CNIT 123 Proj 4: Social Engineering Toolkit Java Exploit (15-25 pts.)

What You Need

Purpose

We will use Kali Linux and the Social Engineering Toolkit to create a malicious Web server, which serves a page containing malware.

A user who views that page and clicks through warning messages will be owned.

Finding the Attacker's IP Address

On your Linux machine, in a Terminal window, execute this command:
ifconfig
Find your IP address and make a note of it. In the example below, it is 192.168.119.169.

Launch the Social Engineering Toolkit

From the Kali desktop, click Applications, "Kali Linux", "Exploitation Tools", "Social Engineering Toolkit", se-toolkit.

If it is the first time you ran it, you will need to agree to the Terms of Service.

The Social-Engineer Toolkit opens, as shown below:

Now select these options from the menus (note that the numbers may change as the toolkit is updated):

The next screen prints incorrectly, so you are typing on top of text. Just type in your Kali Linux machine's IP address, as shown below, and press Enter.

Now select these options from the menus (note that the numbers may change as the toolkit is updated):

If a message says "Apache may be running...", type y to allow SET to stop it.

Wait a few minutes. When you see "Starting the payload handler...", as shown below, your malicious Web server is ready.

Installing Java on the Target Machine

On the target Windows machine, open a Web browser and go to java.com.

Download and install Java.

Opening the Evil URL on the Target Machine

On the target Windows machine, open Chrome and go to the IP address of the Kali Linux attacker, as shown below:

At the top right corner of the Chrome window, click the red X.

In the pop-up box, click the "Always allow plug ins..." button, as shown above.

Click Done.

In the Chrome window, click the Refresh button. Wait about 30 seconds.

A box pops up saying "Application Blocked by Security Settings", as shown below. Click OK.

Lowering Java Security Settings

To override the security setting, click Start, "Control Panel", "Classic View".

Double-click Java.

On the Security tab, in the lower right, click the "Edit Site List..." button.

Click the Add button.

Enter http:// followed by the IP address of your Kali Linux attacker, as shown below.

Click OK.

Click Continue.

Click OK.

In the Chrome window, click the Refresh button. Wait about 30 seconds.

Another warning message appears, as shown below. Click the "I accept the risk..." box, and click Run.
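The site-list change made in the steps above (a cleartext http:// URL with a bare IP address) is exactly the kind of entry an endpoint audit should flag. As an added example, not part of the original project, the Python below parses a Java exception.sites file (sample content is constructed; the per-user path under AppData\LocalLow is assumed) and reports entries that weaken the applet protections this lab works around.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a Java per-user exception.sites file: one URL per line.
# Assumed Windows location of the real file:
#   %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
SAMPLE_EXCEPTION_SITES = """\
https://intranet.example.com
http://192.168.119.169

https://*.example.org
"""


def parse_exception_sites(text):
    """Return the entries of an exception.sites file, skipping blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_entry(entry):
    """Return the reasons this entry weakens Java's applet protections.

    An empty list means the entry raised no finding.
    """
    findings = []
    parts = urlsplit(entry)
    host = parts.hostname or ""
    if parts.scheme == "http":
        # Cleartext sites can be tampered with on the network path, yet the
        # exception list trusts their applets without integrity protection.
        findings.append("cleartext http:// scheme")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address rather than a DNS name")
    except ValueError:
        pass  # hostname is not an IP literal
    if host.startswith("*"):
        findings.append("wildcard host trusts every subdomain")
    return findings


def audit_exception_sites(text):
    """Map every configured entry to its list of findings."""
    return {entry: audit_entry(entry) for entry in parse_exception_sites(text)}


if __name__ == "__main__":
    for entry, findings in audit_exception_sites(SAMPLE_EXCEPTION_SITES).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{entry}: {status}")
```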

Exploiting the Target

On the Kali Linux machine, you should see a "Meterpreter session 1 opened" message, as shown below.

There is no prompt, but type this command, and then press the Enter key:

sessions -i 1

Troubleshooting

If the exploit hangs up, it's probably the Windows target machine. Re-extract a fresh VM from the DVD handed out in class.

Saving the Screen Image

Make sure the "Meterpreter session 1 opened" message is visible, as shown above.

Click on the Windows 7 host computer's desktop to make it active. Press the PrntScrn key to capture the whole screen.

YOU MUST SUBMIT WHOLE DESKTOP IMAGES FOR FULL CREDIT.

Save this image as a PNG file, named "Proj 4a from YOUR NAME".

Post-Exploitation

You now own the target! Here are some fun meterpreter > commands to try:

shell - Gives you a Windows Command Prompt on the target
screenshot - Gives you an image of the target's desktop
keyscan_start - Begins capturing keys typed in the target
keyscan_dump - Shows the keystrokes captured so far
webcam_list - Shows the available webcams (if any)
webcam_snap - Takes a photo with the webcam

Stealing a Password (optional)

This is worth an extra 10 points if you can get it to work.

When I did it, the target tended to crash, so it took several tries.

On the Kali Linux machine, in an open Meterpreter session, execute these commands:

load mimikatz

kerberos

Scroll back up to see the password in plaintext, as shown below.

Saving the Screen Image

Make sure the plaintext password of "P@ssw0rd" is visible, as shown above.

Click on the Windows 7 host computer's desktop to make it active. Press the PrntScrn key to capture the whole screen.

YOU MUST SUBMIT WHOLE DESKTOP IMAGES FOR FULL CREDIT.

Save this image as a PNG file, named "Proj 4b from YOUR NAME".

Turning in Your Project

Email the images to cnit.123@gmail.com with a subject of "Proj 4 from YOUR NAME".

Sources

http://pentestlab.wordpress.com/2013/03/25/dumping-clear-text-credentials-with-mimikatz/

Last modified 5-2-15 1:51 pm

Thanks to Kristina McElveen for helping me update this project to bypass Java security on 1-18-14.
Sam Bowne