The Teensy devices (http://www.prjc.com) are Arduino based devices that allow you to utilize onboard memory storage on a microcontroller and emulate a keyboard/mouse. In the Social-Engineer Toolkit (SET), gives you the ability to choose Metasploit based payloads and drop a small download stager either through WSCRIPT or through PowerShell to download a backdoor from a remote IP/machine and execute it on the system itself. Why this attack is so useful is that it emulates a keyboard 100 percent, so you can essentially bypass any autorun protections on the system since its a keyboard, not a flash drive or CD/DVD type autorun attack. SET handles the entire creation from a webserver housing the malicious payload, to the actually Metasploit handler.

Be sure to check out DerbyCon – http://www.derbycon.com, it’s a brand new large-scale hacker conference located in Louisville Kentucky, it’s still far off, dates are September 30 – October 2 2011. Check back for frequent updates!

SET v0.6.1 adds the ability to utilize the built-in SET Web Server and combine the attack with SSL. Here are some scenarios where this attack really can be extremely helpful. For one, SET will allow you to create self-signed certificates automatically for you (granted you have openssl installed). In this instance the user would be presented with a certificate mismatch and whether or not to trust the individual site. While this is still most likely going to be successful in nature, it still isn’t 100 percent. My recommendation for this new addition is if your doing a penetration test, register a name of the victims site that is similar in nature, like for example your targeting CompanyXYZLMNOP you register a domain name like CompanyXYZLMNOP-LLC.com or LMNOP.COM is available and you can do CompanyXYZ.LMNOP. In this scenario you would have the DNS records point to the SET website, which you’ve already cloned the legitimate site. From there register for a $80 certificate and utilize SET with an legitimate SSL based certificate that looks and feels real. You will need the private key and client cert in PEM format. The new options are all configurable in config/set_config, the new options look like this:

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

In the above instance, if you were wanting to utilize SELF_SIGNED certificates you would turn the SELF_SIGNED_CERT to ON as well as the WEBATTACK_SSL to ON. If you wanted to use a legit cert or something you’ve already created in the past, leave SELF_SIGNED_CERT to OFF and it will pull the PEM_CLIENT and PEM_SERVER paths.

This required a fairly large overhaul of the built-in webserver and as such actually improved performance quite a bit.

If you didn’t see SET v0.6 was released last week at BSIDES Las Vegas, it was a huge release and a major upgrade from SET v0.5. There were over 45 bug fixes, three new attack vectors, and heavy improvements to existing attack vectors and the Thomas Werth Java Applet was open-sourced. If you haven’t seen the changelog, check out below:

~~~~~~~~~~~~~~~~
version 0.6.1
~~~~~~~~~~~~~~~~~
* Added the ability to utilize SSL with credential harvesting or tabnabbing attack, you can import your own PEM files or utilize self-signed (SET creates for you)
* Fixed the lnk exploit path since it changed within Metasploit

~~~~~~~~~~~~~~~~~
version 0.6
~~~~~~~~~~~~~~~~~
* Number of bug-fixes through SET and better error handling
* Added the tabnabbing attack vector
* Added favicon pulling per site on tabnabbing
* Fixed dynamic import bug with reloading modules after use
* Added Man Left in the Middle (MLITM) from Kos
* Added the latest IE and Adobe exploits
* Rewrote the HTTP web server handler for WebDav based exploits, it will force SET to use port 8080 as the web server as MSF requires WebDav on 80.
* Rearranged the initial web attack vector menu, it needed to be reversed
* Added the ability to specify your own custom executable for MSF encoding (-x) within the config/set_config file, the new option is called ‘CUSTOM_EXE’
* Added checks for BeautifulSoup, it is now a requirement for SET for the MLITM attack
* Fixed the no encoding issue with Java Applet Attack Vector, when specifying no encoding it will not prompt you to encode the payload
* Fixed bleed over colors when bombing out of any of the SET menus
* Added the ability to be able to customize MLITM web server port address in set_config, default is 80.
* Fixed an issue with Java Applet attack where if WEB_PORT was changed from 80, the Windows and NIX payloads would not deploy properly based off of port change
* Fixed an issue where importing your own executable with the Java Applet attack would fail and not work properly
* Fixed where OSX and LINUX payloads would still be asked for in payloadgen if not using the Java Applet attack
* Added the new Teensy Arduino attack vector menu that can be used with the Teensy USB HID devices that can bypass autorun disabled for physical/social-engineering attacks
* Fixed issue where ettercap was not properly performing DNS_POISON attacks, should now dns poison properly
* Removed the IP address challenge question when importing your own exe
* Fixed issue where other python applications would close when exiting SET
* Rewrote html handler to fix stderr and stdout issues with subprocess and ettercap handlers, should close properly when exiting SET now
* Fixed the main bug with Linux/OSX via Java Applet and no shell being piped, should now be 100 percent operable
* Fixed issue where VNC courtesy shell would still be present even when disabled
* Thomas Werth Java Applet is now open source, can be found under src/java_applet
* Fixed a bug where credential harvester would clone a website twice
* Fixed an issue where some sites would not properly rewrite with the credential harvester
* Added the ability to automate the payload deployment through Teensy
* Added the ability to use Apache with the Teensy attach vector or the built-in SET server
* Fixed a bug where if an invalid response was given in PEXPECT installation, it would continue and cause issues when the requirements were not met
* Changed the MS10-042 to reflect the MSF changes windows/browser/ms10_042_helpctr_xss_cmd_exec
* Added the MS10-XXX LNK file exploit from Metasploit, is now incorporated into the Client-Side Attack vector
* Added defaults to the client-side attack vector, so just hitting return will default to meterpreter and the latest exploit
* Removed the ability to perform tabnabbing and web templates, only clone method supported
* Fixed when webdav is being used the HTTP 8080 server of the cloned site wouldn’t run properly
* Fixed when client-side attack exploit windows/browser/ms10_042_helpctr_xss_cmd_exec would fail and not load properly through webdav
* Fixed issue where Apache and python-based web server was not properly running under Teensy USB HID attack
* Changed name from Infectious USB/DVD/CD to Infectious Media Generator
* Fixed a bug with the Java Applet attack vector where Apache mode wasnt working properly
* Fixed the BeautifulSoup response to ensure it fails out if invalid responses are given
* Fixed an issue where BeautifulSoup and PExpect would not clean up properly after installation
* Changed timing on Teensy PowerShell/WSCRIPT attack method to be faster