Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3622179
Download video: http://www.mediafire.com/?kz0zyde3gjt
Download Script (metasploit-fakeUpdate[v0.1.4].tar.gz): http://www.mediafire.com/?gjzzzmzztmz
What is this?
This is a bash script to automate 'Man in the Middle' to 'pwn' whoever it can, via giving them a "Fake Update" screen. The attack is transparent (allowing the target to afterwards surf the inter-webs once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!), VNC (remote desktop) or whatever the attacker wishes to use.
How does this work?
> Sets up a DHCP and web server
> Creates an exploit with metasploit.
> Waits for the target to connect, download and run the exploit.
> Once successfully exploited it grants access to allow the target to surf the inter-webs.
> Uploads a backdoor; SBD or VNC, via the exploit
> The attacker has the option to run a few 'sniffing' programs (from the dsniff suite) to watch what the target does!
What do I need?
> A network with client
> An Internet connection (though you could modify it so it's non-transparent)
> dhcpd3, apache, metasploit, dsniff suite --- All on BackTrack
> The script! metasploit-fakeUpdate[v0.1.4].tar.gz (489 KB, SHA1: aac4554f2d09e2a3f1b1061abe3759d445771b5e)
What's in the tar.gz?
> metasploit-fakeUpdate.sh --- Bash script
> www/index.php --- The page the target is forced to see before they have access to the Internet.
> www/sbd.exe --- SBD Backdoor
> www/winvnc.exe, vnchooks.dll, vnc.reg --- VNC Backdoor
> www/Linux.jpg, OSX.jpg, Windows.jpg --- OS Pictures
> www/favicon.ico, animated_favicon1.gif --- FavIcons
How to use it?
1.) Extract the tar.gz file (via tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz).
2.) Copy the "www" folder to /var/www (cp www/* /var/www/)
3.) Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
4.) Edit metasploit-fakeUpdate.sh with your "internet" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
5.) bash metasploit-fakeUpdate.sh (don't forget to be in the correct folder!)
6.) Wait for a connection...
7.) ...Game Over.
Commands:
tar zxf metasploit-fakeUpdate\[v0.1.4\].tar.gz
cd metasploit-fakeUpdate\[v0.1.4\]
cp www/* /var/www
ifconfig
kate metasploit-fakeUpdate.sh
bash metasploit-fakeUpdate.sh
Notes:
- Based on fakeAP_pwn.
- The video uses metasploit-fakeUpdate.sh v0.1
- It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
- I'm running BackTrack 4 Final in a VM. The target is running Windows XP Pro SP3 (fully up-to-date 2010-05-13), with no firewall and no AV.
- The connection is reversed - so the connection comes from the target to the attacker, therefore, as the attacker is the server, it could help out with firewalls...
- As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX...but it's taken me this long to update it - so don't hold your breath!
+ Added arguments
Song: DJ Mummy vs Sean Paul - Nuttin No Go So (Bubbling Remix)
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/28364-%5Bscript%5D-%5Bvideo%5D-metasploit-fakeupdate-v0-1-1-a.html#post161838
Video length: 3:20
Capture length: 7:59
Blog Post: http://g0tmi1k.blogspot.com/2010/05/...date-v011.html
v0.1.4
+ Can detect and uses broadcast address if needed
+ Checks for superuser
+ Checks interfaces/paths/files exists
+ Randomizes ports each time
+ Reversed the VNC connection
+ Stops and removes any existent backdoors
+ Stops any services and/or programs currently running
+ Uses “msfencode” - to prevent detection
+ Webpage now has a "favicon"
> Fixed a few minor features (couple of silly typos)
> General code improvements
> Improved "clean up" code
> Improved checking the targets IP Address
> Renamed the backdoor files
> Renamed the output windows
> Updated the help message
> Waits a little bit longer in places
v0.1.2
+ Fix Gateway Bug
+ Checks for other index files. And acts on it.
+ Checks to make sure user copied www/. Else acts on it.
+ Added more tools to "extra".
+ Added extra settings
> Aligned the output windows
> General code improvements
> Improved debug info
> "Started" work on allowing a custom backdoor *Needs more work*
- Removed Linux/OSX *was confusing people*
v0.1.1
+ First public release
Last edited by g0tmi1k; 03-05-2011 at 02:24 PM. Reason: Updated to v0.1.4
Have you...g0tmi1k?
Thx g0tmi1k, but after i connect to victim he ask me what's the VNC password?
@ EsLaMxBoSS : The VNC password is "g0tmi1k" (without "").
metasploit-FakeUpdate - Updated to v0.1.2
+ Fix Gateway Bug
+ Checks for other index files. And acts on it.
+ Checks to make sure user copied www/. Else acts on it.
+ Added more tools to "extra".
+ Added extra settings
> Improved debug info
> Aligned the output windows
> "Started" work on allowing a custom backdoor (Needs more work)
> Improved the code/Clean it up.
- Removed Linux/OSX - was confusing people
I have a problem. If you view the page in Windows, it wants to save the page to disk. It seems to me that this is a wrong Apache configuration. Has anyone any ideas for a solution to this problem?
httpd.conf is empty. I do not know what the reason is. Can someone paste the correct httpd.conf configuration? I'll be very, very grateful.
Last edited by g0tmi1k; 05-27-2010 at 08:57 AM.
v0.1.3
+ Works again!*Couple of silly typos*
+ Now checks for existent backdoors *kills and removes them!*
+ Added favicons
+ Randomizes ports
> Cleans up after VNC payload
> Updated the VNC payload
> Renamed the backdoor files
> Renamed a couple of output / output windows
Last edited by g0tmi1k; 05-28-2010 at 10:09 AM.
Having a problem.
My setup: BT4 Final VM with current updates.
XP Pro with all updates.
Now, do I set the interface (wlan0 in my case) and that is it?
I have tested it with my Windows 7 box and got a 404 Not Found error page, but my XP box does nothing; it can still surf.
Update: I was using VNC but switched back to SBD, and now my XP box has the 404 Not Found.
Last edited by intertan; 05-30-2010 at 11:13 PM.