Credential Harvester and DNS Spoofing Problem


Ech3l0n

First a quick hello as this is my first post on the forum, and a quick thanks for all the help I will be getting.

Here is the setup. I set up a wireless LAN: one attacker with BT5r2 and one Win7 victim PC. I use the SET Credential Harvester to set up a duplicate webpage. If I type the attack PC's IP address into the victim browser, everything works great: the first login attempt fails, the credentials are forwarded to the attack PC, and the victim PC is then presented with the real site, where I can log in.

To make the attack more convincing, I chose to use ettercap to do some DNS spoofing. So I edit the etter.dns file to send the victim PC to the attack PC when they type in site X. Now the victim can browse to said site, get redirected to the fake Credential Harvester site, and the browser address bar shows the site they typed in rather than the attack PC's IP address. Everything is good up to here.

The problem: when Credential Harvester sends the victim PC to the real site after the first login attempt, ettercap again spoofs the site and sends that second request back to the attacker. Credential Harvester has already shut down the fake site after getting the credentials, so to the victim PC it looks as if the site is down. So I have fixed the one problem of the browser bar not showing the legit site name, but in turn caused another: ettercap does not allow the victim PC to continue to the legit site.

Is there any way around this? Maybe some type of scripting I can do with ettercap, or am I re-inventing the wheel and there is already a better way to do this? I know one way is to just use ettercap with SSLstrip, but I want to specifically get this targeted attack working.

Thanks for your help,

Ech3l0n

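The redirect loop in the post above exists because the victim's resolver is handing out a LAN address for a public hostname. As an added detection example (not from the post, ettercap or SET), this Python check scans a constructed DNS answer log for exactly that mismatch; the log format, the internal-name suffixes and the sample addresses are assumptions made for the demonstration.

```python
import ipaddress

# Constructed sample of logged DNS answers, "client qname answer_ip" (no real tool's format).
SAMPLE_DNS_LOG = """\
192.168.1.20 www.example-bank.com 203.0.113.10
192.168.1.20 login.example-bank.com 192.168.1.5
192.168.1.20 intranet.corp.local 10.0.0.7
192.168.1.21 www.example-bank.com 192.168.1.5
192.168.1.21 cdn.example.net 198.51.100.4
"""

# Names that legitimately resolve to LAN addresses (assumed allow-list).
INTERNAL_SUFFIXES = (".corp.local", ".lan", ".home.arpa")

# Address space that should never be the answer for a public hostname.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10")]

def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed field
    return any(addr in net for net in LAN_NETWORKS)

def find_spoofed_answers(log_text):
    """Return (client, qname, answer) for public names answered with a LAN address.
    An etter.dns entry like the one in the post makes a public hostname resolve to
    a host on the local network; this is what that looks like in resolver logs."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].endswith(INTERNAL_SUFFIXES):
            continue
        client, qname, ip = parts
        try:
            if is_lan_address(ip):
                hits.append((client, qname, ip))
        except ValueError:
            pass  # skip malformed lines rather than crash the check
    return hits

def names_per_lan_answer(log_text):
    """Group spoofed answers by the LAN address handed out: one address answering
    for several unrelated public names points at a single spoofing host."""
    grouped = {}
    for _client, qname, ip in find_spoofed_answers(log_text):
        grouped.setdefault(ip, set()).add(qname)
    return grouped

if __name__ == "__main__":
    for client, qname, ip in find_spoofed_answers(SAMPLE_DNS_LOG):
        print(f"ALERT {client}: {qname} -> {ip} (LAN answer for public name)")
```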

I have used this technique, taken from http://www.thedr1ver.com/2011/04/credential-harvesting-with-facebook-and.html

It doesn't answer your DNS spoof question, but it gives an alternative to the problem of getting a victim to bite.

Now, obviously most people will not click on a link that looks like a random IP address. However, there are multiple ways to disguise that link. My favorite is converting the IP address into a bit.ly link. To do this, copy your external IP address and go to http://bit.ly/. Paste the external IP address and click the 'shorten' button. This will convert the link to something like http://bit.ly/900913, which looks a bit more friendly than a raw IP address. Then you can feel free to add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like:

@Phisherman123: Shooting at Fells Point Pirate Festival http://bit.ly/ysqb.

Edited by skimpniff

I have one better for you, and thank you for pointing this out. I have used this many times, but of course the link then directs the victim PC to the actual address, which then shows up in the browser bar as the IP. At this point they have not committed yet and may shy away from entering their credentials. So I added another step to this. There are dozens of dynamic DNS sites out there that are free; just as an example, you could make facebook.picserver.org and point that to the IP address Credential Harvester is on, then TinyURL that as well, and now you have a nice one-two punch that will fool most people. I tried this out on some of my tech-savvy friends and they all went for it, even knowing my devious side. I was nice and didn't do anything to them ;) As a reminder, in Credential Harvester the connect-back address should be entered as the DNS name and not the IP; this way, when they click the TinyURL, bit.ly etc. link, it will show up in the browser bar as the dynamic DNS name rather than the IP. If you put the IP in Credential Harvester, it still shows up as the IP.

Another reminder: use port forwarding, for example port 12345 points to 80 on your internal server with CH running on it. When making a TinyURL for this you have to enter the http://, so http://facebook.picserver.org:12345 = http://tinyurl.com/xyz. If you leave Credential Harvester running on 80 facing the web, it will get whacked by someone in hours if not minutes. I use this as a proof of concept when talking to my clients' staff about the importance of not opening unfamiliar mail. I leave it running at home, SSH in with my Android and send someone a link; in the past I got burned because someone ran a tool against the open port 80 and brought down the listener. It really freaks out my clients' employees to see that password pop up on my phone right in front of them, and it cuts down on virus infections because they are now scared to click on anything.

Ech3l0n

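An added example, not from the post or from any tool it names: a defender-side check for the two tell-tales the post above describes, a brand name sitting as a subdomain of an unrelated dynamic-DNS domain and a non-standard port in a web link, applied to the URL once any shortener has been expanded. The brand list and the tiny suffix table are assumptions for the demonstration; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand names the organization wants to protect (assumed list for this example).
PROTECTED_BRANDS = ("facebook", "paypal", "examplebank")

# Tiny stand-in for the Public Suffix List; a real deployment loads the full list.
PUBLIC_SUFFIXES = ("com", "net", "org", "co.uk")

def registrable_domain(host):
    """'facebook.picserver.org' -> 'picserver.org': the part someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix ("co.uk") before the single-label one
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

def lookalike_findings(url):
    """Reasons a link deserves a closer look: a protected brand riding as a subdomain
    of someone else's domain (the dynamic-DNS trick above) or a non-standard port."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    owner_label = reg.split(".")[0]
    sub_labels = host.lower().split(".")[:-len(reg.split("."))]
    findings = []
    for brand in PROTECTED_BRANDS:
        if brand == owner_label:
            continue  # the brand's own registered domain, e.g. www.facebook.com
        if any(brand in label for label in sub_labels):
            findings.append(f"'{brand}' appears as a subdomain of unrelated domain {reg}")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port} on a web link")
    return findings

if __name__ == "__main__":
    for link in ("http://facebook.picserver.org:12345", "https://www.facebook.com/login"):
        print(link, "->", lookalike_findings(link) or ["no findings"])
```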
