1
00:00:00,970 --> 00:00:07,780
Another way to compromise the target systems is to send the malware as a browser add-on. You can use

2
00:00:07,780 --> 00:00:13,210
Metasploit Framework to prepare malicious Firefox add-ons and serve them from a server.

3
00:00:14,600 --> 00:00:19,840
Select the exploit and the payload, then set the options. When you run the exploit,

4
00:00:20,950 --> 00:00:28,240
it starts a handler as well as an application server to release the add-on. As soon as the victim allows

5
00:00:28,240 --> 00:00:29,740
you to install the add-on,

6
00:00:30,010 --> 00:00:32,170
you'll have a session on his or her system.

7
00:00:33,570 --> 00:00:38,340
Let's see how to prepare and use malicious Firefox add-ons in Kali.

8
00:00:38,790 --> 00:00:43,560
Start the Metasploit Framework using the msfconsole command in the terminal screen.

9
00:00:50,410 --> 00:00:56,140
If you do not necessarily know the exact name of an exploit, you can use the search command to find it.

10
00:01:01,750 --> 00:01:04,240
Use the exploit with the use command.

11
00:01:13,040 --> 00:01:16,670
List the payloads that you can use with this exploit: show payloads.

12
00:01:19,500 --> 00:01:23,550
Let's select a shell payload with the reverse TCP connection.

13
00:01:31,690 --> 00:01:36,130
Now, look at the options of the exploit and payload using the show options command.

14
00:01:37,540 --> 00:01:44,920
Server host is the server where an application server will be started to serve the add-on. In this example,

15
00:01:44,920 --> 00:01:46,030
it's our machine.

16
00:01:54,420 --> 00:01:58,050
Server port is the port on which the web application is served.

17
00:01:58,440 --> 00:02:02,640
You can choose 80, which is the default port of the HTTP protocol.

18
00:02:03,450 --> 00:02:05,880
URI path is the path of the payload.

19
00:02:12,620 --> 00:02:18,140
Now set the options of the payload. Listener host is, again, our Kali machine in this example.

20
00:02:23,170 --> 00:02:26,110
Listen port is 4444 by default.

21
00:02:26,440 --> 00:02:27,490
Change it if you want.

22
00:02:28,120 --> 00:02:36,700
Now we are ready to run the exploit. When you run the exploit, a reverse TCP handler on port 4444 and

23
00:02:36,700 --> 00:02:41,380
an application server that serves on port 8080 are started.

24
00:02:42,760 --> 00:02:45,280
Let's test if the application is alive.

25
00:02:45,910 --> 00:02:47,220
Copy the URL.

26
00:02:54,360 --> 00:02:56,760
And paste it in the address bar of the browser.

27
00:03:00,440 --> 00:03:01,790
It seems everything is OK.

28
00:03:03,020 --> 00:03:07,250
In the Windows system, which is the system of the victim, run Firefox.

29
00:03:09,790 --> 00:03:12,640
This is Firefox version 57.

30
00:03:15,370 --> 00:03:21,070
Now we're going to send a phishing email, which contains a link to the add-on we prepared. In this example,

31
00:03:21,070 --> 00:03:25,450
I use the yopmail.com servers to send the phishing emails to the victim.

32
00:03:26,350 --> 00:03:32,620
YOPmail is the disposable email address service, which does not require a sign-up and provides access

33
00:03:32,620 --> 00:03:37,660
to any email address in the form of any name you want @yopmail.com.

34
00:03:39,160 --> 00:03:44,380
In the attacker system, Kali, prepare the phishing email and send it to the victim.

35
00:04:03,460 --> 00:04:08,050
The victim opens the email in his or her Firefox browser, which is the latest version.

36
00:04:17,580 --> 00:04:22,860
When the victim clicks the link, a warning message which says "Firefox prevented this site from asking

37
00:04:22,860 --> 00:04:25,710
you to install software on your system" appears.

38
00:04:26,610 --> 00:04:30,720
If you click the install link directly in the website, nothing changes.

39
00:04:31,020 --> 00:04:36,570
You're not allowed to install the add-on. Starting from version 41,

40
00:04:36,870 --> 00:04:42,120
Mozilla decided to allow plug-ins only if they're signed and verified by Mozilla.

41
00:04:42,840 --> 00:04:48,720
But don't worry, you'll probably find systems that use Firefox older than version forty-one.

42
00:04:50,290 --> 00:04:53,380
Let's repeat our test with an older version of Firefox.

43
00:04:54,540 --> 00:04:57,690
Download an earlier portable version of Firefox.

44
00:05:10,690 --> 00:05:13,210
I chose version 46 for this example.

45
00:05:14,110 --> 00:05:15,670
Install it and run.

46
00:05:30,870 --> 00:05:33,960
You are now using Firefox version 36.

47
00:05:35,230 --> 00:05:37,570
Go to the mail service of the victim.

48
00:05:47,320 --> 00:05:53,230
When you click the link, Firefox again prevents the site from asking to install software.

49
00:05:54,340 --> 00:06:01,660
This time, though, clicking the Allow button brings you to the software installation window. Click

50
00:06:01,660 --> 00:06:02,920
the Install Now button.

51
00:06:03,190 --> 00:06:06,580
You see the message that the installation is successful.

52
00:06:08,410 --> 00:06:11,620
Go to the listener now, which is our Kali machine.

53
00:06:12,740 --> 00:06:18,770
Looking at the listener terminal window, you see that a session on the victim's computer is open.

54
00:06:19,670 --> 00:06:25,790
Go to the session using the sessions -i session ID command. Now, because we used a shell payload,

55
00:06:26,060 --> 00:06:32,450
we have a shell session at this time, not a Meterpreter session, and we can use all the commands

56
00:06:32,450 --> 00:06:35,840
of the victim's computer. Since it's a Windows system,

57
00:06:36,320 --> 00:06:42,530
we can use Windows commands right now: dir to list the files of the current folder,

58
00:06:43,070 --> 00:06:45,140
whoami to see the active user,

59
00:06:47,210 --> 00:06:50,870
ipconfig to see the IP addresses, etc.