You have probably heard of social engineering in one form or another. Let's look at how social-engineering techniques are put to use in practice.
In this article we will build a phishing page and serve it to target users through a rogue WiFi access point. If a user who has joined the rogue WiFi enters their username and password on that page, the data is sent straight to you.
We will use Kali Linux (ParrotSec or Ubuntu also work), the well-known wireless penetration-testing tool WiFi-Pumpkin, and an external WiFi adapter. Why an external adapter (external wireless card)? Suppose you plan to set up this phishing page in a McDonald's or a Starbucks: your laptop's built-in network controller connects to the McDonald's WiFi, and you turn the external adapter into the rogue access point.
The external WiFi adapter plays the "man" in the man-in-the-middle attack: it serves the phishing page to the target and tricks them into entering their details. I strongly recommend the WN722N [link]: it is very small yet very capable, it is designed with hackers in mind, it suits this kind of WiFi attack well, and, better still, it is very cheap.
How to install WiFi-Pumpkin
Installation is straightforward; just follow the steps.
1. Change to the directory where you want to install WiFi-Pumpkin:

    cd desktop
2. Download the source:

    git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
3. Change into the source directory:

    cd WiFi-Pumpkin
4. Run the installer:

    ./installer.sh --install
If the command above refuses to run and reports an error, make the script executable and try again:

    chmod +x installer.sh
The whole installation takes about 10 to 15 minutes, because it also installs a number of dependencies. Once it finishes, the screen looks like this:
Note: if you run into problems during installation, see the troubleshooting section of the official repository [link].
Creating the fake login page
First we need to build a phishing page tailored to our needs. In a real attack scenario, if you want a target's password, what you need most is the login page of an online service or website. For example, to hack someone's Facebook, Twitter or Gmail account, you first clone that service's login page and then serve it to the target through the rogue WiFi access point.
Browsers are quite smart these days, so we cannot show you these fake login pages directly here: the sites would be flagged as malicious by the browser and blocked. Instead, we have built a login-page template [download link] that you can use as a starting point for your own page. You can also clone it straight from our GitHub repository with the following command:

    git clone https://github.com/XeusHack/Fake-Login-Page.git
Note: as a rule, you should extract these files into the /www directory on the local host.
Setting up MySQL
With the fake login page built and saved, we also need to set up a database. MySQL is the obvious choice, since Linux ships with MySQL. Configure it as follows.
Open a terminal window and enter the following command:

    mysql -u root
You are now in the MySQL command-line interface, and we need to create a database to hold the data collected by the phishing site. The following command creates a database called xeus:

    create database xeus;
Next, switch to the database we just created:

    use xeus;
Now create a table to store the target users' data:

    create table logins(network varchar(64), email varchar(64), password varchar(64));
OK, the database is ready! Next we need to hook the database up to the phishing page.
Change to the host's /www directory (where you keep the phishing site) and open the file named database.php. Fill in the values in square brackets according to your own setup:

    $username="[USERNAME]";
    $password="[PASSWORD]";
    $db_name="[DATABASE_NAME]";
    $tbl_name="[TABLENAME]";
My settings file looks like this:

    $username="root";
    $password="toor";
    $db_name="xeus";
    $tbl_name="logins";
Now restart MySQL so the configuration takes effect:

    sudo /etc/init.d/mysql restart
Setting up WiFi-Pumpkin
WiFi-Pumpkin is a complete framework for wireless penetration testing and is well suited to our access-point attack. It has a large number of plugins and modules and can do far more than phishing, but for now we only need three of them: Rogue AP, Phishing Manager and DNS Spoof. With these we can attach the phishing page to the rogue hotspot and serve it to unsuspecting users. Let's get started!
Change to the WiFi-Pumpkin install directory and launch it with the command python wifi-pumpkin.py (some basic Python knowledge is needed). The program output looks like this:

    root@kali:/WiFi-Pumpkin# python wifi-pumpkin.py
    WiFi-Pumpkin need PyQt4 :(
If you get the error above, install the requirements and launch again:

    root@kali:/WiFi-Pumpkin/www# cd ..
    root@kali:/WiFi-Pumpkin# ls -l
    total 124
    -rw-r--r--  1 root root 10206 Oct 11 03:11 CHANGELOG
    -rw-r--r--  1 root root  1443 Oct 11 03:11 CONTRIBUTING.md
    drwxr-xr-x 10 root root  4096 Oct 11 03:11 core
    drwxr-xr-x  2 root root  4096 Oct 11 03:11 docs
    drwxr-xr-x  2 root root  4096 Oct 11 03:11 icons
    -rwxr-xr-x  1 root root  3984 Oct 11 03:11 installer.sh
    -rw-r--r--  1 root root   267 Oct 11 03:11 ISSUE_TEMPLATE.md
    -rw-r--r--  1 root root 35141 Oct 11 03:11 LICENSE
    drwxr-xr-x  7 root root  4096 Oct 11 03:11 logs
    -rwxr-xr-x  1 root root  2817 Oct 11 03:11 make_deb.sh
    drwxr-xr-x  8 root root  4096 Oct 11 03:11 modules
    drwxr-xr-x  5 root root  4096 Oct 11 03:11 plugins
    -rw-r--r--  1 root root  8365 Oct 11 03:11 README.md
    -rw-r--r--  1 root root   235 Oct 11 03:11 requirements.txt
    drwxr-xr-x  3 root root  4096 Oct 11 03:11 templates
    -rwxr-xr-x  1 root root    70 Oct 11 03:11 wifi-pumpkin
    -rw-r--r--  1 root root   225 Oct 11 03:11 wifi-pumpkin.desktop
    -rwxr-xr-x  1 root root  2711 Oct 11 03:11 wifi-pumpkin.py
    drwxrwxrwx  3 root root  4096 Oct 11 03:24 www
    root@kali:/WiFi-Pumpkin# pip install -r requirements.txt
    Requirement already satisfied: Twisted in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
    Requirement already satisfied: scapy in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
    Collecting bs4 (from -r requirements.txt (line 3))
      Downloading bs4-0.0.1.tar.gz
    Requirement already satisfied: netaddr in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
    Collecting config (from -r requirements.txt (line 5))
      Downloading config-0.3.9.tar.gz
    Requirement already satisfied: dnspython in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 6))
    Collecting isc_dhcp_leases (from -r requirements.txt (line 7))
      Downloading isc_dhcp_leases-0.8.1.tar.gz
    Collecting netifaces (from -r requirements.txt (line 8))
      Downloading netifaces-0.10.6.tar.gz
    Requirement already satisfied: pcapy in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 9))
    Collecting configparser==3.3.0r1 (from -r requirements.txt (line 10))
      Downloading configparser-3.3.0r1.tar.gz
    Collecting NetfilterQueue (from -r requirements.txt (line 11))
      Downloading NetfilterQueue-0.8.1.tar.gz (58kB)
        100% |████████████████████████████████| 61kB 29kB/s
    Requirement already satisfied: configobj in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 12))
    Collecting libarchive-c==2.1 (from -r requirements.txt (line 13))
      Downloading libarchive_c-2.1-py2.py3-none-any.whl
    Collecting python-magic==0.4.6 (from -r requirements.txt (line 14))
      Downloading python-magic-0.4.6.tar.gz
    Requirement already satisfied: pefile in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 15))
    Requirement already satisfied: capstone in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 16))
    Requirement already satisfied: hyperframe in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 17))
    Requirement already satisfied: h2 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 18))
    Requirement already satisfied: mitmproxy==0.18.2 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 19))
    Collecting scapy_http (from -r requirements.txt (line 20))
      Downloading scapy-http-1.8.tar.gz
    Requirement already satisfied: service_identity in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 21))
    Requirement already satisfied: beautifulsoup4 in /usr/lib/python2.7/dist-packages (from bs4->-r requirements.txt (line 3))
    Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from isc_dhcp_leases->-r requirements.txt (line 7))
    Requirement already satisfied: enum34<2,>=1.0.4 in /usr/lib/python2.7/dist-packages (from h2->-r requirements.txt (line 18))
    Requirement already satisfied: ipaddress<1.1,>=1.0.15 in /usr/lib/python2.7/dist-packages (from mitmproxy==0.18.2->-r requirements.txt (line 19))
    Collecting typing==3.5.2.2 (from mitmproxy==0.18.2->-r requirements.txt (line 19))
      Downloading typing-3.5.2.2.tar.gz (51kB)
        100% |████████████████████████████████| 51kB 30kB/s
    Building wheels for collected packages: bs4, config, isc-dhcp-leases, netifaces, configparser, NetfilterQueue, python-magic, scapy-http, typing
      Running setup.py bdist_wheel for bs4 ... done
      Stored in directory: /root/.cache/pip/wheels/84/67/d4/9e09d9d5adede2ee1c7b7e8775ba3fbb04d07c4f946f0e4f11
      Running setup.py bdist_wheel for config ... done
      Stored in directory: /root/.cache/pip/wheels/53/3d/4b/b65b93aeeb83b93dcc103f8addd3b4b7e5668496868c103b5a
      Running setup.py bdist_wheel for isc-dhcp-leases ... done
      Stored in directory: /root/.cache/pip/wheels/90/26/a0/f9ca0d32f37074577dc45bb084a1e0119809060afd9563f4ea
      Running setup.py bdist_wheel for netifaces ... done
      Stored in directory: /root/.cache/pip/wheels/28/e1/08/e66a4f207479500a27eae682a4773fa00605f2c5d953257824
      Running setup.py bdist_wheel for configparser ... done
      Stored in directory: /root/.cache/pip/wheels/e7/34/b2/2d95e8a9d44e4b5c43319d6d1de4cda0bc2453d93ad1f60a2d
      Running setup.py bdist_wheel for NetfilterQueue ... done
      Stored in directory: /root/.cache/pip/wheels/f0/1d/3c/e7552929e92126c3a29e11af1f6d8dfe1acc1232305f8a1b4c
      Running setup.py bdist_wheel for python-magic ... done
      Stored in directory: /root/.cache/pip/wheels/61/3c/59/27eacd1e57b0bb379873e5b46c7128b1f9f61fe50d6969301f
      Running setup.py bdist_wheel for scapy-http ... done
      Stored in directory: /root/.cache/pip/wheels/d7/3b/be/1467ee6d5abe4180b16fbaf3d1529204b71a764d1e7c118821
      Running setup.py bdist_wheel for typing ... done
      Stored in directory: /root/.cache/pip/wheels/08/ed/5d/698ff5d6a6e070db3bd5e534046859fca5419ab6d98a24426c
    Successfully built bs4 config isc-dhcp-leases netifaces configparser NetfilterQueue python-magic scapy-http typing
    Installing collected packages: bs4, config, isc-dhcp-leases, netifaces, configparser, NetfilterQueue, libarchive-c, python-magic, scapy-http, typing
      Found existing installation: configparser 3.5.0
        Not uninstalling configparser at /usr/lib/python2.7/dist-packages, outside environment /usr
      Found existing installation: typing 3.6.1
        Not uninstalling typing at /usr/lib/python2.7/dist-packages, outside environment /usr
    Successfully installed NetfilterQueue-0.8.1 bs4-0.0.1 config-0.3.9 configparser-3.3.0.post1 isc-dhcp-leases-0.8.1 libarchive-c-2.1 netifaces-0.10.6 python-magic-0.4.6 scapy-http-1.8 typing-3.5.2.2
    root@kali:/WiFi-Pumpkin# python wifi-pumpkin.py
    Loading GUI...
    WiFi-Pumpkin Running!
Now we need to complete some basic configuration.
1. Switch to the "Settings" tab.
2. Set "Gateway" to the router's IP address (usually 192.168.1.1).
3. Set "SSID" to a believable name, such as "I am definitely legitimate WiFi" or "I am definitely not a rogue hotspot"...
4. If you want your rogue hotspot to look more secure, or the venue's WiFi requires a password (so your targets would expect to enter one), turn on "Enable WiFi Security" and set the password you want; this makes the hotspot more believable. If the venue's WiFi is open, leave this off.
5. Don't forget to configure your external wireless card, usually wlan0 or wlan1.
6. In the "Plugins" tab, untick "Enable Proxy Server".
7. Open "Modules" (in the menu bar) and choose "Phishing Manager". The IP address can be anything, for example 10.0.0.1 (port 80); WiFi-Pumpkin offers several ways to hook up your phishing page. Since we have already built the fake login page, enable "Set Directory" under "Options" and set "SetEnv PATH" to the directory holding the site files (/www). Then click "Start Server".
8. Under "Modules" -> "DNS Spoofer", enable "Redirect traffic from all domains" and click "StartAttack".
9. In the "View" menu choose "Monitor NetCreds" and click "Capture Logs".
OK, everything is configured! From now on, once targets connect to our rogue hotspot they are redirected to the phishing page, and anything they enter there is stored in plain text in the database we set up earlier.
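Seen from the defender's side, the setup just described leaves two signatures on the air and on the wire: a known SSID broadcast from a second BSSID (often with a different security mode, as in step 4) and a DNS responder that answers every query with the same private address (10.0.0.1 above, from step 8). The following Python is an added example, not part of the original post, that runs both checks over constructed scan and DNS observations; the SSIDs, BSSIDs and DNS answers are made-up sample data.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed beacon observations: (SSID, BSSID, security mode).
# "CafeGuest" is the venue's real network; the second entry imitates
# the Rogue AP configured above, broadcasting the same SSID as open auth.
SCAN = [
    ("CafeGuest", "aa:bb:cc:00:00:01", "WPA2"),
    ("CafeGuest", "de:ad:be:ef:00:02", "OPEN"),
    ("Home5G", "11:22:33:44:55:66", "WPA2"),
]

# Constructed DNS answers observed on the network: (query name, answer).
# The first three are what "Redirect traffic from all domains" produces
# when the Phishing Manager listens on 10.0.0.1; the last is a normal answer.
DNS = [
    ("facebook.com", "10.0.0.1"),
    ("gmail.com", "10.0.0.1"),
    ("twitter.com", "10.0.0.1"),
    ("example.org", "93.184.216.34"),
]


def evil_twins(scan):
    """Return SSIDs that were seen from more than one BSSID, mapped to the
    sorted (bssid, security) pairs; a mix of OPEN and WPA2 under one name
    is the strongest sign of a rogue twin."""
    by_ssid = defaultdict(set)
    for ssid, bssid, security in scan:
        by_ssid[ssid].add((bssid, security))
    return {s: sorted(v) for s, v in by_ssid.items() if len(v) > 1}


def wildcard_dns(answers, min_domains=3):
    """Return answer addresses that resolve at least `min_domains` distinct
    names and are private: a LAN address standing in for unrelated public
    sites means the resolver is spoofing, not resolving."""
    by_ip = defaultdict(set)
    for qname, ip in answers:
        by_ip[ip].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_domains and ip_address(ip).is_private}
```

A wireless scan (for example the output of a scanning tool) and a DNS capture from the suspect network can be fed in as the same tuples; a hit on either check is grounds to treat the hotspot as hostile.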
The above is the most basic setup; the attack can be refined in the following ways:
1. Our phishing page probably is not convincing enough, so we can download the official login page with HTTrack or wget.
2. Redirect to a matching phishing page. For example, if the user visits facebook.com, redirect them to the fake Facebook page; do the same for Gmail or Twitter.
3. Use the target service's API directly. Once the user enters their credentials on the phishing page, create a legitimate Facebook session and redirect the user to the real Facebook site so that they never realise they were attacked.
Conclusion
If you are interested in WiFi attacks, you may also want to read [this article].
Finally, Happy Hacking!