DNS Spoofing with Nethunter, cSploit & Kali Linux

May 28, 2016

Kali Nethunter cSploit 1

How cool would it be as a pentester to walk around a target company with only your smartphone and divert individual systems surfing the web to an outside Kali Linux system you have set up that is just waiting for incoming connections? With Kali Nethunter you could!

Using Kali Nethunter & cSploit on your Android phone, you can fairly easily perform a Man-in-the-Middle attack on target systems. Of course you can do all the normal MitM type attacks but what is nice is that you can also do DNS spoofing. This would allow you to divert a system surfing the web (without ever physically touching the target) to a different website.

Well, what if that different website was a Kali Linux system running Social Engineering attacks?

Introduction

If you haven’t played with Nethunter yet, it is one of the coolest things since sliced bread. Nethunter is an adaptation of the most excellent Kali Linux penetration testing platform re-invented for use on smartphones.

As always, it is illegal to attempt to access or modify a system that you do not have express written permission to do so. Doing so could get you into serious legal trouble and you could end up in jail.

Though DNS spoofing attacks are not new, it is just so easy to do them with Nethunter. And as this could easily be misused, I will not show all the steps in this process, only how the attack could be set up.

Also, I will not show how Nethunter is installed. If you install Nethunter on your phone, you do so at your own risk. Installing Nethunter involves wiping your phone, installing new and custom firmware and rooting it. As with modifying any smartphone, there is a possibility that the phone could be bricked in the process, turning your favorite phone into an expensive drink coaster.

Three systems will be used in this article – The smartphone running Nethunter, a test target system running Windows 7 and a third computer running Kali Linux.

Kali Nethunter cSploit 2

All right, enough talk, let’s get to it!

Using Nethunter

When Nethunter boots up it looks like any other Android phone, other than the epic Kali boot screen, that is. Kali Nethunter installs multiple tools found in a regular Kali Linux install and presents you with a nice menu system under the “Nethunter” icon:

Kali Nethunter cSploit 3

There are some great tools here like “HID attacks”. This allows you to turn your phone into an evil USB keyboard that actually types commands on the target system when your phone is connected. There is also the MITM Framework which allows you to do more advanced MITM attacks than we will cover today. Of course you can also run Nmap scans, start Kali Services and several other things.

Don’t forget as well, that you have many of the Kali tools installed in the file system itself, so you can open a terminal and run them just as you would on a regular Kali system.

MitM DNS Spoofing with cSploit

Along with the Kali tools, Nethunter also installs several additional tools that are very helpful to a penetration tester including cSploit. cSploit is probably the fastest way on the phone to scan a connected network and perform basic attacks, including MitM.

Just tap the cSploit icon to start the application. It will immediately perform an extremely quick scan of all systems connected to the network. You will then be shown a list of all the network devices along with their name, MAC and IP addresses, and how many ports were detected on each device.

Clicking an individual target will give you a list of scans and attacks that can be run against the target:

Nethunter Csploit

Trace and port scanner are self-explanatory. Service inspector runs an in-depth scan with service detection. Once this is done, you can click the “Exploit Finder” button to try to find exploits for any vulnerabilities found during the service inspection.

Let’s take a look at the MITM attacks:

Nethunter Csploit 2

We can use the DNS spoofing button to redirect the target system to a system we control. Once you click the “DNS Spoofing” button you will be presented with an Ettercap config screen. Simply set the Domain name you want to the IP address that you want it to actually point to.

For example, if we want the target to go to our separate Kali Linux system, we would just put in its IP address. As “microsoft.com” is already in the config file as an example, we only need to modify the IP address. So if our Kali Linux system were running at 192.168.1.39, we would modify the Ettercap config screen to look something like this:


Ettercap DNS config 1

When Finished:

  • Just click, “SAVE”
  • And then click, “START”

And that is it. cSploit will start the MITM attack and, for that target system, make the DNS entry for microsoft.com point to our Kali Linux box.

On the Kali Linux system, start the Social Engineering Toolkit, and then step through the web attack menu having it clone the Microsoft website.

And then when the target system opens their internet browser and types in “microsoft.com”, they will indeed see this:

Microsoft webpage

But they will actually be connected to the Kali Linux system and be shown the cloned Microsoft website from the Social Engineering Toolkit.

If they click on any links they will get errors, as SET does not clone the entire website. But the gist here is that we used our phone to redirect a user to a third system, which could hypothetically be anywhere, running a program that, when set up properly, could grab any text or credentials entered.

Conclusion

DNS spoofing will not work on all websites, and MitM attacks do not work at every location. But this could work out very well for a penetration tester in some circumstances. They could set up a cloned copy of a website (maybe the target system’s corporate website) on an offsite computer. Then just take their phone into the building, connecting to an open network port or the corporate Wi-Fi, and re-direct individual systems to the outside box for the win.

The best defense against Man-in-the-Middle attacks is to protect your physical network. Use complex passwords for your wireless networks, disable or protect open and unused network ports, and segment your network when possible. DNS attacks will usually not work against websites using SSL (HTTPS), and they also do not work well against websites hosted on a server that hosts multiple websites.
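As an added example (my own code, not something from the original post or from the cSploit or Nethunter projects), here is a small client-side check for the two artifacts this kind of attack leaves behind on the victim's network: an ARP table in which one MAC address has started answering for several IP addresses (the gateway's among them), and a resolver log in which a public host name such as microsoft.com is answered with a LAN address. The ARP table, the resolver log lines, the MAC addresses and the gateway baseline below are all constructed for the example; the log format is a dnsmasq-like "reply NAME is IP" line and is an assumption, so adapt the regex to whatever your resolver actually writes.

```python
"""Detect two traces of a LAN-side ARP-poisoning / DNS-spoofing MitM.

1. ARP poisoning: one MAC address claiming more than one IP, or the gateway's
   MAC differing from a recorded baseline.
2. DNS spoofing: a public host name resolving to a private (LAN) address.
All sample data below is constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: Windows `arp -a` output after poisoning has started.
# 192.168.1.20 is the victim, 192.168.1.1 the real gateway; the poisoner's
# NIC (02-00-00-aa-bb-cc, a made-up locally administered MAC) now claims
# the gateway's IP as well as its own 192.168.1.50.
ARP_SAMPLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-aa-bb-cc     dynamic
  192.168.1.39          00-0c-29-11-22-33     dynamic
  192.168.1.50          02-00-00-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed: resolver log lines in a dnsmasq-like "reply NAME is IP" style.
# 203.0.113.10 is a documentation-range address standing in for a real one.
DNS_LOG_SAMPLE = """\
May 28 09:12:01 dnsmasq[812]: reply microsoft.com is 192.168.1.39
May 28 09:12:03 dnsmasq[812]: reply printer.corp.local is 192.168.1.60
May 28 09:12:05 dnsmasq[812]: reply example.com is 203.0.113.10
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
DNS_LINE = re.compile(r"reply (\S+) is (\d+\.\d+\.\d+\.\d+)")

# Address space that should never be the answer for a public host name.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_arp_table(text):
    """Return {ip: mac} for dynamic entries; static and broadcast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def macs_with_multiple_ips(table):
    """{mac: [ips]} for every MAC that answers for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(table, gateway_ip, baseline_mac):
    """True if the gateway's current MAC differs from the recorded baseline."""
    current = table.get(gateway_ip)
    return current is not None and current != baseline_mac.lower()


def is_internal_name(name, internal_suffixes):
    return any(name == s or name.endswith("." + s) for s in internal_suffixes)


def suspicious_dns_replies(log_text, internal_suffixes=("corp.local",)):
    """(name, ip) pairs where a non-internal name resolved to a LAN address."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        name, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if any(ip in net for net in LAN_RANGES) and not is_internal_name(name, internal_suffixes):
            hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    table = parse_arp_table(ARP_SAMPLE)
    print("MACs claiming several IPs:", macs_with_multiple_ips(table))
    # Baseline gateway MAC is an assumed value you would record on a clean network.
    print("Gateway MAC changed:", gateway_mac_changed(table, "192.168.1.1", "00-11-22-33-44-55"))
    print("Public names answered from the LAN:", suspicious_dns_replies(DNS_LOG_SAMPLE))
```

On a real host you would feed `parse_arp_table` the output of `arp -a` and `suspicious_dns_replies` your resolver's log; a MAC that suddenly owns the gateway IP, or microsoft.com answering from 192.168.x.x, is exactly the footprint of the attack the post describes.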

If you want to learn more about Kali Linux and Social Engineering attacks, check out my Kali Tutorial books on Amazon.com.

Shodan Search Reveals Open Cloud Control Panels

April 24, 2016

While researching web server frameworks, I ran across something that seemed very odd. I found what appeared to be unsecured cloud cluster controls. And using Shodan I could tell the difference between the ones that were using account login control and those that were, surprisingly, completely open to the public.

Twisted Web is a Python based web server used in many network applications. Over the years I have noticed that specific versions seem to be used for different tasks. I ran into one the other day that I do not remember seeing before.

An internet search using Shodan (the “search engine for Internet-connected devices”) for Twisted Web servers returned some odd results that I did not recognize. A specific version (10.2.0) returned what appeared to be some sort of cloud control interface on the internet.

If you go to the “Shodan.io” website and search for “twistedweb/10.2.0” it will list all of the systems in question, as seen below:

Shodan Cloud Security 1

There seem to be password-protected ones and what appear to be completely unprotected ones. The difference is that the password-protected ones show a login.html file in the Shodan result, while the completely open ones point to index.html.

So to have Shodan find all of the ones that appear completely open to the public, just search for “twistedweb/10.2.0 index.html” as seen below:

Shodan Cloud Security 2

As you can see, there are more than 700 of them. They appear to be DataStax Enterprise cluster storage controls, as seen in this picture from a DataStax YouTube demo:

Shodan Cloud Security 3

The DataStax YouTube video explains that you can completely control and monitor the cluster storage from this interface. I was thinking this was something that really shouldn’t be completely open to the public on the internet. There must be a “require login” setting that people are just not using to secure them. As I wasn’t sure, I ran the information by my friends at Evident.io.
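As an added example (my own code, not part of the original post and not a Shodan or DataStax tool), here is the login.html / index.html distinction from above turned into a triage script for the banners Shodan returns for address space you are responsible for. The banner texts, IP addresses and network ranges are constructed; real banners for this server will look different, so treat the string checks as an illustration of the method rather than a reliable fingerprint.

```python
"""Triage Shodan-style HTTP banners for exposed cluster-admin interfaces.

A banner naming TwistedWeb/10.2.0 that redirects to login.html is treated as
login-protected; one that serves index.html directly is treated as open.
Constructed example data: IPs, ranges and banner texts are made up.
"""
import ipaddress
import re

SERVER_RE = re.compile(r"^Server:\s*TwistedWeb/10\.2\.0\s*$", re.I | re.M)

# Constructed Shodan-like records: (ip, raw HTTP banner).
SAMPLE_RECORDS = [
    ("203.0.113.10",
     "HTTP/1.1 302 Found\r\nServer: TwistedWeb/10.2.0\r\n"
     "Location: /login.html\r\nContent-Type: text/html\r\n\r\n"),
    ("203.0.113.11",
     "HTTP/1.1 200 OK\r\nServer: TwistedWeb/10.2.0\r\nContent-Type: text/html\r\n\r\n"
     "<html><head><title>index.html</title></head></html>"),
    ("198.51.100.7",
     "HTTP/1.1 200 OK\r\nServer: TwistedWeb/10.2.0\r\nContent-Type: text/html\r\n\r\n"
     "<html><body>dashboard</body></html>"),
    ("192.0.2.5",
     "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
     "<html>index.html</html>"),
]


def classify_banner(banner):
    """'login-protected', 'open', 'unknown' for TwistedWeb/10.2.0; 'other' otherwise."""
    if not SERVER_RE.search(banner):
        return "other"
    if "login.html" in banner:
        return "login-protected"
    if "index.html" in banner:
        return "open"
    return "unknown"


def triage(records, owned_networks):
    """Classify only the banners that fall inside the networks you own."""
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    out = []
    for ip, banner in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            out.append((ip, classify_banner(banner)))
    return out


def needs_attention(records, owned_networks):
    """Hosts to check for a missing 'require login' setting: open or unclassifiable."""
    return [ip for ip, verdict in triage(records, owned_networks)
            if verdict in ("open", "unknown")]


if __name__ == "__main__":
    # Owned ranges are assumed values; substitute your organisation's own.
    for ip, verdict in triage(SAMPLE_RECORDS, ["203.0.113.0/24", "198.51.100.0/24"]):
        print(ip, verdict)
    print("check these:", needs_attention(SAMPLE_RECORDS, ["203.0.113.0/24", "198.51.100.0/24"]))
```

Anything that comes back as "unknown" deserves a manual look rather than a pass: a banner that neither redirects to a login page nor obviously serves index.html may still be an unauthenticated console.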

“What you are seeing here is the failure to implement proper security controls around administrative interfaces of, in this case, Enterprise Cassandra NoSQL clusters. The unprotected administrative interface gives remote attackers the ability to connect to the cluster and perform administrative functions without authentication or resistance. This is often the result of business pressure to deploy technology to solve complex problems, but failure by the business to invest in time and resources to help those product teams protect the infrastructure and services themselves. A simple verification of security control deployment around this kind of technology would prevent this security incident from happening in the first place, and guarantee continued protection against mistakes that create unnecessary risk for the company,” said Tim Prendergast, co-founder and CEO of Evident.io.

There must be some way to protect these systems, or to notify cloud users of these issues. Well, according to Prendergast, there is:

“Tools like the Evident Security Platform (ESP) help prevent these kinds of issues from being exploited by attackers by providing comprehensive visibility into the security controls deployed in your cloud, or alternatively you could build your own set of custom security controls through the custom signatures feature. Either way, nobody should operate their cloud environment without fast, accurate, and actionable information on these types of risks. The only way to protect your organization from suffering due to unprotected attack surfaces is to create a continuous, enforceable security practice around your cloud.”

As we have seen here, some improperly protected cloud controls across the world were found very easily using Shodan. We could also easily differentiate between systems that had account login controls (I hope they used strong passwords) and those that didn’t. The advantages of using the cloud are obvious, but like any computing resource they must be protected properly from online threats.

About the Author

Daniel W. Dieterle is an internationally published author and computer security researcher with over 20 years’ experience in the IT field. His technical “How-To” articles have been featured in numerous computer magazines, and referenced by both industry websites and the media. He has also written three Ethical Hacking Security books based on Kali Linux, including his latest book, “Basic Security Testing with Kali Linux 2”, which contains a chapter on using Shodan.


How to install Bitdefender’s free Ransomware Protection Tool

March 29, 2016

Bitdefender has just released a free tool that can protect against ransomware viruses. Here is how to install it.

Hackers have been hitting everything from hospitals to police stations with ransomware viruses. Bitdefender has released a tool that could help fight it:

“Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way.” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”

Installation could not be easier:

  1. Download the file:

https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/

  2. Run it:

Ransomware Protection 1


  3. Click Next, and then Install:

Ransomware Protection 2

  4. And then click Finish:

Ransomware Protection 3

And that is it!

Ransomware Protection 4

How easy was that?

If you want you can change the settings for the program. You may want to set it to “minimize on startup” and “minimize to tray on close”:

Ransomware Protection 5

But it is pretty much an install-and-forget-about-it type of app: no fuss, no muss.

Bitdefender has always been one of my favorite anti-virus programs, and this is a handy tool to have.

Check it out!

Book Review: Basic Security Testing with Kali Linux 2

March 26, 2016

Basic Kali 2

A fully updated version of the very popular “Basic Security Testing with Kali Linux” is now available! Now totally re-written from the ground up to cover the new Kali Linux “2016-Rolling” with the latest pentesting tools and Ethical Hacking techniques.

I was honestly shocked at how well the first Basic Security Testing book was received by the security community. But all in all, it was my first book attempt and definitely had room for improvement. I was flooded with requests and advice from students, instructors and even military personnel on recommended changes and ways the book could be improved.

I took every comment to heart and, with the help of an amazing editorial and reviewer team that included a computer security professor and a CTF player, created Basic Security Testing 2!

What’s new:

  • Completely re-written to cover topics more logically
  • Better lab layout that is used consistently throughout the book
  • Written for the latest version of Kali (Kali 2.0 “Sana” & Kali “2016-Rolling”)
  • Includes an introduction chapter for the new Kali 2016-Rolling
  • All tools sections have been updated – old tools removed, new tools updated
  • Now uses PowerShell for most of the remote Windows Shells
  • XP removed, Windows 7 used as the main Windows target (though Windows 10 is mentioned a couple of times :) )
  • More tool explanations and techniques included
  • 70 pages longer than original book

What’s the same:

  • Learn by doing
  • Hands on, Step-by-Step tutorials
  • Plenty of pictures to make steps more understandable
  • Covers the same major topics as the original, but using the latest tools
  • The front cover, well, except for the “2”!

My goal was to provide a common-sense Ethical Hacking how-to manual that would be useful to both new and veteran security professionals, and hopefully I have accomplished that task. Thank you to everyone for your continuous support and feedback; it is greatly appreciated!

So what are you waiting for, check it out!

Basic Security Testing with Kali Linux 2
