1
00:00:00,940 --> 00:00:07,810
Another way to compromise the target systems is to send the malware as a browser add-on. You can use

2
00:00:07,820 --> 00:00:13,240
Metasploit Framework to prepare malicious Firefox add-ons and serve them from a server.

3
00:00:14,570 --> 00:00:19,850
Select the exploit and the payload, then set the options. When you run the exploit,

4
00:00:20,950 --> 00:00:28,240
it starts a handler, as well as an application server to release the add-on. As soon as the victim allows

5
00:00:28,240 --> 00:00:32,170
you to install the add-on, you'll have a session of his or her system.

6
00:00:33,570 --> 00:00:40,530
Let's see how to prepare and use malicious Firefox add-ons in Kali. Start the Metasploit Framework

7
00:00:40,530 --> 00:00:43,590
using the msfconsole command in the terminal screen.

8
00:00:50,380 --> 00:00:56,160
If you do not necessarily know the exact name of an exploit, you can use the search command to find it.

9
00:01:01,780 --> 00:01:04,270
Use the exploit with the use command.

10
00:01:13,040 --> 00:01:16,700
List the payloads that you can use with this exploit: show payloads.

11
00:01:19,500 --> 00:01:23,550
Let's select a shell payload with the reverse TCP connection.

12
00:01:31,690 --> 00:01:36,160
Now, look at the options of exploit and payload using the show options command.

13
00:01:37,510 --> 00:01:44,950
Server host is the server where an application server will be started to serve the add-on. In this example,

14
00:01:44,950 --> 00:01:46,060
it's our Kali machine.

15
00:01:54,390 --> 00:01:58,060
Server port is the port that the web application serves.

16
00:01:58,440 --> 00:02:02,670
You can choose 80, which is the default port of the HTTP protocol.

17
00:02:03,420 --> 00:02:05,910
URI path is the path of the payload.

18
00:02:12,590 --> 00:02:18,170
Now set the options of the payload. Listener host is, again, our Kali machine in this example.

19
00:02:23,170 --> 00:02:27,490
Listener port is 4444 by default; change it if you want.

20
00:02:28,120 --> 00:02:32,050
Now we are ready to run the exploit. When you run the exploit,

21
00:02:32,140 --> 00:02:41,410
a reverse TCP handler on port 4444 and an application server that serves on port 8080 are started.

22
00:02:42,730 --> 00:02:47,230
Let's test if the application is alive. Copy the URL

23
00:02:54,330 --> 00:02:56,790
and paste it in the address bar of the browser.

24
00:03:00,410 --> 00:03:01,820
It seems everything is OK.

25
00:03:02,990 --> 00:03:07,280
In the Windows system, which is the system of the victim, run Firefox.

26
00:03:09,760 --> 00:03:12,670
This is Firefox version 57.

27
00:03:15,340 --> 00:03:21,100
Now we're going to send a phishing email which contains a link to the add-on we prepared. In this example,

28
00:03:21,100 --> 00:03:25,450
I use the yopmail.com service to send the phishing email to the victim.

29
00:03:26,320 --> 00:03:32,650
YOPmail is a disposable email address service, which does not require a sign-up and provides access

30
00:03:32,650 --> 00:03:37,690
to any email address in the form of any name you want at yopmail.com.

31
00:03:39,130 --> 00:03:44,380
In the attacker system, Kali, prepare the phishing email and send it to the victim.

32
00:04:03,430 --> 00:04:08,050
The victim opens the email in his or her Firefox browser, which is the latest version.

33
00:04:17,580 --> 00:04:22,890
When the victim clicks the link, a warning message which says "Firefox prevented this site from asking

34
00:04:22,890 --> 00:04:29,790
you to install software on your system" appears. If you click the install link directly in the website,

35
00:04:29,790 --> 00:04:30,750
nothing changes.

36
00:04:31,020 --> 00:04:38,940
You're not allowed to install the add-on. Starting from version 41, Mozilla decided to allow plug-ins

37
00:04:38,940 --> 00:04:42,140
only if they're signed and verified by Mozilla.

38
00:04:42,870 --> 00:04:48,750
But don't worry, you'll probably find systems that use Firefox older than version 41.

39
00:04:50,260 --> 00:04:53,410
Let's repeat our test with an older version of Firefox.

40
00:04:54,540 --> 00:04:57,720
Download an earlier portable version of Firefox.

41
00:05:10,690 --> 00:05:15,700
I chose version 46 for this example. Install it and run.

42
00:05:30,840 --> 00:05:33,990
You are now using Firefox version 36.

43
00:05:35,200 --> 00:05:37,570
Go to the mail service of the victim.

44
00:05:47,320 --> 00:05:53,260
When you click the link, Firefox again prevents the site from asking to install software.

45
00:05:54,340 --> 00:06:01,690
This time, though, clicking the Allow button brings you to the software installation window. Click

46
00:06:01,690 --> 00:06:02,950
the Install Now button.

47
00:06:03,190 --> 00:06:06,610
You see the message that the installation is successful.

48
00:06:08,410 --> 00:06:11,620
Go to the listener now, which is our Kali machine.

49
00:06:12,770 --> 00:06:18,780
Looking at the listener terminal window, you see that a session on the victim's computer is open.

50
00:06:19,700 --> 00:06:25,820
Go to the session using the sessions -i <session ID> command. Because we used a shell payload,

51
00:06:26,090 --> 00:06:32,480
we have a shell session this time, not a Meterpreter session, and we can use all the commands

52
00:06:32,480 --> 00:06:33,740
of the victim's computer.

53
00:06:34,070 --> 00:06:41,630
Since it's a Windows system, we can use Windows commands right now: dir to list the files of the

54
00:06:41,630 --> 00:06:42,540
current folder,

55
00:06:42,920 --> 00:06:45,140
whoami to see the active user,

56
00:06:47,150 --> 00:06:50,920
ipconfig to see the IP addresses, et cetera.