
Kevin Mitnick at CeBIT


majajobee


Basically what he did was use Metasploit to embed shellcode into any executable that downloads online. So basically he used Metasploit, and when the target downloads a file like a .exe or, in his case, a .dmg for Mac, Metasploit intercepts the download and injects shellcode into the download. I really should do a video on this myself; it's better than the Clippy method.


Basically what he did was use Metasploit to embed shellcode into any executable that downloads online. So basically he used Metasploit, and when the target downloads a file like a .exe or, in his case, a .dmg for Mac, Metasploit intercepts the download and injects shellcode into the download. I really should do a video on this myself; it's better than the Clippy method.

I would like to see you make that video for sure, but are you sure that is what he is doing? It looks to me like the Adobe site is fake, and the .dmg was premade.


I would like to see you make that video for sure, but are you sure that is what he is doing? It looks to me like the Adobe site is fake, and the .dmg was premade.

It's possible, but from what he says and I saw, and what it appears he did, is that he used Metasploit or maybe SET to intercept the download and inject a reverse_tcp into the download. I've heard of this before but I don't remember where I heard of it. Off hand I don't remember the exact tools you need to do this; I did search online but didn't find what I was looking for fast enough. Whenever I get around to feeling like looking more into it I'll try to reply back, but I'm pretty sure all he did was intercept the download, and as the file was being downloaded a Metasploit payload was injected into the download.

It works for any website download, I think, just executable files like .exe and .dmg, maybe a few other file formats.


The BeEF framework has a fake Flash update, but it serves the payload straight to the victim without sending them to an Adobe site. He is talking about using the Pineapple and doesn't mention BeEF in the talk. I think he likely took the same functionality of the BeEF injection and ported it to the Pineapple, then set up the fake site on the Pineapple to make it look legit.


I'm pretty sure he really did use a tool; I don't remember if it was Metasploit or SET that does it. Maybe it was a tool like https://github.com/secretsquirrel/the-backdoor-factory, but I'm not sure. I remember someone showing how, if you were connected to a network or access point that the target was on, you could inject shellcode into the download. But he did say something about JavaScript in the video, so maybe he did set up a fake website; however, the URL must have been DNS spoofed, I guess, so the website looked real.


I agree with Seb.

The files used by Kevin are probably private ones that he has written or modified. The first one appears to me to be just a DNS spoofing script. This would then route users to the custom site that is cloned and running on the Pineapple. SET was probably used for the cloning.

For the injection of the files, can't that just be done with a proxy? Ettercap can probably even do this, but since you already have control of the victim's traffic, all that is required is that you modify your cloned page to serve the required update.


I don't mean to bash Kevin, but from what I know about him from people who met him, he isn't one to make his own stuff. This guy pays people for 0day exploits; I've got a friend on Skype who has personally sold Kevin two 0day exploits. What he does with them I'm not sure, but he has a website dedicated to buying 0day exploits, so I highly doubt he made those scripts; possibly some public stuff he renamed to keep people from using it.

I swear the Flash update page in his video is not a fake URL; I swear it was the legit website for Flash he showed. I really do believe he used that shellcode injection method. I really wish I could remember where I saw that demo, but I remember they showed how you can inject code into a live download. I really believe that's another reason why most websites offer you a hash to compare, to make sure the file hasn't been tampered with.

But there really is a way to inject shellcode into a file someone is trying to download over a network.


I have posted example code about this kind of attack; I never spent the time to build a Metasploit module...

A forum post I made, just to see if people are interested:

http://www.backtrack-linux.org/forums/showthread.php?t=53855

Here was the working example code I posted in 2012, whipped up in a few hours:

http://pastebin.com/n7AHi5Ny

Some basic if expressions: if the binary data found on the wire is an 'exe', 'rar', 'msi', etc., replace the data with a Meterpreter and change the content length... header tampering...

And a video remake...

Edited by i8igmac
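The hash comparison mentioned a few posts up is the check a downloader can run against the on-the-wire replacement i8igmac describes: if the bytes were swapped in transit, they no longer match the digest the site publishes out of band. The following is an added Python example, not code from this thread or from i8igmac's pastebin; the download bytes, the tampered copy and the SHA256SUMS text are all constructed inline.

```python
import hashlib
import hmac

# Constructed sample: the bytes a site actually serves (a stand-in for a real
# installer) and the same bytes after in-transit tampering (a stand-in for the
# "replace the data on the wire" step described in the thread).
ORIGINAL_DOWNLOAD = b"MZ" + b"installer-body-placeholder" * 8
TAMPERED_DOWNLOAD = ORIGINAL_DOWNLOAD[:2] + b"injected-stub" + ORIGINAL_DOWNLOAD[2:]

# Constructed SHA256SUMS-style text in the `sha256sum` output format
# ("<hex digest>  <filename>") that download pages publish alongside the file.
PUBLISHED_SUMS = (
    hashlib.sha256(ORIGINAL_DOWNLOAD).hexdigest() + "  installer.dmg\n"
    "0000000000000000000000000000000000000000000000000000000000000000  other.exe\n"
)


def parse_sha256sums(text):
    """Parse `sha256sum`-format lines into {filename: hex_digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank or malformed lines
        digest, name = parts
        # sha256sum prefixes '*' to names hashed in binary mode; drop it
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(data, filename, sums_text):
    """Return True only if data's SHA-256 equals the published digest for filename."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False  # no published digest: treat the file as unverified
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison, so the check itself leaks nothing about the digest
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(verify_download(ORIGINAL_DOWNLOAD, "installer.dmg", PUBLISHED_SUMS))  # True
    print(verify_download(TAMPERED_DOWNLOAD, "installer.dmg", PUBLISHED_SUMS))  # False
```

The check only helps if the SHA256SUMS text is fetched over a channel the same interceptor cannot rewrite (HTTPS with a valid certificate, or a signed sums file), which is why many projects sign the digest list as well.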
