Wednesday, March 30, 2011

Social Engineer Toolkit

The Social-Engineer Toolkit (SET) is a toolkit that quite thoroughly demonstrates the fact that people, not technology, are the weakest links in a security system. Social engineering itself is the practice of manipulating people in order to get what you want. SET combines this approach with varying vectors, such as SMS, web browsers, and USB drives. We’re going to go over these features and show you what the SET is all about.

Select from the menu:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Update the Metasploit Framework
9.  Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

When you first start SET, you are presented with a main menu listing the different attacks you can run. I’m going to start with option 1, Spear-Phishing Attack Vectors.

Spear-Phishing Attack Vectors

There are three options here: Mass Email Attack, FileFormat Payload, and Social Engineering Template.

Mass Email Attack

The mass email attack allows you to send emails to a list of addresses, each with a PDF attached that has an exe embedded in it. First, you need to turn SENDMAIL to ON in set/config/set_config. Next, open SET back up and select Mass Email Attack. Once opened, the PDF runs the exe, which can be used to open a backdoor on the system via Metasploit. You are first asked which exploit you want to use to run the exe. Next, you select the payload, courtesy of Metasploit. Depending on the payload, you will need to enter your IP and port for the reverse TCP connection. The PDF is then generated, and the email addresses you specified receive a custom email complete with the backdoored PDF attached.

FileFormat Payload

The FileFormat Payload vector is basically the same thing as Mass Email Attack, minus the email. It outputs the malicious file, which you can then distribute yourself.

Social Engineering Template

The Social Engineering Template allows you to construct a template to be used with SET, and emails it to the SET developers for consideration in future versions.


Website Attack Vectors

Option 2 is the Website Attack Vector, which contains all of the browser-based attacks.

Java Applet Attack Vector

The first, and in my opinion most impressive, is the Java Applet Attack Vector. Basically, this runs a custom Java applet when the URL is opened, and instantly creates a Meterpreter/shell session on the victim. To enable the Java applet, you first need to go to line ~48 in set/config/set_config and change SELF_SIGNED_APPLET to ON. Next, open up SET and select Java Applet Attack Vector. From here, you have two options: the Site Cloner or Custom Import. The Site Cloner will actually download the page you are trying to emulate and inject the malicious applet into it. Custom Import allows you to import your own HTML and inject the applet there. After filling in the appropriate details, SET sets up a local webserver hosting the applet and the corresponding page, and Metasploit takes care of everything after the social engineering succeeds.

This is a very convincing attack, since most users will automatically click “Trust Applet” whenever it pops up, especially if it is signed (via SET’s self-signed applet feature) by a “legitimate” source. Moral of the story? Don’t run Java applets unless you a) are expecting one, and b) trust the site it is hosted on.

Credential Harvester Attack Method

This feature sets up a username/password harvester by downloading a copy of the target site and reworking the form structure so that everything entered is captured and saved by the attacker. Since it makes an exact copy of the site in question, it is rather convincing, and it even has the bonus feature of redirecting the user to the actual website after the credentials have been stolen, reducing suspicion. One way to avoid falling for this one is to make sure you look at the URL before submitting anything. That includes checking sub-domain usage, since this can easily be used to trick victims into giving up information.
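The two checks recommended above (is the page really served from the site it claims to be, and do its login forms post back to that site, or to a lookalike host with the brand name as a leading subdomain) can be automated. The following is an added example written for this post, not part of SET; the page URLs and the CLONE_HTML sample are constructed, and the legitimate domain is an assumed input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class _PasswordForms(HTMLParser):
    """Collect the action attribute of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._action = None   # action of the form currently being parsed, if any
        self._has_pw = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._has_pw = (a.get("action") or ""), False
        elif tag == "input" and self._action is not None:
            if (a.get("type") or "").lower() == "password":
                self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form":
            if self._has_pw:
                self.actions.append(self._action)
            self._action = None


def host_belongs_to(url, legit_domain):
    """True only if the URL's host is legit_domain itself or a real subdomain of it.
    'example.com.evil.test' and 'user@evil.test' tricks both fail this check."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


def check_login_page(page_url, html, legit_domain):
    """Return a list of problems found with a login page; empty means it looks right."""
    problems = []
    if not host_belongs_to(page_url, legit_domain):
        problems.append("page served from " + (urlparse(page_url).hostname or "?"))
    parser = _PasswordForms()
    parser.feed(html)
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions resolve against the page host
        if not host_belongs_to(target, legit_domain):
            problems.append("password form posts to " + (urlparse(target).hostname or "?"))
    return problems


# Constructed sample of a cloned login page: the form posts back to whatever host serves it.
CLONE_HTML = """<html><body><form action="/login.php" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""
```

Run against the same HTML served from a lookalike host and from the real one, check_login_page flags the clone twice (page host and form target) and returns an empty list for the genuine site.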

Teensy USB HID Attack Vector

This vector uses a USB dongle, the Teensy, in order to act like a physical keylogger on a system. SET outputs an Arduino (microcontroller) sketch containing the payload, which is then uploaded to the Teensy using the Arduino software. This vector drives home the point about physical security: as long as a system can be physically accessed, it really isn’t safe.

SMS Spoofing Attack Vector

This vector uses an online service to send a spoofed/custom SMS text message to a number of your choosing. This one is especially interesting, because it hits upon another medium that hasn’t been completely tapped into yet: mobile devices. People usually don’t question whether a message that appears to come from a number really came from that number.

That pretty much sums up the Social-Engineer Toolkit. Overall, it’s a very interesting example of how human error and technical weaknesses can work together in very destructive ways. As always, make sure you don’t use any of the information posted on here for purposes that would be considered questionable, or illegal.