In the closing part of the presentation, Dave Kennedy reviews some cool features of the new version of SET, and Kevin Mitnick demonstrates his famous whistle.
Dave: Now I want to go into the Social-Engineer Toolkit 2.1, which is getting released today. I’ll upload it, probably, tonight when I maybe don’t sleep or whatever. It’s 27 new features, 22 bug fixes, 18 enhancements. And usually the bug fixes actually outweigh the features, so I’m actually getting better with coding this time around. I just have to say I’m proud of myself on this one. Fast-Track is now a part of it.
Just a couple of cool things I want to show you real quick (watch video above). Oh God, that is not a bug. And I just got to give a shout-out to the SET development team. It started off with me, and Jerry Dupree and Joey Furr joined the development team, as well as Thomas Werth. So we actually have a development team working on SET quite a bit. Poor Joey, man – I go through and I just stream through code and I do a bunch of stuff, and he goes through and fixes it, so I got to thank him for all of my “good” coding techniques that he doesn’t like.
And so, in the Social-Engineer Toolkit one of the coolest options is we’ll go ahead and we’ll do the Website Attack Vectors, and then we’ll do the Java Applet Attack Method; we’ll go and clone a site, just like we did last time, and a new option now is option 13, which is ShellCodeExec Alphanum Shellcode. Why that’s important is I rewrote the Java applet to now drop a Meterpreter stage that shoots directly into memory through alphanumeric shellcode and never touches disk, so we no longer have to worry about antivirus.
The options you have is you have reverse Meterpreter, reverse TCP, you have reflective injection, reverse HTTPS stager, and you also have the standard reverse HTTP stager as well. So you can use either one of those, all of them work now.
And so, it’s going to go and generate it for us; we are not going to create another payload. And, by the way, the Java applet targets Linux, OS X and Windows, so no one is safe. So we go ahead and do the Java applet thing again, it loads Gmail, we don’t want to hit Cancel on the popup because we already know it jacks us up, so we hit Run, it redirects back, and now we got the Meterpreter shell. No need to worry about AV. So, that’s one of the features.
One of the ones that I did a long time ago was the MS SQL thing, which is one of my favorites. Obviously, when you install SQL you have the capability of having SA password, if you use mixed mode or just SQL authentication. And one of Fast-Track’s attacks was this type of attack, where we go after an actual SQL Server. This supports CIDR notation and this supports single IPs. But I guarantee, if you’re going through a large customer, you’ll always find a blank SA password. So just scan, look for it.
What SET is going to do is look for 1433; we are going to use the default wordlist, we are going to use “sa”, it found a port open and it automatically brute-forced it. I spent a lot of time on tuning performance on multi-threading and brute-forcing, was able to get that through. And you can see on number 1 we have 192.168.235.131 was using username “sa” and password “password123”. We drop into that, and we can either leverage Windows PowerShell or use Windows Debug Conversion, which will, basically, take our binary out. It looks really cool.
And so, I’m going to go ahead and do Meterpreter, it’s going to code and do odd stuff, and now it’s going to deploy our initial stager, which is all going through MS SQL at this point. This is hexadecimal representation of our initial stager payload. And why this is important is, with Windows Debug you have a 64K restriction, and Meterpreter shell is going to be a lot larger than that. It will actually take a stager payload that, essentially, just reads in raw hex and writes out binary. And so, we can, essentially, bypass the 64K restriction on Windows. Now I’m going to go ahead and trigger the payload – and I got Meterpreter shell.
This is just one of the many features in the new version of Social-Engineer Toolkit that will be released today. Again, I’m not releasing the Java code signing one as of yet. It is definitely there, it’s ready to go. I just want to make sure that I’m doing everything legally to it.
So, what we really wanted to get out of this talk was, again, just to make yourself think creative. You know, think outside of the box when you are doing these penetration tests, do something unique, do something that hasn’t been done before, do something fun. I mean, the traditional scan and exploit type of penetration tests are not doing any type of value; it’s not what we are designed to do as a field. Kevin, do you have anything that you want to say?
Kevin: I really enjoy doing it. I encourage people to think creatively and be innovative. We do use scanning tools, but that’s kind of initial footprint type of stuff. I could run Nmap and look for any low-hanging fruit, but that’s kind of the very initial stages of a security assessment, very initial stages. And then we go on from there. I wouldn’t stop there. And I’m sure a lot of you don’t stop at just simple scanning, I’m sure you guys do a lot more in-depth pentesting. But you never know, because, again, I’ve dealt with clients that showed me past reports, and it’s like a 400-page report that doesn’t have much value, that just repackaged information from an automated scanning tool. So, that’s pretty much it.
Question: Kevin, would you demonstrate your famous whistle?
Kevin: I actually recorded my famous whistle. Do you mean the one that launched the nukes? Today I’m not really good at whistling, but hold on… Let’s see if I have it, it’s funny as hell. Here we go (watch video below). That’s my famous whistle.
Dave: Thanks everybody for coming! We appreciate it!