1
00:00:00,970 --> 00:00:07,840
Another way to compromise the target systems is to send the malware as a browser add-on. You can use

2
00:00:07,850 --> 00:00:13,270
the Metasploit Framework to prepare malicious Firefox add-ons and serve them from a server.

3
00:00:14,590 --> 00:00:19,900
Select the exploit and the payload, then set the options. When you run the exploit,

4
00:00:20,970 --> 00:00:28,260
it starts a handler as well as an application server to release the add-on. As soon as the victim allows

5
00:00:28,260 --> 00:00:32,220
you to install the add-on, you'll have a session on his or her system.

6
00:00:33,600 --> 00:00:40,560
Let's see how to prepare and use malicious Firefox add-ons in Kali. Start the Metasploit Framework

7
00:00:40,560 --> 00:00:43,620
using the msfconsole command in the terminal screen.

8
00:00:50,380 --> 00:00:56,190
If you do not necessarily know the exact name of an exploit, you can use the search command to find it.

9
00:01:01,790 --> 00:01:04,310
Use the exploit with the use command.

10
00:01:13,060 --> 00:01:16,720
List the payloads that you can use with this exploit: show payloads.

11
00:01:19,530 --> 00:01:23,580
Let's select a shell payload with a reverse TCP connection.

12
00:01:31,720 --> 00:01:36,190
Now, look at the options of the exploit and payload using the show options command.

13
00:01:37,520 --> 00:01:44,990
Server host is the server where an application server will be started to serve the add-on. In this example,

14
00:01:44,990 --> 00:01:46,100
it's our Kali machine.

15
00:01:54,420 --> 00:01:58,090
Server port is the port that the web application serves on.

16
00:01:58,470 --> 00:02:02,700
You can choose 80, which is the default port of the HTTP protocol.

17
00:02:03,450 --> 00:02:05,940
URI path is the path of the payload.

18
00:02:12,640 --> 00:02:18,190
Now set the options of the payload. Listener host, again, is our Kali machine in this example.

19
00:02:23,200 --> 00:02:27,490
Listen port is 4444 by default; change it if you want.

20
00:02:28,150 --> 00:02:32,080
Now we are ready to run the exploit. When you run the exploit,

21
00:02:32,170 --> 00:02:41,440
a reverse TCP handler on port 4444 is started, and an application server serves on port 8080.

22
00:02:42,760 --> 00:02:45,320
Let's test if the application is alive.

23
00:02:45,910 --> 00:02:47,260
Copy the URL.

24
00:02:54,350 --> 00:02:56,810
And paste it in the address bar of the browser.

25
00:03:00,440 --> 00:03:01,850
It seems everything is OK.

26
00:03:03,010 --> 00:03:07,300
In the Windows system, which is the system of the victim, run Firefox.

27
00:03:09,780 --> 00:03:12,720
This is Firefox version 57.

28
00:03:15,370 --> 00:03:21,130
Now we're going to send a phishing email which contains a link to the add-on we prepared. In this example,

29
00:03:21,130 --> 00:03:25,480
I use the yopmail.com service to send the phishing emails to the victim.

30
00:03:26,350 --> 00:03:32,680
YOPmail is a disposable email address service which does not require a sign-up and provides access

31
00:03:32,680 --> 00:03:37,720
to any email address in the form of any name you want at yopmail.com.

32
00:03:39,160 --> 00:03:44,440
In the attacker system, Kali, prepare the phishing email and send it to the victim.

33
00:04:03,450 --> 00:04:08,100
The victim opens the email in his or her Firefox browser, which is the latest version.

34
00:04:17,610 --> 00:04:22,920
When the victim clicks the link, a warning message which says "Firefox prevented this site from asking

35
00:04:22,920 --> 00:04:29,820
you to install software on your system" appears. If you click the install link directly in the website,

36
00:04:29,820 --> 00:04:30,780
nothing changes.

37
00:04:31,050 --> 00:04:38,970
You're not allowed to install the add-on. Starting from version 41, Mozilla decided to allow plug-ins

38
00:04:38,970 --> 00:04:42,180
only if they're signed and verified by Mozilla.

39
00:04:42,870 --> 00:04:48,780
But don't worry, you'll probably find systems that use Firefox older than version 41.

40
00:04:50,260 --> 00:04:53,440
Let's repeat our test with an older version of Firefox.

41
00:04:54,580 --> 00:04:57,760
Download an earlier portable version of Firefox.

42
00:05:10,740 --> 00:05:15,720
I chose version 46 for this example. Install it and run.

43
00:05:30,890 --> 00:05:34,010
You are now using Firefox version 36.

44
00:05:35,230 --> 00:05:37,630
Go to the mail service of the victim.

45
00:05:47,350 --> 00:05:53,290
When you click the link, Firefox again prevents the site from asking to install software.

46
00:05:54,370 --> 00:06:01,690
This time, though, clicking the Allow button brings you to the software installation window. Click

47
00:06:01,690 --> 00:06:02,980
the Install Now button.

48
00:06:03,220 --> 00:06:06,640
You see the message that the installation is successful.

49
00:06:08,430 --> 00:06:16,110
Go to the listener now, which is our Kali machine. Looking at the listener terminal window, you

50
00:06:16,110 --> 00:06:18,820
see that a session on the victim's computer is open.

51
00:06:19,710 --> 00:06:25,830
Go to the session using the sessions -i <session ID> command. Because we used a shell payload,

52
00:06:26,100 --> 00:06:32,490
we have a shell session this time, not a Meterpreter session, and we can use all the commands

53
00:06:32,490 --> 00:06:33,750
of the victim's computer.

54
00:06:34,080 --> 00:06:41,670
Since it's a Windows system, we can use Windows commands right now: dir to list the files of the

55
00:06:41,670 --> 00:06:42,570
current folder,

56
00:06:42,960 --> 00:06:45,180
whoami to see the active user,

57
00:06:47,200 --> 00:06:50,940
ipconfig to see the IP addresses, et cetera.

