This method was taken out in the Core IMPACT Pro 8 release, but it can still be done. I’ve taken the ‘generic’ knowledge base article from the Core Security customer support portal for the 7.5 product and edited it to show how it works. Core tell me that they are looking to put the ability to perform a client-side attack without attempting an exploit back into the mix in the next rev.
Here are a couple of points to note, though: the chances are the AV on the local machine is going to pick up the ‘click’ as a virus called “Bloodhound.Exploit.196”, so your crew will see a lot of anti-virus activity if the exploit works. Also, if you have an internal proxy with AV built in, clicking the link will be immediately redirected and won’t make it through to the exploit web server. Who has an internal proxy though? Right? We do!
An interesting idea that I’ve heard would be to have a message appear on clicking the link in the exploited email that says “You shouldn’t have clicked that! – Contact IT immediately”, or whatever your company dictates is appropriate – I’m liking that idea. Anyhow, here’s the write-up.
How to perform a client-side attack without attempting an exploit, and acquire an understanding of users (via their respective email addresses) who are susceptible to a client-side attack.
After acquiring a list of email addresses via the Client-side Information Gathering wizard, perform the following steps:
1. Launch the Client-side Attack & Penetration wizard, specify an email address in the FROM field, choose one or more target email addresses for the TO field, and click Next.
2. For the Attack Type, choose the Web Browser attack and click Next.
3. For the Exploit, click the Change button and select the IE VML Buffer Overflow exploit. For the E-Mail template, click the Change button and choose a message template. Modify the SUBJECT and click Next.
4. Specify an IP address for the SMTP server to which the messages are to be delivered, select the Connect From connection method and click Next.
5. Once the Client Side Attack & Penetration wizard appears in the Executed Modules window (give it a minute or two if you have a huge list of email addresses), right-click the Agent Connector Manager Module that is running beneath it and select Stop.
What will occur is that the Agent Connector module stops, which prevents the exploit from being attempted; the Client-side Attack & Penetration wizard itself, the IE VML Buffer Overflow exploit and its child module stop as well. The only module that should remain running is the Web Server module.
Note that the purpose of the Web Server module is to record any connectivity to it, which is the result of a user having clicked the link offered in the email. If you examine the Module Log window for the Web Server module, any connectivity will be reflected there.
After a period of time has passed, generate the User Report (found under the Client Side Report Generation wizard). It will reflect the number of email addresses harvested, the number of email addresses tested (i.e. attacked) and the number of email addresses of users who clicked the link offered, along with pertinent information such as their email address and IP address.
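The same exploit-free click test can be reproduced outside Core IMPACT with a few lines of Python. The following is an added example, not Core IMPACT code or the knowledge base article’s own method: every target email gets its own unguessable tokenised link, a hit on that link is logged with source IP and User-Agent, the visitor gets the “You shouldn’t have clicked that!” awareness page instead of an exploit, and report() produces the same harvested / tested / clicked headline numbers as the User Report. The host name, port and the /lure path are assumptions, and the addresses in the usage section are constructed sample data.

```python
"""Exploit-free click tracking, as an added example (not Core IMPACT code).

One tokenised link per target e-mail; a hit on the lure path is logged with
source IP and User-Agent, the visitor gets an awareness page instead of an
exploit, and report() summarises harvested / tested / clicked like the User
Report above.  LURE_HOST and LURE_PATH are assumed names for this example.
"""
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LURE_HOST = "http://phish-test.example.internal:8080"   # assumption
LURE_PATH = "/lure"                                      # assumption

AWARENESS_PAGE = (b"<html><body><h1>You shouldn't have clicked that!</h1>"
                  b"<p>Contact IT immediately.</p></body></html>")


class Campaign:
    """Tracks which harvested addresses were sent a lure and who clicked."""

    def __init__(self, harvested):
        self.harvested = list(harvested)   # everything the gathering step found
        self.tokens = {}                   # token -> e-mail address
        self.clicks = []                   # one dict per hit on a valid token

    def build_links(self, targets):
        """Return {email: url}; each address gets its own unguessable token."""
        links = {}
        for email in targets:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = email
            links[email] = f"{LURE_HOST}{LURE_PATH}?t={token}"
        return links

    def record_hit(self, path, remote_ip, user_agent, when=None):
        """Map an HTTP request path back to a target; None if it is noise.

        Requests without a valid token (favicon probes, scanners, someone
        guessing the path) are ignored rather than counted as clicks.
        """
        parsed = urlparse(path)
        if parsed.path != LURE_PATH:
            return None
        token = parse_qs(parsed.query).get("t", [None])[0]
        email = self.tokens.get(token)
        if email is None:
            return None
        self.clicks.append({
            "email": email,
            "ip": remote_ip,
            "user_agent": user_agent,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        })
        return email

    def report(self):
        """Same three headline numbers as the wizard's User Report."""
        clicked = sorted({c["email"] for c in self.clicks})
        return {
            "harvested": len(self.harvested),
            "tested": len(set(self.tokens.values())),
            "clicked": len(clicked),
            "clickers": clicked,
            "hits": list(self.clicks),
        }


def make_handler(campaign):
    """Build a request handler bound to one campaign."""

    class LureHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            email = campaign.record_hit(
                self.path, self.client_address[0],
                self.headers.get("User-Agent", ""))
            # Everyone gets the awareness page: a valid click is logged above,
            # anything else learns nothing about which tokens exist.
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(AWARENESS_PAGE)
            if email:
                self.log_message("click from %s (%s)", email, self.client_address[0])

    return LureHandler


if __name__ == "__main__":
    # Constructed sample data: addresses the gathering step might have returned.
    campaign = Campaign(["alice@example.com", "bob@example.com", "carol@example.com"])
    for email, url in campaign.build_links(["alice@example.com", "bob@example.com"]).items():
        print(f"{email}: {url}")   # paste into the e-mail template's link
    HTTPServer(("0.0.0.0", 8080), make_handler(campaign)).serve_forever()
```

Two points worth keeping in mind when reading the hits. A URL-scanning proxy or mail gateway that pre-fetches links will present a valid token, so it is recorded as a click; the per-hit IP and User-Agent are what let you separate the proxy from the person, so do not report on the headline count alone. Secondly, the “tested” figure is the set of distinct addresses that were given a link, so sending the same address twice does not inflate it.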