Social Engineering with SET

    Introduction

    The Social-Engineer Toolkit (SET) is a social engineering tool written by David (ReL1k). It can be used to perform a number of social engineering attacks with minimal effort. SET can be combined with Metasploit to additionally use Metasploit's powerful post-exploitation features. The tool can be driven through a web interface or the command line.
    Prominent Uses
    • Gathering credentials
    • Spawning shells through browser exploits
    • Mass mailing of malicious payloads to spawn shells
    • Shells via USB autorun
    • Anti-virus evasion through payload encoding
    Methods for Social Engineering
    • Credential harvesting by spoofing a website's identity
    • Browser tabnabbing
    • Dropping a Java applet payload
    • Metasploit payload delivery using USB
    • Custom email templates and payloads
    • Wireless attack using a rogue access point setup
    These modes can be used to perform a social engineering attack on a victim. A combination of them can make the attack more convincing.

    SET Attack Vectors
    Spear-Phishing Attack Vectors
    Can be used to send single or mass emails with malicious attachments. The malicious file is generated using the FileFormat payloads, and custom email messages can be created to carry it.
    Website Attack Vectors
    Compromises the victim through a number of web-browser-based attacks. The vector options include:
    • Java Applet payload execution
    • Credential harvesting by website cloning
    • Credential harvesting by tabnabbing
    • Metasploit’s browser exploits

    Infectious Media Generator
    Used to generate a Metasploit exploit payload, with options for archiving (zip or rar) and a specific file type (doc, xls, ppt etc.). The generated attachment can be copied to a CD/DVD/USB. Once the CD/DVD/USB is inserted, it executes the exploit (if autorun is enabled).
    Teensy USB HID Attack Vector
    This attack vector depends on Teensy hardware. The Teensy device is programmed to be detected as a keyboard rather than a USB storage device, thus bypassing USB restrictions. Once the Teensy is connected to the victim's machine, the custom commands stored on the device are executed.
    SMS Spoofing Attack Vector
    The SMS spoofing attack vector can be used to spoof and send SMS messages to one or more victims. The delivered message contains a malicious link to steal credentials or to perform other attacks by coaxing the user.
    Wireless Access Point Attack Vector
    Can be used to set up a rogue wireless access point, spoof DNS and redirect all traffic to the attacker.
    Third Party Modules
    This attack vector consists of a third-party module, RATTE (Remote Administration Tool Tommy Edition), which is an HTTP tunneling payload. It can be used in the same way as the website attack vectors, with the added advantage of getting past security mechanisms such as a local firewall and IPS.
    Attack Scenario
    The attacker creates a malicious link to a clone of https://gmail.com that is stored locally on the attacker's server. The victim browses to the link and the replica of gmail.com opens. This triggers delivery of the Java applet payload to the victim's browser. The victim is asked to accept the Java applet's warning; after the victim accepts, the payload is executed. The payload opens a connection back to the attacker's IP address and port, where the attacker has set up a listener to receive it. The attacker can now remotely capture keystrokes, upload a backdoor and open a command shell.
    Demo
    Step 1: The attacker crafts a malicious link using the following features of SET:
    • Web site phishing attack vector
    • Java Applet method for payload execution
    • SET custom shell with reverse TCP connection
    • Gmail as cloned web site
    Step 2: The attacker entices the victim to browse to the malicious link. The link loads the cloned website (Gmail).
    Step 3: The victim browses to the link. The opened website is a replica of Gmail.com (but with the attacker's IP address in the URL). This triggers delivery of the payload to the victim's browser (in the form of a Java applet).
    Step 4: The attacker has already started the listener on their machine to receive the connection when the victim browses to the page and runs the payload.
    Step 5: The victim accepts and runs the payload. The payload creates a connection back to the attacker's machine, and the attacker is presented with a SET custom shell. As soon as the victim enters credentials, the site redirects to the original website (i.e. gmail.com). A number of activities can now be performed on the victim:
    • Keylogging
    • Uploading backdoor
    • Download file
    • Command Shell
    • reboot
    • Kill process
    • Grab system
    • Run persistent backdoor
    Step 6: The attacker runs the persistence command on the victim's machine. This command initializes and starts a randomly named service and creates a backdoor on the victim's machine. The attacker can specify the IP address and port number to which the service (started on the victim's machine) will try to connect back.
    The persistence feature is very useful when the attacker wants to connect to the victim's machine from a different IP address. The started service (on the victim's machine) sends a connect request to the attacker's IP address every 30 minutes, giving the attacker access to the victim's machine at any time.
    When the attacker's activity is over, the "removepersistence" command can be used to stop and remove the started service on the victim's machine.
    Step 7: Additionally, the attacker can start key logging on the victim's machine with the "keyscan_start" and "keyscan_dump" commands.
    If at any stage of the exploit an anti-virus product detects or interferes with the attacker's activity, the "kill" command can be used to kill the process corresponding to the anti-virus.
    Also, the "local admin" or "domain admin" commands can be used to create users on the victim's machine.
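    A defender-side counterpart to the demo above, added here as an example (not part of the original post or of SET): over constructed proxy and firewall records it flags a brand-titled page served from a bare IP address (the cloned Gmail of step 3) and a flow that reconnects at a fixed interval, as the persistence service of step 6 does every 30 minutes. The address 203.0.113.7 is a placeholder for the attacker's server, and the record layouts and jitter threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy records: (timestamp, client, host, path, page title).
# 203.0.113.7 is a placeholder for the server hosting the cloned page.
PROXY = [
    ("2011-05-02 09:01:10", "10.0.0.5", "mail.google.com", "/mail/", "Gmail"),
    ("2011-05-02 09:03:42", "10.0.0.5", "203.0.113.7", "/index.html", "Gmail: Email from Google"),
    ("2011-05-02 09:03:50", "10.0.0.5", "203.0.113.7", "/applet.jar", ""),
    ("2011-05-02 09:10:00", "10.0.0.9", "198.51.100.3", "/status", "Printer status"),
]

# Constructed firewall records: (timestamp, src, dst, dport). The first flow
# reconnects roughly every 30 minutes; the second is ordinary irregular traffic.
CONNS = [
    ("2011-05-02 09:05:00", "10.0.0.5", "203.0.113.7", 443),
    ("2011-05-02 09:35:02", "10.0.0.5", "203.0.113.7", 443),
    ("2011-05-02 10:04:59", "10.0.0.5", "203.0.113.7", 443),
    ("2011-05-02 10:35:01", "10.0.0.5", "203.0.113.7", 443),
    ("2011-05-02 09:07:00", "10.0.0.9", "198.51.100.3", 443),
    ("2011-05-02 09:09:30", "10.0.0.9", "198.51.100.3", 443),
    ("2011-05-02 11:40:00", "10.0.0.9", "198.51.100.3", 443),
]

def brand_pages_on_raw_ip(records, brands=("gmail", "google")):
    """Pages whose title names a brand but that were served from a bare IPv4
    host: the cloned login page is fetched by IP, never by the brand's domain."""
    return [(client, host, path) for _, client, host, path, title in records
            if IPV4.match(host) and any(b in title.lower() for b in brands)]

def periodic_callbacks(records, min_events=3, max_jitter=0.05):
    """Flows that reconnect at a near-constant interval, as a persistence
    service calling home every 30 minutes would. Returns {flow: minutes}.
    Jitter is the standard deviation of the gaps relative to their mean."""
    by_flow = defaultdict(list)
    for t, src, dst, port in records:
        by_flow[(src, dst, port)].append(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"))
    found = {}
    for flow, times in by_flow.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_events and mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            found[flow] = round(mean(gaps) / 60, 1)  # mean interval in minutes
    return found
```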
    Extended Usage
    The functionality of SET can be extended further using advanced features such as:
    • USB payloads using autorun
    • Fake access point creation and traffic redirection with the wireless attack vector
    • Using Teensy to execute custom payloads (where USB storage is disabled)
    • Mass mailing self-created attachments with payloads
    Conclusion
    The Social-Engineer Toolkit is a powerful tool for a penetration tester or security enthusiast. It includes social engineering attack vectors ranging from malicious links, email templates and custom payloads to tabnabbing and wireless attacks. It supports a variety of payloads and shells (Meterpreter or the SET custom shell).
    This article was originally published in blog: Social Engineering with SET started by sohil_garg
    Comments (4)
    AnArKI:
      Thanks Sohil,
      Guys join me in welcoming Sohil to garage.... Sohil is one of my colleagues... a good pentester and security researcher.
    fb1h2s:
      Hey thanks a lot Sohil, welcome to garage.
    b0nd:
      Welcome aboard Sohil, enjoy your stay.
    sohil_garg:
      Hi All.....
      Thanks for your welcome. I will continuously try to add value to garage....