Unless you don’t follow the Infosec/Social engineering scene you should know what the Social-Engineering toolkit is, and that a new version was  release today, version 0.7 aka “Swagger Wagon”. However since I am really happy that I have a new version to play with I will try to assist anyone that’s new to SET by pointing you in the right direction to get you started and by sharing a bit of information on how the project got started.

I did a post a few weeks back on using version 0.6.1 to exploit the Microsoft windows OS DLL flaw which you can view here. However today’s posting is all about the new features that you are getting with version 0.7, what has been fixed and a mini interview with the creator of SET none other than Mr David Kennedy aka ReL1k.

For a quick recap..

What is SET?

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

New features and bug fixes :

* Fixed the NAT/Port FWD descriptions to be a little bit more descriptive
* Bug fixes on payload gen with x64 bit payloads in Metasploit
* Added new Multi-Attack Payload option to utilize multiple attack vectors
* Incorporated Multi-Attack into each web attack vector
* Added a PID management system in SET for stray processes
* Cleaned up payloadgen code and SET code to reflect new multiattack changes
* Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team
* Fixed an issue with ARP Cache defaulting, it should now poison everyone
* Added better error handling within the SET menus, still needs a bit more work
* Cleaned up color schema and removed old code
* Added the Adobe CoolType SING Table ‘uniqueName’ Overflow zero day from Metasploit in spear  phishing
* Added two more Teensy based payloads, thanks Garland!
* Added HTML support for Spear-Phishing Attack Vector
* Added HTML support when WEBATTACK_EMAIL=ON for web attack vector
* Added the Adobe Cooltype SING Table Overflow zero day for browser exploit
* Added the new SET User Manual to readme/. This is a big update and has updated content for 0.7
* Fixed a simple yes or no answer when requirements for SET were not met

If you are new to SET you should start here:

1. http://www.secmaniac.com/
2. http://www.social-engineer.org
3. IRC.freenode.net #social-engineer
4. http://www.vimeo.com/14837669
5. http://www.offensive-security.com/metasploit-unleashed/SET

Mini interview with SET’s creator David Kennedy aka “ReL1k”:

Question: Do you think social engineering is a growing threat or would you say its something of the pass?

Answer: Social-Engineering has always been problematic however it is ever increasing because of the controls put in place on the external perimeter. Your typically not seeing the same types of attacks externally facing as you once were. This is a good thing and a testament that security is starting to work in the industry however, with social-engineering you face a whole new slew of problems.

Q: Where did the name SET came from?

A: Me and Chris from social-engineer.org were sitting on skype talking about making a tool, kind of just came to mind and stuck with it.. We never had any idea it would get this big.

Q: What made you start this project?

A: When Chris Hadnagy (loganWHD) was starting up social-engineer.org, we were sitting there talking and came to the conclusion that there really was no penetration testing tools out there dedicated to social-engineering. We knew the effects of social-engineering and how easy it was, but there was nothing out there to help aid in testing social-engineering.

Q:Who was your intended audiences for this framework?

A: I try to keep SET as easy as possible, you have the basic setup, but then you can customize and do more advanced setup based of your needs. It’s really intended for super technical folks as well as hobbyists.

Q: What other framework like this can SET be compared too?

A: I’m not sure there are other frameworks out there that can be compared to SET, it’s specially designed to Social-Engineering, not something that’s really out there. SET can’t be compared to something like a exploitation framework like Metasploit who has full time commitment and years of maturity with some of the most brilliant minds in the industry. But someday hope SET will reach that level on the social-engineer side.

Q: Do you plan on commercialising this project at any point in time and start charging for its use?

A: Never, SET will always remain free and open source. That has always and will always be my goal. *Awesome answer *

Q: What was the total number of downloads for version 0.6.1?

A: SET v0.6.1 has over 1.3 million downloads last time I checked. These are unique IP addresses, not downloads over and over again. I think that’s awesome in some fashions, but scary in another…

Q: What are a few of your favorite features in this new version?

A: The multi-attack is awesome, the ability to load multiple attack vectors in one, then have multiple attacks targeted at a victim. The webjacking is really awesome too, it’s a really convincing attack.

Q: What inspired your new code name for the this version?

A: Well 0.6 was inspired on my favorite drink, Arnold Palmers. This drink for some reason gets me to spit out thousands of lines of code effortlessly. Now in 0.7 (swagger wagon), me and my wife recently added two twins to our household and bought a mini-van, so the family was the influence for this version code name . *I think the should give you a free case for saying that *

Q: What’s the best way someone can contribute to this project if the have ideas and suggestions?

A: Email is the best route, I really try to take every one’s recommendations and if it fits, incorporate it into SET. You can always find me on IRC as well on #social-engineer.org. Or like Kos did, he sent me his python code and I worked it into the 0.6 version of SET. I’m always looking at improving SET and making it better, it wouldn’t be anywhere near where it is now without the help of everyone contributing with bug fixes, ideas, and additions.

So there you have it, a new version is out if you haven’t had a chance to play with older versions now is your change at the new and improve version. I am sure in  few months I will be doing another blog posting if ReL1k keeps drinking those “Arnold Palmers” . Go get your copy, send in your sample codes, report your bugs, and lets make this version hit over 2M downloads.

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

HD Moore stated “While working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The  Acros advisory on the 18th threw a wrench into this process.

Microsoft later release the following details  in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

Demo Time with SET… Thanks to Dave for his wonderful video that he posted this afternoon, I can now use this as my base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform. You can download the Social-Engineering Toolkit through subversion by simply typing this in Back|Track 4 or any other Linux OS.

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However BT4 now comes with SET located under /pentest/exploits/set, from here you can simply launch SET with a ./set and get your latest updates by selecting option 8.

SET can do tons of cool stuff and I have included a few links at the end of this post that explains them in details, and I have a few post to come that will also go into some more details. However for todays demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack4 you can find SET located under /pentest/exploits/set, you can launch it with ./set and as stated above select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected Option 2 or “Web Attack  Vectors” which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more “The Metasploit Browser Exploit Method” this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner” this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from, today we will be picking option 1 “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are giving several options, I choose option 2 “Windows Reverse_TCP Meterpreter“, this payload  will spawn a meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types if you are not certain select enter to choose the defaults, or find a semi-complete list over at exploitdb . At this point the malicious iframes are infected into the cloned website and awaits your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer,we are choosing option1 this option will allow you to send an email to one individual person. Once you are done you have to choose who you would like to send the phishing email too, and who is your sender lastly figure if you would like to use Gmail, your own mail server or some open relay server.

Next think of something clever as a email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates kindly click to verify you can access this test link. After you are finish click Ctrl + C and hit enter to complete this step. You will then receive a message stating that SET has already sent the email. Now is just a matter of waiting on your victim to click the email and check out the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, the  will be presented with the cloned site at first then the exploit will begin doing its thing in the background. Shortly after the user will be presented with a network share with the vulnerable files. After opening up the file  it  its Game Over.

Since the initial reporting of this issue, many researchers have came out with several ways of doing this so far some of my favorites are:

• Using msfconsole courtesy of the guys HDM in this post.
• Using msfpayload courtesy of Matt over at http://www.attackvector.org/alternative-dll-hijacking-method/
• Yet again Matt demoing using msfpayload + autorun usb stick  http://www.attackvector.org/autorun-dll-hijacker-usb-stick/

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file, however using the standard method I successful exploited both windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

Today one of our faculty member forward an email to our help-desk and indicated we take a look at it because it might be a phising/spam email, you can only image how happy that made me. Now in the past we have had cases where people would reply to these type of emails and receive more  spam in the process, or worst, “give their credentials away” but that was not the case today.

Below is an image of the email that was received today.

Fig-1 Phising Email

Now the first thing that I found funny about this email is the fact that the phone number for tech support was an IP Address, maybe the overlooked that one or it was done out of humor either way it set off some flags for me and it should for anyone that receives an email like this.

Once I identified the email as a phising attempt to harvest login credentials I got curious and decided to load Firefox within sandboxie and clicked on the link in the email to see what it would do.

Fig-2 Firefox Untrusted Error

Now after clicking on the link in the email I was redirected to www.eformit.com , which triggered a FireFox error because Firefox was unable to confirm that my connection to the site was secure. Since I was in search of seeing where the link would take me I went ahead and added the certificate and continued. In general if you ever get this error you should never add the certificate but instead close out your browser and do some research on the site in question.

Next I went ahead and examine the server SSL certificate and realized that it expired a few days ago, that’s another reason that would tell me this site was bad business, but since I already knew that I proceeded all the same.

Fig-3 Expired Cert

Now on to the next portion of this journey, after clicking on the link I was taken to a website with a very contradictory notice, “we will never send emails to users requesting email account information” however that’s exactly what the page is asking you to type in.

Fig-4 Credentials harvesting form

Now lastly after filling in my email and password , I was redirected to a parking page filled with cheap advertising another sign of trouble.

Fig-5 Redirected page

Additional information courtesy of  http://anubis.iseclab.org a very useful source for analyzing uncertain files and URL’s.

Fig-6 Additional network analysis information

In the end its always important to train your users to identify what a good or bad email look like and what your network policies are for these type of emails. Also when in doubt load-up your sandbox and have some fun.

References

http://scanner.novirusthanks.org/

http://anubis.iseclab.org

http://www.sandboxie.com/