0

I watched a generic information security awareness presentation earlier, in which all that was required for the presenter to penetrate an organisation (with a meterpreter/reverse shell), was for someone on the inside to click, or type (or otherwise GET / HTTP/1.1), and access his public URI.

Is this realistic? Surely whatever exploit and payload was used, must require more manual execution than that, right?

voices
  • 1,649
  • 7
  • 22
  • 36

3 Answers3

2

was for someone on the inside to click, or type (or otherwise GET / HTTP/1.1), and access his public URI.

Is this realistic? Surely whatever exploit and payload was used, must require more manual execution than that, right?

There is a phrasing ambiguity in this. "Is a GET enough"? -- no, of course. But is clicking a link, with a vulnerable browser, enough? It is.

It is not the act of GETting a payload that infects the system per se, the problem lies in what is used to do the GETting. That is why you want defense in depth:

  • proxy "guard" software to stop navigation to unsafe shores (the GET never starts),
  • firewall/antivirus to recognize the payload and possibly prevent it from calling home and downloading a bigger brother (the GET does not succeed),
  • continuous system update to ensure vulnerabilities are kept to a minimum (the GET succeeds but has no effects),
  • IDS to detect suspicious behaviour inside the network (the effects are detected and blocked)
  • backups.

If the system is not updated and a browser is vulnerable, the targeted URL might recognize the browser and send a tailored payload (which it wouldn't send to, say, a content-detection system or a site scanning service, in order to appear clean). If the vulnerability allows it, the downloaded content might be able to run itself and take control, and possibly download further, less specific malicious code.

Community
  • 1
LSerni
  • 22,521
  • 4
  • 51
  • 60
1

What you're looking for are Drive-by downloads. Those can infect a computer without any user or attacker intervention. Drive-by infections are very common, as you can see in the following diagram by IBM's X-Force:

enter image description here Source

MiaoHatola
  • 2,284
  • 1
  • 14
  • 22
1

In addition to what was said, most of infections caused by simply clicking on a given URL are caused by what is called "Exploit kits"or "Exploit Packs", as Angler exploit kit and RIG Exploit Pack that take advantage of vulnerabilities in systems/ devices.

Here is a figure that schematize a typical infection chain:

enter image description here

  1. Step 1: Contact - A n attacker convinces people to click the link to a site that serves an exploit kit often through spam and effective social engineering lures.
  2. Step 2: Redirect - The exploit kit finds vulnerabilities in software installed on the systems/devices used to access the link.
  3. Step 3: Exploit - An exploit that takes advantage of the vulnerability found is executed on the system/device.
  4. Step 4: Infect - A payload (a piece of malware) is dropped and executed on the system/device.

source: https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit

Soufiane Tahiri
  • 2,667
  • 12
  • 27