Archive for the ‘Client Side Attacks’ Category

Hacking Beyond The Browser with BeEF (Robbing Your Wireless Keys)

March 11, 2012

Pauldotcom has a very interesting post on “Retrieving Clear Text Wireless Keys from Compromised Systems” at http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html

As mentioned in the post, this works on Windows Vista and 7.

I have written a BeEF module called “Get Wireless Keys” which automates the process of robbing the victim of the wireless keys using a signed Java applet.

Follow the steps listed on https://github.com/beefproject/beef/wiki/BeEF-and-Backtrack-5 in order to download BeEF. My module is now available in the repo.

If you are new to BeEF, you can find some video tutorials here: https://github.com/beefproject/beef/wiki

This will act as a bridge to allow hacking beyond the browser, as you will easily be able to compromise other systems in the network once you connect to the victim’s wireless networks using the stolen wireless keys on your computer.

Upon launching the module against the victim, the victim will get a popup on his browser.  The victim would need to click “Run” in order for this to work.

You will see the below output in the BeEF console. This means that the victim has executed the Java applet and the applet has returned some results.

In the below screenshot, the wireless profiles on the victim’s computer have been saved to /pentest/web/beef/exported_wlan_profiles.xml

The next thing we need to do is to import the wireless profiles into your Windows Vista/7 computer.

You should be able to connect to the wireless networks that have been saved on the victim’s computer without any password prompts.

You might want to use this module together with the “get physical location” module that I have written to identify the actual location of the wireless access point that the victim uses in his home or office.

That is, if you are within close proximity to the victim. If not, this module is useless to you.

Alternatively, you could mass mail all email addresses that you can find that belong to a domain with the link to BeEF.

If you are using pre-shared keys instead of WPA/WPA2 Enterprise in your organisation, then all you need is one person in the organization to click Run on the Java applet popup to get pwned.

Please feel free to leave me your comments or follow me on twitter at @keith55.

BeEF module for Geolocation Tracking (via Wireless Access Points)

February 25, 2012

I have ported my code over to BeEF #beefproject http://beefproject.com/. My module is not in the repository yet.

1. Meanwhile, you can download the attached file, then copy and extract the files to /pentest/web/beef/modules/host/. After that, you should be able to access the module in BeEF as shown in the below screenshot.

2. The user will receive the below popup in their web browser. You can change the name of the Java applet to something more discreet than what I have named it.

Within seconds, you should be able to get the geolocation of the remote user.

You can download the BeEF module via one of the below links if you do not want to wait for it to be committed to the repository.

https://www2.dropbox.com/sh/cxpafqhpscszfoe/8bGfta5G5W/get_physical_location.zip

I will be doing a write up about the things I learn about writing BeEF module with Java applet integration in the next couple of days.

I hope it can help other people who are just getting started with BeEF development.

Let me know if you have any suggestions. Thanks!

Geolocation via Wireless Access Points

February 23, 2012

I was looking online for scripts on determining geolocation via BSSID. Many of the scripts were based on the Skyhook API, which were broken due to changes in the API. The “Share Location” function by Google seems like an excellent alternative, and it is very accurate unless you live in the middle of the desert.

Using Tamper This (Firefox add-on), I am able to find out the information that is passed to Google. Yes, I was too lazy to look up Google’s geolocation APIs.

It seems that the browser is passing information about neighboring wireless access points to Google.

The information passed to Google includes the BSSID, SSID and RSSI (Received Signal Strength Index) of the access points.

Using this information, Google is able to pinpoint your location accurately.

Sometimes it is useful to find out an accurate location of a remote target, especially when geolocation identification using an IP address is vague.

We can hide and run this inside a Java applet. No one clicks Run on a Java applet, right?

Currently, the applet outputs the below information to the Java console. It can be modified to send the information to a remote location instead.

What the applet does is run the below system commands to gather information about the access points and pass it to Google so that we can determine your geolocation accurately.

Below are the system commands that are called by the Java applet to gather the information required.

1. Windows

netsh wlan show networks mode=bssid

2. Mac

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

The applet works on a Mac / Windows OS for now.
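Both BeEF modules described above (the wireless key export and this BSSID geolocation applet) rely on a browser-launched Java applet spawning netsh on Windows or airport on a Mac. As an added example from the defender's side, not code from the posts or from BeEF, here is detection logic run over constructed process-creation events that flags those command lines and raises the severity when the parent is a Java plugin process or browser plugin host. The event shape, file paths and parent process names are assumptions made for the example.

```python
import re

# Constructed process-creation events (hypothetical, simplified Sysmon
# Event ID 1 shape used only for this example).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": "netsh wlan show networks mode=bssid"},
    {"parent": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": r"netsh wlan export profile folder=C:\Users\Public"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh wlan show networks mode=bssid"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "netsh interface ip show config"},
    {"parent": "/Applications/Firefox.app/Contents/MacOS/plugin-container",
     "cmdline": "airport -s"},
]

# The commands the applets in the posts above run: BSSID enumeration and
# profile export via netsh on Windows, airport -s on macOS.
WIFI_RECON = re.compile(
    r"(?:^|\s)netsh\s+wlan\s+(?:show\s+networks|export\s+profile)\b"
    r"|(?:^|/)airport\s+-s\b", re.IGNORECASE)
# Parents that mean the command came out of a browser session (Java plugin
# JVM or browser plugin host) rather than an interactive user or admin tool.
BROWSER_PARENTS = re.compile(
    r"(?:java|javaw)\.exe$|plugin-container$|jp2launcher", re.IGNORECASE)

def classify(event):
    """Return None, or (severity, reason) when the event matches."""
    m = WIFI_RECON.search(event["cmdline"])
    if not m:
        return None
    what = m.group(0).strip()
    if BROWSER_PARENTS.search(event["parent"]):
        return ("high", "wifi recon/export spawned by browser plugin: " + what)
    return ("medium", "wifi recon/export from interactive process: " + what)

def scan(events):
    """Run classify() over every event; returns [(index, severity, reason)]."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] event {idx}: {why}")
```

The medium-severity path keeps legitimate administrative use of the same commands visible without treating it as a compromise.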

The below is the actual URL which retrieves the longitude and latitude based on the access point information.

https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&wifi=mac:[mac_address]|ssid:[ssid_name]|ss:[rssi]&wifi=mac:[mac_address]|ssid:[ssid_name]|ss:[rssi]

The below query string is passed to Google to retrieve the Street Address using the GPS longitude and latitude.

https://maps.google.com/maps?q=[longitude],[latitude]&iwloc=A&hl=en

This attack can be made more persistent in future by modifying the applet to install an agent remotely on the target, which then reports back to the control centre with the updated GPS location even after the user has closed the browser.

If you are starting to get paranoid over Wi-Fi, please use the good old LAN cable and disable your wireless card.
You can install the QuickJava and NoScript add-ons in Firefox to disable Java, JavaScript, Flash, Silverlight and all other goodness in your browser.

But by doing so, you will probably realize that you aren’t able to access 2/3 of the internet.

I am looking into submitting this to #beefproject in the near future once I have fixed some bugs in my #beef module. I suck at #beef.

You can download the files via this link http://flashmirrors.com/files/19vzwqlffpij9rf/getGPSLocation.zip

If you are just interested in the source file, you can get it from here http://pastebin.com/zKENyhXv

[Updated: A Windows executable version of the program has been uploaded to http://flashmirrors.com/files/0t0rjparbzcaxfc/getGPSLocationWin.zip]

XLSinjector

September 27, 2009

I have just written a new script that injects a Meterpreter shell into an Excel file.

This will speed up the pentesting process of embedding malicious VBA scripts in Excel files.

For this script to work, you will need Windows, Microsoft Excel, Perl and the Perl module Win32::OLE.

To install the Perl module Win32::OLE (take note that it is case sensitive):
C:\> cpan
cpan> install Win32::OLE

You can find my project at http://code.google.com/p/xlsinjector/

To run the script, simply type:

[If you want it to download an Excel file from the web]
C:\> perl xlsinjector.pl -u http://website/excel.xls -o 1234.xls

[If you want it to use a local Excel file. Put the Excel file in the same folder as the script]
C:\> perl xlsinjector.pl -i excel.xls -o 1234.xls

The -o argument is optional.

You can also view my demonstration video at securitytube.net

http://securitytube.net/Injecting-Meterpreter-into-Excel-files-using-XLSInjector-video.aspx

Beta release of PDFInjector

September 21, 2009

I just wrote this script, which I called PDFInjector. It’s available at http://code.google.com/p/pdfinjector/
It injects the Collab getIcon exploit available at http://milw0rm.com/exploits/9579 into any non-password protected PDFs.

You can check out the video here.

http://www.securitytube.net/Exploitation-u…t%29-video.aspx

I’m thinking of integrating it with some MITM tools for on-the-fly PDF replacement, either via iframe or normal link replacement, or integrating some email-sending functions into the script.

I have only tested this in BT4 and Windows XP. Let me know if this doesn’t work for you. Thanks!
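PDFInjector plants Collab.getIcon JavaScript into existing PDFs. As an added example from the defender's side, not PDFInjector's own code, here is a Python static check that flags the indicators such a modified PDF carries, looking through the two evasions a plain grep for “/JavaScript” misses: #xx-escaped names and FlateDecode-compressed streams. The sample PDF bytes are constructed for the example and are not a valid document.

```python
import re
import zlib

# Constructed sample (not a real document): a minimal PDF whose OpenAction
# JavaScript hides behind a #xx-escaped name and a FlateDecode stream, the
# two tricks a naive grep for "/JavaScript" misses.
JS_BODY = b"app.alert('x'); Collab.getIcon('test');"
STREAM = zlib.compress(JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + STREAM + b"\nendstream\nendobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)
# Auto-run triggers, JavaScript actions, and the Collab.getIcon call itself.
INDICATORS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"Collab.getIcon"]

def normalize_names(data):
    """Undo #xx escapes in PDF names so /J#61vaScript reads /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)

def inflate_streams(data):
    """Return the decompressed body of every stream that inflates cleanly."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed or damaged: raw view still scanned
    return out

def scan_pdf(data):
    """Sorted list of indicators found in the raw PDF or inside its streams."""
    views = [normalize_names(data)] + inflate_streams(data)
    found = set()
    for view in views:
        for ind in INDICATORS:
            # Require a delimiter after the name so /JS does not match /JSX.
            if re.search(re.escape(ind) + rb"(?![A-Za-z0-9])", view):
                found.add(ind.decode())
    return sorted(found)

if __name__ == "__main__":
    print("sample:", scan_pdf(SAMPLE_PDF))  # /JS, /JavaScript, /OpenAction, Collab.getIcon
    print("clean :", scan_pdf(CLEAN_PDF))   # []
```

Any hit on /OpenAction or /AA together with a JavaScript action is worth quarantining for a closer look; object streams and other filters are not handled here and would need the same inflate-and-rescan treatment.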
