Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection

WINDOWS 7 - BYPASSING DNS BY HOSTS FILE INJECTION

- Layout for this exercise:

The hosts file is a plain text file used by an operating system to map hostnames to IP addresses.

- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that the well-known URL www.google.com is redirected to the attacker's website.

- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake one.

- One of the keys to this attack's success is the name resolution order used by Windows systems: first, Windows 7 looks up the entries in the hosts file; second, Domain Name System (DNS) servers are queried.

- For this reason, if a crafted hosts file is injected into the victim's machine, the victim would not be able to notice that the web destination is actually a fake one.

- Let's start the attack by backgrounding the active meterpreter session:

- Now, the post-exploitation module inject_host is used:

- Options for this module:

The domain to be faked:

The attacker's IP:

- The active meterpreter session:

- Now, all required options are set:

- The module is launched and completes successfully:

- As a result, back on the victim, the hosts file now has a new entry pointing www.google.com to the attacker's IP:

- On the attacker's side, in order to take advantage of the attack, a web server is set up on port 80 serving a welcome message:

- From the victim's machine, when trying to connect to www.google.com, the connection is redirected to the attacker's website:

- Note that this redirection or phishing could be done on the victim's side with any type of trustworthy website (banks, email services, businesses, ...), and on the attacker's side with a fake website where the victim could enter valid credentials, which could then be stolen by the attacker.

- It is interesting to check the different ways the commands ping and nslookup handle this situation.

- When pinging www.google.com, the name resolves to 192.168.1.12:

- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain domain name or IP address mappings.

- In this way, nslookup only checks DNS resolution, ignoring the hosts file, and resolves www.google.com to the real IP 216.58.216.228:

As said before, the hosts file is consulted before DNS resolution by Windows systems.
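As an added example (not part of the original post), the following PowerShell check audits a hosts file for the kind of entry injected above: any mapping of a watched domain, or any non-loopback mapping of a name other than localhost, is reported. The sample file content and the watchlist are constructed for the demonstration; the file path is the standard Windows location.

```powershell
# Added example, not from the original post: audit a Windows hosts file for
# entries that pin well-known names, as the inject_host module does.

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Drop comments and blank lines; fields are <ip> <name> [alias ...]
        $text = ($line -split '#', 2)[0].Trim()
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Address = $fields[0]; HostName = $name.ToLower() }
        }
    }
}

function Find-SuspiciousHostsEntries {
    param([string[]]$Lines, [string[]]$WatchList)
    Get-HostsEntries -Lines $Lines | Where-Object {
        $entry = $_
        $loopback = @('127.0.0.1', '::1') -contains $entry.Address
        $watched = @($WatchList | Where-Object {
            $entry.HostName -eq $_ -or $entry.HostName.EndsWith('.' + $_)
        })
        # A watched domain pinned to anything, or any non-loopback entry
        # for a name other than localhost, deserves a look.
        ($watched.Count -gt 0) -or (-not $loopback -and $entry.HostName -ne 'localhost')
    }
}

# Constructed sample mirroring the injected entry shown above; the real file
# lives at $env:SystemRoot\System32\drivers\etc\hosts.
$sample = @(
    '# sample hosts file (constructed)',
    '127.0.0.1       localhost',
    '::1             localhost',
    '192.168.1.12    www.google.com   # injected by the attacker'
)
$watch = @('google.com', 'microsoft.com')   # illustrative watchlist, adapt to your environment

Find-SuspiciousHostsEntries -Lines $sample -WatchList $watch | Format-Table Address, HostName -AutoSize

# Audit the live file the same way:
# Find-SuspiciousHostsEntries -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") -WatchList $watch
```

Because ping follows the same hosts-first order as the victim's browser, a hit from this check is also what explains the differing ping and nslookup results above.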
METASPLOIT - Windows 7 - Keylogger

WINDOWS 7 - KEYLOGGER

- Layout for this exercise:

- The keyscan_start command starts capturing keystrokes on the victim's machine:

- Now, let's suppose that a user at the victim's machine types a set of characters, like for instance:

- The attacker can retrieve all those characters just by using the command keyscan_dump:

- Once the attack has been successfully performed, the keyscan process can be stopped:

METASPLOIT - Windows 7 - Desktop screen grabbing

WINDOWS 7 - DESKTOP SCREEN GRABBING

- Layout for this exercise:

- Windows systems automatically create an interactive window station. When an interactive user logs on, the system associates the interactive window station with the user's logon session. The system also creates the default input desktop for the interactive window station (WinSta0\Default). Processes started by the logged-on user are associated with the WinSta0\Default desktop. In other words, the WinSta0 station is used to interact with users.

- The command enumdesktops enumerates all accessible desktops:

- Checking that the active desktop is interactive:

- Loading the espia extension from meterpreter:

- Then, the screengrab command grabs a screenshot of the active desktop on the victim's machine. The picture is saved under the path /root with a .jpeg extension:

METASPLOIT - Windows 7 - Sniffing

WINDOWS 7 - SNIFFING

- Layout for this exercise:

- Metasploit provides the sniffer module, which can be loaded from a meterpreter session:

- Checking how many interfaces are available for sniffing, let's take one with the parameter "usable:true":

- The sniffing process starts on interface 2, allocating a buffer of 10000 packets:

- Some traffic is generated, for instance pinging from the attacker Kali to the victim Windows 7:

- Statistics of the sniffing process:

- Captured packets can be dumped to a file in pcap format, for instance named readable_with_wireshark.pcap:

- Stopping the sniffing process:

- From another console, the captured packets can be read with the Wireshark application:

- Wireshark shows all the traffic generated by the pings between the attacker and the victim:

METASPLOIT - Windows 7 - Mimikatz

WINDOWS 7 - MIMIKATZ

- Layout for this exercise:

- Once Windows 7 has been exploited and control has been taken over, the mimikatz extension can be loaded and used for dumping credentials.

- For instance, cached Digest Authentication passwords can be retrieved with the command wdigest:

METASPLOIT - Windows 7 - Remote Desktop Protocol - Weak passwords

WINDOWS 7 - REMOTE DESKTOP PROTOCOL - WEAK PASSWORDS

- Layout for this exercise:

- Under similar circumstances to the previous example, the victim Windows 7 allows remote connections on the RDP port TCP 3389, with the less secure option:

- The attacker scans the victim and detects that the RDP port 3389 is open:

- For the sake of simplicity, let's create a couple of easy wordlists: UserList and PasswordList.

- With the help of both wordlists, ncrack discovers the credentials by attacking the RDP port open on the victim 192.168.1.14:

METASPLOIT - Windows 7 - Remote Desktop Protocol: Denial Of Service / Blue Screen

WINDOWS 7 - RDP - DoS - BLUE SCREEN

- Layout for this exercise:

- Remote Desktop Protocol (RDP) is a Microsoft protocol which provides a graphical interface for connecting to a computer over a network connection. RDP accepts connections on port TCP 3389.

- Operating systems like Windows 7 offer three options for RDP regarding security: Control Panel -> System and Security -> System -> Remote settings -> System Properties -> Remote:

- An attacker can detect that the RDP 3389/tcp port is open on the victim's computer:

- The less secure option allows any type of RDP connection, which is a vulnerability that can be taken advantage of by exploiting it with the appropriate Metasploit module:

- Required options for this module are simple, just the victim's IP and the RDP port (3389):

- Running this module, some crafted packets are sent to the victim:

- As a consequence, the Denial of Service attack results in a Blue Screen on the target machine:

- To avoid this DoS attack, the RDP service should be disabled by default:

- Also, the secure option with Network Level Authentication could be considered:
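As an added example (not the post's own material), the following PowerShell check reads the registry values behind the three Remote settings options and reports whether a host is in the weak "any version of Remote Desktop" state used in this exercise, in the disabled state, or requiring Network Level Authentication. The registry paths are the standard Terminal Server locations; the output strings are illustrative.

```powershell
# Added example, not from the original post: report which of the three
# Remote settings options a host is effectively using, by reading the
# Terminal Server registry values. Run in an elevated session on the
# machine being audited.

function Get-RdpSecurityPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 -> "Don't allow connections" (RDP disabled).
    $denied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 -> Network Level Authentication required
    # (the secure option); 0 -> any version of Remote Desktop accepted
    # (the less secure option used in the exercise).
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
    $layer = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    if ($denied -eq 1) {
        $state  = 'Disabled'
        $advice = 'None: RDP is not accepting connections'
    } elseif ($nla -eq 1) {
        $state  = 'Enabled, NLA required'
        $advice = 'OK'
    } else {
        $state  = 'Enabled, any client allowed (weak)'
        $advice = 'Disable RDP (fDenyTSConnections=1) or require NLA (UserAuthentication=1)'
    }

    New-Object PSObject -Property @{
        RdpState       = $state
        NlaRequired    = ($nla -eq 1)
        SecurityLayer  = $layer
        Recommendation = $advice
    }
}

Get-RdpSecurityPosture | Format-List RdpState, NlaRequired, SecurityLayer, Recommendation

# Remediation when the weak option is found (administrator rights required):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
```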