Backtrack 5r3: Capturing Voice from Remote Mic and Converting it to Searchable Text

Okay, I introduced the cool capability of using Metasploit to capture remote voice via mic and then converting it into keyword searchable text in the last post. As promised, we will take a closer look at setting it up to work on Backtrack 5r3 in this post.

I am going to warn you up front, this can be quite a process, but well worth it.

In this tutorial we will be using a Windows 7 laptop as our target, Backtrack 5r3 as our “attacker” system, the Social Engineering Toolkit (SET), Metasploit, AT&T’s voice to text developer platform, and a proof of concept AT&T interface script by Metasploit developer Sinn3r.

Continue reading “Backtrack 5r3: Capturing Voice from Remote Mic and Converting it to Searchable Text”

Remotely Recording Speech and Turning it into Searchable Text with Metasploit & Watson

WATSON-graphic-5

Technology has made some amazing advances in the past few years. It makes you wonder what computer security will look like in the future. For example, how cool would it be to be able to remotely turn on a microphone, and record what it said. Then process the recorded speech – turning it into searchable text, and scanning it to look for keywords like “Password” or “Social Security Number”?

What if I said you can do that right now?

Well, you can!

Thanks to some amazing work by AT&T labs and “Sinn3r” from the Metasploit development team, you can now take any .wav file that contains spoken words, and search it for keywords like account information and passwords.

AT&T labs has opened up their “Watson” speech to text technology to the public, releasing a development SDK and API so programmers can add speech recognition to their products. With a proof of concept script written by Sinn3r from Rapid7, you can now add speech to text capability to Metasploit!

How does it work?

Amazing!

I will cover it in deeper detail in a following post, but here is a quick walk through:

I had a “target” system attach to my “attacker” Backtrack 5r3 box running a Java exploit. Once the target Windows 7 system (fully patched and updated of course, with AV protection enabled) ran the backdoored Java, I had an open session with it:

Active Sessions 2

Next, I simply ran the “record_mic” command to remotely turn on and capture any audio within the area of the target system:

Record_mic

Finally, I simply fed the resulting .wav file into the sound analyzer script. It converted the sound file to text and searched it for keywords.

Did it find anything?

Of course! It correctly scanned the file and noticed that the word “password” was mentioned:

IT WORKED CLOSE UP

Okay, it wasn’t 100% correct. I used a four number password, followed by a dash and four more numbers. As you can see, the AT&T program mistook it and tagged it as a phone number, dropping the first number off. I also said “secured” instead of “picture” at the beginning of the line.

AT&T tagged the transcription confidence level at .48, this means that the program was about 50% confident that it had the right translation, which was about correct.

Even so, this technology is AMAZING! You have to think, during the process a voice was copied live from a remote system, turned into text and then analyzed for keywords. Without any “voice training” like so many voice programs need, Watson pretty accurately deciphered the .wav file and gave us a useable output.

We will take a much closer look at this in the next few posts. There were a few hurdles to overcome getting the script to run on Backtrack 5r3, so I will create a step by step tutorial. We will even look at some other uses for the technology.

Awesome job AT&T, Sinn3r and the Metasploit development team!

Java Releases Zero-Day Patch – Why you Need to Install it Now

Java Setup

Java released an out-of-band patch yesterday to remedy two Zero-Day exploits. If you haven’t done so update now. The Java exploit code has been added to several underground crimeware kits rapidly accelerating its spread on the internet. The patch stops a remote exploit that would allow an attacker to run code on a system that does nothing more than browse to a malicious page. This could include a full remote shell which we will demonstrate below.

The exploit code has been publicly available for a while now and has been added to the ever popular security testing suite Metaslpoit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit.

Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu.

SET Java 0-Day

Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.

Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:

Surf to page

It doesn’t seem that anything happens. No warnings or pop-ups.

But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:

SET Session Created

We can now view any sessions that were created. As you see below we have one active session by Fred using a computer called Freds-PC using IP Address 192.168.0.114.

We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote DOS shell:

SET Windows 7 Shell

In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.

Now, let’s go to the Java Download page and download the latest update (update 11):

Java Update

Then let it install:

Java Setup Complete

Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.

The webpage opens and acts like it did on the victim’s side. So far no change.

But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:

After Update No Shell

That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.

Java seems to be a favorite target of hackers, and you never know when another Zero-Day might be discovered. If you haven’t done so all ready I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts are allowed to run.

Internet Explorer Zero-Day Discovered, Metasploit Module Released

A new 0-Day IE exploit puts a lot of internet users at risk. According to Rapid7 (creator of the Metasploit testing platform) the new zero-day, discovered by security researcher Eric Romang, affects IE 7,8 and 9 on Windows XP, Vista (Anyone really use that anymore?) and Windows 7.

The Zero-Day was found when Eric was analyzing a machine that was infected with “Poison Ivy” a malicious remote administration tool (RAT). Apparently the 0-Day was actually used to install Poison Ivy, possibly by the “Nitro” hacker gang.

Check out the video Eric made (above) and his website for more information.

Microsoft urged users to use their free security tool, the Enhanced Mitigation Experience Toolkit (EMET). Rapid7 countered this saying that the stop-gap does not work well in all circumstances and should switch to another browser until a security patch to IE is released.

Rapid7 also released a Metasploit module (pictured above) so corporate security teams could test their networks to see if they are vulnerable to the exploit. All Metasploit users need to do is just update their install and the module will be pulled down. Backtrack users can simply run “msfupdate”.