I have finally gotten around to adding version 2.2 of the social-engineer toolkit. After several months of working on it, it’s finally here! This release has the cool new attack vector by Matthew Graeber that leverages powershell to directly load shellcode into memory. I’ve added this attack to the teensy HID attack vector within SET. I’ve also rewritten the Java Applet to automatically grab a Metasploit payload, put it in the right format, unicode it, then base64 encode it then embed itself into a parameter that gets pulled from the Java Applet.
This will deploy a payload straight into memory through PowerShell and never touch the disk. Ever. Now what I have to say is that this is somewhat experimental, you can turn this on and test through the config/set_config. There’s a new menu option:
# THIS WILL ENABLE THE POWERSHELL SHELLCODE INJECTION TECHNIQUE WITH EACH JAVA APPLET. IT WILL BE # USED AS A SECOND FORM IN CASE THE FIRST METHOD FAILS. PLEASE NOTE THAT THIS IS EXTREMELY EXPERIMENTAL AT #THIS POINT. IT IS NOT 100 PERCENT WORKING YET.
I’ve noticed some potential instabilities that I’m working through, but need the community to test it. The Java Applet first detects if powershell is installed, if it is, then actually inject it straight into memory versus deploying the normal meterpreter-based executable. Powershell is installed by default on Windows Vista and Windows 7.
Amongst that change, I have decided to not release the legitimately signed Java Applet. The default unsigned applet is still included in SET. In addition to this release, the Java Applet has much more stability now as far as the Java Repeater and the deployment of shellcodeexec.
Full changelog below:
* Added better handling when generating your own legitimate certifcate and ensure proper import into SET
* Adjusted java repeater time to have a little more delay, seems to be more reliable and stable if that occurs.
* Removed the check from the main launch of SET for pymssql and only added it when the fast-track menu was specified
* Removed the derbycon posting since it already happened. When we get closer I’ll re-add it back in with detailed information
* Removed old files in the java applet attack that were not needed.
* Added better granularity checking the Java Applet attack when the shellcode exec or normal attacks were being specified.
* Fixed a bug that caused infectious media bomb out if shellcodeexec was specified as a payload
* Added a legal disclaimer for first inital use of SET that is must be used for lawful purposes only and never malicious intent
* Added improved stability of the java applet attack through better payload detect/selection
* Fixed a bug with shellcodeexec and creating a payload and listener through SET, it would throw an exception, it now exports shellcodeexec properly and exports alphanumeric shellcode
* Added new config check inside core.py, will return value of config, easier..will gradually replace all config checks with this
* Fixed an issue that would cause AUTO_REDIRECT=OFF to still continue to redirect. This was caused from a rewrite of teh applet and the same parameters not being filtered properly
* Added more customizing Options to RATTE. Now you can specifiy custom filename ratte uses for evading local firewalls. So you can deploy RATTE as readme.pdf.exe and it will run as iexplore.exe to bypass local firewalls. You can although specify if RATTE should be persistent or not. For testing network firewalls you won’t need a persistent one. Doing a penetration test you may choose a persistent configuration.
* Fixed a bug in RATTE which could break connection to Server. RATTE now runs much more stable and can bypass high end network firewalls much more reliable.
* Added a new config option called POWERSHELL_INJECTION, this uses the technique discovered by Matthew Graeber which injects shellcode directly into memory through powershell
* Added a new teensy powershell attack leveraging Matthew Graebers attack vector.
* Rehauled the Java Applet attack to incorporate the powershell injectiont technique, its still experimental, so will remain OFF in the config by default. The applet will not detect if Powershell is installed, and if so, use the shellcode deployment method to gain memory execution without touching disk through PowerShell.
* Fixed a bug that would cause mssql bruter to error if powershell injection was enabled or other attack vectors