20160306

Execute Shellcode in Firefox

Well, one of my goals for this blog is to make a note of something that took me a while to figure out, so I can look it up later, rather than relying on myself to remember.  If I stumble on something you were trying to figure out, too, so much the better.  I put a video together of me exploiting a Firefox browser, and then getting the hashed passwords from the computer.  Here, I will put a little more explanation to keep me from talking.

The setup requires two computers.  I used a Windows XP computer for my victim machine, and of course my Kali machine for the attacker.  I am still using Kali 1.-something; I find it easier to find help for that one.  You can get old versions of applications for testing and experimenting here.  I used Firefox version 15 for this setup.  The Metasploit modules I used were:

exploit/multi/browser/firefox_xpi_bootstrapped_addon
exploit/firefox/local/exec_shellcode
post/windows/manage/smart_migrate
post/windows/escalate/getsystem
post/windows/gather/smart_hashdump

Follow the links if you want to know more about the modules.  If you want to watch the video, go here.

Some user interaction is required; I leave it to your imagination to figure out how an attacker might get a user to install a plugin or add-on.  As I mentioned in the video, it is a good idea to migrate out of the Firefox process since you don't want your presence to rely on the user not closing the browser.  Additionally, if you change the EXITFUNC setting to 'thread', you will not cause the browser to close when you migrate out of it or close your session.  Finally, if the user is not part of the "Administrators" group, the escalation will fail, and the hashdump will fail if it is attempted without SYSTEM privileges.
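Seen from the defender's side, the add-on install step is the point where this chain can be caught. The following is an added example, not code from the original post or from Metasploit: a Python triage of an .xpi file that flags legacy bootstrapped (restartless) add-ons that carry no Mozilla signature file. The function names and the sample archive are constructed here, and the signature check only looks for the presence of META-INF/mozilla.rsa; it does not verify it.

```python
import io
import re
import zipfile

# Legacy add-ons mark a restartless install in install.rdf (element or attribute form).
# A regex is used so the untrusted manifest never reaches an XML parser.
BOOTSTRAP_RE = re.compile(
    r"<em:bootstrap>\s*true\s*</em:bootstrap>|em:bootstrap\s*=\s*[\"']true[\"']", re.I)
MAX_RDF = 1 << 20  # refuse to decompress an oversized manifest

def triage_xpi(data):
    """Collect triage facts about an XPI supplied as raw bytes."""
    facts = {"valid_zip": False, "bootstrapped": False,
             "has_bootstrap_js": False, "has_signature_file": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return facts
    with zf:
        entries = {i.filename.lower(): i for i in zf.infolist()}
        facts["valid_zip"] = True
        facts["has_bootstrap_js"] = "bootstrap.js" in entries
        facts["has_signature_file"] = "meta-inf/mozilla.rsa" in entries
        rdf = entries.get("install.rdf")
        if rdf is not None and rdf.file_size <= MAX_RDF:
            text = zf.read(rdf).decode("utf-8", errors="replace")
            facts["bootstrapped"] = bool(BOOTSTRAP_RE.search(text))
    return facts

def needs_review(facts):
    """Restartless add-on that runs bootstrap.js on install and has no signature file."""
    return (facts["valid_zip"] and facts["bootstrapped"]
            and facts["has_bootstrap_js"] and not facts["has_signature_file"])

def build_sample_xpi(bootstrap, signed):
    """Constructed sample archive for the demo; not a real add-on."""
    rdf = ('<?xml version="1.0"?><RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           '<Description about="urn:mozilla:install-manifest">'
           '<em:id>sample@example.invalid</em:id>'
           '<em:bootstrap>%s</em:bootstrap></Description></RDF>' % str(bootstrap).lower())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", rdf)
        zf.writestr("bootstrap.js", "function startup() {}\n")
        if signed:
            zf.writestr("META-INF/mozilla.rsa", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi(bootstrap=True, signed=False)))
```

Firefox 15, the version used in this setup, predates mandatory add-on signing, so on a browser that old the install prompt is the only gate.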
