Backtrack 5: Harvesting Credentials with the Social Engineering Toolkit

The Social Engineering Toolkit (SET) included with Backtrack 5 is a great way for corporate security experts or penetration testers to test how well their network (and users) would stand up to Social Engineering attacks. With Social Engineering and Spear Phishing attacks on the rise, it is very important to educate your users about these attacks.

In this tutorial I will demonstrate how SET can be used to set up a realistic looking website to harvest e-mail usernames and passwords.

Okay, timeout for a disclaimer: This is for security testing purposes only; never attempt to use any security checks or tools on a network for which you do not have authorization and written permission. Doing so could cost you your job and you could end up in jail.

  1. Obtain Backtrack 5 release 2. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.
  2. The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check updates one more time.
  3. From the menu, select number 1, “Social Engineering Attacks”.
  4. Next select “Website Attack Vectors”.
  5. Now select “Credential Harvester Attack Method”.
  6. We now have the option to use a web template that will create a generic website for us, to import a webpage, or to clone any existing website and use that. The included templates are very good, so let’s try one of them. Select number 1, “Web Templates”.
  7. As you can see in the picture above, SET comes with templates for several popular programs. Once you select one of the templates (I chose number 2, “Gmail”), you will be given a short message about username and password form fields; just hit “return”. SET will now create a fake website using the template that you chose, and prepare to harvest any credentials that are entered on the fake website.

And that is it!

Now if we go to the victim machine and surf to the SET-created webpage we will see this:

A Gmail login screen! But wait a minute, take a look at the address bar. An IP address is listed instead of the normal Google mail address. If a user enters their username and password on this site, their credentials are harvested and collected on the SET system. So as user “Security Joe” enters his credentials, we see this on the Backtrack system:

In the picture above you can see the user’s name: “Security+Joe” and the user’s password: P@$$W0Rd!

When you are finished, hit “Control-C” to stop harvesting and view a report of all the sessions that you have captured. The report file will be stored in the SET file directory under Reports. Two reports are created, one in HTML and one in XML. The picture below shows the HTML report for this session:

As you can see, unless the user checks the address bar, there is no way he could tell that he was on a fake website handing away his login name and password. And as many users use the same password on multiple sites, this could be very valuable information for a hacker to obtain. That is why it is imperative to educate your users about Social Engineering attacks and how to defend against them.
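The one visible tell in the walkthrough above is the address bar: the fake Gmail page is served from a bare IP address rather than Google's own hostname. The following is an added example for the defensive side, not code from the original post or from SET: a small analyst helper that applies that same check to proxy-log lines and flags credential POSTs that did not go to the brand's real login host, plus a decoder for form-encoded captures that shows why the harvested name appears as “Security+Joe” (a “+” is a space in that encoding). The trusted-host list, the log lines, the form body and the field names `Email`/`Passwd` are all constructed assumptions for the example.

```python
# Added example (not from the original post or from SET): apply the post's
# own tell-tale sign (a login page served from a bare IP address instead of
# the brand's real hostname) to proxy-log lines, and decode a captured
# form body. Host lists, log lines and field names are constructed.
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: the hostnames a given brand legitimately uses for sign-in.
TRUSTED_LOGIN_HOSTS = {
    "gmail": {"accounts.google.com", "mail.google.com"},
}


def host_is_ip(host):
    """True if the hostname is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_login_url(url, brand):
    """Classify a URL that presents itself as `brand`'s login page.

    Returns 'trusted' (the brand's own host), 'ip-host' (served from a raw
    IP address, the sign the post points out) or 'lookalike' (any other name).
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS[brand]:
        return "trusted"
    if host_is_ip(host):
        return "ip-host"
    return "lookalike"


def find_suspicious_posts(log_text, brand="gmail"):
    """Scan '<client> <method> <url>' lines and report POSTs (credential
    submissions) that did not go to a trusted host for `brand`."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, url = line.split(maxsplit=2)
        if method != "POST":
            continue
        verdict = classify_login_url(url, brand)
        if verdict != "trusted":
            findings.append((client, url, verdict))
    return findings


def decode_form_body(body):
    """Decode an application/x-www-form-urlencoded body into plain strings.

    '+' encodes a space in this format, which is why the harvested name shows
    up as 'Security+Joe'. The field names are assumed, not SET's own.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# Constructed sample proxy-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET https://accounts.google.com/ServiceLogin
10.0.0.5 POST https://accounts.google.com/ServiceLoginAuth
10.0.0.7 GET http://192.168.1.20/
10.0.0.7 POST http://192.168.1.20/index.html
10.0.0.9 POST http://gmail-signin.example.net/login
"""

# Constructed captured form body (not from a real SET report).
SAMPLE_BODY = "Email=Security+Joe&Passwd=P%40%24%24W0Rd%21"

if __name__ == "__main__":
    for client, url, verdict in find_suspicious_posts(SAMPLE_LOG):
        print(f"{client} posted credentials to {url} [{verdict}]")
    print(decode_form_body(SAMPLE_BODY))
```

Run against the constructed log, the two POSTs that did not go to Google's own hosts are reported (one as `ip-host`, one as `lookalike`), and the decoded body gives back “Security Joe” and the password exactly as the user typed them. In a real deployment the trusted-host list would be drawn from your own allowlist and the log lines from your proxy, but the check itself is the same one a user can make by reading the address bar.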

Backtrack 5: Penetration Testing with Social Engineering Toolkit

Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion detection systems?

This is most commonly used in phishing attacks today: craft an e-mail, or create a fake website, that tricks users into running a malicious file that creates a backdoor into their system. But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it?

The Backtrack Linux penetration testing platform includes one of the most popular social engineering attack toolkits available. My previous “How-To” on Backtrack 4’s SET has been extremely popular. Well, Backtrack 5’s SET includes a whole slew of new features and I figured it was time to update the tutorial.

We will use SET to create a fake website that offers a backdoored program to any system that connects. So here goes…

Okay, timeout for a disclaimer: This is for security testing purposes only; never attempt to use any security checks or tools on a network for which you do not have authorization and written permission. Doing so could cost you your job and you could end up in jail.

1. Obtain Backtrack 5 release 1. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.

2. The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check updates one more time.

3. Select number 1, “Social Engineering Attacks”.

4. Next select 2, “Website Attack Vectors”. Notice the other options available.

5. Then 1, “Java Applet Attack Method”. This will create a Java app that has a backdoor shell in it.

6. Next choose 1, “Web Templates” to have SET create a generic webpage to use. Option 2, “Site Cloner” allows SET to use an existing webpage as a template for the attack webpage.

7. Now choose 1, “Java Required”. Notice the other social media options available.

8. Pick the payload you want delivered. I usually choose 2, “Windows Reverse_TCP Meterpreter”, but you have several to choose from, including your own program. Number 13, “ShellCodeExec Alphanum Shellcode”, is interesting as it runs from memory, never touching the hard drive, thus effectively bypassing most anti-virus programs.

9. Next choose an encoding type to bypass anti-virus. “Shikata_ga_nai” is very popular and Multi-Encoder uses several encoders, but number 16, “Backdoored Executable”, is best. It adds the backdoor program to a legitimate program, like Calc.exe.

10. Set the port to listen on. I just took the default.

Now Backtrack is all set and does several things: it creates the backdoor program, encodes and packs it, creates the website that you want to use, and starts up a listening service waiting for people to connect. When done, your screen will look like this:

Okay we are all set. Now if we go to a “Victim” machine and surf to the IP address of the “attacker” machine we will see this:

If the “Victim” allows this Java applet to run, we get a remote session on our attacking machine:

You now have access to the victim’s PC. Use “sessions -i” and the session number to connect to the session. Once connected, you can use Linux commands to browse the remote PC, or running “shell” will give you a remote Windows command shell.

That’s it: one bad choice on the victim’s side and security updates and anti-virus mean nothing. The “Victim” in this case was a fully updated Windows XP Professional with a top-name anti-virus internet security suite installed and updated.

They can even surf away or close the webpage, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and merge the session into another process effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network.

The easiest way to stop this type of attack is to simply run the Firefox add-on “NoScript”; also, BitDefender AV 2012 seems very, very resilient against these types of attacks.

New Version of the Social Engineering Toolkit (2.1) to be Released at Derbycon!

Looks like security guru David Kennedy and his team have done it again. A new bigger, badder, better version of the Social Engineering Toolkit (SET) is set to be released at the security conference DerbyCon in Louisville, Kentucky at the end of the month.

Don’t be fooled by the 2.1 designation; there look to be some MAJOR changes here.

One is the ability for the payload to be read and executed straight from memory instead of being written to disk. This should make a huge difference in the payload bypassing anti-virus detection.

Another big feature is the addition of Fast Track automation to the Social Engineering Toolkit.

Check out the teaser video:

For more information, and a look at the long list of changes and updates, check out the SecManiac website!