One of the hottest new tools in Backtrack 4 final is the Social Engineering Toolkit, otherwise known as SET. The tool was written by a major contributor to Backtrack, David Kennedy (ReL1k). He is also a friend. The homepage for SET is http://www.secmaniac.com/ and there is more useful information there.

I am particularly impressed by the new Java applet function in SET (thanks Thomas Werth!), so I decided to do a quick demo of how it works. This has been tested on IE8 and Firefox, both fully patched and updated.

In order to follow this attack you will need a copy of Backtrack 4 final and it will need to be fully updated.

This can be done with apt-get update && apt-get upgrade in a terminal.

Once you are up to date, change directories into the /pentest/exploits/SET directory:

[screenshot]

The attack we are using is the Web Site Java Applet which is choice #2:

[screenshot]

What we want to do is clone an existing website, which is choice #2:

[screenshot]

We need to enter the URL of the website we want to clone:

(In this case I am using xkcd.com which is a popular web comic)

[screenshot]

Next we need to choose a payload:

(I will be using the Meterpreter payload, which is my favorite. See this article for some tutorials on using Meterpreter.)

[screenshot]

The next choice to make is the encoding:

(This is used to bypass pesky anti-virus software.)

[screenshot]

We can also select the number of times we want to encode the payload:

(I used 4 for the sake of the tutorial, but it's probably overkill.)

[screenshot]

Since we selected a payload which requires a reverse connection we need to enter a port for the listener:

[screenshot]

Now just hit enter and let SET create the evil website:

[screenshot]

If everything went correctly you should be looking at a screen similar to this:

[screenshot]

Now we need to get our target to visit our evil website:

(It's up to you how to do this; for simplicity we are just going to send an email.)

[screenshot]

Our unsuspecting target checks his mail:

[screenshot]

And opens the link in his browser:

[screenshot]

Notice that at this point we are still at the local IP of our evil web server and there is a digital signature error. This warning is the only indication the target gets that the attack is taking place.

Once our target accepts the warning message, our payload executes and the reverse connection comes back to our attacking machine:

[screenshot]

One of the coolest parts about this attack is that as soon as the target clicks on any of the links on the page, they are taken to the real page on the web and never know what happened:

[screenshot]

GAME OVER

41 Responses to “The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes”
  1. matrun says:

    Cool tutorial, dude; and a nice intro to SET. Backtrack for life :)

    purehate Reply:

    Thanks man, I always appreciate when people leave encouraging comments.

  2. bnistor says:

    This is very nice. It’s amazing how simplistic things have gotten over time. I will be trying this out, hopefully with great testing success. Thanks again purehate.

  3. scytale says:

    ^^ +1

    You always read about MITM attacks and I at least have always wondered how practical they were, given that you have to set up a convincing website, lure someone there, etc. As I'm getting into backtrack I'm realizing just how easy many of these exploits are to pull off given the expansive toolset it provides. I'm becoming totally paranoid about my own security. I've done some certs and I think that unless you actually start to use the tools that attackers use, it's largely just theoretical nonsense. You can follow security best practices and keep your systems patched, but I don't think you can really "get" security until you start playing with the offensive tools.

    Great work, although you’re making it a little too easy for the skiddies imo. :P

  4. James says:

    How can you install SET without backtrack?

    purehate Reply:

    I believe there are some instructions on Rel1k's website secmaniac.com, although there will be a lot of dependencies and file paths you will need to modify. It would be much easier to just use backtrack.

    James Reply:

    I found it and installed it, but metasploit isn't started automatically after creating the webserver.

  5. James says:

    OK, I got it, but is this normal?

    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.

    [-] Handler failed to bind to 192.168.1.11:4444
    [-] Handler failed to bind to 0.0.0.0:4444
    [-] Exploit failed: The address is already in use (0.0.0.0:4444).

    It works if they go to the site, but when I launch the exploit I get that.

    purehate Reply:

    That means you already have something running on that port. This happens if you do not properly kill the process which is bound to that port. Either kill the process or specify a different port every time you run the handler.

  6. rel1k says:

    Great tutorial pure|hate, you did a nice job explaining it thoroughly… you never told me you wrote this blog! :-)

  7. purehate says:

    Hey Rel1k, it's actually my best friend's site and I just started writing here with him. I really enjoy writing technical articles about anything that can help someone with computer issues. In case anyone doesn't put it together, rel1k is the author of SET.

  8. kuronity says:

    Nice work dude!

    I always appreciate your work!

    First of all, I'm new to Linux so I still don't understand how to do this, how to do that, etc., but after reading your tutorials (and others too) I started to understand Linux better.

    I would like to try the tutorials but I don't have supported hardware for injection, sniffing, etc. because it's hard to get those in here. But I managed to get an Alfa AWUS036H and Ubiquiti SR71E in 2 or 3 weeks. But the biggest problem is I have to finish my national exam first, so I still have to wait until it is finished.

    And one more: I'm going to buy a laptop, so could you help me choose between the Asus N61JV or Lenovo Y550P? I read your CUDA guides and I'm stuck choosing the right VGA because I'm afraid CUDA won't work (the M300 series).

    Thanks, without you maybe I'm still stuck on some easy problems :D

  9. Ian says:

    What does the attack do? Does it get a password or something from the target? What is the purpose of the fake website?

    purehate Reply:

    Ian, this is a replication of a hacker attack. The end result is normally a “shell” or command line control of the victim computer. The fake web site is showing how attackers on the web can easily create a fake web site and trick users into going there. Would you really notice if you were going to ebbay.com rather than ebay.com if the site looked exactly the same?

  10. Ian says:

    Okay, I get what you're saying. Except when I try this out, everything goes perfectly, and when I open the IP address that is the "evil" website on my laptop, it just goes to the website without the pop-up. And when I come back to bt4 on my computer, nothing has changed. Oh, and thanks for a great tutorial (or whatever you want to call it), it's the best one I've found on the web.

    Manaan Reply:

    You probably don’t have java installed. I ran into the same problem with the XP vm I was using to test this.

  11. eagle77 says:

    Has anyone tested the exploit on a Mac? It does not seem to work for me. Tried everything.

    Social Engineer Toolkit Reply:

    I have tested this on Mac and Linux. It works, but you need to set the correct payload. Meterpreter is only for Windows. If you’re interested in a tutorial, here’s the Social Engineer Toolkit Tutorial.

    Social Engineer Toolkit Reply:

    I forgot to mention, you might also want to check out the Metasploit Tutorial from the same site.

  12. I hate the phishing emails. These people seem to get more determined by the day; I receive 2 or 3 on a daily basis and submit them to phishtrackers, a web site I recently found that allows you to report them anonymously.

  13. Manaan says:

    What’s the command to connect once the session is open? I’m stuck with an open session and no idea how to connect.

  14. purehate says:

    sessions -l will list the active sessions, and then sessions -i (number of session)

    So if you only have one session it would be sessions -i 1

  15. lotas says:

    Is this possible to use over a wide area network or is it only for local purposes?

  16. Cannot concur a lot more with this, really interesting content. Regards.

  17. houssem says:

    Please, I don't know why it tells me that I can't send email: connection refused localhost:25

  18. dreamzzzz says:

    OK, I see the webpage is copied entirely. What I want to know is where it is copied and how to edit it?

  19. arthur_job says:

    I followed this tutorial as it was a lot easier to understand than the other two I had read here online. I do have a question though: once I'd followed all commands, I click run on the spoofed certificate auth after connecting via weblink and no session is spawned. It's like it just hangs on my SET window. Any ideas??

    kevin@Technology-Flow.com Reply:

    Are there any error messages? They would be really useful in figuring out what’s causing the problem.

  20. raj says:

    An error occurred when the target clicked on the link; the page opened but with an error,
    i.e. c:/windows/set.vbs not found at target computer

  21. raj says:

    And if the target has Windows 7, then how to run set.vbs?

  22. Billy says:

    Will this only work on a LAN? How can this be done remotely?

    alex Reply:

    Hello Billy,

    Doing this remote is the same concept just have the victim visit a website that is reachable via the Internet.

    Thanks.
    alex

  23. Grant Stone says:

    Thanks, I’ve been looking for this for a while. Thanks for the help.

  24. Pryce says:

    Does this still work with BackTrack 5? If not could you provide some instructions for doing so? Thanks.

    Dray Reply:

    This will work in BT5. The only issue is that if the victim has a decent AV, the Java payload will get picked off.

  25. John says:

    Seems that it doesn't work well on bt5… I successfully listen on the local port, but on the victim's it doesn't pop up the Java applet… Can somebody else manage it? I'm very glad to have a talk with you "John_the_sec at hotmail dot com"

    Best Regards :)

    alex Reply:

    Hello John,

    You might try updating SET via SVN. It is also possible that the Java version on the victim box isn’t vulnerable so you might look into that as well.

    Thanks.
    alex

    John Reply:

    Hi alex:
    I have solved this problem because I had stopped the Java applet before. But there comes out another question:
    When I open the attacker's website, it pops up the Java applet. I chose run; it seems that the Java applet runs in the background, but SET doesn't receive any shell. I tested this in 2 virtual machines. The payload is default, SET is the latest, the Java version on the victim's is 1.6.2, no AV, no FW on the victims. The browser then goes up to 99% CPU…
    I noticed a problem: when I open up the address, it updates frequently, and the Java applet pops up again and again. How to solve this problem? Need your help. Thanks a lot :)

  26. Mapendo says:

    Hello,
    I have a question regarding the Java applet information: "Name and Publisher". Mine appears as:
    Name: Java
    Publisher: UNKNOWN. How would I change that to look like the screenshot in the presentation?

    Thanks
    Mapendo

  27. Mapendo says:

    I forgot to add to the previous comment that the JRE at the victim’s machine (Win_7) is 1.6.0_29

  28. WannaBe says:

    Um hey, any help on this: after creating a "fake site/clone", how do I get it to send back the stuff people type in it, like id/pass? And how do I set it to go to a specific folder, in a note/text format? I think I got the hang of the main idea through the harvester… but I'm a noob at understanding this ish..
