Statistical URL Analyzer – with MetaSploit and SET

In the last post I demonstrated SURL Analyzer's detection of pages serving exploits generated by Metasploit. In this post I will be using SET, the Social-Engineer Toolkit, another tool favoured by phishers.

SET provides a framework that clones a web page containing a login form and captures whatever the victim submits to it, so the attacker can steal the credentials.

In this example, I will be using the Credential Harvester Attack.

Our host configuration remains unchanged from the last post. To replicate a real-world lookalike-domain scenario, the hosts file maps typo-squatted Facebook domains to the local machine:

Eg 1. entry in hosts file: '127.0.0.1      www.facebrok.com'
Eg 2. entry in hosts file: '127.0.0.1      www.faceb0ok.com'

SET Configuration:

Select from the menu:
 1) Social-Engineering Attacks
 2) Fast-Track Penetration Testing
 3) Third Party Modules
 4) Update the Metasploit Framework
 5) Update the Social-Engineer Toolkit
 6) Update SET configuration
 7) Help, Credits, and About
 99) Exit the Social-Engineer Toolkit
 Select : 1

Select from the menu:
 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules
 99) Return back to the main menu.
 Select : 2

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Man Left in the Middle Attack Method
 6) Web Jacking Attack Method
 7) Multi-Attack Web Method
 8) Victim Web Profiler
 9) Create or import a CodeSigning Certificate
 99) Return to Main Menu
 Select : 3

 1) Web Templates
 2) Site Cloner
 3) Custom Import
 99) Return to Webattack Menu
set:webattack> 2
[-] Credential harvester will allow you to utilize the clone
capabilities within SET
[-] to harvest credentials or parameters from a website as well
as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.5.200
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.facebook.com
[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.
 Press <return> to continue
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

The goal of this exercise was to see whether SURL Analyzer detects these pages as phishing. Detection is based solely on the algorithm, not on a database of known phishing URLs.

When the link was submitted to SURL Analyzer:

Result:

Checking : http://www.faceb0ok.com
MetaTag ReDirecting to:
https://www.facebook.com/login.php?_fb_noscript=1
action = 2
MT=4
AcL=1 #Phish
AcD1=2
Results=2
Analysis Time=0.108604409903638 seconds
Total Time=1.64641985448429 seconds

SET Console Output

192.168.5.200 - - [06/Oct/2012 02:26:17] "GET / HTTP/1.1" 200 -

What does this web page look like?

Fake Facebook Page

SET console output when the victim provides login credentials and presses "LOGIN":

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
192.168.5.200 - - [06/Oct/2012 02:21:47] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVq2K-ma
PARAM: return_session=0
PARAM: legacy_return=1
PARAM: display=
PARAM: session_key_only=0
PARAM: trynum=1
PARAM: charset_test=€,´,€,´,?,?,?
PARAM: timezone=-330
PARAM: lgnrnd=231821_ALop
PARAM: lgnjs=n
POSSIBLE USERNAME FIELD FOUND: email=yoyo@bye.com
POSSIBLE PASSWORD FIELD FOUND: pass=test
PARAM: default_persistent=0
POSSIBLE USERNAME FIELD FOUND: login=Log+In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
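What the harvester does with that POST body can be shown in a few lines. The following is an added example, not SET's own code: it parses a constructed body carrying the field names from the capture above and classifies parameters by name the way the output suggests (the assumption being that SET matches on name substrings such as "login", which is why the submit button login=Log+In is reported as a possible username field), then applies a stricter rule that demotes button captions and empty values so only the typed credentials are reported.

```python
import re
from urllib.parse import parse_qsl

# Constructed body matching the field names in the capture above (a few
# parameters dropped, values otherwise as shown).
CAPTURED_BODY = ("lsd=AVq2K-ma&return_session=0&legacy_return=1&display="
                 "&trynum=1&timezone=-330&lgnjs=n&email=yoyo%40bye.com"
                 "&pass=test&default_persistent=0&login=Log+In")

# Name hints. Assumption: substring matching on the parameter name is what
# makes SET report 'login=Log+In' as a possible username field.
USERNAME_HINT = re.compile(r"user|email|login|uid", re.I)
PASSWORD_HINT = re.compile(r"pass|pwd|secret", re.I)
# Values that are button captions rather than something the victim typed.
SUBMIT_CAPTION = re.compile(r"^(log\s?in|sign\s?in|submit|continue|next)$", re.I)


def classify_loose(body):
    """Harvester-style classification by parameter name only."""
    out = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if PASSWORD_HINT.search(name):
            out.append(("password", name, value))
        elif USERNAME_HINT.search(name):
            out.append(("username", name, value))
        else:
            out.append(("param", name, value))
    return out


def classify_strict(body):
    """Same hints, but a hit whose value is empty or reads like a button
    caption is demoted to a plain parameter."""
    out = []
    for kind, name, value in classify_loose(body):
        if kind != "param" and (not value or SUBMIT_CAPTION.match(value)):
            kind = "param"
        out.append((kind, name, value))
    return out


def credentials(body):
    """(username, password) from the strict pass, or None if either is missing."""
    found = {kind: value for kind, _, value in classify_strict(body) if kind != "param"}
    if "username" in found and "password" in found:
        return found["username"], found["password"]
    return None


if __name__ == "__main__":
    for kind, name, value in classify_loose(CAPTURED_BODY):
        label = {"username": "POSSIBLE USERNAME FIELD FOUND",
                 "password": "POSSIBLE PASSWORD FIELD FOUND"}.get(kind, "PARAM")
        print(f"{label}: {name}={value}")
    print("strict:", credentials(CAPTURED_BODY))
```

The loose pass reproduces the three "FOUND" lines above, including the false positive on the submit button; the strict pass keeps only email and pass.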

Analysis:

Looking at the Metasploit console output, one would immediately ask: the HTML is being served but none of the exploits have been loaded, so does SURL Analyzer stop the exploits from executing? The answer is no.

SURL Analyzer traverses all of the content, downloads it and analyzes it; on completion it produces its report. Every sample constructed with Metasploit was detected successfully.

Even in real-world scenarios the Analysis Time is a fraction of a second (0.11 seconds in the result above). The "Total Time", however, includes network latency and link speed, and so is equivalent to what a user would experience browsing to the page.
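To make the kind of check concrete, here is an added example in Python; it is not SURL Analyzer's code (the algorithm is not published here) and the sample page is constructed. It parses a cloned login page for meta-refresh and form-action targets, reduces each to its registrable domain with a crude last-two-labels rule (an assumption; no public-suffix list), and flags the page as phish when a target leaves for a different domain that the served domain imitates by homoglyph substitution or one or two edits, which is exactly the relationship between faceb0ok.com and the facebook.com redirect in the result above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RedirectAndFormParser(HTMLParser):
    """Collect meta-refresh targets and <form action> URLs from an HTML page."""

    def __init__(self):
        super().__init__()
        self.meta_redirects = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.meta_redirects.append(m.group(1))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: no public-suffix list, so
    'co.uk'-style suffixes would be mishandled; good enough for the sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Digit-for-letter swaps commonly used in lookalike domains (faceb0ok -> facebook).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance; small values mean a typo-style lookalike (facebrok)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, target):
    """True when candidate imitates target via homoglyphs or at most two edits."""
    if candidate == target:
        return False
    if candidate.translate(HOMOGLYPHS) == target.translate(HOMOGLYPHS):
        return True
    return edit_distance(candidate, target) <= 2


def analyze(page_url, html):
    """Flag a page as phish when a meta redirect or form action sends the visitor
    (or the credentials) to a different registrable domain that the served
    domain visibly imitates. Hand-offs to unrelated domains are reported but
    not flagged on their own, which keeps ordinary SSO redirects out of the net."""
    parser = RedirectAndFormParser()
    parser.feed(html)
    served = registrable_domain(urlsplit(page_url).hostname or "")
    findings = []
    for kind, urls in (("meta-redirect", parser.meta_redirects),
                       ("form-action", parser.form_actions)):
        for url in urls:
            host = urlsplit(url).hostname
            if not host:          # relative target: stays on the served host
                continue
            dest = registrable_domain(host)
            if dest != served:
                findings.append((kind, url, dest, looks_like(served, dest)))
    return {"url": page_url, "domain": served, "findings": findings,
            "phish": any(f[3] for f in findings)}


# Constructed sample: a cloned login page served from the lookalike host, with
# the noscript meta refresh left pointing at the real site (as in the result
# above) and the form action rewritten to post back to the serving host.
CLONED_PAGE = """<html><head>
<noscript><meta http-equiv="refresh"
 content="0; URL=https://www.facebook.com/login.php?_fb_noscript=1" /></noscript>
</head><body>
<form id="login_form" action="/" method="post">
<input name="email"><input name="pass" type="password">
<input type="submit" name="login" value="Log In">
</form></body></html>"""

if __name__ == "__main__":
    report = analyze("http://www.faceb0ok.com/", CLONED_PAGE)
    for kind, url, dest, lookalike in report["findings"]:
        print(f"{kind}: {url} -> {dest} (lookalike={lookalike})")
    print("Results=Phish" if report["phish"] else "Results=Clean")
```

The relative form action is deliberately skipped: SET rewrites it so the POST lands on the harvester, and a same-host action says nothing about the page's legitimacy. The signal here is the redirect that the clone inherits from the original page, pointing at a domain the served one merely imitates.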

Some of you may also wonder what Twitter hashtags are doing in the result (the #Phish in AcL=1 #Phish above). This is the first time anyone has attempted to provide an analyzer service over Twitter. As the author of SURL Analyzer's algorithm, I wanted to share its usefulness with like-minded individuals who are into fighting malware. During the testing period I came across such spirited individuals and saw them put in extra effort to dissect malware. Since every researcher uses Twitter as a medium to communicate, I decided to integrate the analyzer with Twitter.

In brief, researchers tweet the suspect URL in a specific format; the analyzer grabs these URLs, analyzes them, uploads the results to Dropbox and tweets the link to the result back to the community.

Example tweet:

#ToolKit #Result =1 Dmn: h00p://www.facebrok.com RPT:
https://dl.dropbox.com/u/12294415/SURL/10_05/p_www_facebrok_com_195848.txt

Conclusion:

Every method is the best method, as long as it protects end users from phishing and malware attacks. SURL Analyzer is one of them.

This entry was posted in eScan 11.