Python script for arpspoof

There are times during a penetration test when you are having difficulty gaining the credentials you want from a host that has already been compromised. You have successfully socially engineered a system administrator or other user with privileges to a web application and you have established a meterpreter shell. You can dump the password hashes or use Mimikatz to output any clear-text credentials in memory, but if they haven’t logged into the web application in a day or two, you might be out of luck using either of those methods.

The first thing that you need to do is to gain access to their computer via a social engineering attack, preferably one that utilizes a PowerShell script that creates a reverse connection to your attack system. Why PowerShell? We don’t want anti-virus to alert any administrators or users to our penetration test, and anti-virus software rarely categorizes PowerShell scripts as malicious. You could craft your own PowerShell script, but since the Social Engineering Toolkit already provides a means to do this, let’s use that tool instead. If they follow your instructions, you should see a meterpreter shell created and you can now proceed with gathering some of their credentials.

You could try to perform an arpspoof and orchestrate a man-in-the-middle attack, but that could raise some alarms if the client’s intrusion detection system is operating properly. However, there is a better way to get the user to send their credentials right to your computer. The goal: to become a web proxy for them. But we don’t want to become a web proxy for all their web browsing habits, simply for the website(s) we want to gather credentials for so we can gain access to that system.

First there is going to be some setup for this exploit to work properly. You need to create a local proxy.pac file. Technically you can name it whatever you want, as long as the file extension is “.pac”. The file will probably look something like this:

For this example, we are concerned with gathering credentials for logins. All other HTTPS connections should be forwarded along to their respective hosts.

The next order of business that we need to attend to is that we need to get the source for the logon webpage and modify it appropriately. Specifically, we will need to modify the action that the logon form will take when the user clicks the submit/logon button on the form. Let’s change the directory into the /var/

Now for the tricky part. We need to modify this page so that we send the victim to our computer, but we also need to make sure they don’t run into any weird issues that might make them suspect that something is amiss. Open the index.html file that wget created in your /var/

Now we need to modify this value. We have to create a creds.html file in our /var/

Your index.html file should look like this now:

With, there is a script section of the web page that is going to get in our way. Let’s just delete this whole section of the index.html file and save it.

We have our index.html page ready; let’s focus on the creds.html page. We still need to create this file in order for our victim to be less suspicious of any tampering. Make sure you are still in the /var/www directory, open your favorite text editor, and type this into the new file:

Essentially, we are redirecting the victim to after they enter their credentials into our fake. This way they will be less suspicious of any issues. They will probably assume they typed their credentials into the page incorrectly.

The last part of the initial setup is to start Apache on our Kali Linux computer. Open the terminal application and type the following without quotes: “service apache2 start”

Send the meterpreter session to the background by typing the “background” command. We are going to take advantage of a post exploit module named “ie_proxypac”.
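From the defender’s side, the technique above leaves one durable artifact: the post exploit module works by pointing Internet Explorer at the attacker’s PAC file, so the value to hunt for on endpoints is an unexpected `AutoConfigURL` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`. The script below is an added example, not code from the original post or from the module; the allow-listed hostnames, the `reg query` sample and the `file://` value it carries are constructed for the example (the post does not show what value the module writes).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames allowed to serve PAC files in this hypothetical environment.
ALLOWED_PAC_HOSTS = {"wpad.corp.example", "proxy.corp.example"}

# One value line of `reg query` output: <name> <type> <data>.
_REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ|REG_DWORD)\s+(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} from the text output of `reg query`."""
    matches = (_REG_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(3).strip() for m in matches if m}


def classify_pac_url(url, allowed_hosts=ALLOWED_PAC_HOSTS):
    """Return the reasons a PAC URL looks suspicious (empty list = as expected)."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        # A PAC dropped on the local disk is the shape of a per-user hijack;
        # centrally managed PACs are fetched from a server over HTTP(S).
        return ["PAC loaded from a local file"]
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("PAC served from a raw IP address")
    except ValueError:
        pass  # a hostname, not a literal address
    if host not in allowed_hosts:
        reasons.append(f"PAC host {host!r} not in allow-list")
    return reasons


def audit(reg_output):
    """Parse one host's `reg query` output and classify its AutoConfigURL."""
    url = parse_reg_query(reg_output).get("AutoConfigURL")
    return {"autoconfig_url": url, "reasons": classify_pac_url(url) if url else []}


# Constructed sample output of:
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable      REG_DWORD    0x0
    AutoConfigURL    REG_SZ       file://C:\Users\victim\AppData\Local\Temp\proxy.pac
"""
```

Run `audit()` over the collected output of each host; a non-empty `reasons` list on a machine whose users are not expected to have a personal PAC is worth a closer look at that user’s recent sessions.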

SSTIC 2017 Wrap-Up Day #3
Here is my wrap-up for the last day. Hopefully, after yesterday’s social event, the organisers had the good idea to start later… The first set of talks was dedicated to presentations of tools.
The first slot was assigned to Florian Maury and Sébastien Mainand: “Réutilisez vos scripts d’audit avec PacketWeaver” (“Reuse your audit scripts with PacketWeaver”). When you perform audits, the same tasks come up again and again. And, as we are lazy people, Florian & Sébastien’s idea was to automate such tasks. They can be to capture a PCAP, to use another tool like arpspoof, to modify packets using Scapy, etc. The chain can quickly become complex. By automating, it is also easier to deploy a proof-of-concept or a demonstration. The tool uses a Metasploit-like interface. You select your modules and execute them, but you can also chain them: the output of script1 is used as input of script2. The available modules are classified by ISO layer:
app_l7
datalink_l2
network_l3
phy_l1
transport_l4
The tool is available here.
The second slot was about “cpu_rec.py”. This tool has been developed to help in the recognition of architectures in binary files. A binary file contains instructions to be executed by a CPU (like ELF or PE files), but not only files: it is also interesting to recognise firmware or memory dumps. At the moment, cpu_rec.py recognises 72 types of architectures. The tool is available here.
And we continued with another tool using machine learning: “Le Machine Learning confronté aux contraintes opérationnelles des systèmes de détection” (“Machine learning confronted with the operational constraints of detection systems”), presented by Anaël Bonneton and Antoine Husson. The purpose is to detect intrusions based on machine learning. The classic approach is to work with systems based on signatures (like IDS). Those rules are developed by experts but can quickly become obsolete for detecting newer attacks. Can machine learning help? Anaël and Antoine explained the tool that they developed (“SecuML”) but also the process associated with it. Indeed, the tool must first be used in a learning phase on samples. The principle is to use a “classifier” that takes files as input (PDF, PE, …) and returns the conclusion as output (malicious or not malicious). The tool is based on the scikit-learn Python library and is also available here.
Then Eric Leblond came on stage to talk about… Suricata, of course! His talk title was “À la recherche du méchant perdu” (“In search of the lost bad guy”). Suricata is a well-known IDS solution that doesn’t need to be presented. This time, Eric explained a new feature that has been introduced in Suricata 4.0: a new “target” keyword is available in the JSON output. The idea arose during a blue team / red team exercise. The challenge of the blue team was to detect attackers, and it was discovered that it’s not so easy. With classic rules, the source of the attack is usually the source of the flow, but that’s not always the case. A good example is a web server returning a 4xx or 5xx error: in this case, the attacker is the destination. The goal of the new keyword is to produce better graphs to visualise attacks. This patch must still be approved and merged into the code. It will also require updating the rules.
The next talk was the only one in English: “Deploying TLS 1.3: the great, the good and the bad: Improving the encrypted web, one round-trip at a time” by Filippo Valsorda & Nick Sullivan. After a brief review of the TLS 1.2 protocol, the new version was reviewed. You must know that, while TLS 1.0, 1.1 and 1.2 were very close to each other, TLS 1.3 is a big jump! Many changes in the implementation were reviewed. If you’re interested, here is a link to the specifications of the new protocol.
After a talk about crypto, we switched immediately to another domain which also uses a lot of abbreviations: telecommunications. The presentation was given by Olivier Le Moal, Patrick Ventuzelo and Thomas Coudray and was called “Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone”. VoLTE means “Voice over LTE” and is based on VoIP protocols like SIP. This protocol is already implemented by many operators around the world and, if your mobile phone is compatible, allows you to make better calls. But the speakers also found some nasty stuff. They explained how VoLTE works but also how it can leak the position (geolocation) of your contact just by sending a SIP “INVITE” request.
To complete the first half-day, a funny presentation was given about drones. For many companies, drones are seen as evil stuff and must be prohibited from flying over some places. The goal of the presented tool is just to prevent drones from flying over a specific place and (maybe) spying. There are already solutions for this: DroneWatch, eagles, DroneDefender or SkyJack. What’s new with DroneJack? It focuses on drones communicating via Wi-Fi (like the Parrot models). Basically, a drone is a flying access point. It is possible to detect them based on their SSIDs and MAC addresses using a simple airodump-ng. Based on the signal, it is also possible to estimate how far away the drone is flying. As the technologies are based on Wi-Fi, there is nothing brand new. If you are interested, the research is available here.
When you have had lunch, what do you usually do? You brush your teeth. Normally, it’s not dangerous, but if your toothbrush is connected, it can be worse! Axelle Apvrille presented her research about a connected toothbrush provided by a health insurance company in the USA. The device is connected to a smartphone using a BTLE connection and exchanges a lot of data. Of course, without any authentication or any other security control. The toothbrush even continues to expose its MAC address via Bluetooth all the time (you have to remove the battery to turn it off). Axelle did not attack the device itself but reversed the mobile application and the protocol used to communicate between the phone and the brush. She wrote a small tool to communicate with the brush. But she also wrote an application to simulate a rogue device and communicate with the mobile phone. The next step was of course to analyse the communication between the mobile app and the cloud provided by the health insurance. She found many vulnerabilities that led to the download of private data (up to pictures of kids!). When she reported the vulnerability, her account was just closed by the company! Big fail! If you pay less for your insurance by brushing your teeth correctly, it’s possible to send fake data to get a nice discount. Excellent presentation from Axelle…
To close the event, the ANSSI came on stage to present a post-incident review of the major security breach that affected the French TV channel TV5 in 2015. Just to remind you, the channel was completely compromised, up to affecting the broadcast of programs for several days. The presentation was excellent for everybody interested in forensic investigation and incident handling. In the first part, the timeline of all events that led to the full compromise was reviewed. To summarise, the overall security level of TV5 was very poor and nothing fancy was used to attack them: contractor’s credentials used, lack of segmentation, default credentials, an RDP server exposed on the Internet, etc. An interesting fact was the deletion of the firmware on switches and routers, which prevented them from rebooting properly and caused a major DoS. They also deleted VMs. The second part of the presentation was used to explain all the weaknesses and how to improve / fix them. It was an awesome presentation!
My first edition of SSTIC is now over but I hope not the last one!
[The post SSTIC 2017 Wrap-Up Day #3 has been first published on /dev/random]
from Xavier