Mattia Campagnano

Tuesday, April 11, 2017

Zero to hero with Social Engineer Toolkit (SET)

I've been playing around with Social Engineer Toolkit over the last couple of days.

I already analyzed how to exploit Windows 7 with SET in my previous post, How to hack Windows 7 SP1 64-bit with Social Engineer Toolkit (SET).

This time around I'm going to perform a more accurate simulated pentest on a Windows 7 64-bit virtual machine than I did before.

I created a payload using Windows Meterpreter 64-bit and I moved it to the /var/www/html directory, instead of copying it directly to the victim machine.

This is more realistic, because spam emails and malicious websites often automatically download files to your local computer in order to compromise your system.

Should you click them accidentally or intentionally (thinking they would give you access to cracked software, porn movies or the like) you're screwed.

Someone like me might immediately pop a shell and own your machine.


If you don't know what I mean by that, it will become clearer in a moment.

Creating an exploit with Social Engineer Toolkit (coded by my former boss Dave Kennedy) is actually pretty easy, if you know what you're doing.

The software creates a payload, which in my case will open a reverse shell allowing me to access the victim machine.

Exploitation

After creating the payload, I downloaded the infected file onto the victim machine through the web browser.

By running the file and launching the exploit at the same time, I was able to break into the system.

Post-exploitation

At this point I started a thorough reconnaissance process in order to gather information on the system.

A specific post-exploitation module allows you to determine whether the victim system is a virtual machine, so attackers can recognize when they are dealing with a honeypot.


I was able to escalate privileges, assuming the identity of the default Windows system administrator.

At this point I could do whatever I wanted (check out the two embedded videos for more details).

Wrap-up

This type of attack is much easier than you might think.

An infected file like the one I created with SET could be hidden behind a link embedded in a phishing email, or could be automatically downloaded to your computer when browsing shady websites (online betting platforms, porn, cracked software, etc.).

The example below is very common, but there are many more I can't show here, for obvious reasons.
