Tag Archives: rel1k

Social Engineering Toolkit – User Agent Switcher – setuas.sh

Imprimis, if you are not familiar with the concept of social engineering, take a look at:

https://en.wikipedia.org/wiki/Social_engineering_(security)

If you are looking for a good book on this topic, then I would highly suggest buying a copy of:

http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1327118815&sr=8-1

As for software implementations that you can use to leverage social engineering attacks on targets, David Kennedy‘s Social Engineering Toolkit (SET) is probably one of the best, if not only social engineering frameworks that I know of. SET does not really rely on vulnerable services which I believe is one of the most useful aspects of this toolkit. What you do have to rely on is social engineering. Services and software will be patched while humans will most likely always be vulnerable to social engineering attacks due to misplaced trust.

Despite the fact that this framework is practically the only of its kind, it does have some limitations in certain realms, namely the web site cloning feature. The issue I have ran into with SET is due to the user agent string not being easily switchable. To switch the user agent string for SET, you must manually edit the cloner.py (which is located in/src/webattack/web_clone/ directory) .

The default user agent of SET is:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

This means that when the Social Engineering toolkit makes a request on a website and clones it, the response of the web service is based on this user agent string.

What if I want to clone a website that is the mobile version? What if I want to clone a website that checks to see if end users are Microsoft Windows users? This is where the Social Engineering Toolkit User Agent Switcher(setuas.sh) is applicable. This is a very simple Bash shell program that edits the user agent string in the cloner.py module of SET to whatever you like. Simply execute this:

./setuas.sh /pentest/exploits/set/src/webattack/web_clone/cloner.py

You will then be prompted to enter in a user agent string which for instance could be:

Mozilla/5.0 (Linux; U; Android 2.3; en-us) AppleWebKit/999+ (KHTML, like Gecko) Safari/999.9

For the moment this is just a quick hack to address the issue. I believe that the SET team should add an option in the config file (/set/config/set_config) for end users to adjust accordingly.

setuas.sh is located here:

http://zitstif.no-ip.org/set/setuas.sh

If you want to just see the plain text version of this file, it is located at:

http://zitstif.no-ip.org/set/setuas.txt

Weaponizing the Nokia N900 – Part 3.7 – More goodness and packet injection!

Thanks to Shawn Merdinger, from infosecisland for the inspiration and  thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.

Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.

In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.

Rogue AP Goodness:

1.) Download SET to your n900 and take note of this information:

a.) You’ll need to install some additional python modules  such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned  in an earlier post: http://zitstif.no-ip.org/?p=451

b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.

c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:

ln -s /usr/bin/rub1.8 /usr/bin/ruby

Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:

http://zitstif.no-ip.org/setfix.txt

2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)

3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section

4.) Select option 1 for the java applet attack method

5.) Now select the site cloner option

6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )

7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)

8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)

www.facebook.com     A      10.105.242.1

9.) Now run this:

ettercap -i wlan0 -q -T -p -u // // -P dns_spoof

What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.

I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁

Aircrack-ng goodness:

I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.

Please see this blog entry:

http://david.gnedt.eu/blog/wl1251/

Also pay close attention to:

http://david.gnedt.eu/wl1251/README

Be careful about using this driver because it seems to drain battery life quite quickly.

(Speaking of which..)

Additional notes:

One more tip I would like to share with fellow N900 owners on extending battery life is as follows:

-Uninstall applications that eat up a lot of CPU time and run in the background

-Disable your wifi connection if you’re not using it

-Dim the brightness of your screen

-Disable anything you don’t need or aren’t currently using

-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)

That’s all for now. As usual, more to come!