Tips for an Information Security Analyst/Pentester career - Ep. 40: Client-side attacks (pt. 1)
Concept
Over the previous episodes, we've performed reconnaissance on our targets and attacked one or more vulnerable services running on our victim host(s).
Now, we're going to deal with client-side attacks, which follow a reverse logic.
Instead of us trying to connect to a vulnerable service running on the target system, we're gonna set up a server and have our victim connect to it through social engineering, phishing, pharming or similar attack strategies.
Brief example
As a brief example of this type of attack, I'm going to use an auxiliary module (auxiliary/server/browser_autopwn2).
This exploit launches a series of possible attacks in the browser, until one succeeds.
If we run show options, we'll notice the options here are quite different from those of other types of attacks.
In fact, now we have SRVPORT (the local port on our server we want to listen on) and SRVHOST (the IP address of our server, which will be the IP of our Kali machine).
I normally change SRVPORT to 80, but it's not mandatory.
A good practice is to change URIPATH to something meaningful, otherwise random URIs will be generated.
We need to set a payload for this exploit and I chose windows/meterpreter/reverse_tcp.
For this payload, we need to set LHOST to the IP address of our Kali machine.
Advanced options
I also set up two advanced options (check the embedded video for more details).
I set ExitOnSession to false, so that the handler keeps listening after a session is opened: if that session dies, a new one can come in and we won't have to exploit our target from scratch.
In fact, this specific exploit runs entirely inside the browser and, if the browser crashes, our victim closes the related process or other issues occur, we're gonna have to start over.
Another solution to the problem explained above is to migrate to a more stable process, but we might not have enough time to do it manually.
For this reason, I also set PrependMigrate to true.
PrependMigrate automatically launches a new process and migrates our Meterpreter session to it.
When using ExitOnSession that way, we need to launch the exploit with exploit -j instead of exploit, so that it runs as a background job.
The exploit generates a URL that we need to open from the victim machine.
After the victim's browser connects to that URL, Kali starts sending exploit modules to it in the background until we get a shell.
Like I said, though, this exploit isn't very stable and it took me a while (and a couple of failed attempts) until I could finally get a stable session.
Notice how Meterpreter was able to automatically migrate to a new process in the background.
I could also obtain a privilege escalation by using the getsystem command.
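The traffic pattern this walkthrough produces is the same one a defender would look for: the victim's browser fetches a URL from SRVHOST:SRVPORT and, shortly afterwards, the same client opens a raw TCP connection back to that same address on a non-web port (the reverse_tcp callback to LHOST, which is the same Kali IP here). The following correlation script is an added example written for this post, not code from the post itself or from Metasploit. The proxy and firewall log formats, the IP addresses, the 120-second window, the WEB_PORTS set and all function names are assumptions; the log lines are constructed.

```python
"""
Correlate web-proxy requests with outbound connection logs to spot a client that
fetched a page from a server and then called back to that same server on a
non-web port shortly after (the SRVHOST == LHOST pattern from the post).

Added example, not from the original post. Log formats are assumptions;
adapt parse_proxy() and parse_firewall() to your own proxy/firewall output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO time> <client_ip> <method> <url> <status>"
PROXY_LOG = """\
2024-01-10T10:00:01 10.0.0.25 GET http://10.0.0.9/invoice 200
2024-01-10T10:00:03 10.0.0.25 GET http://10.0.0.9/invoice 200
2024-01-10T10:00:05 10.0.0.31 GET https://www.example.com/ 200
2024-01-10T10:01:00 10.0.0.31 GET https://www.example.com/news 200
"""

# Constructed firewall log: "<ISO time> <src_ip> <dst_ip> <dst_port> <action>"
FW_LOG = """\
2024-01-10T10:00:02 10.0.0.25 10.0.0.9 80 allow
2024-01-10T10:00:09 10.0.0.25 10.0.0.9 4444 allow
2024-01-10T10:00:06 10.0.0.31 203.0.113.5 443 allow
2024-01-10T10:02:30 10.0.0.31 10.0.0.9 22 allow
"""

# Ports a browser is expected to talk to; a follow-up connection elsewhere is suspicious.
WEB_PORTS = {80, 443, 8080, 8443}


@dataclass(frozen=True)
class WebRequest:
    ts: datetime
    client: str
    server: str   # host part of the URL (an IP in this constructed data)
    port: int
    url: str


@dataclass(frozen=True)
class Connection:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_proxy(text: str) -> list[WebRequest]:
    """Parse the assumed proxy format; port defaults follow the URL scheme."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        reqs.append(WebRequest(datetime.fromisoformat(ts), client, u.hostname, port, url))
    return reqs


def parse_firewall(text: str) -> list[Connection]:
    """Parse the assumed firewall format (one allowed/denied connection per line)."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = line.split()
        conns.append(Connection(datetime.fromisoformat(ts), src, dst, int(dport)))
    return conns


def find_callbacks(requests, connections, window=timedelta(seconds=120)):
    """Return (request, connection) pairs where the same client contacted the
    same server on a non-web port within `window` after fetching a URL from it.
    Each connection is reported once, paired with the earliest matching request.
    Limitation: hostnames in URLs are matched literally against firewall IPs;
    real deployments need DNS/proxy resolution data to bridge the two."""
    hits, seen = [], set()
    for req in requests:
        for conn in connections:
            if conn.src != req.client or conn.dst != req.server:
                continue
            if conn.dport in WEB_PORTS or conn.dport == req.port:
                continue
            if not (req.ts <= conn.ts <= req.ts + window):
                continue
            if conn in seen:
                continue
            seen.add(conn)
            hits.append((req, conn))
    return hits


def describe(hits) -> list[str]:
    """Human-readable alert lines for each correlated pair."""
    return [
        f"{req.client} fetched {req.url} at {req.ts.isoformat()} then connected to "
        f"{conn.dst}:{conn.dport} at {conn.ts.isoformat()} (possible reverse shell callback)"
        for req, conn in hits
    ]


if __name__ == "__main__":
    for line in describe(find_callbacks(parse_proxy(PROXY_LOG), parse_firewall(FW_LOG))):
        print(line)
```

On the constructed data only 10.0.0.25 is flagged: it fetched http://10.0.0.9/invoice and six seconds later opened a connection to 10.0.0.9:4444. The second client's connection to 10.0.0.9:22 is not flagged because it never fetched a page from that server. The check does not depend on a particular callback port, which matters because the post leaves LPORT at whatever the payload defaults to and an attacker can change it freely. Since the post also relies on PrependMigrate to move the session out of the browser, endpoint telemetry showing the browser process spawning a new process right after such a callback is a useful second signal to pair with this network-side correlation.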
Wrap-up
Client-side attacks work quite differently from the other types of attacks we've seen so far.
We create a server and have our target connect to it.
We'll see how these attacks are often multi-platform, as they leverage multi-platform attack vectors such as the Web browser, Java and PDF files, which I'll be analyzing in the upcoming posts.