put something together to show this. However, this post is just to demonstrate a basic function, and to show how well it works and how simple it is to use, so that others are encouraged to give it a try.

So this is the situation. We are going to replicate a website, in this case I am going to use Twitter as an example. We then use some social engineering techniques (not demonstrated) to encourage our target to visit a site / IP we have set up, and then we are done. There are spear phishing capabilities in SET which will obviously provide a more automated attack vector, but for this demo we will assume it's done manually, or verbally influenced / encouraged.

So we are in our chosen Linux distro, connected to the Internet / network, and we make sure we have an IP address assigned. I am demonstrating this in my virtual lab with a BT4 Final box and XP SP3. I have also tested this same method on a physical BT4 box and a W7 box, with the same results.

So I assign an IP via DHCP.

Then we navigate to the folder that SET is installed in. In my case it's /pentest/exploit/SET/

Next, it's always good practice to make sure everything is up to date. ReL1K is an updating machine, so it pays to check 🙂 So we simply type ./update_set and it's confirmed I am good to go. You can also update from within the SET tool, and as Metasploit is also used here, it's worth making sure you are fully up to date there as well.

Now it's time to get down to business and kick off SET. We simply type ./set and away she goes.

As we can see SET has a few options at its disposal. We are going to take a look at the Website Attack Vectors, so we want option 2.

Again, more options are available. Because we are lazy we will let SET do the hard work and clone and set up a fake website. So again option 2.

We now need to select our attack vector. I know my lab machines are fully patched, so a browser exploit will most likely not be successful. So we go with option 1, the Java Applet Attack method. Then, remember we said we would clone Twitter, so we enter that as the site to clone.

It's now time to get our payload selected. I am a fan of reverse TCP meterpreter, so time for option 2 again.

Now we have the fun of encoding our payload to bypass AV. Shikata ga nai is an excellent encoder, but now we have the multi-encoding option, which I have found in my tests can be more successful at bypassing AV. So you guessed it, option 15 please 🙂 We will also need to define our listener port, so we will go with something creative: 4321

The encoding mojo does its thing.

We are asked if we want to create a Linux / OSX payload, but we don't need this here. So no thanks. The tool then goes ahead and sets up our fake site, and gets our listener up and running.

So now we have cloned a site, defined a payload, encoded it for AV bypassing and set up a web server for our cloned site. Simple huh. So now we are ready and waiting; we just need someone to go to our cloned site.

So I convince myself 🙂 that it would be a good idea to go to Twitter on a strange IP.
So we enter the IP of our SET hosting machine, and oh look, it's Twitter. Damn, I need to install some Java stuff (I believe this can be customised for a better convincer; remember we are doing basics here 🙂 It involves some more work and configuration.)

So we say yes, and assuming the AV bypass does its thing, we can see a session is created, and we are directed to the real Twitter site.

We connect to our session, and voila we have shell. The games begin.

So there we have it, a doddle right. A great job has been done on this tool to make it effective and child's play to use. I think it has a place as part of a pentest engagement, but it is also an effective awareness tool in anyone's organisation to demonstrate how these things happen in reality.

It is of course worth mentioning that not all AVs can be bypassed by all encoded payloads. In my testing I found that I was able to bypass Avast, but Microsoft Security Essentials was picking this attack up. I didn't mess about too much with different encoding variations, but you get the idea.

To demonstrate this to hopefully better effect, I uploaded the file to VirusTotal for analysis and you can see the results below. Fewer than half of the AVs used make the detection.

File java.exe received on 2010.03.02 20:51:30 (UTC)

Antivirus | Version | Last Update | Result
a-squared | - | 2010.03.02 | Trojan.Win32.Rozena!IK
AhnLab-V3 | - | 2010.03.02 | -
AntiVir | - | 2010.03.02 | -
Antiy-AVL | - | 2010.03.02 | -
Authentium | - | 2010.03.02 | W32/Rozena.A.gen!Eldorado
Avast | 4.8.1351.0 | 2010.03.02 | -
Avast5 | 5.0.332.0 | 2010.03.02 | -
AVG | - | 2010.03.02 | -
BitDefender | 7.2 | 2010.03.02 | Gen:Trojan.Heur.TP.cqW@bG50SGgi
CAT-QuickHeal | 10.00 | 2010.03.02 | -
ClamAV | - | 2010.03.02 | -
Comodo | 4091 | 2010.02.28 | -
DrWeb | - | 2010.03.02 | Trojan.Packed.447
eSafe | - | 2010.03.02 | -
eTrust-Vet | 35.2.7335 | 2010.03.02 | -
F-Prot | - | 2010.03.02 | W32/Rozena.A.gen!Eldorado
F-Secure | 9.0.15370.0 | 2010.03.02 | Gen:Trojan.Heur.TP.cqW@bG50SGgi
Fortinet | - | 2010.02.28 | -
GData | 19 | 2010.03.02 | Gen:Trojan.Heur.TP.cqW@bG50SGgi
Ikarus | T3. | 2010.03.02 | Trojan.Win32.Rozena
Jiangmin | 13.0.900 | 2010.03.02 | -
K7AntiVirus | 7.10.987 | 2010.03.02 | -
Kaspersky | - | 2010.03.02 | -
McAfee | 5908 | 2010.03.02 | Downloader-CCK
McAfee+Artemis | 5908 | 2010.03.02 | Downloader-CCK
McAfee-GW-Edition | 6.8.5 | 2010.03.02 | Heuristic.LooksLike.Trojan.Rozena.H
Microsoft | 1.5502 | 2010.03.02 | Trojan:Win32/Swrort.A
NOD32 | 4910 | 2010.03.02 | a variant of Win32/Rozena.AB
Norman | 6.04.08 | 2010.03.02 | -
nProtect | 2009.1.8.0 | 2010.03.02 | -
Panda | - | 2010.03.02 | -
PCTools | - | 2010.03.02 | -
Prevx | 3.0 | 2010.03.02 | -
Rising | - | 2010.03.02 | -
Sophos | 4.50.0 | 2010.03.02 | -
Sunbelt | 5729 | 2010.03.02 | -
Symantec | 20091.2.0.41 | 2010.03.02 | Suspicious.Insight
TheHacker | - | 2010.03.02 | -
TrendMicro | - | 2010.03.02 | -
VBA32 | - | 2010.03.02 | -
ViRobot | 2010.3.2.2208 | 2010.03.02 | -
VirusBuster | - | 2010.03.02 | -
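The scan listing above is the kind of thing a defender ends up eyeballing after an awareness exercise: which engines caught the sample, which passed it, and whether the vendors agree on what it is. The script below is an added example, not code from the original post or from the SET project. It parses the flattened report exactly as it appears above (the REPORT text is the post's own listing, copied line for line) and computes the detection ratio, the label a given engine assigned, and a crude consensus family name from the labels. The parsing rules are assumptions made for this example, not a VirusTotal format specification: the first token is the vendor, the YYYY.MM.DD token is the last-update date, anything between the two is a version string, and anything after the date is the detection label, absent when the engine passed the file.

```python
"""Summarise a flattened VirusTotal-style report (added example, not from the post)."""
import re
from collections import Counter

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Words that appear in labels but say nothing about the malware family (assumption).
GENERIC = {"trojan", "win32", "heur", "variant", "heuristic", "lookslike"}

# The post's own VirusTotal listing for java.exe, copied line for line.
REPORT = """\
a-squared 2010.03.02 Trojan.Win32.Rozena!IK
AhnLab-V3 2010.03.02
AntiVir 2010.03.02
Antiy-AVL 2010.03.02
Authentium 2010.03.02 W32/Rozena.A.gen!Eldorado
Avast 4.8.1351.0 2010.03.02
Avast5 5.0.332.0 2010.03.02
AVG 2010.03.02
BitDefender 7.2 2010.03.02 Gen:Trojan.Heur.TP.cqW@bG50SGgi
CAT-QuickHeal 10.00 2010.03.02
ClamAV 2010.03.02
Comodo 4091 2010.02.28
DrWeb 2010.03.02 Trojan.Packed.447
eSafe 2010.03.02
eTrust-Vet 35.2.7335 2010.03.02
F-Prot 2010.03.02 W32/Rozena.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.03.02 Gen:Trojan.Heur.TP.cqW@bG50SGgi
Fortinet 2010.02.28
GData 19 2010.03.02 Gen:Trojan.Heur.TP.cqW@bG50SGgi
Ikarus T3. 2010.03.02 Trojan.Win32.Rozena
Jiangmin 13.0.900 2010.03.02
K7AntiVirus 7.10.987 2010.03.02
Kaspersky 2010.03.02
McAfee 5908 2010.03.02 Downloader-CCK
McAfee+Artemis 5908 2010.03.02 Downloader-CCK
McAfee-GW-Edition 6.8.5 2010.03.02 Heuristic.LooksLike.Trojan.Rozena.H
Microsoft 1.5502 2010.03.02 Trojan:Win32/Swrort.A
NOD32 4910 2010.03.02 a variant of Win32/Rozena.AB
Norman 6.04.08 2010.03.02
nProtect 2009.1.8.0 2010.03.02
Panda 2010.03.02
PCTools 2010.03.02
Prevx 3.0 2010.03.02
Rising 2010.03.02
Sophos 4.50.0 2010.03.02
Sunbelt 5729 2010.03.02
Symantec 20091.2.0.41 2010.03.02 Suspicious.Insight
TheHacker 2010.03.02
TrendMicro 2010.03.02
VBA32 2010.03.02
ViRobot 2010.3.2.2208 2010.03.02
VirusBuster 2010.03.02
"""


def parse_line(line):
    """Split one row into vendor / version / updated / result (rules assumed above)."""
    tokens = line.split()
    vendor, rest = tokens[0], tokens[1:]
    date_idx = next(i for i, tok in enumerate(rest) if DATE_RE.match(tok))
    return {
        "vendor": vendor,
        "version": " ".join(rest[:date_idx]) or None,   # empty -> engine gave no version
        "updated": rest[date_idx],
        "result": " ".join(rest[date_idx + 1:]) or None,  # empty -> engine passed the file
    }


def parse_report(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detection_ratio(rows):
    """Return (engines that flagged the file, engines scanned)."""
    return sum(1 for r in rows if r["result"]), len(rows)


def result_for(rows, vendor):
    """Label a given engine assigned, or None if that engine passed the file."""
    for r in rows:
        if r["vendor"].lower() == vendor.lower():
            return r["result"]
    raise KeyError(vendor)


def family_hints(rows):
    """Count non-generic words across all labels; the top entry is the consensus family."""
    counts = Counter()
    for r in rows:
        for word in re.split(r"[^A-Za-z0-9]+", r["result"] or ""):
            w = word.lower()
            if len(w) >= 4 and w.isalpha() and w not in GENERIC:
                counts[w] += 1
    return counts


if __name__ == "__main__":
    rows = parse_report(REPORT)
    hit, total = detection_ratio(rows)
    print(f"{hit}/{total} engines flagged java.exe")
    print("consensus family word:", family_hints(rows).most_common(1))
    print("Avast:", result_for(rows, "Avast"), "| Microsoft:", result_for(rows, "Microsoft"))
```

Run as-is it reports 14 of 42 engines flagging the file, Avast passing it while Microsoft labels it Trojan:Win32/Swrort.A (matching the Avast versus Microsoft Security Essentials observation in the post), and "rozena" as the word the detecting vendors most often agree on. The same parser works on any report pasted in this vendor / version / date / label shape; feed it a later rescan of the same file to see how the ratio moves as signatures catch up.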

12 Responses to “Social Engineer Toolkit – Website Attack How To”

  1. Andrew Waite says:

    Nice work as usual.

    Looks like the SET framework has improved and expanded a lot since the last time I looked at it. Will need to brush the dust off and get it updated, particularly like the look of the automated website cloning, just takes all the hard work away.

    Andrew Waite

    (p.s. Like the new site graphics, brighter than before.)

  2. Dale says:

    It's certainly got it going on, I highly recommend people take a look and decide for themselves though.
    Thanks for the comments on the site update too, it's much appreciated. I like it 🙂

  3. Zuk says:

    Nice read! well done!
