Quick blog, in response to a conversation I had. Where I was informed that this would be a cool thing to share. Recently, I was doing a simulated attack, playing the part of an individual who had gained access to a customer’s facilities. This customer had the usual stuff such as LLMNR spoofing etc which was good for getting hashes, but I needed access quickly to exfiltrate as much data as possible prior to detection. Carrying out a simple man in the middle against some targeted networks, I say targeted because the company deployed small department/functional VLANs, so it literally meant moving desks to find more victims…. I saw proxy authentication for company users as they were browsing the internet. The response to every request was a HTTP 407 proxy authenticate, providing the options to negotiate NTLM or BASIC. The users were all on the domain and NTLM was taking precedence. Therefore, I would see the hash being transmitted in the response. Great more hashes…..

That was when I though wait a minute…I shouldn’t see any of this traffic. It’s over HTTP!!!!!! I can modify the proxy authentication options in transit.

I created the following Ettercap filter as shown below and changed everything to BASIC. Obviously with BASIC authentication the user is going to be asked for their credentials. One of my colleague actually said no users will put there details in as its too suspicious…..and that was when the Base64 encoded username and password appeared on my Wireshark screen for an individual working in the Cyber Crime Team.

The filter:

To compile and run the filter use the following syntax:

etterfilter etter.filter.proxy -o proxy2.ef
ettercap -T -q -F proxy2.ef -M ARP /Target-IP// ///