amoeba Posted August 19, 2012 Share Posted August 19, 2012 How do i get evil java to work, i have downloaded evil java module and turned it on, whats next? Quote Link to comment Share on other sites More sharing options...
loozr Posted September 12, 2012 Share Posted September 12, 2012 I would really like to learn this too. Just some basic tips about how one should do this/what tools to use would be great! :) Quote Link to comment Share on other sites More sharing options...
Neworld Posted September 12, 2012 Share Posted September 12, 2012 I would also like to learn this as well. Quote Link to comment Share on other sites More sharing options...
mondrianaire Posted September 15, 2012 Share Posted September 15, 2012 +1? Quote Link to comment Share on other sites More sharing options...
mreidiv Posted September 16, 2012 Share Posted September 16, 2012 (edited) Hey guys check out the original thread but make sure to read it all and see it that helps. Edited September 16, 2012 by mreidiv Quote Link to comment Share on other sites More sharing options...
Neworld Posted September 17, 2012 Share Posted September 17, 2012 The instructions are kind of pooy on the tread.... Anyone get this working properly? If so, what exactly can you do with it? Quote Link to comment Share on other sites More sharing options...
loozr Posted September 17, 2012 Share Posted September 17, 2012 (edited) I have played a little bit with the Evil Java applet and found that the possibility to lure someone is quite slim.. The user would have to be quite braindead for you to achieve the attack. Just to make it clear I did not start a listener in Metasploit, nor did I test this in the "right side" of the pineapple. The reason for this is both that I'm not sure how to change the listener address in the attack, and I didn't want to create a BT VM in my laptop for this test. This test is made from the WAN/LAN side. And MSE went totally crazy when I entered this site, so the test is run without any AV. Firstly the site is.. well not too bad But the warning speaks for itself Especially when the AV is amok at this point. That said, I have also tested a couple of java attacks from SET in backtrack, but I haven't found any that actually fools MSE. If anyone have any tips to what java attacks one might use without AV going insane would be great! Otherwise I don't see any point in using time on this. In regards to what you can do with it is potentially own the users machine ;) Edited September 17, 2012 by loozr Quote Link to comment Share on other sites More sharing options...
nopenopenope Posted September 17, 2012 Share Posted September 17, 2012 I have played a little bit with the Evil Java applet and found that the possibility to lure someone is quite slim.. The user would have to be quite braindead for you to achieve the attack. Just to make it clear I did not start a listener in Metasploit, nor did I test this in the "right side" of the pineapple. The reason for this is both that I'm not sure how to change the listener address in the attack, and I didn't want to create a BT VM in my laptop for this test. This test is made from the WAN/LAN side. And MSE went totally crazy when I entered this site, so the test is run without any AV. Firstly the site is.. well not too bad But the warning speaks for itself Especially when the AV is amok at this point. That said, I have also tested a couple of java attacks from SET in backtrack, but I haven't found any that actually fools MSE. If anyone have any tips to what java attacks one might use without AV going insane would be great! Otherwise I don't see any point in using time on this. In regards to what you can do with it is potentially own the users machine ;) Get the executable signed by java/oracle :P Quote Link to comment Share on other sites More sharing options...
Neworld Posted September 18, 2012 Share Posted September 18, 2012 Get the executable signed by java/oracle :P How do you do that?? Quote Link to comment Share on other sites More sharing options...
loozr Posted September 18, 2012 Share Posted September 18, 2012 I'm afraid this is easier said than done.. I have no knowledge about this at all, but I'll bet that Oracle protects their signed java applets as good as they can.. However the java client on users computers is breached every now and then.. <_< In my opinion I think most (normal) users have some kind of AV that the computer was originally delivered with, maybe not very god ones, but nevertheless I think that any attacks/pentests should be as stealth as possible i.e. no alert in AV. People that are not using AV would be more aware and not install an applet like the one above, and user not aware would be aware because of the AV. Quote Link to comment Share on other sites More sharing options...
Neworld Posted September 18, 2012 Share Posted September 18, 2012 So applet attacks are useless.... Is there a way around AV? If not, there's no point in using it. Quote Link to comment Share on other sites More sharing options...
Neworld Posted September 23, 2012 Share Posted September 23, 2012 Is there another reliable way to do this without setting off anti-virus?? Quote Link to comment Share on other sites More sharing options...
nopenopenope Posted September 24, 2012 Share Posted September 24, 2012 I'm afraid this is easier said than done.. I have no knowledge about this at all, but I'll bet that Oracle protects their signed java applets as good as they can.. However the java client on users computers is breached every now and then.. <_< In my opinion I think most (normal) users have some kind of AV that the computer was originally delivered with, maybe not very god ones, but nevertheless I think that any attacks/pentests should be as stealth as possible i.e. no alert in AV. People that are not using AV would be more aware and not install an applet like the one above, and user not aware would be aware because of the AV. Ya I was completely kidding. No way would you ever want to do this on a Pentest, Unless you want Oracle to come down on you like a ton of bricks. Quote Link to comment Share on other sites More sharing options...
WallE Posted March 31, 2013 Share Posted March 31, 2013 Ya I was completely kidding. No way would you ever want to do this on a Pentest, Unless you want Oracle to come down on you like a ton of bricks. Still, how someone could make a signed java applet by Oracle? Do you need a java compagnie or...? Quote Link to comment Share on other sites More sharing options...
Foxtrot Posted March 31, 2013 Share Posted March 31, 2013 Why not discuss this in the original thread... Quote Link to comment Share on other sites More sharing options...
RebelCork Posted April 1, 2013 Share Posted April 1, 2013 Pentesting is not simply using 1 'hack' The java applet attack may work if you know the victim's machine is susceptible to the attack, but to be honest, the worst thing you can do on a pentest is try and throw everything at a target. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.