In the last post, I had demonstrated the detection of SURL Analyzer when served with exploits generated by MetaSploit. In this post I will be using SET – Social Engineering Toolkit, another favorite tool, used by Phishers.
SET provides you with a framework which will help you in cloning a webpage containing login page and will assist you in stealing.
In this example, I will be using the Credential Harvester Attack.
Our host configuration remains unchanged and to replicate the real-world scenario
Eg 1. entry in hosts file '127.0.0.1 www.facebrok.com' Eg 2.entry in hosts file '127.0.0.1 www.faceb0ok.com'
Select from the menu: 1) Social-Engineering Attacks 2) Fast-Track Penetration Testing 3) Third Party Modules 4) Update the Metasploit Framework 5) Update the Social-Engineer Toolkit 6) Update SET configuration 7) Help, Credits, and About 99) Exit the Social-Engineer Toolkit Select : 1 Select from the menu: 1) Spear-Phishing Attack Vectors 2) Website Attack Vectors 3) Infectious Media Generator 4) Create a Payload and Listener 5) Mass Mailer Attack 6) Arduino-Based Attack Vector 7) SMS Spoofing Attack Vector 8) Wireless Access Point Attack Vector 9) QRCode Generator Attack Vector 10) Powershell Attack Vectors 11) Third Party Modules 99) Return back to the main menu. Select : 2 1) Java Applet Attack Method 2) Metasploit Browser Exploit Method 3) Credential Harvester Attack Method 4) Tabnabbing Attack Method 5) Man Left in the Middle Attack Method 6) Web Jacking Attack Method 7) Multi-Attack Web Method 8) Victim Web Profiler 9) Create or import a CodeSigning Certificate 99) Return to Main Menu Select : 3 1) Web Templates 2) Site Cloner 3) Custom Import 99) Return to Webattack Menu set:webattack> 2 [-] Credential harvester will allow you to utilize the clone capabilities within SET [-] to harvest credentials or parameters from a website as well as place them into a report [-] This option is used for what IP the server will POST to. [-] If you're using an external IP, use your external IP for this set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.5.200 [-] SET supports both HTTP and HTTPS [-] Example: http://www.thisisafakesite.com set:webattack> Enter the url to clone:http://www.facebook.com [*] Cloning the website: https://login.facebook.com/login.php [*] This could take a little bit... The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website. [!] I have read the above message. Press <return> to continue [*] Social-Engineer Toolkit Credential Harvester Attack [*] Credential Harvester is running on port 80 [*] Information will be displayed to you as it arrives below:
The goal of this exercise was to see whether SURL Analyzer is able to detect these pages as phishing or not. Detection based solely on algorithm and not a database full of phishing urls.
When SURL Analyzer was submitted the link:
Checking : http://www.faceb0ok.com MetaTag ReDirecting to: https://www.facebook.com/login.php?_fb_noscript=1 action = 2 MT=4 AcL=1 #Phish AcD1=2 Results=2 Analysis Time=0.108604409903638 seconds Total Time=1.64641985448429 seconds
SET Console Output
192.168.5.200 - - [06/Oct/2012 02:26:17] "GET / HTTP/1.1" 200 -
How does this web-page look like ?
SET Console Output when THE VICTIM provides login credentials and presses “LOGIN”
[*] Social-Engineer Toolkit Credential Harvester Attack [*] Credential Harvester is running on port 80 [*] Information will be displayed to you as it arrives below: 192.168.5.200 - - [06/Oct/2012 02:21:47] "GET / HTTP/1.1" 200 - [*] WE GOT A HIT! Printing the output: PARAM: lsd=AVq2K-ma PARAM: return_session=0 PARAM: legacy_return=1 PARAM: display= PARAM: session_key_only=0 PARAM: trynum=1 PARAM: charset_test=€,´,€,´,?,?,? PARAM: timezone=-330 PARAM: lgnrnd=231821_ALop PARAM: lgnjs=n POSSIBLE USERNAME FIELD FOUND: firstname.lastname@example.org POSSIBLE PASSWORD FIELD FOUND: pass=test PARAM: default_persistent=0 POSSIBLE USERNAME FIELD FOUND: login=Log+In [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
At the first instance, after looking at the console output of MetaSploit, one would immediately raise the question that – html is being served but none of the exploits have been loaded, so does SURL stop execution of exploits. The answer is NO.
SURL Analyzer will traverse through all the content, download it and analyze it. Upon completion of analysis it will give its report. Every, sample which had been constructed using Metasploit, was detected successfully.
Even in real-world scenarios, the Analysis Time is always in microseconds, however due to latency and link speed the “Total Time” is equivalent to user’s browsing experience.
Some of you may also wonder, what are twitter hash tags doing in the result? This is for the first time that anyone has ever attempted to provide an analyzer service over twitter. Being the author of this SURL analyzer’s algorithm, I wanted to share its usefulness with like minded individuals, individuals who are into fighting malware. During the testing period I came across such spirited individuals and saw them putting in extra efforts to dissect malware. Hence I decided that since every researcher is using twitter as a medium to communicate, why not integrate the analyzer with twitter.
In brief, researchers tweet the suspect url in a specific format , while the analyzer will grab these urls, analyze them, will upload the results to dropbox and the link of the result is tweeted back to the community.
Eg. of the tweet:
#ToolKit #Result =1 Dmn: h00p://www.facebrok.com RPT: https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_195848.txt
Every method is the best method – as long as, it will protect the end-users from Phishing and malware attacks. SURL analyzer being one of them.