The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes

One of the hottest new tools in Backtrack 4 final is the Social Engineering Toolkit otherwise known as SET. The tool was written by a major contributor to Backtrack, David Kennedy (ReL1k). He is also a friend.  The homepage for SET is http://www.secmaniac.com/ and there is more useful information there.

I am particularly impressed by the new java applet function is SET ( Thanks Thomas Werth!) so I decided to do a quick demo of how it works. This has been tested on IE8 and Firefox, both fully patched and updated.

In order to follow this attack you will need a copy of Backtrack 4 final and it will need to be fully updated.

This can be done with apt-get update && apt-get upgrade in a terminal.

Once you are up to date, change directories in to the /pentest/exploits/SET directory:

2-22-2010-10-09-04-PM

The attack we are using is the Web Site Java Applet which is choice #2:

2-22-2010-10-09-04-PM

What we want to do is clone a existing website which is choice #2:

2-22-2010-10-10-37-PM

We need to enter the URL of the website we want to clone:

(In this case I am using xkcd.com which is a popular web comic)

2-22-2010-10-11-50-PM

Next we need to choose a payload:

(I will be using the meterpreter payload which is my favorite.  See this article for some tutorials on using meterpreter)

2-22-2010-10-12-21-PM

The next choice to make is the encoding:

(This is used to bypass pesky anti virus)

2-22-2010-10-12-50-PM

We can also select the number of times we want to encode the payload:

(I used 4 for the sake of the tutorial but its probably overkill)

2-22-2010-10-14-04-PM

Since we selected a payload which requires a reverse connection we need to enter a port for the listener:

2-22-2010-10-14-25-PM

Now just hit enter and let SET create the evil website:

2-22-2010-10-14-53-PM

If every thing went correctly you should be looking at a screen similar to this:

2-22-2010-10-15-20-PM

Now we need to get our target to visit our evil website:

(Its up to you how to do this, for simplicity we are just going to send a email)

2-22-2010-10-37-11-PM

Our unsuspecting  target checks his mail:

2-22-2010-10-40-31-PM

And opens the link in his browser:

2-22-2010-11-11-15-PM

Notice that at this point we are still at the local IP of our evil web server and there is a digital signature  error. This error is the only indication that this attack is taking place.

Once our target accepts the warning message, our payload executes on our attacking machine:

2-22-2010-11-12-21-PM

One of the coolest parts about this attack is that as soon as the target clicks on any of the links on the page, they are taken to the real page on the web and never know what happened:

2-22-2010-11-11-49-PM

GAME OVER

Share