Wifi Router - Dns Possiblities

[shesellsseaSHELLS]

Okay guys first off to save alot of time-wasting and misunderstandings i will re-create a scenario so you can give the best possible feedback !.

SCENARIO

STEP 1: Find unsecured WIFI network or crack WEP of secured.

STEP 2: Connect to WIFI network

STEP 3: Login to Router 10.1.1.1 or any other type 198.162.1.1 doesn't matter

STEP 4: Okay here is what i mean by possibilities, Of course my main objective is to establish a remote desktop connection or be able to view files. I was thinking to do something with DNS re-direct so i can redirect all there attempts to a site of my own which would force a malware download, However this seems to be a little unethical due to the fact that creating a java-drive by will need a crypt of the trojan bla bla bla, So if anyone can think of any other methods i would greatly appreciate it.

So my final goal is to be able to have remote desktop on the other computers of the network or atleast one of them and/or view the files on there boxes.

[Infiltrator]

Clarify one thing for me, how do you want to RDP into the computers?

Via exploitation or just via normal RDP connection? (Like Start->Run->MSTSC and the IP address of the computer!)

Edited April 2, 2012 by Infiltrator

[shesellsseaSHELLS]

Well MSTSC is not really what im looking for because i dont have passwords for the computers on the network. So yeah Exploitation would be my best option, Any ideas on exploitation ?

[Infiltrator]

Well MSTSC is not really what im looking for because i dont have passwords for the computers on the network. So yeah Exploitation would be my best option, Any ideas on exploitation ?

Well, suppose you are already authenticated to the wireless network, next thing you could do is use NMAP to scan the network for live machines and then use Metasploit to exploit your target machine. If you haven't used Metasploit before, I recommend watching the videos at securitytube.net, as well as getting your hands on the Metasploit book, by Jim O'Gorman, David Kennedy and Devon Kearns.

[shesellsseaSHELLS]

I had assumed this to be one method of exploitation (metasploit) However, Metasploit in my past has been VERY unethical for gaining Remote desktop. I use metasploit in a VM instance of Backtrack but i always have technical difficulties, i do find trojan tools alot more simple with client and server (SCRIPT-KIDDIE) i know lol but do you know much on private encryption of exe files ? Because i could then DNS poison all computers on network to a JAVA DRIVE BY DOWNLOAD

[Infiltrator]

do you know much on private encryption of exe files ?

Metasploit has a built in encoder that allows you to do just that, so that way you can evade AVs detection. I know there are other ways, but I will need to research into that!

[bobbyb1980]

I actually started another thread that touches on this subject. As mentioned in the other thread, many routers come with DNS servers hardcoded into the firmware, so for this attack to work you'll have to find one that doesn't (you should be able to edit /etc/resolv.conf on the pineapple to do this).

It sounds like you'd want to reroute traffic to a page that will somehow get you a meterpreter shell, be it java applet attack or browser exploit etc.

Once you get an open meterpreter shell carrying out your attack should be fairly painless from here, but getting axx to RDP especially from over the internet may be quite difficult without having the respective ports forwarded.

[Infiltrator]

Once you get an open meterpreter shell carrying out your attack should be fairly painless from here, but getting axx to RDP especially from over the internet may be quite difficult without having the respective ports forwarded.

Another possibility, would be to setup a reserve TCP connection, once you get a meterpreter shell, you could dump the hashes or create an user account with admin privileges and from there, you could RDP into the compromised host. You will also need port forwarding enabled on your router, if you plan on doing this from the internet.

Just throwing some ideas.

Edited April 2, 2012 by Infiltrator

[bobbyb1980]

Although I've never done it personally, I've read several articles about people who want to accomplish the same net result (GUI) but instead use VNC and SSH to accomplish it. They used the metasploit VNC payloads and got the victim to vnc out via SSH to a remote server. The attacker then connects to the same server and I believe this eliminates the need to port forward. Or something like that : P

[Infiltrator]

Although I've never done it personally, I've read several articles about people who want to accomplish the same net result (GUI) but instead use VNC and SSH to accomplish it. They used the metasploit VNC payloads and got the victim to vnc out via SSH to a remote server. The attacker then connects to the same server and I believe this eliminates the need to port forward. Or something like that : P

If the victim is behind NAT, it would be difficult to penetrate through the firewall, but in situations like this a reverse_TCP_connection would be the way to go. The attacker machine will need to have its port forwarded on the router.