SEToolkit: Metasploit's Best Friend

Metasploit's Best Friend

SEToolkit: Metasploit's Best Friend

If you read my last tutorial on using SEToolkit, you probably know that SEToolkit is an effective way to make malicious actions look legitimate. But, that was only the beginning... the truth is, Metasploit and SEToolkit belong together, and help each other very well.

Please do not continue reading this article if you don't understand Metasploit or SEToolkit. You can find more information on SEToolkit in my previous tutorial.

Now, I hope you remember how to navigate SEToolkit, as it is very simple. Let's start by opening the attacks menu.

Step 1: Open the Attacks Menu

Open SEToolkit by opening a terminal and typing setoolkit.

Open up the Website Attack Vectors menu by pressing 2:

Step 2: Choose Your Attack

For this tutorial, we will be using the Metasploit Browser Exploit Method. Once you open that menu, you will be prompted to choose a template for your malicious website. For this purpose, I'm going to choose the Web Templates by pressing 1.

You will then be prompted to choose a browser exploit. I find the Metasploit Browser Autopwn to be the most successful. This auxiliary module loads many exploits and payload handlers at once to to grab a wildcard target. This is the best method of attack if you are phishing. However, this can red flag many security systems, so just be careful! Type 43 to choose this option.

Next, SEToolkit will ask you for the payload to use. I find that using your own custom payload will work the best. I will use my own custom executable in this tutorial.

Step 3: Fill in the Blanks

You will then be prompted to insert the port and IP address. I'm going to hide mine in this picture, sorry. (I recommend port 443.) The rest is pretty self explanatory.

If you are using the custom payload, you must upload it to your Apache server, and give SEToolkit the download link. For example, when you put the payload into the root directory of your Apache server, your URL should look similar to http://192.168.1.16/malicious.exe . Just make sure you use your own IP address!

Step 4: Integrate with Metasploit

Now that we have told SEToolkit where our payload lies, it should give you this screen, and then load Metasploit to listen.

Once Metasploit has started, it will automatically start loading its Autopwn auxiliary tool, and listen for incoming connections on port 443. Do not stop Metasploit from loading! It may take a minute. The first thing you should see is something similar to this:

Once Metasploit has finished loading the modules, it should display the amount of modules loaded, and one URL to send to a victim. In this case, Metasploit found 20 exploit modules that would work.

Make sure you port forward if you're doing this over the Internet!

Step 5: Get a Victim

Send this link out on social media, or by email to a friend. While they check out your fake website, Metasploit will try to automatically exploit them. Just make sure you set up persistence before it's too late!

Conclusion

SEToolkit and Metasploit combined are just unstoppable! The exploits of Metasploit and the phishing methods of Social Engineering Toolkit are the way to get the job done.

C|H of C3

11 Comments

A nice tutorial, thank you for posting! SET is one of my favourite tools and it was the first tool I started playing around with when I started teaching myself. Sometimes I find it doesnt always work but I'm pretty sure thats just my forwarding settings.

dayum cracker, you're just spitting out articles!

nontheless a great article again! i love someone finally does a tutorial on social engineering again!

Yeah, not trying to spam 00%.

does it only works on local ?

No, you can do it over the Internet too! Just port forward port 80 to your machine.

What did i do wrong, im not getting any URL?

But the listener is running?

It's ok. You just access the website with your IP. So, http://192.168.1.33/ would do it from the LAN, but replace the local IP with your public IP if doing it over the Interwebs. You can use a service like Freenom to use a free domain that you can use, for example: you could make a domain named malicious.tk that will redirect to your website, but hide the IP in the omnibar.

Alright im in the site, i even wrote my usernam and password in. and nothing was detected?

just continuesly saying "starting the payload handler..."

when setting up account on freenom what ip addess should i use my local ip? got to a point in the registration it told me enter ip

Few questions here....so glad someone else is having a hard time.

  1. In the tutorial, it says local ip 10.0.1.161 <-- where is this ip coming from?
  2. When I google my public ip, I am given the ip of 198.8.80.78 and am running a VPN. Is that sufficient or do I need to sign up for a service like Freenom to get a domain?
  3. When registering at Freenom or noip, what ip do I provide them with? My real IP or my VPN ip?

Thanks for help.

Share Your Thoughts

  • Hot
  • Latest