Social Engineering Toolkit Webattack Vectors


na1

I took my laptop with me to work yesterday and ran the attack with some limited success. I was not able to execute the Java applet attack, and still have not been able to do so. But I was able to execute a client-side attack and gain access to the victim machine via Meterpreter. I was only able to get a connection after spamming the reload button on the victim machine. Unfortunately, that looks like it was a one-time-only event. I know not every attack is going to be successful all the time, but I haven't been able to duplicate my own success since the other night. When I navigate to the attacker machine from the victim machine, the web pages either don't load right or don't load at all. If I select the "clone" option from SET, the page simply will not load. The listener will pick up the connection, then all activity will stop, and the attack doesn't go through. If I use a template, a garbled-looking website will load up, without any images and only entry fields. Again, the listener/handler from MSF will pick up some activity and try to execute the attack, but nothing will go through.

If I hear you right, the Meterpreter listener sends the first stage of the payload, but never completes? Meterpreter staged payloads are pretty big, and lots of stuff has to happen right for it to work right. I've had AVs, particularly Avira (if I remember correctly), that somehow magically blocked everything past stage 1 of the Meterpreter payloads inside of Java apps but never flagged anything as malicious. Try turning your AV off, then try the attack again. You can also try to switch to a smaller payload like a simple shell. You should also go to your victim machine and run a reverse shell from a .exe to see if that executes as it should, so you can further narrow down if it's a Java issue, network traffic being blocked somehow, etc.

You'll have to elaborate on "the page doesn't load", but it'd be helpful if we know what server you're using (apache, httpd, etc.). You might also want to look at the config file for the server to make sure everything is in place, although most are fine out of the box. However, you should create a basic test page and see if your victim can view that; if so, move on to the next step, if not, troubleshoot why...

I also recommend you not use SET; it won't help you learn anything and will probably confuse a beginner. Try to manually set up the attack, learn how to clone the web page, learn how to get what you want inside of a Java app, etc. SET is written in Python, and generally speaking it's easy to read if you know basic Linux commands, even with no programming background, so if you browse through the SET source directory you can "trace" through exactly what's happening, and that should give you more insight as to why you are not having success.


Well, I assumed AV was still off.... because I turned it off. But I will go back and double-check. Other reverse TCP bind payloads do work.... I like your suggestion on manually running the attack. I could benefit from looking at the Java app; the other stuff I tend to deal with already on a daily basis (work).

If I read and understood the material from the SET page correctly, SET uses its own Python-based server unless you enable/set up the Apache server. I'm pretty sure I was using the default Python SET server.

I'll go back and look at some of your other suggestions as well.

~~~

No one is trying to make anyone look like an ass. In all seriousness, we've been trying to help in this thread. The comment someone made to you on the WiMAX thread was more or less because there is no consumer-market equipment to speak of on this spectrum yet, and it's probably years away from consumer trials. He could have been a little more delicate, but it's also semi-sarcastic of him, and some people just come off that way. Most people here truly do help others, and while I've had my share of run-ins with trolls and people looking to be spoon-fed answers vs. doing the work themselves (NOT saying that about the OP, just in general with other people and threads over the years), we for the most part do what we can to help and steer people in the right direction.

Not everyone here is an expert either, and while we're on the subject of SET, we're also not the SET forum. Dave has an official website, http://www.trustedsec.com, as well as an IRC channel devoted to SET where questions like this would be better served. Not even so much on the BackTrack forums would this help any more than it would here, but in general try the SET IRC channel on Freenode if you have serious issues. They would be the general group to field everything SET-related.

Check out irc.freenode.net #setoolkit

The BackTrack forums are all but dead. I did post there last week and still no response. Also, I have tried the SET IRC channel, repeatedly. The only thing I found was some Russian dude trying to send 30k emails for God knows what. This is the only place where I got any responses, and I have appreciated the assistance.


That post was not intended for you, Digip. I was asked what I was smoking when I found out about analog signals being open... just to be clear...
