Client side attack - AV Evasion

The weakest link in the security chain of any organisation is people.

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do. The concept of social engineering is not new; it has existed for thousands of years. Think of scammers or con artists; it is the very same idea. What makes today's technology so much more effective for cyber attackers is that you cannot physically see them; they can easily pretend to be anything or anyone they want and target millions of people around the world, including you. In addition, social engineering attacks can bypass many security technologies. The simplest way to understand how these attacks work and protect yourself from them is to take a look at real-world examples:

SANS - Security Awareness

This client-side attack is a fun one, and if you are doing the OSCP, you are going to see some form of it a few times in the labs. Here I will try to explain, step by step, how Dave Kennedy and Kevin Mitnick accomplished the task above. I love the ovation at the end, great audience!

Information gathering:

Dave mentioned that the victim was running EOL Windows XP. The video was posted on YouTube on Aug 5, 2013, which means that if it was a Java client-side attack, the Java version must have been SE 7 at most. We will have to assume that default security settings were in place. In addition, it seems this exploit should work in either Firefox or Internet Explorer, so it is not a browser exploit.

Target IP: 192.168.1.109, Windows XP Professional

This is how the malicious website could have looked to the client on the phone. In this case any URL and website content could be spoofed. Since this is a Java applet client-side attack, a warning is presented to the user because of the security risks involved in running unsigned code.

Example of a client-side attack.

Preparation on the attacker side:

Successful exploitation:

Mitigation:

Hackers by nature try to leave little to no footprint when conducting their actions, because any evidence (telephone numbers, files, logs) left behind could lead to their compromise. In this case it would be safe to assume that the number they called from was either "unknown" or spoofed. One way to protect yourself is to ask the person on the other end for a telephone number so you can "call them back". If they cannot fulfil this request, the caller was probably up to no good.