Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…
At the Security Bsides conference in Cleveland, David Kennedy the author of SET, showed off some of the program’s new features. One is a very interesting way to get a remote shell by completely bypass Anti-Virus using a Windows Powershell attack. Let’s take a quick look at how this works.
- Fire up SET and pick option number “1” Social Engineering Attacks
- Select option “10” Powershell attack vector:
- Next choose number 1, “Powershell Alphanumeric Shellcode Injector“:
Okay, now just enter the IP address of the Backtrack system and what port you want to use for the windows machine to connect in on. Usually the default, 443 is good enough. SET will now create the exploit code for 32 and 64 bit Windows:
Now that it is done, it gives you the option to start a listener. This sets up SET to receive incoming connections from Windows systems. For those familiar with Metasploit, this just starts the standard multi-handler for a reverse shell. Enter “yes” and pick if you want a 32 or 64 bit listener.
SET starts up Metasploit, runs the payload handler and waits for an incoming connection:
All we need to do now is retrieve the Powershell code that SET created. The code is saved in SET’s Report/ Powershell directory
When you navigate to the directory, you will see both the 32 and 64 bit versions of the Powershell code. If a Windows system runs this code, a remote session will open up to the Backtrack machine. For this example, I will just copy the code:
and Paste it into a Windows 7 command prompt
Once you hit enter, a full remote shell session is created to the Backtrack SET machine:
Game over. The Windows 7 system in this instance was fully updated and had one of the best anti-virus/ internet security programs available. The AV didn’t see a thing.
Powershell is available on almost every Windows box nowadays, making this a very powerful attack. This is an amazing tool for pentesters, but as usual there are those who will try to use it for evil purposes.
Most likely, you would need to be tricked into running this for the attack to be successful. So as always, be very careful opening files and links from e-mails and social media messages. Run an internet browser script blocking program like “NoScript” to prevent code from automatically running from visited websites.
Also be very wary of shortened links, especially used on Twitter. Recently I saw a shortened link on Twitter that when unshrunk was a four line command to a malware server.