OSCP Prep – Episode 11: Client Side Attacks

Client side exploitation is penetration testing from a different perspective. The other attacks I have covered so far have all required direct access to a network to be successful, which has become increasingly difficult as network engineers and software developers strengthen their ‘perimeter’ defenses. As a result, client side attacks, where users unwittingly open the door and grant access to attackers, have become increasingly popular.
The ‘client’ in ‘client side attack’ usually refers to the operating system that the end-user interacts with. These operating systems are loaded with applications and software that are required to complete various tasks, which can all be attacked through the exploitation of vulnerabilities independent of the underlying operating system.

For more on what client side attacks are, please visit: https://technical.nttsecurity.com/post/102ej16/what-are-client-side-attacks

As noted above, client side attacks can use many different attack vectors. Some of the ways client side attacks can be executed are as follows:

Browser Exploitation

Web browsers can be used to trigger security issues and hijack a user's session. If the user visits a web page with malicious code, the browser will subsequently load that code (as it does for any webpage). This process can trigger vulnerabilities that exist within the browser, hijacking the memory and creating a shell session.
An example of this is the well-known Internet Explorer Aurora vulnerability, which was first exploited in 2010 against major companies worldwide. Using Metasploit, the Aurora module can be loaded to start a web server that runs with a payload attached, ready to be delivered. If a vulnerable Internet Explorer browser navigates to that site, the payload is loaded into the browser and the session is hijacked.
An interesting point about browser exploits is that they cause the browser to crash and become unresponsive. This is due to the memory being hijacked by the new Meterpreter session, leaving the browser no memory available for its standard functions. Typically, users who experience this will force close the browser, closing the newly gained Meterpreter session in the process. The result is the Meterpreter session being open for less than a minute before the user kills it (without even realizing!).
To solve this issue, the session can be migrated away from the browser memory into something more stable. This process can even be automated, so that the instant a session is opened, it is migrated away from the browser memory. Prolonging the time an attacker has with the session in this way allows them to gain further access, retrieve information or set up a persistent backdoor.

PDF Attacks

PDF software can also be exploited through the use of malicious PDF documents. PDF readers such as Adobe Reader have been found to contain vulnerabilities, and they are often not patched as frequently as other applications or operating systems.
Once a malicious PDF document has been created, it needs to be served and a handler needs to be set up for the payload. Another way a PDF document can be malicious is if it is set up with an executable inside. When the document is opened, the user will be prompted for permission to run the file. Clicking ‘Open’ will trigger the payload and create a session.
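A defender's triage check for the two PDF cases above, as an added example that is not from the original post: it counts the name objects that make a PDF active (embedded files, launch actions, auto-run actions) in the raw bytes, including hex-escaped spellings. The sample byte strings and the `verdict` thresholds are constructed for illustration, and names inside compressed object streams are not inspected.

```python
import re

# Name objects that make a PDF "active" (chosen for this example).
RISKY_NAMES = {
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "carries an attached file",
    b"/JavaScript": "contains JavaScript",
    b"/JS": "contains JavaScript",
    b"/OpenAction": "runs an action when the document opens",
    b"/AA": "defines additional automatic actions",
}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is recognised as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage_pdf(data: bytes) -> dict:
    """Count risky name objects in raw PDF bytes (streams are not decompressed)."""
    counts = {}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in RISKY_NAMES:
            key = name.decode()
            counts[key] = counts.get(key, 0) + 1
    return counts

def verdict(counts: dict) -> str:
    """Illustrative policy: block launch actions and auto-opened attachments."""
    if "/Launch" in counts or ("/EmbeddedFile" in counts and "/OpenAction" in counts):
        return "quarantine"
    return "review" if counts else "pass"

# Constructed fragments (not complete, openable PDFs), for demonstration only.
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Launch /F (attachment.bin) >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        found = triage_pdf(blob)
        print(label, verdict(found), found)
```

A check like this fits at a mail gateway or attachment sandbox, before the document reaches a PDF reader.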

Java Attacks

Java attacks function in similar ways to the browser or PDF attacks, but can be more powerful in the sense that they can gain access to multiple platforms and operating systems.
Any browser that is running a vulnerable version of Java can fall victim to Java attacks, creating sessions using the Meterpreter payload java/meterpreter/reverse_tcp. Using HTTP and HTTPS traffic to deliver the payload can be useful in other ways, as it often bypasses traffic-inspecting filters by appearing to be legitimate traffic.
Signed Java applets can also be accessed via the browser, and will prompt the user with a warning asking whether they would like to proceed. Provided the user agrees, the Java applet will then deliver the payload and open a session.

Client side attacks are becoming an increasingly valuable way of gaining access to a system, but rely on the user taking action on the target system first. Social engineering describes the way attackers can trick users into providing information or access, and is often used in conjunction with client side attacks to provide maximum chance of success.
For example, an email could be written to appear like it is coming from a legitimate business, with an ‘invoice’ or ‘bill’ attached as a PDF. Recipients of the email will likely be curious and open the attached PDF. Of course, the PDF was malicious and exploited a vulnerability in the PDF reader software, providing the attacker with access.

Because these types of attacks are so prevalent, training and awareness become even more important. Users need to be educated on client side attacks and social engineering techniques so they can guard themselves and their organisations from harm. Patching every application in a computer network is also important, and unfortunately often overlooked in many organisations. Vulnerable software can be an easy and effective way for attackers to compromise a system; the fewer avenues they have to exploit, the better.

One thought on “OSCP Prep – Episode 11: Client Side Attacks”

  1. Subarashi (Amazing) and well concise… Practicing for eCPT and I love mimicking black box testing (reading just the scope of engagement and any important note they might have left) before diving into their solution.

    And the lab I am practicing right now is the Client-side attacks lab.

    Rather than pouring out a list of Metasploit exploit modules, your explanation and description of attack vectors provide a clearer insight as to the subject.

    Thanks a lot… Love your blog

