TheXboxHackers
TheXboxHackers



 
HomeLatest imagesSearchLog inRegister

 

 The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes

Go down 
AuthorMessage
SMGMODZ
Administrator
SMGMODZ


Posts : 9
Rep : 1
Join date : 2011-02-04
Age : 36

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes Empty
PostSubject: The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes   The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes I_icon_minitimeSat 30 Apr 2011, 5:22 pm

Thexboxhackers.com and/or any users, Admin's,owner's or anyone affiliated With this site does not take any responsibility U learn from this post and/or anypost like this. I smgmodz does not take any responsibility for what u learn and how u use this post.


One of the hottest new tools in Backtrack 4 final is the Social Engineering Toolkit otherwise known as SET. The tool was written by a major contributor to Backtrack, David Kennedy (ReL1k). He is also a friend. The homepage for SET is http://www.secmaniac.com/ and there is more useful information there.

I am particularly impressed by the new java applet function is SET ( Thanks Thomas Werth!) so I decided to do a quick demo of how it works. This has been tested on IE8 and Firefox, both fully patched and updated.

In order to follow this attack you will need a copy of Backtrack 4 final and it will need to be fully updated.

This can be done with apt-get update && apt-get upgrade in a terminal.

Once you are up to date, change directories in to the /pentest/exploits/SET directory:

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-09-04-PM

The attack we are using is the Web Site Java Applet which is choice #2:

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-09-04-PM.thumbnail

What we want to do is clone a existing website which is choice #2:

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-10-37-PM.thumbnail

We need to enter the URL of the website we want to clone:

(In this case I am using xkcd.com which is a popular web comic)

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-11-50-PM.thumbnail

(I will be using the meterpreter payload which is my favorite. See this article for some tutorials on using meterpreter)
http://www.question-defense.com/2009/12/21/getting-started-with-meterpreter


The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-12-21-PM.thumbnail

The next choice to make is the encoding:

(This is used to bypass pesky anti virus)

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-12-50-PM.thumbnail

We can also select the number of times we want to encode the payload:

(I used 4 for the sake of the tutorial but its probably overkill)

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-14-04-PM.thumbnail

Since we selected a payload which requires a reverse connection we need to enter a port for the listener:
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-14-25-PM.thumbnail
Now just hit enter and let SET create the evil website:
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-14-53-PM.thumbnail
If every thing went correctly you should be looking at a screen similar to this
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-15-20-PM.thumbnail

Now we need to get our target to visit our evil website:

(Its up to you how to do this, for simplicity we are just going to send a email)

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-37-11-PM.thumbnail

Our unsuspecting target checks his mail:

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-10-40-31-PM.thumbnail

And opens the link in his browser:

The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-11-11-15-PM.thumbnail

Notice that at this point we are still at the local IP of our evil web server and there is a digital signature error. This error is the only indication that this attack is taking place.

Once our target accepts the warning message, our payload executes on our attacking machine:
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-11-12-21-PM.thumbnail
One of the coolest parts about this attack is that as soon as the target clicks on any of the links on the page, they are taken to the real page on the web and never know what happened:
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes 2-22-2010-11-11-49-PM.thumbnail
GAME OVER
Brought to u from http://www.question-defense.com/2010/02/23/the-social-engineering-toolkit-creating-fake-web-sites-to-own-boxes#more-5226
Back to top Go down
http://WWW.THEXBOXHACKERS.com
 
The Social Engineering Toolkit: Creating Fake Web Sites to Own Boxes
Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
TheXboxHackers :: PC Section ::   :: General :: PC Tutorials-
Jump to: