Social Engineering without the hard work. [MITM/DNS Spoofing/SET]
  • Sh3llc0d3
    Posts: 1,910

    About
    First of all, for this tutorial I will be using the Social Engineer's Toolkit, or SET as it's known. I will also be using various other tools to help me attack a Windows machine. The Windows machine will have Avast installed and Online Armor Firewall. The specific attack will be a MITM-aided DNS spoofing attack that will redirect a user to a malicious page we have set up locally. This will, in turn, open a Java drive-by attack on the victim and spawn a Meterpreter session; Meterpreter is a trojan the Metasploit developers made for use within the Metasploit environment.

    Methods to understand
    Java Drive-by
    DNS Spoofing
    MITM [Man In The Middle] Attack

    Tools needed:
    - SET
    - Ettercap-ng
    - macchanger
    - possibly netdiscover or nmap but not covered here.

    Note: you will need netdiscover to find out the target's IP address. You could always use nmap, but for this tutorial I won't use either as I know the IP address of the victim.

    First we boot Linux up on our attacking machine. This can be any form of Linux that you have SET and my other tools installed on; however, I will be using BT4 as they are all ready and preconfigured.

    If you're using BT4, make sure you start networking before you do anything, as if you don't you will not be able to continue through this tutorial and have officially failed Backtrack basics. ;)

    Just to show this is not an elitist tutorial for the more experienced: Backtrack is available from www.backtrack-linux.org and the following commands will start networking on your box.

    Type the following in a Konsole window...

    /usr/bin/start-network
    /usr/bin/wicd-client on

    Once it shows Done. then you're ready to continue.

    I will firstly go through the routine of updating the software from SET. Open up the 'start menu' and navigate to "Backtrack>Penetration>Social Engineering Toolkit". You will now see a Konsole window that has opened displaying the SET program. The first thing you MUST do is update the software for both SET and Metasploit. This is a vital step, as with older releases of BT4 SET did not have as many features etc. as the current release.

    Metasploit especially takes a while to update, so it is worth opening up Ettercap while M'sploit is updating. It should be under "Backtrack>Privilege Escalation>All>Ettercap-GTK". You can use the GTK version, or if you have knowledge of the command-line version either will do. This is a noob-friendly tutorial so I'll use the GTK one.

    We first need to open a new shell (Konsole window) and type in the following to allow IP forwarding. Some people have complained in the past on other sites that they cannot use Ettercap properly without setting IP forwarding.

    echo 1 > /proc/sys/net/ipv4/ip_forward

    After this has been done we need to set up the redirects, a little like editing the hosts file on a Windows machine. To do this we go to the etter.dns file and write the website we wish to redirect and the IP address. Type the following command in a Konsole window to bring up the file for editing.

    nano -w /usr/share/ettercap/etter.dns

    Scroll down and see where they have put "microsoft sucks" etc. and a few examples. We need to enter first the site, in this case www.google.co.uk or .com depending where you are. You can also put google.co.uk to stop them being able to navigate around the redirect, similar to wildcards in hosts editing for Windows.

    An example would be:

    www.google.co.uk A 192.168.1.68

    The IP address being your address that you will be redirecting the victim to. Don't forget to add the " A ". When you have finished editing press "Ctrl-x", then "y", then Enter to save and exit the nano editor.

    We then go to Ettercap and on the top select "Sniff" on the toolbar and then "Unified Sniffing". Select the device connected to the internet. Mine is wlan1; yours may be wlan0 or eth0 or something different. If you have a problem finding your device or connecting to the internet in Backtrack let me know and I'll try and help, but you should pretty much know how to use Backtrack. Next, in Ettercap press the combination "Ctrl+S" to scan the network for online hosts. You can also use the toolbar "hosts>scan for hosts". Once your scan has completed press "h" to show the list of hosts. This can also be done from the menu but I'll let you explore the menus on your own time :)

    You will see on the hosts tab that several have shown up. You need to/should know your default gateway; this is the one that your router will be located at. Select the gateway's IP/MAC and then click "Add to Target 1". For the next bit you will need to find the IP of your victim's machine. If you have the luxury of using two computers like me, just run ipconfig in cmd on the Windows box you're penetrating. If not, you can use netdiscover or nmap to find the victim's IP. You can if you wish target everyone on the network, but this is very dangerous and can cause you to DoS the network or at the least slow the router down. My advice is to select one target. I have chosen my gateway and victim, 192.168.1.xxx and 192.168.1.65 respectively.

    The technique being used is called a Man-In-The-Middle, or MITM for short. We next need to select "poison the ARP cache", which is under MITM, and just click "ok". Already I have been alerted in Online Armor that there is a change in network configuration; however, most firewalls wouldn't, and even if they did most people wouldn't pay any attention as they are still connected. In Ettercap you can double-check the targets selected by pressing "t" and viewing currently selected targets. Once all the above steps have been completed go to "start>start sniffing" or "ctrl+w".

    Now you are currently performing a MITM attack; however, this is not the aim of the tutorial. We want to perform a DNS spoofing attack. First, in Ettercap go to the plugins menu from the toolbar and select manage plugins. We can first check that the ARP poison is in effect; this is done by selecting the "chk_poison" plugin and pressing Enter. It should come back saying at the bottom that poison was successful, whoopee sorted. Next we stay in the plugins menu and select the "dns_spoof" plugin. This will activate the redirect you edited in the etter.dns file. We probably should have started the SET process first; however, it took a while to update Metasploit on my old testing laptop. So here goes setting up SET for the attack.

    You should have it open in another window after it has finished updating both SET and Metasploit. You may now see a different menu (due to more features being added); its appearance changed. Enter "2" and press Enter, as we want to perform an attack using a website. Next select "1" from the menu, as we will be using a Java "drive-by" style method, then select "2" to clone a site already in existence. Whatever URL you decided to clone, enter it here; it should be the same URL you entered in the etter.dns file earlier.

    Next is the interesting and fun bit, putting together the exploit to be used. It'll now ask you to select a choice of exploit to use. I'll be using choice "2", the Windows Reverse_TCP Meterpreter exploit. This attack uses the Metasploit Meterpreter to spawn a session shell on the victim's computer. For the next bit most people use option two, the "shikata_ga_nai" encoding; however, I like overkill and use option 15, "Multi-Encoder". Either is fine. Next choose a port to listen on; I chose "999". Then press Enter.

    You will now see SET creating your exploit and starting Metasploit. This can take a while depending on the speed of your machine; it shouldn't take too long though. Metasploit will start and then the Meterpreter 'handler' will activate, listening for inbound connections from your victim. Once a session is created, use the "sessions -l" command to show any sessions available to you. Once you've found a session you want to connect to, i.e. your victim, use "sessions -i" followed by the number associated with your chosen session.

    For example:

    "sessions -i 1"

    Congratulations, you have now connected to the machine. Without wanting to go into too much detail, use the "help" command while in the session to see the options available to you.


    A good tip that I've missed out, because it wasn't strictly necessary here, is using macchanger. This tool spoofs your MAC address to another address you specify.

    In Backtrack macchanger is installed already and an example of its usage is below:

    macchanger --mac 00:11:22:33:44:55 wlan0

    wlan0 being your network device.

    Important
    One thing to note when performing a MITM attack: you MUST re-ARP your victim's cache. If you don't, you can ruin a good computer or at least slow the connections down. To do this in Ettercap-GTK go to "MITM>Stop mitm attack[s]".

    Sorry there are no pictures, guys. I'll hopefully be making a video on this at some point to demonstrate its use. Metasploit was playing up too, so if I've missed anything out let me know.
    S-P
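The redirect written into etter.dns above shows up on the victim's side as a public hostname suddenly resolving to a LAN address. The following detector, an added example that is not part of the original post, scans constructed resolver log lines (the line format is assumed, not any real tool's) and flags exactly that pattern:

```python
import ipaddress
import re

# Constructed resolver log; the format is assumed, not a real tool's output.
# The last two lines are what the thread's etter.dns entry would produce.
DNS_LOG = """\
10:01:05 client=192.168.1.65 q=www.google.co.uk type=A answer=203.0.113.20
10:01:09 client=192.168.1.65 q=nas.lan type=A answer=192.168.1.10
10:02:41 client=192.168.1.65 q=www.google.co.uk type=A answer=192.168.1.68
10:02:42 client=192.168.1.70 q=google.co.uk type=A answer=192.168.1.68
"""

# Explicit RFC 1918 + link-local ranges. Python's ip_address(...).is_private
# is deliberately not used: it also covers documentation ranges such as
# 203.0.113.0/24, which would wrongly flag the sample public answer.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Name suffixes that legitimately resolve to LAN addresses (assumed list).
INTERNAL_SUFFIXES = (".lan", ".local", ".home", ".internal")
LINE = re.compile(r"(\S+) client=(\S+) q=(\S+) type=A answer=(\S+)")


def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_spoofed_answers(log):
    """Flag A answers that point an external name at a LAN address.
    Returns (alerts, {name: set(addresses seen)}) for follow-up."""
    alerts, seen = [], {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, name, answer = m.groups()
        seen.setdefault(name, set()).add(answer)
        if is_lan_address(answer) and not name.endswith(INTERNAL_SUFFIXES):
            alerts.append(f"{ts} {client} {name} -> {answer} "
                          "(LAN address for external name)")
    return alerts, seen


if __name__ == "__main__":
    for alert in find_spoofed_answers(DNS_LOG)[0]:
        print(alert)
```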
  • Xin
    Posts: 3,251
    Good tutorial mate keep it up :)
    Xin
  • Bursihido
    Posts: 406
    very nice tutorial thanks :)
  • Nice tut, man but Java drive is Detectable.
  • Sh3llc0d3
    Posts: 1,910
    This is not some CyberGate server in a drive-by page. If you read the tut, it uses multiple encryption types and does not get detected at all by the AV.

    After this tutorial was done I completed this walkthrough myself as a test several times, as Metasploit was playing up. Avast did absolutely nothing; Online Armor Firewall was the one giving alerts about possible screen loggers and things writing to memory etc.

    If the drive-by method itself is being detected, how does your AV tell the difference between a legit Java applet and a malicious one?

    EDIT: Also, whereas some web pages have 'flags' on them because they are malicious and the AV redirects away from them, this should NOT happen here. The page is locally created and stored locally on your machine, so AV companies have no way of giving the victim prior warning. Only when it starts (if you used poor encryption) or after the attack has completed.
  • Very nice tutorial! :)
  • Xin
    Posts: 3,251
    said: "Nice tut, man but Java drive is Detectable."

    This wasn't detected on my Windows 7 with Kaspersky or my sister's Vista with Avast xD
    Xin
  • mandi
    Posts: 207
    @Semtex-Primed---> Thanks for writing a cool tutorial :)

    I need to say something in general about this kind of MITM.

    Doing MITM and these attacks is becoming much more challenging.

    These admins have ARP watches to monitor new MAC entries in the switch.

    They are using encrypted protocols, and also they have some kind of "promiscuous mode" detection techniques.

    So I think we need to bypass these security mechanisms, so that we can use these kinds of attacks in the next few years; otherwise it will be an outdated attack.

    So if anybody has got any new ideas for bypassing those security mechanisms, please update here.....
  • undead
    Posts: 822
    very good tutorial mate
  • Sh3llc0d3
    Posts: 1,910
    Thanks guys :)

    --- @mandi ---
    MAC address observations can be got around by simply MAC spoofing; however, in an ARP poisoning situation I'm not entirely sure how this would affect results.
  • mandi
    Posts: 207
    --- @mandi ---
    MAC address observations can be got around by simply MAC spoofing; however, in an ARP poisoning situation I'm not entirely sure how this would affect results.

    Yes bro, I think you seem a bit confused.
    Now I will tell you how those security measures such as ARP watch, promiscuous mode detection and VLANs will make an impact on your methods.

    First of all, you need to change/spoof your MAC address in order to do most kinds of MITM attacks.
    I am sure you know about the ARP watches. They will notify the admin if any changes/deviations occur in the MAC table of the switch/router, so it poses a "great threat" to hackers.

    Next, promiscuous mode detection. In order for a sniffing device in a network to capture the traffic from other devices it must be placed in promiscuous mode; if it is not placed in promiscuous mode, it cannot capture the traffic of other nodes. So if they can detect devices in promiscuous mode, it also poses a great threat to the "hackers".

    Also, I am sure you know how VLANs, segmentation implemented by switches, and encrypted protocols play an important role against "ARP poisoning" and other kinds of MITM attacks :)

    I think it is time to think about bypassing the security mechanisms. So if you know any bypass methods, please update here...
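The ARP cache poisoning step in the tutorial (gateway and victim both added as targets) and the "ARP watches" mandi describes above have a simple common signature: a learned IP-to-MAC binding changes, and one MAC starts answering for more than one IP. The monitor below is an added example, not part of any post in this thread; it runs over a constructed list of observed ARP replies (timestamps and MACs are made up, the IPs mirror the tutorial's lab) and also shows the binding flipping back when the attacker re-ARPs the victim as the "Important" note advises:

```python
from collections import defaultdict

# Constructed ARP replies as (time, sender IP, sender MAC). Addresses follow
# the thread's lab: .1 gateway, .65 victim, .68 the machine running Ettercap.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway, legitimate
    ("10:00:02", "192.168.1.65", "aa:bb:cc:00:00:65"),  # victim, legitimate
    ("10:00:03", "192.168.1.68", "aa:bb:cc:00:00:68"),  # third host
    ("10:00:30", "192.168.1.1",  "aa:bb:cc:00:00:68"),  # gateway IP now claimed by .68's MAC
    ("10:00:30", "192.168.1.65", "aa:bb:cc:00:00:68"),  # victim IP claimed by the same MAC
    ("10:05:00", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # re-ARP: gateway binding restored
]


def detect_arp_poison(replies, gateway_ip):
    """Return alert strings for two ARP-poisoning symptoms: a known
    IP->MAC binding changing (critical when it is the gateway), and a
    single MAC claiming several IPs, as when one host poses as both
    gateway and victim. Learning is first-seen, so feed a clean baseline
    (or a static gateway mapping) before the traffic under suspicion."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {sev} {ip} changed {old} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = ",".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{ts} WARNING {mac} claims {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poison(ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

The restore event at the end raises its own CRITICAL alert, which is expected: a defender sees both the start and the end of the poisoning as binding changes on the gateway IP.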