The Java Applet Attack considers as one of the most successful and popular methods for compromising a system.Popular because we can create the infected Java applet very easily,we can clone any site we want that will load the applet very fast and successful because it affects all the platforms.The only difficulty is how to deliver the Java Applet properly in order to trick our victims.
This attack could be used in engagements that our task is to use social engineer techniques against our client’s employees.
The Java applet Attack vector affects:
- Windows Systems
- Linux Systems and
- Mac OS X
In this tutorial we will see how we can generate an infected Java applet in order to obtain a shell from the remote machine.
We are opening the Social Engineering Toolkit and we choose the option Website Attack Vector.
In the next menu we will choose the first option the Java Applet Attack Method:
In the next image we will see that there are 3 options.The option site cloner would be used in order to recreate the website of our choice that will carry the malicious Java applet.
The Website that it will load the Java Applet in this tutorials is the pentestlab.wordpress.com but you can use any website you feel comfortable that can trick the users to run the Java Applet.
The next part is to decide which payload it will be used.There is a variety of available payloads that SET provides but here we have chosen to use a simple Windows Shell Reverse TCP as you can see it and from the image below:
After the selection of the payload it is necessary to decide which encoding would be used in the payload in order to bypass the antivirus protection of the target.There are 16 options here with a rate from SET so we have chosen the Backdoored Executable which is the best choice there.
The next option has to do with the port of the listener.You can press enter in order the SET to choose the default port which is 443.You can see in the next three images below the following:
- Backdoor generation
- the launch of the web server that will listen to our machine and
- the last settings for the exploit.
Our next step now is to try to find a way to mask our IP address in order to have a domain that will look original.We can register a domain or we can use any of the online shorten URL services to hide our IP when we will send the link to our target.
Although the attack seem very easy to implement this step is the most challenging because we have to convince the target that the website is real in order to allow the Java Applet to run.
For example we can spoof email addresses of the company that we are conducting the penetration test in order our mail to look legitimate.Most of the employees will think that it is an email that came from inside the company so we have many possibilities to open it and to allow the Java Applet to run without knowing that the applet is already infected with a malicious code.
If we write and a good story inside the email for a new website that they must see or something similar and we hide our IP behind a domain then the attack will probably have a huge success rate.
Lets say that someone is opening our link which is our fake website he will see the following:
If our victim click on the Run button then the exploit will executed and it will return a remote shell to our system.The next two images are proving that the attack was successful.
We have used the command sessions -i 1 in order to interact with one of the active sessions.
Another great advantage of that method is that as soon as the victim will run the infected applet it will redirected to the original website without knowing what happened.