Using mana toolkit and BDFProxy to backdoor executables on the fly

A week or so back, DecidedlyGray put up a post about using Kali Nethunter, Mana and BDFProxy to backdoor executables on the fly on a rogue Access Point. I'm going to recreate the same AP in Kali 2.0 in this post.

First up you need to install the mana toolkit with
apt-get install mana-toolkit
This will install the toolkit and set up some of the basic configs.

If you navigate to
/usr/share/mana-toolkit/run-mana
you will see the runscripts. I had a little play with the start-nat-full.sh script but had issues with SSLStrip, so resolved to use the non-SSL script start-nat-simple.sh

First up, copy
start-nat-simple.sh
to a new script with:
cp start-nat-simple.sh start-nat-simple-bdfproxy.sh

In this file I didn't make many changes other than to change the physical and upstream interfaces to the ones I use on my Kali VM (eth1 for upstream and wlan0 for phy), and to add the entry required for the redirect to BDFProxy
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 8080
so my config file ended up looking like this:

Next up is the hostapd-karma config file in
/etc/mana-toolkit/


I would not recommend using "Free WiFi" as SSID in an environment where there may be other people near enough to see your access point! This will almost certainly land you in trouble.
The only changes I made here were to change the ssid name, and to set the interface to wlan0.

Next, your dhcp settings.
In the same folder as earlier there is
/etc/mana-toolkit/dhcpd.conf
I actually didn't make any changes in here. It uses Google's DNS servers and assigns clients addresses in the 10.0.0.0/24 range, which is fine for my purposes.

Finally, the bdfproxy settings in
/etc/bdfproxy/bdfproxy.cfg
I did have to make some changes in here. For some reason the "HOST" addresses were set weirdly, some to 192.168.1.168 and some to 192.168.1.16. Borrowing the fix from decidedlygray:
sed -i 's/192.168.1.168/10.0.0.1/g' bdfproxy.cfg
sed -i 's/192.168.1.16/10.0.0.1/g' bdfproxy.cfg
Run them in that order: the second pattern is a prefix of the first, so reversing them would rewrite 192.168.1.168 to 10.0.0.18 instead of 10.0.0.1.
You will also need to change the value
transparentProxy = None
to
transparentProxy = transparent

As far as configs, that should be all set up! You can start mana with:
/usr/share/mana-toolkit/run-mana/start-nat-simple-bdfproxy.sh

And then bdfproxy simply by typing "bdfproxy" into the terminal. And finally, metasploit from the bdfproxy helper file by navigating to /usr/share/bdfproxy and running:
msfconsole -r bdfproxy_msf_resource.rc

I was then able to connect to the AP from my phone, and downloading Putty correctly sent the request via BDFProxy for it to be backdoored:


Success!

As usual, please don't use this to do anything daft.
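What this setup demonstrates is that an installer fetched over plain HTTP can be rewritten between the server and the client. The check that catches it on the receiving end is an integrity comparison against a digest obtained out of band (the vendor's HTTPS download page or a signed release manifest). The script below is an added example, not code from the original post or from mana/BDFProxy; the "installer" bytes and the patched copy are constructed in memory so it runs offline, and the published digest is computed from the known-good bytes in place of a real vendor-supplied value.

```python
"""Verify a downloaded executable against a publisher-supplied SHA-256 digest.

Added example (not part of the original post or of mana/BDFProxy). A file
served over plain HTTP can be modified in transit; comparing what arrived
against a digest obtained over a trusted channel detects the change before
the file is run.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large installers are not held in RAM


def sha256_file(path):
    """Return the lowercase hex SHA-256 of the file at `path`, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's digest equals `expected_hex` (case-insensitive)."""
    actual = sha256_file(path)
    # compare_digest compares in constant time regardless of where they differ
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Constructed scenario: the same 'installer' bytes, clean and patched.

    Returns (clean_verified, patched_verified); expected (True, False).
    """
    original = b"MZ" + bytes(range(256)) * 8  # stand-in for a PE file (constructed)
    # same length as the original, 16 bytes overwritten: size alone would not reveal it
    patched = original[:300] + b"\xcc" * 16 + original[316:]
    with tempfile.TemporaryDirectory() as d:
        clean_path = os.path.join(d, "putty.exe")
        patched_path = os.path.join(d, "putty_modified.exe")
        with open(clean_path, "wb") as f:
            f.write(original)
        with open(patched_path, "wb") as f:
            f.write(patched)
        # stands in for the digest published on the vendor's HTTPS page
        published = hashlib.sha256(original).hexdigest()
        return verify_download(clean_path, published), verify_download(patched_path, published)


if __name__ == "__main__":
    clean_ok, patched_ok = demo()
    print("clean file verified:", clean_ok)
    print("patched file verified:", patched_ok)
```

The digest has to come from somewhere the proxy cannot rewrite; a hash shown on the same HTTP page as the download offers no protection, since the same redirect rule delivers both. Authenticode or another code signature on the binary gives the same guarantee without a separate lookup, provided the client actually checks it before execution.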
