The Social-Engineer Toolkit (SET) version 5.1 codename “Name of the Doctor” has been released. This version adds a complete rewrite of the MSSQL Bruter as well as a new attack vector utilizing the PSExec functionality within Metasploit.
The MSSQL Bruter now incorporates UDP port 1434 quick discovery by sending a specially crafted packet to MSSQL servers and returning the port automatically. This technique eliminates the need to port scan and quickly identifies the SQL server as well as what port the SQL server is listening on. In addition, SET has moved away from the _mssql python module and towards impacket from Core Security. Main reason for this is due to some instabilities in later versions of _mssql with execute_query() being broke as well as the functionality built into impacket makes it much easier to use.
In addition to utilizing impacket, originally in SET you had two options for payload delivery, the first being POwerShell and the second the binary 2 hex debug conversion attack vector. This has been changed to automatically detect if PowerShell is installed on the victim machine, if it is – SET will automatically deploy a PowerShell injection technique that has been completely rewritten in the MSSQL module. If it does not detect PowerShell, it will automatically revert back to the debug. Lastly on the MSSQL Bruter portions, performance has been increased significantly on the brute forcing, discovery, and deploying of payloads.
For a video of the features, check out below:
A new attack vector build into SET is the new psexec attack vector inside the Fast-Track menu. During a penetration test, often times you may have credentials to a server and want Meterpreter on a wide scale level. The psexec traditional module gets picked up by Anti-Virus due to known signatures being used. You can either use the EXE::Custom advanced feature however it still doesn’t give you the ability to select RHOSTS (multiple IP addresses) unless you custom script it or through something like railgun. The newer module “psexec_command” allows you to specify RHOSTS as well as execute a command on the operating system. Inside of SET, the psexec attack vector will automatically created a meterpreter backdoor through PowerShell and deploy it to systems you have permission to (RHOSTS). You can either use a username and password that you’ve decrypted or the hash for the pass the hash attack vector.
In addition to the new attack vectors, a number of other improvements, bug fixes, and enhancements have been made in this release. For more on all of the changes, check out the changelog before:
- when specifying a custom wordlist in SET – added the ability for ports to be specified ipaddr:portnum for example 192.168.5.5:2052 just in case a SQL server is not listening on 1433
- incorporated udp port 1434 enumeration instead of portscanning – much more faster and efficent – also finds ports that are not on port 1433 (thanks Larry Spohn)
- removed the src/core/portscan.py it is no longer needed
- added impacket as a dependacy – will be used for psexec command execution and TDS connections via mssql
- fixed an issue that would cause the import modules to not load properly when relaunching the MSSQL Brute attack
- improved the speed of the MSSQL brute attack on initial brute force
- completely rewrote MSSQL Brute to incorporate impacket – SET no longer uses the _mssql module – highly buggy in the latest versions
- improved udp 1434 detection capability by piping through the printCIDR function which will utilize CIDR notations when scanning
- incorporated new function called capture which will take stdout from function calls and present them as a string – important when doing regex in impacket
- streamlined the MSSQL bruter to automatically profile the system to determine if Powershell is installed, if so it will automatically do powershell injection, if not it will fall back to the Windows debug method for payload delivery
- rewrote the entire powershell deployment module – it now ties in to standard powershell shell payload delivery system
- added dynamic shellcode patching to the MSSQL bruter – now generates shellcode automatically, cast it unicode, then base64 encoding for EncodedCommand powershell bypass technique
- rewrote the hex2binary deployment method to support the new impacket method – it will now automatically deliver a binary based on the attack vector that you want to use
- shrunk the powershell injection code to fit properly within MSSQL xp_cmdshell one call
- added one line for xp_cmdshell disable which works on later versions of Windows
- removed the portscan functionality completely out of the MSSQL payload
- rewrote all portions of the MSSQL bruter to be fully impacket and removed the dependacy for _mssql from fast-track
- added new attack vector within the Fast-Track menu “PSEXEC Powershell Injection” which will allow you to specify psexec_command and compromise via direct memory injection
- added ability to set threads within the new PSEXEC PowerShell Injection technique
- added quick dynamic patching for the powershell injection technique for payloads
- added a new trustedsec intro ascii art that has the TS logo on it
- updated rid_enum to the latest github version inside SET