What is the least noisy MITM attack to take control of a box

**kazalku** · 07-18-2009, 02:02 PM

There are many tuts & videos explaining the famous man-in-the-middle attack. However, except the sslstrip attack all of them (I think) require the victim to download something & run an exe (or other type) file. This is a bit "noisy". Is there ANY way which cause less suspicion? Say, for example, if the victim tries to go to google.com, it will redirect to fake (look alike) google.com and then "somehow" automatically install a backdoor or connect back to listening msf..... Well, you can ask - what do u mean by "somehow"? I don't know.. that's why I'm asking for help..

**Gitsnik** · 07-18-2009, 03:25 PM

Browsers tend to crap themselves if you try to actually install something. You might get away with a java applet installed but they are sandboxed really damned well so I doubt the avenue is applicable. Your best bet would be some sort of active evilgrade attack, but digital signatures can be a problem.

In terms of MiTM itself, the quietest ways are actually sslstrip and having a valid root certificate installed. I usually deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic.

**kazalku** · 07-18-2009, 03:45 PM

Originally Posted by Gitsnik

In terms of MiTM itself, the quietest ways are actually sslstrip and having a valid root certificate installed.

Thanks.. sslstrip is helpful but it doesn't help to get access to the data in the actual box.

**Gitsnik** · 07-18-2009, 03:50 PM

Originally Posted by kazalku

Thanks.. sslstrip is helpful but it doesn't help to get access to the data in the actual box.

No neither really will, evilgrading is your best bet but it's difficult to implement correctly. The problem really is that, even with abuse of trust in web browsers, there is really not much in the way of "download and run this .exe file" that goes on automatically (in a perfect browser world I mean). You *may* get away with MiTM'ing a citrix service (for example), but it is doubtful.

It is not uncommon for me to manipulate pages on the fly and wait, if I expect my user to get after the latest nmap and I don't want him to have it, I manipulate the page he sees my modifying the md5 sum, and redirecting his .exe installer to my local server - really though this is just evilgrading anyway.

Dooms_day · 07-21-2009, 02:32 PM

now when doing arp poison routing on a LAN, what steps do you go through to inject html into every page? its been said in the middle of other topics but i cant seem to find it, (seems on topic for this topic anyway)

i think redirecting google to a mirror of google seems pretty silent, then use fast-track to do the mass browser exploitation of IE 7 (most 7331 browser eva

)

**imported_vvpalin** · 07-21-2009, 08:50 PM

lol please tell me you did not just put 1337 in you post ....

But anyways do a dns spoofing attack on them and make a custom html page with both ie7 and ff3.5 exploit embedded inside.

You could even try using the filters and injecting it that way .. it might not get everyone if they stay ontop of there updates, but it would probably get more people than you think.

**opreat0r** · 07-22-2009, 02:23 AM

may want to look at the mass client side script for fasttrack.py and also my methods using smb_relay attack with etterfilter
Own Full patched XP box via HTTP - Remote Exploit Forums
Own Full patched XP box via HTTP - Remote Exploit Forums

Dooms_day · 07-22-2009, 08:59 PM

aha i used an iframe to clone the real page while the exploit sits in the background, even if they goto another page, it continues to load the exploit on the first page, cause iframes rock!

also better than a mirror because scripts dont work (php)

**kazalku** · 07-22-2009, 09:20 PM

Originally Posted by operat0r

may want to look at the mass client side script for fasttrack.py and also my methods using smb_relay attack with etterfilter
Own Full patched XP box via HTTP - Remote Exploit Forums
Own Full patched XP box via HTTP - Remote Exploit Forums

That doesn't work anymore, already tested.

Originally Posted by Dooms_day

aha i used an iframe to clone the real page while the exploit sits in the background, even if they goto another page, it continues to load the exploit on the first page, cause iframes rock!

also better than a mirror because scripts dont work (php)

Can you point to any tutorial please.

BackTrack Linux - Penetration Testing Distribution

Thread: What is the least noisy MITM attack to take control of a box

Thread Tools

Search Thread

Display

What is the least noisy MITM attack to take control of a box

Posting Permissions