Silly SET Tricks : Combining SET and Ettercap For Surprisingly Amusing Results.

Posted: November 25, 2011 in Guides
Tags: , , , ,

Okay so in the last couple of articles I wrote, I’ve been talking about both SET and ARP poisoning. These are two different applications that can be used by both Security professionals and angsty teens to do some stupid stuff. Here I’m going to illustrate a simple attack, that combines both ARP spoofing with DNS redirection and the Social Engineering Toolkit, this will take you beyond simply sniffing passwords and get you a shell on the victim system. Note standard ARP poisoning rules (same network segment) apply here. The victim machine here will be a fully patched Ubuntu 11.10 install running UFW firewall.

This attack will leverage the afforementioned Java Applet vector from the Social Engineering Toolkit, and it will use Ettercap to redirect our traffic so that our victim THINKS they are visiting Ubuntu Forums when in reality they are just getting shelled.

Preparing Our Attack

I’m not going to go into how to install these various programs, this is already a lame enough thing to have to do, and if you don’t know how to get the programs working you probably have no business doing this.

Configuring SET

The first thing I want to do is configure set to utilize a port other than the default 8081 for our Linux payload’s reverse connection. I’m going to be clever and use port 53, this is for a couple of reasons — mainly, to bypass commonly configured desktop firewalls.

We’re going to edit our set_config file and change the following line




Note : That part is optional, but it’s a good idea.

Now we want to fire up SET and do a typical Java Applet attack, we’re going to clone Ubuntu Forums in this case.

Configuring Metasploit

Now for some reason SET is kind of broken lately, it doesn’t properly configure the listener in Metasploit Framework for any payload other than the Windows Payload (even if it creates the code to execute both Linux and OSX payloads).

So we need to configure our Listener in Metasploit.

Now that we’re listening for our return connection we just have to get the victim, or victim’s to our malicious web site.

Configuring Ettercap

For this attack to work we need to redirect the traffic of the victim to our malicious site. To do this we’re going to use ARP poisoning with the ettercap DNS spoofing plugin.

So first we need to configure our DNS spoofing plugin we will need to add a DNS record for our machine (which in this case’s IP is

So we edit etter.dns (usually in /usr/share/ettercap/etter.dns)

and add the following A

And save the file.

Now we just fire up Ettercap and set it up to do an ARP poisoning attack with our plugin.

Getting the Shell

Now once our victim browses to Ubuntu Forums they will be presented with the following.

Oh hey, it’s from Ubuntu Forums, I know this because it says so, and I typed the address right in the URL bar. Cool whatever I’ll hit run since Ubuntu is secure right? Of course!

And that’s good game folks. Happy Holidays πŸ™‚

P.S: Run NoScript.

  1. Ms. Daisy says:

    Nicely written, DT. This post makes an excellent case for No-Script, showing exactly what a javascript attack looks like. It’s technical enough to provide ample evidence while also describing it simply to a non-technical user (like me!)

    BTW, should I be worried next time I log onto Ubuntu Forums? πŸ˜‰

    Ms. Daisy

    • dangertux says:

      Thanks for the compliment πŸ™‚

      It’s also important to note that the initial Java Applet attack is two fold, one a Javascript that calls a Java Applet. Then the Java Applet which actually executes the payload. THe first part of that attack will be stopped by NoScript thus stopping the Applet from running. (By not giving you the choice to click Run).

      Also as far as being worried about Ubuntu Forums, something I briefly touched on in this. This is NOT something that could be done from home to someone very far away (at least not via this method, they would have to actually poison a DNS server). So this is something you’re looking at happening on shared internet access. Public Library, Wifi, Home network with weak credentials and an angry neighbor kid, office network, etc you get the idea. It’s important to understand and I didn’t screenshot where ettercap shows what is actually happening, but basically when the victim looks for Ubuntu Forums it is told it is at the IP address of the attacker, which has a site that looks identical to Ubuntu Forums plus the payload. Nothing is actually happening to Ubuntu Forums itself.

      Hope that helps.

      • Carlos says:

        Hi Adam,

        So if I dont run that applet the attack wont work?

      • dangertux says:

        Correct — however it’s important to understand that SET uses a Javascript repeater, meaning it will pop that message up over and over again.

        Also, you are ARP poisoned so you wouldn’t be visiting the actual Ubuntu Forums, remember the cloned site is hosted on the attacking machine. So until you straightened out your ARP tables you wouldn’t be able to visit the actual site.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s