Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson on Client-Side Attacks covers basic browser exploitation with a focus on the Internet Explorer browser on Windows XP. Participants receive step-by-step instructions on setting up a server to exploit a browser and obtain a session. This lesson also teaches about the migrate function, which moves Meterpreter into another process so the session survives when the exploited browser is closed.

Video Transcription

00:04
All right. Now, let's take a look at something a little bit different.
00:07
We're going to work with client-side attacks. So for everything we've done, we've gone over the network in some way, be it
00:15
to port scan, to run an exploit, or to run an online password attack.
00:21
In this case, we're not going to be working over the network. Instead of directly accessing a port
00:28
to run an attack of some sort, we're going to instead set up our own server and wait for our client, our target, to come to us.
00:38
So this will allow us to access things that aren't listening on a port but may be subject to vulnerabilities. For instance, browsers, PDF viewers, music players. Basically anything that opens some sort of file could be subject to this sort of attack, as we can send it
00:56
potentially malicious files.
00:59
So I want to start with
01:00
the basic browser exploitation.
01:04
use exploit
01:07
windows
01:10
browser
01:14
and I want a
01:17
particular one. Our Windows XP browser is actually probably vulnerable to lots of things. You may find
01:23
other things it's vulnerable to. I almost do want one that's kind of like MS08-067 in terms of fame for browsers, but I don't see it quite as much
01:36
now. Not many people are still using such an old version of
01:41
Internet Explorer. We'll see some more up-to-date vulnerabilities in the section. But this particular vulnerability did
01:49
manage to exploit a lot of big-name companies when it first came out,
01:57
called the Aurora vulnerability. Let's show our options on it.
02:01
It's a little bit different than anything we've seen so far. Like, we don't have RHOST. It's just not there. So we have SRVHOST,
02:09
that's set to all IP addresses, which is fine. SRVPORT, you can change that to 80 or
02:15
443 if you want to.
02:17
You could even set up an SSL service. If you have a certificate, you can use it, or you can generate one,
02:25
and set the SSL version.
02:30
URIPATH is not necessary, but will certainly make our lives easier, because we're actually going to send the link.
02:37
Well, we're not going to send the link. Rather, we're going to just type it in as the target,
02:42
so URIPATH. If you don't set something for URIPATH, it will just pick a random one, and that's not going to be very nice to have to type in.
02:50
Really, the only thing we have to set here is just URIPATH.
02:53
Call it
02:54
class.
02:59
Show payloads.
03:01
The usual suspects for Windows.
03:06
Set payload, everybody's favorite, windows/meterpreter
03:10
reverse_tcp.
03:14
My IP address is, yes, that one.
03:24
So where's our session, and where are things happening?
03:29
Well,
03:30
again, we're setting up a server. So all we've done here is create a server in the background. If we do jobs, we can see it
03:38
automatically running as a background job.
03:42
That server is just running on port 8080 at the URL /class, and anyone who browses to that page,
03:49
if they're vulnerable to this MS10-002 Aurora issue,
03:54
well,
03:55
it'll attempt to exploit their browser
03:59
and give us a session.
04:00
So we'll look later in the section at
04:03
some methods of social engineering. But our goal is going to be, one way or another, to get people to browse to the site. Do something like the DNS spoofing thing that we did
04:14
previously in the course, or we could do social engineering and send an email with a link in it.
04:18
So, any way to get them to browse to this page.
04:24
Of course, we'll just play the user. Open up our old version of Internet Explorer and just browse to it.
04:32
It's port 8080, which you could change.
04:35
And it's called class.
04:40
The browser should appear to hang. It did. See it?
04:44
It may not work the first time.
04:49
In general, it seems that browser exploitation itself isn't as stable as some of the other memory corruption. That did work, though. In case yours didn't and you have to try it again, just reopen the browser and try again. Notice that once we start the exploit, our server is still running in the background.
05:05
You don't have to
05:08
set it again,
05:10
kill it, or change anything. Just
05:14
rerun it.
05:15
We did get a session. It won't automatically drop into it. Do sessions -l, and it says it's session one.
05:26
yeah,
05:28
Do sessions -i 1.
05:30
As expected, we are at the usual. We're logged in as Georgia, an administrator here. We can do
05:36
pretty much everything we could do on this system.
05:42
The really unfortunate thing about this is that Meterpreter actually runs entirely inside of the exploited process.
05:48
And if the user tries to use this browser, they're obviously not going to be able to do so. Its memory has been corrupted to the point that it just can't function.
05:59
So they might have to go to Task Manager and force-kill it. But regardless, if the user uses Internet Explorer, they're probably pretty used to this sort of thing, that their browser hangs and they have to restart.
06:10
So they probably won't even think much of it.
06:15
But when we restarted our browser,
06:17
our session actually died.
06:20
So that's not very good. We had our session for about a minute.
06:25
But assuming the user wants to continue using their browser, which they probably will, it doesn't look like we're going to have our session for very long.
06:32
So what can we do about this? Let's get our session back first.
06:45
There we go.
06:46
I got my session back.
06:50
This is session two.
06:54
Do a ps to see our processes, just like on Linux.
06:58
The process I'm currently in is going to be my iexplore.exe,
07:03
but I want to go somewhere that's less likely to just disappear on me.
07:10
That explorer.exe is basically the Start menu. It seems unlikely to just disappear, so its
07:16
process ID is 3888.
07:20
I use the Meterpreter command migrate, process 3888.
07:33
The process of migrating actually managed to kill the browser,
07:38
but my session is still alive. So I can use this migrate functionality, which allows me to take my Meterpreter
07:46
memory and move it somewhere else, into another process's memory space, to allow me to live on.
07:53
But this, unfortunately,
07:56
relies on the fact that I happened to be sitting here
08:00
paying attention when this comes in, and I'm able to do it quickly.
08:03
Well, if we're doing any social engineering and we send out tons of emails, we certainly don't want to sit here all day
08:11
and even into the night, possibly, waiting for sessions to come in. So is there some way to automate this?
08:18
Do show advanced.
08:22
So, as we saw previously, some
08:24
additional options. There are actually a couple of things we can do.
08:28
We'll see Metasploit scripting in the post-exploitation section. We could actually use a Meterpreter script that's called migrate. The one we just did was a Meterpreter command; there is also a Meterpreter script, which can be a little confusing, but we'll talk about that in post-exploitation. You could set
08:46
a Meterpreter script
08:48
to automatically migrate.
08:50
It would just spawn a new process, because if you used a process ID, you wouldn't know it.
08:56
You can tell it to spawn a new process and go into it.
09:00
But that's one way to do it. One that's
09:03
a little bit better, actually, is this PrependMigrate. With AutoRunScript, it's going to spawn the session
09:11
and then migrate,
09:13
a little bit slower than this PrependMigrate, which spawns and runs the shellcode in a new
09:20
process. So it actually, before it gets to the session, has already gone into a new process.
09:26
So this was added in Metasploit for this reason. For some of your browser and other client-side exploits, the author will actually go ahead and set PrependMigrate to true so you don't have to do it. It really just depends on the
09:41
preferences of the person who wrote it, as far as I can tell. Some of them do, some of them don't.
09:48
So we just want to set PrependMigrate true.
09:56
You do it the same way as any other option. The problem is, now that we've made changes, this job that's running won't reflect those changes. So we actually need to kill this off.
10:07
Kill job zero.
10:09
And run exploit again
10:11
to take into account our option change.
10:18
Let's try one more time.
10:31
We get our Meterpreter session
10:33
three.
10:37
Interact with it,
10:41
and let's see if we die. We'll kill the browser.
10:45
Still non-functional.
10:48
Memory corruption still occurred,
10:52
but this time we get to keep our session, and we didn't have to do anything. We didn't have to be there. We could possibly come back in the morning and it would still be there, assuming no user restarted or there wasn't a loss of network connectivity.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor