Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3622179
Download video: http://www.mediafire.com/?kz0zyde3gjt
Download Script (metasploit-fakeUpdate[v0.1.4].tar.gz): http://www.mediafire.com/?gjzzzmzztmz
What is this?
This is a bash script to automate a 'Man in the Middle' attack to 'pwn' whoever it can, by giving them a "Fake Update" screen. The attack is transparent (allowing the target to surf the inter-webs afterwards, once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!), VNC (remote desktop) or whatever the attacker wishes to use.
How does this work?
> Sets up a DHCP and web server
> Creates an exploit with metasploit.
> Waits for the target to connect, download and run the exploit.
> Once successfully exploited it grants access to allow the target to surf the inter-webs.
> Uploads a backdoor; SBD or VNC, via the exploit
> The attacker has the option to run a few 'sniffing' programs (from the dsniff suite) to watch what the target does!
What do I need?
> A network with a client
> An Internet connection (though you could modify it so it's non-transparent)
> dhcpd3, apache, metasploit, dsniff suite --- All on BackTrack
> The script! metasploit-fakeUpdate[v0.1.4].tar.gz (489 KB, SHA1: aac4554f2d09e2a3f1b1061abe3759d445771b5e)
Whats in the tar.gz?
> metasploit-fakeUpdate.sh --- Bash script
> www/index.php --- The page the target is forced to see before they have access to the Internet.
> www/sbd.exe --- SBD Backdoor
> www/winvnc.exe, vnchooks.dll, vnc.reg --- VNC Backdoor
> www/Linux.jpg, OSX.jpg, Windows.jpg --- OS Pictures
> www/favicon.ico, animated_favicon1.gif --- FavIcons
How to use it?
1.) Extract the tar.gz file (via tar zxf metasploit-fakeUpdate[v0.1.4].tar.gz).
2.) Copy the "www" folder to /var/www (cp www/* /var/www/)
3.) Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
4.) Edit metasploit-fakeUpdate.sh with your "internet" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
5.) bash metasploit-fakeUpdate.sh (don't forget to be in the correct folder!)
6.) Wait for a connection...
7.) ...Game Over.
Commands:
tar zxf metasploit-fakeUpdate\[v0.1.4\].tar.gz
cd metasploit-fakeUpdate\[v0.1.4\]
cp www/* /var/www
ifconfig
kate metasploit-fakeUpdate.sh
bash metasploit-fakeUpdate.sh
Notes:
- Based on fakeAP_pwn.
- The video uses metasploit-fakeUpdate.sh v0.1
- It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
- I'm running BackTrack 4 Final in a VM; the target is running Windows XP Pro SP3 (fully up-to-date 2010-05-13), with no firewall and no AV.
- The connection is reversed - so the connection comes from the target to the attacker; therefore, as the attacker is the server, it could help out with firewalls...
- As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX... but it's taken me this long to update it - so don't hold your breath!
Video length: 3:20
Capture length: 7:59
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/28364-%5Bscript%5D-%5Bvideo%5D-metasploit-fakeupdate-v0-1-1-a.html#post161838
~g0tmi1k
v0.1.4
+ Added arguments
+ Can detect and uses broadcast address if needed
+ Checks for superuser
+ Checks interfaces/paths/files exists
+ Randomizes ports each time
+ Reversed the VNC connection
+ Stops and removes any existent backdoors
+ Stops any services and/or programs currently running
+ Uses “msfencode” - to prevent detection
+ Webpage now has a "favicon"
> Fix a few minor features - Couple of silly typos
> General code improvements
> Improved "clean up" code
> Improved checking the targets IP Address
> Renamed the backdoor files
> Renamed the output windows
> Updated the help message
> Waits a little bit longer in places
v0.1.2
+ Fix Gateway Bug
+ Checks for other index files. And acts on it.
+ Checks to make sure user copied www/. Else acts on it.
+ Added more tools to "extra".
+ Added extra settings
> Aligned the output windows
> General code improvements
> Improved debug info
> "Started" work on allow a custom backdoor *Needs more work*
> "Started" work on allow a custom backdoor *Needs more work*
- Removed Linux/OSX *was confusing people*
v0.1.1
+ First public release
Thx man
now i got milk :D
metasploit-FakeUpdate - Updated to v0.1.2
+ Fix Gateway Bug
+ Checks for other index files. And acts on it.
+ Checks to make sure user copied www/. Else acts on it.
+ Added more tools to "extra".
+ Added extra settings
> Improved debug info
> Aligned the output windows
> "Started" work on allow a custom backdoor (Needs more work)
> Improved the code/Clean it up.
- Removed Linux/OSX - was confusing people
very nice =) thks!
Very well done.
metasploit-fakeUpdate - Updated to v0.1.3
+ Works again ;) *Couple of silly typos*
+ Now checks for existent backdoors (kills and removes them!)
+ Added favicons
+ Randomizes ports
> Cleans up after VNC payload
> Updated the VNC payload
> Renamed backdoor files
> Renamed a couple of output windows
It works like a charm...
Thanks for this gr8 script. We w8 for more
Keep it up
I'm very happy to read that. A new beta update will be great. I found some more problems; maybe they could be helpful for you. TightVNC doesn't refresh the screen sometimes; you need to minimize the screen to see it, like another screen capture. I don't know if it's the connection speed or what, but it happens.
And another thing: today in a wifi LAN I can't launch the sbd to the victim. Is it necessary, when I choose the IP to attack, for it to be offline? Do I need to type the IP to attack before he or she connects to the router?
Thx for your great work g0tmi1k !!!
Great script. I've got milk!
Could there be a VNC shell w/ mouse and keyboard disabled... for spying?
Also, does it DNS spoof just the first site the user goes to? I noticed if a user exits the browser when bumped to the malicious website, and opens it again only to go to a different website, he could evade the DNS/ARP spoof, right?
@x
Try the new beta release - I've spent a bit of time on VNC, it may be better for you now...
Though it sounds like it's a setting in TightVNC - which I'll look into for beta3
Okay, a few things:
> So VNC works when SBD doesn't?
> So you're running the script, using an IP address that isn't connected, THEN they connect? I haven't done this myself, and I guess it depends on the router/client.
thanks for the thanks btw! (=
@тσσ ∂яυик тσ нα¢к
The client shouldn't have to reconnect, it should be able to work when you run it...
and yes, there is an "All IP" feature - it uses the broadcast address! Which I believe will also do "new clients".
@Elliot
Thanks for the thanks! (=
Okay, I'll see what I can do for the no mouse/keyboard (view only) for beta3
It SHOULD spoof it for ALL websites!
It will only give them full access AFTER they have downloaded AND run the exploit/payload.
Thanks for the beta. Will test it asap and I will tell you
It worked like a charm. I pressed "Enter" in the Target IP and it worked well.
I'm going to try the "new clients" feature to see if it's working
It worked gr8. I tested beta2 for sbd, not with vnc. I will test the vnc reverse and I'll inform.
g0tmi1k this version kicks ass ;-)
@тσσ ∂яυик тσ нα¢к
Thank you very much for trying out the beta! I'm very glad that it's working for you! (=
If something doesn't work OR you think it's missing something - just say!
@x
Again, I don't think its being Spanish affects it.
Trying to visit 192.168.1.5 (the client!) isn't going to work, unless it's running a web server, as this is its own IP, not BackTrack's!
Right, can each PC ping the other? Can both surf to google.com (make sure it's not using cache)?
When the target tries and visits a site, does DNSspoof try and fake it?
On the target's PC, what does the ARP table look like?
(start -> run -> cmd -> arp). Is the MAC address the same for the attacker and the router?
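The ARP-table check suggested in the reply above, written out as a small defender-side script. This is an added example, not part of the original post or the metasploit-fakeUpdate script: it parses Windows `arp -a` output (the sample below is constructed, not captured from anyone's lab), and flags any host whose MAC address matches the default gateway's, which is exactly what ARP poisoning leaves behind on the target.

```python
"""Flag ARP-cache entries that share a MAC address with the default gateway."""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on Windows XP (not from the page's lab).
SAMPLE_ARP_A = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.7           00-11-22-33-44-55     dynamic
  192.168.1.9           aa-bb-cc-dd-ee-ff     dynamic
"""

# One cache row: IPv4 address, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            table[ip] = mac.lower().replace("-", ":")
    return table


def find_gateway_mac_clones(table, gateway_ip):
    """IPs (other than the gateway itself) that claim the gateway's MAC address."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


def find_shared_macs(table):
    """General check: every MAC that is claimed by more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    cache = parse_arp_table(SAMPLE_ARP_A)
    print("hosts sharing the gateway MAC:", find_gateway_mac_clones(cache, "192.168.1.1"))
```

A shared MAC is a strong signal but not proof: a router that answers for several addresses, or a virtualisation host, can legitimately produce the same picture, so confirm against the gateway's known hardware address before acting on it.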
Hi g0tmi1k. It's incredible, but the payload for Windows WORKS in Linux (at least BackTrack) with Wine activated.
By mistake I double clicked on the .EXE (in Linux), and got a meterpreter.
Another idea. Because, I suppose, it will be used 90% of the time in Wi-Fi networks, the best thing to do with the initial parameters would be to set "gatewayInterface" to wlan0.
I agree with the wlan0, but as I saw there will be a -i parameter in the prog in the next releases. So all ok. I want to suggest to you, apart from the encoded meterpreter payload, the process injection into notepad/explorer or something that is running. Is it possible in the fakeupdate?
thx for Post
with the firewall of XP enabled I can upload vnc but it doesn't run. If I disable the XP firewall I can run vnc ok. Any suggestion to attack a PC with firewall enabled?
Last question. When I upload and run vnc successfully all is ok, but when the PC restarts no vnc session can be opened. Any suggestion for this problem?
Thx g0tmi1k.
Nice work :D
Great.
But I would prefer ettercap.
Anyway great job, congratulations.
clshack.
@тσσ ∂яυик тσ нα¢к
Yep, beta2 has got "auto-add new clients as victims in arp poisoning/spoofing"
@x
Try and empty the FireFox cache, and then press Ctrl + F5 to remove the "application/x-trash" thing.
Must I change my wlan MAC with macchanger to emulate the router MAC? Nope
Is it important that antivirus and firewall are disabled on the target PC? Yes. In my lab, I don't have either, but with the new beta release, it SHOULD bypass AV, not sure about firewalls
When the sh asks me to enter the target IP, must I type the PC IP or the router IP? The target's IP, the PC IP. NOT THE ROUTER
@DarknessTux
Thanks for the heads up about WINE, though not all Linux PCs have it - I did start a while back coding it for Linux (and OSX)
About wlan0 as the default... in my lab it's eth0, and that's how I release it - it's up to each user to make it fit their needs. (and if they can't figure out where to edit the script, they shouldn't be allowed to use it!)
@тσσ ∂яυик тσ нα¢к
See above about the wlan0.
-i = It's something which has been on the ToDo list since v0.1, I just haven't had the time to do it. If someone else wants to help out - please do so! (=
In beta2 - it does encode now!
@x
If you're using beta2 - it SHOULD encode it now, which bypasses AV - well it did for me, and AVG free!
@shio
Thanks for the thanks!
@x
Simply no. I have no idea about getting it to bypass firewalls - again, in my lab I don't have them.
Saying that... What OS are you running? What version? What firewall?
It doesn't run at start up! Add it! Either via the registry OR the start up folder or any other method! (e.g. setting it as a service)
@clshack
Thanks for the thanks
Personally, I really don't like ettercap that much.
metasploit-fakeUpdate - v0.1.4
+ Added arguments
+ Can detect and uses broadcast address if needed
+ Makes sure it's run with root access
+ Randomizes ports each time
+ Reversed the VNC connection
+ Stops and removes any existent backdoors
+ Stops any services and/or programs currently running
+ Uses “msfencode” - to prevent detection
+ Webpage now has a "favicon"
> Fix a few minor features - Couple of silly typos
> General Code improvements + Clean up + Comments
> Improved "clean up" code
> Improved checking the targets IP Address
> Renamed the backdoor files
> Renamed the output windows
> Updated the help message
> Waits a little bit longer in places
Download: http://www.mediafire.com/?mdgzmmzjmzn
I use Windows XP SP3 with the XP firewall. Most people use this firewall, and I don't know how to bypass this firewall, kill it, or make a DOS to this service. Anyone could help me?
@x
maybe you can try to make a batch file that disables the firewall and Windows notifications, then compile it into an exe and bind it to the payload. Like this, when the victim executes it, it would disable the firewall and Windows security center notifications and run the payload. Search on the Micro$oft website for conficker, I know that it does that. Or I can do it for you.
For me the script doesn't work, it doesn't auto-redirect the victim to the fake update download page and when I type 'http://192.168.2.14/index.php' I can get the page, but when I click 'download update' it really brings me to the MS update website lol.
@x
I've been working on a beta release... and found a way/method to disable it (using metasploit).
@Raphaël
It sounds like a DNS fault.
I've had "problems" with this in the past.
Again, this will be fixed when the next version is out.
and to fix the download, try: http://192.168.2.14/Windows-KB183905-x86-ENU.exe
Once fakeAP_pwn v0.3 is out, I'm going to work on this. (=
heeey he asks me about the IP address
[>] Target address?:
i wanna make it like this 10.0.0.1 to 10.0.0.252
how????
Thx...
@EsLaMxBoSS
I'm not sure what you mean...
You should be able to type in the IP address you wish to target...
I mean
my network has 30 PCs starting from 10.0.0.1 to 10.0.0.30
so i wanna target all PCs, not type 1 IP
@EsLaMxBoSS
This script doesn't support this.
i did everything in the tut... i see waiting to connect on my BT4 machine, but neither windows 7 nor windows xp are responding to the exploit... it's surfing as usual. and yes i made sure i was putting in the correct ip address of the victim pc in my test lab
update: got it working like everyone else i see that has problems. it just asks me to download a 1kb file that doesn't open in anything. but when going to http://IP address/Windows-KB183905-x86-ENU.exe the exploit works fine, so good job on that part. just can't get the page to launch on browser opening.
@christopher
This (metasploit-fakeUpdate) is out-of-date.
I'm working on a replacement script - SITM.
I'm glad you got it working in the end (how did you do it?), if you change the HTML to fit your needs that should fix the other issue.
i think you misunderstood me. it's not like i even get the browser to redirect to the correct page. as soon as i open my web browser or go to a site that's not cached, a save file dialog box opens with a 1 kb file in it that doesn't open in anything. if i go to facebook.com it'll open a file called facebook_com or something like that.
@christopher
It sounds like a misconfigured apache config file. I can remember this being an issue in another script... Right now I don't remember the "fix" for it.
However as I said before, I'm not working on this script any more, as I'm adding it into another script.
I got a problem, the script doesn't work against my windows 7 laptop, what can it be? Thanks
[*] g0tmi1k's Metasploit (Fake Update) [MFU] v0.1.4
[>] Target address?: 192.168.2.3
[>] Checking environment...
[-] Clashing file.
[>] Moved: /var/www/index.html to /var/www/index.html.OLD
[*] This is because apache loads .htm(l) before .php...
[*]...meaning the target will see something they are not meant too!
[>] Stopping services and programs...
[>] Setting up our end...
[>] Creating exploit...(Windows)
[>] Creating scripts...
[>] Starting metasploit...
[>] Starting web server...
[>] Getting the backdoor (VNC) ready...
[>] Forcing target to vist our site...
[>] Starting the "Man In The Middle" Attack...
[*] Waiting for target to connect...
Great script as always! Is there a way to bypass the AntiVirus using this script?
@Boba
You didn't say what wasn't working for you/What was happening/What you did/What should have happened/what didn't happen.
Plus as I said before (in the post just before yours), I'm not working on this script any more as I'm adding it into another script.
@Hector
Yes, manually encode a backdoor that isn't detected, then use that as the payload.
I do plan to cover this at a later date, however I need to complete the other script first.