Help needed please by a Metasploit Mac user


papasmurf

Hi - thanks in advance to any decent folk for looking at this. If anyone with knowledge can assist I'd be grateful.

I'm on Windows 8.1 and recently discovered I'd been hacked using metasploit and meterpreter. I won't go into the tedious details of it all, but my whole system is now stuffed. It will need replacement.

I am 100% certain the attack originated from a person I live with. He was hooked up to my wifi and was on the network. He occasionally had physical access to my PC. My problem is how do I prove it.

Can anyone tell me if there is any fairly failproof way of determining if these hacking tools are or were on his Mac? I did a basic check and couldn't seem to find much, however I am a mac ignoramus so unless it was listed in programs I wouldn't have found it anyhow.

I can occasionally access his Mac when he is out. I only want to determine if he was the source of the hack. I have no interest in anything else on his system.

If anyone can help me in any way at all, please let me know.

Cheers and thanks

[quote]Hi - thanks in advance to any decent folk for looking at this. If anyone with knowledge can assist I'd be grateful.

I'm on Windows 8.1 and recently discovered I'd been hacked using metasploit and meterpreter. I won't go into the tedious details of it all, but my whole system is now stuffed. It will need replacement.[/quote]

Please, go into the details. We need to know how you know that it was Metasploit and Meterpreter that were used. What evidence do you have?

What type of hack was it? What was done to the machine?

[quote]I am 100% certain the attack originated from a person I live with. He was hooked up to my wifi and was on the network. He occasionally had physical access to my PC. My problem is how do I prove it.

Can anyone tell me if there is any fairly failproof way of determining if these hacking tools are or were on his Mac? I did a basic check and couldn't seem to find much, however I am a mac ignoramus so unless it was listed in programs I wouldn't have found it anyhow.

I can occasionally access his Mac when he is out. I only want to determine if he was the source of the hack. I have no interest in anything else on his system.

If anyone can help me in any way at all, please let me know.

Cheers and thanks[/quote]

Do you have authorised or unauthorised access to his Mac?

By the sound of things, unauthorised.

You should go by what you find on your own machine - his will not tell you anything unless he took files of yours and you find them on his machine (in which case, he's a total noob).

So let's start there. So you've been hacked. What tipped you off? The thing is, when people hack a system of a specific person, they're after something they know that person has, or they just want to use the machine for their nefarious ends. Since your suspect has hardware access, the latter isn't likely to be the case (no need to hack what you can simply commandeer/ask and probably be granted to use), so he either went for the juicy bits he knew were there and knew you would keep from him, or the culprit went for something else and it probably wasn't your current suspect at all.

Hi Digininja/Cooper,

The person I lived with suddenly raised a topic of conversation that he could only have known about if he had access to my computer or had a way of directly observing me at some point. I ruled out the latter so started looking into the former. Up to this point, my laptop had been running more-or-less alright, with only a few (unrelated) issues with the touchscreen.

I ran a host of anti-malware/virus apps and I finally began to get somewhere. After a couple of days of non-stop testing, I finally dug deep enough and found the following files on my system. Some could not be deleted - the system was infected at boot level.

-Fraudtocol.hijack - registry

-uxtheme.dll - infected

-sxssrv.dll - infected

-sdwinlogon.dll - infected

-excel.exe/300 ; "E&xport to Microsoft Excel" registry key. Similar "S&end to Onenote" key

Execute unsigned ActiveX in Internet Zone

Execute unsigned ActiveX in Local Intranet Zone

Execute unsigned ActiveX in My Computer Zone

--

In addition to the ones above, Norton picked up about 10-15 separate entries for "Metasploit" and "Meterpreter". I can't individually list these files at the moment, as the laptop is with tech support. Here are a couple I wrote down:

-template_x86_windows_svc.exe (Backdoor.trojan)

-metsvc.exe (Meterpreter)

--

I also took a screenshot of the network and saw a couple of IP's "established" to my computer and/or modem that I knew nothing about.

--

I don't know what was done to the machine. Whether it was just being observed or used for some reason. No files I know of were missing. My suspicion is it was my flatmate snooping, but proving it or disproving it is where I am stuck.

Any other thoughts/ideas?

Thanks gents.

Jeez, what a complete and utter noob.

1. You don't discuss your hack with anybody, especially your target.

2. When you're done, you clean up after yourself. Removing the metsvc service is a 2-command operation and could've hidden his presence completely.

The "couple of IP's", were they network-local or internet? Remember the port number? Were either IPs used by this flatmate's machine to the best of your knowledge (donno if the local DHCP service tries to give machines the same IP all the time)? It may very well be that people he talks to every so often, these people being the possessors of those IPs, hacked you and then relayed the info. The FraudTool thing is just a bit of spyware. I'm guessing someone using your machine either directly or remotely allowed the ActiveX stuff to run and then browsed to some unsafe sites which yielded your machine that infection. If you have the meterpreter service running on your machine, there's no need for anybody to run (additional) spyware on your machine. You're pwned, their work is done.

So from where I'm sitting, you got pwned, your flatmate found out about it one way or the other and chose to keep quiet until that conversation, either to test if the info he'd gotten elsewhere was right or to show off by slyly divulging his results. Even if you found Metasploit on his Mac, it proves nothing. The browsing history of IE might tell you something about when the hack may have occurred (or at least when the spyware snuck into your machine) but it would have to be recent and for all we know so far it might've been months ago.

Your only option as I see it is to confront your flatmate and find out how he knew about that specific topic.

The question then becomes, assuming he admits it to you, then what? Since you're talking past tense I'm assuming he's no longer living in the same flat as you are. You already know for a fact he found out stuff about you and chose to not inform you directly about it ("Dude, I was playing with this hacking tool and your machine is totally vulnerable. You should update, man!" / "Dude, I overheard those computer dorks talking about you. They're saying you [....]...") so whatever happened, he's not being upfront to you about it. If you're wondering whether or not you should consider him a friend, you should have your answer to that already.

Nothing you've found will stand up in court with a clear finger pointed at your flatmate. It's all circumstantial and/or hearsay. I'd suggest you simply break off any contact. You can consider informing him about it, but that would be in the form of "I know I can't trust you and as such I never want to talk to you again. Enjoy the rest of your life, I hope it'll be short" and can be an invitation to him to seek you out. Cut your losses, learn from the experience and move on.

[quote]So from where I'm sitting, you got pwned, your flatmate found out about it one way or the other and chose to keep quiet until that conversation, either to test if the info he'd gotten elsewhere was right or to show off by slyly divulging his results. Even if you found Metasploit on his Mac, it proves nothing. The browsing history of IE might tell you something about when the hack may have occurred (or at least when the spyware snuck into your machine) but it would have to be recent and for all we know so far it might've been months ago.[/quote]

Hi Cooper,

Sorry for my delays in responding. I only have access to a computer intermittently at the moment as I organise a replacement for the one that was hacked.

Yeah I think as you say I got pwned. There is no other way it seems to me that he raises a topic out of the blue that he could only have known about if he was directly observing me one way or the other. Then I find meterpreter on my computer etc.

I confronted him about it and he denies it all. I don't believe him as I know his character. I'm evicting him at the moment.

One of the IP's connected had a remote address connecting in via local port 54829.

The other was his Mac, using a remote port 52066 connecting to local port microsoft-dns

There were various 'localhosts' established, but I presume these are no problem

I also have Wireshark logs that show his computer was consistently established to my computer. As I understand it this should not be the case? His computer should only have been connected to the modem we use, which also showed up in the DHCP list in the modem log?

Anyhow, he offered me the opportunity to scan his computer to prove it wasn't him. But correct me if I am wrong, it wouldn't be difficult to delete the offending programs. One other thing is that he uses a remote server to log into and use the internet and other programs. Beats me why the hell he does this, but he keeps saying he doesn't know much about computers, but knows enough to use a remote server for his applications.

Appreciate all your help and if there is anything else you can add, please feel free.

Thank you kindly - Papasmurf.

Could it be that your machine was acting as local DNS server for your network? Would've expected your router to do that, but who knows.... Are there perhaps any other tenants who for some reason have a need to connect to your machine?

Did you run Microsoft's DNS service on your machine? The only advisory I can quickly find that does something with that is MS07-029 which is 7 years old - I'd think you would've patched that by now. It's either benign or someone activated something evil on a typically benign service's port to hide it from you (I run my OpenSSL at home at 443 so I can access it from work via the Bastard Proxy Server From Hell).

It's a pity your wireshark logs only show him being connected. It would be a lot more useful if you captured some actual traffic there.

You could investigate his computer, but what would be the point? If I did something and got caught with mere minutes to spare, I have a stack of neodymium magnets on a shelf behind me. Applying them to the spinning rust in my machine would cause (ahem) strange behaviour on my machine ("Dude, I must've gotten hacked too. Fuckers!"). Given a bit more time (which he probably has had) I could secure the data I was going for, perform a secure wipe of the virtual machine I used for this and offer my machine, along with passwords etc where needed, up for inspection and pass with flying colors. It's effectively impossible to prove something is not there (let alone has never been there to begin with). The only way for him to prove it wasn't him is to inquire about how he discovered that topic. If he can't provide a reasonable and verifiable explanation for that there's nothing he can do to redeem himself.

In the words of George W Bush: "Fool me once, shame on.... shame on you. Fool me.... you can't get fooled again."

So, to summarise, get rid of the punk and move on. You're now spending all sorts of time on this that you could've spent doing fun, productive stuff. There is nothing to be gained here. If you were hoping to get legal proof out of either your machine or his, you should've had the police confiscate his laptop very(!) shortly after discovering that you got hacked by him to prevent any tampering. If anything was there to incriminate him, he's long since removed it. It'll cost you an arm and a leg to try and recover removed files from his laptop, assuming this is even possible (clearly he's got _some_ skill) if it was even there to begin with, and this task must be done by some professional forensics company ($$$) to get whatever is found to stand up in court. Having reached this point, it only proves it was that guy's computer that was being used. You don't have the time that the hack occurred so you can't prove he was even in the building. Like I mentioned before, it's all circumstantial. Evict the punk, learn from the experience, reinstall and get back to doing the fun, productive stuff. Life's too short...

Well my computer should not have been acting as any kind of server. The only tech link my flatmate and I should have had was that he used the same internet connection. I gave him the password so we could share it. He is the only other person living with me.

To my knowledge I never consciously ran Microsoft's DNS service on the machine. It came with windows 8 and then I upgraded to 8.1, so you would think the MS07-029 vulnerability would have been fixed when I got the machine...?

You are right, none of this would stand up in court. I have no interest in taking him to court anyways. I just want the guy out of my house ASAP, which he is dragging his feet on. And yes he is smart enough to lock down the data he got and wipe everything so he doesn't get caught.

NB: I have a couple of days of wireshark activity logged, but other than seeing his continual connecting to my machine, I don't know how to interpret the rest of it. They are not screenshots, but actual logged data in wireshark format.

Cooper thanks for your help on all this!

Windows 8 didn't even exist in '07, so yeah, I don't think you have to worry about that one.

You could consider providing the wireshark data dump for us to look at, but there's probably more in there than you're comfortable sharing, and in the case of an established Meterpreter takeover the communication between the attacker and the service will have been encrypted, so unless there's traffic going outside of this (downloading additional crap or extracting data via some other means than the Meterpreter session in unencrypted form) the best you're going to get is a time when someone somewhere did something on your machine without your permission.

Interesting point though: Look at your router's config. Check out the port forwarding section. If an outside IP has an established connection to your machine it either means your machine initiated the connection to it or alternatively it was able to initiate the connection to you which, given the port number, would need to be enabled via port forwarding to be possible.

Regardless of what you see in there, change the access codes on it and don't provide them to him. If he's into hacking so much, shutting down his internet access should be another incentive to him to GTFO, which he's more than welcome to I'm sure.

All the best in resolving this situation.

I reset the modem and password last week and it's been locked down (as much as what it can be).

I've specified two devices that can be connected only, and so far so good.

I won't bother you with the wireshark logs buddy, you've given me all the help I need.

Thanks again, I really appreciate your time.

PS

It might be true, but everything can be tampered with. Like I said previously, it's impossible to prove that something wasn't there. And if he did the smart(er) thing and used a virtual for the task, all the log would show is that he started a virtual and possibly deleted that virtual some time after. You could write a script to do the removal for you and call it 'quake'. To the log it will just seem like he started a game...

hi

If you want to find out the source of the hack, the most important thing is that you should get to know the IP. So you can use some tools like Process Explorer or netstat -an to find the established connection. Mark this address. Then log in to the router to find out the MAC and IP etc... Also you can use nmap to scan the IP to get the hostname, port, OS version..... Then... you know what to do next :) Good luck
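The netstat-then-router procedure in the post above, worked through as an added example (not the poster's data or any Metasploit code): it parses Windows `netstat -ano` text and a router DHCP lease table, both constructed samples below, and flags what a home workstation should not normally have, namely a LAN device holding an established session to it, or a public host reached on a port a browser or mail client would not use. The victim address 192.168.1.10, the flatmate's Mac at 192.168.1.23, the public stand-in 203.0.113.57, the lease-table layout and the "expected ports" set are all assumptions.

```python
"""Tie ESTABLISHED connections on the hacked Windows box to LAN devices.

Added example for this thread, not the poster's output or Metasploit code.
Sample netstat and DHCP text below are constructed; lease layouts differ per
router, so parse_leases() is an assumption about a three-column dump.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid")
Lease = namedtuple("Lease", "ip mac hostname")

# Constructed `netstat -ano` output. 192.168.1.10 is the assumed victim PC,
# 192.168.1.23 the assumed flatmate's Mac, 203.0.113.57 a stand-in public host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1204
  TCP    192.168.1.10:53        192.168.1.23:52066     ESTABLISHED     3392
  TCP    192.168.1.10:54829     203.0.113.57:4444      ESTABLISHED     3392
  TCP    192.168.1.10:51233     198.51.100.7:443       ESTABLISHED     2210
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed router DHCP lease table: IP, MAC, hostname.
DHCP_SAMPLE = """\
192.168.1.1   00:11:22:33:44:01  router
192.168.1.10  00:11:22:33:44:10  PAPASMURF-PC
192.168.1.23  00:11:22:33:44:23  flatmates-macbook
"""

# Remote ports a workstation reaches on its own (web, DNS, mail). Assumption.
EXPECTED_REMOTE_PORTS = {53, 80, 443, 587, 993, 995}

# Explicit RFC 1918 test: ipaddress's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would mislabel the public stand-in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def _endpoint(text):
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text):
    """Return every TCP row of `netstat -ano`; UDP rows have no state column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        local_ip, local_port = _endpoint(parts[1])
        remote_ip, remote_port = _endpoint(parts[2])
        conns.append(Conn(local_ip, local_port, remote_ip, remote_port, parts[3], int(parts[4])))
    return conns


def parse_leases(text):
    """Map IP -> Lease from a three-column lease dump (assumed layout)."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            leases[parts[0]] = Lease(*parts)
    return leases


def flag_connections(conns, leases):
    """Return findings for established sessions that deserve a second look."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or ipaddress.ip_address(c.remote_ip).is_loopback:
            continue
        if is_lan(c.remote_ip):
            # A LAN peer with a session into a workstation: name the device.
            lease = leases.get(c.remote_ip)
            findings.append({"kind": "lan_peer", "peer": c.remote_ip,
                             "device": lease.hostname if lease else "not in DHCP table",
                             "mac": lease.mac if lease else None,
                             "local_port": c.local_port, "remote_port": c.remote_port,
                             "pid": c.pid})
        elif c.remote_port not in EXPECTED_REMOTE_PORTS:
            # Public host on a port the user's own applications would not use.
            findings.append({"kind": "unexpected_public", "peer": c.remote_ip,
                             "device": None, "mac": None,
                             "local_port": c.local_port, "remote_port": c.remote_port,
                             "pid": c.pid})
    return findings


def pids_of_interest(findings):
    """PIDs to resolve with `tasklist /fi "PID eq <n>"` on the Windows box."""
    return sorted({f["pid"] for f in findings})


if __name__ == "__main__":
    found = flag_connections(parse_netstat(NETSTAT_SAMPLE), parse_leases(DHCP_SAMPLE))
    for f in found:
        print(f)
    print("processes to identify:", pids_of_interest(found))
```

The point of carrying the PID through is that both odd sessions in the sample belong to one process; `tasklist /fi "PID eq 3392"` then names the executable, which is what you would compare against the names Norton reported. The lease lookup only tells you which device held the address at the time of the lease dump, so take the snapshot while the session is still established, as the later reply in this thread notes.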

The hack is in the past so nothing should be showing in any of the current network connection lists.

An idea I've just had, if you still have the binaries which were reported as meterpreter, put them in a VM, run up Wireshark and see if they try to call home to anywhere. If there are reverse connections they will have an IP address to connect back to. If that is internal then it could have been your room mate, if it is external then probably not.

It depends on how you deploy Meterpreter, check back and he says he has

-metsvc.exe (Meterpreter)

Depends what the vulnerability used was, some require an exe dropped on a box. Won't be this scenario but I use it when I've got a web app with file upload and remote code exec either directly or through SQLi, upload the file then run it and have it call back home.
