This is a bash script to automate 'Manning in the Middle' to 'pwn' whoever it can, via giving them a "Fake Update" screen. The attack is transparent (allowing the target to afterwards surf the inter-webs once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!), VNC (remote desktop) or whatever the attacker wishes to use.
Watch video on-line:
Download video: http://download.g0tmi1k.com/videos_archive/metasploit-FakeUpdate_v0.1.mp4
- Sets up a DHCP and web server.
- Creates an exploit with Metasploit.
- Waits for the target to connect, download and run the exploit.
- Once successfully exploited it grants access to allow the target to surf the inter-webs.
- Uploads a backdoor; SBD or VNC, via the exploit.
- The attacker has the option to run a few 'sniffing' programs (from the dnsiff suite) to watch what the target does!
- A network with client
- An Internet connection (though you could modify it so its non transparent)
- dhcpd3, apache, Metasploit, dnsiff suite --- All on BackTrack
- The script! metasploit-fakeUpdate[v0.1.4].tar.gz (489 KB, SHA1: aac4554f2d09e2a3f1b1061abe3759d445771b5e)
Whats in the tar.gz?
- metasploit-fakeUpdate.sh --- Bash script
- www/index.php --- The page the target is forced to see before they have access to the Internet.
- www/sbd.exe --- SBD Backdoor
- www/winvnc.exe, vnchooks.dll, vnc.reg --- VNC Backdoor
- www/Linux.jpg, OSX.jpg, Windows.jpg --- OS Pictures
- www/favicon.ico, animated_favicon1.gif --- FavIcons
How to use it?
- Extract the tar.gz file (via
tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz).
- Copy the "www" folder to /var/www (
cp www/* /var/www/)
- Make sure to "Start Network" and to have an IP address. (via
dhclient [Internet Interface])
- Edit metasploit-fakeupdate.sh with your "internet"interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
- bash metasploit-fakeupdate.sh (don't forget to be in the correct folder!)
- Wait for a connection...
- ...Game Over.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
- Based on fakeAP_pwn.
- The video uses metasploit-fakeUpdate.sh v0.1
- It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
- I'm running BackTrack 4 Final in VM, The target is running Windows XP Pro SP3 (fully up-to-date 2010-05-13), with no firewall and no AV.
- The connection is reversed - so the connection comes from the target to the attacker, therefore, as the attacker is the server, it could help out with firewalls...
- As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX... but its taken me this long to update it - so don't hold your breath!
Song: DJ Mummy vs Sean Paul - Nuttin No Go So (Bubbling Remix)
Video length: 3:20
Capture length: 7:59
Blog Post: https://blog.g0tmi1k.com/2010/06/script-video-metasploit-fakeupdate/
- [+] Added arguments
- [+] Can detect and uses broadcast address if needed
- [+] Checks for superuser
- [+] Checks interfaces/paths/files exists
- [+] Randomizes ports each time
- [+] Reversed the VNC connection
- [+] Stops and removes any existent backdoors
- [+] Stops any services and/or programs currently running
- [+] Uses “msfencode” - to prevent detection
- [+] Webpage now has a "favicon"
- [>] Fix a few minor features - Couple of silly typos
- [>] General code improvements
- [>] Improved "clean up" code
- [>] Improved checking the targets IP Address
- [>] Renamed the backdoor files
- [>] Renamed the output windows
- [>] Updated the help message
- [>] Waits a little bit longer in places
- [+] Fix Gateway Bug
- [+] Checks for other index files. And acts on it.
- [+] Checks to make sure user copied www/. Else acts on it.
- [+] Added more tools to "extra".
- [+] Added extra settings
- [>] Aligned the output windows
- [>] General code improvements
- [>] Improved debug info
- [>] "Started" work on allow a custom backdoor Needs more work - Removed Linux/OSX was confusing people
- [+] First public release