What is a patch?
A patch is a software update that corrects problems (usually called bugs) in an operating system or a software program. A patch is used to update, correct or improve a flaw in a computer system or its supporting data. Variants of patches include hotfixes, point releases, program temporary fixes, security patches, service packs and unofficial patches.
In this article, I will demonstrate the importance of security patches. This demonstration can be shown using multiple attack vectors. The general idea behind choosing this attack vector is the fact that the target machine (Windows 10) had Windows Defender last patched in 2015, while the Veil Evasion tool was released in the early months of 2018, which made me sure that this attack vector would be successful and that the antivirus software (Windows Defender) could be bypassed.
In this scenario, I will emulate the attacker using a Kali Linux 2016.2 machine, and the target will be a Windows 10 machine (64-bit operating system) whose Windows Defender (Virus and Spyware) definitions were last updated in 2015. This is a common occurrence in many computer systems due to ignorance of the user or lack of knowledge of the importance of security patches. To exploit the Windows 10 system, I have used Veil Evasion 3.1.X, a tool used to craft Metasploit payloads that can bypass common antivirus software. First, Veil Evasion is used to create an executable file with the payload (python/meterpreter/rev_tcp.py) embedded in it. A Metasploit handler (exploit/multi/handler), a stub that handles exploits launched outside the framework, is set up on the attacker’s machine. The executable file is then sent across to the target machine using either email or USB file transfer as the delivery vector. The executable file looks like a Python application file, and the user can be hoodwinked into executing it. Once the file is executed, the payload embedded inside the malicious file runs and connects back to the attacker’s machine. In return, the attacker (Kali Linux machine) gets a meterpreter session on the victim’s machine (Windows 10).
1. Veil Evasion Framework
2. We use payload number 28, python/meterpreter/rev_tcp.py, to embed in the executable file to be sent across to the victim machine (Windows 10):
3. Once the malicious file (python_install) has been created, we send it across to the victim’s machine using social engineering techniques. Windows Defender was not able to detect any malicious code inside the executable file, so the victim will not suspect any malicious intent and will execute the file:
Different Social Engineering techniques that can be used to make the user click on the file:
- Phishing: Attackers trick the victims into revealing confidential/sensitive information or visiting malicious websites in order to compromise their system through emails, instant messaging, social media or SMS.
- Baiting and Quid Pro Quo attacks: Baiting is a technique used to exploit human curiosity or greed. In a Quid Pro Quo attack scenario, the attacker obtains the user’s confidential/sensitive information or gains access to the user’s system by offering the user a service or a particular benefit.
- Familiarity Exploit: In this scenario the attacker becomes familiar with the victim through interaction; the attacker then leverages this trust by passing something malicious to the victim via a USB stick or email and gains access to the user’s system.
4. Once the file (python_install) has been executed by the victim (Windows 10) and a handler has been set up on the attacker’s machine (Kali Linux), the attacker gains access to the victim machine through a meterpreter shell:
Once the attacker gains control of the victim’s machine, through the meterpreter shell they can:
- Download a confidential/sensitive file from the victim’s machine.
- Upload and execute another malicious file (apk, pdf files for example) on the victim’s machine.
- Escalate privileges on the victim’s machine to gain sysadmin privileges and possibly dump password hashes.
- Display the currently available webcams on the victim’s system and grab a picture from a connected webcam.
- Interact with the registry and the file system of the victim’s system.
- Get a command prompt of the victim’s system.
A fully patched Windows Defender (Virus and Spyware) would be able to prevent this type of attack thanks to its updated virus signature database, and would be able to detect and block the malicious activity caused by this file.
A fully patched Windows Defender is shown below detecting the malicious payload inside the executable file called “python_install” and preventing it from being copied onto the system and executed:
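The detection above only happens when Defender's definitions are current, which is exactly what was missing on the 2015-era target. The following PowerShell script is an added example (not part of the original article, and not Veil or Metasploit code): it uses the Defender module that ships with Windows 10 (Get-MpComputerStatus, Get-MpThreatDetection, Update-MpSignature) to report signature age and protection state, pull fresh definitions when they are stale, and list what Defender has recently blocked. The 7-day staleness threshold and the function names are this example's own assumptions.

```powershell
# Added example (not from the original article): audit Windows Defender
# definition freshness and review recent detections with the built-in
# Defender PowerShell module. Run from an elevated PowerShell prompt.
# The 7-day staleness threshold is an assumption chosen for this example.

$MaxSignatureAgeDays = 7

function Get-DefenderPatchStatus {
    $status = Get-MpComputerStatus

    $findings = @()
    if (-not $status.AntivirusEnabled) {
        $findings += "Antivirus protection is disabled."
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += "Real-time protection is disabled; a file copied onto the system is not scanned on write."
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ("Antivirus signatures are {0} days old (last updated {1}); an old database cannot recognise newer payloads." -f `
            $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
    }
    if ($status.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ("Antispyware signatures are {0} days old (last updated {1})." -f `
            $status.AntispywareSignatureAge, $status.AntispywareSignatureLastUpdated)
    }

    [pscustomobject]@{
        EngineVersion         = $status.AMEngineVersion
        AntivirusSignature    = $status.AntivirusSignatureVersion
        AntivirusSignatureAge = $status.AntivirusSignatureAge
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        Findings              = $findings
        Compliant             = ($findings.Count -eq 0)
    }
}

# Recent detections: a current Defender records the block shown in the screenshot here.
function Get-RecentDefenderDetections {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ProcessName, ThreatID,
            @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

$report = Get-DefenderPatchStatus
$report | Format-List

if (-not $report.Compliant) {
    Write-Warning "Defender is not fully patched; pulling the latest definitions now."
    # Update-MpSignature fetches definitions from the configured source (Microsoft Update by default).
    Update-MpSignature
}

Get-RecentDefenderDetections | Format-Table -AutoSize
```

Running this on the demo target before the exercise would have reported a signature age in the hundreds of days and a non-compliant status; after Update-MpSignature the same executable is caught on copy, as the screenshot shows. Scheduling the check (Task Scheduler or an endpoint management tool) turns a one-off look into ongoing assurance that definitions never drift that far behind again.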
Coming back to the main reason behind this article, WHY ARE PATCHES IMPORTANT?
They are important because:
- They help us fix software bugs
- They help us find and address new security vulnerabilities
- They help us resolve software stability issues
- They help us upgrade the software
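Definitions are only half of the picture: the operating system itself needs to be current for the reasons listed above. The following PowerShell script is an added example (not from the original article) that shows how stale a Windows 10 machine is by reading installed updates with Get-HotFix and querying the Windows Update Agent COM API (Microsoft.Update.Session) for updates that are still pending, highlighting the ones Microsoft's Security Response Center has rated. The 30-day threshold and the function names are this example's own assumptions.

```powershell
# Added example (not from the original article): report how stale the
# operating system is, using Get-HotFix for installed updates and the
# Windows Update Agent COM API for updates still waiting to be installed.
# The 30-day threshold is an assumption chosen for this example.

$MaxDaysSinceLastUpdate = 30

function Get-InstalledUpdateSummary {
    # Get-HotFix lists installed updates; some entries carry no install date, so skip those.
    $hotfixes  = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending)
    $latest    = $hotfixes | Select-Object -First 1
    $daysSince = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

    [pscustomobject]@{
        InstalledCount      = $hotfixes.Count
        LatestHotFixID      = $latest.HotFixID
        LatestInstalledOn   = $latest.InstalledOn
        DaysSinceLastUpdate = $daysSince
        Stale               = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceLastUpdate)
    }
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent for software updates that are not installed and not hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title        = $update.Title
            # MsrcSeverity is set (Critical, Important, Moderate, Low) only for security updates.
            MsrcSeverity = $update.MsrcSeverity
            KBArticles   = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ', '
        }
    }
}

$summary = Get-InstalledUpdateSummary
$summary | Format-List
if ($summary.Stale) {
    Write-Warning "No update has been installed in the last $MaxDaysSinceLastUpdate days."
}

$pending  = @(Get-PendingUpdates)
$security = @($pending | Where-Object { $_.MsrcSeverity })
"{0} update(s) pending, {1} of them rated by MSRC as security updates" -f $pending.Count, $security.Count
$security | Sort-Object MsrcSeverity | Format-Table -AutoSize
```

A machine like the demo target would report a multi-year gap since its last update and a long list of pending security updates; that list is the concrete answer to "why are patches important", because each rated entry is a known, publicly documented flaw that attackers no longer need to discover themselves.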