Tuesday, November 15, 2011

Client-side exploitation using Metasploit Pro v4

This write-up shows how you can get up & running with client-side / phishing assessment using Metasploit Pro 4.0.

Let's start by creating a new project.

We are at the project home screen now. This screen shows various details like hosts discovered, vulnerabilities, sessions opened, web apps, and social engineering campaigns. A social engineering campaign is what we are doing now; once we create new campaigns in the upcoming screens, this section will be updated. Also, note that there is a Recent Events screenlet down there. It gives us a log of whatever task(s) are running / have run.

Go to Campaigns option in the menu and click 'New Campaign'.

Enter the details as shown in the next screen. There are different campaigns you can run:

  1. Web campaign -> Basically this runs a web server at a port that you specify. Once someone clicks on the web server URL, Metasploit Pro will send out the client-side payload(s) which you configure in the next screen.
  2. USB Drive campaign -> Create a bind shell payload exe. Put it on a USB drive, distribute it & wait for connect-backs.
  3. Email campaign -> Here specify an SMTP server which you will use to send out phishing emails. Give your user ID, password, & add a Display Name. Lastly you can upload the list of email addresses from a file. You can also choose to add individual email addresses later.

In this case, the address entered is my local interface IP address. Once all information is entered, save the campaign.

Next, we need to build the configuration for the web campaign. Here we have 2 sections:

  1. Web Template Settings: Either clone an existing website, for example, paypal.com; OR specify your own HTML template.
  2. Exploit Settings: This is where you define what happens when the target user accesses the malicious web URL. You can choose to not run any exploits, choose a specific exploit, or start Browser Autopwn. In this demo, AutoPwn is run as soon as the end user clicks the web server URL.

Autopwn tries out the exploits that match the browser that accesses the URL.

Next, we configure Email Template Settings for our email campaign. Here we have an option to send the malicious exploit / payload as an attachment.

On the next screen, I enter my email address. This is the place where you will enter the target user email addresses.

Save & you will reach the summary screen. Here it shows you the campaign configuration(s).

Note that I have already run this campaign earlier in testing, so you see 'Sent 1 email'; you can ignore that for now.

Click on Run Campaign to start the campaign.

Here is the view from the victim's email screen. So, the message appears to come from CEO Office, & has a link in it.
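From the defender's side, the lure described above (an executive-style display name on an outside address, link text imitating a cloned site while the href points at the campaign web server on an IP address and a custom port) is a pattern a mail gateway or triage script can flag. The following is an added example, not part of the original post and not Metasploit Pro code; the message, addresses, domain and port are constructed here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure modelled on the campaign in the post: "CEO Office"
# display name, link text imitating a cloned site, href to the campaign
# web server on an IP address and a non-standard port. Not a real message.
SAMPLE_EMAIL = """\
From: CEO Office <ceo.office@example-mail.test>
To: victim@corp.example
Subject: Urgent: please review before the board call
Content-Type: text/html

<html><body><p>Please sign in and review the attached figures:</p>
<a href="http://192.0.2.10:8080/paypal/login">https://www.paypal.com/signin</a>
</body></html>
"""

INTERNAL_DOMAIN = "corp.example"  # assumption: the recipients' own mail domain
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def analyse_email(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return the reasons a message looks like a client-side phishing lure."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # A display name with no matching internal address is the cheapest spoof.
    if display and sender_domain and sender_domain != internal_domain:
        findings.append(f"display name '{display}' on external domain {sender_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if IP_RE.match(host):
            findings.append(f"link to bare IP address {host}")
        if url.port not in (None, 80, 443):
            findings.append(f"link uses non-standard port {url.port}")
        # Visible text that is itself a URL must agree with the real target.
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host.lower() != host:
            findings.append(f"link text shows {shown_host} but points to {host}")
    return findings
```

Running `analyse_email(SAMPLE_EMAIL)` returns four findings for the constructed lure; the same checks return an empty list for a plain internal notice with a link to a named internal host.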

Before I click on the link, let's look at the campaign task log. Here we see that Metasploit has started various listeners as part of the Browser Autopwn run.

As soon as I click the link, you see Metasploit identify the browser & OS from where the click happened.

Browser Autopwn does its job in the background and pwns the box via the MS03-020 vulnerability.

w00t, we get a remote Meterpreter shell!

View the session details in the Sessions menu.

Loot & play with the pwn'd box by accessing the session.


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.