Metasploit and Social engineering toolkit: Bypass firewall and antivirus detection

Security, Vulnerability Assessment and Pentest 2 Minutes

Social engineering is a technique used to exploit human weakness as an attack vector. The  way to prevent human weakness as an attack vector is through policy and you must practise what you preach, without adhering to policy you will be a victim of social engineering.

Social engineering toolkit is a program by David Kennedy which works together with Metasploit to use human as an attack vector to bypass firewall and antivirus detection. The previous few post about remote access into a victim’s machine through the used by written exploits and payloads could be achieved because there was no firewall in place.

The location of SET can be found in /pentest/exploits/set/set

Social engineering toolkit menu.

Demonstration

1) Social-Engineering Attacks

2) Website Attack Vectors

2) Metasploit Browser Exploit Method

2) Site Cloner

16) Microsoft Internet Explorer iepeers.dll Use After Free (MS10-018)

2) Windows Reverse_TCP Meterpreter

Use SSL port 443, and wait for the server to start.
Server is ready and waiting for a victim to connect.
Kill the server and modify the options.
change srvhost to the attacker's address.
Start the exploit again.
Caught by AVG2012, victim chose move to vault, however the meterpreter has already attached itself to a process.
As shown in metasploit, the process was successful. meterpreter has attached itself to victim's machine process. However being caught by Antivirus will definitely cause suspicious even if the attack was successful.
Attacker can remotely access the victim's machine.

Use shikata ga nai encoder to encode the file.

shikata ga nai means Nothing you can do about it in Japanese.

Encode with shikata_ga_nai encoder. AVG2012 did not send out alert when using browse attacker's link. The IE however was crashed without any exception error, this is still better than just now when AV alerted the user about an attack.
The stagers and stages processes were successful.. Attacker had gained a session.
Attacker started interacting with victim's machine...

 

 

Published by cyruslab

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s