Jump to content

Using Metasploit to find vulnerable browsers


dovi5988

Recommended Posts

Hi,

I have been tasked with trying to figure out if the systems we use have any vulnerabilities. I need to set up a generic looking website that will look at the browser, OS etc. that the visitor to the site is using and list known vulnerabilities. The only thing I have found so far is Autopwn2 in Metasploit. It seems to be vary limited in that you have the browser go to a specific URL that will then go through a list of known vulnerabilities and when it finds one, try to attack the browser. What I want is:

1) To have a lot larger of a list and try all of them.

2) To NOT attack the browser. I simply want a list of vulnerabilities this browser, OS etc. has and what my options are.

 

Any advice?

Link to comment
Share on other sites

You are going about it the wrong way, you are better asking the machines what they have installed.

You can probably do it with a Powershell script, connect to each machine, query the list of installed software and then pick up the ones you are interested in. If the company can afford it, look at Nessus, it can do this for you with credentials.

Link to comment
Share on other sites

Not sure how your answer is relevant to my question. The goal is to have a site that collects data on users coming in and to give lists on what vulnerabilities they have.

 

To answer your question there is a lot that if I explained you would understand but fro certain reasons I am unable. If you think you can help and I can hire you as a consultant PM me.

 

Link to comment
Share on other sites

This seems more akin to something like browserleaks ( https://browserleaks.com/ ), only, you want to know what exploits are available. This is something that you'd need to have a database of all known exploits for every browser, and then, have a way to scan the visitors, which without their consent, is already going the wrong direction. A click to consent form that then does a browser scan against a visitor, and returns a report is not unheard of. It's convincing someone that you aren't doing nefarious things before this that people here like DigiNinja might be leery of getting involved in, and rightfully so. I don't know that this is something we can help with short of advising, hire a pentester and some security consultants to build you a safe working model that does benign checks for generic flaws you can report to potential clients looking for further testing of their environment. If this is a legit business, go about it the right way and ethically while following local laws. Looking for some sort of metasploit copy and paste on hacking browsers on the forums, will probably not go much further than this given the current info you provided so far.

Link to comment
Share on other sites

I'm wary because if they are trying to sell a security solution that protects against outdated browsers but are coming here to ask how to detect them then there is something wrong in the order things are being done.

Link to comment
Share on other sites

7 hours ago, dovi5988 said:

There are certain things that I can not post in public but if either one of you would accept a PM it would make perfect sense in what I am trying to do. What I am doing is very legal.

 

I think there is a certain post threshold for new users, before they can PM people on the forums to control spam. you can try and PM me though, not sure what I can help with but I'll listen to what you have to say.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...