Hello to all of the BackTrack community.
I have a problem. I created an environment that I expect to attack; I'm using 4 computers, one with BackTrack (the attacker) and the others running Windows 7, Windows XP and Linux CentOS.
What I want to do is get full access to those computers. Well, all computers are fully patched, I mean no ms08... exploits will work. I know I can exploit the XP machine that way but I want to perform an advanced attack. What I thought would work was using the "java_rhino" exploit.
1) I spoofed the ARP table of all computers, so all the traffic going on passes through the BT machine. I used:
#echo 1 > /proc/sys/net/ipv4/ip_forward
#arpspoof -i eth0 -t (victim ip) (router ip)
2) With Armitage I found all the computers I want to get access to. I had to disable the firewall on the Windows machines since I don't know how to get through the firewall with ICMP packets (if anyone wants to help me with that too, I would be grateful).
3) I started the "java_rhino" exploit. The victims need to get to the "website" http://192.168.1.100:53/ so I can get the attack done.
4) I created a list of websites that are common for people to visit, since I don't want to go directly to http://192.168.1.100:53/ by typing it into the browser, and I want to redirect those websites to http://192.168.1.100:53/.
#echo www.google.com > websites.txt ; echo www.facebook.com >> websites.txt ; echo www.youtube.com >> websites.txt
5) I read about hijacking the browser session in a book about BackTrack, written by Vivek Ramachandran; he used in an example:
#dnsspoof -i mitm-bridge
mitm-bridge is a bridge that he created coming from a honeypot.
I used:
#dnsspoof -i ath0 websites.txt
6) Every time the user connects to www.google.com it gets to a webpage with the text "It works" because he started an Apache server.
I don't have Apache started but I have the "java_rhino" working as a server.
The problem is that I can't get access to the machines, only if I write http://192.168.1.100:53/, but that takes the fun part out of the attack.
I guarantee that I'm performing this in my own network with my own computers. I hope that anyone could help me; thank you very much for reading the post.
Strakar
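For anyone studying this lab from the other side of the wire: the two spoofing steps in the post (ARP poisoning in step 1, DNS answer spoofing in step 5) leave a very recognisable trace on the LAN, and a passive monitor can catch both. The script below is an added example written for this page, not code from the original post or from BackTrack; the ARP replies and DNS answers it works on are constructed sample data that mirror the post's addresses (router 192.168.1.1, attacker 192.168.1.100), and the heuristics are the classic arpwatch ones: an IP whose MAC binding changes, one MAC answering for many IPs, a public name resolving into an RFC 1918 range, and one address answering for many unrelated names.

```python
"""Defender-side detection for the two spoofing steps described in the post:
ARP cache poisoning (step 1) and DNS answer spoofing (step 5).

Added example; this is not code from the original post. All ARP and DNS
records below are constructed sample data, not captured traffic.
"""
from collections import defaultdict
import ipaddress

# RFC 1918 ranges: a public web site name answering with one of these is
# the tell-tale of an on-LAN redirection.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ARP replies as a passive monitor on the LAN would see them:
# (timestamp, sender IP, sender MAC). The router 192.168.1.1 and victim
# 192.168.1.10 have their own MACs at first; later replies claim both live
# at the MAC of host 192.168.1.100 (the attacking machine in the post).
ARP_REPLIES = [
    (1, "192.168.1.1",   "aa:bb:cc:00:00:01"),
    (2, "192.168.1.10",  "aa:bb:cc:00:00:10"),
    (3, "192.168.1.100", "aa:bb:cc:00:00:64"),
    (4, "192.168.1.1",   "aa:bb:cc:00:00:64"),
    (5, "192.168.1.10",  "aa:bb:cc:00:00:64"),
    (6, "192.168.1.1",   "aa:bb:cc:00:00:64"),
]

# Constructed DNS A-record answers seen by the same monitor: (name, answer).
# 203.0.113.10 is a documentation-range address standing in for the real
# public address of www.google.com.
DNS_ANSWERS = [
    ("www.google.com",   "203.0.113.10"),
    ("www.google.com",   "192.168.1.100"),
    ("www.facebook.com", "192.168.1.100"),
    ("www.youtube.com",  "192.168.1.100"),
    ("intranet.local",   "192.168.1.50"),
]


def detect_arp_poisoning(replies):
    """Flag IP->MAC bindings that change, arpwatch-style.

    The first reply seen for each IP is taken as the trusted baseline and is
    never updated, so every later reply that binds the same IP to another MAC
    is reported. A single MAC that answers for several IPs is reported too,
    because that is what the man-in-the-middle host looks like on the wire.
    """
    baseline = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac:
            alerts.append(f"t={ts}: {ip} moved from {baseline[ip]} to {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} IPs: "
                          + ", ".join(sorted(ips)))
    return alerts


def detect_dns_spoofing(answers, internal_tlds=("local",)):
    """Flag public names resolving into the LAN and one address serving many names.

    Names under an internal TLD (default: .local) are expected to resolve to
    private addresses and are left alone.
    """
    names_per_ip = defaultdict(set)
    alerts = []
    for name, answer in answers:
        addr = ipaddress.ip_address(answer)
        names_per_ip[answer].add(name)
        internal = name.rsplit(".", 1)[-1] in internal_tlds
        if not internal and any(addr in net for net in LAN_NETS):
            alerts.append(f"{name} resolved to LAN address {answer}")
    for answer, names in names_per_ip.items():
        if len(names) > 1:
            alerts.append(f"{answer} answers for {len(names)} names: "
                          + ", ".join(sorted(names)))
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES) + detect_dns_spoofing(DNS_ANSWERS):
        print("ALERT:", line)
```

Run as-is it prints the three "moved" alerts for the poisoned router and victim entries, the one MAC that now answers for three addresses, the three public names that suddenly resolve to 192.168.1.100, and that address answering for all three names. On a real network the inputs would come from a sniffer or from the resolver's logs; the baseline-never-updates rule is the same trade-off arpwatch makes, so a legitimate NIC replacement also fires once and has to be acknowledged.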



