Saturday, September 1, 2012

The curious case of the failing web vector attack

I recently decided to try experimenting with the Social Engineering Toolkit (SET) on my penetration testing network. The attack I'm trying to execute is the Java applet attack under the website attack vectors option. I am pretty sure that I have covered the basics and the obvious by having Java installed and making the appropriate changes to the SET config file. I have even tried removing and reinstalling SET. As I have stated earlier in my blog, all of the machines in my test network, including BT5, are run in VirtualBox. What follows is a brief overview of the options I selected in attempting the attack and a few screenshots to help convey where I think the error is:

Attacker Machine: BT5R3
SET V3.7.1

Victim Machine:
Windows XP sp2:
Browser: Firefox v14.0.1

I use the following options in SET to try to execute my attack:
1
2
1
2
(Fill all the fields with bob or w/e)
URL to clone: www.hulu.com
2
16
443
start sendmail: no
1
fill in victim email
fill in attacker email
flag message: no
Craft Email subject
opt for html message
craft email body
~~~~~
  Press <return> to continue
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

SET then launches msfconsole and starts a handler waiting for the connection from the victim machine.

Other things I have tried: using the templates instead of cloning a site, setting the listener to port 80 instead of 443, and not using the email attack option alongside this attack. I can't think of anything else I have tried at the moment in conjunction with the attack. Here are a few screenshots of my most recent attempt.

Saturday, August 25, 2012

BT5R3 Released!

BT5R3 has been released along with some cool new tools. I upgraded yesterday, but haven't been able to test any of the new tools out yet. That is mostly because I was trying to figure out a way to fix metasploit. I'm not sure what other problems I will run into with this upgrade, but not having metasploit to play with was quite irritating. When you try to access the framework the following errors are produced:

When accessing Metasploit from the desktop environment:
sh: msfconsole: command not found
sh: msfupdate: command not found
sh: msfcli: command not found

When accessing Metasploit from the command line the following errors are produced:
msfconsole: command not found
msfupdate: command not found
msfcli: command not found
I tried to figure out a solution, then I tried to find a solution. I couldn't find anything, but I didn't want to just uninstall/reinstall since that felt like defeat. Then I realized that I was just wasting my own time when I already knew that uninstalling and reinstalling metasploit would fix my problem. I removed metasploit then used the installer I had previously downloaded from Rapid7's website for v4.4. The install went smoothly and I proceeded to run msfupdate afterwards. Now I'm back in business fooling around in my test environment.

So why am I writing a post about a frustrating, yet easy to solve, problem? As a word of caution to those of you who, like me, frustrate easily. R3 may be the latest and greatest, but as of this posting it is not stable and doesn't mix well with R2 if you're performing an upgrade. If stability is important to you, or you don't want to have to spend any time fixing your BackTrack, it may be wise to wait a few more weeks before trying to upgrade to R3.

Thursday, August 9, 2012

Easy-Creds, aka the most fun you can have with a stranger's Facebook account.

No, I'm not advocating that you hack random people's Facebook accounts, but I thought the title was catchy. Easy-Creds is a really sweet bash script written by Eric Milam that utilizes other tools (i.e. ettercap & sslstrip) to capture credentials, mostly via man-in-the-middle (MITM) attacks. Normally, I would do a write-up on how to set up easy-creds for MITM. However, this week I found a well-done YouTube video on how to set up easy-creds. I like this video for two reasons. First, it exemplifies the quality that I would like to have in my videos once I am in a position to make them. Secondly, it does a terrific job of walking the viewer through the setup process.

http://www.youtube.com/watch?v=TLJOVozAaXc

The only thing I would add to this is at approximately 4:24, when he is explaining how to fix your dhcp3-server: his advice is great, but it won't work for everyone.

When you go to update/install dhcp3 inside easy-creds you will most likely receive an error message similar to this:

The following packages have unmet dependencies:
dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
E: Broken packages
root@bt:~#
An alternative solution to the one he outlines in his video is to force an install of the version of dhcp3-common that BT5 is asking us for. One method for doing this is to use the Synaptic package manager. What follows is a short walkthrough:

apt-get install synaptic
Once Synaptic is done installing, fire it up and search for dhcp3-common. It should appear at the top of the search results. Select dhcp3-common, then click on the "Package" menu at the top of the screen. Select "Force Version..." A new menu should appear with a drop-down box. Select "3.1.3ubuntu3.2 (stable)", then click force version, and finally "Mark." Press the "Apply" button with the green check mark. When the dialog box opens up, review the changes you are about to make and verify that everything is correct. Let Synaptic install the package and then close the program.
Unfortunately, you will be removing dhcp3-common, dhcp3-gtk, dhcp3-daemon, and also Wicd. In my opinion the removal of these other packages makes this a flawed solution, but one that we can fix. It is very important at this point that you do not reboot or make any sudden movements towards the power button on the front of your computer. If you do, you'll find that using the internet/networking just got a lot harder without Wicd. Open up a terminal and reinstall wicd:
apt-get install wicd
After wicd is installed, go ahead and install dhcp3-server.
apt-get install dhcp3-server
Now, when you go to add the "at0" interface in the walk through your file should appear the same as it does in the video.

Friday, August 3, 2012

just say no to startx

I dislike startx and the generic login process in BackTrack. So, this is how you remove it:
apt-get install gdm
Next, open up your root folder and add a blank file. Save it as:
.bash_profile
Open it in nano and add the following line:
startx
Then save and exit (ctrl+o, enter, ctrl+x).

Now we need to edit the /etc/rc.local file. Feel free to open it with either gedit or nano and add the following:
/usr/sbin/gdm &
You're going to want to place that line of text before the line that says "exit 0." Finally, reboot your computer and rejoice in your new login screen.

Sunday, July 29, 2012

JRE for Google Chrome Browser in BT5R2

Chrome is pretty much my default browser for BT5R2. Despite the fact that it refuses to be run as root without some tinkering, I have found it easier to operate in BT5 than Firefox. Firefox fights me at every turn when I try to get Flash Player, JRE, or anything else running. Chrome comes with Flash Player already operational, and getting JRE going isn't too tricky either. What follows are the commands I used in the CLI to get the JRE going:

mkdir /opt/google/chrome/plugins
cd /opt/google/chrome/plugins
ln -s /usr/local/jre1.6.0_17/lib/i386/libnpjp2.so .
Note: if you use a different version of JRE or a different file path, you'll need to make sure that the last line reflects this.

Essentially, all we are doing is creating the plugins folder for the browser and then linking the JRE plugin into that folder. The "-s" switch means that we're making a symbolic link instead of a hard link. When you're finished, don't forget to test your work by visiting this website:

http://www.java.com/en/download/testjava.jsp
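The three commands above, wrapped as an added example script (not from the original post) that locates libnpjp2.so under whatever JRE directory you pass in, refuses to overwrite a real file in the plugins folder, and reports failure instead of silently creating a dangling link. The JRE and Chrome paths are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): link a JRE's libnpjp2.so into
# Chrome's plugins directory, with the checks the bare three commands lack.
# Usage: link_jre_plugin <jre_root> [chrome_dir]   (paths are assumptions)

link_jre_plugin() {
    jre_root=$1                          # e.g. /usr/local/jre1.6.0_17
    chrome_dir=${2:-/opt/google/chrome}  # Chrome install directory

    # Search for the plugin rather than hard-coding lib/i386, so a different
    # JRE version or architecture directory (amd64) still works.
    plugin=$(find "$jre_root/lib" -name libnpjp2.so 2>/dev/null | head -n 1)
    if [ -z "$plugin" ]; then
        echo "libnpjp2.so not found under $jre_root/lib" >&2
        return 1
    fi

    mkdir -p "$chrome_dir/plugins" || return 1
    target="$chrome_dir/plugins/libnpjp2.so"

    # Never clobber a real file; only (re)create a symbolic link.
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        echo "$target exists and is not a symlink; leaving it alone" >&2
        return 1
    fi
    ln -sfn "$plugin" "$target" || return 1
    echo "linked $target -> $plugin"
}

# Run only when a JRE path is given on the command line.
if [ $# -ge 1 ]; then
    link_jre_plugin "$1" "$2"
fi
```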


Monday, July 23, 2012

Update

I reread my first post and I noticed I said I would be posting how-to videos. I still plan on doing this, but at the present time I am deployed to SE Asia. My internet is unreliable at the best of times, and at the worst of times it is clogged with idiots downloading crap they don't need. I am currently running a deauth attack against my network using mdk3 to clear up the bandwidth. (On a side note, I consider it the epitome of poor etiquette to start a bunch of torrents on your PC, then leave the area and go do something else while your downloads finish. You're clogging the internet for everyone around you and not being affected by your own actions.) I suppose I could have made a video on that. Unfortunately, the other problem with living in barracks is that it is incredibly noisy in here at all times and is just not an environment that is conducive to making an instructional video. For now I am content with publishing posts on how to troubleshoot various issues. You would think there would be more resources for the various issues that surround pen test programs and the BT5R2 distro itself. In my experience it is hard to find recent/relevant information. It can be difficult to dig down past the outdated forum posts from 2008 and script kiddies that think they're uber l33t for breaking their neighbor's WEP key.

Bash Scripting Revisited

I wish I could say that this script represented a leap in my skill; it doesn't. However, much like my mon0.sh script, it represents the cutting edge in functionality and laziness. I'm not sure how other people have Burp Suite set up on their BT5R2, but on mine I either have to use the GUI to navigate to the folder and double-click the jar file, or I have to use the CLI, navigate to the directory, and remember the entire command line from memory. Both of these seem like too much work, so I present to you the burp.sh script.

#!/bin/bash
# Launch Burp Suite from its install directory (adjust the path/version to match yours).
cd /root/burpsuite_v1.4.01 || exit 1
java -jar burpsuite_v1.4.01.jar
As with any script don't forget to go back to the directory and run chmod +x to make it executable.

Wednesday, July 11, 2012

Penetration Testing Lab

Anyone aspiring to get into penetration testing/hacking, either recreationally or professionally, will realize rather quickly that they need something to practice on. Everyone solves the what-to-practice-with equation as soon as they see their friend using BackTrack or watch a tutorial video on an attack. However, if you're interested in doing more than breaking your neighbor's WEP key and telling your friends how l33t you are, you need a penetration testing lab that allows you to explore how deep the rabbit hole goes. This is where purpose-built vulnerable Linux distributions, unpatched Windows OSes, and web applications come into play. Currently, I run my penetration testing lab on VirtualBox. I use VirtualBox's internal network feature to keep my vulnerable virtual machines off of the web so I'm not vulnerable to the same kind of attacks I'm practicing. I run Metasploitable, Metasploitable 2.0, Windows XP SP3 with Mutillidae 2.1.20, OWASP Broken Web Apps, and a few different flavors of Linux.

Setting up your own network is as easy as downloading. I will provide some links at the end of this post to get you started. All you have to do is follow VirtualBox's tutorial on setting up your DHCP server, install the virtual machines, configure the network connections to the internal network, and start hacking.

Addendum:
I would like to get hold of a virtual machine with Windows XP SP2, but so far that has been difficult. The virtual machine that I run right now came on a VDI and I have been unable to roll it back to SP2. Acquiring said machine would unlock an entire range of exploits to practice that are currently unavailable to me.
Metasploitable 2.0 comes with Mutillidae; however, the version it runs is 2.1.19 and doesn't seem to be vulnerable to the attacks that it should be vulnerable to. Ironically, this makes it broken. Hence my XP machine with Mutillidae 2.1.20, which works perfectly fine.

Relevant links:
http://updates.metasploit.com/data/Metasploitable.zip.torrent
http://pirateproxy.net/torrent/7351991/Metasploitable_Linux_2.0.0
https://www.virtualbox.org/wiki/Downloads
I'll leave it to your imagination where you can acquire Windows XP.
--------
Additional Vulnerable Boxes I have been unable to get to work myself:
http://www.linux23.com/torrent/damn-vulnerable-linux-1-5:03171b19d9be4de01746e73e73781334a60df848
http://code.google.com/p/hacktooldepot/downloads/list

I have had a lot of difficulty with these boxes and so far I have not been able to get them to install properly. Not for lack of trying on my part, but the DVL machine resists the fdisk process like a fat kid avoids the rope climb in gym class. The Ultimate LAMP machine, I don't even know where to get started on why that one is broken. Ultimate LAMP appears to install properly, but I cannot get anything on it to work. It is beyond my skills and patience at this point in time. If anyone could point me in the direction of a clean download for Ultimate LAMP, I would greatly appreciate it.

Metasploit SVN propfind update error

I think this is more fallout from my last apt-get update. I've encountered this error in the past, but I didn't feel like I had the free time to fix it until today. (Days off are limited out here.)

This is what the error looks like:

svn: PROPFIND of '/svn/!svn/bc/15586/framework3/trunk/lib/gemcache/ruby/1.9.1/gems/coderay-1.0.6/lib/coderay/scanners/yaml.rb': could not connect to server (https://www.metasploit.com)

The fix is as follows. It moves the OpenSSL libraries bundled with the Metasploit installer out of the way and replaces them with symbolic links to the system copies in /usr/lib:

cd /opt/metasploit/common/lib
# back up the bundled libraries
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8-b
mv libssl.so.0.9.8 libssl.so.0.9.8-backup
# link the system libraries into their place
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8

Run msfupdate again and enjoy.

Tuesday, July 10, 2012

Enable Chrome browser in BT5R2

I am currently deployed overseas, so the posts to this blog have not come nearly as fast as I had imagined they would when I started this project. This post mostly serves as a reminder for myself on how to fix this issue the next time apt-get update updates my Chrome browser. Anyway, without further ado:

If you enjoy using BT5 and Chrome, it probably didn't take you very long to realize that the two weren't made for each other. Chrome refuses to be run as root, and well.... BT5 is all root all the time. This conflict can be overcome by making a small addition to the google-chrome file in your /usr/bin directory:
gedit /usr/bin/google-chrome

Add: --user-data-dir
To the end of the file on the last line so that it reads like this:
exec -a "$0" "$HERE/chrome" "$@" --user-data-dir
Save, close, and enjoy.
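Since a package update puts the original wrapper back, here is an added example (not from the original post) that applies the same one-line edit from a script: it appends --user-data-dir to the exec line only if it is not already there, keeps a .bak copy, and refuses to touch a wrapper whose exec line does not look like the one shown above. The wrapper path is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): add --user-data-dir to the exec
# line of the google-chrome wrapper exactly once, so the edit can be safely
# re-applied after a package update overwrites the file.
# Usage: add_user_data_dir [wrapper]   (defaults to /usr/bin/google-chrome)

add_user_data_dir() {
    wrapper=${1:-/usr/bin/google-chrome}
    flag='--user-data-dir'

    if [ ! -f "$wrapper" ]; then
        echo "$wrapper not found" >&2
        return 1
    fi
    # Already patched: stop here instead of stacking the flag again.
    if grep -q -- "$flag" "$wrapper"; then
        echo "$wrapper already contains $flag"
        return 0
    fi
    # Only edit a wrapper whose exec line matches the one we expect.
    if ! grep -q '^exec -a "\$0" "\$HERE/chrome" "\$@"' "$wrapper"; then
        echo "expected exec line not found in $wrapper; not editing" >&2
        return 1
    fi
    cp "$wrapper" "$wrapper.bak" || return 1    # keep the original around
    # Rewrite into a temp file and move it into place (portable, no sed -i).
    sed 's|^\(exec -a "\$0" "\$HERE/chrome" "\$@"\)[[:space:]]*$|\1 --user-data-dir|' \
        "$wrapper" > "$wrapper.tmp" && mv "$wrapper.tmp" "$wrapper"
}

# count_flag reports how many exec lines carry the flag (used to verify the edit).
count_flag() {
    grep -c -- '^exec .*--user-data-dir' "$1"
}

# Run only when a wrapper path is given on the command line.
if [ $# -ge 1 ]; then
    add_user_data_dir "$1"
fi
```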

Sunday, June 3, 2012

Writing a simple bash script for a mon0 interface

Recently I wrote my first bash script. While not a masterpiece by any means, I consider it an accomplishment. Bash scripting is something I have been trying to pick up since I picked up Linux. I highly recommend that if you're interested in Linux or pen-testing you try and do the same. Anyway, without any further tangents, I bring you the ./mon0.sh script.

#!/bin/bash
# Put wlan1 into monitor mode (creates mon0), then list interfaces to confirm it exists.
airmon-ng start wlan1
airmon-ng

This script starts a mon0 interface on wlan1 and then verifies that the interface was successfully created by running airmon-ng again without arguments. Why did I create this script? Because I don't like having to remember to write all that crap to get a mon0 interface up and running. This script reduces the number of characters I have to put into the terminal to start the mon0 interface and relieves me of having to remember the command lines necessary to accomplish this task. If our computers aren't working for us, then what good are they?

Here are some related links to help you get started on writing your own bash scripts:

http://linuxconfig.org/Bash_scripting_Tutorial
http://tldp.org/LDP/abs/html/index.html

New Blog

This blog is for me to track and document my progress in learning penetration testing related skills. The best way to showcase that you've learned a skill is to teach it to others. In that regard, this blog will feature a lot of how-tos. If by some miracle you happen to learn something while perusing my blog, or you think the documents I create are worthwhile, please feel free to share with your friends.