Thursday, December 27, 2012

[Metasploit Pro] Configure custom campaigns & reporting


We will now cover configuring Custom Campaigns.

Let's start.

Choose the option 'Custom Campaign' and give it a name - Demo Custom Campaign. In the Campaign Components, there is a (+) control that we can use to add e-mail, web page, and portable file resources. We can add multiple of these to our campaign.


We click on Email & the first step is to configure E-mail settings. The configuration is similar to the one described in previous posts. The new addition to this step is the 'Attack type', which has 2 options:

  1. None
  2. Attach File
With the 'None' option, no attachments are sent with the email. With the 'Attach File' option, we can configure & define various file types to be sent as an attachment.



Give the attachment a name, and we can choose to zip (compress) it if needed. This is useful when the target SMTP server might be configured to block .exe attachments.
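The gateway-side counterpart to the zipping option above, as an added example (not part of the original post or of Metasploit): an attachment check that opens ZIP archives and looks at each member's extension and leading bytes rather than trusting the outer file name. The blocked-extension list, the size limit and the sample archive are assumptions constructed for the illustration.

```python
import io
import zipfile

# Extensions the gateway policy blocks (assumed policy list for this example).
BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".dll")
MAX_MEMBER_SIZE = 20 * 1024 * 1024   # refuse to unpack anything larger (assumed limit)

def build_sample_zip():
    """Constructed sample: harmless bytes that only carry the DOS 'MZ' magic."""
    pe_like = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", pe_like)
        zf.writestr("docs/report.txt", pe_like)   # executable magic, innocuous name
        zf.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()

def inspect_attachment(name, data, depth=0, max_depth=2):
    """Return (path, reason) findings for an attachment, descending into ZIPs."""
    findings = []
    if name.lower().endswith(BLOCKED_EXT):
        findings.append((name, "blocked extension"))
    if data[:2] == b"MZ":
        findings.append((name, "executable magic"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= max_depth:
        return findings + [(name, "archive nested too deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:               # bit 0: member is encrypted
                findings.append((path, "encrypted member, cannot inspect"))
            elif info.file_size > MAX_MEMBER_SIZE:
                findings.append((path, "member too large to inspect"))
            else:
                findings += inspect_attachment(path, zf.read(info), depth + 1, max_depth)
    return findings

if __name__ == "__main__":
    for path, reason in inspect_attachment("attachment.zip", build_sample_zip()):
        print(f"{path}: {reason}")
```

Members that cannot be inspected (encrypted, oversized, nested too deep) are reported rather than silently passed, so the policy decision stays with the gateway.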

There are 3 types of files that can be generated:

  1. .EXE agent
  2. File format exploit
  3. User supplied file
.EXE agent generates a malicious file and sends it as an attachment to our email. There is barely any information provided on this option in the Help documentation. It is not clear what kind of agent this is supposed to create, what platforms it targets, what the connect ports are, whether it is encoded to avoid getting picked up by AV, etc. A quick strings on the generated .exe file is shown here anyway:

root@localhost:Demos# strings MaliciousEXE.exe
ej@h
CloseHandle
ReadFile
SetFilePointer
VirtualAlloc
CreateFileA
GetModuleFileNameA
KERNEL32.dll
root@localhost:Demos# file MaliciousEXE.exe
MaliciousEXE: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

I attempted to run it in my lab box (XP SP3) & the .exe crashed. So I'd prefer other options over the .exe agent one.

The option User supplied file is probably more useful if you are sending out malicious files for getting connect backs; generate a meterpreter reverse shell using msfpayload in exe format, run this through encoding iterations using msfencode & it's good to go. We can choose a file from those we uploaded in the Manage Reusable Resources area or upload a new file on the fly.

For the demo, however, I have chosen the File format exploit attachment type.



Let's click on the Adobe PDF Escape EXE Social Engineering (No JavaScript) to open up its configuration.


Save the configuration, and that's all.


From here, we will create the E-mail Content.


Save the E-mail configuration and we come back out on the dashboard.

Alright, now it gets interesting. Now we will start setting up web pages. Remember, unlike in the canned phishing campaign type, we can create multiple web pages in the custom campaign.

For the Web Pages, there are five Attack types that we can configure:

  1. None (okay I didn't count this one in)
  2. Phishing
  3. Exploit
  4. Serve File
  5. Java Signed Applet
  6. Browser Autopwn
Let's create page 1 - Java Signed Applet Web Page - with Attack type as Java Signed Applet.


 Configure the exploit.


Once we save the attack configuration and move to the Page Content step, we see it cannot be configured. Basically, the Content is disabled when serving exploits. This applies to all attack types except Phishing.





Similarly, we will configure web pages for Exploit, Serve File & Browser Autopwn attack types.





 



We can also create a new web page that links to all of the web pages configured above (as an example). We can then configure a new phishing web page & redirect the users to this Redirect To Web Page after they submit the phishing form.



Time to configure the Phishing Web Page. Here we have two options for redirection:

  1. Define a redirect URL (can be one of the above web pages or a separate web server, for example BeEF)
  2. Choose another attack page to redirect to - select one of the web pages we configured earlier





Make the phishing form & save the configuration.



One more piece that we can configure and plug in to our campaigns is malicious portable file(s). Following is the configuration screen:




At last, when we have configured all the required components, we can view them on the dashboard. The remaining configuration now is for the Email and Web server. 



All sections for our custom campaign are now completed.


This new campaign is now listed under the Manage Campaigns area.


Preview it before launching it.


Progress of the campaign is periodically updated as and when the target user(s) perform a specific action - opening the email, clicking on the malicious URL(s), submitting the phishing form and eventually getting pwned.


When the form is submitted, the information can be viewed by clicking on the email address. Note that the email address is being shown as Anonymous, because I did not click the link from the email, but instead opened the link directly in my lab box.



When the target box gets pwned successfully and a session is opened, the stats get updated in the last circle, and session information is populated in the table. Click on the session to manage the session.



To conclude, I will touch slightly upon the reporting capability as well.

To generate a new report for this campaign, we just need to click 'Generate Report' provided at the top. On the reporting screen, we have several options we can configure for the report.

We start by selecting the Report Type as Social Engineering Campaign Details. The report can be generated in the following four formats:

  1. PDF
  2. Word
  3. RTF
  4. HTML

Give it a name, and the next important step is to select the specific campaign for which we want the report generated. We can select the campaign from the drop-down.

Next, depending on the audience & deliverable type of our testing engagement, we can include/exclude any specific sections from the report.


The report can be emailed as well if required.



This brings us to the close of the Metasploit Pro client-side campaign write-ups. The overall process is pretty simple & straightforward. While the canned phishing campaign limits the maximum web pages to two - landing page and a redirect-to page - it is useful for setting up a campaign quick & dirty, for example when only phishing is targeted. In contrast, Custom campaigns give a great amount of flexibility in setting up the campaign.

There are a few more limitations associated with running campaigns, though:

  1. A campaign can contain one email only.
  2. Each Metasploit Pro instance can run only one campaign at a time.
  3. Metasploit Pro does not serve images or asset files locally. For manually created web pages, we must define fully qualified URLs.
+++++

See ya guys around.



Tuesday, December 25, 2012

[Metasploit Pro] Managing Resources & Campaigns

In the last post, we covered how to configure a new phishing campaign. We will now cover the 'Manage Reusable Resources' area of the Campaigns dashboard.

Let's start.

The Manage Reusable Resources section offers four resource types that can be created:

  1. Target Lists
  2. Email Templates
  3. Web Templates
  4. Malicious Files
Selecting the Target Lists option shows all the Target Lists we have created earlier; if there are none yet, we need to create one. In our example, we had already created one Demo Target List earlier.



Clicking on the target list shows all the email addresses in that list. Notice that there is no option to edit the email addresses. If I need to make a change to target emails, I will need to delete the old email address and add the new one.


Also, Metasploit does not allow deleting all the email addresses from a target list. There needs to be at least one email address in the target list.


So, now I will add a new email address and delete the previous 2 emails.


A pretty cold, mechanistic message comes up!


The Target List is successfully updated.

Next, we can create Email & Web Templates. Templates are message content that we can reuse in our campaigns. Let's start with Email Templates.


Click New Email Template, give it a name and add the message.
Note: We must add the tag {{email_content}} to our message, otherwise Metasploit does not allow saving and creating the template.


Similarly, we create a New Web Template, give it a name and add the HTML.
Note: As with the email template, we must add the tag {{ web_page_content }} to our message, otherwise Metasploit does not allow saving and creating the template. By default this tag is added in the template(s) that come with Metasploit.


The last resource type is Malicious Files. Here we can upload different malicious files which we can attach and send out in our emails. For example, file format exploits (pdf, word etc), reverse meterpreter exe, etc.


Note: The file name must have the file extension provided.


At this point, we have configured a campaign, and configured reusable resources. The final aspect is Managing our campaigns. This is done through the 'Manage Campaigns' area in the dashboard.

As shown below, we have one campaign configured and it has two components - Email & Web. The Start button is still enabled and on the right end, there is a 'Launchable' status message, so we know we are ready to go. We can also Preview, Edit or Delete the campaign.


Preview shows each component configuration one by one. Here we see the E-mail config.


The preview of the Landing Page and the Redirect Page is shown similarly.



Once we confirm the preview, we can go ahead and launch the campaign.


Once we start the campaign, we can monitor the progress in the Findings screen. This screen gives information on the number of emails sent, % of recipients that opened the email, % of recipients that clicked the link (that we sent in our emails), and % of recipients that submitted the (phishing) form.

We can view the progress in the Task window as well. 




These statistics are updated as and when the target user(s) perform an action - checking email, clicking the link, and submitting the form.

As shown below, when I submit the phishing form, my email & timestamp information gets populated under the 'Recipients that clicked the link' circle.


To view the information submitted to the form, simply click on the email address which then opens a new page with all the details.


And with this we come to the close of this campaign run.

In future posts, we will cover Custom Campaigns & Reporting. For Custom Campaigns, the process is the same. However, unlike phishing campaigns, we can create multiple web pages, each with its own attack method, redirect pages, malicious files to attach, etc. Custom Campaigns simply level up the flexibility and add value to the test configurations.

I hope you find these posts useful.

Stay connected.
