I’m going to recap from the last post. What I’m about to demonstrate in this post is the impact an attacker can cause to your network once he has access to the router ..
We have access to the router, but our goal is to get a foothold on the remote network. Hmm .. we have the port forwarding option, which is beautiful; what we can do with that is scan the network pool for internal IPs, forward ports like 445 and 139, and try to exploit them from our end. But imagine a network with 200 machines: that will definitely be time consuming, and even if you write a script to automate it, what makes you believe you’re actually going to get meterpreter sessions?
So .. what’s the solution ?
Hmm, DNS is an interesting thing to look at, since we can provide a DNS server IP to the router for the whole network to use !!
Are we talking about DNS intercepting ? Hell yeah😀
Here is a list of the tools we’re going to use :
- Attacking from Ubuntu (Metasploit, dnschef and webmitm) running on IP 192.168.0.6
- Burp Suite will be running at IP 192.168.0.10
First, I’ll explain how I’m going to do the attack :
We’re going to set up our dnschef proxy :
./dnschef.py --interface 192.168.1.106 --fakeip 192.168.1.106
--interface : tells dnschef which interface (address) it will listen on.
--fakeip : hijacks requests by returning this IP as the answer for every query.
The next step is to launch the webmitm tool, which will handle the HTTP requests and responses; from there we’ll tell webmitm to forward the traffic to the Burp Suite proxy, which will allow us to inject an iframe pointing at the Metasploit browser autopwn server.
We have to configure Burp Suite so that it handles requests on port 80.
It has to be in invisible proxy mode ..
Repeat these steps for port 443 to handle HTTPS traffic.
Ok, so everything is ready now .. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server.
This way I injected my IP address as the first DNS server on the router, and the second one is the one that belongs to Google. If we want to stop the attack on the already injected routers by blocking requests made to our DNS server, the router will automatically fall back to the second server, Google’s, without showing any DNS resolution error on the victim’s end.
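From the defender’s side, this setup leaves two artefacts worth checking for: a resolver on the router (primary or secondary) that is not one you configured, and a resolver whose answers collapse onto a single IP for every name, which is exactly what --fakeip produces. The Python below is an added example, not code from the post; the log format, the example names and the resolver/answer IPs are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the post); assumed format:
# "<timestamp> <resolver> <qname> A <answer>". 192.168.1.106 plays the
# rogue dnschef resolver, 8.8.8.8 a legitimate public resolver.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.1.106 www.example.com A 192.168.1.106
2024-01-01T10:00:02 192.168.1.106 mail.example.org A 192.168.1.106
2024-01-01T10:00:03 192.168.1.106 cdn.example.net A 192.168.1.106
2024-01-01T10:00:04 192.168.1.106 shop.example.org A 192.168.1.106
2024-01-01T10:00:05 8.8.8.8 www.example.com A 192.0.2.10
2024-01-01T10:00:06 8.8.8.8 mail.example.org A 203.0.113.25
2024-01-01T10:00:07 8.8.8.8 cdn.example.net A 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(?P<resolver>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$")

def parse_dns_log(text):
    """Return (resolver, qname, answer) tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["resolver"], m["qname"].lower(), m["answer"]))
    return out

def find_wildcard_resolvers(records, min_names=3, threshold=0.9):
    """Flag resolvers that answer (almost) every distinct name with the same IP,
    the signature of dnschef --fakeip. Returns {resolver: (ip, share_of_names)}."""
    names_by_answer = defaultdict(lambda: defaultdict(set))
    for resolver, qname, answer in records:
        names_by_answer[resolver][answer].add(qname)
    flagged = {}
    for resolver, answers in names_by_answer.items():
        total = len(set().union(*answers.values()))
        if total < min_names:
            continue  # too few distinct names to judge this resolver
        ip, names = max(answers.items(), key=lambda kv: len(kv[1]))
        share = len(names) / total
        if share >= threshold:
            flagged[resolver] = (ip, share)
    return flagged

def unexpected_resolvers(configured, allowlist):
    """Every configured resolver not on the allowlist, primary or secondary:
    putting a legitimate server second does not hide a rogue first entry."""
    return [ip for ip in configured if ip not in allowlist]
```

Run the wildcard check over your own resolver or DNS-forwarder logs, and the allowlist check over the DNS servers read back from the router’s configuration.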
Ok, so now we’ll have to launch the browser autopwn module in Metasploit.
PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic.
It’s loaded and waiting for victims to browse🙂
Ok, so from here we’ll have to add the iframe injection to Burp Suite, so that when it gets a response for a page requested by the victim, it injects an iframe pointing at “http://192.168.0.6:8080/”, where Metasploit is listening.
After injecting my DNS server into the victim’s router using the scripts, and after setting up everything from dnschef to Metasploit, let’s follow what happens when a victim browses to a website.
We got 3 meterpreter sessions😀.
DO YOU REALIZE WHAT SOMEONE CAN DO IF HE HACKS INTO YOUR ROUTER THROUGH SOME VULNERABILITY, OR JUST THROUGH DEFAULT PASSWORDS THAT YOU DIDN’T CHANGE ?
Any questions or comments feel free to contact me. And as always : Happy Hacking🙂