Since the Social-Engineer Toolkit (SET) is being used in the wild, I decided to generate its PDF payloads and test them against antivirus vendors and against a new detection scoring system based on SpiderLabs research.
[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by David Kennedy (ReL1K) [---]
[---] Version: 0.6.1 [---]
[---] Codename: 'Arnold Palmer' [---]
[---] Report bugs to: davek@social-engineer.org [---]
[---] Java Applet Written by: Thomas Werth [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Framework: http://www.social-engineer.org [---]
[---] Over 1 million downloads and counting. [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
Follow me on Twitter: dave_rel1k
DerbyCon 2011 Sep29-Oct02 - A new era begins...
http://www.derbycon.com
Select from the menu on what you would like to do:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. Update the Metasploit Framework
8. Update the Social-Engineer Toolkit
9. Help, Credits, and About
10. Exit the Social-Engineer Toolkit
Enter your choice: 1
1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu
Enter your choice: 1
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
Enter the number you want (press enter for default):
1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)
Enter the payload you want (press enter for default):
* All samples were generated with payload 1, Windows Reverse TCP Shell, on port 2345.
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
http://www.virustotal.com/file-scan/report.html?id=377ba41782bbeb25c9816d76ec190fb6f4b88c7bbaecc26653a4a6ecc479f3ea-1281835639
File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)
$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf
flashplayer-newfunction.pdf Malicious PDF Detected
2. Adobe Collab.collectEmailInfo Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=a4ac73a6efee530a05ea05eeeaa3d8efc137e4eb3bcf4d492c2b318264da2f77-1281836155
File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)
$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf
collab-collectEmailInfo.pdf Malicious PDF Detected
3. Adobe Collab.getIcon Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=631893cd75bcf60ec82a3f59d3bd3f7f166874641a4ed62ceee28852889ec6e2-1281836494
File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)
$ pdf-analisys.pl -s1 -f collab-getIcon.pdf
collab-getIcon.pdf Malicious PDF Detected
4. Adobe JBIG2Decode Memory Corruption Exploit
http://www.virustotal.com/file-scan/report.html?id=814f20d28de287e76dbfacb14d90dbfab8e0b1e11e16212b88ca3216f2189117-1281836756
File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)
$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf
JBIG2Decode.pdf Malicious PDF Detected
5. Adobe PDF Embedded EXE Social Engineering
http://www.virustotal.com/file-scan/report.html?id=484ba7800fd549b82b6ac4dab5100f3017a0995cc47be13977703a168d1bcef3-1281837936
File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)
$ pdf-analisys.pl -s1 -f embeddedfile.pdf
embeddedfile.pdf Malicious PDF Detected
6. Adobe util.printf() Buffer Overflow
http://www.virustotal.com/file-scan/report.html?id=99e01802391f77c5c93cdf52cb2eacb5673e6acf7ac90776d477948a7fa1222d-1281838414
File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)
$ pdf-analisys.pl -s1 -f utilprintf.pdf
utilprintf.pdf Malicious PDF Detected
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
http://www.virustotal.com/file-scan/report.html?id=0ce18c65373f113916b108508b3afc481e460f77353d1e3ddd259dbd29bab5a1-1281838713
File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)
$ pdf-analisys.pl -s1 -f U3D.pdf
U3D.pdf Malicious PDF Detected
Clamav Results
collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK
----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1
* ClamAV has just released engine 0.96.2, which detected all 7 samples as malicious, so UPDATE your engine ASAP. The results above are from engine 0.96.1, where only the embedded EXE sample was caught.
Virus Total Results
Result: 15/ 42 (35.7%)
Result: 17/ 42 (40.5%)
Result: 15/ 42 (35.7%)
Result: 15/ 42 (35.7%)
Result: 15/ 41 (36.6%)
Result: 16/ 42 (38.1%)
Result: 11/ 42 (26.2%)
Average detection: 104 hits over 7 samples, i.e. 14.86 / 42 engines, or 35.37%
Top 5* AntiVirus Results
* Top 5 antivirus vendors chosen by most common names, not by detection rate
** Payloads listed below:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
Scoring System Results
collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected
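The "Malicious PDF Detected" verdicts above come from a scoring parser that the post does not publish. As an added illustration (this is not pdf-analisys.pl, not the SpiderLabs scoring and not SET code), here is a minimal Python scorer of the same kind: it counts suspicious PDF name objects, weights them, and flags the file once the score passes a threshold. The indicator list, the weights, the threshold and the four sample PDFs are all assumptions constructed for the example.

```python
"""Keyword-based PDF triage scorer (added example; not the post's tool).

Counts suspicious PDF name objects, weights them and flags the file above a
threshold. Indicator weights, the threshold and the sample PDFs are assumptions
constructed for this example.
"""
import re
import sys
from collections import Counter

# Assumed weights: action names that execute something score highest,
# triggers and exploitable decoders/containers next, common containers lowest.
INDICATORS = {
    b"/JavaScript": 3, b"/JS": 3, b"/Launch": 3,
    b"/OpenAction": 2, b"/AA": 2, b"/EmbeddedFile": 2,
    b"/RichMedia": 2, b"/JBIG2Decode": 2, b"/U3D": 2,
    b"/XFA": 1, b"/AcroForm": 1, b"/ObjStm": 1,
}
TRIGGERS = {b"/OpenAction", b"/AA"}   # names that fire something automatically
ACTIONS = {b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia"}
THRESHOLD = 4                          # assumed cut-off for the verdict

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSomething
# and /EmbeddedFile must not match /EmbeddedFiles.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript counts as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> Counter:
    """Return {indicator: occurrences} over the name-normalized file body."""
    data = normalize_names(data)
    counts = Counter()
    for name in INDICATORS:
        n = len(re.findall(re.escape(name) + NAME_END, data))
        if n:
            counts[name] = n
    return counts


def classify(data: bytes) -> dict:
    """Score = sum of weights of the distinct indicators present, plus 2 when an
    automatic trigger co-occurs with an action (the shape of a drive-by PDF)."""
    counts = count_indicators(data)
    present = set(counts)
    auto_exec = bool(present & TRIGGERS) and bool(present & ACTIONS)
    score = sum(INDICATORS[n] for n in present) + (2 if auto_exec else 0)
    verdict = "Malicious PDF Detected" if score >= THRESHOLD else "Clean"
    return {"score": score, "hits": dict(counts), "auto_exec": auto_exec, "verdict": verdict}


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample PDFs (minimal, not real SET output).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Auto-run JavaScript with the action name hex-escaped to dodge naive grep.
JS_EXPLOIT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS 5 0 R >> endobj
5 0 obj << /Length 44 >>
stream
var s = unescape("%u4141%u4141"); app.alert(1);
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# A scanned document: one JBIG2 image and nothing else, which must stay clean.
SCANNED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode /Length 0 >>
stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Embedded executable launched on open (the embedded-EXE social-engineering shape).
EMBEDDED_EXE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 6 0 R >> /OpenAction 5 0 R >> endobj
5 0 obj << /Type /Action /S /Launch /F (update.exe) >> endobj
6 0 obj << /Names [(update.exe) 7 0 R] >> endobj
7 0 obj << /Type /Filespec /F (update.exe) /EF << /F 8 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Length 2 >>
stream
MZ
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLES = {"benign": BENIGN_PDF, "js-exploit": JS_EXPLOIT_PDF,
           "scanned": SCANNED_PDF, "embedded-exe": EMBEDDED_EXE_PDF}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        r = scan_file(path)
        print(f"{path}: {r['verdict']} (score {r['score']}, hits {r['hits']})")
    if len(sys.argv) == 1:
        for label, pdf in SAMPLES.items():
            r = classify(pdf)
            print(f"{label}: {r['verdict']} (score {r['score']}, hits {r['hits']})")
```

Run it with no arguments to score the built-in samples, or pass PDF paths. The scanned-document sample shows why a single /JBIG2Decode hit on its own should not trip the verdict, and the escaped /J#61vaScript name shows why names must be normalized before matching. A scorer used against real samples would also have to inflate /FlateDecode streams and walk /ObjStm object streams, since the interesting names are usually compressed; this example only looks at the raw bytes.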
We sent some papers to a couple of conferences to start sharing this information. I'll let you know if we get approved and where =) .
Let's keep improving our research and sharing more and more information each time. In the future we'll share all the information, the scoring and the parser.
Regards,
Rodrigo "Sp0oKeR" Montoro
3 comments:
Just for the record: all the PDFs cited are detected by Kaspersky, some of them by heuristics, which is not shown in an analysis done through VirusTotal.
Congratulations on the blog
;)
Rodrigo,
I have just started my blog with a post that also covers SET. It really is a fantastic tool.
http://gustavomonteiro.com/
It looks really cool!
I would be interested to test it.
Is it available somewhere?