Description: This is Part 14 of the Security Metasploit Framework Expert (SMFE) course material. You can begin by watching Part 1 here: http://www.securitytube.net/video/2556 . Enjoy! Certifications page: http://www.securitytube.net/cert-list
In this video, we will explore the fun world of client-side exploits. Until now we have seen how to exploit server-side vulnerabilities with Metasploit. These are great, but what if the host we want to exploit is firewalled against all incoming connections, or sits behind NAT? In that case we cannot reach the service remotely from the Internet and exploit it. This is where client-side exploits come in: we lure the user into opening a resource we control, such as a web page we have created, with an unpatched application such as a web browser. The web page contains an exploit that breaks into the client, and the payload it delivers uses a reverse connection to call back to us.
The advantages of client-side exploitation are that (1) we are targeting client-side software, which today is typically more vulnerable than the operating system itself, (2) the victim connects to us, so we do not have to worry about inbound firewall rules, NAT and the like, and (3) the reverse-connect payload ensures that the resulting session does not have to cross those same network obstacles mentioned in (2) either.
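As an added illustration (not Metasploit's own code, and not from the video), the Python below shows the server-side half of what a browser_autopwn-style web server does: it fingerprints the visiting HTTP client from its User-Agent header, looks the result up in a catalogue of exploit modules keyed by browser, OS and version, and serves a page that loads only the matching ones. The catalogue, its module names and version thresholds, and the sample User-Agent strings are all constructed for this example and describe no real vulnerability.

```python
"""Server-side HTTP client fingerprinting and exploit selection.

Added illustration of the browser_autopwn idea, not Metasploit code.
The CATALOG below is constructed for this example: its module names and
version thresholds are placeholders, not real vulnerabilities.
"""
import re
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass(frozen=True)
class Fingerprint:
    browser: str    # "Firefox", "Chrome", "IE", "Safari" or "unknown"
    version: tuple  # version as a tuple of ints so that (3, 6, 12) < (4, 0) compares correctly
    os: str         # "Windows", "macOS", "Linux" or "unknown"


# Order matters: Chrome also carries "Safari/" in its UA, and IE 11 carries
# "Trident/" with an "rv:" token but no "MSIE", so the more specific
# patterns are tried first.
_BROWSER_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Chrome",  re.compile(r"Chrome/(\d+(?:\.\d+)*)")),
    ("IE",      re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("IE",      re.compile(r"Trident/.*rv:(\d+(?:\.\d+)*)")),
    ("Safari",  re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]
_OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT")),
    ("macOS",   re.compile(r"Mac OS X")),
    ("Linux",   re.compile(r"Linux")),
]

# Constructed catalogue (hypothetical module names): each entry means
# "module applies to <browser> on <os> for every version below <first_fixed>".
# "*" matches any OS.
CATALOG = [
    ("Firefox", "Windows", (4, 0), "hypothetical/firefox_pre4_windows"),
    ("Firefox", "*",       (3, 5), "hypothetical/firefox_pre35_any"),
    ("IE",      "Windows", (9, 0), "hypothetical/ie_pre9_windows"),
    ("Safari",  "*",       (6, 0), "hypothetical/safari_pre6_any"),
]

# Constructed sample User-Agent strings used for the walkthrough below.
SAMPLE_USER_AGENTS = {
    "firefox_old": "Mozilla/5.0 (Windows NT 6.1; rv:3.6.12) Gecko/20101026 Firefox/3.6.12",
    "ie8":         "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "ie11":        "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "safari_old":  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 "
                   "(KHTML, like Gecko) Version/5.1.9 Safari/534.59.10",
    "chrome":      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "curl":        "curl/8.4.0",
}


def parse_version(text: str) -> tuple:
    """'3.6.12' -> (3, 6, 12); tuples of ints compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(user_agent: str) -> Fingerprint:
    """Classify an HTTP client from its User-Agent header alone (server-side step)."""
    browser, version = "unknown", ()
    for name, pattern in _BROWSER_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            browser, version = name, parse_version(match.group(1))
            break
    os_name = next((name for name, pattern in _OS_PATTERNS if pattern.search(user_agent)), "unknown")
    return Fingerprint(browser, version, os_name)


def select_exploits(fp: Fingerprint) -> list:
    """Return every catalogue module whose browser/OS/version constraints the client satisfies."""
    return [
        module
        for browser, os_name, first_fixed, module in CATALOG
        if browser == fp.browser
        and os_name in ("*", fp.os)
        and fp.version and fp.version < first_fixed
    ]


def render_page(fp: Fingerprint, modules: list) -> str:
    """Build the landing page: a hidden frame per selected module, or a harmless page if none match."""
    if not modules:
        return "<html><body><p>Nothing to see here.</p></body></html>"
    version = ".".join(str(part) for part in fp.version)
    frames = "".join(f'<iframe src="/{module}/" style="display:none"></iframe>' for module in modules)
    return f"<html><body><!-- {fp.browser} {version} on {fp.os} -->{frames}</body></html>"


class FingerprintingHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the module's built-in web server: fingerprint, select, serve."""

    def do_GET(self):
        fp = fingerprint(self.headers.get("User-Agent", ""))
        body = render_page(fp, select_exploits(fp)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; point a browser at http://127.0.0.1:8080/ and watch the selection.
    HTTPServer(("127.0.0.1", 8080), FingerprintingHandler).serve_forever()
```

Two points a practitioner should keep in mind. The User-Agent header is client-supplied and trivially spoofed (or stripped by a proxy), so a serious fingerprinting server supplements this server-side step with checks run as JavaScript inside the browser; this example stops at the server-side step. And in the example the catalogue is keyed on "first fixed version" rather than a list of affected versions, so that an unparsed or unknown client (the `curl` sample) is never matched by accident.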
Please do leave your comments below.
Tags: smfe, metasploit, client, exploit, browser, browser_autopwn
Nice, Vivek!!
@vivek-ramachandran, Thanks so much, Vivek :) I would like to ask what web server does msf use? And any idea which directory it loads the exploits into? I've been trying to find it but couldn't find the answer in msf's documentation.
@vivek-ramachandran: Correct me if I am wrong, but it seems like browser_autopwn.rb uses its own web server that is hard-coded inside the exploit and does not use Apache or any other web server.
I don't have that much experience with Ruby, but using a text editor I viewed browser_autopwn.rb and found a comment that says the web server uses a combination of client-side and server-side techniques to fingerprint the HTTP client and then exploits them.
@j0k3rr I think you are right, browser_autopwn uses its own servers, and if I am right they are written in Python, but one way or another you can configure it to use the Apache server by creating a custom configuration file.
I'm writing to you to say three things. First, that I love your WiFi pentesting book; I have it next to my antenna alongside the DVD from your class, and I have to say the book is such a great complement to the video series and I have learned so much from it. I'm going to do the class again in my next uni break so I can sign up for your exam :-) Second, that I'm loving the SMFE series, keep it up. And the last thing, as always, my comment is in the form of a request: can you make a series about the steps before going into the exploitation part of the pentest, stuff like info gathering techniques/OSINT, open services, ports and vulnerability scanning, you know, all the fun stuff that leads up to pressing the big red exploit button and rewards us with a shell or, better yet, a meterpreter session :-)
As always, thank you for making such great videos and sharing your knowledge with everyone.
great job
If no activity is performed on the server system, then how do we break the firewall? No one is giving this answer. If someone has some idea, then please share.
Great job again.
If the firewall has port 80 open (and most do) and the user goes to your server running Metasploit, then you win.
Vivek-Ramachandran, nice videos, keep up the good work.
@ringneckparrot: Thanks :) I will look into it and see what I can find. Appreciate your comment!
Thanks, Vivek, for your time and patience in making this video. I was wondering, with the server you've created with the autopwn exploit, can you send this to an outside network? For example, send it through Facebook, Twitter or Gmail? Or if you lived in the U.S. in Minnesota and sent the exploit to someone in California, would you be able to get a meterpreter session?
I've got a couple more questions to keep you interested : )
In Metasploit, when you exploit with autopwn, your URL link is your IP address. Is there any way you can change it into letters?
Can you please make demos for SQL injection and XSS and other browser/application attacks? They're my favourite, but I seem not to understand them very well :/ I feel like you would explain them the best.
And keep the videos going. Have you ever thought about being a teacher?? : )
Thanks, Vivek, for these great videos. Your approach is very practical and straightforward. Very easy to follow, even for advanced techniques. I have two questions:
1. Can I use letters instead of numbers as my URL when I do browser_autopwn?
2. What is the best way to scan for an IP over the Internet?
Thank you.
Hey Vivek,
I just had a question about running 'sessions -l' after the exploit has been run on the victim. I'm testing these kinds of things out as we go, but after it displayed the sessions, Metasploit crashed with the error:
shell.rb:180:in 'getwd' : no such file or directory
Was that a typo in the Ruby script it's attempting to run, and should it be getcwd instead? Everything worked seamlessly up until that point, but then it crashed and lost the session, etc.
Great videos, by the way... I've developed a huge appreciation for Metasploit and how useful it is. Thanks.
Forget it. It seems to have been a bug in Kali Linux 1.0.2. I upgraded the version I was on to 1.0.3 and it works like a charm.