Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/16/2009
03:32 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Anatomy Of A Client-Side Attack Using Metasploit

A new report from the SANS Institute sheds light on some important attack trends that security professionals need to take action on immediately.

A new report from the SANS Institute sheds light on some important attack trends that security professionals need to take action on immediately.The glaring issues are Web application and desktop application vulnerabilities that are being used for combined attacks -- making for a successful one-two punch. The graphs and statistics are useful, but I think the graphical example of a HTTP client-site exploit really drives home the reality and ease in which these attacks can be carried out.

I highly recommend you take a look at the example in the report if you haven't already. It's titled "Tutorial: Real Life HTTP Client-side Exploitation Example." As I was reading through it, I couldn't help but think of the recent NYTimes.com malvertisement incident I wrote about yesterday.

In Step 0 of the example, the attacker places content on a trusted site, which is exactly what happened with the NYTimes.com incident. The difference is the example exploits a client-side vulnerability instead of trying to lure the user into running a fake AV tool and infecting hhimself.

While the similarity in the first part of the attack is interesting, this type of attack is not rocket science. Every single step can be carried out using free and/or open source software that is available for anyone to use. I was originally planning to give examples of the tools to use for each step, but the fact is that every single step can be carried out using the Metasploit Framework.

In Step 0, an attacker (or penetration tester) creates a weaponized PDF file using Metasploit (possibly using the Adobe JBIG2Decode Memory Corruption Exploit) and places it on a social networking site. In Step 1, the victim (or client of the pen-tester) opens the PDF that exploits one of the numerous recent vulnerabilities in Adobe Acrobat. The exploitation results in an meterpreter backdoor for the attacker via HTTPS as discussed in Step 2.

Steps 3 and 4 is where the example gets interesting because pass-the-hash attacks don't make it into the mainstream media like Web and client-side vulnerabilities do. In Step 3, the attacker dumps the local account password hashes and, instead of cracking them with rainbow-tables, "passes" the Administrator's hash to gain access to other systems in Step 4 and eventually, a Microsoft Active Directory Domain Controller in Step 5. Again, all of this can be done in Metasploit, which you can see in this excellent example video demonstrating the Pass-the-Hash attack.

Steps 6 and 7 are where the attacker goes for the crown jewels and starts pilfering data out of the victim's network over HTTPS, thwarting the victim's network-based DLP solution because he can't view the encrypted HTTPS session. Awesome, isn't it?

The report is worth the read and is something you can use to slap your executives around in an effort to get the funding you need to start cleaning up those Web apps and patching those third-party apps. But one of the real gems is this example of a real attack in simple terms and illustrative graphics should really help you get your point across. Oh, and just wait until you tell them you can carry the entire attack out using a freely available tool.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8741
PUBLISHED: 2020-02-28
A denial of service issue was addressed with improved input validation.
CVE-2020-9399
PUBLISHED: 2020-02-28
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
CVE-2020-9442
PUBLISHED: 2020-02-28
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
CVE-2019-3698
PUBLISHED: 2020-02-28
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux...
CVE-2020-9431
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.