Backtrack 4: Penetration Testing with Social Engineering Toolkit

*** Update – Looking for a Backtrack 5 based tutorial? I have created an updated tutorial to cover the newer Backtrack 5 SET.

People do not understand how dangerous it is to click on unknown links in an e-mail or even on a website. Hackers will disguise their malware shell and make it look very appealing. Be it a video codex that you must install to watch a video that you really want to watch or even a webpage that tells you that you have a virus and you must install and run the latest online anti-virus scanner to remove it.

Doing either of these could place the control of your machine into a hacker’s hand. But I have Windows 7 with the latest security updates and my anti-virus is up to date. This may not make any difference at all if you allow the program to run. But it is really complicated and I need to make several bad choices in a row right? No, one wrong mouse click could be all that is needed. You don’t believe me? I was once told by a security instructor that instead of trying to convince people that their systems could be at risk, you need to show them.

Backtrack 4 has included a program that you do not hear much about in the main stream security media. But, it is a penetration testers dream. Under the penetration menu is a program called the Social Engineering Toolkit (SET). If social engineering attacks for penetration testers could be made any simpler, I do not know how.

Okay, timeout for a disclaimer: This is for security experts only, and should only be done in a testing environment (VMWare images on a PC works great) and not on a live network. Or on any machine that will be connected to a live network. Never attempt to use any security checks or tools on a network that you do not have the authorization and written permission to do so. Doing so could cost you your job and you could end up in jail. The following is for informational purposes only, if you chose to try this, you do so at your own risk.

All right, follow along, this is really technical and there are a lot of steps. Okay, I am kidding, it is a really simple, menu driven process. And remember that this is a tool for the good guys, who knows what the bad guys are using. One last note, turn off Apache or the SET won’t run.

  1. Obtain Backtrack 4, the VMWare image works great.
  2. First click on the menu button, Start the networking service. Then click on Backtrack, and then the Penetration Menu and finally Social Engineering Toolkit.
  3. This will bring up a program menu; you need to update both the Social Engineering Toolkit and the Metasploit Framework.
  4. Next, I had to reboot my machine to get it to work right after the updates.
  5. Now, click on main option 2 – Website Attack Vectors (Notice step 3 – Infections USB/CD/DVD Generator…)
  6. Next, chose Option 1, Web Templates, Let SET create a website for you. (Notice options to clone websites to match the company that you are doing the penetration test for…)
  7. Next is your choice for attack methods, the Java attack works well, chose 1 – Java Applet Attack Method
  8. Next select 1- Java Required (Notice other options…)
  9. Next select the type of payload for the attack, I like option 2 – Windows Reverse_TCP Meterpreter.
  10. Next chose the encoder to bypass anti-virus. I have never had anything detect number 2 – Shikata_Ga_Nai with 3 encryption passes (encryption passes is next option).
  11. Next chose port for the Metasploit Listener, 80 is default, I just hit enter
  12. Next option is “Do you want to create a Linux/OSX payload too?” I hit no, my target is a Windows PC.

And that is it. The SET webserver will launch, and it will start up Metasploit to listen for incoming connections. On the Victim’s PC, just surf to the attacker PC’s IP Address through a browser and you will see a generic , kinda plain test website that SET creates. It says something like the CEO is giving a presentation and you need Java installed and need to run the Java applet that pops up to view the broadcast. Then a Java certificate warning pops up, and like any user, they trustingly follow the directions. Once they click “yes” or “accept” you now have a meterpreter shell to their PC.

  1. Back on the attacking PC, it will list the session that the user opened to you.
  2. Type Sessions –L, Once and you get a screen that looks like this:

You now have access to the victims PC. Use “Sessions -i” and the Session number to connect to the session. Once connected, you can use linux commands to browse the remote pc, or running “Execute –f cmd.exe –c –H –i” will give you a remote windows command shell.

That’s it, one bad choice on the victim’s side and security updates and Anti-virus means nothing. They can even surf away or close the webpage, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and merge the session into another process effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network. Also, this type of attack, like advance persistent threat attacks most likely will not be detected with IDS systems. This makes capturing and monitoring your network traffic critical. There are several ways to analyse traffic captures. The Kneber botnet (Zeus variant) was discovered by traffic analysis with Netwitness software. Try out the Investigator version, it is free and works very well.

Check out the complete How to use Metasploit Training Class videos from the Louisville Metasploit class. And also the the Backtrack 4: Social Engineering Toolkit (SET) – Introduction video by SET creator David Kennedy.

25 thoughts on “Backtrack 4: Penetration Testing with Social Engineering Toolkit”

  1. I am wondering if it is normal for it to set LHOST to

    As far as I can find, that is normal, but I dont know for sure.

    Thank you for your time and great post.. very informative

    1. Hi Colin, I think it should fill the LHOST information in automatically for you when you launch the SET esploit. Is it working for you?

      Dave Kennedy (SET creator) has released a newer version of SET and the instructions here are for the older version.

      Dave has released some excellent how-to videos for SET on his site

      Also, Dave has another great SET how-to video on Irongeek’s website.

      Dave also co-runs which is full of information about social engineering. Dave is the man!

      1. Thanks for the reply… I have literally been at this for about 3 days straight. I just cant seem to get it to fill it in for me… Do you happen to know of a way to get this to work? I have went thru a few videos on both of the sites you mentioned and dont seem to see a change. I am running BT4 thru VMWare as well as Windows 7 the same way.

        Thanks again for your fast response

      2. Bro, no problem, it sounds like it isn’t getting an IP address. Is the networking turned on in Backtrack? It is off by default.

        It is under one of the main Backtrack menu items, “Turn on Networking”. Or you can turn it on from a console prompt with:

        /etc/init.d/networking start
        and if you are using wireless you also need:
        /etc/init.d/NetworkManager start

        Then “ping” or any other site just to make sure you have network access. If that doesn’t work, let me know.

  2. Hello again. I have been setting up my network access before running anything. I also just realized that I should be able to set the LHOST inside metasploit before I even start SET. I will try that and let you know if it worked that way

    1. Wow, I actually have never seen that. I have always just fired backtrack 4 up, turned on networking and went into SET and it has always worked fine.

      I haven’t used the latest version though. Some screenshots of the newer version on show the LHost for some of the attacks.

      Which attack are you trying to run?

      1. I am actually just trying the attack you have in your tutorial. The series of options are the same, just in a little bit different order. Its kinda weird that I am the only one who is experiencing this. II am thinking about uninstalling metasploit and then reinstalling it. I am noticing also, that metasploit isnt actually starting up the entire way. It will hang at:

        Starting payload handler

        Maybe they could be related issues?

      2. How is your Backtrack installed? Is it a “Live CD”, full install or in a Virual session?

        I’ll try the new version tomorrow and see if I run into the same problem.

      3. Colin, wow went to try it today and it’s been a while since I ran Backtrack, so I am trying to get Metasploit to update.

        It keeps erroring out on the update. Strange, but I wonder if that is the problem.

  3. I have a dedicated machine that dual boots Windows 7 and BT4. Then I also have a virtual lan which has a BT4 box and a Windows 7 as well. It is the same on both

    1. Okay, I think I got it Colin. I had to go to Metasploit in the penetration menu, run msfconsole, and do the update there. Just type ‘msfupdate’ at the metasploit console prompt.

      It said it had some lock problem, but cleared it and installed the updates.

      Came back into the SET program, and ran the SET update one last time for kicks, then rebooted the system. Came back in and it worked great. It still shows the LHOST as but it worked.

      In this version of SET it does sit at the “Starting Payload Handler…” prompt until someone connects.

      I just went to my “victim” Windows XP machine (I used the JAVA app attack so I had to put Java on the XP machine) and put in my backtrack’s ip address. It came up with the fake webpage and asked to install the “required java program”.

      Allow it to run and you get a console in SET.

      1. Ok sounds great. I will do the update this evening and post my results.

        Thanks for all your info. Great read at a minimum!! I subscribed to your site and look forward to your future posts btw.

    1. If you are like me and don’t like to type, it is very easy to start and stop the service. Just go to the main menu, select “Services”, next select “HTTPD”, then select “Stop HTTPD”.

      Or from the console prompt you can do:
      /etc/init.d/apache2 stop
      /etc/init.d/apache2 start
      /etc/init.d/apache2 restart

  4. i have problem in the end. i was able to send email to my account. when i download the attachment i found one doc file & one shell script. that script was deleted by anti-virus.
    now second problem is what to do after the question you want to create listening and what to write is exploit(handler)> ..!!?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: