Jump to content

Social Engineering Toolkit Webattack Vectors


na1
 Share

Recommended Posts

I recently started expirmenting with SET on my penetration testing network, and I have been unable to get the web attack vectors option to work. I run through the options correctly, I get a msf handler set up, but when I try to navigate to the web page on my victim machine nothing ever happens.

Let me break it down:

Everything is ran in Virtual Box!

Attacker Machine: BT5R3

SET V3.7.1

(I believe I have modified my set config file appropriately to allow for this attack by turning WEBATTACK_EMAIL=ON.)

Victime Machine:

Windows XP sp2:

Browser: Firefox v14.0.1

I use the following options in SET to try to execute my attack:

1

2

1

2

(Fill all the fields with bob or w/e)

URL to clone: www.hulu.com

2

16

443

start sendmail: no

1

fill in victim email

fill in attacker email

flag message: no

Craft Email subject

opt for html message

craft email body

~~~~~

Press <return> to continue

[-] ***

[-] * WARNING: Database support has been disabled

[-] ***

SET then launcher msfconsole and starts a handler waiting for the connection from the victim machine.

If anyone has any insight on what I am doing wrong I would really appreciate it. SET seems really interesting and I look forward to expirimenting with it more. Unfortunately, there doesn't seem to be a lot of good resources out there for learning about it.

Edited by na1
Link to comment
Share on other sites

I found a lot about SET and its' uses... have you tried social-engineer.org? You said ya looked around. I am sure the author of the tool can set ya in the right path. :) ...and if not... I am sure someone can help ya... (just learning linux so I haz no help)

Link to comment
Share on other sites

I have watched the videos on that site. I have two problems with them: They are very general how too videos that do not lend themselves to a deeper understanding of what is going on with the attack or the program. They are more like what I would make for a friend that doesn't know anything about hacking, not someone trying to understand the mechanics of a hack or a program. So their troubleshooting value is a zero. Secondly, none of his material covers anything past v.0.7, the current version is v3.7.1. It maybe the same program but you'll find that things can change dramatically.

For example: even though I have tried tweakin the config file to see if I have/had something wrong in there. There could be a setting some where that I don't have right that I am unaware of that may not of been present in the v0.7, but is present in 3.7.1. There appear to be numerous features relevent to the webattacks vector that are present in 3.7.1, but not present in any of his videos.

Right now, I just finished trying some of the other options on the web attack vector thinking that maybe it was just site cloning that was not working. Unfortunately nothing worked. I'm pretty stuck on this, kind of wondering if there is a bug in the current version, but there is no forum on the SE website or trustedsec.com.

Link to comment
Share on other sites

Stupid videos... just watched them myself... my SET worked right out the box. You have network connectivity and all that BS... right? Well, maybe there is a bug that just does not like your PC... sorry bud... I could make you some nice SETs/ Web Vectors... but that is next to useless...

Link to comment
Share on other sites

Use BackTrack 5 with SET, make sure its up to date, make sure the two networked machines can see each other and all port forwarding if necessary is in order. if behind NAT, forward ports appropriately. Also, if trying the Java exploits, the victim machine, needs to have Java installed, or they don't work. just a heads up.

Link to comment
Share on other sites

Well, I am sorry (no offense to you na1), but I do not click links... but I believe you are having problems...

/pentest/exploits/set# ./set-update

Updating the Social-Engineer Toolkit, be patient...

G config/set_config

U src/smtp/client/smtp_web.py

U src/smtp/client/smtp_client.py

U src/main/version

U src/html/spawn.py

U src/html/clientside/gen_payload.py

U src/html/web_server.py

U readme/CHANGES

U readme/CREDITS

Updated to revision 525.

The updating has finished, returning to main menu..

Does this help? Do you have Ubuntu as your primary OS? Windows is so damned buggy when it comes to VM-ing Linux. The structure of Windows is mental. I have been getting into Linux for just about a year now and feel that Microsoft really does just metaphorically rape its' consumers; all with YOU paying for dinner. Ubuntu takes it nice and slow, whispers sweet nothings into your ear;but when it wants to get freaky, you don't need to pay for her services (very bad metaphor but I think it illustrates my point). LAST CASE SCENARIO... reinstall the VM to a linux distro, then reinstall backtrack 5.

Link to comment
Share on other sites

You installed SET on a system that already had it installed?? I see it in /root, but if you did this, that probably hosed some things up.

SET comes PREINSTALLED and CONFIGURED for backtrack. You don't need to install it to root! BackTrack does not natively install a lot of things without customizing them specifically for backtrack due to how BackTrack works in general, its kernel and customizations made to work with everything thats already installed in it, which is why you should have used the already installed version of SET and work from there.

Before doing that, remove the one you installed.

Then do: apt-get update && apt-get dist-upgrade and let it run, will update your BackTrack and make sure you're current on the latest release.

When done, in your terminal, cd to "/pentest/exploits/set" and run the "set" from that directory. You can use the menu in set to update itself from there to the latest version of set, if its not already the latest. Its paths and setup should work out of the box though. You might need to read the documentation, on editing the configs too for certain attack vectors. Not sure if thing are all on out of the box, I recall some attacks have switches commented on/off, so read the documentation too, but most everything works out of the box in BackTrack.

Link to comment
Share on other sites

Dude you actually insinuated I installed SET on a system that already had a SET installed, after I clearly stated that I had removed set and then reinstalled it. Also, if you had ever used SET you would know that it isn't configured for BT5 at all. You have to go into the config file and set it up yourself.

Also, while in most circumstances, running "apt-get update && apt-get dist-upgrade," is a very valid troubleshooting step. However, R3 is less than three weeks old, and I already stated that I am running it. So how much value can we assume that updating my distro is going to add to our trouble shooting process? I don't want to disuade or discourage anyone from helping me, but if you're not going to read anything I post, or follow along at all I could do with out the comments. If all you're going to do is pop in and suggest some very mundane uninformed steps I could do with out it.

Also, your comment that, "most everything works out of the box in backtrack," just isn't true at all, if I had to guess you haven't dug very deep into what backtrack has to offer. Or hell, maybe you've just had phenomenal luck, what do I know.

What would be very helpful, is if someone tried to replicate my results on their own system. Or run it with the same settings and let me know they where sucessful.

I have updated my SET previously, I forgot to say that in here, I noticed that your version is sitting at 525 pwnd, while mine is sitting at 1488.

Are you using v3.7.1 as I am?

I am wondering if I pull an older version from sourceforge or some other site that it would proove more stable.

Link to comment
Share on other sites

I pulled that info from a blog with someone having a similar problem, that wasn't from my build... my build is the latest build, your build, 1488.... I am pretty upset you can't behold great toolset. When all else fails, ask the programmer... right?

Link to comment
Share on other sites

Dude you actually insinuated I installed SET on a system that already had a SET installed, after I clearly stated that I had removed set and then reinstalled it. Also, if you had ever used SET you would know that it isn't configured for BT5 at all. You have to go into the config file and set it up yourself.

Also, while in most circumstances, running "apt-get update && apt-get dist-upgrade," is a very valid troubleshooting step. However, R3 is less than three weeks old, and I already stated that I am running it. So how much value can we assume that updating my distro is going to add to our trouble shooting process? I don't want to disuade or discourage anyone from helping me, but if you're not going to read anything I post, or follow along at all I could do with out the comments. If all you're going to do is pop in and suggest some very mundane uninformed steps I could do with out it.

Also, your comment that, "most everything works out of the box in backtrack," just isn't true at all, if I had to guess you haven't dug very deep into what backtrack has to offer. Or hell, maybe you've just had phenomenal luck, what do I know.

What would be very helpful, is if someone tried to replicate my results on their own system. Or run it with the same settings and let me know they where sucessful.

I have updated my SET previously, I forgot to say that in here, I noticed that your version is sitting at 525 pwnd, while mine is sitting at 1488.

Are you using v3.7.1 as I am?

I am wondering if I pull an older version from sourceforge or some other site that it would proove more stable.

SET is already installed an configured on BackTrack 5 r3. The WEBMAIL option you turned on has nothing to do with why you cannot see your cloned site.

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y[/CODE]

will update most things, you need to

[CODE]cd /pentest/exploits/set/[/CODE]

and run

[CODE]svn update .[/CODE]

and it should update to the newest revision.

[CODE]
root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# svn update .
At revision 1488.
root@bt:/pentest/exploits/set#
[/CODE]

Your menu options above were missing IP information for YES/NO for NAT and other things.

[CODE]
cd /pentest/exploits/set/
./set
[/CODE]

[CODE]
1
2
1
2
"Are you using NAT/Port Forwarding?" no

set:webattack> IP address for the reverse connection: 10.1.1.197

set:webattack> Enter the url to clone: www.gmail.com

set:payloads>2

set:encoding>16

set:payloads> PORT of the listener [443]: [Enter]

msf exploit(handler) >
[*] Started reverse handler on 10.1.1.197:8081
[*] Starting the payload handler...


[/CODE]

Then I went to my XPSP3 VM and navigated to 10.1.1.197 and it showed the cloned site.

My XP Machine saw the cloned site but had and issue running the javascript.

http://pastebin.com/szHjQcxF

I have not changed anything in my SET config and even had to accept the EULA because I rarely use my BT Machine. It was a fresh install of BT5 R3.

Shifting gears, I would like to remind everyone that posts should be helpful to the best of your knowledge at that time. This is meant to be a helpful community and hostility will not be tolerated.

Link to comment
Share on other sites

I was just in my backtrack 5, did apt-get udpate, apt-get dist-upgrade, went to set directory, ran ./set asked me y/n to agree to terms, and it RAN. Not sure what you're on about, but I had NO problems runnign it strait from /pentest/exploits/set with ./set after updating everything! You removing a core part of backtrack to install on your own, was your own fault. Its already SETUP and comes with BackTrack, so you screwed the pooch on that one.

I challenge you, to go back to a fresh install or VM of bt5, any version, and without doing anything other than updates, cd /pentest/exploits/set and run ./set afterwards and tell me it doesn't run. setup.py doesn't need to be run, ./set will start it, prompt your compliance with terms y/n, and away you go.

Edited by digip
Link to comment
Share on other sites

Thank you for the reply Mr-protocol. i will try to follow what you did to replicate your results. I will post what I come up with.

By the way, he basically told you same thing I did.
Link to comment
Share on other sites

I am pretty sure it doesn't matter what directory it is ran out of. Regardless of the directory I have not experienced any error messages. My rig was allready fully updated and I had this problem before I uninstalled/reinstalled SET. I reinstalled as apart of the troubleshooting process. I have reinstalled and nothing has changed. I am not getting any error messages that would suggest my uninstalling/reinstalling has damaged anything. Besides, breaking stuff is how you learn how to fix it. So even somehow if that was the issue I would welcome the opportunity to fix it.

Everything seems legit on the attacker machine. The attack sets up exactly how it should, but regardless of what happens on the attacker machine, I am never displayed the cloned web page on the victim machine.

Yes, the two machines are on the same subnet, yes, they can communicate with each other. Yes I am using the IP address of the attacker machine for the reverse connection on the internal network I set up inside virtual box.

Link to comment
Share on other sites

Can you check if you can reach the page on the attacker machine itself? Make sure the web server is up by checking the page locally from backtrack. Make sure it works there first, and if not, check to see if there is a port number set for the web address in the config other than port 80, like say:


http://www.acmecoe.com:8081/
[/CODE]

Link to comment
Share on other sites

I took my laptop with me to work yesturday and ran the attack with some limited success. I was not able to execute the java applet attack, and still have not been able to do so. But I was able to execute a client side attack and gain access to the victim machine via meterpreter. I was only able to get a connection after spamming the reload button on the victim machine. Unfortunately, that looks like it was a one time only event. I know not every attack is going to be successfull all the time, but I haven't been able to duplicate my own success since the other night. When I navigate to the attacker machine from the victim machine the webpages either don't load right or don't load at all. If I select the "clone" option from SET, the page simply will not load. The listener will pick up the connection then all activity will stop, and the attack doesn't go through. If I use a template a garbled looking website will load up, with out any images and only entry fields. Again, the listener/handler from msf will pick up some activity, try to execute the attack but nothing will go through.

Link to comment
Share on other sites

Man, sounds like to me, that you might as well use Metasploits' Armitage. It's UI is beautiful, easy to understand, and seems to need less time configuring and more time spelunking. I know there are a bunch of arrogant asses (got an answer "What are you smoking earlier...") that peruse this site, on the flip side, there are some pretty talented people (the only reason I am still posting here). It seems more would rather have you look like an ass than help. If you want, you may also get a trial version of Cobalt Strike, Raphael Mudge's SET is all laid out in a GUI interface. Aside from networking, certain syntax, and security protocols, I couldn't help ya. I n00b linux... DOS I know, but Linux is still pretty fresh to me. Sorry bud...

Sudo apt-get install sorry_buddy

Link to comment
Share on other sites

It is what it is. I appreciate your help. I have mixed opinions on Armitage. I got my start fooling around with it, but in my humblest of opinions, I didn't feel like it lent itself to gaining a deeper understanding of what was being done. I spent a lot of time just clicking shit, not knowing what I was clicking/doing, and not a lot of learning was getting accomplished. Atleast, that is how I felt about it. Armitage is a pretty well put together product though.

I will try the SET interface inside armitage and see if I get the same results. Thank you for the suggestion.

Link to comment
Share on other sites

Man, sounds like to me, that you might as well use Metasploits' Armitage. It's UI is beautiful, easy to understand, and seems to need less time configuring and more time spelunking. I know there are a bunch of arrogant asses (got an answer "What are you smoking earlier...") that peruse this site, on the flip side, there are some pretty talented people (the only reason I am still posting here). It seems more would rather have you look like an ass than help. If you want, you may also get a trial version of Cobalt Strike, Raphael Mudge's SET is all laid out in a GUI interface. Aside from networking, certain syntax, and security protocols, I couldn't help ya. I n00b linux... DOS I know, but Linux is still pretty fresh to me. Sorry bud...

Sudo apt-get install sorry_buddy

No one is trying to make anyone look like an ass. In all seriousness we've been trying to help in this thread. The comment someone made to you on the wimax thread, was more or less because there is no consumer market equipment to speak on this spectrum yet and its probably years away from consumer trials. He could have been a little more delicate, but its also semi sarcastic of him and some people just come off that way. Most people here, truly do help others, and while I've had my share of run ins with trolls and people looking to be spoonfed answers vs doing the work themselves (NOT saying that about the op, just in general with other people and threads over the years) we for the most part do what we can to help and steer people in the right direction.

Not everyone here is an expert either, and while we're on the subject of SET, we're also not the SET forum. Dave has an official website, http://www.trustedsec.com as well as an IRC channel devoted to SET where questions like this, would be better served. Not even so much on the BackTrack forums would this help any more than it would here, but in general try the SET IRC channel on Freenode if you have serious issues. They would be the general group to field everything SET related.

Checkout irc.freenode.net #setoolkit

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...