Saturday, September 1, 2012

The curious case of the failing web vector attack

I recently decided to try experimenting with the Social Engineering Toolkit (SET) on my penetration testing network. The attack I'm trying to execute is the Java applet attack under the website attack vectors option. I am pretty sure that I have covered the basics and the obvious by having Java installed and making the appropriate changes to the SET config file. I have even tried removing and reinstalling SET. As I stated earlier in my blog, all of the machines in my test network, including BT5, are run in VirtualBox. What follows is a brief overview of the options I selected in attempting the attack and a few screenshots to help convey where I think the error is:

Attacker machine: BT5R3
SET v3.7.1

Victim machine: Windows XP SP2
Browser: Firefox v14.0.1

I use the following options in SET to try to execute my attack:
1
2
1
2
(Fill all the fields with bob or whatever)
URL to clone: www.hulu.com
2
16
443
start sendmail: no
1
fill in victim email
fill in attacker email
flag message: no
Craft Email subject
opt for html message
craft email body
~~~~~
  Press <return> to continue
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

SET then launches msfconsole and starts a handler waiting for the connection from the victim machine.

Other things I have tried: using the templates instead of cloning a site, setting the listener to port 80 instead of 443, and not using the email attack option alongside this attack. I can't think of anything else I have tried at the moment in conjunction with the attack. Here are a few screenshots of my most recent attempt.

Saturday, August 25, 2012

BT5R3 Released!

BT5R3 has been released along with some cool new tools. I upgraded yesterday, but haven't been able to test any of the new tools out yet. That is mostly because I was trying to figure out a way to fix Metasploit. I'm not sure what other problems I will run into with this upgrade, but not having Metasploit to play with was quite irritating. When you try to access the framework, the following errors are produced:

When accessing Metasploit from the desktop environment:
sh: msfconsole: command not found
sh: msfupdate: command not found
sh: msfcli: command not found

When accessing Metasploit from the command line the following errors are produced:
msfconsole: command not found
msfupdate: command not found
msfcli: command not found
I tried to figure out a solution, then I tried to find a solution. I couldn't find anything, but I didn't want to just uninstall/reinstall since that felt like defeat. Then I realized that I was just wasting my own time when I already knew that uninstalling and reinstalling Metasploit would fix my problem. I removed Metasploit, then used the installer I had previously downloaded from Rapid7's website for v4.4. The install went smoothly and I proceeded to run msfupdate afterwards. Now I'm back in business fooling around in my test environment.

So why am I writing a post about a frustrating, yet easy to solve problem? As a word of caution to those of you who, like me, frustrate easily. R3 may be the latest and greatest, but as of this posting it is not stable and doesn't mix well with R2 if you're performing an upgrade. If stability is important to you, or you don't want to spend any time fixing your BackTrack, it may be wise to wait a few more weeks before trying to upgrade to R3.

Thursday, August 9, 2012

Easy-Creds, aka the most fun you can have with a stranger's Facebook account.

No, I'm not advocating that you hack random people's Facebook accounts, but I thought the title was catchy. Easy-Creds is a really sweet bash script written by Eric Milam that utilizes other tools (e.g. ettercap and sslstrip) to capture credentials, mostly via man-in-the-middle (MITM) attacks. Normally, I would do a write-up on how to set up easy-creds for MITM. However, this week I found a well-done YouTube video on how to set up easy-creds. I like this video for two reasons. First, it exemplifies the quality that I would like to have in my videos once I am in a position to make them. Secondly, it does a terrific job of walking the viewer through the setup process.

http://www.youtube.com/watch?v=TLJOVozAaXc

The only thing I would add to this is that at approximately 4:24, when he is explaining how to fix your dhcp3-server, his advice is great, but it won't work for everyone.

When you go to update/install dhcp3 inside easy-creds, you will most likely receive an error message similar to this:

The following packages have unmet dependencies:
dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
E: Broken packages
root@bt:~#
An alternative to the solution he outlines in his video is to force an install of the exact version of dhcp3-common that apt is asking for (3.1.3-2ubuntu3.2 in the error above). One method for doing this is to use the Synaptic package manager. What follows is a short walkthrough:

apt-get install synaptic
Once Synaptic is done installing, fire it up and search for dhcp3-common. It should appear at the top of the search results. Select dhcp3-common, then click on the "Package" menu at the top of the screen and select "Force Version...". A new dialog should appear with a drop-down box. Select "3.1.3-2ubuntu3.2 (stable)", click "Force Version", and finally "Mark". Press the "Apply" button with the green check mark. When the dialog box opens, review the changes you are about to make and verify that everything is correct. Let Synaptic install the package and then close the program.
Unfortunately, you will be removing dhcp3-common, dhcp3-gtk, dhcp3-daemon, and also Wicd. In my opinion the removal of these other packages makes this a flawed solution, but one that we can fix. It is very important at this point that you do not reboot or make any sudden movements towards the power button on the front of your computer. If you do, you'll find that using the internet/networking just got a lot harder without Wicd. Open up a terminal and reinstall wicd:
apt-get install wicd
After wicd is installed, go ahead and install dhcp3-server.
apt-get install dhcp3-server
Now, when you go to add the "at0" interface in the walkthrough, your file should appear the same as it does in the video.
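The same downgrade from the command line, as an added example that is not from the original post or the video: apt-get accepts package=version, so the script below reads the version apt named in the error line quoted above, asks for dhcp3-common at that version together with dhcp3-server and wicd in one command, and then checks the end state with dpkg-query. Because wicd is named explicitly, apt will refuse the transaction rather than remove Wicd to satisfy the downgrade; if apt then complains about another dhcp3-* package, pin it to the same version the same way. The package names, version string and error line are the ones on this page; the script name pin-dhcp3.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pin dhcp3-common to the version
# apt asked for and install dhcp3-server and wicd in the same transaction.

# parse_unmet_dep: read one apt "Depends:" line, e.g.
#   dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
# and print "<package> <required-version>" (nothing if the line does not match).
parse_unmet_dep() {
    printf '%s\n' "$1" |
        sed -n 's/^ *[^ ]*: Depends: \([^ ]*\) (= \([^)]*\)).*$/\1 \2/p'
}

# build_pin_cmd PKG VERSION [EXTRA...]: print the apt-get command that
# downgrades PKG to exactly VERSION and installs EXTRA packages in the same run.
build_pin_cmd() {
    pkg=$1 ver=$2
    shift 2
    printf 'apt-get install %s=%s %s\n' "$pkg" "$ver" "$*"
}

# is_installed_at PKG VERSION: succeed only if dpkg reports PKG installed
# at exactly VERSION (-F -x: fixed string, whole line).
is_installed_at() {
    dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null |
        grep -qxF "install ok installed $2"
}

# is_installed PKG: succeed if dpkg reports PKG installed at any version.
is_installed() {
    dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null |
        grep -qxF 'install ok installed'
}

# The line apt printed in the post; paste a different one here if yours differs.
ERROR_LINE='dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed'

dep=$(parse_unmet_dep "$ERROR_LINE")
if [ -z "$dep" ]; then
    echo "could not parse a Depends: line from: $ERROR_LINE" >&2
else
    pkg=${dep%% *}
    ver=${dep#* }
    cmd=$(build_pin_cmd "$pkg" "$ver" dhcp3-server wicd)
    # Usage: sh pin-dhcp3.sh apply   (anything else only prints the plan)
    case ${1:-plan} in
        apply)
            $cmd || exit 1
            # Verify the end state instead of trusting apt's exit code alone.
            is_installed_at "$pkg" "$ver" || { echo "$pkg is not at $ver" >&2; exit 1; }
            for p in dhcp3-server wicd; do
                is_installed "$p" || { echo "$p is missing" >&2; exit 1; }
            done
            echo "ok: $pkg=$ver, dhcp3-server and wicd installed"
            ;;
        *)
            printf 'would run: %s\n' "$cmd"
            ;;
    esac
fi
```

Run it without arguments first to see the exact apt-get line it would execute, then with apply. The dpkg-query check at the end is what tells you Wicd survived, which is the step the Synaptic route makes you do by hand.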

Friday, August 3, 2012

just say no to startx

I dislike typing startx and the generic text login that BackTrack boots into. So, this is how you get rid of it:
apt-get install gdm
Next, create a blank file in the root user's home folder (/root) and save it as:
.bash_profile
Open it and add the following single line:
startx
If you are editing in nano, press ctrl+o, enter, then ctrl+x to save and exit. Keep in mind that bash reads .bash_profile for every interactive login shell, so a root login on a text console or over SSH will also attempt to run startx; if that is not what you want, leave .bash_profile alone, since gdm started from rc.local is enough to get the graphical login screen.

Now we need to edit the /etc/rc.local file. Feel free to open it with either gedit or nano and add the following:
/usr/sbin/gdm &
You're going to want to place that line before the line that says "exit 0"; the script stops at exit 0, so anything placed after it never runs. Finally, reboot your computer and rejoice in your new login screen.
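The rc.local edit done without an editor, as an added example that is not part of the original post: the function inserts the gdm line immediately before the first "exit 0", appends it if the file has no "exit 0" at all, and does nothing if the line is already there, so running the script twice cannot leave rc.local with a duplicate. The second function checks that the line really sits before "exit 0", which is the mistake the post warns about. The file path is passed in rather than hard-coded so it can be tried on a copy first; the script name gdm-rc-local.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): put "/usr/sbin/gdm &" into
# /etc/rc.local before "exit 0", idempotently, and verify the placement.

# add_before_exit FILE LINE: insert LINE immediately before the first
# "exit 0" in FILE; if FILE has no "exit 0", append LINE at the end.
add_before_exit() {
    file=$1 line=$2
    # Already present: nothing to do (rerunning the script must be harmless).
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    if grep -qx 'exit 0' "$file"; then
        awk -v ins="$line" '!done && $0 == "exit 0" { print ins; done = 1 } { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp" && printf '%s\n' "$line" >> "$tmp"
    fi
    # Write back through cat so rc.local keeps its mode and owner.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# line_before_exit FILE LINE: succeed if LINE appears in FILE before "exit 0",
# i.e. somewhere rc.local will actually execute it.
line_before_exit() {
    awk -v want="$2" '
        $0 == want     { seen = 1 }
        $0 == "exit 0" { exit (seen ? 0 : 1) }
        END            { exit (seen ? 0 : 1) }' "$1"
}

# Usage: sh gdm-rc-local.sh /etc/rc.local
if [ -n "${1:-}" ]; then
    add_before_exit "$1" '/usr/sbin/gdm &' &&
        line_before_exit "$1" '/usr/sbin/gdm &' &&
        echo "ok: gdm line is before exit 0 in $1"
fi
```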

Sunday, July 29, 2012

JRE for Google Chrome Browser in BT5R2

Chrome is pretty much my default browser for BT5R2. Despite the fact that it refuses to run as root without some tinkering, I have found it easier to operate in BT5 than Firefox. Firefox fights me at every turn when I try to get Flash Player, the JRE, or anything else running. Chrome comes with Flash Player already operational, and getting the JRE going isn't too tricky either. What follows are the commands I used in the CLI to get the JRE going:

mkdir /opt/google/chrome/plugins
cd /opt/google/chrome/plugins
ln -s /usr/local/jre1.6.0_17/lib/i386/libnpjp2.so .
Note: if you use a different JRE version or file path, make sure the last line reflects it.

Essentially, all we are doing is creating the plugins folder for the browser and then linking the JRE's browser plugin library (libnpjp2.so) into that folder; the trailing "." tells ln to create the link in the current directory. The -s switch makes a symbolic link instead of a hard link. When you're finished, don't forget to test your work by visiting this website:

http://www.java.com/en/download/testjava.jsp
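The same three commands as an added example that is not from the original post, with the check the post leaves to the Java test page: ln -s happily creates a link to a path that does not exist, and Chrome then silently ignores the dangling plugin, so the function first locates libnpjp2.so under the JRE (in lib/i386 for a 32-bit JRE, lib/amd64 for a 64-bit one) and refuses to link anything it cannot find. The JRE and plugin paths are the ones from the post; the script name link-jre.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): link the JRE's libnpjp2.so into
# Chrome's plugins directory only after confirming the plugin really exists.

# find_npjp2 JRE_DIR: print the path of libnpjp2.so under the JRE, checking
# the 32-bit and 64-bit library directories; fail if none exists.
find_npjp2() {
    for arch in i386 amd64; do
        if [ -f "$1/lib/$arch/libnpjp2.so" ]; then
            printf '%s\n' "$1/lib/$arch/libnpjp2.so"
            return 0
        fi
    done
    return 1
}

# link_java_plugin JRE_DIR PLUGIN_DIR: symlink the plugin into PLUGIN_DIR
# (created if missing) and verify the link resolves. Fails on any problem
# without creating a dangling link.
link_java_plugin() {
    jre=$1 plugdir=$2
    so=$(find_npjp2 "$jre") || { echo "no libnpjp2.so under $jre" >&2; return 1; }
    mkdir -p "$plugdir" || return 1
    ln -sf "$so" "$plugdir/libnpjp2.so" || return 1
    # -e follows the symlink: succeed only if the target is present and readable.
    [ -e "$plugdir/libnpjp2.so" ] && [ -r "$plugdir/libnpjp2.so" ]
}

# Usage (paths from the post; adjust the JRE version to what you installed):
#   sh link-jre.sh /usr/local/jre1.6.0_17 /opt/google/chrome/plugins
if [ $# -eq 2 ]; then
    link_java_plugin "$1" "$2" && echo "linked: $(readlink "$2/libnpjp2.so")"
fi
```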


Monday, July 23, 2012

Update

I reread my first post and noticed I said I would be posting how-to videos. I still plan on doing this, but at the present time I am deployed to SE Asia. My internet is unreliable at the best of times, and at the worst of times it is clogged with idiots downloading crap they don't need. I am currently running a deauth attack against my network using mdk3 to clear up the bandwidth. (On a side note, I consider it the epitome of poor etiquette to start a bunch of torrents on your PC, then leave the area and go do something else while your downloads finish. You're clogging the internet for everyone around you and not being affected by your own actions.) I suppose I could have made a video on that. Unfortunately, the other problem with living in barracks is that it is incredibly noisy in here at all times and is just not an environment that is conducive to making an instructional video. For now I am content to publish posts on how to troubleshoot various issues. You would think there would be more resources for the various issues that surround pentest programs and the BT5R2 distro itself. In my experience it is hard to find recent/relevant information. It can be difficult to dig down past the outdated forum posts from 2008 and script kiddies that think they're uber l33t for breaking their neighbor's WEP key.

Bash Scripting Revisited

I wish I could say that this script represented a leap in my skill; it doesn't. However, much like my mon0.sh script, it represents the cutting edge in functionality and laziness. I'm not sure how other people have Burp Suite set up on their BT5R2, but on mine I either have to use the GUI to navigate to the folder and double-click the jar file, or I have to use the CLI, navigate to the directory and remember the entire command line from memory. Both of these seem like too much work, so I present to you the burp.sh script.
  

#!/bin/bash
# Launch Burp Suite from any directory; change BURP_DIR when you unpack a newer version.
BURP_DIR=/root/burpsuite_v1.4.01
cd "$BURP_DIR" || exit 1
exec java -jar burpsuite_v1.4.01.jar
As with any script, don't forget to run chmod +x burp.sh to make it executable. The cd is guarded so the script stops with an error if the directory has moved instead of launching java in whatever directory you happened to be in, and exec replaces the shell with the java process so there is no leftover bash process.