Posts

BlueKeep Vulnerability - New Metasploit Exploit on Kali Linux

The much awaited BlueKeep exploit for Metasploit-Framework was made publicly available by RAPID7 only 5 days ago, so I took the opportunity to give it a try in my test environment and make a video about it. For more information about the BlueKeep vulnerability and the BlueKeep scanner module for Metasploit, please check my previous post. Check this RAPID7 blog post for more information regarding the initial release. The exploit released by RAPID7 is currently in an initial / development state and it is NOT available via the usual Kali Linux updates repository. In order to install the BlueKeep exploit, we will first perform a new Metasploit-Framework installation from the RAPID7 GitHub repository located at the following URL: https://github.com/rapid7/metasploit-framework After that we will pull in the BlueKeep exploit pull request. The following commands were used for the steps described above:

cd /opt
git clone https://github.com/rapid7/metasploit-framework.git

BlueKeep Vulnerability - Scanning using Metasploit on Kali Linux

BlueKeep is the nickname for CVE-2019-0708, the Remote Desktop Services Remote Code Execution Vulnerability. This vulnerability was disclosed by Microsoft in May 2019 and it could potentially be as disruptive as the earlier EternalBlue vulnerability. Like EternalBlue, the BlueKeep vulnerability could allow a remote attacker to completely take over a vulnerable Windows system by executing arbitrary code on the target system. Check the following links for more information regarding the BlueKeep vulnerability: Microsoft Security Bulletin CVE-2019-0708, Wikipedia, ZDNET. In this video we will use Kali Linux and the Metasploit BlueKeep scanner module to scan a vulnerable Windows 7 test workstation, then we will apply the patch provided by Microsoft and recheck. The following Metasploit commands were used:

search BlueKeep
This command lists the Metasploit modules containing the string "BlueKeep".

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
This command s

Using MITMF with SSLSTRIP and Captive Portal options

In this video we will try out a variation of the man-in-the-middle with SSLSTRIP attack that we performed previously. In MITMF, in addition to ARP spoofing and SSLSTRIP, we will also be using the Captive Portal option. Please review the videos listed below, if needed:
- Bettercap with SSLSTRIP attack - Does it still work?
- SSLSTRIP attacks with Bettercap and MITMF - HSTS and Web browsers
We saw in the previous videos that websites correctly configured for HSTS can't be attacked using SSLSTRIP. On the other hand, at this moment, a lot of websites still don't use HSTS or have HSTS incorrectly configured, which leaves those websites vulnerable to man-in-the-middle and SSLSTRIP attacks. Because it is unlikely for a user to browse ONLY correctly configured HSTS websites, an attacker can redirect the SSLSTRIP-vulnerable websites to a Captive Portal and trick the user into giving up credentials belonging to websites that can't be attacked directly (for example: social media

SSLSTRIP attacks - New Bettercap 2.x vs Old Bettercap 1.x

During my previous two SSLSTRIP videos, I preferred to use the "old" Bettercap version 1.6.2 instead of the "new" Bettercap version 2.x. Bettercap version 1.6.2 is the version currently available in the Kali Linux repository. Bettercap version 2.x can be installed from the following GitHub link: https://github.com/bettercap/bettercap In this video I will use the latest Bettercap version 2.11 to perform SSLSTRIP MITM attacks against sample HTTPS websites. These are the same websites that we tested during the previous SSLSTRIP videos:
- Bettercap with SSLSTRIP attack - Does it still work?
- SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers
Bettercap 2.x is an awesome tool, but unfortunately it seems to have a few shortcomings when it comes to SSLSTRIP. These SSLSTRIP-related issues were previously raised in the following issue: https://github.com/bettercap/bettercap/issues/154 During this video we will experien

SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers

I've decided to make a follow-up video on SSLSTRIP and man-in-the-middle attacks, in order to clarify and emphasize a few things around HSTS and Web browsers. The client Web browser version seems to be sometimes overlooked when it comes to the overall HSTS protocol. In this video we use Bettercap and different client Web browsers to simulate man-in-the-middle attacks against websites that are correctly configured for HSTS. We will see that the attacks may or may not succeed, depending on the Web browser version and capabilities. See below a list of browsers with HSTS capabilities (Reference: Wikipedia - HTTP_Strict_Transport_Security):
- Chromium and Google Chrome since version 4.0.211.0
- Firefox since version 4; with Firefox 17, Mozilla integrates a list of websites supporting HSTS.
- Opera since version 12
- Safari as of OS X Mavericks
- Internet Explorer 11 on Windows 8.1 and Windows 7 when KB 3058515 is installed
- Microsoft Edge and Internet Explorer 11 on Wind

MS17-010 Vulnerability - New EternalBlue SMB module for Metasploit - Exploiting Windows 8.1

In its July 2018 update, Metasploit released a new EternalBlue module named ms17_010_eternalblue_win8. The short description for this module reads: "MS17-010 EternalBlue SMB remote Windows Kernel Pool Corruption for Win8+". The July Metasploit update releases can be found at this link. Of course, Metasploit already had an EternalBlue module called ms17_010_eternalblue, but this older module was compatible only with Windows 7 and Windows 2008 R2 (x64). On the other hand, the new ms17_010_eternalblue_win8 is listed as being compatible with Windows 8.1, Windows 10 (selected builds) and Windows 2012 R2 (x64). Before watching my new video on exploiting Windows 8.1 with the new ms17_010_eternalblue_win8 module, you might find it useful to review my previous posts related to the EternalBlue exploit, listed below:
1. MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit
2. MS17-010 Vulnerability - EternalBlue exploit using a binary payload an

Bettercap with SSLSTRIP attack - Does it still work ?

For a long time, performing a MITM attack with SSLSTRIP was relatively easy. This situation changed after websites started using HSTS (HTTP Strict Transport Security). SSLSTRIP alone is powerless against HTTPS websites which correctly implement HSTS. On the other hand, many websites on the Internet DO NOT configure HSTS correctly. This misconfiguration still leaves them vulnerable to MITM attacks using SSLSTRIP, under particular conditions. In this video we will test Bettercap and SSLSTRIP against different categories of websites. All the tested websites use HTTPS, but they differ in the way they implement HSTS:
- The first category of websites has HSTS correctly implemented and the HSTS status for each website is also preloaded into the Internet browser. (The website's HSTS status is known by the web browser before the first access.) The test sites in the first category are: facebook.com, gmail.com and twitter.com
- The second category of websites hav