THIS IS B3c0me


Metasploit

I. Penetration Testing

1.1 What Is Penetration Testing

The seven phases of a penetration test under the PTES standard:

  1. Pre-engagement interactions
  2. Intelligence gathering
  3. Threat modeling
  4. Vulnerability analysis
  5. Exploitation
  6. Post-exploitation
  7. Reporting

1.2 Vulnerability Analysis and Exploitation

The security vulnerability life cycle

A typical life cycle:
  1. Vulnerability research and discovery: code audit, reverse engineering, black-box testing
  2. Exploit development and testing: proof-of-concept (POC) attack code
  3. The vulnerability and exploit circulate within a closed group
  4. The vulnerability and exploit begin to spread
  5. Malware appears and begins to propagate
  6. Exploit code and malware spread at scale and endanger the Internet
  7. Exploit code, malware and attack tools gradually die out

0day: the window between the discovery of a security vulnerability and the vendor's release of a patch for it

How security vulnerabilities are disclosed

  • Full public disclosure: the Full-Disclosure mailing list

  • Responsible disclosure

  • Entry into the underground economy

  • Limited exploitation until passive disclosure

Public vulnerability repositories:

  • CNNVD: China National Vulnerability Database of Information Security
  • CNVD: China National Vulnerability Database (national information security vulnerability sharing platform)
  • WooYun (乌云) vulnerability reporting platform
  • SCAP Chinese community
  • CVE: Common Vulnerabilities and Exposures
  • NVD: US National Vulnerability Database
  • SecurityFocus
  • OSVDB: Open Source Vulnerability Database

Exploit code sharing sites:

  • Metasploit
  • Exploit-db
  • PacketStorm
  • SecurityFocus
  • SecurityReason
  • SecurityVulns
  • 1337Day
  • CORE Security
  • VUPEN

Metasploit Basics

Overview

Metasploit is currently the best-known name in information security and penetration testing, and it has completely changed the way penetration tests are carried out. Almost every popular operating system supports Metasploit, and the framework's workflow is essentially the same on all of them. The examples in this series are based on the Kali operating system, which ships with Metasploit and the third-party tools that run on top of it preinstalled.

  The Metasploit Framework (MSF) is an open-source tool designed to make penetration testing easier. It is a modular framework written in Ruby with good extensibility, which makes it convenient for penetration testers to develop and use custom tool modules.

  Metasploit offers several interfaces (console, Web, CLI) for driving its back-end modules during a test. The console interface is recommended: through it you can reach every Metasploit component, such as payloads, exploit modules and post modules. Metasploit also integrates third-party programs such as Nmap and SQLMap, which can be used directly from the console. To open the console, run msfconsole on the command line.

Terminology

The MSF framework is made up of several kinds of modules; each kind and its function are described below.

Auxiliaries (auxiliary modules)
  These modules do not establish access between the tester and the target host themselves; they perform scanning, sniffing, fingerprinting and similar functions that support the penetration test.

Exploit (exploit modules)
  Exploitation is the act of a penetration tester attacking a security vulnerability in a system, application or service. Popular exploitation techniques include buffer overflows, web application attacks and the abuse of misconfigurations. Exploit modules contain the proof-of-concept programs that attackers or testers have written against a particular vulnerability in a system, i.e. attack code that breaks the system's security; each vulnerability has its own corresponding exploit code.

Payload (payload modules)
  A payload is the code we want the target system to run after a successful exploit in order to carry out the actual attack function. Once the target has been compromised it is used to run arbitrary commands or specific code on the target; in the Metasploit framework payloads can be freely selected, delivered and implanted. A payload can also be as simple as executing a few commands on the target operating system, such as adding a user account.

Post (post-exploitation modules)
  These modules are used once remote control of the target system has been obtained, to carry out post-exploitation actions such as collecting sensitive information or pivoting to other hosts.

Encoders (encoder modules)
  These modules handle evasion during a penetration test, so that the payload is not detected by antivirus software, firewalls, IDS and similar security products.

Directory Structure

Metasploit framework directory paths on Kali:

/opt/metasploit-framework/embedded/framework/

/usr/share/metasploit-framework

Updating Metasploit on Kali:

msfconsole -v   # show version
apt-get update
apt-get install metasploit-framework

Framework directories:

data---editable files containing the binaries Metasploit needs for exploits, wordlists, images and so on
documentation---the framework's available documentation
lib---Metasploit's library folder
plugins---where Metasploit plugins are stored
tools---assorted command-line utilities
modules---where the module files are stored

Basic Usage

msfconsole      enter the framework console
msfdb init      initialize the database
db_status       show database connection status
workspace       show the current workspace
workspace -h    workspace help

Common Commands

show exploits - list all available exploit modules
show auxiliary - list all available auxiliary modules
show options/advanced - show the options available for the current module
show payloads - list all payloads compatible with the current module
show targets - list the target types supported by the current module
search - search for modules by keyword
info - show detailed information about a module
use - select an exploit module
back - leave the current module
set/unset - set or clear a parameter in the current module
setg/unsetg - set or clear a global parameter that applies to all modules
save - save the current settings so they are still available the next time the MSF console starts

Metasploit Information Gathering

Internal Host Discovery

db_nmap   # Nmap scan whose results are stored in the database
-PA: TCP ACK ping
-PS: TCP SYN ping
-PR: ARP scan, which is really an ARP ping sweep of the targets; especially useful on an internal network, since firewalls do not block ARP requests
hosts: list all hosts in the current workspace

Port, Service and Version Detection

db_nmap
-T[0-5]: timing template, T3 by default; T4 caps the TCP scan delay at 10ms
-sS: TCP SYN scan
-sA: TCP ACK scan
-sT: TCP connect scan
-A: enable OS detection and version detection

Auxiliary port-scan modules (search portscan):
0 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
1 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner

Vulnerability Detection

db_nmap
--script=vuln: run the NSE vuln script category to check for common vulnerabilities
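
The workspace, host-discovery, port/service and vulnerability-scan steps above can be captured in an msfconsole resource script, so the same information-gathering run is reproducible from one engagement to the next and the results land in the database where hosts, services and vulns can query them. The shell script below is an added example and is not part of the original post: it writes such a resource script and, only if msfconsole is installed and the script is invoked with the argument run, executes it with msfconsole -q -r; otherwise it just reports where the script was written. The workspace name, the scan range (an in-scope lab network) and the output path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: generate an msfconsole resource
# script that reproduces the information-gathering workflow (workspace,
# ARP host discovery, SYN/version scan, NSE vuln check) so that it can be
# re-run identically. Workspace name, target range and output path are
# assumptions supplied by the caller.
set -eu

# write_recon_rc WORKSPACE RANGE OUTFILE
# Writes the resource script to OUTFILE and prints its path.
write_recon_rc() {
    workspace="$1"   # msfconsole workspace to create and select
    range="$2"       # target range, e.g. an in-scope lab network 10.0.0.0/24
    out="$3"         # where to write the resource script

    cat > "$out" <<EOF
# recon resource script for workspace ${workspace} (generated)
workspace -a ${workspace}
workspace ${workspace}
db_status
# host discovery only (-sn), using ARP ping on the local segment (-PR)
db_nmap -PR -sn ${range}
hosts
# SYN scan with version detection on the discovered range
db_nmap -sS -sV -T4 --top-ports 100 ${range}
services
# NSE vuln category against the same range; results are stored for "vulns"
db_nmap -sV --script=vuln ${range}
vulns
exit -y
EOF
    printf '%s\n' "$out"
}

# rc_command_count FILE
# Counts the executable lines in a resource script (comments and blank
# lines are skipped), a quick sanity check before handing it to msfconsole.
rc_command_count() {
    grep -v '^#' "$1" | grep -c '[^[:space:]]'
}

# Usage: sh recon_rc.sh run   (only the "run" argument triggers msfconsole)
if [ "${1:-}" = "run" ]; then
    rc=$(write_recon_rc lab_net 10.0.0.0/24 "$(mktemp)")
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        echo "msfconsole not found; resource script written to $rc"
    fi
fi
```

Keeping the scan steps in a generated file rather than typing them interactively means the range, workspace and nmap options are reviewed once and then reused unchanged, which is also what makes the stored results comparable between runs.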

Obtaining a Meterpreter Session

Meterpreter is MSF's post-exploitation payload; when an attack against a target machine succeeds, a Meterpreter session is returned.

The commands available in the Meterpreter session obtained via ms17_010 are listed below:

meterpreter > ?

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table


Stdapi: System Commands
=======================

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components


Stdapi: Webcam Commands
=======================

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

Command Description
------- -----------
play play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

Using Meterpreter

sessions -u <id>: upgrade the given session to a Meterpreter session
sessions: list all available Meterpreter sessions
execute -H -i -f cmd.exe: run a file on the target machine by creating a new cmd.exe process; -H hidden, -i interactive
upload: upload a file
